{"id":1390,"date":"2024-05-17T15:41:08","date_gmt":"2024-05-17T07:41:08","guid":{"rendered":"https:\/\/aichh.com\/?p=1390"},"modified":"2024-05-17T15:45:31","modified_gmt":"2024-05-17T07:45:31","slug":"%e8%af%91-nat-%e7%a9%bf%e9%80%8f%e6%98%af%e5%a6%82%e4%bd%95%e5%b7%a5%e4%bd%9c%e7%9a%84%ef%bc%9a%e6%8a%80%e6%9c%af%e5%8e%9f%e7%90%86%e5%8f%8a%e4%bc%81%e4%b8%9a%e7%ba%a7%e5%ae%9e%e8%b7%b5","status":"publish","type":"post","link":"https:\/\/aichh.com\/1390.html","title":{"rendered":"[\u8bd1] NAT \u7a7f\u900f\u662f\u5982\u4f55\u5de5\u4f5c\u7684\uff1a\u6280\u672f\u539f\u7406\u53ca\u4f01\u4e1a\u7ea7\u5b9e\u8df5"},"content":{"rendered":"<h3 id=\"\u8bd1\u8005\u5e8f\">\u8bd1\u8005\u5e8f<\/h3>\n<p>\u672c\u6587\u7ffb\u8bd1\u81ea 2020 \u5e74\u7684\u4e00\u7bc7\u82f1\u6587\u535a\u5ba2\uff1a\u00a0<a href=\"https:\/\/tailscale.com\/blog\/how-nat-traversal-works\/\" target=\"_blank\" rel=\"noopener\">How NAT traversal works<\/a>\u3002<\/p>\n<p>\u8bbe\u60f3\u8fd9\u6837\u4e00\u4e2a\u95ee\u9898\uff1a\u5728\u5317\u4eac\u548c\u4e0a\u6d77\u5404\u6709\u4e00\u53f0<strong><mark>\u5c40\u57df\u7f51\u7684\u673a\u5668<\/mark><\/strong>\uff08\u4f8b\u5982\u4e00\u53f0\u662f\u5bb6\u91cc\u7684\u53f0\u5f0f\u673a\uff0c\u4e00 \u53f0\u662f\u8fde\u63a5\u5230\u661f\u5df4\u514b WiFi \u7684\u7b14\u8bb0\u672c\uff09\uff0c\u4e8c\u8005\u90fd\u662f\u79c1\u7f51 IP \u5730\u5740\uff0c\u4f46\u53ef\u4ee5\u8bbf\u95ee\u516c\u7f51\uff0c\u00a0<strong><mark>\u5982\u4f55\u8ba9\u8fd9\u4e24\u53f0\u673a\u5668\u901a\u4fe1\u5462\uff1f<\/mark><\/strong><\/p>\n<p>\u65e2\u7136\u4e8c\u8005\u90fd\u80fd\u8bbf\u95ee\u516c\u7f51\uff0c\u90a3\u6700\u7b80\u5355\u7684\u65b9\u5f0f\u5f53\u7136\u662f\u5728\u516c\u7f51\u4e0a\u67b6\u8bbe\u4e00\u4e2a\u4e2d\u7ee7\u670d\u52a1\u5668\uff1a \u4e24\u53f0\u673a\u5668\u5206\u522b\u8fde\u63a5\u5230\u4e2d\u7ee7\u670d\u52a1\uff0c\u540e\u8005\u5b8c\u6210\u53cc\u5411\u8f6c\u53d1\u3002\u8fd9\u79cd\u65b9\u5f0f\u663e\u7136\u6709\u5f88\u5927\u7684\u6027\u80fd\u5f00\u9500\uff0c\u800c 
\u4e14\u4e2d\u7ee7\u670d\u52a1\u5668\u5f88\u5bb9\u6613\u6210\u4e3a\u74f6\u9888\u3002<\/p>\n<p>\u6709\u6ca1\u6709\u529e\u6cd5\u4e0d\u7528\u4e2d\u7ee7\uff0c\u8ba9<strong><mark>\u4e24\u53f0\u673a\u5668\u76f4\u63a5\u901a\u4fe1<\/mark><\/strong>\u5462\uff1f<\/p>\n<p>\u5982\u679c\u6709\u4e00\u5b9a\u7684\u7f51\u7edc\u548c\u534f\u8bae\u57fa\u7840\uff0c\u5c31\u4f1a\u660e\u767d\u8fd9\u4e8b\u513f\u662f\u53ef\u80fd\u7684\u3002Tailscale \u7684\u8fd9\u7bc7<strong><mark>\u53f2\u8bd7\u7ea7\u957f\u6587<\/mark><\/strong>\u7531\u6d45\u5165\u6df1\u5730\u5c55\u793a\u4e86\u8fd9\u79cd\u201c\u53ef\u80fd\u201d\uff0c\u5982\u679c\u5b8c\u5168\u5b9e\u73b0\u672c\u6587\u6240 \u4ecb\u7ecd\u7684\u6280\u672f\uff0c\u4f60\u5c06\u5f97\u5230\u4e00\u4e2a\u4f01\u4e1a\u7ea7\u7684 NAT\/\u9632\u706b\u5899\u7a7f\u900f\u5de5\u5177\u3002 \u6b64\u5916\uff0c\u5982\u4f5c\u8005\u6240\u8bf4\uff0c<strong><mark>\u53bb\u4e2d\u5fc3\u5316\u8f6f\u4ef6<\/mark><\/strong>\u9886\u57df\u4e2d\u7684\u8bb8\u591a\u6709\u8da3\u60f3\u6cd5\uff0c\u7b80\u5316\u4e4b\u540e\u5176\u5b9e\u90fd\u53d8\u6210\u4e86\u00a0<strong><mark>\u8de8\u8fc7\u516c\u7f51\uff08\u4e92\u8054\u7f51\uff09\u5b9e\u73b0\u7aef\u5230\u7aef\u76f4\u8fde<\/mark><\/strong>\u00a0\u8fd9\u4e00\u95ee\u9898\uff0c\u56e0\u6b64\u672c\u6587\u7684\u610f\u4e49\u5e76\u4e0d\u4ec5\u9650\u4e8e NAT \u7a7f\u900f\u672c\u8eab\u3002<\/p>\n<p><strong>\u7531\u4e8e\u8bd1\u8005\u6c34\u5e73\u6709\u9650\uff0c\u672c\u6587\u4e0d\u514d\u5b58\u5728\u9057\u6f0f\u6216\u9519\u8bef\u4e4b\u5904\u3002\u5982\u6709\u7591\u95ee\uff0c\u8bf7\u67e5\u9605\u539f\u6587\u3002<\/strong><\/p>\n<p>\u4ee5\u4e0b\u662f\u8bd1\u6587\u3002<\/p>\n<hr \/>\n<p>\u5728\u524d\u4e00\u7bc7\u6587\u7ae0\u00a0<a href=\"https:\/\/tailscale.com\/blog\/how-tailscale-works\/\" target=\"_blank\" rel=\"noopener\">How Tailscale Works<\/a>\u00a0\u4e2d\uff0c \u6211\u4eec\u5df2\u7ecf\u7528\u8f83\u957f\u7bc7\u5e45\u4ecb\u7ecd\u4e86 Tailscale 
\u662f\u5982\u4f55\u5de5\u4f5c\u7684\u3002\u4f46\u5176\u4e2d\u5e76\u6ca1\u6709\u8be6\u7ec6\u63cf\u8ff0\u6211\u4eec\u662f\u00a0<strong><mark>\u5982\u4f55\u7a7f\u900f NAT \u8bbe\u5907\uff0c\u4ece\u800c\u5b9e\u73b0\u7ec8\u7aef\u8bbe\u5907\u76f4\u8fde\u7684<\/mark><\/strong>\u00a0\u2014\u2014 \u4e0d\u7ba1\u8fd9\u4e9b\u7ec8\u7aef\u4e4b\u95f4 \u6709\u4ec0\u4e48\u8bbe\u5907\uff08\u9632\u706b\u5899\u3001NAT \u7b49\uff09\uff0c\u4ee5\u53ca\u6709\u591a\u5c11\u8bbe\u5907\u3002\u672c\u6587\u8bd5\u56fe\u8865\u8db3\u8fd9\u4e00\u5185\u5bb9\u3002<\/p>\n<h1 id=\"1-\u5f15\u8a00\">1 \u5f15\u8a00<\/h1>\n<h2 id=\"11-\u80cc\u666fipv4-\u5730\u5740\u77ed\u7f3a\u5f15\u5165-nat\">1.1 \u80cc\u666f\uff1aIPv4 \u5730\u5740\u77ed\u7f3a\uff0c\u5f15\u5165 NAT<\/h2>\n<p>\u5168\u7403 IPv4 \u5730\u5740\u65e9\u5df2\u4e0d\u591f\u7528\uff0c\u56e0\u6b64\u4eba\u4eec\u53d1\u660e\u4e86 NAT\uff08\u7f51\u7edc\u5730\u5740\u8f6c\u6362\uff09\u6765\u7f13\u89e3\u8fd9\u4e2a\u95ee\u9898\u3002<\/p>\n<p>\u7b80\u5355\u6765\u8bf4\uff0c\u5927\u90e8\u5206\u673a\u5668\u90fd\u4f7f\u7528<strong><mark>\u79c1\u6709 IP \u5730\u5740<\/mark><\/strong>\uff0c\u5982\u679c\u5b83\u4eec\u9700\u8981\u8bbf\u95ee\u516c\u7f51\u670d\u52a1\uff0c\u90a3\u4e48\uff0c<\/p>\n<ul>\n<li>\u51fa\u5411\u6d41\u91cf\uff1a\u9700\u8981\u7ecf\u8fc7\u4e00\u53f0 NAT \u8bbe\u5907\uff0c\u5b83\u4f1a\u5bf9\u6d41\u91cf\u8fdb\u884c SNAT\uff0c\u5c06\u79c1\u6709 srcIP+Port \u8f6c \u6362\u6210 NAT \u8bbe\u5907\u7684\u516c\u7f51 IP+Port\uff08\u8fd9\u6837\u5e94\u7b54\u5305\u624d\u80fd\u56de\u6765\uff09\uff0c\u7136\u540e\u518d\u5c06\u5305\u53d1\u51fa\u53bb\uff1b<\/li>\n<li>\u5e94\u7b54\u6d41\u91cf\uff08\u5165\u5411\uff09\uff1a\u5230\u8fbe NAT \u8bbe\u5907\u540e\u8fdb\u884c\u76f8\u53cd\u7684\u8f6c\u6362\uff0c\u7136\u540e\u518d\u8f6c\u53d1\u7ed9\u5ba2\u6237\u7aef\u3002<\/li>\n<\/ul>\n<p>\u6574\u4e2a\u8fc7\u7a0b\u5bf9\u53cc\u65b9\u900f\u660e\u3002<\/p>\n<p><span style=\"text-indent: 2em;\">\u66f4\u591a\u5173\u4e8e NAT 
\u7684\u5185\u5bb9\uff0c\u53ef\u53c2\u8003\u00a0<\/span><a style=\"text-indent: 2em;\" href=\"https:\/\/arthurchiao.art\/blog\/nat-zh\/\" target=\"_blank\" rel=\"noopener\">(\u8bd1) NAT - \u7f51\u7edc\u5730\u5740\u8f6c\u6362\uff082016\uff09<\/a><span style=\"text-indent: 2em;\">\u3002 \u8bd1\u6ce8\u3002<\/span><\/p>\n<p>\u4ee5\u4e0a\u662f\u672c\u6587\u6240\u8ba8\u8bba\u95ee\u9898\u7684<strong><mark>\u57fa\u672c\u80cc\u666f<\/mark><\/strong>\u3002<\/p>\n<h2 id=\"12-\u9700\u6c42\u4e24\u53f0\u7ecf\u8fc7-nat-\u7684\u673a\u5668\u5efa\u7acb\u70b9\u5bf9\u70b9\u8fde\u63a5\">1.2 \u9700\u6c42\uff1a\u4e24\u53f0\u7ecf\u8fc7 NAT \u7684\u673a\u5668\u5efa\u7acb\u70b9\u5bf9\u70b9\u8fde\u63a5<\/h2>\n<p>\u5728\u4ee5\u4e0a\u6240\u63cf\u8ff0\u7684 NAT \u80cc\u666f\u4e0b\uff0c\u6211\u4eec\u4ece\u6700\u7b80\u5355\u7684\u95ee\u9898\u5f00\u59cb\uff1a\u5982\u4f55\u5728\u4e24\u53f0\u7ecf\u8fc7 NAT \u7684\u673a\u5668\u4e4b\u95f4\u5efa\u7acb\u00a0<strong><mark>\u70b9\u5bf9\u70b9\u8fde\u63a5<\/mark><\/strong>\uff08\u76f4\u8fde\uff09\u3002\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-intro\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-intro.png\" width=\"1560\" height=\"679\"><\/p>\n<p>\u76f4\u63a5\u7528\u673a\u5668\u7684 IP \u4e92\u8fde\u663e\u7136\u662f\u4e0d\u884c\u7684\uff0c\u56e0\u4e3a\u5b83\u4eec\u90fd\u662f\u79c1\u6709 IP\uff08\u4f8b\u5982\u00a0<code class=\"language-plaintext highlighter-rouge\">192.168.1.x<\/code>\uff09\u3002 \u5728 Tailscale \u4e2d\uff0c\u6211\u4eec\u4f1a\u5efa\u7acb\u4e00\u4e2a\u00a0<strong><mark>WireGuard\u00ae \u96a7\u9053<\/mark><\/strong>\u00a0\u6765\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898 \u2014\u2014 
\u4f46\u8fd9\u5e76\u4e0d\u662f\u592a\u91cd\u8981\uff0c\u56e0\u4e3a\u6211\u4eec\u5c06<strong><mark>\u8fc7\u53bb\u51e0\u4ee3\u4eba\u52aa\u529b<\/mark><\/strong>\u90fd\u6574\u5408\u5230\u4e86\u4e00\u4e2a\u5de5\u5177\u96c6\uff0c\u00a0<strong><mark>\u8fd9\u4e9b\u6280\u672f\u5e7f\u6cdb\u9002\u7528\u4e8e\u5404\u79cd\u573a\u666f<\/mark><\/strong>\u3002\u4f8b\u5982\uff0c<\/p>\n<ol>\n<li><a href=\"https:\/\/webrtc.org\/\"><mark>WebRTC<\/mark><\/a>\u00a0\u4f7f\u7528\u8fd9\u4e9b\u6280\u672f\u5728\u6d4f\u89c8\u5668\u4e4b\u95f4\u5b8c\u6210 peer-to-peer \u8bed\u97f3\u3001\u89c6\u9891\u548c\u6570\u636e\u4f20\u8f93\uff0c<\/li>\n<li><strong><mark>VoIP \u7535\u8bdd\u548c\u4e00\u4e9b\u89c6\u9891\u6e38\u620f<\/mark><\/strong>\u4e5f\u4f7f\u7528\u7c7b\u4f3c\u673a\u5236\uff0c\u867d\u7136\u4e0d\u662f\u6240\u6709\u60c5\u51b5\u4e0b\u90fd\u5f88\u6210\u529f\u3002<\/li>\n<\/ol>\n<p>\u63a5\u4e0b\u6765\uff0c\u672c\u6587\u5c06<strong><mark>\u5728\u4e00\u822c\u610f\u4e49\u4e0a\u8ba8\u8bba\u8fd9\u4e9b\u6280\u672f<\/mark><\/strong>\uff0c\u5e76\u5728\u5408\u9002\u7684\u5730\u65b9\u62ff Tailscale \u548c\u5176\u4ed6\u4e00\u4e9b\u4e1c\u897f\u4f5c\u4e3a\u4f8b\u5b50\u3002<\/p>\n<h2 id=\"13-\u65b9\u6848nat-\u7a7f\u900f\">1.3 \u65b9\u6848\uff1aNAT \u7a7f\u900f<\/h2>\n<h3 id=\"131-\u4e24\u4e2a\u5fc5\u5907\u524d\u63d0udp--\u80fd\u76f4\u63a5\u63a7\u5236-socket\">1.3.1 \u4e24\u4e2a\u5fc5\u5907\u524d\u63d0\uff1aUDP + \u80fd\u76f4\u63a5\u63a7\u5236 socket<\/h3>\n<p>\u5982\u679c\u60f3<strong><mark>\u8bbe\u8ba1\u81ea\u5df1\u7684\u534f\u8bae\u6765\u5b9e\u73b0 NAT \u7a7f\u900f<\/mark><\/strong>\uff0c\u90a3\u5fc5\u987b\u6ee1\u8db3\u4ee5\u4e0b\u4e24\u4e2a\u6761\u4ef6\uff1a<\/p>\n<ol>\n<li><strong><mark>\u534f\u8bae\u5e94\u8be5\u57fa\u4e8e UDP<\/mark><\/strong>\u3002\u7406\u8bba\u4e0a\u7528 TCP \u4e5f\u80fd\u5b9e\u73b0\uff0c\u4f46\u5b83\u4f1a\u7ed9\u672c\u5df2\u76f8\u5f53\u590d\u6742\u7684\u95ee\u9898\u518d\u589e\u52a0\u4e00\u5c42\u590d\u6742\u6027\uff0c \u751a\u81f3\u8fd8\u9700\u8981\u5b9a\u5236\u5316\u5185\u6838 
\u2014\u2014 \u53d6\u51b3\u4e8e\u4f60\u60f3\u5b9e\u73b0\u5230\u4ec0\u4e48\u7a0b\u5ea6\u3002\u672c\u6587\u63a5\u4e0b\u6765\u90fd\u5c06\u5173\u6ce8\u5728 UDP \u4e0a\u3002\n<p>\u5982\u679c\u8003\u8651 TCP \u662f\u60f3\u5728 NAT \u7a7f\u900f\u65f6\u83b7\u5f97<strong><mark>\u9762\u5411\u6d41\u7684\u8fde\u63a5<\/mark><\/strong>\uff08 stream-oriented connection\uff09\uff0c\u53ef\u4ee5\u8003\u8651\u7528\u00a0<strong><mark>QUIC<\/mark><\/strong>\u00a0\u6765\u66ff\u4ee3\uff0c\u5b83\u6784 \u5efa\u5728 UDP \u4e4b\u4e0a\uff0c\u56e0\u6b64\u6211\u4eec\u80fd\u5c06\u5173\u6ce8\u70b9\u653e\u5728 UDP NAT \u7a7f\u900f\uff0c\u800c\u4ecd\u7136\u80fd\u83b7\u5f97\u4e00\u4e2a \u5f88\u597d\u7684\u6d41\u534f\u8bae\uff08stream protocol\uff09\u3002<\/li>\n<li>\u5bf9\u6536\u53d1\u5305\u7684\u00a0<strong><mark>socket \u6709\u76f4\u63a5\u63a7\u5236\u6743<\/mark><\/strong>\u3002\u4f8b\u5982\uff0c\u4ece\u7ecf\u9a8c\u4e0a\u6765\u8bf4\uff0c\u65e0\u6cd5\u57fa\u4e8e\u67d0\u4e2a\u73b0\u6709\u7684\u7f51\u7edc\u5e93\u5b9e\u73b0 NAT \u7a7f\u900f\uff0c\u56e0\u4e3a\u6211\u4eec\u00a0<strong><mark>\u5fc5\u987b\u5728\u4f7f\u7528\u7684\u201c\u4e3b\u8981\u201d\u534f\u8bae\u4e4b\u5916\uff0c\u53d1\u9001\u548c\u63a5\u6536\u989d\u5916\u7684\u6570\u636e\u5305<\/mark><\/strong>\u3002\n<p>\u67d0\u4e9b\u534f\u8bae\uff08\u4f8b\u5982 WebRTC\uff09\u5c06 NAT \u7a7f\u900f\u4e0e\u5176\u4ed6\u90e8\u5206\u7d27\u5bc6\u96c6\u6210\u3002\u4f46\u5982\u679c\u4f60\u5728\u6784\u5efa\u81ea\u5df1\u7684\u534f\u8bae\uff0c\u00a0<strong><mark>\u5efa\u8bae\u5c06 NAT \u7a7f\u900f\u4f5c\u4e3a\u4e00\u4e2a\u72ec\u7acb\u5b9e\u4f53\uff0c\u4e0e\u4e3b\u534f\u8bae\u5e76\u884c\u8fd0\u884c<\/mark><\/strong>\uff0c\u4e8c\u8005\u4ec5 \u4ec5\u662f\u5171\u4eab socket \u7684\u5173\u7cfb\uff0c\u5982\u4e0b\u56fe\u6240\u793a\uff0c\u8fd9\u5c06\u5e26\u6765\u5f88\u5927\u5e2e\u52a9\uff1a<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-deep-integration\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-deep-integration.png\" 
