Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
The community reviewed whether to reopen this question 4 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
So, i have been reading up on NAT-Punchthrough. I seem to be getting the idea, but i have a hard time implementing it, and i feel that i am missing a step here.
Testing this functionality is kind of hard because i have little control over the environment when it comes to a internet based connection.
I have a SQL server to run as my "facilitator" it keeps the external address of both server and client, and their port as seen by the outside.
Here are steps so far:
- I connect to my SQL server through a web request (PHP script) that stores server/client IP/PORT
- When both are known, both client and server attempt connecting (server hosts on a set port, client connects over a set port)
- Nothing significant happens
There are 2 unknowns here, and i would like to check one with you.
Is it true that NAT-Punchthrough requires that i do the first step with the exact (internal/LAN) port i plan to connect with in the step after that?
If so, i don't know how exactly my server works underwater, so it might need more ports then my initial given static port to connect over, but that at least gives me a hint.
If anyone has more documentation on this then me, please let me know.
Sources:
Programming P2P application
http://www.mindcontrol.org/~hplus/nat-punch.html
NAT punch through works on the principle of educated guesswork. It is usually used to create connections with devices that do IP Masquerading. This is the technology used in most home internet modems to the point that NAT has become interchangeably used to refer to IP Masquerading.
When you connect out from a device which is behind a NAT system like a home modem. You have no control of the port that will be used for the outbound connection to the Internet. However many of these devices allocate ports using specific patterns. For example, incremental numbers.
NAT punch through involves trying to directly connect two source systems that are both behind independent NAT devices. A third system, your "facilitator" acts as a detector for the origin port numbers currently being assigned by both NAT devices on outbound connections. The origin port number, along with the IP address is then sent to the other parties.
So now the clever bit to answer your question. Both systems that want to directly connect, start trying to communicate to the other. They try connecting to a range of ports, around the known port number detected by the facilitator. This is the guesswork.
It is important that both source systems start trying to connect as this will establish NAT sessions in the local devices that allow traffic from the Internet in. If either source device correctly guesses one of those NAT session port numbers, then a connection is established.
In reality, engineers from organisations that have use for NAT punch through have probably spent some time examining the more popular NAT port allocation algorithms and tuning their software. If you have control of connections through your NAT devices, then it would be fairly easy to set up some tests and see how the port numbers change between connections to different servers.
Related
(Remaining segment of original Question)
I'm a bit confused on logistics of a software firewall app on a client side computer that blocks incoming on a port. Texts generally depict a Server initiating the bind to a port then setting up listening. Then clients can attempt to connect to this server, upon which the Server assigns the Client another free port number to form the connection protocol tuple.
But how does an app on a client setup or bind to a port to monitor and/or block it?
UPDATE EDIT ADD:
I looked at the links 4dc0 gave in comment and they were helpful.
So I deleted certain segments of my original question as answered to a point that they are mute issue of concern.
After doing more reading I found in the context of servers, 0.0.0.0 means all IPv4 addresses on the local machine. So this led me in a new direction of decipher.
so I looked at this, >netstat -a -n -o -b
I like the -b switch cause some PIDs don't show in task man svcs.
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:49168 0.0.0.0:0 LISTENING 2020
listening
[NortonSecurity.exe]
TCP 0.0.0.0:49169 0.0.0.0:0 LISTENING 2020
[NortonSecurity.exe]
TCP 192.168.1.5:49170 13.91.60.30:443 ESTABLISHED 2020
[NortonSecurity.exe]
TCP 192.168.1.5:51220 50.23.246.167:80 TIME_WAIT 0
TCP 192.168.1.5:51223 151.101.1.69:443 ESTABLISHED 5504
[firefox.exe]
This was interesting but I still needed help deciphering the full impact. I did more searching and found this link,
How do multiple clients connect simultaneously to one port, say 80, on a server?
While a different Title persey it gave me a lot of insight into this and more directions to search from here. Additionally it gave a good book link which in the used sellers section was affordable.
I can see many reasons why someone qualified would not reply to a post like this. However my naivety in posting the question was surpassed only by my desire to get more insight into these facets. Admittedly I was not seeking to write code for such, but desired a deeper understanding of it. As I searched through one clue to the next I realized the depth and scope of what I sought. And after some effort I did find enough to give me an idea of what's going. In case anyone comes by here with same curiosities I'm posting up a few of the better links I found.
Some links are dated but contain paradigm related content of application based filtering, tracking, layer 3, 4, and/or drivers via the NDIS firewall paradigms.
https://www.symantec.com/connect/articles/software-firewalls-made-straw-part-1-2
https://learn.microsoft.com/en-us/windows-hardware/drivers/network/ndis-driver-stack
https://learn.microsoft.com/en-us/windows-hardware/drivers/netcx/
https://www.codeproject.com/Articles/3405/Developing-Firewalls-for-Windows-2000-XP
https://www.codeproject.com/Articles/5602/Simple-Packet-Filter-Firewall
https://www.novell.com/documentation/nbm38/?page=/documentation/nbm38/overview/data/ae70q0b.html
http://programmerworld.net/personal/firewall.htm
Good recommended book
https://www.amazon.com/exec/obidos/tg/detail/-/0471205443/qid=1094828844/sr=1-1/ref=sr_1_1/103-9352427-0026242?v=glance&s=books&tag=hardfocom-20
Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 months ago.
Improve this question
I want my pods to receive multicast network traffic flowing from outside of my kubernetes cluster to specific ports in my nodes.
I'm considering two solutions:
Adding hostNetwork: true flag to their yaml file along with hostPort configuration in order to receive the traffic directly to the pod.
Forwarding the traffic locally on the nodes from eth0 interface to docker0 interface using iptables command.
