We have come a long way, from building networking between computers with Ethernet to multiple servers and switches. In our journey so far we have seen data flowing between devices on a LAN, or to be precise on the intranet. As the world of technology grew it was not enough to stay within our own network; we wanted to build networking with other networks. Thus internetworking, or the Internet, started: communication between multiple networks.
Introduction to Routers:
Routers are the devices that help establish communication between two or more different networks. They forward data packets between different computer networks.
Routing Types and Protocols:
Routing can be of two types depending on how they are defined:
Static Routing: Static routing is a form of routing that occurs when a router uses a manually configured routing entry that is usually assigned by a user. A static router routes data packets based on the information in its routing table.
Dynamic Routing: This is the type of routing where a router does not require manual configuration and applies a dynamic algorithm to choose the best path. Based on these algorithms there are three different types of protocols:
Distance Vector Protocols: Use simple algorithms that calculate a cumulative distance value between routers based on hop count. The path with the least hop count becomes the best path and the packet is sent that way. e.g. RIP, IGRP
Link State Protocols: Use sophisticated algorithms that maintain a complex database of the internetwork topology. e.g. OSPF
Hybrid (DV+LS) Protocols: Use a combination of distance-vector and link-state methods that tries to incorporate the advantages of both and minimize their disadvantages. e.g. EIGRP
It is interesting to note here that all three of the above algorithms choose the shortest path and the packet is sent that way.
When a packet has to travel from one network to another it needs a particular path; this path is known as the route path. Every device on the network maintains a record of the network paths available to travel to other networks. This record is known as the routing table. Let us see what a routing table looks like on a Linux box:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
Any incoming or outgoing traffic on a machine has to follow a table like the one above. Imagine it as a map that tells a packet leaving a machine which way it has to travel. Each gateway is like a station on that map which lets you on to your next station until you actually reach your destination.
As we can see in the above table there are two interfaces, eth0 and eth1. The first line says that if the destination is network 10.0.2.0/24 then the gateway is 0.0.0.0 via interface eth0. If the destination is network 192.168.56.0/24 then the gateway is 0.0.0.0 via eth1. Finally we can see that the gateway for 0.0.0.0 (the default route) is 10.0.2.2 via eth0. This way a machine goes through its routing table to identify which is the next hop or gateway and via which interface it should send the packet.
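The lookup a machine performs against that table, written for this article as an added example (not code from the original post); parse_route_table and next_hop are assumed names, and the table text is embedded as constructed input. Longest prefix wins, and the metric breaks ties such as the two 169.254.0.0/16 entries, which is also how you audit which interface and gateway a given destination will really leave through.

```python
import ipaddress

# The `route -n` output from the article, embedded as constructed sample input.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
"""

def parse_route_table(text):
    """Turn `route -n` output into a list of route dicts (assumed helper name)."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "Destination":   # skip banner and header
            continue
        dest, gateway, mask, flags, metric, _ref, _use, iface = cols
        # Destination + Genmask together define the prefix, e.g. 10.0.2.0/255.255.255.0 -> /24
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"network": network, "gateway": gateway, "flags": flags,
                       "metric": int(metric), "iface": iface})
    return routes

def next_hop(routes, dst):
    """Return (iface, gateway) for a destination, or None if nothing matches.

    Most specific prefix wins; among equal prefixes the lower metric wins.
    gateway is None when the route has no G flag, i.e. the host is on-link
    and the packet is delivered directly instead of via a router."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    gateway = best["gateway"] if "G" in best["flags"] else None
    return best["iface"], gateway

if __name__ == "__main__":
    table = parse_route_table(ROUTE_N_OUTPUT)
    for ip in ("10.0.2.15", "192.168.56.101", "169.254.1.1", "8.8.8.8"):
        print(ip, "->", next_hop(table, ip))
```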
Network Address Translation (NAT) is a mechanism by which we can translate one IP into some other IP. It is available in all routers and devices with a routing engine. It is like masking oneself under someone else's identity. You might ask why we need to mask our IP address under some other IP. As the networking world grew, more and more people started having their own identity, and some scenarios arose where we cannot reveal our exact IP address, either due to security concerns or to avoid conflicts with others. But by far the biggest reason for using NAT is that there aren't enough IPv4 addresses; with the new IPv6 there will be more than enough IP addresses. Let us see some of these use cases and the types of NAT used in them.
One to One NAT: This is the most common kind of NAT, wherein each IP address is translated to some other IP address. A typical use case is when we want to expose a LAN IP on the public WAN/Internet.
For example, say I have set up a website in my LAN on a server with IP 10.0.0.9 (Class A) and I want to make this website public. I will have to make this IP routable on the WAN or Internet. Now, as we have seen in IP Addressing, either a Class D or a classless WAN IP address is routable on the Internet, so we have to mask my IP (10.0.0.9) under a WAN IP, say 220.127.116.11, in my router or gateway and expose it on the Internet. Any outgoing traffic from 10.0.0.9 will now look like it is coming from 18.104.22.168, and likewise any incoming traffic to 22.214.171.124 will be translated again in the router and sent to 10.0.0.9.
This is just one example scenario; there can be other scenarios too, like when Site A and Site B need to talk to each other but both have the same range of IP addresses. In such cases as well you can do one to one NAT. This kind of situation might occur in a site to site VPN.
Many to One NAT: This is the NAT used in almost all organizations to enable Internet access in their offices. As we all know, WAN IPs are very limited and soon we are going to run out of them, thus they are costly too.
An organization usually purchases a selected block of such IP addresses; most of the time the block contains maybe at most 20 IPs. Now how do you enable hundreds of people on your LAN to access the Internet? One to one NAT will not work in this situation; we need many to one NAT. In this NAT you mask your entire LAN IP range, say 10.0.1.0/16, to one single WAN IP, say 126.96.36.199.
Try "http://whatismyip.com" from your browser inside your office. You should see your own WAN IP; ask your colleague too, and the IPs will be the same. This is due to the NAT that has been done. Thus when you access, say, www.google.com, Google will see all traffic coming from one single IP, though internally it will be your 100 employees accessing it.
SNAT and DNAT (Source NAT & Destination NAT): As the names suggest, SNAT is where the source IP is masked into some other IP, and DNAT is where the destination IP is NATed after the request reaches the router.
Apart from routers, SNAT and DNAT can be easily configured using iptables in Linux. This is one form of one to one NAT. It is used mostly when we are sending traffic between two networks which have conflicting IP ranges.
Port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This can happen either on the same machine or on a different machine.
Let us take the example in the picture. There are three machines, each listening on one port as below.
192.168.1.100 => Port 22
192.168.1.150 => Port 80
192.168.1.200 => Port 5900
All three machines are sitting behind 192.168.1.1, which is NATed to the public IP 188.8.131.52 and is accessible on the Internet on ports 22, 80 and 5900. Now port forwarding is configured on 192.168.1.1 such that when someone sends a request to 184.108.40.206:22 it will reach 192.168.1.1 on port 22 and then be forwarded to 192.168.1.100:22. The same applies to requests to 220.127.116.11:80 or :5900.
This is one form of port forwarding, where a request reaching one machine on a particular port is forwarded to a port on another machine.
Another form of port forwarding is when a request sent to one port on a machine, say port 80, gets forwarded to port 443 on the same machine. We will learn more about it later in our hands-on exercises.
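The many to one NAT from the office example and the port forwarding table for 192.168.1.1 above, combined into one small gateway simulation written for this article (not code from the original post). NatGateway, the packet dicts, the 198.51.100.10/203.0.113.7 remote addresses and the 40000+ port range are assumptions; the iptables rules in the comments are the standard Linux equivalents. It shows why a remote site sees only the WAN IP, how replies find the right LAN host again, and that a DNAT'd server still sees the real client address.

```python
import ipaddress

class NatGateway:
    """Router that masquerades outbound flows and port-forwards inbound ones.
    Packets are dicts with src, sport, dst, dport (constructed representation)."""
    def __init__(self, wan_ip, lan_prefix, port_forwards):
        self.wan_ip = wan_ip
        self.lan = ipaddress.ip_network(lan_prefix)
        # WAN port -> (LAN host, port). Linux equivalent for one entry:
        #   iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.1.100:22
        self.port_forwards = dict(port_forwards)
        self.next_port = 40000     # ports handed out to masqueraded connections
        self.conntrack = {}        # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.by_origin = {}        # reverse index: that 4-tuple -> wan_port

    def outbound(self, pkt):
        """SNAT (many to one): every LAN host leaves with src = wan_ip, told apart only by port.
        Linux equivalent: iptables -t nat -A POSTROUTING -s <lan> -o eth0 -j MASQUERADE"""
        if ipaddress.ip_address(pkt["src"]) not in self.lan:
            raise ValueError("outbound packet is not from the LAN")
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        wan_port = self.by_origin.get(flow)
        if wan_port is None:                       # first packet of a new connection
            wan_port, self.next_port = self.next_port, self.next_port + 1
            self.by_origin[flow] = wan_port
            self.conntrack[wan_port] = flow
        return {"src": self.wan_ip, "sport": wan_port, "dst": pkt["dst"], "dport": pkt["dport"]}

    def inbound(self, pkt):
        """Packet arriving at wan_ip: a reply to a tracked flow, a forwarded port, or dropped."""
        if pkt["dst"] != self.wan_ip:
            return None
        flow = self.conntrack.get(pkt["dport"])
        if flow and flow[2:] == (pkt["src"], pkt["sport"]):
            # Reply to a masqueraded connection: undo the SNAT so it reaches the LAN host.
            return {"src": pkt["src"], "sport": pkt["sport"], "dst": flow[0], "dport": flow[1]}
        target = self.port_forwards.get(pkt["dport"])
        if target:
            # DNAT changes only the destination, so the LAN server sees the real client IP.
            return {"src": pkt["src"], "sport": pkt["sport"], "dst": target[0], "dport": target[1]}
        return None   # unsolicited traffic to a port that is not forwarded is dropped

PORT_FORWARDS = {22: ("192.168.1.100", 22), 80: ("192.168.1.150", 80), 5900: ("192.168.1.200", 5900)}

def demo():
    # Constructed traffic: two LAN hosts reach the same remote site, one outsider uses the SSH forward.
    gw = NatGateway("188.8.131.52", "192.168.1.0/24", PORT_FORWARDS)
    a = gw.outbound({"src": "192.168.1.100", "sport": 51000, "dst": "198.51.100.10", "dport": 443})
    b = gw.outbound({"src": "192.168.1.150", "sport": 51000, "dst": "198.51.100.10", "dport": 443})
    reply = gw.inbound({"src": "198.51.100.10", "sport": 443, "dst": gw.wan_ip, "dport": b["sport"]})
    ssh = gw.inbound({"src": "203.0.113.7", "sport": 3333, "dst": gw.wan_ip, "dport": 22})
    return a, b, reply, ssh
```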
As simple as it sounds, it is like one person acting as a proxy for another. In this case one single machine is acting as a proxy for multiple servers sitting behind it. Don't get confused between port forwarding, NAT and proxy. I would like to explain it with the example below:
X and Y are two friends who work in OrgA and OrgB respectively. Now if X were to communicate with Z, who is a colleague of Y, he can do it in three ways:
1. Masquerade himself as Y, enter OrgB and talk to Z. => (NAT)
2. Or X sends an email to Y, who forwards it to Z. => (Port Forwarding)
3. Or Y talks to Z on X's behalf. => (Proxy)
Note: Proxying happens from IP address to IP address, unlike port forwarding, which happens from one port on an IP to another port on the same or a different IP.
Note: Unlike NAT, where the source/destination IP is actually translated into some other IP, in a proxy the request is just forwarded from one IP to another IP.
There are two types of proxies: Forward Proxy and Reverse Proxy.
Forward Proxy is normally used when a number of machines on the network have to access sites on the Internet through one single public facing proxy server. This is usually set up when a company wants to restrict and monitor access to certain sites on the Internet, so they set up a proxy server which forwards the requests coming from other users' machines on the LAN. As you can see in the picture, this is the proxy where the request is forwarded to the external sites on the Internet, and in turn the internal users can use those sites.
Reverse Proxy happens when requests from outside are passed to a proxy server and then sent to the respective web servers hosting those sites. This is usually used when you have to allow access from the Internet to a number of websites hosted internally on multiple servers. The picture describes it all.
An interesting fact to note here is that a reverse proxy server is usually an Internet facing proxy, where it is exposed on the Internet. A forward proxy server itself may or may not be publicly exposed on the Internet; it just has to have Internet access.
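A minimal reverse proxy of the kind just described, added here as an example and not code from the original post: one listener picks the internal web server by the Host header and opens its own connection to it, which is exactly the difference from NAT noted above, since the backend sees the proxy as its TCP peer and only learns the real client address from X-Forwarded-For. ReverseProxyHandler, BackendHandler, serve, start_demo, fetch and the site-a.example/site-b.example names are assumptions; everything binds to 127.0.0.1 on free ports so it runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class BackendHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Stand-in for an internal web server. Its TCP peer is the proxy, not the browser:
        # the real client address only survives if the proxy copies it into X-Forwarded-For.
        msg = (f"backend={self.server.site} path={self.path} peer={self.client_address[0]} "
               f"xff={self.headers.get('X-Forwarded-For')}")
        self.send_response(200)
        self.send_header("Content-Length", str(len(msg)))
        self.end_headers()
        self.wfile.write(msg.encode())
    def log_message(self, *args): pass   # keep the demo quiet

class ReverseProxyHandler(BaseHTTPRequestHandler):
    backends = {}   # Host header -> (ip, port); filled in by start_demo()
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        target = self.backends.get(host)
        if target is None:
            self.send_error(404, "no such site")   # unknown Host: refuse rather than forward blindly
            return
        conn = http.client.HTTPConnection(*target, timeout=5)   # new connection from the proxy's IP
        conn.request("GET", self.path, headers={"Host": host, "X-Forwarded-For": self.client_address[0]})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        self.send_response(resp.status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    log_message = BackendHandler.log_message

def serve(handler, site=None):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)   # port 0: pick any free port
    srv.site = site
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def start_demo():
    a, b = serve(BackendHandler, "site-a"), serve(BackendHandler, "site-b")
    ReverseProxyHandler.backends = {"site-a.example": a.server_address, "site-b.example": b.server_address}
    return serve(ReverseProxyHandler)

def fetch(proxy, host, path):
    # The external client only ever connects to the proxy and names the site via Host.
    conn = http.client.HTTPConnection(*proxy.server_address, timeout=5)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    return resp.status, resp.read().decode()
```

On loopback the peer and X-Forwarded-For values are both 127.0.0.1; on a real deployment the backend's peer would be the proxy's address and only the header carries the client's.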
Now let us try our hands at some exercises on port forwarding and proxy setups in the next chapter.