width=\"1600\" height=\"760\"><\/p>\n<\/li>\n<\/ol>\n<h3 id=\"132-\u4fdd\u5e95\u65b9\u5f0f\u4e2d\u7ee7\">1.3.2 \u4fdd\u5e95\u65b9\u5f0f\uff1a\u4e2d\u7ee7<\/h3>\n<p>\u5728\u67d0\u4e9b\u573a\u666f\u4e2d\uff0c\u76f4\u63a5\u8bbf\u95ee socket \u8fd9\u4e00\u6761\u4ef6\u53ef\u80fd\u5f88\u96be\u6ee1\u8db3\u3002<\/p>\n<p>\u9000\u800c\u6c42\u5176\u6b21\u7684\u4e00\u4e2a\u65b9\u5f0f\u662f\u8bbe\u7f6e\u4e00\u4e2a local proxy\uff08\u672c\u5730\u4ee3\u7406\uff09\uff0c\u4e3b\u534f\u8bae\u4e0e\u8fd9\u4e2a proxy \u901a\u4fe1 \uff0c\u540e\u8005\u6765\u5b8c\u6210 NAT \u7a7f\u900f\uff0c\u5c06\u5305\u4e2d\u7ee7\uff08relay\uff09\u7ed9\u5bf9\u7aef\u3002\u8fd9\u79cd\u65b9\u5f0f\u589e\u52a0\u4e86\u4e00\u4e2a\u989d\u5916\u7684\u95f4\u63a5\u5c42 \uff0c\u4f46\u597d\u5904\u662f\uff1a<\/p>\n<ol>\n<li>\u4ecd\u7136\u80fd\u83b7\u5f97 NAT \u7a7f\u900f\uff0c<\/li>\n<li><strong><mark>\u4e0d\u9700\u8981\u5bf9\u5df2\u6709\u7684\u5e94\u7528\u7a0b\u5e8f\u505a\u4efb\u4f55\u6539\u52a8<\/mark><\/strong>\u3002<\/li>\n<\/ol>\n<h2 id=\"14-\u6311\u6218\u6709\u72b6\u6001\u9632\u706b\u5899\u548c-nat-\u8bbe\u5907\">1.4 \u6311\u6218\uff1a\u6709\u72b6\u6001\u9632\u706b\u5899\u548c NAT \u8bbe\u5907<\/h2>\n<p>\u6709\u4e86\u4ee5\u4e0a\u94fa\u57ab\uff0c\u4e0b\u9762\u5c31\u4ece\u6700\u57fa\u672c\u7684\u539f\u5219\u5f00\u59cb\uff0c\u4e00\u6b65\u6b65\u770b\u5982\u4f55\u5b9e\u73b0\u4e00\u4e2a\u4f01\u4e1a\u7ea7\u7684 NAT \u7a7f\u900f\u65b9\u6848\u3002<\/p>\n<p>\u6211\u4eec\u7684<strong><mark>\u76ee\u6807<\/mark><\/strong>\u662f\uff1a<strong><mark>\u5728\u4e24\u4e2a\u8bbe\u5907\u4e4b\u95f4\u901a\u8fc7 UDP \u5b9e\u73b0\u53cc\u5411\u901a\u4fe1<\/mark><\/strong>\uff0c \u6709\u4e86\u8fd9\u4e2a\u57fa\u7840\uff0c\u4e0a\u5c42\u7684\u5176\u4ed6\u534f\u8bae\uff08WireGuard, QUIC, WebRTC 
\u7b49\uff09\u5c31\u80fd\u505a\u4e00\u4e9b\u66f4\u9177\u7684\u4e8b\u60c5\u3002<\/p>\n<p>\u4f46\u5373\u4fbf\u8fd9\u4e2a\u770b\u4f3c\u6700\u57fa\u672c\u7684\u529f\u80fd\uff0c\u5728\u5b9e\u73b0\u4e0a\u4e5f\u8981\u89e3\u51b3<strong><mark>\u4e24\u4e2a\u969c\u788d<\/mark><\/strong>\uff1a<\/p>\n<ol>\n<li>\u6709\u72b6\u6001\u9632\u706b\u5899<\/li>\n<li>NAT \u8bbe\u5907<\/li>\n<\/ol>\n<h1 id=\"2-\u7a7f\u900f\u9632\u706b\u5899\">2 \u7a7f\u900f\u9632\u706b\u5899<\/h1>\n<p>\u6709\u72b6\u6001\u9632\u706b\u5899\u662f\u4ee5\u4e0a\u4e24\u4e2a\u95ee\u9898\u4e2d\u76f8\u5bf9\u6bd4\u8f83\u5bb9\u6613\u89e3\u51b3\u7684\u3002\u5b9e\u9645\u4e0a\uff0c<strong><mark>\u5927\u90e8\u5206 NAT \u8bbe\u5907\u90fd\u81ea\u5e26\u4e86\u4e00\u4e2a\u6709\u72b6\u6001\u9632\u706b\u5899<\/mark><\/strong>\uff0c \u56e0\u6b64\u8981\u89e3\u51b3\u7b2c\u4e8c\u4e2a\u95ee\u9898\uff0c\u5fc5\u987b\u5148\u89e3\u51b3\u6709\u7b2c\u4e00\u4e2a\u95ee\u9898\u3002<\/p>\n<p>\u6709\u72b6\u6001\u9632\u706b\u5899\u5177\u4f53\u6709\u5f88\u591a\u79cd\u7c7b\u578b\uff0c\u6709\u4e9b\u4f60\u53ef\u80fd\u89c1\u8fc7\uff1a<\/p>\n<ul>\n<li>Windows Defender firewall<\/li>\n<li>Ubuntu\u2019s ufw (using iptables\/nftables)<\/li>\n<li>BSD\/macOS\u00a0<code class=\"language-plaintext highlighter-rouge\">pf<\/code><\/li>\n<li>AWS Security Groups\uff08<strong><mark>\u5b89\u5168\u7ec4<\/mark><\/strong>\uff09<\/li>\n<\/ul>\n<h2 id=\"21-\u6709\u72b6\u6001\u9632\u706b\u5899\">2.1 \u6709\u72b6\u6001\u9632\u706b\u5899<\/h2>\n<h3 id=\"211-\u9ed8\u8ba4\u884c\u4e3a\u7b56\u7565\">2.1.1 \u9ed8\u8ba4\u884c\u4e3a\uff08\u7b56\u7565\uff09<\/h3>\n<p>\u4ee5\u4e0a\u9632\u706b\u5899\u7684\u914d\u7f6e\u90fd\u662f\u5f88\u7075\u6d3b\u7684\uff0c\u4f46\u5927\u90e8\u5206\u914d\u7f6e\u9ed8\u8ba4\u90fd\u662f\u5982\u4e0b\u884c\u4e3a\uff1a<\/p>\n<ol>\n<li><strong><mark>\u5141\u8bb8\u6240\u6709\u51fa\u5411\u8fde\u63a5<\/mark><\/strong>\uff08allows all \u201coutbound\u201d 
connections\uff09<\/li>\n<li><strong><mark>\u7981\u6b62\u6240\u6709\u5165\u5411\u8fde\u63a5<\/mark><\/strong>\uff08blocks all \u201cinbound\u201d connections\uff09<\/li>\n<\/ol>\n<p>\u53ef\u80fd\u6709\u5c11\u91cf\u4f8b\u5916\u89c4\u5219\uff0c\u4f8b\u5982 allowing inbound SSH\u3002<\/p>\n<h3 id=\"212-\u5982\u4f55\u533a\u5206\u5165\u5411\u548c\u51fa\u5411\u5305\">2.1.2 \u5982\u4f55\u533a\u5206\u5165\u5411\u548c\u51fa\u5411\u5305<\/h3>\n<p>\u8fde\u63a5\uff08connection\uff09\u548c\u65b9\u5411\uff08direction\uff09\u90fd\u662f\u534f\u8bae\u8bbe\u8ba1\u8005\u5934\u8111\u4e2d\u7684\u6982\u5ff5\uff0c\u5230\u4e86\u00a0<strong><mark>\u7269\u7406\u4f20\u8f93\u5c42\uff0c\u6bcf\u4e2a\u8fde\u63a5\u90fd\u662f\u53cc\u5411\u7684<\/mark><\/strong>\uff1b\u5141\u8bb8\u6240\u6709\u7684\u5305\u53cc\u5411\u4f20\u8f93\u3002 \u90a3<strong><mark>\u9632\u706b\u5899\u662f\u5982\u4f55\u533a\u5206\u54ea\u4e9b\u662f\u5165\u5411\u5305\u3001\u54ea\u4e9b\u662f\u51fa\u5411\u5305\u7684\u5462<\/mark><\/strong>\uff1f \u8fd9\u5c31\u8981\u56de\u5230<strong><mark>\u201c\u6709\u72b6\u6001\u201d\uff08stateful\uff09<\/mark><\/strong>\u8fd9\u4e09\u4e2a\u5b57\u4e86\uff1a\u6709\u72b6\u6001\u9632\u706b\u5899\u4f1a\u8bb0\u5f55\u5b83 \u770b\u5230\u7684\u6bcf\u4e2a\u5305\uff0c\u5f53\u6536\u5230\u4e0b\u4e00\u4e2a\u5305\u65f6\uff0c\u4f1a\u5229\u7528\u8fd9\u4e9b\u4fe1\u606f\uff08\u72b6\u6001\uff09\u6765\u5224\u65ad\u5e94\u8be5\u505a\u4ec0\u4e48\u3002<\/p>\n<p>\u5bf9 UDP \u6765\u8bf4\uff0c\u89c4\u5219\u5f88\u7b80\u5355\uff1a\u5982\u679c\u9632\u706b\u5899\u4e4b\u524d\u770b\u5230\u8fc7\u4e00\u4e2a\u51fa\u5411\u5305\uff08outbound\uff09\uff0c\u5c31\u4f1a\u5141\u8bb8 \u76f8\u5e94\u7684\u5165\u5411\u5305\uff08inbound\uff09\u901a\u8fc7\uff0c\u4ee5\u4e0b\u56fe\u4e3a\u4f8b\uff1a<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-firewalls-1a\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-firewalls-1a.png\" width=\"1472\" 
height=\"660\"><\/p>\n<p>\u7b14\u8bb0\u672c\u7535\u8111\u4e2d\u81ea\u5e26\u4e86\u4e00\u4e2a\u9632\u706b\u5899\uff0c\u5f53\u8be5\u9632\u706b\u5899\u770b\u5230\u4ece\u8fd9\u53f0\u673a\u5668\u51fa\u53bb\u7684\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:1234 -&gt; 5.5.5.5:5678<\/code>\u00a0\u5305\u65f6\uff0c\u5c31\u4f1a\u8bb0\u5f55\u4e00\u4e0b\uff1a<code class=\"language-plaintext highlighter-rouge\">5.5.5.5:5678 -&gt; 2.2.2.2:1234<\/code>\u00a0\u5165\u5411\u5305\u5e94\u8be5\u653e\u884c\u3002\u00a0<strong><mark>\u8fd9\u91cc\u7684\u903b\u8f91<\/mark><\/strong>\u662f\uff1a\u6211\u4eec\u4fe1\u4efb\u7684\u4e16\u754c\uff08\u5373\u7b14\u8bb0\u672c\uff09\u60f3\u4e3b\u52a8\u4e0e\u00a0<code class=\"language-plaintext highlighter-rouge\">5.5.5.5:5678<\/code>\u00a0\u901a\u4fe1\uff0c\u56e0\u6b64\u5e94\u8be5\u653e\u884c\uff08allow\uff09\u5176\u56de\u5305\u8def\u5f84\u3002<\/p>\n<blockquote><p>\u67d0\u4e9b<strong><mark>\u975e\u5e38<\/mark><\/strong>\u5bbd\u677e\u7684\u9632\u706b\u5899\u53ea\u8981\u770b\u5230\u6709\u4ece\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:1234<\/code>\u00a0\u51fa\u53bb\u7684\u5305\uff0c\u5c31 \u4f1a\u5141\u8bb8\u6240\u6709\u4ece\u5916\u90e8\u8fdb\u5165\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:1234<\/code>\u00a0\u7684\u6d41\u91cf\u3002\u8fd9\u79cd\u9632\u706b\u5899\u5bf9\u6211\u4eec\u7684 NAT \u7a7f\u900f\u6765\u8bf4\u975e \u5e38\u53cb\u597d\uff0c\u4f46\u5df2\u7ecf\u8d8a\u6765\u8d8a\u5c11\u89c1\u4e86\u3002<\/p><\/blockquote>\n<h2 id=\"22-\u9632\u706b\u5899\u671d\u5411face-off\u4e0e\u7a7f\u900f\u65b9\u6848\">2.2 \u9632\u706b\u5899\u671d\u5411\uff08face-off\uff09\u4e0e\u7a7f\u900f\u65b9\u6848<\/h2>\n<h3 id=\"221-\u9632\u706b\u5899\u671d\u5411\u76f8\u540c\">2.2.1 \u9632\u706b\u5899\u671d\u5411\u76f8\u540c<\/h3>\n<h4 id=\"\u573a\u666f\u7279\u70b9\u670d\u52a1\u7aef-ip-\u53ef\u76f4\u63a5\u8bbf\u95ee\">\u573a\u666f\u7279\u70b9\uff1a\u670d\u52a1\u7aef IP 
\u53ef\u76f4\u63a5\u8bbf\u95ee<\/h4>\n<p>\u5728 NAT \u7a7f\u900f\u573a\u666f\u4e2d\uff0c\u4ee5\u4e0a\u9ed8\u8ba4\u89c4\u5219\u5bf9 UDP \u6d41\u91cf\u7684\u5f71\u54cd\u4e0d\u5927 \u2014\u2014 \u53ea\u8981<strong><mark>\u8def\u5f84\u4e0a\u6240\u6709\u9632\u706b\u5899\u7684\u201c\u671d\u5411\u201d\u662f\u4e00\u6837\u7684<\/mark><\/strong>\u3002 \u4e00\u822c\u6765\u8bf4\uff0c\u4ece\u5185\u7f51\u8bbf\u95ee\u516c\u7f51\u4e0a\u7684\u67d0\u4e2a\u670d\u52a1\u5668\u90fd\u5c5e\u4e8e\u8fd9\u79cd\u60c5\u51b5\u3002<\/p>\n<p>\u6211\u4eec\u552f\u4e00\u7684\u8981\u6c42\u662f\uff1a<strong><mark>\u8fde\u63a5\u5fc5\u987b\u662f\u7531\u9632\u706b\u5899\u540e\u9762\u7684\u673a\u5668\u53d1\u8d77\u7684<\/mark><\/strong>\u3002\u8fd9\u662f\u56e0\u4e3a \u5728\u5b83\u4e3b\u52a8\u548c\u522b\u4eba\u901a\u4fe1\u4e4b\u524d\uff0c\u6ca1\u4eba\u80fd\u4e3b\u52a8\u548c\u5b83\u901a\u4fe1\uff0c\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n<h4 id=\"\u7a7f\u900f\u65b9\u6848\u5ba2\u6237\u7aef\u76f4\u8fde\u670d\u52a1\u7aef\u6216-hub-and-spoke-\u62d3\u6251\">\u7a7f\u900f\u65b9\u6848\uff1a\u5ba2\u6237\u7aef\u76f4\u8fde\u670d\u52a1\u7aef\uff0c\u6216 hub-and-spoke \u62d3\u6251<\/h4>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-firewalls-2\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-firewalls-2.png\" width=\"1971\" height=\"654\"><\/p>\n<p>\u4f46\u4e0a\u56fe\u662f<strong><mark>\u5047\u8bbe\u4e86<\/mark><\/strong>\u901a\u4fe1\u53cc\u65b9\u4e2d\uff0c\u5176\u4e2d\u4e00\u7aef<strong><mark>\uff08\u670d\u52a1\u7aef\uff09\u662f\u80fd\u76f4\u63a5\u8bbf\u95ee\u5230\u7684<\/mark><\/strong>\u3002 \u5728 VPN \u573a\u666f\u4e2d\uff0c\u8fd9\u5c31\u5f62\u6210\u4e86\u6240\u8c13\u7684\u00a0<strong><mark>hub-and-spoke \u62d3\u6251<\/mark><\/strong>\uff1a\u4e2d\u5fc3\u7684 hub \u6ca1\u6709\u4efb\u4f55\u9632\u706b\u5899\u7b56\u7565\uff0c\u8c01\u90fd\u80fd\u8bbf\u95ee\u5230\uff1b \u9632\u706b\u5899\u540e\u9762\u7684 spokes \u8fde\u63a5\u5230 
hub\u3002\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-firewalls-3\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-firewalls-3.png\" width=\"2083\" height=\"970\"><\/p>\n<h3 id=\"222-\u9632\u706b\u5899\u671d\u5411\u4e0d\u540c\">2.2.2 \u9632\u706b\u5899\u671d\u5411\u4e0d\u540c<\/h3>\n<h4 id=\"\u573a\u666f\u7279\u70b9\u670d\u52a1\u7aef-ip-\u4e0d\u53ef\u76f4\u63a5\u8bbf\u95ee\">\u573a\u666f\u7279\u70b9\uff1a\u670d\u52a1\u7aef IP \u4e0d\u53ef\u76f4\u63a5\u8bbf\u95ee<\/h4>\n<p>\u4f46\u5982\u679c\u4e24\u4e2a\u201c\u5ba2\u6237\u7aef\u201d\u60f3\u76f4\u8fde\uff0c\u4ee5\u4e0a\u65b9\u5f0f\u5c31\u4e0d\u884c\u4e86\uff0c\u6b64\u65f6\u4e24\u8fb9\u7684\u9632\u706b\u5899\u76f8\u5411\u800c\u7acb\uff0c\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-firewalls-4\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-firewalls-4.png\" width=\"1607\" height=\"452\"><\/p>\n<p>\u6839\u636e\u524d\u9762\u7684\u8ba8\u8bba\uff0c\u8fd9\u79cd\u60c5\u51b5\u610f\u5473\u7740\uff1a<strong><mark>\u4e24\u8fb9\u8981\u540c\u65f6\u53d1\u8d77\u8fde\u63a5\u8bf7\u6c42<\/mark><\/strong>\uff0c\u4f46\u4e5f\u610f\u5473\u7740 \u4e24\u8fb9\u90fd\u65e0\u6cd5\u53d1\u8d77\u6709\u6548\u8bf7\u6c42\uff0c\u56e0\u4e3a\u5bf9\u65b9\u5148\u53d1\u8d77\u8bf7\u6c42\u624d\u80fd\u5728\u5b83\u7684\u9632\u706b\u5899\u4e0a\u6253\u5f00\u4e00\u6761\u7f1d\u8ba9\u6211\u4eec\u8fdb\u53bb\uff01 \u5982\u4f55\u7834\u89e3\u8fd9\u4e2a\u95ee\u9898\u5462\uff1f\u4e00\u79cd\u65b9\u5f0f\u662f<strong><mark>\u8ba9\u7528\u6237\u91cd\u65b0\u914d\u7f6e\u4e00\u8fb9\u6216\u4e24\u8fb9\u7684\u9632\u706b\u5899\uff0c\u6253\u5f00\u4e00\u4e2a\u7aef\u53e3<\/mark><\/strong>\uff0c \u5141\u8bb8\u5bf9\u65b9\u7684\u6d41\u91cf\u8fdb\u6765\u3002<\/p>\n<ol>\n<li>\u8fd9\u663e\u7136\u5bf9\u7528\u6237\u4e0d\u53cb\u597d\uff0c\u5728\u50cf Tailscale \u8fd9\u6837\u7684 mesh 
