Server in a NAT subnet?

 
 
UM
      11-23-2006, 04:58 PM
Hi,

I posted the following message in comp.protocols.tcp-ip earlier but
there was no reply... Since my implementation is in Linux, here it
goes:

I have a few NAT related questions. Here is my scenario; I have a
generic wireless ADSL modem/router, and I would like to open a TCP/IP
connection from outside the subnet to a node in the subnet.

My thinking is:

1. The router in its basic form of operation does simple IP
translation? I.e., 192.168.1.2 <-> A.B.C.D where A.B.C.D is the IP
address given by the ADSL provider.

Basically, the router is what it says on the tin, an IP router?

2. Connection establishment:

2.1. Client in the subnet, server somewhere on the internet:

The client in the subnet opens a TCP connection to the server, e.g.,
connect() call. The sockaddr returned by the server accept() function
has the IP address of the router and the port number which the client
opened? Basically the router replaced the IP header from subnet address
to its address.

Server sends data: The router has a table of open connections (stateful
NAT), and forwards the IP packet to the node which has opened the
connection.

2.2. Server in the subnet and client somewhere else with a global
routable address.

I have a problem at this point. I would like the server to publish its
address which gets stored in a database and at one point in time a
client reads the address and decides to call the server.

I can't publish node's IP address as this is not reachable from
outside, and I am not sure what happens if I publish the router's
address.

Question 1. Is it possible for a node in the subnet, to know that it is
in a subnet and its address isn't global? How would an application
check this? I mean what socket functions do I need?

Question 2. Let's assume the node knows it is in a subnet, how would
the node read the global address of the router?

Question 3. Let's assume the server published router's address and
the client connects(). Since there is no open connection from within
the subnet, how does the router know where to route the packets?

Question 4. Is this where port forwarding comes in play? The router
sends all packets destined for a certain port number to the node which
is registered for port forwarding? But this requires administrative
changes in the router, what if the user moves to a subnet, gets IP with
dhcp and can't register for port forwarding?

Question 5. Is there such a broadcast packet (ARP message) in the
routers as "who is listening on port X?"? The server that publishes
the address is listen()'ing for connect() from clients.

Any general comments on how to write a server behind a NAT would be
helpful.


Regards,

UM

 
Moe Trin
      11-24-2006, 06:59 PM
On 23 Nov 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed). com>, UM wrote:

>I posted the following message in comp.protocols.tcp-ip earlier but
>there was no reply... Since my implementation is in Linux, here it
>goes:


Yes, but you have to allow time. Your comp.protocols.tcp-ip posting
was at '23 Nov 2006 07:28:59 -0800', while this post is just two and a
half hours later at '23 Nov 2006 09:58:53 -0800'.

>My thinking is:
>
>1. The router in its basic form of operation does simple IP
>translation? I.e., 192.168.1.2 <-> A.B.C.D where A.B.C.D is the IP
>address given by the ADSL provider.
>
>Basically, the router is what it says on the tin, an IP router?


Well, that does depend on a few circumstances you haven't mentioned, but
is basically correct.

>2.1. Client in the subnet, server somewhere on the internet:
>
>The client in the subnet opens a TCP connection to the server, e.g.,
>connect() call. The sockaddr returned by the server accept() function
>has the IP address of the router and the port number which the client
>opened? Basically the router replaced the IP header from subnet address
>to its address.


Basically correct. The router might also replace the source port number
as well, but the concept is still the same.

>2.2. Server in the subnet and client somewhere else with a global
>routable address.
>
>I have a problem at this point. I would like the server to publish its
>address which gets stored in a database and at one point in time a
>client reads the address and decides to call the server.


No, because

>I can't publish node's IP address as this is not reachable from
>outside, and I am not sure what happens if I publish the router's
>address.


Ignoring any 'Acceptable Use Policy' or 'Terms of Use' that your ISP may
have, if you have forwarded the port from the router's world address (let's
say '88.107.131.106' that you posted from, and port 80) to the internal
address/port of the real server, then it's essentially the same as above.
The router does IP re-writing, and the connection goes through.

>Question 4. Is this where port forwarding comes in play? The router
>sends all packets destined for a certain port number to the node which
>is registered for port forwarding?


Yes

>But this requires administrative changes in the router, what if the user
>moves to a subnet, gets IP with dhcp and can't register for port forwarding?


Then you've discovered another one of the disadvantages of DHCP.

>Question 5. Is there such a broadcast packet (ARP message) in the
>routers as "who is listening on port X?"? The server that publishes
>the address is listen()'ing for connect() from clients.


Not in IP - you're perhaps thinking of something like Portmapper which is
more an NIS function.

>Any general comments on how to write a server behind a NAT would be
>helpful.


It's no different than writing one in a non-NAT situation. Where you may
be running into problems is DHCP.

Old guy
 
UM
      11-25-2006, 12:16 AM
> >I can't publish node's IP address as this is not reachable from
> >outside, and I am not sure what happens if I publish the router's
> >address.
>
> Ignoring any 'Acceptable Use Policy' or 'Terms of Use' that your ISP may
> have, if you have forwarded the port from the router's world address (let's
> say '88.107.131.106' that you posted from, and port 80) to the internal
> address/port of the real server, then it's essentially the same as above.
> The router does IP re-writing, and the connection goes through.


Sorry I didn't get this part. I am not aware of any legal limitations
ISPs place on incoming connections.

The definition of a server in my post is a process that calls listen()
and accept()'s TCP/IP connections. Is this not allowed?

 
Moe Trin
      11-25-2006, 08:26 PM
On 24 Nov 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, UM wrote:

>>> I can't publish node's IP address as this is not reachable from
>>> outside, and I am not sure what happens if I publish the router's
>>> address.
>>
>> Ignoring any 'Acceptable Use Policy' or 'Terms of Use' that your ISP may
>> have, if you have forwarded the port from the router's world address (let's
>> say '88.107.131.106' that you posted from, and port 80) to the internal
>> address/port of the real server, then it's essentially the same as above.
>> The router does IP re-writing, and the connection goes through.

>
>Sorry I didn't get this part. I am not aware of any legal limitations
>ISPs place on incoming connections.


Some ISPs have rules that a home user may not operate a server (meaning
something that provides services to the Internet). For example, more
ISPs are blocking traffic to/from port 25 in an effort to reduce zombie
spam. Others make the rules in order to increase their income - if you
want to run a server, you must have a commercial account, not a home or
personal type account.

>The definition of a server in my post is a process that calls listen()
>and accept()'s TCP/IP connections. Is this not allowed?


As far as being allowed, you need to read the agreement you have with
your ISP.

Your server is unaware that the world thinks it is located on a different
IP address. The world might see your server on 88.107.131.106, but the
router is re-writing the destination address to 192.168.1.2, and sending
it to that address. On the way back - the router changes the source
address from 192.168.1.2 to 88.107.131.106 and the clients out in the
world have no idea that '88.107.131.106' isn't the actual server.

The only time this might be a problem is if you are hard-coding the IP
address _within_ the data (think of a web page, that includes a URL to
another page on your server - with NAT, you need to code that URL with
the external _name_ that resolves to the external address of your
router [which will then NAT that separate connection, and fetch the page
from your server]). But this should have no effect on the network end
of your server program.

Old guy
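
Question 1 in the thread (how an application can tell that its own address is not global) is not answered in the replies. As an added example, not part of any post here: the C program below asks the kernel which source address it would use for outbound traffic and checks it against the private, carrier NAT, link-local and loopback ranges. The function names and the 192.0.2.1 probe destination are assumptions of the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example. 1 = in a non-global range, 0 = in none of them, -1 = parse error. */
int ipv4_is_non_global(const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return -1;
    uint32_t ip = ntohl(a.s_addr);
    return (ip & 0xff000000u) == 0x0a000000u ||  /* 10.0.0.0/8 (RFC 1918) */
           (ip & 0xfff00000u) == 0xac100000u ||  /* 172.16.0.0/12 (RFC 1918) */
           (ip & 0xffff0000u) == 0xc0a80000u ||  /* 192.168.0.0/16 (RFC 1918) */
           (ip & 0xffc00000u) == 0x64400000u ||  /* 100.64.0.0/10 (carrier NAT) */
           (ip & 0xffff0000u) == 0xa9fe0000u ||  /* 169.254.0.0/16 (link-local) */
           (ip & 0xff000000u) == 0x7f000000u;    /* 127.0.0.0/8 (loopback) */
}

/* Source address the kernel would pick for traffic to dest. connect() on a
 * UDP socket only does the route lookup; no packet is sent. */
int local_addr_towards(const char *dest, char *out, socklen_t outlen)
{
    struct sockaddr_in peer = { .sin_family = AF_INET, .sin_port = htons(9) };
    struct sockaddr_in self;
    socklen_t len = sizeof self;
    int fd, rc = -1;
    if (inet_pton(AF_INET, dest, &peer.sin_addr) != 1 ||
        (fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&peer, sizeof peer) == 0 &&
        getsockname(fd, (struct sockaddr *)&self, &len) == 0 &&
        inet_ntop(AF_INET, &self.sin_addr, out, outlen) != NULL)
        rc = 0;
    close(fd);
    return rc;
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    /* 192.0.2.1 (RFC 5737 documentation range) is an assumed probe target. */
    if (local_addr_towards("192.0.2.1", addr, sizeof addr) != 0)
        return 1;
    printf("%s: %s\n", addr, ipv4_is_non_global(addr)
           ? "not globally routable" : "globally routable");
    return 0;
}
```

A local socket call only reports the host's own interface address, so the router's public address (Question 2) has to come from outside the host, for example from a peer that reports the source address it sees in accept().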

 