NAT Types

The earliest widely used classification of NATs is the set of four types defined by STUN (RFC 3489):
   Full Cone: A full cone NAT is one where all requests from the
      same internal IP address and port are mapped to the same external
      IP address and port.  Furthermore, any external host can send a
      packet to the internal host, by sending a packet to the mapped
      external address.

   Restricted Cone: A restricted cone NAT is one where all requests
      from the same internal IP address and port are mapped to the same
      external IP address and port.  Unlike a full cone NAT, an external
      host (with IP address X) can send a packet to the internal host
      only if the internal host had previously sent a packet to IP
      address X.

   Port Restricted Cone: A port restricted cone NAT is like a
      restricted cone NAT, but the restriction includes port numbers.
      Specifically, an external host can send a packet, with source IP
      address X and source port P, to the internal host only if the
      internal host had previously sent a packet to IP address X and
      port P.

   Symmetric: A symmetric NAT is one where all requests from the
      same internal IP address and port, to a specific destination IP
      address and port, are mapped to the same external IP address and
      port.  If the same host sends a packet with the same source
      address and port, but to a different destination, a different
      mapping is used.  Furthermore, only the external host that
      receives a packet can send a UDP packet back to the internal host.

However, this definition left many points ambiguous and caused confusion, so a new document, RFC 4787, was published to define NAT behaviour instead; it abandons the earlier classification of NATs into types.

RFC 4787 describes NAT functionality in terms of two separate behaviours: mapping and filtering.


Mapping refers to how an outgoing packet's internal address and port are mapped to an external IP address and port;

Filtering refers to the decision the NAT makes when a packet arrives from outside: whether or not to forward it to the internal host.


   The following address and port mapping behavior are defined:

   Endpoint-Independent Mapping:
         The NAT reuses the port mapping for subsequent packets sent
         from the same internal IP address and port (X:x) to any
         external IP address and port.  Specifically, X1':x1' equals
         X2':x2' for all values of Y2:y2.

   Address-Dependent Mapping:
         The NAT reuses the port mapping for subsequent packets sent
         from the same internal IP address and port (X:x) to the same
         external IP address, regardless of the external port.
         Specifically, X1':x1' equals X2':x2' if and only if, Y2 equals
         Y1.

   Address and Port-Dependent Mapping:
         The NAT reuses the port mapping for subsequent packets sent
         from the same internal IP address and port (X:x) to the same
         external IP address and port while the mapping is still active.
         Specifically, X1':x1' equals X2':x2' if and only if, Y2:y2
         equals Y1:y1.



   The key behavior to describe is what criteria are used by the NAT to
   filter packets originating from specific external endpoints.

   Endpoint-Independent Filtering:
         The NAT filters out only packets not destined to the internal
         address and port X:x, regardless of the external IP address and
         port source (Z:z).  The NAT forwards any packets destined to
         X:x.  In other words, sending packets from the internal side of
         the NAT to any external IP address is sufficient to allow any
         packets back to the internal endpoint.

   Address-Dependent Filtering:
         The NAT filters out packets not destined to the internal
         address X:x.  Additionally, the NAT will filter out packets
         from Y:y destined for the internal endpoint X:x if X:x has not
         sent packets to Y:any previously (independently of the port
         used by Y).  In other words, for receiving packets from a
         specific external endpoint, it is necessary for the internal
         endpoint to send packets first to that specific external
         endpoint's IP address.

   Address and Port-Dependent Filtering:
         This is similar to the previous behavior, except that the
         external port is also relevant.  The NAT filters out packets
         not destined for the internal address X:x.  Additionally, the
         NAT will filter out packets from Y:y destined for the internal
         endpoint X:x if X:x has not sent packets to Y:y previously.  In
         other words, for receiving packets from a specific external
         endpoint, it is necessary for the internal endpoint to send
         packets first to that external endpoint's IP address and port.
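To make the three mapping behaviours and the three filtering behaviours above concrete, here is a small simulation of a NAT's UDP decisions, with the four RFC 3489 names from the start of the page attached to the RFC 4787 combinations they are usually taken to correspond to. This is an added example written for this page, not code from either RFC; the class and function names, the addresses used (203.0.113.1, 10.0.0.2, 198.51.100.x from the documentation ranges) and the RFC 3489 correspondence table are assumptions for illustration.

```python
from enum import Enum
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port), written X:x / Y:y as in RFC 4787


class Mapping(Enum):
    ENDPOINT_INDEPENDENT = "Endpoint-Independent Mapping"
    ADDRESS_DEPENDENT = "Address-Dependent Mapping"
    ADDRESS_PORT_DEPENDENT = "Address and Port-Dependent Mapping"


class Filtering(Enum):
    ENDPOINT_INDEPENDENT = "Endpoint-Independent Filtering"
    ADDRESS_DEPENDENT = "Address-Dependent Filtering"
    ADDRESS_PORT_DEPENDENT = "Address and Port-Dependent Filtering"


# Assumed correspondence between RFC 3489 type names and RFC 4787 behaviour pairs.
# Combinations missing here had no RFC 3489 name, one reason that classification was dropped.
STUN_CLASSIC_NAMES = {
    (Mapping.ENDPOINT_INDEPENDENT, Filtering.ENDPOINT_INDEPENDENT): "Full Cone",
    (Mapping.ENDPOINT_INDEPENDENT, Filtering.ADDRESS_DEPENDENT): "Restricted Cone",
    (Mapping.ENDPOINT_INDEPENDENT, Filtering.ADDRESS_PORT_DEPENDENT): "Port Restricted Cone",
    (Mapping.ADDRESS_PORT_DEPENDENT, Filtering.ADDRESS_PORT_DEPENDENT): "Symmetric",
}


class ToyNAT:
    """Single-external-address NAT modelling only the mapping and filtering decisions."""

    def __init__(self, mapping: Mapping, filtering: Filtering,
                 external_ip: str = "203.0.113.1", first_port: int = 40000):
        self.mapping = mapping
        self.filtering = filtering
        self.external_ip = external_ip
        self._next_port = first_port
        self._mappings: Dict[tuple, Endpoint] = {}  # mapping key -> external X':x'
        # external X':x' -> (internal X:x, set of Y:y the internal host has sent to)
        self._bindings: Dict[Endpoint, Tuple[Endpoint, Set[Endpoint]]] = {}

    def _mapping_key(self, internal: Endpoint, dest: Endpoint) -> tuple:
        # Which parts of (X:x, Y:y) decide whether an existing X':x' is reused.
        if self.mapping is Mapping.ENDPOINT_INDEPENDENT:
            return (internal,)
        if self.mapping is Mapping.ADDRESS_DEPENDENT:
            return (internal, dest[0])
        return (internal, dest)

    def send(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        """Outbound packet from X:x to Y:y; returns the external X':x' it leaves with."""
        key = self._mapping_key(internal, dest)
        external = self._mappings.get(key)
        if external is None:
            external = (self.external_ip, self._next_port)
            self._next_port += 1
            self._mappings[key] = external
            self._bindings[external] = (internal, set())
        self._bindings[external][1].add(dest)  # remembered for the filtering decision
        return external

    def receive(self, external: Endpoint, src: Endpoint) -> Optional[Endpoint]:
        """Inbound packet from Z:z to X':x'; returns the X:x it is forwarded to, or None if filtered."""
        binding = self._bindings.get(external)
        if binding is None:
            return None  # no mapping for this external port: dropped under every behaviour
        internal, contacted = binding
        if self.filtering is Filtering.ENDPOINT_INDEPENDENT:
            return internal
        if self.filtering is Filtering.ADDRESS_DEPENDENT:
            return internal if any(ip == src[0] for ip, _ in contacted) else None
        return internal if src in contacted else None


def probe(mapping: Mapping, filtering: Filtering) -> dict:
    """Run one constructed scenario through a NAT and report what an observer would see."""
    nat = ToyNAT(mapping, filtering)
    host = ("10.0.0.2", 5000)                                   # internal X:x (constructed)
    y1, y2 = ("198.51.100.10", 3478), ("198.51.100.20", 3478)  # two external peers (constructed)
    ext1 = nat.send(host, y1)
    ext2 = nat.send(host, y2)
    return {
        "stun_name": STUN_CLASSIC_NAMES.get((mapping, filtering), "(no RFC 3489 name)"),
        "same_external_port_for_both_peers": ext1 == ext2,
        "reply_from_y1": nat.receive(ext1, y1) is not None,
        "reply_from_y1_other_port": nat.receive(ext1, (y1[0], 9999)) is not None,
        "packet_from_stranger": nat.receive(ext1, ("198.51.100.30", 3478)) is not None,
    }


if __name__ == "__main__":
    for m in Mapping:
        for f in Filtering:
            print(m.name, f.name, probe(m, f))
```

Running the loop prints the nine behaviour pairs; the four named rows reproduce the RFC 3489 descriptions (for example, the Symmetric row is the only one where the two peers see different external ports, and the Port Restricted row is the one where a reply from the right address but a different port is dropped). The other five rows are exactly the NATs the older classification could not name.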