\u7f51\u7edc\u4e2d\u7684\u6269\u5c55\u6027\u4e5f\u4e0d\u597d\uff0c\u5728 mesh \u7f51\u7edc\u4e2d\uff0c\u6211\u4eec\u5047\u8bbe\u5bf9\u7aef\u4f1a\u4ee5\u4e00\u5b9a\u7684\u7c92\u5ea6\u5728\u516c\u7f51\u4e0a\u79fb\u52a8\u3002<\/li>\n<li>\u6b64\u5916\uff0c\u5728\u5f88\u591a\u60c5\u51b5\u4e0b\u7528\u6237\u4e5f\u6ca1\u6709\u9632\u706b\u5899\u7684\u63a7\u5236\u6743\u9650\uff1a\u4f8b\u5982\u5728\u5496\u5561\u9986\u6216\u673a\u573a\u4e2d\uff0c\u8fde\u63a5\u7684\u8def \u7531\u5668\u662f\u4e0d\u53d7\u4f60\u63a7\u5236\u7684\uff08\u5426\u5219\u4f60\u53ef\u80fd\u5c31\u6709\u9ebb\u70e6\u4e86\uff09\u3002<\/li>\n<\/ol>\n<p>\u56e0\u6b64\uff0c\u6211\u4eec\u9700\u8981\u5bfb\u627e\u4e00\u79cd\u4e0d\u7528\u91cd\u65b0\u914d\u7f6e\u9632\u706b\u5899\u7684\u65b9\u5f0f\u3002<\/p>\n<h4 id=\"\u7a7f\u900f\u65b9\u6848\u4e24\u8fb9\u540c\u65f6\u4e3b\u52a8\u5efa\u8fde\u5728\u672c\u5730\u9632\u706b\u5899\u4e3a\u5bf9\u65b9\u6253\u5f00\u4e00\u4e2a\u6d1e\">\u7a7f\u900f\u65b9\u6848\uff1a\u4e24\u8fb9\u540c\u65f6\u4e3b\u52a8\u5efa\u8fde\uff0c\u5728\u672c\u5730\u9632\u706b\u5899\u4e3a\u5bf9\u65b9\u6253\u5f00\u4e00\u4e2a\u6d1e<\/h4>\n<p>\u89e3\u51b3\u7684\u601d\u8def\u8fd8\u662f\u5148\u91cd\u65b0\u5ba1\u89c6\u524d\u9762\u63d0\u5230\u7684\u6709\u72b6\u6001\u9632\u706b\u5899\u89c4\u5219\uff1a<\/p>\n<ul>\n<li>\u5bf9\u4e8e UDP\uff0c\u5176\u89c4\u5219\uff08\u903b\u8f91\uff09\u662f\uff1a<strong><mark>\u5305\u5fc5\u987b\u5148\u51fa\u53bb\u624d\u80fd\u8fdb\u6765<\/mark><\/strong>\uff08packets must flow out before packets can flow back in\uff09\u3002<\/li>\n<li>\u6ce8\u610f\uff0c\u8fd9\u91cc\u9664\u4e86\u8981\u6ee1\u8db3\u5305\u7684 IP \u548c\u7aef\u53e3\u8981\u5339\u914d\u8fd9\u4e00\u6761\u4ef6\u4e4b\u5916\uff0c<strong><mark>\u5e76\u6ca1\u6709\u8981\u6c42\u5305\u5fc5\u987b\u662f\u76f8\u5173\u7684<\/mark><\/strong>\uff08related\uff09\u3002 
\u6362\u53e5\u8bdd\u8bf4\uff0c\u53ea\u8981\u67d0\u4e9b\u5305\u5e26\u7740\u6b63\u786e\u7684\u6e90\u548c\u76ee\u7684\u5730\u5740\u51fa\u53bb\u4e86\uff0c<strong><mark>\u4efb\u4f55\u770b\u8d77\u6765\u50cf\u662f\u54cd\u5e94\u7684\u5305\u90fd\u4f1a\u88ab\u9632\u706b\u5899\u653e\u8fdb\u6765<\/mark><\/strong>\u00a0\u2014\u2014 \u5373\u4f7f\u5bf9\u7aef\u6839\u672c\u6ca1\u6536\u5230\u4f60\u53d1\u51fa\u53bb\u7684\u5305\u3002<\/li>\n<\/ul>\n<p>\u56e0\u6b64\uff0c\u8981\u7a7f\u900f\u8fd9\u4e9b\u6709\u72b6\u6001\u9632\u706b\u5899\uff0c\u6211\u4eec\u53ea\u9700\u8981<strong><mark>\u5171\u4eab\u4e00\u4e9b\u4fe1\u606f\uff1a\u8ba9\u4e24\u7aef\u63d0\u524d\u77e5\u9053\u5bf9\u65b9\u4f7f\u7528\u7684 ip:port<\/mark><\/strong>\uff1a<\/p>\n<ul>\n<li>\u624b\u52a8\u9759\u6001\u914d\u7f6e\u662f\u4e00\u79cd\u65b9\u5f0f\uff0c\u4f46\u663e\u7136\u6269\u5c55\u6027\u4e0d\u597d\uff1b<\/li>\n<li>\u6211\u4eec\u5f00\u53d1\u4e86\u4e00\u4e2a\u00a0<a href=\"https:\/\/tailscale.com\/blog\/how-tailscale-works\/#the-control-plane-key-exchange-and-coordination\">coordination server<\/a>\uff0c \u4ee5\u7075\u6d3b\u3001\u5b89\u5168\u7684\u65b9\u5f0f\u6765\u540c\u6b65\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0\u4fe1\u606f\u3002<\/li>\n<\/ul>\n<p>\u6709\u4e86\u5bf9\u65b9\u7684\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0\u4fe1\u606f\u4e4b\u540e\uff0c\u4e24\u7aef\u5f00\u59cb\u7ed9\u5bf9\u65b9\u53d1\u9001 UDP \u5305\u3002\u5728\u8fd9\u4e2a\u8fc7\u7a0b\u4e2d\uff0c\u6211\u4eec\u9884 \u6599\u5230\u67d0\u4e9b\u5305\u5c06\u4f1a\u88ab\u4e22\u5f03\u3002\u56e0\u6b64\uff0c\u53cc\u65b9<strong><mark>\u5fc5\u987b\u8981\u63a5\u53d7\u67d0\u4e9b\u5305\u4f1a\u4e22\u5931\u7684\u4e8b\u5b9e<\/mark><\/strong>\uff0c \u56e0\u6b64\u5982\u679c\u662f\u91cd\u8981\u4fe1\u606f\uff0c\u4f60\u5fc5\u987b\u81ea\u5df1\u51c6\u5907\u597d\u91cd\u4f20\u3002\u5bf9 UDP 
\u6765\u8bf4\u4e22\u5305\u662f\u53ef\u63a5\u53d7\u7684\uff0c\u4f46\u8fd9\u91cc\u5c24\u5176\u9700\u8981\u63a5\u53d7\u3002<\/p>\n<p>\u6765\u770b\u4e00\u4e0b\u5177\u4f53\u5efa\u8fde\uff08\u7a7f\u900f\uff09\u8fc7\u7a0b\uff1a<\/p>\n<ol>\n<li>\u5982\u56fe\u6240\u793a\uff0c\u7b14\u8bb0\u672c\u51fa\u53bb\u7684\u7b2c\u4e00\u5305\uff0c<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:1234 -&gt; 7.7.7.7:5678<\/code>\uff0c\u7a7f\u8fc7 Windows Defender \u9632\u706b\u5899\u8fdb\u5165\u5230\u516c\u7f51\u3002\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-firewalls-5a\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-firewalls-5a.png\" width=\"1618\" height=\"554\"><\/p>\n<p>\u5bf9\u65b9\u7684\u9632\u706b\u5899\u4f1a\u5c06\u8fd9\u4e2a\u5305\u62e6\u622a\u6389\uff0c\u56e0\u4e3a\u5b83\u6ca1\u6709\u00a0<code class=\"language-plaintext highlighter-rouge\">7.7.7.7:5678 -&gt; 2.2.2.2:1234<\/code>\u00a0\u7684\u6d41\u91cf\u8bb0\u5f55\u3002 \u4f46\u53e6\u4e00\u65b9\u9762\uff0cWindows Defender \u6b64\u65f6\u5df2\u7ecf\u8bb0\u5f55\u4e86\u51fa\u5411\u8fde\u63a5\uff0c\u56e0\u6b64\u4f1a\u5141\u8bb8\u00a0<code class=\"language-plaintext highlighter-rouge\">7.7.7.7:5678 -&gt; 2.2.2.2:1234<\/code>\u00a0\u7684\u5e94\u7b54\u5305\u8fdb\u6765\u3002<\/li>\n<li>\u63a5\u7740\uff0c\u7b2c\u4e00\u4e2a\u00a0<code class=\"language-plaintext highlighter-rouge\">7.7.7.7:5678 -&gt; 2.2.2.2:1234<\/code>\u00a0\u7a7f\u8fc7\u5b83\u81ea\u5df1\u7684\u9632\u706b\u5899\u5230\u8fbe\u516c\u7f51\u3002\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-firewalls-5b\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-firewalls-5b.png\" width=\"1622\" height=\"565\"><\/p>\n<p>\u5230\u8fbe\u5ba2\u6237\u7aef\u4fa7\u65f6\uff0cWindows 
Defender\u00a0<strong><mark>\u8ba4\u4e3a\u8fd9\u662f\u521a\u624d\u51fa\u5411\u5305\u7684\u5e94\u7b54\u5305\uff0c\u56e0\u6b64\u5c31\u653e\u884c\u5b83\u8fdb\u5165\u4e86\uff01<\/mark><\/strong>\u00a0\u6b64\u5916\uff0c\u53f3\u4fa7\u7684\u9632\u706b\u5899\u6b64\u65f6\u4e5f\u8bb0\u5f55\u4e86\uff1a<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:1234 -&gt; 7.7.7.7:5678<\/code>\u00a0\u7684\u5305\u5e94\u8be5\u653e\u884c\u3002<\/li>\n<li>\u7b14\u8bb0\u672c\u6536\u5230\u670d\u52a1\u5668\u53d1\u6765\u7684\u5305\u4e4b\u540e\uff0c\u53d1\u9001\u4e00\u4e2a\u5305\u4f5c\u4e3a\u5e94\u7b54\u3002\u8fd9\u4e2a\u5305\u7a7f\u8fc7 Windows Defender \u9632\u706b\u5899 \u548c\u670d\u52a1\u7aef\u9632\u706b\u5899\uff08\u56e0\u4e3a\u8fd9\u662f\u5bf9\u670d\u52a1\u7aef\u53d1\u9001\u7684\u5305\u7684\u5e94\u7b54\u5305\uff09\uff0c\u8fbe\u5230\u670d\u52a1\u7aef\u3002\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-firewalls-5c\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-firewalls-5c.png\" width=\"1609\" height=\"562\"><\/p>\n<\/li>\n<\/ol>\n<p>\u6210\u529f\uff01\u8fd9\u6837\u6211\u4eec\u5c31\u5efa\u7acb\u4e86\u4e00\u4e2a<strong><mark>\u7a7f\u900f\u4e24\u4e2a\u76f8\u5411\u9632\u706b\u5899<\/mark><\/strong>\u7684\u53cc\u5411\u901a\u4fe1\u8fde\u63a5\u3002 \u800c\u521d\u770b\u4e4b\u4e0b\uff0c\u8fd9\u9879\u4efb\u52a1\u4f3c\u4e4e\u662f\u4e0d\u53ef\u80fd\u5b8c\u6210\u7684\u3002<\/p>\n<h2 id=\"23-\u5173\u4e8e\u7a7f\u900f\u9632\u706b\u5899\u7684\u4e00\u4e9b\u601d\u8003\">2.3 \u5173\u4e8e\u7a7f\u900f\u9632\u706b\u5899\u7684\u4e00\u4e9b\u601d\u8003<\/h2>\n<p>\u7a7f\u900f\u9632\u706b\u5899\u5e76\u975e\u6c38\u8fdc\u8fd9\u4e48\u8f7b\u677e\uff0c\u6709\u65f6\u4f1a\u53d7\u4e00\u4e9b\u7b2c\u4e09\u65b9\u7cfb\u7edf\u7684\u95f4\u63a5\u5f71\u54cd\uff0c\u9700\u8981\u4ed4\u7ec6\u5904\u7406\u3002 
\u90a3\u7a7f\u900f\u9632\u706b\u5899\u9700\u8981\u6ce8\u610f\u4ec0\u4e48\u5462\uff1f\u91cd\u8981\u7684\u4e00\u70b9\u662f\uff1a<strong><mark>\u901a\u4fe1\u53cc\u65b9\u5fc5\u987b\u51e0\u4e4e\u540c\u65f6\u53d1\u8d77\u901a\u4fe1<\/mark><\/strong>\uff0c \u8fd9\u6837\u624d\u80fd\u5728\u8def\u5f84\u4e0a\u7684\u9632\u706b\u5899\u6253\u5f00\u4e00\u6761\u7f1d\uff0c\u800c\u4e14\u4e24\u7aef\u8fd8\u90fd\u662f\u6d3b\u7740\u7684\u3002<\/p>\n<h3 id=\"231-\u53cc\u5411\u4e3b\u52a8\u5efa\u8fde\u65c1\u8def\u4fe1\u9053\">2.3.1 \u53cc\u5411\u4e3b\u52a8\u5efa\u8fde\uff1a\u65c1\u8def\u4fe1\u9053<\/h3>\n<p>\u5982\u4f55\u5b9e\u73b0\u201c\u540c\u65f6\u201d\u5462\uff1f\u4e00\u79cd\u65b9\u5f0f\u662f\u4e24\u7aef\u4e0d\u65ad\u91cd\u8bd5\uff0c\u4f46\u663e\u7136\u8fd9\u79cd\u65b9\u5f0f\u5f88\u6d6a\u8d39\u8d44\u6e90\u3002\u5047\u5982\u53cc\u65b9\u90fd \u77e5\u9053\u4f55\u65f6\u5f00\u59cb\u5efa\u8fde\u5c31\u597d\u4e86\u3002<\/p>\n<ul>\n<li>\u8fd9\u542c\u4e0a\u53bb\u662f<strong><mark>\u9e21\u751f\u86cb\u86cb\u751f\u9e21\u7684\u95ee\u9898<\/mark><\/strong>\u4e86\uff1a<strong><mark>\u53cc\u65b9\u60f3\u8981\u901a\u4fe1\uff0c\u5fc5\u987b\u5148\u63d0\u524d\u901a\u4e2a\u4fe1<\/mark><\/strong>\u3002<\/li>\n<li>\u4f46\u5b9e\u9645\u4e0a\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7<strong><mark>\u65c1\u8def\u4fe1\u9053<\/mark><\/strong>\uff08side channel\uff09\u6765\u8fbe\u5230\u8fd9\u4e2a\u76ee\u7684 \uff0c\u5e76\u4e14\u8fd9\u4e2a\u65c1\u8def\u4fe1\u9053\u5e76\u4e0d\u9700\u8981\u5f88 fancy\uff1a\u5b83\u53ef\u4ee5\u6709\u51e0\u79d2\u949f\u7684\u5ef6\u8fdf\u3001\u53ea\u9700\u8981\u4f20\u9001\u51e0 KB \u7684 \u4fe1\u606f\uff0c\u56e0\u6b64\u5373\u4f7f\u662f\u4e00\u4e2a\u914d\u7f6e\u975e\u5e38\u4f4e\u7684\u865a\u62df\u673a\uff0c\u4e5f\u80fd\u4e3a\u51e0\u5343\u53f0\u673a\u5668\u63d0\u4f9b\u8fd9\u6837\u7684\u65c1\u8def\u901a\u4fe1\u670d\u52a1\u3002\n<ul>\n<li>\u5728\u9065\u8fdc\u7684\u8fc7\u53bb\uff0c\u6211\u66fe\u7528 XMPP 
\u804a\u5929\u6d88\u606f\u4f5c\u4e3a\u65c1\u8def\uff0c\u6548\u679c\u975e\u5e38\u4e0d\u9519\u3002<\/li>\n<li>\u53e6\u4e00\u4e2a\u4f8b\u5b50\u662f WebRTC\uff0c\u5b83\u9700\u8981\u4f60\u63d0\u4f9b\u4e00\u4e2a\u81ea\u5df1\u7684\u201c\u4fe1\u4ee4\u4fe1\u9053\u201d\uff08signalling channel\uff0c \u8fd9\u4e2a\u8bcd\u4e5f\u6697\u793a\u4e86 WebRTC \u7684 IP telephony ancestry\uff09\uff0c\u5e76\u5c06\u5176\u914d\u7f6e\u5230 WebRTC API\u3002<\/li>\n<li>\u5728 Tailscale\uff0c\u6211\u4eec\u7684\u534f\u8c03\u670d\u52a1\u5668\uff08coordination server\uff09\u548c DERP (Detour Encrypted Routing Protocol) \u670d\u52a1\u5668\u96c6\u7fa4\u662f\u6211\u4eec\u7684\u65c1\u8def\u4fe1\u9053\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 id=\"232-\u975e\u6d3b\u8dc3\u8fde\u63a5\u88ab\u9632\u706b\u5899\u6e05\u7406\">2.3.2 \u975e\u6d3b\u8dc3\u8fde\u63a5\u88ab\u9632\u706b\u5899\u6e05\u7406<\/h3>\n<p>\u6709\u72b6\u6001\u9632\u706b\u5899\u5185\u5b58\u901a\u5e38\u6bd4\u8f83\u6709\u9650\uff0c\u56e0\u6b64\u4f1a\u5b9a\u671f\u6e05\u7406\u4e0d\u6d3b\u8dc3\u7684\u8fde\u63a5\uff08UDP \u5e38\u89c1\u7684\u662f 30s\uff09\uff0c \u56e0\u6b64\u8981\u4fdd\u6301\u8fde\u63a5 alive \u7684\u8bdd\u9700\u8981\u5b9a\u671f\u901a\u4fe1\uff0c\u5426\u5219\u5c31\u4f1a\u88ab\u9632\u706b\u5899\u5173\u95ed\uff0c\u4e3a\u907f\u514d\u8fd9\u4e2a\u95ee\u9898\uff0c \u6211\u4eec\uff0c<\/p>\n<ol>\n<li>\u8981\u4e48\u5b9a\u671f\u5411\u5bf9\u65b9\u53d1\u5305\u6765 keepalive\uff0c<\/li>\n<li>\u8981\u4e48\u6709\u67d0\u79cd\u5e26\u5916\u65b9\u5f0f\u6765\u6309\u9700\u91cd\u5efa\u8fde\u63a5\u3002<\/li>\n<\/ol>\n<h3 id=\"233-\u95ee\u9898\u90fd\u89e3\u51b3\u4e86\u4e0d\u6311\u6218\u521a\u521a\u5f00\u59cb\">2.3.3 \u95ee\u9898\u90fd\u89e3\u51b3\u4e86\uff1f\u4e0d\uff0c\u6311\u6218\u521a\u521a\u5f00\u59cb<\/h3>\n<p>\u5bf9\u4e8e\u9632\u706b\u5899\u7a7f\u900f\u6765\u8bf4\uff0c \u6211\u4eec<strong><mark>\u5e76\u4e0d\u9700\u8981\u5173\u5fc3\u8def\u5f84\u4e0a\u6709\u51e0\u5835\u5899<\/mark><\/strong>\u00a0\u2014\u2014 
\u53ea\u8981\u5b83\u4eec\u662f\u6709\u72b6\u6001\u9632\u706b\u5899\u4e14\u5141\u8bb8\u51fa \u5411\u8fde\u63a5\uff0c\u8fd9\u79cd\u540c\u65f6\u53d1\u5305\uff08simultaneous transmission\uff09\u673a\u5236\u5c31\u80fd\u7a7f\u900f\u4efb\u610f\u591a\u5c42\u9632\u706b\u5899\u3002 \u8fd9\u4e00\u70b9\u5bf9\u6211\u4eec\u6765\u8bf4\u975e\u5e38\u53cb\u597d\uff0c\u56e0\u4e3a\u53ea\u9700\u8981\u5b9e\u73b0\u4e00\u4e2a\u903b\u8f91\uff0c\u7136\u540e\u80fd\u9002\u7528\u4e8e\u4efb\u4f55\u5730\u65b9\u4e86\u3002<\/p>\n<p>\u2026\u5bf9\u5417\uff1f<\/p>\n<p>\u5176\u5b9e\uff0c<strong><mark>\u4e0d\u5b8c\u5168\u5bf9<\/mark><\/strong>\u3002\u8fd9\u4e2a\u673a\u5236\u6709\u6548\u7684\u524d\u63d0\u662f\uff1a\u6211\u4eec\u80fd<strong><mark>\u63d0\u524d\u77e5\u9053\u5bf9\u65b9\u7684 ip:port<\/mark><\/strong>\u3002 \u800c\u8fd9\u5c31\u6d89\u53ca\u5230\u4e86\u6211\u4eec\u4eca\u5929\u7684\u4e3b\u9898\uff1aNAT\uff0c\u5b83\u4f1a\u4f7f\u524d\u9762\u6211\u4eec\u521a\u83b7\u5f97\u7684\u4e00\u70b9\u6ee1\u8db3\u611f\u987f\u65f6\u6d88\u5931\u3002<\/p>\n<p>\u4e0b\u9762\uff0c<strong><mark>\u8fdb\u5165\u672c\u6587\u6b63\u9898<\/mark><\/strong>\u3002<\/p>\n<h1 id=\"3-nat-\u7684\u672c\u8d28\">3 NAT \u7684\u672c\u8d28<\/h1>\n<h2 id=\"31-nat-\u8bbe\u5907\u4e0e\u6709\u72b6\u6001\u9632\u706b\u5899\">3.1 NAT \u8bbe\u5907\u4e0e\u6709\u72b6\u6001\u9632\u706b\u5899<\/h2>\n<p>\u53ef\u4ee5\u8ba4\u4e3a NAT \u8bbe\u5907\u662f\u4e00\u4e2a<strong><mark>\u589e\u5f3a\u7248\u7684\u6709\u72b6\u6001\u9632\u706b\u5899<\/mark><\/strong>\uff0c\u867d\u7136\u5b83\u7684\u589e\u5f3a\u529f\u80fd \u5bf9\u4e8e\u672c\u6587\u573a\u666f\u6765\u8bf4\u5e76\u4e0d\u53d7\u6b22\u8fce\uff1a\u9664\u4e86\u524d\u9762\u63d0\u5230\u7684\u6709\u72b6\u6001\u62e6\u622a\/\u653e\u884c\u529f\u80fd\u4e4b\u5916\uff0c\u5b83\u4eec\u8fd8\u4f1a\u5728\u6570\u636e\u5305\u7ecf\u8fc7\u65f6\u4fee\u6539\u8fd9\u4e9b\u5305\u3002<\/p>\n<h2 id=\"32-nat-\u7a7f\u900f\u4e0e-snatdnat\">3.2 NAT \u7a7f\u900f\u4e0e SNAT\/DNAT<\/h2>\n<p>\u5177\u4f53\u6765\u8bf4\uff0cNAT 
