directory

  • The MAC header
  • The IP header
  • Network Address Translation (NAT)
    • NAT source
    • The Iptables firewall
  • The problem

In the current home broadband, operators will not directly allocate public IP addresses to users. For example, telecom solves the problem of insufficient IPV4 public IP through NAT44. As can be seen from the address obtained from local IFconfig, most of their host IP addresses are 10.x.x.x. The router directly obtains a private IP address such as 10.x.x.x. Then the router translates the NAT address to access the network from the public network.

To understand NAT in detail, it is necessary to introduce two headers, the MAC header that lives at the data link layer and the IP header that lives at the network layer, and why they encapsulate data the way they do.

The MAC header

The MAC header

1. The contents of Ethernet frames are easy to understand. To find a machine, you need the destination MAC and source MAC.

2. There are two types: one is to know that the target MAC can normally encapsulate the data frame to send; One is to send an ARP request containing the target IP address, broadcast all hosts in the LAN to find the target MAC address, and then normally seal the frame data.

3. CRC cyclic redundancy check technology is required in order to detect errors (bit error 0 changes to 1 or 1 changes to 0).

4. The data should understand. After all, the purpose is to transmit data.

If you don’t understand ARP roles, you can read my other article

The IP header

The IP header

1. The version number is IPV4, and IPV6 is also being promoted.

2. The service type distinction represents the priority of the current packet processing. The kernel processes packets according to the priority order in the queue.

3. Flags, flags, and slice offsets, because datagrams must be sharded if their length exceeds the MTU of the network, which is related to sharding rules;

4. TTL: Ping is often used to query network conditions. Ping uses ICMP.

5 protocol is indicated TCP, UDP protocol, the next layer is the transmission layer always tell people which protocol to use, otherwise people receive a cute face;

6. Then there is the source IP address and the target IP address. The target IP address is the place where you want to go.

Network Address Translation (NAT)

NAT source

Data transmission is a go back, access to others to the public network access, Baidu domain name and IP are sure to pay money to rent the public, but we these common people if each equipment to buy a public IP that we are not going bankrupt, bought how to configure or a problem, I am a computer white how to do ah? In the future, if IPV6 becomes ubiquitous, every device may be able to rent a public IP address for a nominal price, but not in the world of IPV4. So we have subnets. At home and in our company, we are all in a LAN, and most of the IP addresses connected to WIFI are 192.168. Xx. Baidu return results how to find you? So you can tell from your toes that someone must have done the transformation for us.

NAT role

NAT is classified into SNAT and DNAT, which translates a private IP address into a public IP address and a public IP address into a private IP address. The machines in our Wi-Fi also form a LAN, and all devices need to share the public IP of the router. When we ask Baidu “Latiao is weilong delicious or Feiwang delicious?” At the exit of our router, a SNAT will be performed to convert the private IP address to the public IP address.

So the question comes, Baidu reply you “latiao delicious”, DNAT into which private network IP? Getting on your mom’s computer is a hell of a beating, so if you use your toes, you’re going to have to guess that someone recorded the visit.

The Iptables firewall

No, iptables is not a real firewall. There is a netFilter in the kernel space, which is the real security framework for firewalls. Netfilter supports NAT, packet modification, and packet filtering. Where he will do connection tracing, which will be mapped as follows:

< Internal address + Internal port > and < external address + External port >

Put in a table, in fact, is the address camouflage, the internal IP and port disguised as public IP and port, Baidu returned data to check the table. Private IP address search machine, port is to find the machine on the application, Google Browser and Firefox are running on the machine an application, to find out who is asking the port number, computer each application will have their own port number, and will not repeat.

The problem

Knowing the MAC header and IP header and NAT, you can pause and think about how to find your computer after someone sends a network packet to find your LAN gateway using a public IP address.

Send and receive packet

The first thing to know is that when you send a packet, you add a variety of headers and data layer by layer, and when you receive a packet, you unpack it layer by layer, unpack it step by step, and finally the corresponding application turns the headers into data.

Your host must have an IP, assuming that the host has a private NETWORK IP in the LAN, when sending packets, such as your Java code running on the Linux platform to visit Baidu, Linux platform will call the kernel to determine if Baidu’s IP and your own network segment is between the LAN access, Otherwise, else is not on the same network segment and accesses Baidu directly from the public network gateway.

So here’s the idea:

  1. First see if it is the MAC that the gateway of my machine can recognize, take down its MAC head to see, if it is not mine, it is just passing by, bye
  2. If it is my MAC, take it in, and then take down its IP header to determine its IP address. Then the gateway determines which gateway to exit from according to its IP network segment, so as to find the LAN network port of the machine
  3. Here again according to the IP address, detailed find this IP address is corresponding to which machine, gateway this place is ARP cache, cache there is the machine private IP and MAC address of the corresponding relationship, cache if there is so found the machine, If the cache doesn’t have one, you can just send an ARP broadcast and ask who the MAC address of this IP is
  4. After finding this computer, go in from computer network card, judge again according to port is looking for which application, this is to go to QQ looking for QQ, looking for micro letter looking for micro letter.
  5. After the above processing, wechat or QQ return a result, send the result, other machines repeat the judgment process

If there is harvest, passing friends point “watching”, Lu Xun said, “four even is a virtue”, pay attention to me better.