* Re: UDP nat question
@ 2005-04-20 16:11 Filipe Abrantes
2005-04-21 12:17 ` Damjan
2005-04-21 18:02 ` Taylor, Grant
0 siblings, 2 replies; 6+ messages in thread
From: Filipe Abrantes @ 2005-04-20 16:11 UTC (permalink / raw)
To: netfilter
First of all, thanks for replying, it's clear now.
I have one more question related to this:
Imagine a host behind NAT with IP 192.168.22.33 which has an application
on port 5060 (a SIP client) and opens a connection to a server outside
the NAT (the SIP registrar with IP 130.11.22.33 on port 5060), and
consider that the NAT box translates the SIP client src_ip to
129.11.22.33 and src_port to 5054 for this communication.
The SIP registrar is able to reach the SIP client running on
192.168.22.33:5060 by using 129.11.22.33:5054, but what about other
hosts on the Internet? Will they also be able to reach the SIP client
using the pair 129.11.22.33:5054, or will only packets coming from the SIP
registrar be accepted?
Thanks again
Filipe Abrantes
--
Filipe Lameiro Abrantes
INESC Porto
Campus da FEUP
Rua Dr. Roberto Frias, 378
4200-465 Porto
Portugal
Phone: +351 22 209 4266
E-mail: fla@inescporto.pt
* Re: UDP nat question
2005-04-20 16:11 UDP nat question Filipe Abrantes
@ 2005-04-21 12:17 ` Damjan
2005-04-21 18:02 ` Taylor, Grant
1 sibling, 0 replies; 6+ messages in thread
From: Damjan @ 2005-04-21 12:17 UTC (permalink / raw)
To: netfilter
> Imagine a host behind NAT with IP 192.168.22.33 which has an application
> on port 5060 (a SIP client) and opens a connection to a server outside
> the NAT (the SIP registrar with IP 130.11.22.33 on port 5060), and
> consider that the NAT box translates the SIP client src_ip to
> 129.11.22.33 and src_port to 5054 for this communication.
>
> The SIP registrar is able to reach the SIP client running on
> 192.168.22.33:5060 by using 129.11.22.33:5054, but what about other
> hosts on the Internet? Will they also be able to reach the SIP client
> using the pair 129.11.22.33:5054,
They can't.
> or will only packets coming from the SIP registrar be accepted?
Yes.
Sip clients behind NAT must use a Proxy.
--
damjan | дамјан
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
* Re: UDP nat question
2005-04-20 16:11 UDP nat question Filipe Abrantes
2005-04-21 12:17 ` Damjan
@ 2005-04-21 18:02 ` Taylor, Grant
1 sibling, 0 replies; 6+ messages in thread
From: Taylor, Grant @ 2005-04-21 18:02 UTC (permalink / raw)
To: Filipe Abrantes; +Cc: netfilter
I don't know for sure, but I believe that other clients trying to reach your SIP client on 129.11.22.33:5054 will fail, as the SNAT mapping maintained by your NAT router uses the source IP, source port, destination IP, and destination port that it sees in the traffic coming from the SIP client device as its key to match packets in its internal structure. Thus, when some other client on the net tries to connect to your SIP device on port 5054, your NAT firewall / router will see this as invalid traffic. I believe that if you want other clients on the net to be able to contact your SIP device, you will need to port forward port 5060 to your SIP device, or all the traffic will need to pass through a SIP proxy somewhere on the net.
Now for the disclaimer: I'm guessing at this, but from everything that I have read and worked with this is the behavior that I would expect to see in such a situation.
Grant. . . .
> First of all, thanks for replying, it's clear now.
>
> I have one more question related to this:
>
> Imagine a host behind NAT with IP 192.168.22.33 which has an application
> on port 5060 (a SIP client) and opens a connection to a server outside
> the NAT (the SIP registrar with IP 130.11.22.33 on port 5060), and
> consider that the NAT box translates the SIP client src_ip to
> 129.11.22.33 and src_port to 5054 for this communication.
>
> The SIP registrar is able to reach the SIP client running on
> 192.168.22.33:5060 by using 129.11.22.33:5054, but what about other
> hosts on the Internet? Will they also be able to reach the SIP client
> using the pair 129.11.22.33:5054, or will only packets coming from the SIP
> registrar be accepted?
>
> Thanks again
>
> Filipe Abrantes
* UDP nat question
@ 2005-04-18 14:26 Filipe Abrantes
2005-04-19 12:03 ` Jason Opperisano
2005-04-19 13:31 ` Daniel Lopes
0 siblings, 2 replies; 6+ messages in thread
From: Filipe Abrantes @ 2005-04-18 14:26 UTC (permalink / raw)
To: netfilter
Hi all,
I have a basic question about iptables UDP NAT.
Imagine that you have 2 UDP sessions in your private LAN using the same
port. How does iptables NAT these connections? Will one of the sessions
get one external port of the NAT machine and the other session get
another one? Does the usual MASQUERADE command suffice to achieve this?
iptables MASQUERADE command:
$IPTABLES -t nat -A POSTROUTING -o $OUTBOUND_IFACE -j MASQUERADE
Hope I have made myself clear and,
Thanks for your attention
Filipe Abrantes
--
Filipe Lameiro Abrantes
INESC Porto
Campus da FEUP
Rua Dr. Roberto Frias, 378
4200-465 Porto
Portugal
Phone: +351 22 209 4266
E-mail: fla@inescporto.pt
* Re: UDP nat question
2005-04-18 14:26 Filipe Abrantes
@ 2005-04-19 12:03 ` Jason Opperisano
2005-04-19 13:31 ` Daniel Lopes
1 sibling, 0 replies; 6+ messages in thread
From: Jason Opperisano @ 2005-04-19 12:03 UTC (permalink / raw)
To: netfilter
On Mon, Apr 18, 2005 at 03:26:42PM +0100, Filipe Abrantes wrote:
> Hi all,
>
> I have a basic question about iptables UDP NAT.
>
> Imagine that you have 2 UDP sessions in your private LAN using the same
> port. How does iptables nat these connections? One of the sessions will
> get one external port of the NAT machine and the other session will get
> another one? Does the usual MASQUERADE command suffice to achieve this?
if you're talking about two machines in the inside network making
outbound connections to the same UDP port; for example 53, then (a) it's
highly unlikely that both connections will use the same source port and
(b) yes--each machine gets its srcip:sport re-mapped to the iptables
machine's pubip:mappedsrcport. remember that connection-tracking uses
four values to match a connection:
src ip, src port, dst ip, dst port
> iptables MASQUERADE command:
>
> $IPTABLES -t nat -A POSTROUTING -o $OUTBOUND_IFACE -j MASQUERADE
sure.
> Hope I have made myself clear and,
not really--because i'm guessing your actual question is about something
infinitely more complicated that will come out after much dancing
around...maybe i'm wrong.
-j
--
"Lois: Peter, there's a naked man on this cake.
Peter: There were only two cakes left, and trust me, you do not want
the one of Al Roker with the Hershey Kiss nipples."
--Family Guy
* Re: UDP nat question
2005-04-18 14:26 Filipe Abrantes
2005-04-19 12:03 ` Jason Opperisano
@ 2005-04-19 13:31 ` Daniel Lopes
1 sibling, 0 replies; 6+ messages in thread
From: Daniel Lopes @ 2005-04-19 13:31 UTC (permalink / raw)
To: netfilter
Filipe Abrantes wrote:
> Hi all,
>
> I have a basic question about iptables UDP NAT.
>
> Imagine that you have 2 UDP sessions in your private LAN using the same
> port. How does iptables nat these connections? One of the sessions will
> get one external port of the NAT machine and the other session will get
> another one? Does the usual MASQUERADE command suffice to achieve this?
>
> iptables MASQUERADE command:
>
> $IPTABLES -t nat -A POSTROUTING -o $OUTBOUND_IFACE -j MASQUERADE
>
> Hope I have made myself clear and,
>
> Thanks for your attention
>
> Filipe Abrantes
>
For example:
machine 1 running an application on port 1465
machine 2 running an application also on 1465
both make a DNS request to Port 53 UDP
the srcip of the second request reaching the router will be mapped for
that time to a free port on the router. AFAIK
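The four-value matching that Jason and Grant describe, Daniel's two-machines-on-port-1465 example and Filipe's SIP question can all be checked against one small model of a NAT box's connection-tracking table. The Python below is a constructed example added to this archive page; it is not netfilter code and was not posted by anyone in the thread. The internal hosts, the DNS server address, the allocator starting at port 1024 and the second LAN phone that occupies public port 5060 are assumptions chosen so the SIP client lands on the thread's 5054.

```python
"""Toy model of UDP connection tracking with SNAT/MASQUERADE.

Constructed example (not netfilter's implementation). It reproduces
only the behaviour stated in the thread:
  * an entry is keyed on (src ip, src port, dst ip, dst port);
  * a clashing source port is remapped to a free public port;
  * an inbound packet is de-NATed only if it matches an entry's
    reply tuple; anything else is not a tracked reply.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# (src_ip, src_port, dst_ip, dst_port)
Tuple4 = Tuple[str, int, str, int]


@dataclass
class Conntrack:
    public_ip: str
    next_port: int = 1024  # assumed simple allocator for remapped ports
    # original 4-tuple (as seen on the LAN side) -> public source port
    original: Dict[Tuple4, int] = field(default_factory=dict)
    # reply 4-tuple (as seen from the Internet side) -> original 4-tuple
    reply: Dict[Tuple4, Tuple4] = field(default_factory=dict)

    def outbound(self, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Translate a LAN->Internet packet; returns (public ip, public port)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.original:            # known flow: reuse its mapping
            return self.public_ip, self.original[key]
        # Keep the original source port unless the reply tuple it would
        # produce already belongs to another flow; then pick a free one.
        pub_port = src_port
        while (dst_ip, dst_port, self.public_ip, pub_port) in self.reply:
            pub_port = self.next_port
            self.next_port += 1
        self.original[key] = pub_port
        self.reply[(dst_ip, dst_port, self.public_ip, pub_port)] = key
        return self.public_ip, pub_port

    def inbound(self, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate an Internet->LAN packet; None means no matching entry.

        All four values must match the reply side of an existing entry,
        so a packet from another host, or from the same host on another
        port, is not treated as a reply to the outbound flow.
        """
        orig = self.reply.get((src_ip, src_port, dst_ip, dst_port))
        if orig is None:
            return None
        return orig[0], orig[1]


def dns_scenario():
    """Daniel's case: two LAN hosts, both on port 1465, both query DNS."""
    ct = Conntrack("129.11.22.33")
    m1 = ct.outbound("192.168.22.10", 1465, "198.51.100.53", 53)  # keeps 1465
    m2 = ct.outbound("192.168.22.11", 1465, "198.51.100.53", 53)  # remapped
    r1 = ct.inbound("198.51.100.53", 53, "129.11.22.33", m1[1])
    r2 = ct.inbound("198.51.100.53", 53, "129.11.22.33", m2[1])
    return m1, m2, r1, r2


def sip_scenario():
    """Filipe's case: who can reach the SIP client through 129.11.22.33:5054?"""
    ct = Conntrack("129.11.22.33", next_port=5054)
    # Assumed second phone already holds public port 5060 towards the registrar,
    # which forces the client of interest onto the thread's port 5054.
    ct.outbound("192.168.22.44", 5060, "130.11.22.33", 5060)
    mapped = ct.outbound("192.168.22.33", 5060, "130.11.22.33", 5060)
    from_registrar = ct.inbound("130.11.22.33", 5060, "129.11.22.33", mapped[1])
    from_other_host = ct.inbound("203.0.113.9", 5060, "129.11.22.33", mapped[1])
    from_registrar_other_port = ct.inbound("130.11.22.33", 5061,
                                           "129.11.22.33", mapped[1])
    return mapped, from_registrar, from_other_host, from_registrar_other_port


if __name__ == "__main__":
    print("DNS:", dns_scenario())
    print("SIP:", sip_scenario())
```

Running it shows the second DNS client mapped to a different public port while both replies find their way back, and for SIP only the registrar, from exactly the port it was contacted on, gets through; the unrelated host and the registrar on a different port both come back as None, which is the "invalid traffic" Grant expects the router to see. Whether such a packet is then dropped or delivered to the router itself depends on the INPUT policy, which the model does not cover.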