\u8bbe\u5907\u80fd\u5b8c\u6210\u67d0\u79cd\u7c7b\u578b\u7684\u7f51\u7edc\u5730\u5740\u8f6c\u6362\uff0c\u4f8b\u5982\uff0c\u66ff\u6362\u6e90\u6216\u76ee\u7684 IP \u5730\u5740\u6216\u7aef\u53e3\u3002<\/p>\n<ul>\n<li><strong><mark>\u8ba8\u8bba\u8fde\u63a5\u95ee\u9898\u548c NAT \u7a7f\u900f\u95ee\u9898\u65f6<\/mark><\/strong>\uff0c\u6211\u4eec<strong><mark>\u53ea\u4f1a\u53d7 source NAT \u2014\u2014 SNAT \u7684\u5f71\u54cd<\/mark><\/strong>\u3002<\/li>\n<li>DNAT \u4e0d\u4f1a\u5f71\u54cd NAT \u7a7f\u900f\u3002<\/li>\n<\/ul>\n<h2 id=\"33-snat-\u7684\u610f\u4e49\u89e3\u51b3-ipv4-\u5730\u5740\u77ed\u7f3a\u95ee\u9898\">3.3 SNAT \u7684\u610f\u4e49\uff1a\u89e3\u51b3 IPv4 \u5730\u5740\u77ed\u7f3a\u95ee\u9898<\/h2>\n<p>SNAT \u6700\u5e38\u89c1\u7684\u4f7f\u7528\u573a\u666f\u662f<strong><mark>\u5c06\u5f88\u591a\u8bbe\u5907\u8fde\u63a5\u5230\u516c\u7f51\uff0c\u800c\u53ea\u4f7f\u7528\u5c11\u6570\u51e0\u4e2a\u516c\u7f51 IP<\/mark><\/strong>\u3002 \u4f8b\u5982\u5bf9\u4e8e\u6d88\u8d39\u7ea7\u8def\u7531\u5668\uff0c\u4f1a\u5c06\u6240\u6709\u8bbe\u5907\u7684\uff08\u79c1\u6709\uff09 IP \u5730\u5740\u6620\u5c04\u4e3a<strong><mark>\u5355\u4e2a<\/mark><\/strong>\u8fde\u63a5\u5230\u516c\u7f51\u7684 IP \u5730\u5740\u3002<\/p>\n<p>\u8fd9\u79cd\u65b9\u5f0f\u5b58\u5728\u7684\u610f\u4e49\u662f\uff1a\u6211\u4eec\u6709\u8fdc\u591a\u4e8e\u53ef\u7528\u516c\u7f51 IP \u6570\u91cf\u7684\u8bbe\u5907\u9700\u8981\u8fde\u63a5\u5230\u516c\u7f51\uff0c\uff08\u81f3\u5c11 \u5bf9 IPv4 \u6765\u8bf4\u5982\u6b64\uff0cIPv6 \u7684\u60c5\u51b5\u540e\u9762\u4f1a\u8ba8\u8bba\uff09\u3002NAT \u4f7f\u591a\u4e2a\u8bbe\u5907\u80fd\u5171\u4eab\u540c\u4e00 IP \u5730\u5740\uff0c\u56e0 \u6b64\u5373\u4f7f\u9762\u4e34 IPv4 \u5730\u5740\u77ed\u7f3a\u7684\u95ee\u9898\uff0c\u6211\u4eec\u4ecd\u7136\u80fd\u4e0d\u65ad\u6269\u5f20\u4e92\u8054\u7f51\u7684\u89c4\u6a21\u3002<\/p>\n<h2 id=\"34-snat-\u8fc7\u7a0b\u4ee5\u5bb6\u7528\u8def\u7531\u5668\u4e3a\u4f8b\">3.4 SNAT 
\u8fc7\u7a0b\uff1a\u4ee5\u5bb6\u7528\u8def\u7531\u5668\u4e3a\u4f8b<\/h2>\n<p>\u5047\u8bbe\u4f60\u7684\u7b14\u8bb0\u672c\u8fde\u63a5\u5230\u5bb6\u91cc\u7684 WiFi\uff0c\u4e0b\u9762\u770b\u4e00\u4e0b\u5b83\u8fde\u63a5\u5230\u516c\u7f51\u67d0\u4e2a\u670d\u52a1\u5668\u65f6\u7684\u60c5\u5f62\uff1a<\/p>\n<ol>\n<li>\u7b14\u8bb0\u672c\u53d1\u9001 UDP packet\u00a0<code class=\"language-plaintext highlighter-rouge\">192.168.0.20:1234 -&gt; 7.7.7.7:5678<\/code>\u3002\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-overview-1\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-overview-1.png\" width=\"1874\" height=\"656\"><\/p>\n<p>\u8fd9\u4e00\u6b65\u5c31\u597d\u50cf\u7b14\u8bb0\u672c\u6709\u4e00\u4e2a\u516c\u7f51 IP \u4e00\u6837\uff0c\u4f46\u6e90\u5730\u5740\u00a0<code class=\"language-plaintext highlighter-rouge\">192.168.0.20<\/code>\u00a0\u662f\u79c1\u6709\u5730\u5740\uff0c \u53ea\u80fd\u51fa\u73b0\u5728\u79c1\u6709\u7f51\u7edc\uff0c\u516c\u7f51\u4e0d\u8ba4\uff0c\u6536\u5230\u8fd9\u6837\u7684\u5305\u65f6\u5b83\u4e0d\u77e5\u9053\u5982\u4f55\u5e94\u7b54\u3002<\/li>\n<li>\u5bb6\u7528\u8def\u7531\u5668\u51fa\u573a\uff0c\u6267\u884c SNAT\u3002\u5305\u7ecf\u8fc7\u8def\u7531\u5668\u65f6\uff0c\u8def\u7531\u5668\u53d1\u73b0\u8fd9\u662f\u4e00\u4e2a\u5b83\u6ca1\u6709\u89c1\u8fc7\u7684\u65b0\u4f1a\u8bdd\uff08session\uff09\u3002 \u5b83\u77e5\u9053\u00a0<code class=\"language-plaintext highlighter-rouge\">192.168.0.20<\/code>\u00a0\u662f\u79c1\u6709 IP\uff0c\u516c\u7f51\u65e0\u6cd5\u7ed9\u8fd9\u6837\u7684\u5730\u5740\u56de\u5305\uff0c\u4f46\u5b83\u6709\u529e\u6cd5\u89e3\u51b3\uff1a\n<ol>\n<li>\u5728\u5b83<strong><mark>\u81ea\u5df1\u7684\u516c\u7f51 IP \u4e0a\u6311\u4e00\u4e2a\u53ef\u7528\u7684 UDP \u7aef\u53e3<\/mark><\/strong>\uff0c\u4f8b\u5982\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:4242<\/code>\uff0c<\/li>\n<li>\u7136\u540e\u521b\u5efa\u4e00\u4e2a\u00a0<em>NAT mapping<\/em>\uff1a<code class=\"language-plaintext 
highlighter-rouge\">192.168.0.20:1234<\/code>\u00a0<code class=\"language-plaintext highlighter-rouge\">&lt;--&gt;<\/code>\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:4242<\/code>\uff0c<\/li>\n<li>\u7136\u540e\u5c06\u5305\u53d1\u5230\u516c\u7f51\uff0c\u6b64\u65f6\u6e90\u5730\u5740\u53d8\u6210\u4e86\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:4242<\/code>\u00a0\u800c\u4e0d\u662f\u539f\u6765\u7684\u00a0<code class=\"language-plaintext highlighter-rouge\">192.168.0.20:1234<\/code>\u3002\u56e0\u6b64\u670d\u52a1\u7aef\u770b\u5230\u7684\u662f\u8f6c\u6362\u4e4b\u540e\u7684\u5730\u5740\uff0c<\/li>\n<li>\u63a5\u4e0b\u6765\uff0c\u6bcf\u4e2a\u80fd\u5339\u914d\u5230\u8fd9\u6761\u6620\u5c04\u89c4\u5219\u7684\u5305\uff0c\u90fd\u4f1a\u88ab\u8def\u7531\u5668\u6539\u5199 IP \u548c\u7aef\u53e3\u3002<\/li>\n<\/ol>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-overview-2\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-overview-2.png\" width=\"1939\" height=\"530\"><\/p>\n<\/li>\n<li>\u53cd\u5411\u8def\u5f84\u662f\u7c7b\u4f3c\u7684\uff0c\u8def\u7531\u5668\u4f1a\u6267\u884c\u76f8\u53cd\u7684\u5730\u5740\u8f6c\u6362\uff0c\u5c06\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:4242<\/code>\u00a0\u53d8\u56de\u00a0<code class=\"language-plaintext highlighter-rouge\">192.168.0.20:1234<\/code>\u3002\u5bf9\u4e8e\u7b14\u8bb0\u672c\u6765\u8bf4\uff0c\u5b83\u6839\u672c\u611f\u77e5\u4e0d\u5230\u8fd9\u6b63\u53cd\u4e24\u6b21\u53d8\u6362\u8fc7\u7a0b\u3002<\/li>\n<\/ol>\n<p>\u8fd9\u91cc\u662f\u62ff\u5bb6\u7528\u8def\u7531\u5668\u4f5c\u4e3a\u4f8b\u5b50\uff0c\u4f46<strong><mark>\u529e\u516c\u7f51\u7684\u539f\u7406\u662f\u4e00\u6837\u7684<\/mark><\/strong>\u3002\u4e0d\u540c\u4e4b\u5904\u5728\u4e8e\uff0c\u529e\u516c\u7f51\u7684 NAT 
\u53ef\u80fd\u6709\u591a\u53f0\u8bbe\u5907\u7ec4\u6210\uff08\u9ad8\u53ef\u7528\u3001\u5bb9\u91cf\u7b49\u76ee\u7684\uff09\uff0c\u800c\u4e14\u5b83\u4eec\u6709\u4e0d\u6b62\u4e00\u4e2a\u516c \u7f51 IP \u5730\u5740\u53ef\u7528\uff0c\u56e0\u6b64\u5728\u9009\u62e9\u53ef\u7528\u7684\u516c\u7f51\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0\u6765\u505a\u6620\u5c04\u65f6\uff0c\u9009\u62e9\u7a7a\u95f4\u66f4\u5927\uff0c\u80fd\u652f\u6301 \u66f4\u591a\u5ba2\u6237\u7aef\u3002<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-overview-3\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-overview-3.png\" width=\"2170\" height=\"898\"><\/p>\n<h2 id=\"35-snat-\u7ed9\u7a7f\u900f\u5e26\u6765\u7684\u6311\u6218\">3.5 SNAT \u7ed9\u7a7f\u900f\u5e26\u6765\u7684\u6311\u6218<\/h2>\n<p>\u73b0\u5728\u6211\u4eec\u9047\u5230\u4e86\u4e0e\u524d\u9762\u6709\u72b6\u6001\u9632\u706b\u5899\u7c7b\u4f3c\u7684\u60c5\u51b5\uff0c\u4f46\u8fd9\u6b21\u662f NAT \u8bbe\u5907\uff1a<strong><mark>\u901a\u4fe1\u53cc\u65b9 \u4e0d\u77e5\u9053\u5bf9\u65b9\u7684 ip:port \u662f\u4ec0\u4e48<\/mark><\/strong>\uff0c\u56e0\u6b64<strong><mark>\u65e0\u6cd5\u4e3b\u52a8\u5efa\u8fde<\/mark><\/strong>\uff0c\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-stun-1\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-stun-1.png\" width=\"2180\" height=\"620\"><\/p>\n<p>\u4f46\u8fd9\u6b21\u6bd4\u6709\u72b6\u6001\u9632\u706b\u5899\u66f4\u7cdf\u7cd5\uff0c\u4e25\u683c\u6765\u8bf4\uff0c<strong><mark>\u5728\u53cc\u65b9\u53d1\u5305\u4e4b\u524d\uff0c\u6839\u672c\u65e0\u6cd5\u786e\u5b9a\uff08\u81ea\u5df1\u53ca\u5bf9\u65b9\u7684\uff09ip:port \u4fe1\u606f<\/mark><\/strong>\uff0c\u56e0\u4e3a\u00a0<strong><mark>\u53ea\u6709\u51fa\u5411\u5305\u7ecf\u8fc7\u8def\u7531\u5668\u4e4b\u540e\u624d\u4f1a\u4ea7\u751f NAT 
mapping<\/mark><\/strong>\uff08\u5373\uff0c\u53ef\u4ee5\u88ab\u5bf9\u65b9\u8fde\u63a5\u7684\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0\u4fe1\u606f\uff09\u3002<\/p>\n<p>\u56e0\u6b64\u6211\u4eec\u53c8\u56de\u5230\u4e86\u4e0e\u9632\u706b\u5899\u9047\u5230\u7684\u95ee\u9898\uff0c\u5e76\u4e14\u60c5\u51b5\u66f4\u7cdf\u7cd5\uff1a<strong><mark>\u53cc\u65b9\u90fd\u9700\u8981\u4e3b\u52a8\u548c\u5bf9 \u65b9\u5efa\u8fde\uff0c\u4f46\u53c8\u4e0d\u77e5\u9053\u5bf9\u65b9\u7684\u516c\u7f51\u5730\u5740\u662f\u591a\u5c11<\/mark><\/strong>\uff0c\u53ea\u6709\u5f53\u5bf9\u65b9\u5148\u8bf4\u8bdd\u4e4b\u540e\uff0c\u6211\u4eec\u624d\u80fd\u62ff\u5230\u5b83\u7684\u5730\u5740\u4fe1\u606f\u3002<\/p>\n<p>\u5982\u4f55\u7834\u89e3\u4ee5\u4e0a\u6b7b\u9501\u5462\uff1f\u8fd9\u5c31\u8f6e\u5230\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/STUN\">STUN<\/a>\u00a0\u767b\u573a\u4e86\u3002<\/p>\n<h1 id=\"4-\u7a7f\u900f-nat\u9632\u706b\u5899stun-session-traversal-utilities-for-nat-\u534f\u8bae\">4 \u7a7f\u900f \u201cNAT+\u9632\u706b\u5899\u201d\uff1aSTUN (Session Traversal Utilities for NAT) \u534f\u8bae<\/h1>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/STUN\">STUN<\/a>\u00a0\u65e2\u662f\u4e00\u4e9b\u5bf9 NAT \u8bbe\u5907\u884c\u4e3a\u7684\u8be6\u7ec6\u7814\u7a76\uff0c\u4e5f\u662f\u4e00\u79cd\u534f\u52a9 NAT \u7a7f\u900f\u7684\u534f\u8bae\u3002\u672c\u6587\u4e3b\u8981\u5173\u6ce8 STUN \u534f\u8bae\u3002<\/p>\n<h2 id=\"41-stun-\u539f\u7406\">4.1 STUN \u539f\u7406<\/h2>\n<p><strong><mark>STUN \u57fa\u4e8e\u4e00\u4e2a\u7b80\u5355\u7684\u89c2\u5bdf<\/mark><\/strong>\uff1a\u4ece\u4e00\u4e2a\u4f1a\u88ab NAT \u7684\u5ba2\u6237\u7aef\u8bbf\u95ee\u516c\u7f51\u670d\u52a1\u5668\u65f6\uff0c \u670d\u52a1\u5668\u770b\u5230\u7684\u662f\u00a0<strong><mark>NAT \u8bbe\u5907\u7684\u516c\u7f51 ip:port \u5730\u5740<\/mark><\/strong>\uff0c\u800c\u975e\u8be5\u00a0<strong><mark>\u5ba2\u6237\u7aef\u7684\u5c40\u57df\u7f51 ip:port 
\u5730\u5740<\/mark><\/strong>\u3002<\/p>\n<p>\u4e5f\u5c31\u662f\u8bf4\uff0c\u670d\u52a1\u5668\u80fd\u544a\u8bc9\u5ba2\u6237\u7aef<strong><mark>\u5b83\u770b\u5230\u7684\u5ba2\u6237\u7aef\u7684 ip:port \u662f\u4ec0\u4e48<\/mark><\/strong>\u3002 \u56e0\u6b64\uff0c\u53ea\u8981\u5c06\u8fd9\u4e2a\u4fe1\u606f\u4ee5\u67d0\u79cd\u65b9\u5f0f\u544a\u8bc9\u901a\u4fe1\u5bf9\u7aef\uff08peer\uff09\uff0c\u540e\u8005\u5c31\u77e5\u9053\u8be5\u548c\u54ea\u4e2a\u5730\u5740\u5efa\u8fde\u4e86\uff01 \u8fd9\u6837\u5c31\u53c8<strong><mark>\u7b80\u5316\u4e3a\u524d\u9762\u7684\u9632\u706b\u5899\u7a7f\u900f\u95ee\u9898\u4e86<\/mark><\/strong>\u3002<\/p>\n<p>\u672c\u8d28\u4e0a\u8fd9\u5c31\u662f\u00a0<strong><mark>STUN \u534f\u8bae\u7684\u5de5\u4f5c\u539f\u7406<\/mark><\/strong>\uff0c\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n<ul>\n<li>\u7b14\u8bb0\u672c\u5411 STUN \u670d\u52a1\u5668\u53d1\u9001\u4e00\u4e2a\u8bf7\u6c42\uff1a\u201c\u4ece\u4f60\u7684\u89d2\u5ea6\u770b\uff0c\u6211\u7684\u5730\u5740\u4ec0\u4e48\uff1f\u201d<\/li>\n<li>STUN \u670d\u52a1\u5668\u8fd4\u56de\u4e00\u4e2a\u54cd\u5e94\uff1a\u201c\u6211\u770b\u5230\u4f60\u7684 UDP \u5305\u662f\u4ece\u8fd9\u4e2a\u5730\u5740\u6765\u7684\uff1a<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u201d\u3002<\/li>\n<\/ul>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-stun-2\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-stun-2.png\" width=\"1560\" height=\"801\"><\/p>\n<blockquote><p>The STUN protocol has a bunch more stuff in it \u2014 there\u2019s a way of obfuscating the\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0in the response to stop really broken NATs from mangling the packet\u2019s payload, and a whole authentication mechanism that only really gets used by TURN and ICE, sibling protocols to STUN that we\u2019ll talk about in a bit. 