Method 1 is an official feature in Kubernetes, but it feels like breaking a security wall that docker originally imposed, and might cause port
collisions with host's processes, etc.
Method 2 on the other hand transparently forwards the multicast network traffic to the pods.
Despite the fact I can use an automation tool to spread this configuration (ansible/salt etc), anything configured 'out of the scope' of Kubernetes feels a little hacky to me.
Would like to hear your pros and cons, comments, and maybe other solutions to the problem of multicasting to a kubernetes cluster.
A cleaner way to support multicast is to add an additional interface to your PODs through multus-cni. Then, you could associate this new multus interface to your host network interface that will receive multicast traffic on the host. Summarizing, you will have two interface on your POD i.e:
net1 (default) for pod-to-pod communication and other unicast traffic.
eth0 (multus) for multicast traffic. Then you will need to "join" it with a NIC in your host machine, either by using bridge or macvlan
See more details here: https://github.com/intel/multus-cni/blob/master/docs/quickstart.md
In the end we picked method 1, as it is the documented way to achieve what we wanted, and I can report that it works fine.
I heard that WeaveWorks supports multicast: https://www.weave.works/use-cases/multicast-networking/
github issue has few words on multicast support
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I developed an internet-based IOS app,and my app communicates with the server through html requests.
It works perfect when I test it locally. But when I test it through the internet,it seems the html requests can't be received by the server.
I am using my Mac Pro as the server ,and the laptop is connected to the internet via the same wifi as the my iPhones.
So,how can I make a laptop connected to internet via wifi an server?
There are a lot of complications to making something available on the internet from a home machine, and it's not clear from your problem statement where the problem lies. Here are some of the most common gotchas:
Check that the server is accessible from another computer on the same local area network as the server (leave the iOS device out of it at firs - if not, the server is misconfigured. Check firewall settings on the server.
I understand that you want this accessible from devices outside the local area network (ie, you want it to be usable from anywhere, not just your home network). For this, you must configure your router to forward the appropriate port (probably 80, depending on the server software you're using) to the server. This is called "Port Forwarding" or other similar names (depending on the router manufacturer); consult the documentation for your router for information on how to enable it, as the process varies between make and model. Note that some ISP's supply a cable/dsl modem that has it's own firewall in it (for example, comcast business class does this), so you may also have to set up port forwarding on that as well.
You need to specify the external IP address of the server (you can use whatsmyip.com or similar to find it) when connecting to it over the internet, not the LAN IP.
As everything is working locally, the problem is located in the device linking your laptop to the internet : your internet box.
By default, when it receives request from outside, your box will reject them, because this is a security risk (it could allow anyone to access your private network server, and if there is a security breach in a member, this could be a real problem). Moreover, your box has most of the times more than on device connected, so how can it know which device the request it gets is for?
Luckily, there is a way to tell your box "Hey! If you receive a request on this port, forward it to my laptop!". It is called port forwarding. This is quite difficult to explain as every ISP has a different implementation of this. But to set this, you have to connect to your box's administration interface and look for the section related to port forwarding.
Once you're there, you will have to set the port (if you run an HTTP application, it is 80 for example), a protocol (use both in doubt), and finally the destination IP. This is the IP of your computer on the local network. You can get it using ipconfig on Windows.
Once you have set your forward rule, you should be able to acces your app from the internet using either a Dynamic DNS service, or your Internet address, which you can get from websites such as http://www.whatismyip.org
Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 12 days ago.
Improve this question
Imagine this situation that there are some smartphones and computer around with their WiFi adapter (wireless adapters) on, but not necessary connected to a network.
Is there a way to look the MAC addresses via a Linux machine?
Any insights are appreciated.
Disconnected clients aren't always silent. In fact, more often than not, clients send out directed and broadcast probe requests searching for access points they have connected to previously, thus revealing their MAC addresses which can be displayed through airodump-ng or by filtering capture packets in Wireshark to display probe requests.
This is the suitable Wireshark filter:
wlan.fc.type_subtype eq 4
Old question, but i'll have a go anyway.
Wifi enabled devices usually send probe requests to try to find Access points they previously have been connected to, even when they are nowhere near them.
If you're using backtrack/kali linux, try this:
Create a wireless adapter alias running in monitor mode (assuming your adapter name is wlan0):
airmon-ng start wlan0
Start scanning for devices and access points:
airodump-ng mon0
The access points will be listed first with their Mac addresses under "BSSID", followed by the devices which will have their MAC addresses listed under "STATION" and a "not associated" flag under "BSSID" if they aren't connected to an access point.
I would like to setup a network connection (RTP or UDP) between two computers at different locations, each of which is behind a NAT modem/firewall. I do not want any modification of the firewalls.
My working assumption is that I need a bot somewhere that both computers can reach (eg a shell account on an internet server). Each computer connects out to the bot and the bot allows the two computers to update and query status and to exchange data.
This is ok as far as it goes, but it means that all data travels via the bot. Is there a way I can connect the two computers without the bot, or failing that, allow the bot to drop out of the data exchange once a connection has been setup? My feeling is that there is no way to do this, but my TCP/IP is a bit rusty...
If you assume nothing on the NAT/Firewall your are correct.
Hole-Punching for example will not work with overloaded NAT (PAT) as far as I know, because the source port is randomized by the NAT device, and it maps/match both the destination public address and the picked up source port elected.
UPnP may work, but again you need to assume it exist and enabled on the NAT device.
As I see it, you got only two options if you want to be generic:
1. Configure the NAT.
2. Use a proxy (the bot you mentioned).
Skype for example uses the second, but does it in a distributed manner by using every Skype client as a potential proxy (probably only if it detects it is not behind a NAT or not limited by it).