author Andrew Shadura <bugzilla@tut.by> 2012-08-15 22:11:15 +0200
committer Andrew Shadura <bugzilla@tut.by> 2012-08-15 22:11:15 +0200
commit 02bc804b997f43ea112002310775e3238d218992 (patch)
tree 7bce7705be7e844fed6c83fac256df9c4b64b299
Add initial packaging by GRML project.
-rw-r--r-- ChangeLog 15
-rw-r--r-- LICENSE 340
-rw-r--r-- README 184
-rw-r--r-- debian/changelog 13
-rw-r--r-- debian/compat 1
-rw-r--r-- debian/control 20
-rw-r--r-- debian/copyright 18
-rw-r--r-- debian/dirs 1
-rw-r--r-- debian/docs 1
-rwxr-xr-x debian/rules 64
-rw-r--r-- debian/watch 8
-rwxr-xr-x nat-traverse 404
-rw-r--r-- nat-traverse.1 319
13 files changed, 1388 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..361d51d
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,15 @@
+nat-traverse -- Use of UDP to traverse NAT gateways
+
+2005-08-23
+ * v0.4: New option --quit-after-connect quits nat-traverse after the tunnel
+ has been established successfully.
+
+2005-06-29
+ * v0.3: Made nat-traverse work with Perl 5.6.1 (previously Perl 5.8.0 was
+ required)
+
+2005-06-26
+ * v0.2: Fixed a rare race condition
+
+2005-06-25
+ * v0.1: Initial release
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..3912109
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,340 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/README b/README
new file mode 100644
index 0000000..cd36aea
--- /dev/null
+++ b/README
@@ -0,0 +1,184 @@
+NAME
+ nat-traverse - Use of UDP to traverse NAT gateways
+
+SYNOPSIS
+ user@left $ nat-traverse 40000:natgw-of-right:40001
+ user@right $ nat-traverse 40001:natgw-of-left:40000
+
+VERSION
+ This document describes nat-traverse v0.4.
+
+DESCRIPTION
+ nat-traverse establishes connections between nodes which are behind NAT
+ gateways, i.e. hosts which do *not* have public IP addresses.
+ Additionally, you can setup a small VPN by using pppd on top of
+ nat-traverse (see "EXAMPLES"). nat-traverse does *not* need an external
+ server on the Internet, and it isn't necessary to reconfigure the
+ involved NAT gateways, either. *nat-traverse works out-of-the-box.*
+
+ See "TECHNIQUE" for how this is achieved.
+
+OPTIONS
+ "*local_port*:*peer*:*remote_port*" (required)
+ Sets the local port to use and the remote address to connect to.
+
+ Note that you have to give the IP address or hostname of the *NAT
+ gateway* of the host you want to connect to, as the target host
+ doesn't have a public IP address.
+
+ "--cmd="*pppd...*""
+ Runs the specified command after establishing the connection.
+
+ The command will be run with its STDIN and STDOUT bound to the
+ socket, i.e. everything the command writes to STDOUT will be
+ forwarded to the peer.
+
+ If no command is specified, nat-traverse will relay input from STDIN
+ to the peer and vice versa, i.e. nat-traverse degrades to netcat.
+
+ "--window=*10*"
+ Sets the number of initial garbage packets to send. The default, 10,
+ should work with most firewalls.
+
+ "--timeout=*10*"
+ Sets the maximum number of seconds to wait for an acknowledgement by
+ the peer.
+
+ "--quit-after-connect"
+ Quits nat-traverse after the tunnel has been established
+ successfully.
+
+ nat-traverse returns a non-0 statuscode to indicate that it wasn't
+ able to establish the tunnel.
+
+ "--quit-after-connect" is useful if you want another program to use
+ the tunnel. For example, you could configure OpenVPN to use the the
+ same ports as nat-traverse -- thus OpenVPN would be able to cross
+ NAT gateways.
+
+ "--version", "--help"
+
+TECHNIQUE
+ nat-traverse establishes connections between hosts behind NAT gateways,
+ without need for reconfiguration of the involved NAT gateways.
+
+ 1. Firstly, nat-traverse on host "left" sends garbage UDP packets to
+ the NAT gateway of "right". These packets are, of course, discarded
+ by the firewall.
+
+ 2. Then "right"'s nat-traverse sends garbage UDP packets to the NAT
+ gateway of "left". These packets are *not* discarded, as "left"'s
+ NAT gateway thinks these packets are replies to the packets sent in
+ step 1!
+
+ 3. "left"'s nat-traverse continues to send garbage packets to "right"'s
+ NAT gateway. These packets are now not dropped either, as the NAT
+ gateway thinks the packets are replies to the packets sent in step
+ 2.
+
+ 4. Finally, both hosts send an acknowledgement packet to signal
+ readiness. When these packets are received, the connection is
+ established and nat-traverse can either relay STDIN to the socket or
+ execute a program.
+
+EXAMPLES
+ Setup of a small VPN with PPP
+ It's easy to setup a VPN (Virtual Private Network) by using the
+ Point-to-Point Protocol Daemon, "pppd":
+
+ root@left # nat-traverse \
+ --cmd="pppd updetach noauth passive notty \
+ ipparam vpn 10.0.0.1:10.0.0.2"
+ 40000:natgw-of-right:40001
+ root@right # nat-traverse \
+ --cmd="pppd nodetach notty noauth"
+ 40001:natgw-of-left:40000
+
+ "pppd" creates a new interface, typically "ppp0". Using this interface,
+ you can ping 10.0.0.1 or 10.0.0.2. As you can see, "pppd" upgrades the
+ data-only tunnel nat-traverse provides to a full IP tunnel. Thus you can
+ establish reliable TCP connections over the tunnel, even though the
+ tunnel uses UDP! Furthermore, you could even add IPv6 addresses to
+ "ppp0" by running "ip -6 addr add..."!
+
+ Note though that although this VPN *is* a private network, it is *not*
+ secured in any way. You may want to use SSH to encrypt the connection.
+
+ Port Forwarding with netcat
+ You can use "netcat" to forward one of your local UDP or TCP ports to an
+ arbitrary UDP or TCP port of the remote host, similar to "ssh -L" or
+ "ssh -R":
+
+ user@left $ nat-traverse 10001:natgw-of-right:10002 \
+ --cmd="nc -vlp 20000"
+ user@right $ nat-traverse 10002:natgw-of-left:10001 \
+ --cmd="nc -vlp 22"
+
+ As soon as the tunnel is established (using UDP ports 10001 and 10002),
+ "left"'s TCP port 20000 is forwarded to "right"'s SSH Daemon (TCP port
+ 22):
+
+ user@some-other-host $ ssh -p 20000 user@left
+ # Will connect to right's SSH daemon!
+
+ But do note that you lose the reliability of TCP in this example, as the
+ actual data is transported via UDP. If you want reliable streams, use
+ PPP on top of nat-traverse, as described above.
+
+LIMITATIONS
+ Only IPv4 is supported, nat-traverse won't work with IPv6 addresses.
+ Even though it would be relatively trivial to add IPv6 support, I
+ refrained from doing that, as there's no need to use NAT with IPv6 (the
+ address space IPv6 provides is sufficient).
+
+ If you do need IPv6 support, drop me a note and I'll patch nat-traverse.
+
+SEE ALSO
+ RFC 1631 at http://www.ietf.org/rfc/rfc1631.txt
+ The IP Network Address Translator (NAT). K. Egevang, P. Francis. May
+ 1994. (Obsoleted by RFC3022) (Status: INFORMATIONAL)
+
+ RFC 3022 at http://www.ietf.org/rfc/rfc3022.txt
+ Traditional IP Network Address Translator (Traditional NAT). P.
+ Srisuresh, K. Egevang. January 2001. (Obsoletes RFC1631) (Status:
+ INFORMATIONAL)
+
+ RFC 1661 at http://www.ietf.org/rfc/rfc1661.txt
+ The Point-to-Point Protocol (PPP). W. Simpson, Ed.. July 1994.
+ (Obsoletes RFC1548) (Updated by RFC2153) (Also STD0051) (Status:
+ STANDARD)
+
+ <http://ppp.samba.org/>
+ Website of Paul's PPP Package (open source implementation of the
+ Point-to-Point Protocol (PPP) on Linux and Solaris)
+
+ German talk about nat-traverse at
+ http://linide.sourceforge.net/nat-traverse/nat-traverse-talk.pdf
+ Dieser Vortrag zeigt, wie man einen Tunnel zwischen zwei Computern,
+ die beide hinter NAT-Gateways sitzen, hinbekommt. Dazu wird ein
+ neues Programm vorgestellt, welches sowohl einfache Tastendrücke an
+ die Gegenseite weiterleiten, als auch beliebige Programme mit
+ Verbindungen zur Gegenseite starten kann. Damit ist ein einfaches
+ VPN schnell aufgebaut.
+
+AUTHOR
+ Copyright (C) 2005 Ingo Blechschmidt, <iblech@web.de>.
+
+ You may want to visit nat-traverse's Freshmeat project page,
+ <http://freshmeat.net/projects/nat-traverse/>, for new releases.
+
+LICENSE
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+ Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
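Review bot: In the "Port Forwarding with netcat" example, right's command `--cmd="nc -vlp 22"` makes nc listen on TCP port 22 instead of connecting to the SSH daemon that the following paragraph says the tunnel reaches; a connecting form such as `nc localhost 22` would match the description. In the PPP example, the lines ending `10.0.0.1:10.0.0.2"` and `notty noauth"` have no trailing backslash, so the `40000:natgw-of-right:40001` and `40001:natgw-of-left:40000` arguments fall outside the command when pasted. Under --quit-after-connect there is a doubled word in "use the the same ports".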
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..ca08a3d
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,13 @@
+nat-traverse (0.4-1) unstable; urgency=low
+
+ * New upstream release.
+ * Bumbed Standards-Version to 3.6.2 (no further changes).
+
+ -- Michael Prokop <mika@grml.org> Wed, 24 Aug 2005 11:59:18 +0200
+
+nat-traverse (0.3-1) unstable; urgency=low
+
+ * Initial release.
+
+ -- Michael Prokop <mika@grml.org> Mon, 18 Jul 2005 22:01:25 +0200
+
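Review bot: Typo in the 0.4-1 entry: "Bumbed Standards-Version to 3.6.2" should read "Bumped Standards-Version to 3.6.2".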
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..b8626c4
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+4
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..78be616
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,20 @@
+Source: nat-traverse
+Section: net
+Priority: optional
+Maintainer: Michael Prokop <mika@grml.org>
+Build-Depends: debhelper (>= 4.0.0)
+Standards-Version: 3.6.2
+
+Package: nat-traverse
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: establish connections between nodes behind NAT gateways
+ nat-traverse establishes connections between nodes which are
+ behind NAT gateways, i.e. hosts which do not have public IP
+ addresses. Additionally, you can setup a small VPN by using pppd
+ on top of nat-traverse. nat-traverse does not need an external
+ server on the Internet, and it isn't necessary to reconfigure
+ the involved NAT gateways, either. nat-traverse works
+ out-of-the-box.
+ .
+ Homepage: http://linide.sourceforge.net/nat-traverse/
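Review bot: `Architecture: any` together with `Depends: ${shlibs:Depends}, ${misc:Depends}` does not fit a package whose only installed program is the Perl script nat-traverse: nothing is compiled, so `${shlibs:Depends}` expands to nothing and the dependency on perl is never declared. Suggest `Architecture: all` and `Depends: ${perl:Depends}, ${misc:Depends}` (with dh_perl called in debian/rules), and moving the `Homepage:` line out of the long description into a proper `Homepage:` field in the source stanza.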
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..5410130
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,18 @@
+This package was debianized by Michael Prokop <mika@grml.org> on
+Mon, 18 Jul 2005 22:01:25 +0200.
+
+It was downloaded from http://linide.sourceforge.net/nat-traverse/
+
+Copyright Holder: Ingo Blechschmidt <iblech@web.de>
+
+License:
+
+Copyright (C) 2005 Ingo Blechschmidt, <iblech@web.de>.
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation; either version 2 of
+the License, or (at your option) any later version.
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
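Review bot: The license pointer on the last line refers to `/usr/share/common-licenses/GPL`, which is not tied to a version, while the grant above says "either version 2 of the License, or (at your option) any later version"; point to `/usr/share/common-licenses/GPL-2` so the referenced text matches the stated version.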
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..e772481
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1 @@
+usr/bin
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..e845566
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1 @@
+README
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..6424430
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,64 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+configure-stamp:
+ dh_testdir
+
+ touch configure-stamp
+
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/nat-traverse.
+ install -m 755 nat-traverse debian/nat-traverse/usr/bin/
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs ChangeLog
+ dh_installdocs
+ dh_installman nat-traverse.1
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
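Review bot: All package-building commands sit under `binary-arch` while `binary-indep` is empty, and the sequence runs `dh_strip` and `dh_shlibdeps` although the only payload is the script copied by `install -m 755 nat-traverse debian/nat-traverse/usr/bin/`. If the package is made architecture-independent, move the dh_* sequence to `binary-indep` and drop those two calls. The `configure-stamp` and `build-stamp` targets only touch stamp files and could be removed along with the dh-make template comments.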
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..6289d7a
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,8 @@
+# Example watch control file for uscan
+# Rename this file to "watch" and then you can run the "uscan" command
+# to check for upstream updates and more.
+# See uscan(1) for format
+
+# Compulsory line, this is a version 3 file
+version=3
+http://people.debian.org/~lolando/sfdlr.php?project=nat-traverse nat-traverse-([\d.]*).tar.bz2
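Review bot: The uscan source on the last line is a plain `http://` URL to a personal redirector script (`people.debian.org/~lolando/sfdlr.php`), so upstream version checks and downloads depend on an unauthenticated third-party hop; point it at the upstream download location directly if one is available. The pattern `nat-traverse-([\d.]*).tar.bz2` leaves the dots before `tar` and `bz2` unescaped and allows an empty version; `nat-traverse-([\d.]+)\.tar\.bz2` is tighter. The opening comment lines are dh-make template text ("Rename this file to "watch"") and can be dropped.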
diff --git a/nat-traverse b/nat-traverse
new file mode 100755
index 0000000..ca7b54c
--- /dev/null
+++ b/nat-traverse
@@ -0,0 +1,404 @@
+#!/usr/bin/perl
+# nat-traverse -- Use of UDP to traverse NAT gateways
+# Copyright (C) 2005 Ingo Blechschmidt <iblech@web.de>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+use warnings;
+use strict;
+
+use v5.6.0;
+
+use IO::Socket::INET;
+use Getopt::Long;
+
+# More elegant use constant {...} not available in Perl 5.6.x.
+use constant GARBAGE_MAGIC => "nat-traverse-garbage";
+use constant ACK_MAGIC => "nat-traverse-ack";
+use constant PACKET_SIZE => 8 * 1024;
+
+sub debug($);
+
+# ARGV parsing.
+GetOptions(
+ "window=i" => \(my $WINDOW = 10),
+ "timeout=i" => \(my $TIMEOUT = 10),
+ "quit-after-connect" => \my $QUIT_AFTER_CONNECT,
+ "cmd=s" => \my $CMD,
+ "version" => sub { print "nat-traverse 0.4\n" and exit },
+ "help" => \&usage,
+) or usage();
+usage() unless @ARGV == 1;
+my ($LPORT, $PEER, $RPORT) = split /:/, $ARGV[0];
+usage() unless $LPORT =~ /^\d+/ and $RPORT =~ /^\d+/ and $PEER;
+
+# Helper sub to create our socket...
+sub sockgen {
+ debug "Creating socket localhost:$LPORT <-> $PEER:$RPORT... ";
+ my $sock = IO::Socket::INET->new(
+ PeerHost => $PEER,
+ PeerPort => $RPORT,
+ LocalPort => $LPORT,
+ Proto => "udp",
+ ReuseAddr => 1,
+ ) or die "Couldn't create socket: $!\n";
+ debug "done.\n";
+
+ return $sock;
+}
+
+# Helper sub to wait for a given char.
+sub waitfor {
+ my ($sock, $match) = @_;
+
+ while(1) {
+ debug ".";
+ my $got;
+ defined(sysread $sock, $got, length $match) or
+ die "Couldn't read from socket: $!\n";
+ last if defined $got and $got eq $match;
+ }
+}
+
+# Initial phase: Sending of initial packets to make the firewalls think the
+# packets are replies.
+my $sock = sockgen();
+debug "Sending $WINDOW initial packets... ";
+for(1..$WINDOW) {
+ debug ".";
+ syswrite $sock, GARBAGE_MAGIC;
+ sleep 1;
+}
+syswrite $sock, ACK_MAGIC;
+debug " done.\n";
+
+# Waiting for ACK packet so we see the connection is established.
+debug "Waiting for ACK (timeout: $TIMEOUT\Es)... ";
+{
+ local $SIG{ALRM} = sub { die " timeout.\n" };
+ alarm $TIMEOUT;
+ waitfor($sock, ACK_MAGIC);
+ alarm 0;
+}
+debug " done.\n";
+
+# :)
+debug "Connection established.\n";
+
+debug "Exiting.\n" and exit 0 if $QUIT_AFTER_CONNECT;
+
+# Either exec() $CMD or relay STDIN and STDOUT appropriately.
+if(defined $CMD) {
+ debug "Redirecting STDIN and STDOUT... ";
+ open STDOUT, ">&", $sock or die "Couldn't redirect STDOUT: $!\n";
+ open STDIN, "<&", $sock or die "Couldn't redirect STDIN: $!\n";
+ debug "done.\n";
+ debug "exec()ing \"$CMD\"...\n";
+ exec $CMD or die "Couldn't exec() \"$CMD\": $!\n";
+} else {
+ debug "Type ahead.\n";
+ $SIG{CHLD} = "IGNORE";
+ my $pid = fork;
+ die "Couldn't fork: $!\n" unless defined $pid;
+
+ if($pid) {
+ # Parent -- read chars from STDIN and send them to the socket.
+ my $buf;
+ while(1) {
+ my $ret = sysread STDIN, $buf, PACKET_SIZE;
+ defined $ret or die "Couldn't read from STDIN: $!\n";
+ $ret or last;
+ syswrite $sock, $buf or die "Couldn't write to socket: $!\n";
+ }
+
+ # Exit on ^D.
+ debug "Exiting; sending SIGTERM to child process... ";
+ kill 15 => $pid or die "Couldn't send SIGTERM to child process (PID $pid): $!\n";
+ debug "done.\n";
+
+ } else {
+ # Child -- print what's "in the socket".
+ print $_ while
+ defined(sysread $sock, $_, PACKET_SIZE) or
+ die "Couldn't read from socket: $!\n";
+ }
+
+ # Clean up after ourselves.
+ close $sock or die "Couldn't close socket: $!\n";
+}
+
+# Nice debugging output.
+{
+ my $fresh;
+ sub debug($) {
+ my $msg = shift;
+
+ print STDERR "> " and $fresh++ unless $fresh;
+ print STDERR $msg;
+ $fresh = 0 if substr($msg, -1) eq "\n";
+ 1;
+ }
+}
+
+# Display usage info.
+sub usage { print STDERR <<'USAGE'; exit }
+nat-traverse v0.4 -- Use of UDP to traverse NAT gateways
+
+Usage:
+ user@left $ nat-traverse [options] port1:natgw-of-right:port2
+ user@right $ nat-traverse [options] port2:natgw-of-left:port1
+ where
+ port1, port2: Two unused UDP ports
+ left, right: The hosts behind NAT gateways you want to connect
+ natgw-of-left, The addresses of the NAT gateways of left and right
+ natgw-of-right:
+
+Available options:
+ --window=10 The number of initial garbage packets to send.
+ --timeout=10 The number of seconds to wait for an acknowledgement
+ of the connection by the peer.
+ --cmd="pppd..." The command to run with its STDIN and STDOUT bound to
+ the socket.
+ If no command is specified, everything you type is
+ relayed to the other end of the socket, i.e.
+ nat-traverse degrades to netcat.
+ --quit-after-connect Quit nat-traverse after the tunnel was established
+ successfully.
+ --version Display version information.
+ --help This help.
+
+Options may be abbreviated to uniqueness.
+Run "perldoc nat-traverse" for more information.
+USAGE
+
+
+=head1 NAME
+
+nat-traverse - Use of UDP to traverse NAT gateways
+
+=head1 SYNOPSIS
+
+ user@left $ nat-traverse 40000:natgw-of-right:40001
+ user@right $ nat-traverse 40001:natgw-of-left:40000
+
+=head1 VERSION
+
+This document describes nat-traverse v0.4.
+
+=head1 DESCRIPTION
+
+nat-traverse establishes connections between nodes which are behind NAT
+gateways, i.e. hosts which do I<not> have public IP addresses. Additionally,
+you can setup a small VPN by using pppd on top of nat-traverse (see
+L</EXAMPLES>). nat-traverse does I<not> need an external server on the
+Internet, and it isn't necessary to reconfigure the involved NAT gateways,
+either. I<nat-traverse works out-of-the-box.>
+
+See L</TECHNIQUE> for how this is achieved.
+
+=head1 OPTIONS
+
+=over
+
+=item C<I<local_port>:I<peer>:I<remote_port>> (required)
+
+Sets the local port to use and the remote address to connect to.
+
+Note that you have to give the IP address or hostname of the I<NAT gateway> of
+the host you want to connect to, as the target host doesn't have a public IP
+address.
+
+=item C<--cmd="I<pppd...>">
+
+Runs the specified command after establishing the connection.
+
+The command will be run with its STDIN and STDOUT bound to the socket, i.e.
+everything the command writes to STDOUT will be forwarded to the peer.
+
+If no command is specified, nat-traverse will relay input from STDIN to the peer
+and vice versa, i.e. nat-traverse degrades to netcat.
+
+=item C<--window=I<10>>
+
+Sets the number of initial garbage packets to send. The default, 10, should
+work with most firewalls.
+
+=item C<--timeout=I<10>>
+
+Sets the maximum number of seconds to wait for an acknowledgement by the peer.
+
+=item C<--quit-after-connect>
+
+Quits nat-traverse after the tunnel has been established successfully.
+
+nat-traverse returns a non-C<0> statuscode to indicate that it wasn't able to
+establish the tunnel.
+
+C<--quit-after-connect> is useful if you want another program to use the
+tunnel. For example, you could configure OpenVPN to use the the same ports as
+nat-traverse -- thus OpenVPN would be able to cross NAT gateways.
+
+=item C<--version>, C<--help>
+
+=back
+
+=head1 TECHNIQUE
+
+nat-traverse establishes connections between hosts behind NAT gateways, without need
+for reconfiguration of the involved NAT gateways.
+
+=over
+
+=item 1.
+
+Firstly, nat-traverse on host C<left> sends garbage UDP packets to the NAT gateway
+of C<right>. These packets are, of course, discarded by the firewall.
+
+=item 2.
+
+Then C<right>'s nat-traverse sends garbage UDP packets to the NAT gateway of
+C<left>. These packets are I<not> discarded, as C<left>'s NAT gateway thinks
+these packets are replies to the packets sent in step 1!
+
+=item 3.
+
+C<left>'s nat-traverse continues to send garbage packets to C<right>'s NAT gateway.
+These packets are now not dropped either, as the NAT gateway thinks the packets
+are replies to the packets sent in step 2.
+
+=item 4.
+
+Finally, both hosts send an acknowledgement packet to signal readiness. When
+these packets are received, the connection is established and nat-traverse can
+either relay STDIN to the socket or execute a program.
+
+=back
+
+=head1 EXAMPLES
+
+=head2 Setup of a small VPN with PPP
+
+It's easy to setup a VPN (Virtual Private Network) by using the Point-to-Point
+Protocol Daemon, C<pppd>:
+
+ root@left # nat-traverse \
+ --cmd="pppd updetach noauth passive notty \
+ ipparam vpn 10.0.0.1:10.0.0.2"
+ 40000:natgw-of-right:40001
+ root@right # nat-traverse \
+ --cmd="pppd nodetach notty noauth"
+ 40001:natgw-of-left:40000
+
+C<pppd> creates a new interface, typically C<ppp0>. Using this interface, you
+can ping C<10.0.0.1> or C<10.0.0.2>. As you can see, C<pppd> upgrades the
+data-only tunnel nat-traverse provides to a full IP tunnel. Thus you can
+establish reliable TCP connections over the tunnel, even though the tunnel uses
+UDP! Furthermore, you could even add IPv6 addresses to C<ppp0> by running C<ip
+-6 addr add...>!
+
+Note though that although this VPN I<is> a private network, it is I<not>
+secured in any way. You may want to use SSH to encrypt the connection.
+
+=head2 Port Forwarding with netcat
+
+You can use C<netcat> to forward one of your local UDP or TCP ports to an
+arbitrary UDP or TCP port of the remote host, similar to C<ssh -L> or C<ssh
+-R>:
+
+ user@left $ nat-traverse 10001:natgw-of-right:10002 \
+ --cmd="nc -vlp 20000"
+ user@right $ nat-traverse 10002:natgw-of-left:10001 \
+ --cmd="nc -vlp 22"
+
+As soon as the tunnel is established (using UDP ports C<10001> and C<10002>),
+C<left>'s TCP port C<20000> is forwarded to C<right>'s SSH Daemon (TCP port
+C<22>):
+
+ user@some-other-host $ ssh -p 20000 user@left
+ # Will connect to right's SSH daemon!
+
+But do note that you lose the reliability of TCP in this example, as the actual
+data is transported via UDP. If you want reliable streams, use PPP on top of
+nat-traverse, as described above.
+
+=head1 LIMITATIONS
+
+Only IPv4 is supported, nat-traverse won't work with IPv6 addresses. Even
+though it would be relatively trivial to add IPv6 support, I refrained from
+doing that, as there's no need to use NAT with IPv6 (the address space IPv6
+provides is sufficient).
+
+If you do need IPv6 support, drop me a note and I'll patch nat-traverse.
+
+=head1 SEE ALSO
+
+=over
+
+=item L<RFC 1631 at
+http://www.ietf.org/rfc/rfc1631.txt|http://www.ietf.org/rfc/rfc1631.txt>
+
+The IP Network Address Translator (NAT). K. Egevang, P. Francis. May 1994.
+(Obsoleted by RFC3022) (Status: INFORMATIONAL)
+
+=item L<RFC 3022 at
+http://www.ietf.org/rfc/rfc3022.txt|http://www.ietf.org/rfc/rfc3022.txt>
+
+Traditional IP Network Address Translator (Traditional NAT). P. Srisuresh,
+K. Egevang. January 2001. (Obsoletes RFC1631) (Status: INFORMATIONAL)
+
+=item L<RFC 1661 at
+http://www.ietf.org/rfc/rfc1661.txt|http://www.ietf.org/rfc/rfc1661.txt>
+
+The Point-to-Point Protocol (PPP). W. Simpson, Ed.. July 1994. (Obsoletes
+RFC1548) (Updated by RFC2153) (Also STD0051) (Status: STANDARD)
+
+=item L<http://ppp.samba.org/>
+
+Website of Paul's PPP Package (open source implementation of the
+Point-to-Point Protocol (PPP) on Linux and Solaris)
+
+=item L<German talk about nat-traverse at
+http://linide.sourceforge.net/nat-traverse/nat-traverse-talk.pdf|http://linide.sourceforge.net/nat-traverse/nat-traverse-talk.pdf>
+
+Dieser Vortrag zeigt, wie man einen Tunnel zwischen zwei Computern, die
+beide hinter NAT-Gateways sitzen, hinbekommt. Dazu wird ein neues Programm
+vorgestellt, welches sowohl einfache Tastendrücke an die Gegenseite
+weiterleiten, als auch beliebige Programme mit Verbindungen zur Gegenseite
+starten kann. Damit ist ein einfaches VPN schnell aufgebaut.
+
+=back
+
+=head1 AUTHOR
+
+Copyright (C) 2005 Ingo Blechschmidt, E<lt>iblech@web.deE<gt>.
+
+You may want to visit nat-traverse's Freshmeat project page,
+L<http://freshmeat.net/projects/nat-traverse/>, for new releases.
+
+=head1 LICENSE
+
+This program is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free Software
+Foundation; either version 2 of the License, or (at your option) any later
+version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with
+this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+Street, Fifth Floor, Boston, MA 02110-1301, USA.
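Review bot: The argument check "usage() unless $LPORT =~ /^\d+/ and $RPORT =~ /^\d+/ and $PEER;" is not anchored at the end, so a value such as 40000x passes and is handed to IO::Socket::INET unchanged, and when the argument has fewer than two colons $RPORT is undefined and the match raises an uninitialized-value warning before usage() runs. Anchoring both patterns as /^\d+$/, testing defined($RPORT) first, and rejecting extra colon-separated fields would make the failure mode a clean usage message. A second point in the handshake: ACK_MAGIC is written exactly once over UDP, so a single lost datagram leaves the peer in waitfor() until the alarm fires; resending the ACK a few times, or until the peer's ACK has been read, would make connection setup less fragile. Since --cmd binds a program's STDIN and STDOUT to a socket whose only gate is that fixed, public ACK string, the --cmd item in OPTIONS should carry the same "not secured in any way" caveat that currently appears only in the PPP example.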
diff --git a/nat-traverse.1 b/nat-traverse.1
new file mode 100644
index 0000000..6847116
--- /dev/null
+++ b/nat-traverse.1
@@ -0,0 +1,319 @@
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. | will give a
+.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. nr % 0
+. rr F
+.\}
+.\"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "NAT-TRAVERSE 1"
+.TH NAT-TRAVERSE 1 "2005-08-23" "perl v5.8.7" "User Contributed Perl Documentation"
+.SH "NAME"
+nat\-traverse \- Use of UDP to traverse NAT gateways
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+.Vb 2
+\& user@left $ nat-traverse 40000:natgw-of-right:40001
+\& user@right $ nat-traverse 40001:natgw-of-left:40000
+.Ve
+.SH "VERSION"
+.IX Header "VERSION"
+This document describes nat-traverse v0.4.
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+nat-traverse establishes connections between nodes which are behind \s-1NAT\s0
+gateways, i.e. hosts which do \fInot\fR have public \s-1IP\s0 addresses. Additionally,
+you can setup a small \s-1VPN\s0 by using pppd on top of nat-traverse (see
+\&\*(L"\s-1EXAMPLES\s0\*(R"). nat-traverse does \fInot\fR need an external server on the
+Internet, and it isn't necessary to reconfigure the involved \s-1NAT\s0 gateways,
+either. \fInat-traverse works out\-of\-the\-box.\fR
+.PP
+See \*(L"\s-1TECHNIQUE\s0\*(R" for how this is achieved.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.ie n .IP """\f(CIlocal_port\f(CW:\f(CIpeer\f(CW:\f(CIremote_port\f(CW"" (required)" 4
+.el .IP "\f(CW\f(CIlocal_port\f(CW:\f(CIpeer\f(CW:\f(CIremote_port\f(CW\fR (required)" 4
+.IX Item "local_port:peer:remote_port (required)"
+Sets the local port to use and the remote address to connect to.
+.Sp
+Note that you have to give the \s-1IP\s0 address or hostname of the \fI\s-1NAT\s0 gateway\fR of
+the host you want to connect to, as the target host doesn't have a public \s-1IP\s0
+address.
+.ie n .IP """\-\-cmd=""\f(CIpppd...\f(CW""""" 4
+.el .IP "\f(CW\-\-cmd=``\f(CIpppd...\f(CW''\fR" 4
+.IX Item "--cmd=""pppd..."""
+Runs the specified command after establishing the connection.
+.Sp
+The command will be run with its \s-1STDIN\s0 and \s-1STDOUT\s0 bound to the socket, i.e.
+everything the command writes to \s-1STDOUT\s0 will be forwarded to the peer.
+.Sp
+If no command is specified, nat-traverse will relay input from \s-1STDIN\s0 to the peer
+and vice versa, i.e. nat-traverse degrades to netcat.
+.ie n .IP """\-\-window=\f(CI10\f(CW""" 4
+.el .IP "\f(CW\-\-window=\f(CI10\f(CW\fR" 4
+.IX Item "--window=10"
+Sets the number of initial garbage packets to send. The default, 10, should
+work with most firewalls.
+.ie n .IP """\-\-timeout=\f(CI10\f(CW""" 4
+.el .IP "\f(CW\-\-timeout=\f(CI10\f(CW\fR" 4
+.IX Item "--timeout=10"
+Sets the maximum number of seconds to wait for an acknowledgement by the peer.
+.ie n .IP """\-\-quit\-after\-connect""" 4
+.el .IP "\f(CW\-\-quit\-after\-connect\fR" 4
+.IX Item "--quit-after-connect"
+Quits nat-traverse after the tunnel has been established successfully.
+.Sp
+nat-traverse returns a non\-\f(CW0\fR statuscode to indicate that it wasn't able to
+establish the tunnel.
+.Sp
+\&\f(CW\*(C`\-\-quit\-after\-connect\*(C'\fR is useful if you want another program to use the
+tunnel. For example, you could configure OpenVPN to use the the same ports as
+nat-traverse \*(-- thus OpenVPN would be able to cross \s-1NAT\s0 gateways.
+.ie n .IP """\-\-version""\fR, \f(CW""\-\-help""" 4
+.el .IP "\f(CW\-\-version\fR, \f(CW\-\-help\fR" 4
+.IX Item "--version, --help"
+.SH "TECHNIQUE"
+.IX Header "TECHNIQUE"
+nat-traverse establishes connections between hosts behind \s-1NAT\s0 gateways, without need
+for reconfiguration of the involved \s-1NAT\s0 gateways.
+.IP "1." 4
+Firstly, nat-traverse on host \f(CW\*(C`left\*(C'\fR sends garbage \s-1UDP\s0 packets to the \s-1NAT\s0 gateway
+of \f(CW\*(C`right\*(C'\fR. These packets are, of course, discarded by the firewall.
+.IP "2." 4
+Then \f(CW\*(C`right\*(C'\fR's nat-traverse sends garbage \s-1UDP\s0 packets to the \s-1NAT\s0 gateway of
+\&\f(CW\*(C`left\*(C'\fR. These packets are \fInot\fR discarded, as \f(CW\*(C`left\*(C'\fR's \s-1NAT\s0 gateway thinks
+these packets are replies to the packets sent in step 1!
+.IP "3." 4
+\&\f(CW\*(C`left\*(C'\fR's nat-traverse continues to send garbage packets to \f(CW\*(C`right\*(C'\fR's \s-1NAT\s0 gateway.
+These packets are now not dropped either, as the \s-1NAT\s0 gateway thinks the packets
+are replies to the packets sent in step 2.
+.IP "4." 4
+Finally, both hosts send an acknowledgement packet to signal readiness. When
+these packets are received, the connection is established and nat-traverse can
+either relay \s-1STDIN\s0 to the socket or execute a program.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+.Sh "Setup of a small \s-1VPN\s0 with \s-1PPP\s0"
+.IX Subsection "Setup of a small VPN with PPP"
+It's easy to setup a \s-1VPN\s0 (Virtual Private Network) by using the Point-to-Point
+Protocol Daemon, \f(CW\*(C`pppd\*(C'\fR:
+.PP
+.Vb 7
+\& root@left # nat-traverse \e
+\& --cmd="pppd updetach noauth passive notty \e
+\& ipparam vpn 10.0.0.1:10.0.0.2"
+\& 40000:natgw-of-right:40001
+\& root@right # nat-traverse \e
+\& --cmd="pppd nodetach notty noauth"
+\& 40001:natgw-of-left:40000
+.Ve
+.PP
+\&\f(CW\*(C`pppd\*(C'\fR creates a new interface, typically \f(CW\*(C`ppp0\*(C'\fR. Using this interface, you
+can ping \f(CW10.0.0.1\fR or \f(CW10.0.0.2\fR. As you can see, \f(CW\*(C`pppd\*(C'\fR upgrades the
+data-only tunnel nat-traverse provides to a full \s-1IP\s0 tunnel. Thus you can
+establish reliable \s-1TCP\s0 connections over the tunnel, even though the tunnel uses
+\&\s-1UDP\s0! Furthermore, you could even add IPv6 addresses to \f(CW\*(C`ppp0\*(C'\fR by running \f(CW\*(C`ip
+\&\-6 addr add...\*(C'\fR!
+.PP
+Note though that although this \s-1VPN\s0 \fIis\fR a private network, it is \fInot\fR
+secured in any way. You may want to use \s-1SSH\s0 to encrypt the connection.
+.Sh "Port Forwarding with netcat"
+.IX Subsection "Port Forwarding with netcat"
+You can use \f(CW\*(C`netcat\*(C'\fR to forward one of your local \s-1UDP\s0 or \s-1TCP\s0 ports to an
+arbitrary \s-1UDP\s0 or \s-1TCP\s0 port of the remote host, similar to \f(CW\*(C`ssh \-L\*(C'\fR or \f(CW\*(C`ssh
+\&\-R\*(C'\fR:
+.PP
+.Vb 4
+\& user@left $ nat-traverse 10001:natgw-of-right:10002 \e
+\& --cmd="nc -vlp 20000"
+\& user@right $ nat-traverse 10002:natgw-of-left:10001 \e
+\& --cmd="nc -vlp 22"
+.Ve
+.PP
+As soon as the tunnel is established (using \s-1UDP\s0 ports \f(CW10001\fR and \f(CW10002\fR),
+\&\f(CW\*(C`left\*(C'\fR's \s-1TCP\s0 port \f(CW20000\fR is forwarded to \f(CW\*(C`right\*(C'\fR's \s-1SSH\s0 Daemon (\s-1TCP\s0 port
+\&\f(CW22\fR):
+.PP
+.Vb 2
+\& user@some-other-host $ ssh -p 20000 user@left
+\& # Will connect to right's SSH daemon!
+.Ve
+.PP
+But do note that you lose the reliability of \s-1TCP\s0 in this example, as the actual
+data is transported via \s-1UDP\s0. If you want reliable streams, use \s-1PPP\s0 on top of
+nat\-traverse, as described above.
+.SH "LIMITATIONS"
+.IX Header "LIMITATIONS"
+Only IPv4 is supported, nat-traverse won't work with IPv6 addresses. Even
+though it would be relatively trivial to add IPv6 support, I refrained from
+doing that, as there's no need to use \s-1NAT\s0 with IPv6 (the address space IPv6
+provides is sufficient).
+.PP
+If you do need IPv6 support, drop me a note and I'll patch nat\-traverse.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+.IP "\s-1RFC\s0 1631 at http://www.ietf.org/rfc/rfc1631.txt" 4
+.IX Item "RFC 1631 at http://www.ietf.org/rfc/rfc1631.txt"
+The \s-1IP\s0 Network Address Translator (\s-1NAT\s0). K. Egevang, P. Francis. May 1994.
+(Obsoleted by \s-1RFC3022\s0) (Status: \s-1INFORMATIONAL\s0)
+.IP "\s-1RFC\s0 3022 at http://www.ietf.org/rfc/rfc3022.txt" 4
+.IX Item "RFC 3022 at http://www.ietf.org/rfc/rfc3022.txt"
+Traditional \s-1IP\s0 Network Address Translator (Traditional \s-1NAT\s0). P. Srisuresh,
+K. Egevang. January 2001. (Obsoletes \s-1RFC1631\s0) (Status: \s-1INFORMATIONAL\s0)
+.IP "\s-1RFC\s0 1661 at http://www.ietf.org/rfc/rfc1661.txt" 4
+.IX Item "RFC 1661 at http://www.ietf.org/rfc/rfc1661.txt"
+The Point-to-Point Protocol (\s-1PPP\s0). W. Simpson, Ed.. July 1994. (Obsoletes
+\&\s-1RFC1548\s0) (Updated by \s-1RFC2153\s0) (Also \s-1STD0051\s0) (Status: \s-1STANDARD\s0)
+.IP "<http://ppp.samba.org/>" 4
+.IX Item "<http://ppp.samba.org/>"
+Website of Paul's \s-1PPP\s0 Package (open source implementation of the
+Point-to-Point Protocol (\s-1PPP\s0) on Linux and Solaris)
+.IP "German talk about nat-traverse at http://linide.sourceforge.net/nat\-traverse/nat\-traverse\-talk.pdf" 4
+.IX Item "German talk about nat-traverse at http://linide.sourceforge.net/nat-traverse/nat-traverse-talk.pdf"
+Dieser Vortrag zeigt, wie man einen Tunnel zwischen zwei Computern, die
+beide hinter NAT-Gateways sitzen, hinbekommt. Dazu wird ein neues Programm
+vorgestellt, welches sowohl einfache Tastendrücke an die Gegenseite
+weiterleiten, als auch beliebige Programme mit Verbindungen zur Gegenseite
+starten kann. Damit ist ein einfaches \s-1VPN\s0 schnell aufgebaut.
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Copyright (C) 2005 Ingo Blechschmidt, <iblech@web.de>.
+.PP
+You may want to visit nat\-traverse's Freshmeat project page,
+<http://freshmeat.net/projects/nat\-traverse/>, for new releases.
+.SH "LICENSE"
+.IX Header "LICENSE"
+This program is free software; you can redistribute it and/or modify it under
+the terms of the \s-1GNU\s0 General Public License as published by the Free Software
+Foundation; either version 2 of the License, or (at your option) any later
+version.
+.PP
+This program is distributed in the hope that it will be useful, but \s-1WITHOUT\s0 \s-1ANY\s0
+\&\s-1WARRANTY\s0; without even the implied warranty of \s-1MERCHANTABILITY\s0 or \s-1FITNESS\s0 \s-1FOR\s0 A
+\&\s-1PARTICULAR\s0 \s-1PURPOSE\s0. See the \s-1GNU\s0 General Public License for more details.
+.PP
+You should have received a copy of the \s-1GNU\s0 General Public License along with
+this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+Street, Fifth Floor, Boston, \s-1MA\s0 02110\-1301, \s-1USA\s0.
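Review bot: This file is generated output (its first line reads "Automatically generated by Pod::Man v1.37") and duplicates the POD embedded in the nat-traverse script added by the same commit, so the two copies can drift apart whenever the POD is edited. Generating the page at build time with pod2man from debian/rules and passing the result to dh_installman would keep a single source. As it stands, the "the the same ports" typo in the --quit-after-connect item has to be fixed in both places.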