We can ignore all of that stuff for address discovery.<\/p><\/blockquote>\n<h2 id=\"42-\u4e3a\u4ec0\u4e48-nat-\u7a7f\u900f\u903b\u8f91\u548c\u4e3b\u534f\u8bae\u8981\u5171\u4eab\u540c\u4e00\u4e2a-socket\">4.2 \u4e3a\u4ec0\u4e48 NAT \u7a7f\u900f\u903b\u8f91\u548c\u4e3b\u534f\u8bae\u8981\u5171\u4eab\u540c\u4e00\u4e2a socket<\/h2>\n<p>\u7406\u89e3\u4e86 STUN \u539f\u7406\uff0c\u4e5f\u5c31\u80fd\u7406\u89e3\u4e3a\u4ec0\u4e48\u6211\u4eec\u5728\u6587\u7ae0\u5f00\u5934\u8bf4\uff0c\u5982\u679c\u00a0<strong><mark>\u8981\u5b9e\u73b0\u81ea\u5df1\u7684 NAT \u7a7f\u900f\u903b\u8f91\u548c\u4e3b\u534f\u8bae\uff0c\u5c31\u5fc5\u987b\u8ba9\u4e8c\u8005\u5171\u4eab\u540c\u4e00\u4e2a socket<\/mark><\/strong>\uff1a<\/p>\n<ol>\n<li>\u6bcf\u4e2a socket \u5728 NAT \u8bbe\u5907\u4e0a\u90fd\u5bf9\u5e94\u4e00\u4e2a\u6620\u5c04\u5173\u7cfb\uff08\u79c1\u7f51\u5730\u5740 -&gt; \u516c\u7f51\u5730\u5740\uff09\uff0c<\/li>\n<li>STUN \u670d\u52a1\u5668\u53ea\u662f<strong><mark>\u8f85\u52a9<\/mark><\/strong>\u7a7f\u900f\u7684\u57fa\u7840\u8bbe\u65bd\uff0c<\/li>\n<li>\u4e0e STUN \u670d\u52a1\u5668\u901a\u4fe1\u4e4b\u540e\uff0c\u5728 NAT \u53ca\u9632\u706b\u5899\u8bbe\u5907\u4e0a\u6253\u5f00\u4e86\u4e00\u4e2a\u8fde\u63a5\uff0c\u5141\u8bb8\u5165\u5411\u5305\u8fdb\u6765\uff08\u56de\u5fc6\u524d\u9762\u5185\u5bb9\uff0c\u00a0<strong><mark>\u53ea\u8981\u76ee\u7684\u5730\u5740\u5bf9\uff0cUDP \u5305\u5c31\u80fd\u8fdb\u6765<\/mark><\/strong>\uff0c\u4e0d\u7ba1\u8fd9\u4e9b\u5305\u662f\u4e0d\u662f\u4ece STUN \u670d\u52a1\u5668\u6765\u7684\uff09\uff0c<\/li>\n<li>\u56e0\u6b64\uff0c\u63a5\u4e0b\u6765\u53ea\u8981\u5c06\u8fd9\u4e2a\u5730\u5740\u544a\u8bc9\u6211\u4eec\u7684\u901a\u4fe1\u5bf9\u7aef\uff08peer\uff09\uff0c\u8ba9\u5b83\u5f80\u8fd9\u4e2a\u5730\u5740\u53d1\u5305\uff0c\u5c31\u80fd\u5b9e\u73b0\u7a7f\u900f\u4e86\u3002<\/li>\n<\/ol>\n<h2 id=\"43-stun-\u7684\u95ee\u9898\u4e0d\u80fd\u7a7f\u900f\u6240\u6709-nat-\u8bbe\u5907\u4f8b\u5982\u4f01\u4e1a\u7ea7-nat-\u7f51\u5173\">4.3 STUN 
\u7684\u95ee\u9898\uff1a\u4e0d\u80fd\u7a7f\u900f\u6240\u6709 NAT \u8bbe\u5907\uff08\u4f8b\u5982\u4f01\u4e1a\u7ea7 NAT \u7f51\u5173\uff09<\/h2>\n<p>\u6709\u4e86 STUN\uff0c\u6211\u4eec\u7684<strong><mark>\u7a7f\u900f\u76ee\u7684\u4f3c\u4e4e\u5df2\u7ecf\u5b9e\u73b0\u4e86<\/mark><\/strong>\uff1a\u6bcf\u53f0\u673a\u5668\u90fd\u901a\u8fc7 STUN \u6765\u83b7\u53d6\u81ea\u5df1\u7684\u79c1\u7f51 socket \u5bf9\u5e94\u7684\u516c\u7f51\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\uff0c\u7136\u540e\u628a\u8fd9\u4e2a\u4fe1\u606f\u544a\u8bc9\u5bf9\u7aef\uff0c\u7136\u540e\u4e24\u7aef \u540c\u65f6\u53d1\u8d77\u7a7f\u900f\u9632\u706b\u5899\u7684\u5c1d\u8bd5\uff0c\u540e\u9762\u7684\u8fc7\u7a0b\u5c31\u548c\u4e0a\u4e00\u8282\u4ecb\u7ecd\u7684\u9632\u706b\u5899\u7a7f\u900f\u4e00\u6837\u4e86\uff0c<strong><mark>\u5bf9\u5417<\/mark><\/strong>\uff1f<\/p>\n<p>\u7b54\u6848\u662f\uff1a<strong><mark>\u770b\u60c5\u51b5<\/mark><\/strong>\u3002\u67d0\u4e9b\u60c5\u51b5\u4e0b\u786e\u5b9e\u5982\u6b64\uff0c\u4f46\u6709\u4e9b\u60c5\u51b5\u4e0b\u5374\u4e0d\u884c\u3002\u901a\u5e38\u6765\u8bf4\uff0c<\/p>\n<ul>\n<li>\u5bf9\u4e8e\u5927\u90e8\u5206<strong><mark>\u5bb6\u7528\u8def\u7531\u5668\u573a\u666f<\/mark><\/strong>\uff0c\u8fd9\u79cd\u65b9\u5f0f\u662f\u6ca1\u95ee\u9898\u7684\uff1b<\/li>\n<li>\u4f46\u5bf9\u4e8e\u4e00\u4e9b<strong><mark>\u4f01\u4e1a\u7ea7 NAT \u7f51\u5173<\/mark><\/strong>\u6765\u8bf4\uff0c\u8fd9\u79cd\u65b9\u5f0f\u65e0\u6cd5\u594f\u6548\u3002<\/li>\n<\/ul>\n<p>NAT \u8bbe\u5907\u7684\u8bf4\u660e\u4e66\u4e0a\u8d8a\u5f3a\u8c03\u5b83\u7684\u5b89\u5168\u6027\uff0cSTUN \u65b9\u5f0f\u5931\u8d25\u7684\u53ef\u80fd\u6027\u5c31\u8d8a\u9ad8\u3002\uff08\u4f46\u6ce8\u610f\uff0c\u4ece\u5b9e\u9645\u610f\u4e49\u4e0a\u6765\u8bf4\uff0c\u00a0<strong><mark>NAT 
\u8bbe\u5907\u5728\u4efb\u4f55\u65b9\u9762\u90fd\u5e76\u4e0d\u4f1a\u589e\u5f3a\u7f51\u7edc\u7684\u5b89\u5168\u6027<\/mark><\/strong>\uff0c\u4f46\u8fd9\u4e0d\u662f\u672c\u6587\u91cd\u70b9\uff0c\u56e0\u6b64\u4e0d\u5c55\u5f00\u3002\uff09<\/p>\n<h2 id=\"44-\u91cd\u65b0\u5ba1\u89c6-stun-\u7684\u524d\u63d0\">4.4 \u91cd\u65b0\u5ba1\u89c6 STUN \u7684\u524d\u63d0<\/h2>\n<p>\u518d\u6b21\u5ba1\u89c6\u524d\u9762<strong><mark>\u5173\u4e8e STUN \u7684\u5047\u8bbe<\/mark><\/strong>\uff1a\u5f53 STUN \u670d\u52a1\u5668\u544a\u8bc9\u5ba2\u6237\u7aef\u5728\u516c\u7f51\u770b\u6765\u5b83\u7684\u5730\u5740\u662f\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:4242<\/code>\u00a0\u65f6\uff0c\u90a3\u6240\u6709\u76ee\u7684\u5730\u5740\u662f\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:4242<\/code>\u00a0\u7684\u5305\u5c31\u90fd\u80fd\u7a7f\u900f\u9632\u706b\u5899\u5230\u8fbe\u8be5\u5ba2\u6237\u7aef\u3002<\/p>\n<p>\u8fd9\u4e5f\u6b63\u662f\u95ee\u9898\u6240\u5728\uff1a<strong><mark>\u8fd9\u4e00\u70b9\u5e76\u4e0d\u603b\u662f\u6210\u7acb<\/mark><\/strong>\u3002<\/p>\n<ul>\n<li>\u67d0\u4e9b NAT \u8bbe\u5907\u7684\u884c\u4e3a\u4e0e\u6211\u4eec\u5047\u8bbe\u7684\u4e00\u81f4\uff0c\u5b83\u4eec\u7684\u6709\u72b6\u6001\u9632\u706b\u5899\u7ec4\u4ef6\u53ea\u8981\u770b\u5230\u6709\u5ba2\u6237\u7aef\u81ea\u5df1 \u53d1\u8d77\u7684\u51fa\u5411\u5305\uff0c\u5c31\u4f1a\u5141\u8bb8\u76f8\u5e94\u7684\u5165\u5411\u5305\u8fdb\u5165\uff1b\u56e0\u6b64\u53ea\u8981\u5229\u7528 STUN \u529f\u80fd\uff0c\u518d\u52a0\u4e0a\u4e24\u7aef\u540c\u65f6 \u53d1\u8d77\u9632\u706b\u5899\u7a7f\u900f\uff0c\u5c31\u80fd\u628a\u8fde\u63a5\u6253\u901a\uff1b<br \/>\n<blockquote><p>in theory, there are also NAT devices that are super relaxed, and don\u2019t ship with stateful firewall stuff at all. 
In those, you don\u2019t even need simultaneous transmission, the STUN request gives you an internet\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0that anyone can connect to with no further ceremony. If such devices do still exist, they\u2019re increasingly rare.<\/p><\/blockquote>\n<\/li>\n<li>\u53e6\u5916\u4e00\u4e9b NAT \u8bbe\u5907\u5c31\u8981\u56f0\u96be\u5f88\u591a\u4e86\uff0c\u5b83\u4f1a<strong><mark>\u9488\u5bf9\u6bcf\u4e2a\u76ee\u7684\u5730\u5740\u6765\u751f\u6210\u4e00\u6761\u76f8\u5e94\u7684\u6620\u5c04\u5173\u7cfb<\/mark><\/strong>\u3002 \u5728\u8fd9\u6837\u7684\u8bbe\u5907\u4e0a\uff0c\u5982\u679c\u6211\u4eec\u7528\u76f8\u540c\u7684 socket \u6765\u5206\u522b\u53d1\u9001\u6570\u636e\u5305\u5230\u00a0<code class=\"language-plaintext highlighter-rouge\">5.5.5.5:1234<\/code>\u00a0and\u00a0<code class=\"language-plaintext highlighter-rouge\">7.7.7.7:2345<\/code>\uff0c\u6211\u4eec\u5c31\u4f1a\u5f97\u5230\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2<\/code>\u00a0\u4e0a\u7684\u4e24\u4e2a\u4e0d\u540c\u7684\u7aef\u53e3\uff0c\u6bcf\u4e2a\u76ee\u7684\u5730\u5740\u5bf9\u5e94\u4e00\u4e2a\u3002 \u5982\u679c\u53cd\u5411\u5305\u7684\u7aef\u53e3\u7528\u7684\u4e0d\u5bf9\uff0c\u5305\u5c31\u65e0\u6cd5\u901a\u8fc7\u9632\u706b\u5899\u3002\u5982\u4e0b\u56fe\u6240\u793a\uff1a\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-stun-3\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-stun-3.png\" width=\"1858\" height=\"839\"><\/p>\n<\/li>\n<\/ul>\n<h1 id=\"5-\u4e2d\u573a\u8865\u8bfenat-\u6b63\u5f0f\u672f\u8bed\">5 \u4e2d\u573a\u8865\u8bfe\uff1aNAT \u6b63\u5f0f\u672f\u8bed<\/h1>\n<p>\u77e5\u9053 NAT \u8bbe\u5907\u7684\u884c\u4e3a\u5e76\u4e0d\u662f\u5b8c\u5168\u4e00\u6837\u4e4b\u540e\uff0c\u6211\u4eec\u6765\u5f15\u5165\u4e00\u4e9b\u6b63\u5f0f\u672f\u8bed\u3002<\/p>\n<h2 id=\"51-\u65e9\u671f\u672f\u8bed\">5.1 \u65e9\u671f\u672f\u8bed<\/h2>\n<p>\u5982\u679c\u4e4b\u524d\u63a5\u89e6\u8fc7 NAT 
\u7a7f\u900f\uff0c\u53ef\u80fd\u4f1a\u542c\u8bf4\u8fc7\u4e0b\u9762\u8fd9\u4e9b\u540d\u8bcd\uff1a<\/p>\n<ul>\n<li>\u201cFull Cone\u201d<\/li>\n<li>\u201cRestricted Cone\u201d<\/li>\n<li>\u201cPort-Restricted Cone\u201d<\/li>\n<li>\u201cSymmetric\u201d NATs<\/li>\n<\/ul>\n<p>\u8fd9\u4e9b\u90fd\u662f NAT \u7a7f\u900f\u9886\u57df\u7684\u65e9\u671f\u672f\u8bed\u3002<\/p>\n<p>\u4f46\u5176\u5b9e\u8fd9\u4e9b\u672f\u8bed<strong><mark>\u76f8\u5f53\u8ba9\u4eba\u56f0\u60d1<\/mark><\/strong>\u3002\u6211\u6bcf\u6b21\u90fd\u8981 \u67e5\u4e00\u4e0b Restricted Cone NAT \u662f\u4ec0\u4e48\u610f\u601d\u3002\u4ece\u5b9e\u9645\u7ecf\u9a8c\u6765\u770b\uff0c\u6211\u5e76\u4e0d\u662f\u552f\u4e00\u5bf9\u6b64\u611f\u5230\u56f0\u60d1\u7684\u4eba\u3002 \u4f8b\u5982\uff0c\u5982\u4eca\u4e92\u8054\u7f51\u4e0a\u5c06 \u201ceasy\u201d NAT \u5f52\u7c7b\u4e3a Full Cone\uff0c\u800c\u5b9e\u9645\u4e0a\u5b83\u4eec\u66f4\u5e94\u8be5\u5f52\u7c7b\u4e3a Port-Restricted Cone\u3002<\/p>\n<h2 id=\"52-\u8fd1\u671f\u7814\u7a76\u4e0e\u65b0\u672f\u8bed\">5.2 \u8fd1\u671f\u7814\u7a76\u4e0e\u65b0\u672f\u8bed<\/h2>\n<p>\u6700\u8fd1\u7684\u4e00\u4e9b\u7814\u7a76\u548c RFC \u5df2\u7ecf\u63d0\u51fa\u4e86\u4e00\u4e9b\u66f4\u51c6\u786e\u7684\u672f\u8bed\u3002<\/p>\n<ul>\n<li>\u9996\u5148\uff0c\u5b83\u4eec\u660e\u786e\u4e86\u5982\u4e0b\u4e8b\u5b9e\uff1a<strong><mark>NAT \u8bbe\u5907\u7684\u884c\u4e3a\u5dee\u5f02\u8868\u73b0\u5728\u591a\u4e2a\u7ef4\u5ea6<\/mark><\/strong>\uff0c \u800c\u5e76\u975e\u53ea\u6709\u65e9\u671f\u7814\u7a76\u4e2d\u6240\u8bf4\u7684 \u201ccone\u201d \u8fd9\u4e00\u4e2a\u7ef4\u5ea6\uff0c\u56e0\u6b64<strong><mark>\u57fa\u4e8e \u201ccone\u201d \u6765\u5212\u5206\u7c7b\u522b\u5e76\u4e0d\u662f\u5f88\u6709\u5e2e\u52a9<\/mark><\/strong>\u3002<\/li>\n<li>\u5176\u6b21\uff0c\u65b0\u7814\u7a76\u548c\u65b0\u672f\u8bed\u80fd<strong><mark>\u66f4\u51c6\u786e\u5730\u63cf\u8ff0 NAT \u5728\u505a\u4ec0\u4e48<\/mark><\/strong>\u3002<\/li>\n<\/ul>\n<p>\u524d\u9762\u63d0\u5230\u7684\u6240\u8c13\u00a0<strong><mark>\"easy\" 
\u548c \"hard\" NAT\uff0c\u53ea\u5728\u4e00\u4e2a\u7ef4\u5ea6\u6709\u4e0d\u540c<\/mark><\/strong>\uff1aNAT \u6620\u5c04\u662f\u5426\u8003\u8651\u5230\u76ee\u7684\u5730\u5740\u4fe1\u606f\u3002\u00a0<a href=\"https:\/\/tools.ietf.org\/html\/rfc4787\">RFC 4787<\/a>\u00a0\u4e2d\uff0c<\/p>\n<ul>\n<li>\u5c06\u00a0<strong><mark>easy NAT \u53ca\u5176\u53d8\u79cd<\/mark><\/strong>\u79f0\u4e3a \u201cEndpoint-Independent Mapping\u201d (<strong><mark>EIM\uff0c\u7ec8\u70b9\u65e0\u5173\u7684\u6620\u5c04<\/mark><\/strong>)\u4f46\u662f\uff0c\u4ece<strong><mark>\u201c\u547d\u540d\u5f88\u96be\u201d<\/mark><\/strong>\u8fd9\u4e00\u7a0b\u5e8f\u5458\u754c\u7684\u4f1f\u5927\u4f20\u7edf\u6765\u8bf4\uff0cEIM \u8fd9\u4e2a\u8bcd\u5176\u5b9e \u4e5f\u5e76\u4e0d\u662f 100% \u51c6\u786e\uff0c\u56e0\u4e3a\u8fd9\u79cd NAT \u4ecd\u7136\u4f9d\u8d56 endpoint\uff0c\u53ea\u4e0d\u8fc7\u4f9d\u8d56\u7684\u662f\u6e90 endpoint\uff1a\u6bcf\u4e2a source\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0\u5bf9\u5e94\u4e00\u4e2a\u6620\u5c04 \u2014\u2014 \u5426\u5219\u4f60\u7684\u5305\u5c31\u4f1a\u548c\u522b\u4eba\u7684\u5305\u6df7\u5728\u4e00\u8d77\uff0c\u5bfc\u81f4\u6df7\u4e71\u3002\n<p>\u4e25\u683c\u6765\u8bf4\uff0cEIM \u5e94\u8be5\u79f0\u4e3a \u201cDestination Endpoint Independent Mapping\u201d (DEIM?)\uff0c \u4f46\u8fd9\u4e2a\u540d\u5b57\u592a\u62d7\u53e3\u4e86\uff0c\u800c\u4e14\u6309\u7167\u60ef\u4f8b\uff0cEndpoint \u6c38\u8fdc\u6307\u7684\u662f Destination Endpoint\u3002<\/li>\n<li>\u5c06\u00a0<strong><mark>hard NAT \u4ee5\u53ca\u53d8\u79cd<\/mark><\/strong>\u79f0\u4e3a \u201cEndpoint-Dependent Mapping\u201d\uff08<strong><mark>EDM\uff0c\u7ec8\u70b9\u76f8\u5173\u7684\u6620\u5c04<\/mark><\/strong>\uff09 \u3002EDM \u4e2d\u8fd8\u6709\u4e00\u4e2a\u5b50\u7c7b\u578b\uff0c\u4f9d\u636e\u662f\u53ea\u6839\u636e dst_ip \u505a\u6620\u5c04\uff0c\u8fd8\u662f\u6839\u636e dst_ip + dst_port \u505a\u6620\u5c04\u3002 \u5bf9\u4e8e NAT 
\u7a7f\u900f\u6765\u8bf4\uff0c\u8fd9\u79cd\u533a\u5206\u5bf9\u6211\u4eec\u6765\u8bf4\u662f\u4e00\u6837\u7684\uff1a\u5b83\u4eec<strong><mark>\u90fd\u4f1a\u5bfc\u81f4 STUN \u65b9\u5f0f\u4e0d\u53ef\u7528<\/mark><\/strong>\u3002<\/li>\n<\/ul>\n<h2 id=\"53-\u8001\u7684-cone-\u7c7b\u578b\u5212\u5206\">5.3 \u8001\u7684 cone \u7c7b\u578b\u5212\u5206<\/h2>\n<p>\u4f60\u53ef\u80fd\u4f1a\u6709\u7591\u95ee\uff1a\u6839\u636e\u662f\u5426\u4f9d\u8d56 endpoint \u8fd9\u4e00\u6761\u4ef6\uff0c\u53ea\u80fd\u7ec4\u5408\u51fa\u4e24\u79cd\u53ef\u80fd\uff0c\u90a3\u4e3a\u4ec0\u4e48\u4f20\u7edf\u5206\u7c7b\u4e2d\u4f1a\u6709\u56db\u79cd cone \u7c7b\u578b\u5462\uff1f\u7b54\u6848\u662f\u00a0<strong><mark>cone \u5305\u542b\u4e86\u4e24\u4e2a\u6b63\u4ea4\u7ef4\u5ea6\u7684 NAT \u884c\u4e3a<\/mark><\/strong>\uff1a<\/p>\n<ul>\n<li><strong><mark>NAT \u6620\u5c04\u884c\u4e3a<\/mark><\/strong>\uff1a\u524d\u9762\u5df2\u7ecf\u4ecb\u7ecd\u8fc7\u4e86\uff0c<\/li>\n<li><strong><mark>\u6709\u72b6\u6001\u9632\u706b\u5899\u884c\u4e3a<\/mark><\/strong>\uff1a\u4e0e\u524d\u8005\u7c7b\u4f3c\uff0c\u4e5f\u662f\u5206\u4e3a\u4e0e endpoint \u76f8\u5173\u8fd8\u662f\u65e0\u5173\u4e24\u79cd\u7c7b\u578b\u3002<\/li>\n<\/ul>\n<p>\u56e0\u6b64\u6700\u7ec8\u7ec4\u5408\u5982\u4e0b\uff1a<\/p>\n<p align=\"center\">NAT Cone Types<\/p>\n<table>\n<thead>\n<tr>\n<th><\/th>\n<th><strong>Endpoint \u65e0\u5173 NAT mapping<\/strong><\/th>\n<th><strong>Endpoint \u76f8\u5173 NAT mapping (all types)<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Endpoint \u65e0\u5173\u9632\u706b\u5899<\/strong><\/td>\n<td>Full Cone NAT<\/td>\n<td>N\/A*<\/td>\n<\/tr>\n<tr>\n<td><strong>Endpoint \u76f8\u5173\u9632\u706b\u5899 (dst. IP only)<\/strong><\/td>\n<td>Restricted Cone NAT<\/td>\n<td>N\/A*<\/td>\n<\/tr>\n<tr>\n<td><strong>Endpoint \u76f8\u5173\u9632\u706b\u5899 (dst. 
