For how long a router keeps records in the NAT and can they be reused forwarding requests from other hosts?


Question


There is an answer explaining in simple terms how a router works translating requests from the local network to outside and back (https://superuser.com/questions/105838/how-does-router-know-where-to-forward-packet). What is not clear is for how long a record in the NAT is kept.

For example, if I send a UDP request to 25.34.11.56:3874 and my local endpoint is 192.168.1.21:54389, the router rewrites the request packet and adds a record to the NAT. Let's say the external endpoint will be 68.55.32.89:34535. Then the computer which received my request responds to 68.55.32.89:34535 and the packet is forwarded to the local 192.168.1.21:54389 in accordance with the NAT record. What happens after that to the records?


What if the 25.34.11.56:3874 decides to send a request to my external endpoint 68.55.32.89:34535 after 10 or 100 minutes? Will it still be forwarded by the router to the 192.168.1.21:54389?


Let's say there is another remote computer with the endpoint 55.43.77.98:8765. What will happen if this computer sends a request to my external endpoint 68.55.32.89:34535? Will it be forwarded to the local 192.168.1.21:54389 or will it be filtered out by the router because the remote endpoint does not match 25.34.11.56:3874 which was initially used for the first request and for the NAT record?

Answer

It depends.


According to Section 4.3 of RFC 4787, the UDP timeout of a NAT should not be smaller than 2 minutes (120 seconds), except for selected, well-known ports. In practice, however, routers tend to use smaller timeouts. For example, OpenWRT 14.07 uses a timeout of just 60 seconds.


For TCP, the timeouts can be much larger, since TCP connections are usually terminated by an explicit FIN/FIN-ACK exchange. For established TCP connections, Section 5 of RFC 5382 specifies a timeout of no less than 2 hours 4 minutes (7204 seconds), and OpenWRT uses 7440 seconds.


Concerning your second question, most NATs maintain mappings that are specific to a pair of endpoints (socket addresses). If a host A inside the NAT sends a datagram to socket address B, then the mapping will only apply to communication between A and B — a different host C outside the NAT will not be able to use that particular mapping to send data to A. (Some so-called full cone NATs allow that, but they are fairly rare.)
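The following is an added example, not code from the original question or answer: a small Python model of a NAT mapping table that replays the scenario from the question (A = 192.168.1.21:54389, B = 25.34.11.56:3874, C = 55.43.77.98:8765, public address 68.55.32.89) against the two behaviours the answer describes, an idle timeout (120 s per RFC 4787 Section 4.3, or the 60 s OpenWRT value) and endpoint-dependent filtering versus full cone. The class `UdpNat`, the `filtering` parameter and the helper functions are this example's own names, not anything a real router exposes; the starting external port 34535 is taken from the question.

```python
"""Toy NAT mapping table with a UDP idle timeout and selectable filtering.

Added example (not part of the original thread). Timeouts and addresses come
from the question and answer; all class/function names are assumed.
"""
from dataclasses import dataclass

Endpoint = tuple  # (ip, port)


@dataclass
class Mapping:
    internal: Endpoint   # host inside the NAT, e.g. ("192.168.1.21", 54389)
    external: Endpoint   # public endpoint handed out, e.g. ("68.55.32.89", 34535)
    remote: Endpoint     # remote endpoint that the mapping was created for
    last_used: float     # time of the last outbound packet through the mapping


class UdpNat:
    """NAT with a per-mapping idle timeout and two filtering behaviours.

    filtering="endpoint": only the remote endpoint that was contacted may send
                          inbound datagrams through the mapping (the common
                          case in the answer).
    filtering="none":     any remote host may use the mapping ("full cone").
    """

    def __init__(self, public_ip, timeout=120.0, filtering="endpoint"):
        self.public_ip = public_ip
        self.timeout = timeout
        self.filtering = filtering
        self.mappings = {}          # external (ip, port) -> Mapping
        self.next_port = 34535      # constructed: first port to hand out

    def _expire(self, now):
        # Drop every mapping idle for longer than the timeout.
        for ext, m in list(self.mappings.items()):
            if now - m.last_used > self.timeout:
                del self.mappings[ext]

    def outbound(self, internal, remote, now):
        """Inside host sends a datagram; returns the external endpoint used.

        Only outbound traffic refreshes the timer here (RFC 4787 requires
        outbound refresh and merely permits inbound refresh)."""
        self._expire(now)
        for ext, m in self.mappings.items():
            if m.internal == internal and m.remote == remote:
                m.last_used = now
                return ext
        ext = (self.public_ip, self.next_port)   # new mapping, new port
        self.next_port += 1
        self.mappings[ext] = Mapping(internal, ext, remote, now)
        return ext

    def inbound(self, remote, external, now):
        """Datagram from `remote` arrives at `external`; returns the internal
        endpoint it is forwarded to, or None if the router drops it."""
        self._expire(now)
        m = self.mappings.get(external)
        if m is None:
            return None                     # expired or never existed
        if self.filtering == "endpoint" and m.remote != remote:
            return None                     # another remote host: filtered
        return m.internal


A = ("192.168.1.21", 54389)
B = ("25.34.11.56", 3874)
C = ("55.43.77.98", 8765)


def run_scenario(timeout=120.0, filtering="endpoint"):
    """Replays the question: A sends to B, B replies, C tries, B retries later."""
    nat = UdpNat("68.55.32.89", timeout=timeout, filtering=filtering)
    ext = nat.outbound(A, B, now=0.0)
    return {
        "external": ext,
        "reply_from_b": nat.inbound(B, ext, now=1.0),
        "from_c": nat.inbound(C, ext, now=2.0),
        "from_b_after_10min": nat.inbound(B, ext, now=600.0),
    }


def keepalive_keeps_mapping(timeout=120.0, interval=60.0, until=600.0):
    """True if periodic outbound datagrams keep the original mapping alive."""
    nat = UdpNat("68.55.32.89", timeout=timeout)
    ext = nat.outbound(A, B, now=0.0)
    t = interval
    while t < until:
        nat.outbound(A, B, now=t)   # if expired, this silently gets a NEW port
        t += interval
    return nat.inbound(B, ext, now=until) == A


if __name__ == "__main__":
    print(run_scenario())                       # default: 120 s, endpoint filtering
    print(run_scenario(filtering="none"))       # full cone: C gets through
    print(keepalive_keeps_mapping(interval=60.0), keepalive_keeps_mapping(interval=180.0))
```

Two things the model makes visible that the prose only implies: with endpoint-dependent filtering the datagram from C is dropped even while the mapping is fresh, and once the idle timer expires the next outbound datagram does not restore the old mapping but creates a new one on a different external port, so a keep-alive interval longer than the timeout (180 s against a 120 s NAT) silently breaks any peer that remembered 68.55.32.89:34535.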
