NAT, the go-between for private networks and the outside world

I once went through just about every document that introduces the IP protocol, and I still could not explain how the computer in front of me reaches the outside world. The existing material on the IP network layer describes communication between private and public networks in a way that does not match everyday experience. In daily life every home and every company has its own private network, and addresses in different private networks may well be identical. Does a public host send data straight to a private IP? If a public host sends an IP packet whose destination is a private address, what happens, and which of the many private networks is supposed to receive it? In reality nothing does: routers on the public Internet carry no routes for the private ranges, so at the network layer a private IP and a public IP cannot talk to each other directly. To make that conversation work we have to look one layer up, at the transport layer, and the whole secret is hidden inside NAT (Network Address Translation).

In my earlier work I ran into the term NAT all the time, and it usually appeared next to Bridge (bridging) as a two-way choice. Configuring a VMware virtual machine, configuring Docker networking, setting up dial-up through a modem plus router: each time we have to pick either bridged or NAT. With the shallow understanding I had back then, the difference was simply this: in bridged mode the virtual machine's IP address sits in the same range as the host's, and in NAT mode it does not.

The different address range is only a symptom of configuring NAT. What is NAT really, and what job does it actually do?

NAT, Network Address Translation, is exactly what the name says: it translates network addresses. A device (or virtual device) implementing NAT has many private hosts on one side and, on the other side, a public address of its own facing the outside (which may be the Internet or simply another LAN). When a private host talks to an external host, it sends an IP packet carrying its own private source address to the NAT device; the NAT device rewrites that packet, replacing the source address with its own external address, and forwards it on. So from the external host's point of view it is the NAT device that is talking to it, not some private IP.

So when the external host sends data back to the NAT device, how does the NAT device get it to the right private host? This is not something the IP layer alone can do; it needs the transport layer. Take TCP as the example. TCP flows are identified by ports. The NAT device does not terminate the TCP connection (that would make it a proxy); the connection is still end to end between the private host and the external host. What the device does is rewrite the source port as well as the source address, picking a free port on its external address, and record the pair (private IP, private port) and (public IP, public port), together with the remote endpoint, in a mapping table. When a reply arrives at that public port, the device looks it up in the table and rewrites the destination back to the private address and port. Because the TCP and UDP checksums cover a pseudo-header that contains the IP addresses, the device also has to recompute the transport-layer checksum after rewriting. UDP is handled the same way even though it has no connections: UDP itself is stateless, but the NAT device keeps a mapping entry per UDP flow and expires it after a timeout. As long as the NAT device records and maintains this per-flow state, traffic between the two sides keeps flowing. One side effect worth knowing: an inbound packet that matches no table entry has nowhere to go and is dropped, which is why hosts behind NAT are unreachable from outside by default. That is a consequence of the mapping table, not an access-control policy; a firewall rule set is still needed for that.
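The mapping table described above, as an added example that is not part of the original post and does not model any particular vendor's implementation: an outbound packet gets its source rewritten to the NAT's public address plus a freshly allocated port, replies are matched against the table and rewritten back, and inbound packets with no entry are dropped. All addresses, ports and packets are constructed for the demo (the public side uses RFC 5737 documentation ranges).

```python
"""NAPT (port-translating NAT) table simulator; added example, not the post's code."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields of an IP + TCP/UDP packet that NAPT cares about."""
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


FlowKey = Tuple[str, str, int, str, int]   # proto, src ip, src port, dst ip, dst port


class Napt:
    """One NAT device with a single public address and a per-flow mapping table."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        # outbound: (proto, private ip, private port, remote ip, remote port) -> public port
        self._outbound: Dict[FlowKey, int] = {}
        # inbound:  (proto, public port, remote ip, remote port) -> (private ip, private port)
        self._inbound: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _alloc_port(self) -> int:
        """Hand out public ports sequentially; a real device recycles expired entries."""
        if self._next_port > self._last_port:
            raise RuntimeError("public port range exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Private -> public: rewrite the source to (public_ip, public_port),
        creating a mapping entry on the first packet of a flow."""
        key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._outbound.get(key)
        if public_port is None:
            public_port = self._alloc_port()
            self._outbound[key] = public_port
            self._inbound[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # A real NAT must also recompute the TCP/UDP checksum here, because it
        # covers a pseudo-header containing the addresses just rewritten.
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: only packets matching an existing entry are
        rewritten; anything else (unsolicited traffic) is dropped, i.e. None."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        private_ip, private_port = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)

    def active_flows(self) -> int:
        return len(self._outbound)


def demo() -> dict:
    """Two private hosts that happen to pick the same source port reach the same
    server; their replies must still come back to the right host."""
    nat = Napt("203.0.113.5")
    server = ("198.51.100.7", 443)
    a = Packet("tcp", "192.168.1.10", 40000, *server)
    b = Packet("tcp", "192.168.1.11", 40000, *server)

    a_out = nat.translate_outbound(a)
    b_out = nat.translate_outbound(b)
    a_again = nat.translate_outbound(a)          # same flow, same mapping reused

    # Replies from the server are addressed to the NAT's public endpoint.
    reply_a = Packet("tcp", server[0], server[1], nat.public_ip, a_out.src_port)
    reply_b = Packet("tcp", server[0], server[1], nat.public_ip, b_out.src_port)
    # A scanner probing the public address hits a port with no mapping.
    unsolicited = Packet("tcp", "198.51.100.99", 55555, nat.public_ip, 2222)

    return {
        "a_out": a_out,
        "b_out": b_out,
        "a_again": a_again,
        "reply_a_in": nat.translate_inbound(reply_a),
        "reply_b_in": nat.translate_inbound(reply_b),
        "unsolicited_in": nat.translate_inbound(unsolicited),
        "flows": nat.active_flows(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The table is keyed on the full five-tuple, so the same private endpoint talking to two different servers gets two public ports; that is the behaviour RFC 3489 called symmetric NAT. Consumer gateways often key the entry on the private endpoint only (endpoint-independent mapping), which is what makes peer-to-peer hole punching possible; the lookup logic is the same, only the key changes.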

A NAT device built this way matters a great deal. Compare the following (quoted) description:

Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.

The most common form of network translation involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255). The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble. However, to access resources outside the network, like the Internet, these computers have to have a public address in order for responses to their requests to return to them. This is where NAT comes into play.

Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for a resource inside the network, so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It then makes the same request to the Internet using its own public address, and returns the response from the Internet resource to the computer inside the private network. From the perspective of the resource on the Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it appears that communication is directly with the site on the Internet. When NAT is used in this way, all users inside the private network who access the Internet share the same public IP address. That means only one public address is needed for hundreds or even thousands of users.

Most modern firewalls are stateful - that is, they are able to set up the connection between the internal workstation and the Internet resource. They can keep track of the details of the connection, like ports, packet order, and the IP addresses involved. This is called keeping track of the state of the connection. In this way, they are able to keep track of the session composed of communication between the workstation and the firewall, and the firewall with the Internet. When the session ends, the firewall discards all of the information about the connection.

There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and require access from the Internet. These servers are assigned public IP addresses on the firewall, allowing the public to access the servers only through that IP address. However, as an additional layer of security, the firewall acts as the intermediary between the outside world and the protected internal network. Additional rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows network engineers to more efficiently route internal network traffic to the same resources, and allow access to more ports, while restricting access at the firewall. It also allows detailed logging of communications between the network and the outside world.

Additionally, NAT can be used to allow selective access to the outside of the network, too. Workstations or other computers requiring special access outside the network can be assigned specific external IPs using NAT, allowing them to communicate with computers and applications that require a unique public IP address. Again, the firewall acts as the intermediary, and can control the session in both directions, restricting port access and protocols.

NAT is a very important aspect of firewall security. It conserves the number of public addresses used within an organization, and it allows for stricter control of access to resources on both sides of the firewall.
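The inbound direction described in the quoted passage (a server behind the firewall published on a public address, with rules restricting which ports and which sources may reach it, and logging of every decision), as an added example that is neither the quoted article's code nor any vendor's rule syntax. It models a static destination mapping, commonly called port forwarding or DNAT, plus a per-port source allow list; the internal addresses, public addresses and packets are constructed for the demo.

```python
"""Port forwarding (DNAT) with per-port source rules and a decision log; added example."""
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Forward:
    """One published service: a public port mapped to an internal endpoint,
    optionally reachable only from the listed source networks."""
    internal_ip: str
    internal_port: int
    allowed_from: List[IPv4Network] = field(default_factory=list)  # empty list = anyone

    def permits(self, src_ip: str) -> bool:
        if not self.allowed_from:
            return True
        addr = ip_address(src_ip)
        return any(addr in net for net in self.allowed_from)


def _flow(pkt: Packet) -> str:
    return f"{pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"


class InboundGateway:
    """The firewall's public side: unpublished ports and disallowed sources are dropped."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self._forwards: Dict[Tuple[str, int], Forward] = {}
        self.log: List[str] = []

    def publish(self, proto: str, public_port: int, internal_ip: str,
                internal_port: int, allowed_from: Iterable[str] = ()) -> None:
        self._forwards[(proto, public_port)] = Forward(
            internal_ip, internal_port, [ip_network(n) for n in allowed_from])

    def handle_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Apply DNAT when the destination port is published and the source is
        permitted; otherwise drop. Every decision is logged."""
        fwd = self._forwards.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or fwd is None:
            self.log.append(f"DROP {_flow(pkt)} (not published)")
            return None
        if not fwd.permits(pkt.src_ip):
            self.log.append(f"DROP {_flow(pkt)} (source not allowed)")
            return None
        self.log.append(f"DNAT {_flow(pkt)} => {fwd.internal_ip}:{fwd.internal_port}")
        return replace(pkt, dst_ip=fwd.internal_ip, dst_port=fwd.internal_port)

    def handle_reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation for the server's replies: the internal source
        becomes the public endpoint the client actually talked to."""
        for (proto, public_port), fwd in self._forwards.items():
            if proto == pkt.proto and (fwd.internal_ip, fwd.internal_port) == (pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=self.public_ip, src_port=public_port)
        return None


def demo() -> dict:
    gw = InboundGateway("203.0.113.5")
    gw.publish("tcp", 80, "10.0.0.20", 8080)                                  # web: anyone
    gw.publish("tcp", 22, "10.0.0.20", 22, allowed_from=["198.51.100.0/24"])  # ssh: admins only

    web = Packet("tcp", "192.0.2.33", 51000, "203.0.113.5", 80)
    ssh_admin = Packet("tcp", "198.51.100.9", 51001, "203.0.113.5", 22)
    ssh_other = Packet("tcp", "192.0.2.33", 51002, "203.0.113.5", 22)
    rdp = Packet("tcp", "192.0.2.33", 51003, "203.0.113.5", 3389)
    web_reply = Packet("tcp", "10.0.0.20", 8080, "192.0.2.33", 51000)

    return {
        "web_in": gw.handle_inbound(web),
        "ssh_admin_in": gw.handle_inbound(ssh_admin),
        "ssh_other_in": gw.handle_inbound(ssh_other),
        "rdp_in": gw.handle_inbound(rdp),
        "web_reply_out": gw.handle_reply(web_reply),
        "log": list(gw.log),
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Note that the published internal port (8080) differs from the public one (80): the mapping hides the internal layout, and the reply path restores the public endpoint so the client never sees 10.0.0.20. A real stateful firewall would record the accepted connection and match replies against that state rather than rescanning the forward table.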