IP+port)<\/strong><\/td>\n<td>Port-Restricted Cone NAT<\/td>\n<td>Symmetric NAT<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5206\u89e3\u5230\u8fd9\u79cd\u7a0b\u5ea6\u4e4b\u540e\u5c31\u53ef\u4ee5\u770b\u51fa\uff0c<strong><mark>cone \u7c7b\u578b\u5bf9 NAT \u7a7f\u900f\u573a\u666f\u6765\u8bf4\u5e76\u6ca1\u6709\u4ec0\u4e48\u610f\u4e49<\/mark><\/strong>\u3002 \u6211\u4eec\u5173\u5fc3\u7684\u53ea\u6709\u4e00\u70b9\uff1a\u662f\u5426\u662f Symmetric \u2014\u2014 \u6362\u53e5\u8bdd\u8bf4\uff0c\u4e00\u4e2a NAT \u8bbe\u5907\u662f EIM \u8fd8\u662f EDM \u7c7b\u578b\u7684\u3002<\/p>\n<h2 id=\"54-\u9488\u5bf9-nat-\u7a7f\u900f\u573a\u666f\u7b80\u5316-nat-\u5206\u7c7b\">5.4 \u9488\u5bf9 NAT \u7a7f\u900f\u573a\u666f\uff1a\u7b80\u5316 NAT \u5206\u7c7b<\/h2>\n<p>\u4ee5\u4e0a\u8ba8\u8bba\u53ef\u77e5\uff0c\u867d\u7136\u7406\u89e3\u9632\u706b\u5899\u7684\u5177\u4f53\u884c\u4e3a\u5f88\u91cd\u8981\uff0c\u4f46\u5bf9\u4e8e\u7f16\u5199 NAT \u7a7f\u900f\u4ee3\u7801\u6765\u8bf4\uff0c\u8fd9\u4e00\u70b9\u5e76\u4e0d\u91cd\u8981\u3002 \u6211\u4eec\u7684<strong><mark>\u4e24\u7aef\u540c\u65f6\u53d1\u5305<\/mark><\/strong>\u65b9\u5f0f\uff08simultaneous transmission trick\uff09\u80fd\u00a0<strong><mark>\u6709\u6548\u7a7f\u900f\u4ee5\u4e0a\u4e09\u79cd\u7c7b\u578b\u7684\u9632\u706b\u5899<\/mark><\/strong>\u3002\u5728\u771f\u5b9e\u573a\u666f\u4e2d\uff0c \u6211\u4eec\u4e3b\u8981\u5728\u5904\u7406\u7684\u662f IP-and-port endpoint-dependent \u9632\u706b\u5899\u3002<\/p>\n<p>\u56e0\u6b64\uff0c\u5bf9\u4e8e\u5b9e\u9645 NAT \u7a7f\u900f\u5b9e\u73b0\uff0c\u6211\u4eec\u53ef\u4ee5\u5c06\u4ee5\u4e0a\u5206\u7c7b\u7b80\u5316\u6210\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th><\/th>\n<th>Endpoint-Independent NAT mapping<\/th>\n<th>Endpoint-Dependent NAT mapping (dst. 
IP only)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Firewall is yes<\/strong><\/td>\n<td>Easy NAT<\/td>\n<td>Hard NAT<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"55-\u66f4\u591a-nat-\u89c4\u8303rfc\">5.5 \u66f4\u591a NAT \u89c4\u8303\uff08RFC\uff09<\/h2>\n<p>\u60f3\u4e86\u89e3\u66f4\u591a\u65b0\u7684 NAT \u672f\u8bed\uff0c\u53ef\u53c2\u8003<\/p>\n<ul>\n<li>RFC\u00a0<a href=\"https:\/\/tools.ietf.org\/html\/rfc4787\" target=\"_blank\" rel=\"noopener\">4787<\/a>\u00a0(NAT Behavioral Requirements for UDP)<\/li>\n<li>RFC\u00a0<a href=\"https:\/\/tools.ietf.org\/html\/rfc5382\" target=\"_blank\" rel=\"noopener\">5382<\/a>\u00a0(for TCP)<\/li>\n<li>RFC\u00a0<a href=\"https:\/\/tools.ietf.org\/html\/rfc5508\" target=\"_blank\" rel=\"noopener\">5508<\/a>\u00a0(for ICMP)<\/li>\n<\/ul>\n<p>\u5982\u679c\u81ea\u5df1\u5b9e\u73b0 NAT\uff0c\u90a3\u5e94\u8be5\uff08should\uff09\u9075\u5faa\u8fd9\u4e9b RFC \u7684\u89c4\u8303\uff0c\u8fd9\u6837\u624d\u80fd\u4f7f\u4f60\u7684 NAT \u884c\u4e3a\u7b26\u5408\u4e1a\u754c\u60ef\u4f8b\uff0c\u4e0e\u5176\u4ed6\u5382\u5546\u7684\u8bbe\u5907\u6216\u8f6f\u4ef6\u826f\u597d\u517c\u5bb9\u3002<\/p>\n<h1 id=\"6-\u7a7f\u900f-nat\u9632\u706b\u5899stun-\u4e0d\u53ef\u7528\u65f6fallback-\u5230\u4e2d\u7ee7\u6a21\u5f0f\">6 \u7a7f\u900f NAT+\u9632\u706b\u5899\uff1aSTUN \u4e0d\u53ef\u7528\u65f6\uff0cfallback \u5230\u4e2d\u7ee7\u6a21\u5f0f<\/h1>\n<h2 id=\"61-\u95ee\u9898\u56de\u987e\u4e0e\u4fdd\u5e95\u65b9\u5f0f\u4e2d\u7ee7\">6.1 \u95ee\u9898\u56de\u987e\u4e0e\u4fdd\u5e95\u65b9\u5f0f\uff08\u4e2d\u7ee7\uff09<\/h2>\n<p>\u8865\u5b8c\u57fa\u7840\u77e5\u8bc6\uff08\u5c24\u5176\u662f\u5b9a\u4e49\u4e86\u4ec0\u4e48\u662f hard NAT\uff09\u4e4b\u540e\uff0c\u56de\u5230\u6211\u4eec\u7684 NAT \u7a7f\u900f\u4e3b\u9898\u3002<\/p>\n<ul>\n<li>\u7b2c 1~4 \u8282\u5df2\u7ecf\u89e3\u51b3\u4e86 STUN \u548c\u9632\u706b\u5899\u7a7f\u900f\u7684\u95ee\u9898\uff0c<\/li>\n<li>\u4f46\u00a0<strong><mark>hard NAT 
\u5bf9\u6211\u4eec\u6765\u8bf4\u662f\u4e2a\u5927\u95ee\u9898<\/mark><\/strong>\uff0c\u53ea\u8981\u8def\u5f84\u4e0a\u51fa\u73b0\u4e00\u4e2a\u8fd9\u79cd\u8bbe\u5907\uff0c\u524d\u9762\u7684\u65b9\u6848\u5c31\u884c\u4e0d\u901a\u4e86\u3002<\/li>\n<\/ul>\n<p>\u51c6\u5907\u653e\u5f03\u4e86\u5417\uff1f \u8fd9\u624d<strong><mark>\u8fdb\u5165 NAT \u771f\u6b63\u6709\u6311\u6218\u7684\u90e8\u5206<\/mark><\/strong>\uff1a\u5982\u679c\u5df2\u7ecf\u8bd5\u8fc7\u4e86\u524d\u9762\u4ecb\u7ecd\u7684\u6240\u6709\u65b9\u5f0f \u4ecd\u7136\u4e0d\u80fd\u7a7f\u900f\uff0c\u6211\u4eec\u8be5\u600e\u4e48\u529e\u5462\uff1f<\/p>\n<ul>\n<li>\u5b9e\u9645\u4e0a\uff0c\u786e\u5b9e\u6709\u5f88\u591a NAT \u5b9e\u73b0\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\u90fd\u4f1a\u9009\u62e9\u653e\u5f03\uff0c\u5411\u7528\u6237\u62a5\u4e00\u4e2a<strong><mark>\u201c\u65e0\u6cd5\u8fde\u63a5\u201d<\/mark><\/strong>\u4e4b\u7c7b\u7684\u9519\u8bef\u3002<\/li>\n<li>\u4f46\u5bf9\u6211\u4eec\u6765\u8bf4\uff0c\u8fd9\u4e48\u5feb\u5c31\u653e\u5f03\u663e\u7136\u662f\u4e0d\u53ef\u63a5\u53d7\u7684 \u2014\u2014 \u89e3\u51b3\u4e0d\u4e86\u8fde\u901a\u6027\u95ee\u9898\uff0cTailscale \u5c31\u6ca1\u6709\u5b58\u5728\u7684\u610f\u4e49\u3002<\/li>\n<\/ul>\n<p>\u6211\u4eec\u7684\u4fdd\u5e95\u89e3\u51b3\u65b9\u5f0f\u662f\uff1a\u521b\u5efa\u4e00\u4e2a<strong><mark>\u4e2d\u7ee7\u8fde\u63a5<\/mark><\/strong>\uff08relay\uff09\u5b9e\u73b0\u53cc\u65b9\u7684\u65e0\u969c\u788d\u5730\u901a\u4fe1\u3002 \u4f46\u662f\uff0c\u4e2d\u7ee7\u65b9\u5f0f\u6027\u80fd\u4e0d\u662f\u5f88\u5dee\u5417\uff1f\u8fd9\u8981\u770b\u5177\u4f53\u60c5\u51b5\uff1a<\/p>\n<ul>\n<li>\u5982\u679c\u80fd\u76f4\u8fde\uff0c\u90a3\u663e\u7136\u6ca1\u5fc5\u8981\u7528\u4e2d\u7ee7\u65b9\u5f0f\uff1b<\/li>\n<li>\u4f46\u5982\u679c\u65e0\u6cd5\u76f4\u8fde\uff0c\u800c\u4e2d\u7ee7\u8def\u5f84\u53c8\u975e\u5e38\u63a5\u8fd1\u53cc\u65b9\u76f4\u8fde\u7684\u771f\u5b9e\u8def\u5f84\uff0c\u5e76\u4e14\u5e26\u5bbd\u8db3\u591f\u5927\uff0c\u90a3\u4e2d 
\u7ee7\u65b9\u5f0f\u5e76\u4e0d\u4f1a\u660e\u663e\u964d\u4f4e\u901a\u4fe1\u8d28\u91cf\u3002\u5ef6\u8fdf\u80af\u5b9a\u4f1a\u589e\u52a0\u4e00\u70b9\uff0c\u5e26\u5bbd\u4f1a\u5360\u7528\u4e00\u4e9b\uff0c\u4f46\u00a0<strong><mark>\u76f8\u6bd4\u5b8c\u5168\u8fde\u63a5\u4e0d\u4e0a\uff0c\u8fd8\u662f\u66f4\u80fd\u8ba9\u7528\u6237\u63a5\u53d7\u7684<\/mark><\/strong>\u3002<\/li>\n<\/ul>\n<p>\u4e0d\u8fc7\u8981\u6ce8\u610f\uff1a\u6211\u4eec\u53ea\u6709\u5728\u65e0\u6cd5\u76f4\u8fde\u65f6\u624d\u4f1a\u9009\u62e9\u4e2d\u7ee7\u65b9\u5f0f\u3002\u5b9e\u9645\u573a\u666f\u4e2d\uff0c<\/p>\n<ol>\n<li>\u5bf9\u4e8e\u5927\u90e8\u5206\u7f51\u7edc\uff0c\u6211\u4eec\u90fd\u80fd\u901a\u8fc7\u524d\u9762\u4ecb\u7ecd\u7684\u65b9\u5f0f\u5b9e\u73b0\u76f4\u8fde\uff0c<\/li>\n<li>\u5269\u4e0b\u7684\u957f\u5c3e\u7528\u4e2d\u7ee7\u65b9\u5f0f\u6765\u89e3\u51b3\uff0c\u5e76\u4e0d\u7b97\u4e00\u4e2a\u5f88\u7cdf\u7684\u65b9\u5f0f\u3002<\/li>\n<\/ol>\n<p>\u6b64\u5916\uff0c\u67d0\u4e9b\u7f51\u7edc\u4f1a\u963b\u6b62 NAT \u7a7f\u900f\uff0c\u5176\u5f71\u54cd\u6bd4\u8fd9\u79cd hard NAT \u5927\u591a\u4e86\u3002\u4f8b\u5982\uff0c\u6211\u4eec\u89c2\u5bdf\u5230 UC Berkeley guest WiFi \u7981\u6b62\u9664 DNS \u6d41\u91cf\u4e4b\u5916\u7684\u6240\u6709 outbound UDP \u6d41\u91cf\u3002 \u4e0d\u7ba1\u7528\u4ec0\u4e48 NAT \u9ed1\u79d1\u6280\uff0c\u90fd\u65e0\u6cd5\u7ed5\u8fc7\u8fd9\u4e2a\u62e6\u622a\u3002\u56e0\u6b64\u6211\u4eec\u7ec8\u5f52\u8fd8\u662f\u9700\u8981\u4e00\u4e9b\u53ef\u9760\u7684 fallback \u673a\u5236\u3002<\/p>\n<h2 id=\"62-\u4e2d\u7ee7\u534f\u8baeturnderp\">6.2 \u4e2d\u7ee7\u534f\u8bae\uff1aTURN\u3001DERP<\/h2>\n<p>\u6709\u591a\u79cd\u4e2d\u7ee7\u5b9e\u73b0\u65b9\u5f0f\u3002<\/p>\n<ol>\n<li><strong><mark>TURN<\/mark><\/strong>\u00a0(Traversal Using Relays around NAT)\uff1a\u7ecf\u5178\u65b9\u5f0f\uff0c\u6838\u5fc3\u7406\u5ff5\u662f\n<ol>\n<li><strong><mark>\u7528\u6237<\/mark><\/strong>\uff08\u4eba\uff09\u5148\u53bb\u516c\u7f51\u4e0a\u7684 TURN 
\u670d\u52a1\u5668\u8ba4\u8bc1\uff0c\u6210\u529f\u540e\u540e\u8005\u4f1a\u544a\u8bc9\u4f60\uff1a\u201c\u6211\u5df2\u7ecf\u4e3a\u4f60\u5206\u914d\u4e86 ip:port\uff0c\u63a5\u4e0b\u6765\u5c06\u4e3a\u4f60\u4e2d\u7ee7\u6d41\u91cf\u201d\uff0c<\/li>\n<li>\u7136\u540e\u5c06\u8fd9\u4e2a ip:port \u5730\u5740\u544a\u8bc9\u5bf9\u65b9\uff0c\u8ba9\u5b83\u53bb\u8fde\u63a5\u8fd9\u4e2a\u5730\u5740\uff0c\u63a5\u4e0b\u53bb\u5c31\u662f\u975e\u5e38\u7b80\u5355\u7684\u5ba2\u6237\u7aef\/\u670d\u52a1\u5668\u901a\u4fe1\u6a21\u578b\u4e86\u3002<\/li>\n<\/ol>\n<p>Tailscale \u5e76\u4e0d\u4f7f\u7528 TURN\u3002\u8fd9\u79cd\u534f\u8bae<strong><mark>\u7528\u8d77\u6765\u5e76\u4e0d\u662f\u5f88\u597d<\/mark><\/strong>\uff0c\u800c\u4e14\u4e0e STUN \u4e0d\u540c\uff0c \u5b83\u6ca1\u6709\u771f\u6b63\u7684\u4ea4\u4e92\u6027\uff0c\u56e0\u4e3a\u4e92\u8054\u7f51\u4e0a\u5e76\u6ca1\u6709\u516c\u5f00\u7684 TURN \u670d\u52a1\u5668\u3002<\/li>\n<li>DERP (Detoured Encrypted Routing Protocol)\u8fd9\u662f\u6211\u4eec\u521b\u5efa\u7684\u4e00\u4e2a\u534f\u8bae\uff0c<a href=\"https:\/\/tailscale.com\/blog\/how-tailscale-works\/#encrypted-tcp-relays-derp\" target=\"_blank\" rel=\"noopener\">DERP<\/a>\uff0c\n<ol>\n<li>\u5b83\u662f\u4e00\u4e2a<strong><mark>\u901a\u7528\u76ee\u7684\u5305\u4e2d\u7ee7\u534f\u8bae\uff0c\u8fd0\u884c\u5728 HTTP \u4e4b\u4e0a<\/mark><\/strong>\uff0c\u800c\u5927\u90e8\u5206\u7f51\u7edc\u90fd\u662f\u5141\u8bb8 HTTP \u901a\u4fe1\u7684\u3002<\/li>\n<li>\u5b83\u6839\u636e\u76ee\u7684\u516c\u94a5\uff08destination\u2019s public key\uff09\u6765\u4e2d\u7ee7\u52a0\u5bc6\u7684\u6d41\u91cf\uff08encrypted payloads\uff09\u3002<\/li>\n<\/ol>\n<p>\u524d\u9762\u4e5f\u7b80\u5355\u63d0\u5230\u8fc7\uff0cDERP \u65e2\u662f\u6211\u4eec\u5728 NAT \u7a7f\u900f\u5931\u8d25\u65f6\u7684\u4fdd\u5e95\u901a\u4fe1\u65b9\u5f0f\uff08\u6b64\u65f6\u7684\u89d2\u8272 \u4e0e TURN \u7c7b\u4f3c\uff09\uff0c\u4e5f\u662f\u5728\u5176\u4ed6\u4e00\u4e9b\u573a\u666f\u4e0b\u5e2e\u52a9\u6211\u4eec\u5b8c\u6210 NAT 
\u7a7f\u900f\u7684\u65c1\u8def\u4fe1\u9053\u3002 \u6362\u53e5\u8bdd\u8bf4\uff0c\u5b83\u65e2\u662f\u6211\u4eec\u7684\u4fdd\u5e95\u65b9\u5f0f\uff0c\u4e5f\u662f\u6709\u66f4\u597d\u7684\u7a7f\u900f\u94fe\u8def\u65f6\uff0c\u5e2e\u52a9\u6211\u4eec\u8fdb\u884c\u8fde\u63a5\u5347 \u7ea7\uff08upgrade to a peer-to-peer connection\uff09\u7684\u57fa\u7840\u8bbe\u65bd\u3002<\/li>\n<\/ol>\n<h2 id=\"63-\u5c0f\u7ed3\">6.3 \u5c0f\u7ed3<\/h2>\n<p>\u6709\u4e86\u201c\u4e2d\u7ee7\u201d\u8fd9\u79cd\u4fdd\u5e95\u65b9\u5f0f\u4e4b\u540e\uff0c\u6211\u4eec\u7a7f\u900f\u7684\u6210\u529f\u7387\u5927\u5927\u589e\u52a0\u4e86\u3002 \u5982\u679c\u6b64\u65f6\u4e0d\u518d\u9605\u8bfb\u672c\u6587\u63a5\u4e0b\u6765\u7684\u5185\u5bb9\uff0c\u800c\u662f\u628a\u4e0a\u9762\u4ecb\u7ecd\u7684\u7a7f\u900f\u65b9\u5f0f\u90fd\u5b9e\u73b0\u4e86\uff0c\u6211\u9884\u8ba1\uff1a<\/p>\n<ul>\n<li>90% \u7684\u60c5\u51b5\u4e0b\uff0c\u4f60\u90fd\u80fd\u5b9e\u73b0\u76f4\u8fde\u7a7f\u900f\uff1b<\/li>\n<li>\u5269\u4e0b\u7684 10% \u91cc\uff0c\u7528\u4e2d\u7ee7\u65b9\u5f0f\u80fd\u7a7f\u900f<strong><mark>\u4e00\u4e9b<\/mark><\/strong>\uff08some\uff09\uff1b<\/li>\n<\/ul>\n<p>\u8fd9\u5df2\u7ecf\u7b97\u662f\u4e00\u4e2a\u201c\u8db3\u591f\u597d\u201d\u7684\u7a7f\u900f\u5b9e\u73b0\u4e86\u3002<\/p>\n<h1 id=\"7-\u7a7f\u900f-nat\u9632\u706b\u5899\u4f01\u4e1a\u7ea7\u6539\u8fdb\">7 \u7a7f\u900f NAT+\u9632\u706b\u5899\uff1a\u4f01\u4e1a\u7ea7\u6539\u8fdb<\/h1>\n<p>\u5982\u679c\u4f60\u5e76\u4e0d\u6ee1\u8db3\u4e8e\u201c\u8db3\u591f\u597d\u201d\uff0c\u90a3\u6211\u4eec\u53ef\u4ee5\u505a\u7684\u4e8b\u60c5\u8fd8\u6709\u5f88\u591a\uff01<\/p>\n<p>\u672c\u8282\u5c06\u4ecb\u7ecd\u4e00\u4e9b\u4e94\u82b1\u516b\u95e8\u7684 tricks\uff0c\u5728\u67d0\u4e9b\u7279\u6b8a\u573a\u666f\u4e0b\u4f1a\u5e2e\u5230\u6211\u4eec\u3002\u5355\u72ec\u4f7f\u7528\u8fd9\u9879\u6280\u672f\u90fd \u65e0\u6cd5\u89e3\u51b3 NAT \u7a7f\u900f\u95ee\u9898\uff0c\u4f46\u5c06\u5b83\u4eec\u5de7\u5999\u5730\u7ec4\u5408\u8d77\u6765\uff0c\u6211\u4eec\u80fd\u66f4\u52a0\u63a5\u8fd1 100% 
