
30th June 2004, 08:30 PM
Registered User
Join Date: Jun 2004
Location: Portsmouth, UK
Posts: 444

NAT Traversal
Given that Linux is pretty funny about having an ethernet connection, instead of USB, and that the majority of users provide this via a router, is there some NAT traversal solution available in Linux to facilitate peer-to-peer connections?
I'm told Win does lots of this stuff for you, I know XBOX certainly does.

1st July 2004, 09:58 AM
Registered User
Join Date: Mar 2004
Location: Minnesota, USA
Age: 27
Posts: 7,909

Which is the NAT device, a hardware router or a Linux machine? I'm not familiar with setting up NAT over Linux.

1st July 2004, 08:25 PM
Registered User
Join Date: Jun 2004
Location: Portsmouth, UK
Posts: 444

I'm generally thinking hardware router, although there's no reason you couldn't write some NAT software and run it on Linux.
It's just something that has caused me much stress in peer-to-peer communication and I was wondering if there was some Linux magic to overcome it.

2nd July 2004, 11:54 AM
Registered User
Join Date: Mar 2004
Location: Minnesota, USA
Age: 27
Posts: 7,909

Just open the ports in the firewall. You can do this at Main Menu > System Settings > Security Level.
A properly configured NAT device will forward the traffic to the appropriate LAN IP. I'm surfing the web with NAT right now.

2nd July 2004, 08:48 PM
Registered User
Join Date: Jun 2004
Location: Portsmouth, UK
Posts: 444

Sure,
Surfing the web will work since your NAT box will have translated your outgoing requests and thus translate the returned requests correctly.
For writing peer-to-peer software though, it's nice if you can do this semi-automatically. I was just wondering if there was any kind of library available, or even techniques, or if this was missing? It seems it's missing, so I'll put together a UPnP library...

5th July 2004, 05:58 AM
Registered User
Join Date: Jun 2004
Posts: 75

NAT is perfectly acceptable, and generally more robust, faster and reliable than other services that do address translation... especially MS and their connection sharing.
NAT is performed through a service called IPTABLES, which is also the firewall service for most standard distributions. A number of firewall appliances on the market use Linux and IPTABLES as their OS.
IPTABLES would allow you to create a huge number of very specific rules for passing data across your Linux router... which is basically what you are creating.
I have been running NAT through IPTABLES for about 8 years with no major issues... there's a lot to learn to get rules running right, but if you don't want to work, you can just go out and get a firewall package like smoothwall (firewall appliance), or firestarter (firewall GUI).
I use firestarter today, just because it's easy to kick off. There is a single switch for NAT and lots of programmable ports... once configured you can still go in and add more specific stuff through the scripting.
http://www.telematik.informatik.uni-...les-HOWTO.html

5th July 2004, 08:58 AM
Registered User
Join Date: Jun 2004
Location: Portsmouth, UK
Posts: 444

Thanks,
But I think you guys are misunderstanding what I'm asking. Basically:
I have 3 boxes:
1. Matchmaking lobby server on raw I.P.
2. Client 1 behind NAT\firewall
3. Client 2 behind NAT\firewall
Client 1 is told Client 2's IP address. Client 2 is told about Client 1's IP address. How can Client 1 get a UDP packet to Client 2, and vice versa, without having to get everyone to configure their NAT\firewall?
I've used UPnP to automatically configure routers before which will create a port and route packets to the correct box. However there doesn't seem to be any kind of NAT traversal solution in Linux, is this true or have I just missed it?
Is the only way to get 2 machines, behind NATs, to talk to each other to get the owners to manually open ports on the NAT\firewall?

5th July 2004, 12:45 PM
Registered User
Join Date: Feb 2004
Location: France
Age: 35
Posts: 533

Quote:
Originally Posted by PompeyBlue
Is the only way to get 2 machines, behind NATs, to talk to each other to get the owners to manually open ports on the NAT\firewall ?

I guess so. I don't know other methods than port forwarding/triggering.

6th July 2004, 06:38 AM
Registered User
Join Date: Jun 2004
Posts: 75

Sorry, I'm still confused...

Internet
   |
LOBBY Server 1
   |
Router/Firewall (What kind)
   |
   +---------- Client 1
   |
   +---------- Client 2

Is this right?... Lobby server outside of firewall, and both clients inside the same firewall? Or are the clients inside of different firewalls?
If they are behind different firewalls, then you would need to do one of several things...
1) Set up a VPN between them... good for corporate but not for SOHO use
2) SSH tunnel... easier, cheaper, but would require ssh servers on both sides
3) Open ports on each NAT and port-forward requests only to specific machines.
What is the point of this? Are you trying to set up a secure channel to play games on?

6th July 2004, 09:31 PM
Registered User
Join Date: Jun 2004
Location: Portsmouth, UK
Posts: 444

Hello,
Yes, I have 2 clients behind 2 different firewalls and therefore on 2 separate IPs (if they were on the same LAN I'd just broadcast my game information). The aim is a Linux peer-to-peer network game which would "just work" without having to open ports on the firewalls.
I suppose an ASCII diagram would be:
____________________________ Internet ________________
| | |
____________ ___________ ____________
|Lobby Server| | Router 1 | | Router 2 |
----------------- ---------------- -----------------
| |
___________ ____________
| Client A | | Client B |
---------------- ------------------
Erm, the diagram didn't come out very well!
Client A is informed of Client B's IP address, and vice versa. I then want to start peer to peer connections between the two boxes.
Obviously, the clients will have punched holes through the NAT to the server, but not each other. There are numerous techniques to try and open communications, but I was just wondering if there was anything in Linux that would do this for me?
Maybe it's part of the Linux philosophy that nothing should happen automatically and everything should be configured. I'm relatively new to Fedora ^_^
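
The exchange this post describes (a lobby server tells each client the other's address, then the clients send UDP to each other directly), as an added example that is not part of the thread. The names `lobby`, `peer` and `run_demo` and the message strings are hypothetical, and it runs on loopback with no NAT in the path; through real routers it only works when each NAT reuses the mapping it created for the lobby when the client sends to the peer.

```python
import json
import socket
import threading

def lobby(sock):
    """Record each peer's source address as seen on the wire (a NAT mapping on a real network), then swap them."""
    seen = {}                                   # dict keeps first-seen order, ignores re-registrations
    while len(seen) < 2:
        seen[sock.recvfrom(1024)[1]] = True
    a, b = seen
    sock.sendto(json.dumps(b).encode(), a)
    sock.sendto(json.dumps(a).encode(), b)

def peer(name, lobby_addr, results, tries=5, wait=0.5):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(wait)
    other, inbox = None, {}
    hello = f"hello from {name}".encode()
    for _ in range(tries):
        # Outbound packets create the NAT mapping; resend since a real NAT may drop the first one.
        s.sendto(hello if other else b"register", other or lobby_addr)
        try:
            while other is None or other not in inbox:
                data, src = s.recvfrom(1024)
                if src == lobby_addr:
                    other = tuple(json.loads(data))
                    s.sendto(hello, other)
                else:
                    inbox[src] = data.decode()  # may arrive before the lobby's reply
            break
        except socket.timeout:
            continue
    # Only the endpoint the lobby named counts; a source-address match is not authentication.
    results[name] = inbox.get(other)
    s.close()

def run_demo():
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))              # constructed loopback setup
        srv.settimeout(5)
        results = {}
        threads = [threading.Thread(target=lobby, args=(srv,))]
        threads += [threading.Thread(target=peer, args=(n, srv.getsockname(), results)) for n in "AB"]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    return results
```

`run_demo()` returns a dict mapping each peer's name to the datagram it received from the other peer.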

6th July 2004, 10:12 PM
Registered User
Join Date: May 2004
Location: Arizona
Posts: 119

If you're asking if Linux has anything like Windows has implemented in ICS regarding the UPnP open standard....
http://upnp.sourceforge.net/
which is used to make things such as
http://linux-igd.sourceforge.net/
Last edited by jeru; 6th July 2004 at 10:18 PM.

7th July 2004, 09:50 AM
Registered User
Join Date: Jun 2004
Posts: 75

What you are asking for seems a bit difficult and I can't think of an easy workaround...
The issue is trust... how can you get any application... that lives in one secure environment... to move through a different firewall... without telling that firewall what you are trying to do? I would hope that the firewall would block anything that it doesn't specifically know about.
If you don't want to open ports and your clients are both Linux systems... you could tunnel between the firewalls with VPN, IPSec, SSH... but you would have to set up the tunnel ahead of time and provide the trust relationship and have some open ports that would be used... for example tunnel ssh over open telnet ports on each router, then have the ssh servers pass the requests through to the application (Game)... So essentially you would start up SSH with a tunnel that would pass all ports (1716-1800 for example) to the other system through port 23 (but secured by an ssh wrapper).
You would still need to have some open ports on either side, but you could use existing open ports like 80, 23, 22 etc... and drive an encrypted stream carrying the stuff that you want.
Just a thought.