Read the book Networking All-in-One For Dummies - Doug Lowe - Page 175

Understanding Network Address Translation


Nearly all firewalls use a technique called network address translation (NAT) to hide the actual IP address of a computer on the local network from the outside world. When that’s the case, the NAT device must use a globally unique IP address to represent the computer to the Internet. Behind the firewall, though, the computer has a private IP address. When packets cross the firewall, the NAT device translates the private IP address to the public IP address and vice versa.

NAT is one of the foundational techniques that enables the Internet to work. It’s the way an organization can have dozens, hundreds, or thousands of computers on its network without requiring a separate public IP address for each computer. Instead, each organization has a relatively small number of public IP addresses that are assigned to the public-facing interfaces of its firewall(s). NAT enables all the computers behind the firewall to communicate with the Internet, piggybacking on the public IP address of the firewall itself.

Consider what typically happens when a user sends a request to a local HTTP server — that is, an HTTP server that is on the same network as the user. Let’s assume that the IP address of the local HTTP server is 192.168.0.100, and the IP address of the user’s computer is 192.168.0.50. What happens is this:

1 The user’s computer sends an HTTP request in the form of an IP packet with the following address information:

 For the source, the transport protocol is TCP and the IP address is 192.168.0.50. The source port number is chosen by the client and is typically a high port number. For this example, I’ll use port 45444 for the source port.

 For the destination, the transport protocol is TCP, the IP address is 192.168.0.100, and the port is 80.

2 The HTTP server receives the request, processes it, and sends back an HTTP response in the form of an IP packet with the following address information:

 For the source, the transport protocol is TCP, the IP address is 192.168.0.100, and the port is 80.

 For the destination, the transport protocol is TCP, the IP address is 192.168.0.50, and the port is 45444 (the port that was chosen by the client).

This won’t work if the user wants to send a request to an HTTP server on the Internet, because the IP address of the user’s computer is a private address, not a public address. So, the HTTP server won’t be able to send a response to 192.168.0.50 because such an address doesn’t exist on the public Internet.

That’s where NAT comes in.

The magic of NAT is handled by the firewall itself. The basic idea of NAT is that the firewall maintains an internal table of outgoing packets so it can remember which computer in the local network has requested information from sites on the public Internet. Because more than one computer may make requests for information from the same Internet site, NAT exploits ephemeral ports (see the preceding section) to keep things straight.

Let me walk you through an example. But first, let’s assume that the firewall in this example has the following IP addresses:

 Outside IP address (public): 75.68.10.201

 Inside IP address (private): 192.168.0.1

Let’s also assume that the HTTP server is at 99.84.206.125 (which happens to be Wiley’s web server), and a user whose private IP address is 192.168.0.50 uses a web browser to request information from the HTTP server. The HTTP request will have the following address information:

 Source IP: 192.168.0.50

 Source port: 45444

 Destination IP: 99.84.206.125

 Destination port: 80

Here’s how it works:

1 The firewall sees this packet and realizes that it must substitute its own IP address (let’s assume 192.168.0.1).

2 The firewall selects a random port number from a pool of ephemeral port numbers, which it will use to keep track of the request. For example, let’s say it picks port 42003.

3 The firewall records the following information in its NAT table for this request:

 Source IP: 192.168.0.50

 Source port: 45444

 Destination IP: 99.84.206.125

 Destination port: 80

 Temporary port: 42003

4 The firewall modifies the packet by substituting its own public IP address for the source IP and the temporary port for the source port.

5 The firewall sends the modified packet to the public Internet. The modified packet contains the following information:

 Source IP: 75.68.10.201

 Source port: 42003

 Destination IP: 99.84.206.125

 Destination port: 80

6 A few seconds later, the firewall receives an incoming HTTP response message with the following address information:

 Source IP: 99.84.206.125

 Source port: 80

 Destination IP: 75.68.10.201

 Destination port: 42003

7 The firewall peruses its NAT table and finds that this response matches the entry it recorded in Step 3.

8 The firewall retrieves the original source IP address and port from the NAT table and substitutes them for the destination IP and port. The modified response message now has the following address information:

 Source IP: 99.84.206.125

 Source port: 80

 Destination IP: 192.168.0.50

 Destination port: 45444

9 The firewall places the modified packet on the inside interface (that is, the local network), where the network can then deliver the packet to the original requestor (the user at 192.168.0.50).

So, what happens if two or more users have requests to the same web server at the same time? NAT is able to figure it out because each of those requests has a different temporary port number. For example, the user in the preceding example got port 42003. Another user sending a request to the same web server might get port 43859. When the reply comes back from the web server, NAT looks at the destination port to determine which local computer should receive the reply.
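The nine-step walkthrough and the two-users case above, modelled as a small Python program. This is an added example, not code from the book or from any firewall product. It assumes a second user at 192.168.0.51 (an invented address) who happens to pick the same client port 45444, and it draws temporary ports from a constructed list (42003, then 43859) so that the output reproduces the book's numbers where a real firewall would pick at random. The check that a reply must come from the recorded destination is an assumed stricter behaviour, not something the book states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the address fields NAT cares about; the payload is irrelevant here."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass(frozen=True)
class NatEntry:
    """One row of the firewall's NAT table (Step 3 of the walkthrough)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    temp_port: int


class NatFirewall:
    """Toy model of the firewall's NAT table, keyed by the temporary port."""

    def __init__(self, public_ip: str, private_ip: str, ephemeral_ports: List[int]) -> None:
        self.public_ip = public_ip
        self.private_ip = private_ip
        # A real firewall picks from its ephemeral range at random; this list is a
        # constructed sequence so the example reproduces the book's port numbers.
        self._free_ports = list(ephemeral_ports)
        self.table: Dict[int, NatEntry] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Steps 1-5: record the flow, then rewrite the source to public IP + temporary port."""
        if not self._free_ports:
            raise RuntimeError("ephemeral port pool exhausted")
        temp_port = self._free_ports.pop(0)
        self.table[temp_port] = NatEntry(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, temp_port)
        return Packet(self.public_ip, temp_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 6-9: look up the destination port; return the rewritten packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            # No matching table entry means no inside host to deliver to, which is
            # why an unsolicited inbound connection simply gets dropped by NAT.
            return None
        if (pkt.src_ip, pkt.src_port) != (entry.dst_ip, entry.dst_port):
            # Assumed stricter check: only the server we actually contacted may use this mapping.
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry.src_ip, entry.src_port, pkt.proto)


def run_walkthrough() -> dict:
    """Replay the book's example plus a second user talking to the same server."""
    fw = NatFirewall("75.68.10.201", "192.168.0.1", [42003, 43859])
    server = "99.84.206.125"

    # Two inside users; both happen to pick client port 45444.
    # 192.168.0.51 is an assumed address for the second user.
    out_a = fw.outbound(Packet("192.168.0.50", 45444, server, 80))
    out_b = fw.outbound(Packet("192.168.0.51", 45444, server, 80))

    # The server replies to whatever source it saw: the public IP and the temporary port.
    reply_a = fw.inbound(Packet(server, 80, out_a.src_ip, out_a.src_port))
    reply_b = fw.inbound(Packet(server, 80, out_b.src_ip, out_b.src_port))

    # A constructed unsolicited packet to a port with no table entry has nowhere to go.
    unsolicited = fw.inbound(Packet("203.0.113.9", 40000, "75.68.10.201", 50000))

    return {
        "out_a": out_a,
        "out_b": out_b,
        "reply_a": reply_a,
        "reply_b": reply_b,
        "unsolicited": unsolicited,
        "table": dict(fw.table),
    }


if __name__ == "__main__":
    for name, value in run_walkthrough().items():
        print(f"{name}: {value}")
```

Running it shows the two outbound packets leaving with the same public source IP but different temporary ports, each reply being steered back to the right private host on the destination port alone, and the unsolicited packet returning None because nothing in the table claims port 50000. Real NAT tables also expire idle entries after a timeout, which this model leaves out.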