\u7684\u7a7f\u900f\u6210\u529f\u7387\u3002<\/p>\n<h2 id=\"71-\u7a7f\u900f-hard-nat\u66b4\u529b\u7aef\u53e3\u626b\u63cf\">7.1 \u7a7f\u900f hard NAT\uff1a\u66b4\u529b\u7aef\u53e3\u626b\u63cf<\/h2>\n<p>\u56de\u5fc6 hard NAT \u4e2d\u9047\u5230\u7684\u95ee\u9898\uff0c\u5982\u4e0b\u56fe\u6240\u793a\uff0c\u5173\u952e\u95ee\u9898\u662f\uff1aeasy NAT \u4e0d\u77e5\u9053\u8be5\u5f80 hard NAT \u65b9\u7684\u54ea\u4e2a\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0\u53d1\u5305\u3002<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-birthday-attack-1\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-birthday-attack-1.png\" width=\"1863\" height=\"564\"><\/p>\n<p>\u4f46<strong><mark>\u5fc5\u987b<\/mark><\/strong>\u8981\u5f80\u6b63\u786e\u7684\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0\u53d1\u5305\uff0c\u624d\u80fd\u7a7f\u900f\u9632\u706b\u5899\uff0c\u5b9e\u73b0\u53cc\u5411\u4e92\u901a\u3002 \u600e\u4e48\u529e\u5462\uff1f<\/p>\n<ol>\n<li>\u9996\u5148\uff0c\u6211\u4eec\u80fd\u77e5\u9053 hard NAT \u7684<strong><mark>\u4e00\u4e9b<\/mark><\/strong>\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\uff0c\u56e0\u4e3a\u6211\u4eec\u6709 STUN \u670d\u52a1\u5668\u3002\u8fd9\u91cc\u5148\u5047\u8bbe\u6211\u4eec\u83b7\u5f97\u7684\u8fd9\u4e9b IP \u5730\u5740\u90fd\u662f\u6b63\u786e\u7684\uff08\u8fd9\u4e00\u70b9\u5e76\u4e0d\u603b\u662f\u6210\u7acb\uff0c\u4f46\u8fd9\u91cc\u5148\u8fd9\u4e48\u5047 \u8bbe\u3002\u800c\u5b9e\u9645\u4e0a\uff0c\u5927\u90e8\u5206\u60c5\u51b5\u4e0b\u8fd9\u4e00\u70b9\u90fd\u662f\u6210\u7acb\u7684\uff0c\u5982\u679c\u5bf9\u6b64\u6709\u5174\u8da3\uff0c\u53ef\u4ee5\u53c2\u8003 REQ-2 in\u00a0<a href=\"https:\/\/tools.ietf.org\/html\/rfc4787\">RFC 4787<\/a>\uff09\u3002<\/li>\n<li>IP \u5730\u5740\u786e\u5b9a\u4e86\uff0c\u5269\u4e0b\u7684\u5c31\u662f\u7aef\u53e3\u4e86\u3002\u603b\u5171\u6709 65535 
\u79cd\u53ef\u80fd\uff0c\u6211\u4eec\u80fd<strong><mark>\u904d\u5386\u8fd9\u4e2a\u7aef\u53e3\u8303\u56f4<\/mark><\/strong>\u5417\uff1f\u5982\u679c\u53d1\u5305\u901f\u5ea6\u662f 100 packets\/s\uff0c\u90a3\u6700\u574f\u60c5\u51b5\u4e0b\uff0c\u9700\u8981\u00a0<strong><mark>10 \u5206\u949f<\/mark><\/strong>\u6765\u627e\u5230\u6b63\u786e\u7684\u7aef\u53e3\u3002 \u8fd8\u662f\u90a3\u53e5\u8bdd\uff0c\u8fd9\u867d\u7136\u4e0d\u662f\u6700\u4f18\u7684\uff0c\u4f46\u603b\u6bd4\u8fde\u4e0d\u4e0a\u597d\u3002\n<p>\u8fd9\u5f88\u50cf\u662f\u7aef\u53e3\u626b\u63cf\uff08\u4e8b\u5b9e\u4e0a\uff0c\u786e\u5b9e\u662f\uff09\uff0c\u5b9e\u9645\u4e2d\u53ef\u80fd\u4f1a\u89e6\u53d1\u5bf9\u65b9\u7684\u7f51\u7edc\u5165\u4fb5\u68c0\u6d4b\u8f6f\u4ef6\u3002<\/li>\n<\/ol>\n<h2 id=\"72-\u57fa\u4e8e\u751f\u65e5\u6096\u8bba\u6539\u8fdb\u66b4\u529b\u626b\u63cfhard-side-\u591a\u5f00\u7aef\u53e3--easy-side-\u968f\u673a\u63a2\u6d4b\">7.2 \u57fa\u4e8e\u751f\u65e5\u6096\u8bba\u6539\u8fdb\u66b4\u529b\u626b\u63cf\uff1ahard side \u591a\u5f00\u7aef\u53e3 + easy side \u968f\u673a\u63a2\u6d4b<\/h2>\n<p>\u5229\u7528\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Birthday_problem\" target=\"_blank\" rel=\"noopener\">birthday paradox<\/a>\u00a0\u7b97\u6cd5\uff0c \u6211\u4eec\u80fd\u5bf9\u7aef\u53e3\u626b\u63cf\u8fdb\u884c\u6539\u8fdb\u3002<\/p>\n<ul>\n<li>\u4e0a\u4e00\u8282\u7684\u57fa\u672c\u524d\u63d0\u662f\uff1ahard side \u53ea\u6253\u5f00\u4e00\u4e2a\u7aef\u53e3\uff0c\u7136\u540e easy side \u66b4\u529b\u626b\u63cf 65535 \u4e2a\u7aef\u53e3\u6765\u5bfb\u627e\u8fd9\u4e2a\u7aef\u53e3\uff1b<\/li>\n<li>\u8fd9\u91cc\u7684\u6539\u8fdb\u662f\uff1a\u5728 hard side \u5f00\u591a\u4e2a\u7aef\u53e3\uff0c\u4f8b\u5982 256 \u4e2a\uff08\u5373\u540c\u65f6\u6253\u5f00 256 \u4e2a socket\uff0c\u76ee\u7684\u5730\u5740\u90fd\u662f easy side \u7684\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\uff09\uff0c \u7136\u540e easy side 
\u968f\u673a\u63a2\u6d4b\u8fd9\u8fb9\u7684\u7aef\u53e3\u3002<\/li>\n<\/ul>\n<p>\u8fd9\u91cc\u7701\u53bb\u7b97\u6cd5\u7684\u6570\u5b66\u6a21\u578b\uff0c\u5982\u679c\u4f60\u5bf9\u5b9e\u73b0\u611f\u5174\u8da3\uff0c\u53ef\u4ee5\u770b\u770b\u6211\u5199\u7684\u00a0<a href=\"https:\/\/github.com\/danderson\/nat-birthday-paradox\" target=\"_blank\" rel=\"noopener\">python calculator<\/a>\u3002 \u8ba1\u7b97\u8fc7\u7a0b\u662f\u201c\u7ecf\u5178\u201d\u751f\u65e5\u6096\u8bba\u7684\u4e00\u4e2a\u5c0f\u53d8\u79cd\u3002 \u4e0b\u9762\u662f\u968f\u7740 easy side random probe \u6b21\u6570\uff08\u5047\u8bbe hard side 256 \u4e2a\u7aef\u53e3\uff09\u7684\u53d8\u5316\uff0c\u4e24\u8fb9\u6253\u5f00\u7684\u7aef\u53e3\u6709\u91cd\u5408\uff08\u5373\u901a\u4fe1\u6210\u529f\uff09\u7684\u6982\u7387\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th>\u968f\u673a\u63a2\u6d4b\u6b21\u6570<\/th>\n<th>\u6210\u529f\u6982\u7387<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>174<\/td>\n<td>50%<\/td>\n<\/tr>\n<tr>\n<td>256<\/td>\n<td>64%<\/td>\n<\/tr>\n<tr>\n<td>1024<\/td>\n<td>98%<\/td>\n<\/tr>\n<tr>\n<td>2048<\/td>\n<td>99.9%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u6839\u636e\u4ee5\u4e0a\u7ed3\u679c\uff0c\u5982\u679c\u8fd8\u662f\u5047\u8bbe 100 ports\/s \u8fd9\u6837\u76f8\u5f53\u6e29\u548c\u7684\u63a2\u6d4b\u901f\u7387\uff0c\u90a3\u00a0<strong><mark>2 \u79d2\u949f\u5c31\u6709\u7ea6 50% \u7684\u6210\u529f\u6982\u7387<\/mark><\/strong>\u3002 \u5373\u4f7f\u975e\u5e38\u4e0d\u8d70\u8fd0\uff0c\u6211\u4eec\u4ecd\u7136\u80fd\u5728\u00a0<strong><mark>20s \u65f6\u51e0\u4e4e 100% \u7a7f\u900f\u6210\u529f<\/mark><\/strong>\uff0c\u800c\u6b64\u65f6<strong><mark>\u53ea\u63a2\u6d4b\u4e86\u603b\u7aef\u53e3\u7a7a\u95f4\u7684 4%<\/mark><\/strong>\u3002<\/p>\n<p>\u975e\u5e38\u597d\uff01\u867d\u7136\u8fd9\u79cd hard NAT \u7ed9\u6211\u4eec\u5e26\u6765\u4e86\u4e25\u91cd\u7684\u7a7f\u900f\u5ef6\u8fdf\uff0c\u4f46\u6700\u7ec8\u7ed3\u679c\u4ecd\u7136\u662f\u6210\u529f\u7684\u3002 \u90a3\u4e48\uff0c\u5982\u679c\u662f\u4e24\u4e2a hard 
NAT\uff0c\u6211\u4eec\u8fd8\u80fd\u5904\u7406\u5417\uff1f<\/p>\n<h2 id=\"73-\u53cc-hard-nat-\u573a\u666f\">7.3 \u53cc hard NAT \u573a\u666f<\/h2>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-birthday-attack-2\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-birthday-attack-2.png\" width=\"1863\" height=\"564\"><\/p>\n<p>\u8fd9\u79cd\u60c5\u51b5\u4e0b\u4ecd\u7136\u53ef\u4ee5\u7528\u524d\u9762\u7684\u00a0<strong><mark>\u591a\u7aef\u53e3+\u968f\u673a\u63a2\u6d4b<\/mark><\/strong>\u00a0\u65b9\u5f0f\uff0c\u4f46\u6210\u529f\u6982\u7387\u8981\u4f4e\u5f88\u591a\u4e86\uff1a<\/p>\n<ul>\n<li>\u6bcf\u6b21\u901a\u8fc7\u4e00\u53f0 hard NAT \u53bb\u63a2\u6d4b\u5bf9\u65b9\u7684\u7aef\u53e3\uff08\u76ee\u7684\u7aef\u53e3\uff09\u65f6\uff0c\u6211\u4eec<strong><mark>\u81ea\u5df1\u540c\u65f6\u4e5f\u751f\u6210\u4e86\u4e00\u4e2a\u968f\u673a\u6e90\u7aef\u53e3<\/mark><\/strong>\uff0c<\/li>\n<li>\u8fd9\u610f\u5473\u7740\u6211\u4eec\u7684\u641c\u7d22\u7a7a\u95f4\u53d8\u6210\u4e86\u4e8c\u7ef4\u00a0<code class=\"language-plaintext highlighter-rouge\">{src port, dst port}<\/code>\u00a0\u5bf9\uff0c\u800c\u4e0d\u518d\u662f\u4e4b\u524d\u7684\u4e00\u7ef4 dst port \u7a7a\u95f4\u3002<\/li>\n<\/ul>\n<p>\u8fd9\u91cc\u6211\u4eec\u4e5f\u4e0d\u5c31\u5177\u4f53\u8ba1\u7b97\u5c55\u5f00\uff0c\u53ea\u544a\u8bc9\u7ed3\u679c\uff1a\u4ecd\u7136<strong><mark>\u5047\u8bbe\u76ee\u7684\u7aef\u6253\u5f00 256 \u4e2a\u7aef\u53e3\uff0c\u4ece\u6e90\u7aef\u53d1\u8d77 2048 \u6b21\uff0820 \u79d2\uff09<\/mark><\/strong>\uff0c \u6210\u529f\u7684\u6982\u7387\u662f\uff1a<strong><mark>0.01%<\/mark><\/strong>\u3002<\/p>\n<p>\u5982\u679c\u4f60\u4e4b\u524d\u5b66\u8fc7\u751f\u65e5\u6096\u8bba\uff0c\u5c31\u5e76\u4e0d\u4f1a\u5bf9\u8fd9\u4e2a\u7ed3\u679c\u611f\u5230\u60ca\u8bb6\u3002\u7406\u8bba\u4e0a\u6765\u8bf4\uff0c<\/p>\n<ul>\n<li>\u8981\u8fbe\u5230\u00a0<strong><mark>99.9% 
\u7684\u6210\u529f\u7387<\/mark><\/strong>\uff0c\u6211\u4eec\u9700\u8981\u4e24\u8fb9\u5404\u8fdb\u884c<strong><mark>170,000 \u6b21<\/mark><\/strong>\u63a2\u6d4b \u2014\u2014 \u5982\u679c\u8fd8\u662f\u4ee5 100 packets\/sec \u7684\u901f\u5ea6\uff0c\u5c31\u9700\u8981\u00a0<strong><mark>28 \u5206\u949f<\/mark><\/strong>\u3002<\/li>\n<li>\u8981\u8fbe\u5230\u00a0<strong><mark>50% \u7684\u6210\u529f\u7387<\/mark><\/strong>\uff0c\u201c\u53ea\u201d\u9700\u8981 54,000 packets\uff0c\u4e5f\u5c31\u662f\u00a0<strong><mark>9 \u5206\u949f<\/mark><\/strong>\u3002<\/li>\n<li>\u5982\u679c\u4e0d\u4f7f\u7528\u751f\u65e5\u6096\u8bba\u65b9\u5f0f\uff0c\u800c\u662f<strong><mark>\u66b4\u529b\u7a77\u4e3e\uff0c\u9700\u8981 1.2 \u5e74\u65f6\u95f4<\/mark><\/strong>\uff01<\/li>\n<\/ul>\n<p><strong><mark>\u5bf9\u4e8e\u67d0\u4e9b\u5e94\u7528\u6765\u8bf4\uff0c28 \u5206\u949f\u53ef\u80fd\u4ecd\u7136\u662f\u4e00\u4e2a\u53ef\u63a5\u53d7\u7684\u65f6\u95f4<\/mark><\/strong>\u3002\u7528\u534a\u4e2a\u5c0f\u65f6\u66b4\u529b\u7a7f\u900f NAT \u4e4b\u540e\uff0c \u8fd9\u4e2a\u8fde\u63a5\u5c31\u53ef\u4ee5\u4e00\u76f4\u7528\u7740 \u2014\u2014 \u9664\u975e NAT \u8bbe\u5907\u91cd\u542f\uff0c\u90a3\u6837\u5c31\u9700\u8981\u518d\u6b21\u82b1\u534a\u4e2a\u5c0f\u65f6\u7a7f\u900f\u5efa\u4e2a\u65b0\u8fde\u63a5\u3002\u4f46\u5bf9\u4e8e\u4ea4\u4e92\u5f0f\u5e94\u7528\u6765\u8bf4\uff0c\u8fd9\u6837\u663e\u7136\u662f\u4e0d\u53ef\u63a5\u53d7\u7684\u3002<\/p>\n<p>\u66f4\u7cdf\u7cd5\u7684\u662f\uff0c\u5982\u679c\u53bb\u770b\u5e38\u89c1\u7684\u529e\u516c\u7f51\u8def\u7531\u5668\uff0c\u4f60\u4f1a\u9707\u60ca\u4e8e\u5b83\u7684 active session limit \u6709\u591a\u4e48\u4f4e\u3002 \u4f8b\u5982\uff0c\u4e00\u53f0 Juniper SRX 300\u00a0<strong><mark>\u6700\u591a\u652f\u6301 64,000 active sessions<\/mark><\/strong>\u3002 
\u4e5f\u5c31\u662f\u8bf4\uff0c<\/p>\n<ul>\n<li>\u5982\u679c\u6211\u4eec\u60f3\u521b\u5efa<strong><mark>\u4e00\u4e2a<\/mark><\/strong>\u6210\u529f\u7684\u7a7f\u900f\u8fde\u63a5\uff0c<strong><mark>\u5c31\u4f1a\u628a\u5b83\u7684\u6574\u5f20 session \u8868\u6253\u7206<\/mark><\/strong>\u00a0\uff08\u56e0\u4e3a\u6211\u4eec\u8981\u66b4\u529b\u63a2\u6d4b 65535 \u4e2a\u7aef\u53e3\uff0c\u6bcf\u6b21\u63a2\u6d4b\u90fd\u662f\u4e00\u6761\u65b0\u8fde\u63a5\u8bb0\u5f55\uff09\uff01 \u8fd9\u663e\u7136\u8981\u6c42\u8fd9\u53f0\u8def\u7531\u5668\u80fd<strong><mark>\u4ece\u5bb9\u4f18\u96c5\u5730\u5904\u7406\u8fc7\u8f7d\u7684\u60c5\u51b5<\/mark><\/strong>\u3002<\/li>\n<li>\u8fd9\u53ea\u662f\u521b\u5efa\u4e00\u6761\u8fde\u63a5\u5e26\u6765\u7684\u5f71\u54cd\uff01\u5982\u679c 20 \u53f0\u673a\u5668\u540c\u65f6\u5bf9\u8fd9\u53f0\u8def\u7531\u5668\u53d1\u8d77\u7a7f\u900f\u5462\uff1f<strong><mark>\u7edd\u5bf9\u7684\u707e\u96be\uff01<\/mark><\/strong><\/li>\n<\/ul>\n<p>\u81f3\u6b64\uff0c\u6211\u4eec\u901a\u8fc7\u8fd9\u79cd\u65b9\u5f0f\u7a7f\u900f\u4e86\u6bd4\u4e4b\u524d\u66f4\u96be\u4e00\u4e9b\u7684\u7f51\u7edc\u62d3\u6251\u3002\u8fd9\u662f\u4e00\u4e2a\u5f88\u5927\u7684\u6210\u5c31\uff0c\u56e0\u4e3a\u00a0<strong><mark>\u5bb6\u7528\u8def\u7531\u5668\u4e00\u822c\u90fd\u662f easy NAT\uff0chard NAT \u4e00\u822c\u90fd\u662f\u529e\u516c\u7f51\u8def\u7531\u5668\u6216\u4e91 NAT \u7f51\u5173<\/mark><\/strong>\u3002 \u8fd9\u610f\u5473\u7740\u8fd9\u79cd\u65b9\u5f0f\u80fd\u5e2e\u6211\u4eec\u89e3\u51b3<\/p>\n<ul>\n<li>home-to-office\uff08\u5bb6-&gt;\u529e\u516c\u5ba4\uff09<\/li>\n<li>home-to-cloud \uff08\u5bb6-&gt;\u4e91\uff09<\/li>\n<\/ul>\n<p>\u7684\u573a\u666f\uff0c\u4ee5\u53ca\u4e00\u90e8\u5206<\/p>\n<ul>\n<li>office-to-cloud \uff08\u529e\u516c\u5ba4-&gt;\u4e91\uff09<\/li>\n<li>cloud-to-cloud \uff08\u4e91-&gt;\u4e91\uff09<\/li>\n<\/ul>\n<p>\u573a\u666f\u3002<\/p>\n<h2 id=\"74-\u63a7\u5236\u7aef\u53e3\u6620\u5c04port-mapping\u8fc7\u7a0bupnpnat-pmppcp-\u534f\u8bae\">7.4 
