NAT support for peer-to-peer games
Serguei I. Ivantsov
manowar at gsc-game.kiev.ua
Tue Sep 21 10:04:20 CEST 2004
I am just interested whether something has changed in Netfilter to support
How to implement the scheme described below using netfilter?
<from the article>
Here's how the hosts know where to send the packets:
1) There is a well-known server with a well-known port, not
behind any NAT or firewall. Its only purpose is to relay
the public and local addresses of all participants in a session
to each other. (A host's public address is the address/UDP port pair
seen by the outside world; its local address is the pair it
thinks it has.)
2) To join the session, a new host sends its local address
to the well-known server. The server then stores the new
host's public address (from the UDP header) together with its
local address (embedded in the packet).
The list of all participants' public and local addresses is
then sent down to the new host. The new host notes its own public
address in the reply from the server.
3) The server sends the public and local address of the
new host to all existing participants.
4) The new host then sends a hello packet to both the public and
local addresses of each participant; likewise, the existing
participants all send hello packets to both the public and
local addresses of the new host. The packet contains
the sending host's public and local addresses.
These are analogous to TCP's SYN packet, and are retransmitted
periodically if no response is received (see below).
5) The act of sending a packet to the other participants
signals the firewall that a reply will be coming back along
the reverse path. It opens up a return path which just
reverses the source and destination address/UDP port pairs.
This seems to be a common feature of many firewalls and
SOHO routers (e.g. the Cisco PIX). I don't know how
widespread it is. Is there any data on what firewalls
support this behavior?
6) For participants behind different firewalls / NATs / masquerading
hosts, one packet (the one sent to the peer's public address)
will make it through. For participants behind the same firewall / NAT /
masquerading host, the other packet (the one sent to the peer's
local address) will make it through.
For participants with two IP interfaces, one or the other packet
will make it through; it doesn't matter which.
The entire Dan Kegel article can be found here:
Serguei I. Ivantsov
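The six steps quoted above, run through as an added Python model. This is not code from the post, from Dan Kegel's article, or from netfilter; the `Nat` class, the `send` routing, the host names and every address are constructed assumptions chosen to match the article's description (one stable public port per inside socket, a return path opened for exactly the reversed address/port pair, and no hairpinning through a host's own NAT). The model shows why exactly one of the two hello packets gets through for each pair, and why the first hello to a peer behind a different NAT is dropped while the retransmitted one is delivered.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Addr = Tuple[str, int]  # (IP address, UDP port)

class Nat:
    """Masquerading host as the article assumes it (an assumption, not netfilter
    code): one public port per inside socket, and each outbound packet opens
    a return path for exactly the reversed source/destination pair."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.port_map: Dict[Addr, int] = {}               # inside socket -> public port
        self.return_paths: Set[Tuple[int, Addr]] = set()  # (public port, remote) allowed in
        self._next_port = 40000

    def outbound(self, local: Addr, remote: Addr) -> Addr:
        if local not in self.port_map:
            self.port_map[local] = self._next_port
            self._next_port += 1
        port = self.port_map[local]
        self.return_paths.add((port, remote))  # a reply from remote may now come back
        return (self.public_ip, port)

    def inbound(self, src: Addr, dst: Addr) -> Optional[Addr]:
        """Inside socket that receives a packet src -> dst, or None if dropped."""
        if dst[0] != self.public_ip or (dst[1], src) not in self.return_paths:
            return None
        return next((loc for loc, p in self.port_map.items() if p == dst[1]), None)

@dataclass(eq=False)
class Host:
    name: str
    local: Addr                    # the address the host thinks it has
    nat: Optional[Nat] = None      # None for hosts directly on the Internet
    public: Optional[Addr] = None  # learned from the server's reply

Registry = Dict[str, Tuple[Addr, Addr]]  # participant -> (public, local)

def send(src: Host, dst: Addr, hosts: List[Host]) -> Tuple[Optional[Host], Addr]:
    """Deliver one UDP datagram; return (receiver or None, source as seen on the wire)."""
    for h in hosts:  # private addresses are reachable only on the sender's own LAN
        if h.nat is src.nat and h.local == dst:
            return h, src.local
    seen = src.nat.outbound(src.local, dst) if src.nat else src.local
    if src.nat and dst[0] == src.nat.public_ip:
        return None, seen  # no hairpinning through the sender's own NAT (assumption)
    for h in hosts:
        if h.nat is None and h.local == dst:
            return h, seen
        if h.nat is not None and h.nat.inbound(seen, dst) == h.local:
            return h, seen
    return None, seen

def join(new: Host, server: Host, registry: Registry, hosts: List[Host]) -> None:
    """Steps 1-3: the well-known server pairs the public address from the UDP
    header with the local address carried in the payload and relays the list."""
    receiver, seen = send(new, server.local, hosts)
    if receiver is not server:
        raise RuntimeError("rendezvous server unreachable")
    registry[new.name] = (seen, new.local)
    replied, _ = send(server, seen, hosts)  # the reply rides the return path just opened
    if replied is not new:
        raise RuntimeError("server reply did not reach the new host")
    new.public = seen  # the new host notes its own public address from the reply

def hello_round(peers: List[Host], registry: Registry, hosts: List[Host]) -> Set[Tuple[str, str, str]]:
    """Step 4: each peer sends a hello to both addresses of every other peer.
    Returns (sender, receiver, which address) for every hello that arrived."""
    arrived = set()
    for h in peers:
        for name, (pub, loc) in registry.items():
            if name == h.name:
                continue
            for kind, addr in (("public", pub), ("local", loc)):
                rcv, _ = send(h, addr, hosts)
                if rcv is not None and rcv.name == name:
                    arrived.add((h.name, name, kind))
    return arrived

def run_session() -> Set[Tuple[str, str, str]]:
    """Constructed topology: A and B share one NAT, C sits behind another."""
    server = Host("server", ("203.0.113.1", 9999))
    nat1, nat2 = Nat("198.51.100.1"), Nat("198.51.100.2")
    a = Host("A", ("10.0.0.2", 5000), nat1)
    b = Host("B", ("10.0.0.3", 5000), nat1)
    c = Host("C", ("192.168.1.2", 5000), nat2)
    hosts, registry = [server, a, b, c], {}
    for h in (a, b, c):
        join(h, server, registry, hosts)
    arrived = set()
    for _ in range(2):  # steps 5-6: the retransmitted hello passes the hole the first one opened
        arrived |= hello_round([a, b, c], registry, hosts)
    return arrived

if __name__ == "__main__":
    for sender, receiver, kind in sorted(run_session()):
        print(f"{sender} -> {receiver}: the hello to the {kind} address got through")
```

Running `run_session()` reports local-address hellos between A and B (same NAT) and public-address hellos between C and each of A and B (different NATs), and nothing else. The C-to-A public hello arrives in the first round only because A's earlier hello to C's public address already opened the reverse path on A's NAT; A's own hello to C arrives on the retransmission, once C's hello has opened the matching path on C's NAT. That ordering is the behaviour the article's step 5 relies on, and it is the conntrack-style state a firewall has to keep for the scheme to work.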