From 02bc804b997f43ea112002310775e3238d218992 Mon Sep 17 00:00:00 2001 From: Andrew Shadura Date: Wed, 15 Aug 2012 22:11:15 +0200 Subject: Add initial packaging by GRML project. --- ChangeLog | 15 +++ LICENSE | 340 ++++++++++++++++++++++++++++++++++++++++++++++ README | 184 +++++++++++++++++++++++++ debian/changelog | 13 ++ debian/compat | 1 + debian/control | 20 +++ debian/copyright | 18 +++ debian/dirs | 1 + debian/docs | 1 + debian/rules | 64 +++++++++ debian/watch | 8 ++ nat-traverse | 404 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ nat-traverse.1 | 319 +++++++++++++++++++++++++++++++++++++++++++ 13 files changed, 1388 insertions(+) create mode 100644 ChangeLog create mode 100644 LICENSE create mode 100644 README create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/dirs create mode 100644 debian/docs create mode 100755 debian/rules create mode 100644 debian/watch create mode 100755 nat-traverse create mode 100644 nat-traverse.1 diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 0000000..361d51d --- /dev/null +++ b/ChangeLog @@ -0,0 +1,15 @@ +nat-traverse -- Use of UDP to traverse NAT gateways + +2005-08-23 + * v0.4: New option --quit-after-connect quits nat-traverse after the tunnel + has been established successfully. + +2005-06-29 + * v0.3: Made nat-traverse work with Perl 5.6.1 (previously Perl 5.8.0 was + required) + +2005-06-26 + * v0.2: Fixed a rare race condition + +2005-06-25 + * v0.1: Initial release diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..3912109 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/README b/README new file mode 100644 index 0000000..cd36aea --- /dev/null 
+++ b/README 
@@ -0,0 +1,184 @@ +NAME + nat-traverse - Use of UDP to traverse NAT gateways + +SYNOPSIS + user@left $ nat-traverse 40000:natgw-of-right:40001 + user@right $ nat-traverse 40001:natgw-of-left:40000 + +VERSION + This document describes nat-traverse v0.4. + +DESCRIPTION + nat-traverse establishes connections between nodes which are behind NAT + gateways, i.e. hosts which do *not* have public IP addresses. + Additionally, you can setup a small VPN by using pppd on top of + nat-traverse (see "EXAMPLES"). nat-traverse does *not* need an external + server on the Internet, and it isn't necessary to reconfigure the + involved NAT gateways, either. *nat-traverse works out-of-the-box.* + + See "TECHNIQUE" for how this is achieved. + +OPTIONS + "*local_port*:*peer*:*remote_port*" (required) + Sets the local port to use and the remote address to connect to. + + Note that you have to give the IP address or hostname of the *NAT + gateway* of the host you want to connect to, as the target host + doesn't have a public IP address. + + "--cmd="*pppd...*"" + Runs the specified command after establishing the connection. + + The command will be run with its STDIN and STDOUT bound to the + socket, i.e. everything the command writes to STDOUT will be + forwarded to the peer. + + If no command is specified, nat-traverse will relay input from STDIN + to the peer and vice versa, i.e. nat-traverse degrades to netcat. + + "--window=*10*" + Sets the number of initial garbage packets to send. The default, 10, + should work with most firewalls. + + "--timeout=*10*" + Sets the maximum number of seconds to wait for an acknowledgement by + the peer. + + "--quit-after-connect" + Quits nat-traverse after the tunnel has been established + successfully. + + nat-traverse returns a non-0 statuscode to indicate that it wasn't + able to establish the tunnel. + + "--quit-after-connect" is useful if you want another program to use + the tunnel. 
For example, you could configure OpenVPN to use the the + same ports as nat-traverse -- thus OpenVPN would be able to cross + NAT gateways. + + "--version", "--help" + +TECHNIQUE + nat-traverse establishes connections between hosts behind NAT gateways, + without need for reconfiguration of the involved NAT gateways. + + 1. Firstly, nat-traverse on host "left" sends garbage UDP packets to + the NAT gateway of "right". These packets are, of course, discarded + by the firewall. + + 2. Then "right"'s nat-traverse sends garbage UDP packets to the NAT + gateway of "left". These packets are *not* discarded, as "left"'s + NAT gateway thinks these packets are replies to the packets sent in + step 1! + + 3. "left"'s nat-traverse continues to send garbage packets to "right"'s + NAT gateway. These packets are now not dropped either, as the NAT + gateway thinks the packets are replies to the packets sent in step + 2. + + 4. Finally, both hosts send an acknowledgement packet to signal + readiness. When these packets are received, the connection is + established and nat-traverse can either relay STDIN to the socket or + execute a program. + +EXAMPLES + Setup of a small VPN with PPP + It's easy to setup a VPN (Virtual Private Network) by using the + Point-to-Point Protocol Daemon, "pppd": + + root@left # nat-traverse \ + --cmd="pppd updetach noauth passive notty \ + ipparam vpn 10.0.0.1:10.0.0.2" + 40000:natgw-of-right:40001 + root@right # nat-traverse \ + --cmd="pppd nodetach notty noauth" + 40001:natgw-of-left:40000 + + "pppd" creates a new interface, typically "ppp0". Using this interface, + you can ping 10.0.0.1 or 10.0.0.2. As you can see, "pppd" upgrades the + data-only tunnel nat-traverse provides to a full IP tunnel. Thus you can + establish reliable TCP connections over the tunnel, even though the + tunnel uses UDP! Furthermore, you could even add IPv6 addresses to + "ppp0" by running "ip -6 addr add..."! 
+ + Note though that although this VPN *is* a private network, it is *not* + secured in any way. You may want to use SSH to encrypt the connection. + + Port Forwarding with netcat + You can use "netcat" to forward one of your local UDP or TCP ports to an + arbitrary UDP or TCP port of the remote host, similar to "ssh -L" or + "ssh -R": + + user@left $ nat-traverse 10001:natgw-of-right:10002 \ + --cmd="nc -vlp 20000" + user@right $ nat-traverse 10002:natgw-of-left:10001 \ + --cmd="nc -vlp 22" + + As soon as the tunnel is established (using UDP ports 10001 and 10002), + "left"'s TCP port 20000 is forwarded to "right"'s SSH Daemon (TCP port + 22): + + user@some-other-host $ ssh -p 20000 user@left + # Will connect to right's SSH daemon! + + But do note that you lose the reliability of TCP in this example, as the + actual data is transported via UDP. If you want reliable streams, use + PPP on top of nat-traverse, as described above. + +LIMITATIONS + Only IPv4 is supported, nat-traverse won't work with IPv6 addresses. + Even though it would be relatively trivial to add IPv6 support, I + refrained from doing that, as there's no need to use NAT with IPv6 (the + address space IPv6 provides is sufficient). + + If you do need IPv6 support, drop me a note and I'll patch nat-traverse. + +SEE ALSO + RFC 1631 at http://www.ietf.org/rfc/rfc1631.txt + The IP Network Address Translator (NAT). K. Egevang, P. Francis. May + 1994. (Obsoleted by RFC3022) (Status: INFORMATIONAL) + + RFC 3022 at http://www.ietf.org/rfc/rfc3022.txt + Traditional IP Network Address Translator (Traditional NAT). P. + Srisuresh, K. Egevang. January 2001. (Obsoletes RFC1631) (Status: + INFORMATIONAL) + + RFC 1661 at http://www.ietf.org/rfc/rfc1661.txt + The Point-to-Point Protocol (PPP). W. Simpson, Ed.. July 1994. 
+ (Obsoletes RFC1548) (Updated by RFC2153) (Also STD0051) (Status: + STANDARD) + + + Website of Paul's PPP Package (open source implementation of the + Point-to-Point Protocol (PPP) on Linux and Solaris) + + German talk about nat-traverse at + http://linide.sourceforge.net/nat-traverse/nat-traverse-talk.pdf + Dieser Vortrag zeigt, wie man einen Tunnel zwischen zwei Computern, + die beide hinter NAT-Gateways sitzen, hinbekommt. Dazu wird ein + neues Programm vorgestellt, welches sowohl einfache Tastendrücke an + die Gegenseite weiterleiten, als auch beliebige Programme mit + Verbindungen zur Gegenseite starten kann. Damit ist ein einfaches + VPN schnell aufgebaut. + +AUTHOR + Copyright (C) 2005 Ingo Blechschmidt, . + + You may want to visit nat-traverse's Freshmeat project page, + , for new releases. + +LICENSE + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 2 of the License, or (at your + option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General + Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..ca08a3d --- /dev/null +++ b/debian/changelog @@ -0,0 +1,13 @@ +nat-traverse (0.4-1) unstable; urgency=low + + * New upstream release. + * Bumbed Standards-Version to 3.6.2 (no further changes). + + -- Michael Prokop Wed, 24 Aug 2005 11:59:18 +0200 + +nat-traverse (0.3-1) unstable; urgency=low + + * Initial release. + + -- Michael Prokop Mon, 18 Jul 2005 22:01:25 +0200 + 
diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..b8626c4 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +4 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..78be616 --- /dev/null +++ b/debian/control @@ -0,0 +1,20 @@ +Source: nat-traverse +Section: net +Priority: optional +Maintainer: Michael Prokop +Build-Depends: debhelper (>= 4.0.0) +Standards-Version: 3.6.2 + +Package: nat-traverse +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: establish connections between nodes behind NAT gateways + nat-traverse establishes connections between nodes which are + behind NAT gateways, i.e. hosts which do not have public IP + addresses. Additionally, you can setup a small VPN by using pppd + on top of nat-traverse. nat-traverse does not need an external + server on the Internet, and it isn't necessary to reconfigure + the involved NAT gateways, either. nat-traverse works + out-of-the-box. + . + Homepage: http://linide.sourceforge.net/nat-traverse/ diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..5410130 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,18 @@ +This package was debianized by Michael Prokop on +Mon, 18 Jul 2005 22:01:25 +0200. + +It was downloaded from http://linide.sourceforge.net/nat-traverse/ + +Copyright Holder: Ingo Blechschmidt + +License: + +Copyright (C) 2005 Ingo Blechschmidt, . + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License as +published by the Free Software Foundation; either version 2 of +the License, or (at your option) any later version. + +On Debian GNU/Linux systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL'. diff --git a/debian/dirs b/debian/dirs new file mode 100644 index 0000000..e772481 --- /dev/null +++ b/debian/dirs @@ -0,0 +1 @@ +usr/bin 
diff --git a/debian/docs b/debian/docs new file mode 100644 index 0000000..e845566 --- /dev/null +++ b/debian/docs @@ -0,0 +1 @@ +README diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..6424430 --- /dev/null +++ b/debian/rules @@ -0,0 +1,64 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + + +configure-stamp: + dh_testdir + + touch configure-stamp + + +build: build-stamp + +build-stamp: configure-stamp + dh_testdir + + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp configure-stamp + + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + # Add here commands to install the package into debian/nat-traverse. + install -m 755 nat-traverse debian/nat-traverse/usr/bin/ + +# Build architecture-independent files here. +binary-indep: build install +# We have nothing to do by default. + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir + dh_testroot + dh_installchangelogs ChangeLog + dh_installdocs + dh_installman nat-traverse.1 + dh_link + dh_strip + dh_compress + dh_fixperms + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..6289d7a --- /dev/null +++ b/debian/watch 
@@ -0,0 +1,8 @@ +# Example watch control file for uscan +# Rename this file to "watch" and then you can run the "uscan" command +# to check for upstream updates and more. +# See uscan(1) for format + +# Compulsory line, this is a version 3 file +version=3 +http://people.debian.org/~lolando/sfdlr.php?project=nat-traverse nat-traverse-([\d.]*).tar.bz2 diff --git a/nat-traverse b/nat-traverse new file mode 100755 index 0000000..ca7b54c --- /dev/null +++ b/nat-traverse 
@@ -0,0 +1,404 @@ +#!/usr/bin/perl +# nat-traverse -- Use of UDP to traverse NAT gateways +# Copyright (C) 2005 Ingo Blechschmidt +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. + +use warnings; +use strict; + +use v5.6.0; + +use IO::Socket::INET; +use Getopt::Long; + +# More elegant use constant {...} not available in Perl 5.6.x. +use constant GARBAGE_MAGIC => "nat-traverse-garbage"; +use constant ACK_MAGIC => "nat-traverse-ack"; +use constant PACKET_SIZE => 8 * 1024; + +sub debug($); + +# ARGV parsing. +GetOptions( + "window=i" => \(my $WINDOW = 10), + "timeout=i" => \(my $TIMEOUT = 10), + "quit-after-connect" => \my $QUIT_AFTER_CONNECT, + "cmd=s" => \my $CMD, + "version" => sub { print "nat-traverse 0.4\n" and exit }, + "help" => \&usage, +) or usage(); +usage() unless @ARGV == 1; +my ($LPORT, $PEER, $RPORT) = split /:/, $ARGV[0]; +usage() unless $LPORT =~ /^\d+/ and $RPORT =~ /^\d+/ and $PEER; + +# Helper sub to create our socket... +sub sockgen { + debug "Creating socket localhost:$LPORT <-> $PEER:$RPORT... "; + my $sock = IO::Socket::INET->new( + PeerHost => $PEER, + PeerPort => $RPORT, + LocalPort => $LPORT, + Proto => "udp", + ReuseAddr => 1, + ) or die "Couldn't create socket: $!\n"; + debug "done.\n"; + + return $sock; +} + +# Helper sub to wait for a given char. 
+sub waitfor { + my ($sock, $match) = @_; + + while(1) { + debug "."; + my $got; + defined(sysread $sock, $got, length $match) or + die "Couldn't read from socket: $!\n"; + last if defined $got and $got eq $match; + } +} + +# Initial phase: Sending of initial packets to make the firewalls think the +# packets are replies. +my $sock = sockgen(); +debug "Sending $WINDOW initial packets... "; +for(1..$WINDOW) { + debug "."; + syswrite $sock, GARBAGE_MAGIC; + sleep 1; +} +syswrite $sock, ACK_MAGIC; +debug " done.\n"; + +# Waiting for ACK packet so we see the connection is established. +debug "Waiting for ACK (timeout: $TIMEOUT\Es)... "; +{ + local $SIG{ALRM} = sub { die " timeout.\n" }; + alarm $TIMEOUT; + waitfor($sock, ACK_MAGIC); + alarm 0; +} +debug " done.\n"; + +# :) +debug "Connection established.\n"; + +debug "Exiting.\n" and exit 0 if $QUIT_AFTER_CONNECT; + +# Either exec() $CMD or relay STDIN and STDOUT appropriately. +if(defined $CMD) { + debug "Redirecting STDIN and STDOUT... "; + open STDOUT, ">&", $sock or die "Couldn't redirect STDOUT: $!\n"; + open STDIN, "<&", $sock or die "Couldn't redirect STDIN: $!\n"; + debug "done.\n"; + debug "exec()ing \"$CMD\"...\n"; + exec $CMD or die "Couldn't exec() \"$CMD\": $!\n"; +} else { + debug "Type ahead.\n"; + $SIG{CHLD} = "IGNORE"; + my $pid = fork; + die "Couldn't fork: $!\n" unless defined $pid; + + if($pid) { + # Parent -- read chars from STDIN and send them to the socket. + my $buf; + while(1) { + my $ret = sysread STDIN, $buf, PACKET_SIZE; + defined $ret or die "Couldn't read from STDIN: $!\n"; + $ret or last; + syswrite $sock, $buf or die "Couldn't write to socket: $!\n"; + } + + # Exit on ^D. + debug "Exiting; sending SIGTERM to child process... "; + kill 15 => $pid or die "Couldn't send SIGTERM to child process (PID $pid): $!\n"; + debug "done.\n"; + + } else { + # Child -- print what's "in the socket". 
+ print $_ while + defined(sysread $sock, $_, PACKET_SIZE) or + die "Couldn't read from socket: $!\n"; + } + + # Clean up after ourselves. + close $sock or die "Couldn't close socket: $!\n"; +} + +# Nice debugging output. +{ + my $fresh; + sub debug($) { + my $msg = shift; + + print STDERR "> " and $fresh++ unless $fresh; + print STDERR $msg; + $fresh = 0 if substr($msg, -1) eq "\n"; + 1; + } +} + +# Display usage info. +sub usage { print STDERR <<'USAGE'; exit } +nat-traverse v0.4 -- Use of UDP to traverse NAT gateways + +Usage: + user@left $ nat-traverse [options] port1:natgw-of-right:port2 + user@right $ nat-traverse [options] port2:natgw-of-left:port1 + where + port1, port2: Two unused UDP ports + left, right: The hosts behind NAT gateways you want to connect + natgw-of-left, The addresses of the NAT gateways of left and right + natgw-of-right: + +Available options: + --window=10 The number of initial garbage packets to send. + --timeout=10 The number of seconds to wait for an acknowledgement + of the connection by the peer. + --cmd="pppd..." The command to run with its STDIN and STDOUT bound to + the socket. + If no command is specified, everything you type is + relayed to the other end of the socket, i.e. + nat-traverse degrades to netcat. + --quit-after-connect Quit nat-traverse after the tunnel was established + successfully. + --version Display version information. + --help This help. + +Options may be abbreviated to uniqueness. +Run "perldoc nat-traverse" for more information. +USAGE + + +=head1 NAME + +nat-traverse - Use of UDP to traverse NAT gateways + +=head1 SYNOPSIS + + user@left $ nat-traverse 40000:natgw-of-right:40001 + user@right $ nat-traverse 40001:natgw-of-left:40000 + +=head1 VERSION + +This document describes nat-traverse v0.4. + +=head1 DESCRIPTION + +nat-traverse establishes connections between nodes which are behind NAT +gateways, i.e. hosts which do I have public IP addresses. 
Additionally, +you can setup a small VPN by using pppd on top of nat-traverse (see +L). nat-traverse does I need an external server on the +Internet, and it isn't necessary to reconfigure the involved NAT gateways, +either. I + +See L for how this is achieved. + +=head1 OPTIONS + +=over + +=item C:I:I> (required) + +Sets the local port to use and the remote address to connect to. + +Note that you have to give the IP address or hostname of the I of +the host you want to connect to, as the target host doesn't have a public IP +address. + +=item C<--cmd="I"> + +Runs the specified command after establishing the connection. + +The command will be run with its STDIN and STDOUT bound to the socket, i.e. +everything the command writes to STDOUT will be forwarded to the peer. + +If no command is specified, nat-traverse will relay input from STDIN to the peer +and vice versa, i.e. nat-traverse degrades to netcat. + +=item C<--window=I<10>> + +Sets the number of initial garbage packets to send. The default, 10, should +work with most firewalls. + +=item C<--timeout=I<10>> + +Sets the maximum number of seconds to wait for an acknowledgement by the peer. + +=item C<--quit-after-connect> + +Quits nat-traverse after the tunnel has been established successfully. + +nat-traverse returns a non-C<0> statuscode to indicate that it wasn't able to +establish the tunnel. + +C<--quit-after-connect> is useful if you want another program to use the +tunnel. For example, you could configure OpenVPN to use the the same ports as +nat-traverse -- thus OpenVPN would be able to cross NAT gateways. + +=item C<--version>, C<--help> + +=back + +=head1 TECHNIQUE + +nat-traverse establishes connections between hosts behind NAT gateways, without need +for reconfiguration of the involved NAT gateways. + +=over + +=item 1. + +Firstly, nat-traverse on host C sends garbage UDP packets to the NAT gateway +of C. These packets are, of course, discarded by the firewall. + +=item 2. 
+ +Then C's nat-traverse sends garbage UDP packets to the NAT gateway of +C. These packets are I discarded, as C's NAT gateway thinks +these packets are replies to the packets sent in step 1! + +=item 3. + +C's nat-traverse continues to send garbage packets to C's NAT gateway. +These packets are now not dropped either, as the NAT gateway thinks the packets +are replies to the packets sent in step 2. + +=item 4. + +Finally, both hosts send an acknowledgement packet to signal readiness. When +these packets are received, the connection is established and nat-traverse can +either relay STDIN to the socket or execute a program. + +=back + +=head1 EXAMPLES + +=head2 Setup of a small VPN with PPP + +It's easy to setup a VPN (Virtual Private Network) by using the Point-to-Point +Protocol Daemon, C: + + root@left # nat-traverse \ + --cmd="pppd updetach noauth passive notty \ + ipparam vpn 10.0.0.1:10.0.0.2" + 40000:natgw-of-right:40001 + root@right # nat-traverse \ + --cmd="pppd nodetach notty noauth" + 40001:natgw-of-left:40000 + +C creates a new interface, typically C. Using this interface, you +can ping C<10.0.0.1> or C<10.0.0.2>. As you can see, C upgrades the +data-only tunnel nat-traverse provides to a full IP tunnel. Thus you can +establish reliable TCP connections over the tunnel, even though the tunnel uses +UDP! Furthermore, you could even add IPv6 addresses to C by running C! + +Note though that although this VPN I a private network, it is I +secured in any way. You may want to use SSH to encrypt the connection. 
+ +=head2 Port Forwarding with netcat + +You can use C to forward one of your local UDP or TCP ports to an +arbitrary UDP or TCP port of the remote host, similar to C or C: + + user@left $ nat-traverse 10001:natgw-of-right:10002 \ + --cmd="nc -vlp 20000" + user@right $ nat-traverse 10002:natgw-of-left:10001 \ + --cmd="nc -vlp 22" + +As soon as the tunnel is established (using UDP ports C<10001> and C<10002>), +C's TCP port C<20000> is forwarded to C's SSH Daemon (TCP port +C<22>): + + user@some-other-host $ ssh -p 20000 user@left + # Will connect to right's SSH daemon! + +But do note that you lose the reliability of TCP in this example, as the actual +data is transported via UDP. If you want reliable streams, use PPP on top of +nat-traverse, as described above. + +=head1 LIMITATIONS + +Only IPv4 is supported, nat-traverse won't work with IPv6 addresses. Even +though it would be relatively trivial to add IPv6 support, I refrained from +doing that, as there's no need to use NAT with IPv6 (the address space IPv6 +provides is sufficient). + +If you do need IPv6 support, drop me a note and I'll patch nat-traverse. + +=head1 SEE ALSO + +=over + +=item L + +The IP Network Address Translator (NAT). K. Egevang, P. Francis. May 1994. +(Obsoleted by RFC3022) (Status: INFORMATIONAL) + +=item L + +Traditional IP Network Address Translator (Traditional NAT). P. Srisuresh, +K. Egevang. January 2001. (Obsoletes RFC1631) (Status: INFORMATIONAL) + +=item L + +The Point-to-Point Protocol (PPP). W. Simpson, Ed.. July 1994. (Obsoletes +RFC1548) (Updated by RFC2153) (Also STD0051) (Status: STANDARD) + +=item L + +Website of Paul's PPP Package (open source implementation of the +Point-to-Point Protocol (PPP) on Linux and Solaris) + +=item L + +Dieser Vortrag zeigt, wie man einen Tunnel zwischen zwei Computern, die +beide hinter NAT-Gateways sitzen, hinbekommt. 
Dazu wird ein neues Programm +vorgestellt, welches sowohl einfache Tastendrücke an die Gegenseite +weiterleiten, als auch beliebige Programme mit Verbindungen zur Gegenseite +starten kann. Damit ist ein einfaches VPN schnell aufgebaut. + +=back + +=head1 AUTHOR + +Copyright (C) 2005 Ingo Blechschmidt, Eiblech@web.deE. + +You may want to visit nat-traverse's Freshmeat project page, +L, for new releases. + +=head1 LICENSE + +This program is free software; you can redistribute it and/or modify it under +the terms of the GNU General Public License as published by the Free Software +Foundation; either version 2 of the License, or (at your option) any later +version. + +This program is distributed in the hope that it will be useful, but WITHOUT ANY +WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A +PARTICULAR PURPOSE. See the GNU General Public License for more details. + +You should have received a copy of the GNU General Public License along with +this program; if not, write to the Free Software Foundation, Inc., 51 Franklin +Street, Fifth Floor, Boston, MA 02110-1301, USA. diff --git a/nat-traverse.1 b/nat-traverse.1 new file mode 100644 index 0000000..6847116 --- /dev/null +++ b/nat-traverse.1 
@@ -0,0 +1,319 @@ +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. 
ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. 
ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "NAT-TRAVERSE 1" +.TH NAT-TRAVERSE 1 "2005-08-23" "perl v5.8.7" "User Contributed Perl Documentation" +.SH "NAME" +nat\-traverse \- Use of UDP to traverse NAT gateways +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 2 +\& user@left $ nat-traverse 40000:natgw-of-right:40001 +\& user@right $ nat-traverse 40001:natgw-of-left:40000 +.Ve +.SH "VERSION" +.IX Header "VERSION" +This document describes nat-traverse v0.4. +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +nat-traverse establishes connections between nodes which are behind \s-1NAT\s0 +gateways, i.e. hosts which do \fInot\fR have public \s-1IP\s0 addresses. Additionally, +you can setup a small \s-1VPN\s0 by using pppd on top of nat-traverse (see +\&\*(L"\s-1EXAMPLES\s0\*(R"). nat-traverse does \fInot\fR need an external server on the +Internet, and it isn't necessary to reconfigure the involved \s-1NAT\s0 gateways, +either. \fInat-traverse works out\-of\-the\-box.\fR +.PP +See \*(L"\s-1TECHNIQUE\s0\*(R" for how this is achieved. +.SH "OPTIONS" +.IX Header "OPTIONS" +.ie n .IP """\f(CIlocal_port\f(CW:\f(CIpeer\f(CW:\f(CIremote_port\f(CW"" (required)" 4 +.el .IP "\f(CW\f(CIlocal_port\f(CW:\f(CIpeer\f(CW:\f(CIremote_port\f(CW\fR (required)" 4 +.IX Item "local_port:peer:remote_port (required)" +Sets the local port to use and the remote address to connect to. +.Sp +Note that you have to give the \s-1IP\s0 address or hostname of the \fI\s-1NAT\s0 gateway\fR of +the host you want to connect to, as the target host doesn't have a public \s-1IP\s0 +address. +.ie n .IP """\-\-cmd=""\f(CIpppd...\f(CW""""" 4 +.el .IP "\f(CW\-\-cmd=``\f(CIpppd...\f(CW''\fR" 4 +.IX Item "--cmd=""pppd...""" +Runs the specified command after establishing the connection. +.Sp +The command will be run with its \s-1STDIN\s0 and \s-1STDOUT\s0 bound to the socket, i.e. 
+everything the command writes to \s-1STDOUT\s0 will be forwarded to the peer. +.Sp +If no command is specified, nat-traverse will relay input from \s-1STDIN\s0 to the peer +and vice versa, i.e. nat-traverse degrades to netcat. +.ie n .IP """\-\-window=\f(CI10\f(CW""" 4 +.el .IP "\f(CW\-\-window=\f(CI10\f(CW\fR" 4 +.IX Item "--window=10" +Sets the number of initial garbage packets to send. The default, 10, should +work with most firewalls. +.ie n .IP """\-\-timeout=\f(CI10\f(CW""" 4 +.el .IP "\f(CW\-\-timeout=\f(CI10\f(CW\fR" 4 +.IX Item "--timeout=10" +Sets the maximum number of seconds to wait for an acknowledgement by the peer. +.ie n .IP """\-\-quit\-after\-connect""" 4 +.el .IP "\f(CW\-\-quit\-after\-connect\fR" 4 +.IX Item "--quit-after-connect" +Quits nat-traverse after the tunnel has been established successfully. +.Sp +nat-traverse returns a non\-\f(CW0\fR statuscode to indicate that it wasn't able to +establish the tunnel. +.Sp +\&\f(CW\*(C`\-\-quit\-after\-connect\*(C'\fR is useful if you want another program to use the +tunnel. For example, you could configure OpenVPN to use the the same ports as +nat-traverse \*(-- thus OpenVPN would be able to cross \s-1NAT\s0 gateways. +.ie n .IP """\-\-version""\fR, \f(CW""\-\-help""" 4 +.el .IP "\f(CW\-\-version\fR, \f(CW\-\-help\fR" 4 +.IX Item "--version, --help" +.SH "TECHNIQUE" +.IX Header "TECHNIQUE" +nat-traverse establishes connections between hosts behind \s-1NAT\s0 gateways, without need +for reconfiguration of the involved \s-1NAT\s0 gateways. +.IP "1." 4 +Firstly, nat-traverse on host \f(CW\*(C`left\*(C'\fR sends garbage \s-1UDP\s0 packets to the \s-1NAT\s0 gateway +of \f(CW\*(C`right\*(C'\fR. These packets are, of course, discarded by the firewall. +.IP "2." 4 +Then \f(CW\*(C`right\*(C'\fR's nat-traverse sends garbage \s-1UDP\s0 packets to the \s-1NAT\s0 gateway of +\&\f(CW\*(C`left\*(C'\fR. 
These packets are \fInot\fR discarded, as \f(CW\*(C`left\*(C'\fR's \s-1NAT\s0 gateway thinks +these packets are replies to the packets sent in step 1! +.IP "3." 4 +\&\f(CW\*(C`left\*(C'\fR's nat-traverse continues to send garbage packets to \f(CW\*(C`right\*(C'\fR's \s-1NAT\s0 gateway. +These packets are now not dropped either, as the \s-1NAT\s0 gateway thinks the packets +are replies to the packets sent in step 2. +.IP "4." 4 +Finally, both hosts send an acknowledgement packet to signal readiness. When +these packets are received, the connection is established and nat-traverse can +either relay \s-1STDIN\s0 to the socket or execute a program. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +.Sh "Setup of a small \s-1VPN\s0 with \s-1PPP\s0" +.IX Subsection "Setup of a small VPN with PPP" +It's easy to setup a \s-1VPN\s0 (Virtual Private Network) by using the Point-to-Point +Protocol Daemon, \f(CW\*(C`pppd\*(C'\fR: +.PP +.Vb 7 +\& root@left # nat-traverse \e +\& --cmd="pppd updetach noauth passive notty \e +\& ipparam vpn 10.0.0.1:10.0.0.2" +\& 40000:natgw-of-right:40001 +\& root@right # nat-traverse \e +\& --cmd="pppd nodetach notty noauth" +\& 40001:natgw-of-left:40000 +.Ve +.PP +\&\f(CW\*(C`pppd\*(C'\fR creates a new interface, typically \f(CW\*(C`ppp0\*(C'\fR. Using this interface, you +can ping \f(CW10.0.0.1\fR or \f(CW10.0.0.2\fR. As you can see, \f(CW\*(C`pppd\*(C'\fR upgrades the +data-only tunnel nat-traverse provides to a full \s-1IP\s0 tunnel. Thus you can +establish reliable \s-1TCP\s0 connections over the tunnel, even though the tunnel uses +\&\s-1UDP\s0! Furthermore, you could even add IPv6 addresses to \f(CW\*(C`ppp0\*(C'\fR by running \f(CW\*(C`ip +\&\-6 addr add...\*(C'\fR! +.PP +Note though that although this \s-1VPN\s0 \fIis\fR a private network, it is \fInot\fR +secured in any way. You may want to use \s-1SSH\s0 to encrypt the connection. 
+.Sh "Port Forwarding with netcat" +.IX Subsection "Port Forwarding with netcat" +You can use \f(CW\*(C`netcat\*(C'\fR to forward one of your local \s-1UDP\s0 or \s-1TCP\s0 ports to an +arbitrary \s-1UDP\s0 or \s-1TCP\s0 port of the remote host, similar to \f(CW\*(C`ssh \-L\*(C'\fR or \f(CW\*(C`ssh +\&\-R\*(C'\fR: +.PP +.Vb 4 +\& user@left $ nat-traverse 10001:natgw-of-right:10002 \e +\& --cmd="nc -vlp 20000" +\& user@right $ nat-traverse 10002:natgw-of-left:10001 \e +\& --cmd="nc -vlp 22" +.Ve +.PP +As soon as the tunnel is established (using \s-1UDP\s0 ports \f(CW10001\fR and \f(CW10002\fR), +\&\f(CW\*(C`left\*(C'\fR's \s-1TCP\s0 port \f(CW20000\fR is forwarded to \f(CW\*(C`right\*(C'\fR's \s-1SSH\s0 Daemon (\s-1TCP\s0 port +\&\f(CW22\fR): +.PP +.Vb 2 +\& user@some-other-host $ ssh -p 20000 user@left +\& # Will connect to right's SSH daemon! +.Ve +.PP +But do note that you lose the reliability of \s-1TCP\s0 in this example, as the actual +data is transported via \s-1UDP\s0. If you want reliable streams, use \s-1PPP\s0 on top of +nat\-traverse, as described above. +.SH "LIMITATIONS" +.IX Header "LIMITATIONS" +Only IPv4 is supported, nat-traverse won't work with IPv6 addresses. Even +though it would be relatively trivial to add IPv6 support, I refrained from +doing that, as there's no need to use \s-1NAT\s0 with IPv6 (the address space IPv6 +provides is sufficient). +.PP +If you do need IPv6 support, drop me a note and I'll patch nat\-traverse. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +.IP "\s-1RFC\s0 1631 at http://www.ietf.org/rfc/rfc1631.txt" 4 +.IX Item "RFC 1631 at http://www.ietf.org/rfc/rfc1631.txt" +The \s-1IP\s0 Network Address Translator (\s-1NAT\s0). K. Egevang, P. Francis. May 1994. +(Obsoleted by \s-1RFC3022\s0) (Status: \s-1INFORMATIONAL\s0) +.IP "\s-1RFC\s0 3022 at http://www.ietf.org/rfc/rfc3022.txt" 4 +.IX Item "RFC 3022 at http://www.ietf.org/rfc/rfc3022.txt" +Traditional \s-1IP\s0 Network Address Translator (Traditional \s-1NAT\s0). P. 
Srisuresh, +K. Egevang. January 2001. (Obsoletes \s-1RFC1631\s0) (Status: \s-1INFORMATIONAL\s0) +.IP "\s-1RFC\s0 1661 at http://www.ietf.org/rfc/rfc1661.txt" 4 +.IX Item "RFC 1661 at http://www.ietf.org/rfc/rfc1661.txt" +The Point-to-Point Protocol (\s-1PPP\s0). W. Simpson, Ed.. July 1994. (Obsoletes +\&\s-1RFC1548\s0) (Updated by \s-1RFC2153\s0) (Also \s-1STD0051\s0) (Status: \s-1STANDARD\s0) +.IP "" 4 +.IX Item "" +Website of Paul's \s-1PPP\s0 Package (open source implementation of the +Point-to-Point Protocol (\s-1PPP\s0) on Linux and Solaris) +.IP "German talk about nat-traverse at http://linide.sourceforge.net/nat\-traverse/nat\-traverse\-talk.pdf" 4 +.IX Item "German talk about nat-traverse at http://linide.sourceforge.net/nat-traverse/nat-traverse-talk.pdf" +Dieser Vortrag zeigt, wie man einen Tunnel zwischen zwei Computern, die +beide hinter NAT-Gateways sitzen, hinbekommt. Dazu wird ein neues Programm +vorgestellt, welches sowohl einfache Tastendrücke an die Gegenseite +weiterleiten, als auch beliebige Programme mit Verbindungen zur Gegenseite +starten kann. Damit ist ein einfaches \s-1VPN\s0 schnell aufgebaut. +.SH "AUTHOR" +.IX Header "AUTHOR" +Copyright (C) 2005 Ingo Blechschmidt, . +.PP +You may want to visit nat\-traverse's Freshmeat project page, +, for new releases. +.SH "LICENSE" +.IX Header "LICENSE" +This program is free software; you can redistribute it and/or modify it under +the terms of the \s-1GNU\s0 General Public License as published by the Free Software +Foundation; either version 2 of the License, or (at your option) any later +version. +.PP +This program is distributed in the hope that it will be useful, but \s-1WITHOUT\s0 \s-1ANY\s0 +\&\s-1WARRANTY\s0; without even the implied warranty of \s-1MERCHANTABILITY\s0 or \s-1FITNESS\s0 \s-1FOR\s0 A +\&\s-1PARTICULAR\s0 \s-1PURPOSE\s0. See the \s-1GNU\s0 General Public License for more details. 
+.PP +You should have received a copy of the \s-1GNU\s0 General Public License along with +this program; if not, write to the Free Software Foundation, Inc., 51 Franklin +Street, Fifth Floor, Boston, \s-1MA\s0 02110\-1301, \s-1USA\s0. -- cgit v1.2.3
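Review bot: the debian/watch hunk still carries the dh_make template comments ("Example watch control file for uscan", "Rename this file to "watch" and then you can run the "uscan" command ..."), which are noise in a committed watch file; keep only `version=3` and the `http://people.debian.org/~lolando/sfdlr.php?project=nat-traverse nat-traverse-([\d.]*).tar.bz2` line, at most with a one-line comment naming the upstream download page.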
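Review bot: in the nat-traverse hunk, `sub usage { print STDERR <<'USAGE'; exit }` exits with status 0 on every path, including the error paths `GetOptions(...) or usage()`, `usage() unless @ARGV == 1` and the port check, so a caller (for example a wrapper that starts OpenVPN once the tunnel is up, as the `--quit-after-connect` documentation suggests) cannot tell a malformed invocation from `--help`; have usage() take an exit status, `exit 0` for `--help` and `exit 1` otherwise, which also matches the documented promise that a non-0 status means the tunnel was not established. Minor: the argument check `$LPORT =~ /^\d+/ and $RPORT =~ /^\d+/` is anchored only at the start, so a value like `40000x` is accepted; use `/^\d+$/`.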
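Review bot: nat-traverse.1 is Pod::Man output ("Automatically generated by Pod::Man v1.37", built with perl v5.8.7 on 2005-08-23) committed next to the script whose POD it was generated from; unless debian/rules regenerates it, the two will drift, so prefer running pod2man on the script at build time and dropping the generated file. This matters for the "Port Forwarding with netcat" example, which needs a fix in the POD: on `right`, `--cmd="nc -vlp 22"` makes netcat listen on TCP port 22 (where sshd already listens) instead of connecting to the local SSH daemon as the text describes, so it should read something like `--cmd="nc localhost 22"` (the listener `nc -vlp 20000` on `left` is correct); fixing the POD and regenerating the man page keeps script and manual consistent.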