[JDEV] NAT Issues
Dan Kegel
dank at alumni.caltech.edu
Sun Dec 17 18:16:41 CST 2000
Bernd Eckenfels wrote:
>
> On Sun, Dec 17, 2000 at 12:05:37PM -0600, Charles Forsythe wrote:
> > - NATs compliant with RFC 2663 can use a UDP hack (see link below).
> ...
> > http://www.alumni.caltech.edu/~dank/peer-nat.html
>
> The problem is, this does not work with common dynamic NAT systems, because
> you simply don't know which port to send to. And those (like Linux
> Masquerading) are the most common solutions.
But it does, actually. With 2.2.1 - 2.2.14 or so, it works by default.
With 2.2.15 and later, you have to do
echo 1 > /proc/sys/net/ipv4/ip_masq_udp_dloose
to allow it.
The way the hack works is simple: a central address/port server keeps
track of the IP address and UDP port used by each client.
When a new client N joins, and wants to communicate to an older client B,
N sends B a UDP packet, and asks the server to tell B to send N a UDP
packet. When the packet from N hits N's NAT, it opens up that port for
UDP replies. Likewise, when the packet from B hits B's NAT, it opens
up that port for UDP replies. From then on, B's NAT thinks packets
from N are replies, and vice versa, so a bidirectional flow is allowed.
- Dan
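The exchange Dan describes, as an added example (a Python simulation written for this page, not code from the post or from the peer-nat page). A rendezvous server records each client's public endpoint from its registration packet; N sends to B's recorded endpoint, the server has B send to N's, and each first packet opens the sender's own NAT for "replies". The NAT models, the addresses and the port numbers are all constructed for the example. It goes one step beyond the post by also modelling the case Bernd raises: a NAT that picks a fresh public port per destination, where the port the server recorded is not the port used towards the peer, so neither side's packet matches a hole.

```python
"""Simulated UDP hole punching (added example, not from the mailing-list post).

Two NAT mapping behaviours are modelled (hypothetical models, not any vendor's
implementation). Inbound filtering is port-restricted in both cases: a packet
is only passed in if the inside host already sent to that exact source endpoint.
  * endpoint-independent mapping: one public port per private socket, reused
    for every destination -- the post's assumption; punching succeeds.
  * endpoint-dependent ("symmetric") mapping: a fresh public port for each
    destination -- the server's recorded port is wrong; punching fails.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str


class NAT:
    """Port-restricted NAT; `symmetric` selects endpoint-dependent mapping."""

    def __init__(self, public_ip: str, symmetric: bool = False, base_port: int = 40000):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.next_port = base_port
        self.mapping: Dict[object, int] = {}       # mapping key -> public port
        self.internal: Dict[int, Endpoint] = {}    # public port -> private endpoint
        self.holes: Dict[int, Set[Endpoint]] = {}  # public port -> peers sent to

    def _key(self, pkt: Packet):
        # A symmetric NAT keys the mapping on the destination as well.
        return (pkt.src, pkt.dst) if self.symmetric else pkt.src

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private side; creates/refreshes a hole."""
        key = self._key(pkt)
        if key not in self.mapping:
            port, self.next_port = self.next_port, self.next_port + 1
            self.mapping[key] = port
            self.internal[port] = pkt.src
            self.holes[port] = set()
        port = self.mapping[key]
        self.holes[port].add(pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside, or drop it (None)."""
        port = pkt.dst[1]
        if port not in self.internal or pkt.src not in self.holes[port]:
            return None  # no mapping, or this source was never contacted from inside
        return Packet(pkt.src, self.internal[port], pkt.payload)


class Client:
    def __init__(self, name: str, private: Endpoint, nat: NAT):
        self.name, self.private, self.nat = name, private, nat
        self.received: List[Packet] = []

    def send(self, dst: Endpoint, payload: str) -> Packet:
        return self.nat.outbound(Packet(self.private, dst, payload))

    def deliver(self, pkt: Packet) -> bool:
        inner = self.nat.inbound(pkt)
        if inner is not None:
            self.received.append(inner)
        return inner is not None


SERVER: Endpoint = ("198.51.100.1", 5000)  # constructed address/port server


def punch(n_symmetric: bool, b_symmetric: bool) -> Tuple[bool, bool]:
    """Run the rendezvous exchange; returns (B->N delivered, N->B delivered)."""
    registry: Dict[str, Endpoint] = {}
    B = Client("B", ("10.0.0.2", 6000), NAT("203.0.113.2", b_symmetric))
    N = Client("N", ("10.0.0.3", 6000), NAT("203.0.113.3", n_symmetric))
    # 1. Each client registers; the server records the public source endpoint.
    for c in (B, N):
        registry[c.name] = c.send(SERVER, "register").src
    # 2. N sends to B's recorded endpoint. This opens N's NAT for B; B's NAT
    #    drops it because B has not yet sent anything to N.
    B.deliver(N.send(registry["B"], "hello"))
    # 3. The server tells B to send to N's recorded endpoint; that opens B's NAT.
    #    It passes N's NAT only if N's mapping towards B really is registry["N"].
    ok_b_to_n = N.deliver(B.send(registry["N"], "hello"))
    # 4. N replies to the source it actually saw (or, if nothing arrived, to the
    #    recorded endpoint); B's NAT treats a matching reply as part of the flow.
    target = N.received[-1].src if ok_b_to_n else registry["B"]
    ok_n_to_b = B.deliver(N.send(target, "reply"))
    return ok_b_to_n, ok_n_to_b


if __name__ == "__main__":
    for n_sym, b_sym in ((False, False), (True, False), (False, True)):
        print(f"N symmetric={n_sym} B symmetric={b_sym}: {punch(n_sym, b_sym)}")
```

With endpoint-independent mappings on both sides the first packet from N is dropped by B's NAT, as the post implies, but it has already opened N's side, so B's packet gets through and everything after that looks like replies to both NATs. Make either NAT symmetric and the public port towards the peer differs from the one the server recorded, which is exactly Bernd's "you don't know which port to send to".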