Is pwnat still an applicable solution?


Question

I need a solution for NAT traversal to transmit RDP data across the internet. I came across the following tool and it's really amazing - pwnat.

I have tried it with two different machines behind different routers, but I am unable to make it work as explained in the above link. So is pwnat still working, and if yes, what could I have done wrong? It would be very helpful for me.

Note: I am using a Windows machine for testing and downloaded the Windows version from the following link:

http://www.sumitgupta.net/pwnat-windows-complied-version/

Accepted answer

No.
I assume you know how it worked:
the server sent ICMP echo request packets to a fixed address (for example, 1.2.3.4) from which no echo replies would be returned; the client, pretending to be a hop on the Internet, sent an ICMP Time Exceeded packet to the server, expecting the NAT in front of the server to forward the ICMP Time Exceeded message to the server.

The picture above is from the homepage of pwnat; it rests on the premise that the client is not behind NAT and that the original payload in the Time Exceeded message is typically not checked by NAT implementations. If both client and server are behind NAT like this,

=========================================================================================
| CLIENT  | <---> |  NAT-C  | <---> { internet } <---> |  NAT-S  | <---> | SERVER |
=========================================================================================

it rarely works nowadays, mainly for the two reasons below:

  1. When the server sends ICMP echo request packets to the fixed address, then according to RFC 3022 the identifier field in the ICMP echo request header will be uniquely mapped by NAT-S to a query identifier of the registered IP address, so that it can route future ICMP Echo Replies with the same query ID to the sender; the ICMP header in ICMP Query packets must therefore be modified to replace the query ID and the ICMP header checksum. From the RFC 3022 section on ICMP error packet modifications:

In a NAPT setup, if the IP message embedded within ICMP happens to be a TCP, UDP or ICMP Query packet, you will also need to modify the appropriate TU port number within the TCP/UDP header or the Query Identifier field in the ICMP Query header.

But the client doesn't know the external query ID (the code in pwnat uses 0 as the identifier of the original request); it sends an ICMP Time Exceeded packet to the server, and even if the packet reaches NAT-S in front of the server, NAT-S can't find an active mapping for the embedded packet, so most NAT implementations will drop it.

  2. Moreover, according to RFC 5508, when NAT-C receives the ICMP Error packet from the Private Realm, NAT-C uses the packet embedded within the ICMP Error message (i.e., the IP packet from the client to the server) to look up the NAT Session to which the embedded packet belongs. If NAT-C does not have an active mapping for the embedded packet, NAT-C SHOULD silently drop the ICMP Error packet. It means the ICMP Time Exceeded packet from the client wouldn't even arrive at NAT-S.

So pwnat only works with basic NAT devices (as described in RFC 1631) which do simple address translation; it won't work with any NAPT device that has a robust NAPT implementation. And this paper does mention this problem.
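To make the answer's two-step argument concrete, the following is an added Python model of a NAPT that performs the RFC 3022 query-ID rewrite on an outbound echo request and the RFC 5508 session lookup on an inbound ICMP Time Exceeded. It is example code written for this page, not pwnat's code and not the answerer's. The sink address 1.2.3.4 and the query ID 0 come from the answer; the public address 203.0.113.10, the client address 198.51.100.7, the private server address 192.168.1.20, the starting external ID 0x5A01, and every helper and class name are constructed for the example. NAT-C's check on the private side (the second reason) is the same lookup in the other direction and is not modelled separately.

```python
"""Toy NAPT: ICMP query-ID rewriting (RFC 3022) and the ICMP-error session
lookup (RFC 5508). Constructed to illustrate the answer above; not pwnat code."""
import ipaddress
import struct
from typing import Optional

ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, protocol 1 (ICMP), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    body = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def icmp_time_exceeded(offending: bytes) -> bytes:
    """Type 11, code 0: 4 unused bytes, then the offending IP header + 8 bytes."""
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + offending[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_packet(src: str, dst: str, icmp: bytes) -> bytes:
    return ipv4_header(src, dst, len(icmp)) + icmp


def addr(pkt: bytes, off: int) -> str:
    return str(ipaddress.IPv4Address(pkt[off:off + 4]))


class Napt:
    """Single-public-address NAPT; ICMP sessions are keyed by query ID."""

    def __init__(self, public_ip: str, first_ext_id: int = 0x5A01):
        self.public_ip = public_ip
        self.next_ext_id = first_ext_id
        self.out = {}   # (private_ip, private_id, remote_ip) -> ext_id
        self.back = {}  # (ext_id, remote_ip) -> (private_ip, private_id)

    def outbound_echo(self, pkt: bytes) -> bytes:
        """RFC 3022: rewrite source address and query ID; the ICMP checksum
        is recomputed because the ID changed."""
        src, dst, icmp = addr(pkt, 12), addr(pkt, 16), pkt[20:]
        ident, seq = struct.unpack("!HH", icmp[4:8])
        key = (src, ident, dst)
        if key not in self.out:
            self.out[key] = self.next_ext_id
            self.back[(self.next_ext_id, dst)] = (src, ident)
            self.next_ext_id += 1
        return build_packet(self.public_ip, dst,
                            icmp_echo_request(self.out[key], seq, icmp[8:]))

    def inbound_icmp_error(self, pkt: bytes) -> Optional[bytes]:
        """RFC 5508: find the session of the packet embedded in the error;
        no mapping means the error is silently dropped (None)."""
        icmp = pkt[20:]
        if icmp[0] != ICMP_TIME_EXCEEDED:
            return None
        emb = icmp[8:]                      # embedded IP header + 8 ICMP bytes
        emb_id, emb_seq = struct.unpack("!HH", emb[24:28])
        if addr(emb, 12) != self.public_ip:
            return None
        session = self.back.get((emb_id, addr(emb, 16)))
        if session is None:
            return None
        private_ip, private_id = session
        # Un-translate the embedded echo and hand the error to the private host.
        inner = build_packet(private_ip, addr(emb, 16), icmp_echo_request(private_id, emb_seq))
        return build_packet(addr(pkt, 12), private_ip, icmp_time_exceeded(inner))


def pwnat_probe_demo() -> dict:
    """Server behind NAT-S pings the sink with ID 0 (pwnat's choice); a client
    error that also embeds ID 0 is dropped, one embedding the translated ID passes."""
    sink = "1.2.3.4"                        # fixed address from the answer
    nat_s = Napt("203.0.113.10")            # constructed NAT-S public address
    server, client = "192.168.1.20", "198.51.100.7"
    probe = nat_s.outbound_echo(build_packet(server, sink, icmp_echo_request(0, 1)))
    ext_id = struct.unpack("!H", probe[24:26])[0]
    # What the client can build: it knows NAT-S's public IP and pwnat's ID 0.
    guessed = build_packet(nat_s.public_ip, sink, icmp_echo_request(0, 1))
    spoof = nat_s.inbound_icmp_error(
        build_packet(client, nat_s.public_ip, icmp_time_exceeded(guessed)))
    # Counterfactual: an error embedding the translated ID would be forwarded.
    exact = build_packet(nat_s.public_ip, sink, icmp_echo_request(ext_id, 1))
    forwarded = nat_s.inbound_icmp_error(
        build_packet(client, nat_s.public_ip, icmp_time_exceeded(exact)))
    return {
        "ext_id": ext_id,
        "spoof_forwarded": spoof is not None,
        "exact_forwarded": forwarded is not None and addr(forwarded, 16) == server,
    }
```

Calling `pwnat_probe_demo()` returns `spoof_forwarded` as False and `exact_forwarded` as True: the only thing separating the dropped probe from the forwarded one is the translated query ID that NAT-S chose, which is exactly the value the answer says the client has no way to learn. A basic NAT in the RFC 1631 sense would rewrite only the address and leave the ID at 0, which is why the technique worked there.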