\u63a7\u5236\u7aef\u53e3\u6620\u5c04\uff08port mapping\uff09\u8fc7\u7a0b\uff1aUPnP\/NAT-PMP\/PCP \u534f\u8bae<\/h2>\n<p>\u5982\u679c\u6211\u4eec\u80fd<strong><mark>\u8ba9 NAT \u8bbe\u5907\u7684\u884c\u4e3a\u7b80\u5355\u70b9<\/mark><\/strong>\uff0c\u4e0d\u8981\u628a\u4e8b\u60c5\u641e\u8fd9\u4e48\u590d\u6742\uff0c\u90a3\u5efa\u7acb\u8fde\u63a5\uff08\u7a7f\u900f\uff09\u5c31\u4f1a\u7b80\u5355\u5f88\u591a\u3002\u771f\u6709\u8fd9\u6837\u7684\u597d\u4e8b\u5417\uff1f\u8fd8\u771f\u6709\uff0c\u6709\u4e13\u95e8\u7684\u4e00\u79cd\u534f\u8bae\u53eb\u00a0<strong><mark>\u7aef\u53e3\u6620\u5c04\u534f\u8bae<\/mark><\/strong>\uff08port mapping protocols\uff09\u3002\u901a\u8fc7\u8fd9\u79cd\u534f\u8bae\u7981\u7528\u6389\u524d\u9762\u9047\u5230\u7684\u90a3\u4e9b\u4e71\u4e03\u516b\u7cdf\u7684\u4e1c\u897f\u4e4b\u540e\uff0c\u6211\u4eec\u5c06\u5f97\u5230\u4e00\u4e2a\u975e\u5e38\u7b80\u5355\u7684\u201c\u8bf7\u6c42-\u54cd\u5e94\u201d\u3002<\/p>\n<p>\u4e0b\u9762\u662f\u4e09\u4e2a\u5177\u4f53\u7684\u7aef\u53e3\u6620\u5c04\u534f\u8bae\uff1a<\/p>\n<ol>\n<li><a href=\"https:\/\/openconnectivity.org\/developer\/specifications\/upnp-resources\/upnp\/internet-gateway-device-igd-v-2-0\/\" target=\"_blank\" rel=\"noopener\">UPnP IGD<\/a>\u00a0(Universal Plug\u2019n\u2019Play Internet Gateway Device)\uff1a\u6700\u8001\u7684\u7aef\u53e3\u63a7\u5236\u534f\u8bae\uff0c \u8bde\u751f\u4e8e 1990s \u665a\u671f\uff0c\u56e0\u6b64\u4f7f\u7528\u4e86\u5f88\u591a\u4e0a\u4e16\u7eaa 90 \u5e74\u4ee3\u7684\u6280\u672f \uff08XML\u3001SOAP\u3001<strong><mark>multicast HTTP over UDP \u2014\u2014 \u5bf9\uff0cHTTP over UDP<\/mark><\/strong>\u00a0\uff09\uff0c\u800c\u4e14\u5f88\u96be\u51c6\u786e\u548c\u5b89\u5168\u5730\u5b9e\u73b0\u8fd9\u4e2a\u534f\u8bae\u3002\u4f46\u4ee5\u524d\u5f88\u591a\u8def\u7531\u5668\u90fd\u5185\u7f6e\u4e86 UPnP \u534f\u8bae\uff0c \u73b0\u5728\u4ecd\u7136\u5f88\u591a\u3002\n<p>\u8bf7\u6c42\u548c\u54cd\u5e94\uff1a<\/p>\n<ul>\n<li>\u201c\u4f60\u597d\uff0c\u8bf7\u5c06\u6211\u7684\u00a0<code 
class=\"language-plaintext highlighter-rouge\">lan-ip:port<\/code>\u00a0\u8f6c\u53d1\u5230\u516c\u7f51\uff08WAN\uff09\u201d\uff0c<\/li>\n<li>\u201c\u597d\u7684\uff0c\u6211\u5df2\u7ecf\u4e3a\u4f60\u5206\u914d\u4e86\u4e00\u4e2a\u516c\u7f51\u6620\u5c04\u00a0<code class=\"language-plaintext highlighter-rouge\">wan-ip:port<\/code>\u00a0\u201d\u3002<\/li>\n<\/ul>\n<\/li>\n<li>NAT-PMPUPnP IGD \u51fa\u6765\u51e0\u5e74\u4e4b\u540e\uff0cApple \u63a8\u51fa\u4e86\u4e00\u4e2a\u529f\u80fd\u7c7b\u4f3c\u7684\u534f\u8bae\uff0c\u540d\u4e3a\u00a0<a href=\"https:\/\/tools.ietf.org\/html\/rfc6886\" target=\"_blank\" rel=\"noopener\">NAT-PMP<\/a>\u00a0(NAT Port Mapping Protocol)\u3002\n<p>\u4f46\u4e0e UPnP \u4e0d\u540c\uff0c\u8fd9\u4e2a\u534f\u8bae<strong><mark>\u53ea<\/mark><\/strong>\u505a\u7aef\u53e3\u8f6c\u53d1\uff0c\u4e0d\u7ba1\u662f\u5728\u5ba2\u6237\u7aef\u8fd8\u662f\u670d\u52a1\u7aef\uff0c\u5b9e\u73b0\u8d77\u6765\u90fd\u975e\u5e38\u7b80\u5355\u3002<\/li>\n<li>PCP\u7a0d\u540e\u4e00\u70b9\uff0c\u53c8\u51fa\u73b0\u4e86 NAT-PMP v2 \u7248\uff0c\u5e76\u8d77\u4e86\u4e2a\u65b0\u540d\u5b57<a href=\"https:\/\/tools.ietf.org\/html\/rfc6887\" target=\"_blank\" rel=\"noopener\">PCP<\/a>\u00a0(Port Control Protocol)\u3002<\/li>\n<\/ol>\n<p>\u56e0\u6b64\u8981\u66f4\u597d\u5730\u5b9e\u73b0\u7a7f\u900f\uff0c\u53ef\u4ee5<\/p>\n<ol>\n<li><strong><mark>\u5148\u5224\u65ad\u672c\u5730\u7684\u9ed8\u8ba4\u7f51\u5173\u4e0a\u662f\u5426\u542f\u7528\u4e86 UPnP IGD, NAT-PMP and PCP<\/mark><\/strong>\uff0c<\/li>\n<li>\u5982\u679c\u63a2\u6d4b\u53d1\u73b0\u5176\u4e2d\u4efb\u4f55\u4e00\u79cd\u534f\u8bae\u6709\u54cd\u5e94\uff0c\u6211\u4eec\u5c31<strong><mark>\u7533\u8bf7\u4e00\u4e2a\u516c\u7f51\u7aef\u53e3\u6620\u5c04<\/mark><\/strong>\uff0c\u53ef\u4ee5\u5c06\u8fd9\u7406\u89e3\u4e3a\u4e00\u4e2a<strong><mark>\u52a0\u5f3a\u7248 STUN<\/mark><\/strong>\uff1a\u6211\u4eec\u4e0d\u4ec5\u80fd\u53d1\u73b0\u81ea\u5df1\u7684\u516c\u7f51\u00a0<code class=\"language-plaintext 
highlighter-rouge\">ip:port<\/code>\uff0c\u800c\u4e14\u80fd\u6307\u793a\u6211\u4eec\u7684 NAT \u8bbe\u5907\u5bf9\u6211\u4eec\u7684\u901a\u4fe1\u5bf9\u7aef\u53cb\u597d\u4e00\u4e9b \u2014\u2014 \u4f46\u5e76\u4e0d\u662f\u4e3a\u8fd9\u4e2a\u7aef\u53e3\u4fee\u6539\u6216\u6dfb\u52a0\u9632\u706b\u5899\u89c4\u5219\u3002<\/li>\n<li>\u63a5\u4e0b\u6765\uff0c\u4efb\u4f55\u5230\u8fbe\u6211\u4eec NAT \u8bbe\u5907\u7684\u3001\u5730\u5740\u662f\u6211\u4eec\u7533\u8bf7\u7684\u7aef\u53e3\u7684\u5305\uff0c\u90fd\u4f1a\u88ab\u8bbe\u5907\u8f6c\u53d1\u5230\u6211\u4eec\u3002<\/li>\n<\/ol>\n<p>\u4f46\u6211\u4eec<strong><mark>\u4e0d\u80fd\u5047\u8bbe\u8fd9\u4e2a\u534f\u8bae\u4e00\u5b9a\u53ef\u7528<\/mark><\/strong>\uff1a<\/p>\n<ol>\n<li>\u672c\u5730 NAT \u8bbe\u5907\u53ef\u80fd\u4e0d\u652f\u6301\u8fd9\u4e2a\u534f\u8bae\uff1b<\/li>\n<li>\u8bbe\u5907\u652f\u6301\u4f46\u9ed8\u8ba4\u7981\u7528\u4e86\uff0c\u6216\u8005\u6ca1\u4eba\u77e5\u9053\u8fd8\u6709\u8fd9\u4e48\u4e2a\u529f\u80fd\uff0c\u56e0\u6b64\u4ece\u6765\u6ca1\u5f00\u8fc7\uff1b<\/li>\n<li>\u5b89\u5168\u7b56\u7565\u8981\u6c42\u5173\u95ed\u8fd9\u4e2a\u7279\u6027\u3002\u8fd9\u4e00\u70b9\u975e\u5e38\u5e38\u89c1\uff0c\u56e0\u4e3a UPnP \u534f\u8bae\u66fe\u66dd\u51fa\u4e00\u4e9b\u9ad8\u5371\u6f0f\u6d1e\uff08\u540e\u9762\u90fd\u4fee\u590d\u4e86\uff0c\u56e0\u6b64\u5982\u679c\u662f\u8f83\u65b0\u7684\u8bbe\u5907\uff0c\u53ef\u4ee5\u5b89\u5168\u5730\u4f7f\u7528 UPnP \u2014\u2014 \u5982\u679c\u5b9e\u73b0\u6ca1\u95ee\u9898\uff09\u3002 \u4e0d\u5e78\u7684\u662f\uff0c\u67d0\u4e9b\u8bbe\u5907\u7684\u914d\u7f6e\u4e2d\uff0cUPnP, NAT-PMP\uff0cPCP \u662f\u653e\u5728\u4e00\u4e2a\u5f00\u5173\u91cc\u7684\uff08\u53ef\u80fd \u7edf\u79f0\u4e3a \u201cUPnP\u201d \u529f\u80fd\uff09\uff0c\u4e00\u5f00\u5168\u5f00\uff0c\u4e00\u5173\u5168\u5173\u3002\u56e0\u6b64\u5982\u679c\u6709\u4eba\u62c5\u5fc3 UPnP \u7684\u5b89\u5168\u6027\uff0c\u4ed6\u8fde\u53e6 
\u5916\u4e24\u4e2a\u4e5f\u7528\u4e0d\u4e86\u3002<\/li>\n<\/ol>\n<p>\u6700\u540e\uff0c\u7ec8\u5f52\u6765\u8bf4\uff0c<strong><mark>\u53ea\u8981\u8fd9\u79cd\u534f\u8bae\u53ef\u7528\uff0c\u5c31\u80fd\u6709\u6548\u5730\u51cf\u5c11\u4e00\u6b21 NAT<\/mark><\/strong>\uff0c\u5927\u5927\u65b9\u4fbf\u5efa\u8fde\u8fc7\u7a0b\u3002 \u4f46\u63a5\u4e0b\u6765\u770b\u4e00\u4e9b\u4e0d\u5e38\u89c1\u7684\u573a\u666f\u3002<\/p>\n<h2 id=\"75-\u591a-nat-\u534f\u5546negotiating-numerous-nats\">7.5 \u591a NAT \u534f\u5546\uff08Negotiating numerous NATs\uff09<\/h2>\n<p>\u76ee\u524d\u4e3a\u6b62\uff0c\u6211\u4eec\u770b\u5230\u7684\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u7aef\u90fd\u5404\u53ea\u6709\u4e00\u4e2a NAT \u8bbe\u5907\u3002\u5982\u679c\u6709\u591a\u4e2a NAT \u8bbe\u5907\u4f1a \u600e\u4e48\u6837\uff1f\u4f8b\u5982\u4e0b\u9762\u8fd9\u79cd\u62d3\u6251\uff1a<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-multiple-layers\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-multiple-layers.png\" width=\"1878\" height=\"659\"><\/p>\n<p>\u8fd9\u4e2a\u4f8b\u5b50\u6bd4\u8f83\u7b80\u5355\uff0c\u4e0d\u4f1a\u7ed9\u7a7f\u900f\u5e26\u6765\u592a\u5927\u95ee\u9898\u3002\u5305\u4ece\u5ba2\u6237\u7aef A\u00a0<strong><mark>\u7ecf\u8fc7\u591a\u6b21 NAT<\/mark><\/strong>\u00a0\u5230\u8fbe\u516c\u7f51\u7684\u8fc7\u7a0b\uff0c\u4e0e\u524d\u9762\u5206\u6790\u7684<strong><mark>\u7a7f\u8fc7\u591a\u5c42\u6709\u72b6\u6001\u9632\u706b\u5899<\/mark><\/strong>\u662f\u4e00\u6837\u7684\uff1a<\/p>\n<ul>\n<li>\u989d\u5916\u7684\u8fd9\u5c42\uff08NAT \u8bbe\u5907\uff09<strong><mark>\u5bf9\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u7aef\u6765\u8bf4\u90fd\u4e0d\u53ef\u89c1<\/mark><\/strong>\uff0c\u6211\u4eec\u7684\u7a7f 
\u900f\u6280\u672f\u4e5f\u4e0d\u5173\u5fc3\u4e2d\u95f4\u5230\u5e95\u7ecf\u8fc7\u4e86\u591a\u5c11\u5c42\u8bbe\u5907\u3002<\/li>\n<li><strong><mark>\u771f\u6b63\u6709\u5f71\u54cd\u7684\u5176\u5b9e\u53ea\u662f\u6700\u540e\u4e00\u5c42\u8bbe\u5907<\/mark><\/strong>\uff0c\u56e0\u4e3a\u5bf9\u7aef\u9700\u8981\u5728\u8fd9\u4e00\u5c42\u8bbe\u5907\u4e0a\u627e\u5230\u5165\u53e3\u8ba9\u5305\u8fdb\u6765\u3002<\/li>\n<\/ul>\n<p>\u5177\u4f53\u6765\u8bf4\uff0c\u771f\u6b63\u6709\u5f71\u54cd\u7684\u662f\u7aef\u53e3\u8f6c\u53d1\u534f\u8bae\u3002<\/p>\n<ol>\n<li>\u5ba2\u6237\u7aef\u4f7f\u7528\u8fd9\u79cd\u534f\u8bae\u5206\u914d\u7aef\u53e3\u65f6\uff0c\u4e3a\u6211\u4eec\u5206\u914d\u7aef\u53e3\u7684\u662f\u6700\u9760\u8fd1\u5ba2\u6237\u7aef\u7684\u8fd9\u5c42 NAT \u8bbe\u5907\uff1b<\/li>\n<li>\u800c\u6211\u4eec\u671f\u671b\u7684\u662f\u8ba9\u79bb\u5ba2\u6237\u7aef\u6700\u8fdc\u7684\u90a3\u5c42 NAT \u6765\u5206\u914d\uff0c\u5426\u5219\u6211\u4eec\u5f97\u5230\u7684\u5c31\u662f\u4e00\u4e2a\u7f51\u7edc\u4e2d\u95f4\u5c42\u5206\u914d\u7684\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\uff0c\u5bf9\u7aef\u662f\u7528\u4e0d\u4e86\u7684\uff1b<\/li>\n<li>\u4e0d\u5e78\u7684\u662f\uff0c<strong><mark>\u8fd9\u51e0\u79cd\u534f\u8bae\u90fd\u4e0d\u80fd\u9012\u5f52\u5730<\/mark><\/strong>\u544a\u8bc9\u6211\u4eec\u4e0b\u4e00\u5c42 NAT \u8bbe\u5907\u5728\u54ea\u91cc \u2014\u2014 \u867d\u7136\u53ef\u4ee5\u7528 traceroute \u4e4b\u7c7b\u7684\u5de5\u5177\u6765\u63a2\u6d4b\u7f51\u7edc\u8def\u5f84\uff0c\u518d\u52a0\u4e0a\u731c\u8def\u4e0a\u7684\u8bbe\u5907\u662f\u4e0d\u662f NAT \u8bbe\u5907\uff08\u5c1d\u8bd5\u53d1\u9001 NAT \u8bf7\u6c42\uff09 \u2014\u2014 \u4f46\u8fd9\u4e2a\u5c31\u770b\u8fd0\u6c14\u4e86\u3002<\/li>\n<\/ol>\n<p>\u8fd9\u5c31\u662f\u4e3a\u4ec0\u4e48\u4e92\u8054\u7f51\u4e0a\u5145\u65a5\u7740\u5927\u91cf\u7684\u6587\u7ae0\u8bf4\u00a0<strong><mark>double-NAT \u6709\u591a\u7cdf\u7cd5<\/mark><\/strong>\uff0c\u4ee5 
\u53ca\u8b66\u544a\u7528\u6237\u4e3a\u4fdd\u6301\u540e\u5411\u517c\u5bb9\u4e0d\u8981\u4f7f\u7528 double-NAT\u3002\u4f46\u5b9e\u9645\u4e0a\uff0cdouble-NAT\u00a0<strong><mark>\u5bf9\u4e8e\u7edd\u5927\u90e8\u5206 \u4e92\u8054\u7f51\u5e94\u7528\u6765\u8bf4\u90fd\u662f\u4e0d\u53ef\u89c1\u7684\uff08\u900f\u660e\u7684\uff09<\/mark><\/strong>\uff0c\u56e0\u4e3a\u5927\u90e8\u5206\u5e94\u7528\u5e76\u4e0d\u9700\u8981\u4e3b\u52a8\u5730\u505a\u8fd9\u79cd NAT \u7a7f \u900f\u3002<\/p>\n<p>\u4f46\u6211\u4e5f\u7edd\u4e0d\u662f\u5728\u5efa\u8bae\u4f60\u5728\u81ea\u5df1\u7684\u7f51\u7edc\u4e2d\u8bbe\u7f6e double-NAT\u3002<\/p>\n<ol>\n<li>\u7834\u574f\u4e86\u7aef\u53e3\u6620\u5c04\u534f\u8bae\u4e4b\u540e\uff0c\u67d0\u4e9b\u89c6\u9891\u6e38\u620f\u7684\u591a\u4eba\uff08multiplayer\uff09\u6a21\u5f0f\u5c31\u4f1a\u65e0\u6cd5\u4f7f\u7528\uff0c<\/li>\n<li>\u4e5f\u53ef\u80fd\u4f1a\u4f7f\u4f60\u7684 IPv6 \u7f51\u7edc\u65e0\u6cd5\u6d3e\u4e0a\u7528\u573a\uff0c\u540e\u8005\u662f\u4e0d\u7528 NAT \u5c31\u80fd\u53cc\u5411\u76f4\u8fde\u7684\u4e00\u4e2a\u597d\u65b9\u6848\u3002<\/li>\n<\/ol>\n<p>\u4f46\u5982\u679c double-NAT \u5e76\u4e0d\u662f\u4f60\u80fd\u63a7\u5236\u7684\uff0c\u90a3\u9664\u4e86\u4e0d\u80fd\u7528\u5230\u8fd9\u79cd\u7aef\u53e3\u6620\u5c04\u534f\u8bae\u4e4b\u5916\uff0c\u5176\u4ed6\u5927\u90e8\u5206\u4e1c\u897f\u90fd\u662f\u4e0d\u53d7\u5f71\u54cd\u7684\u3002<\/p>\n<p>double-NAT \u7684\u6545\u4e8b\u5230\u8fd9\u91cc\u5c31\u7ed3\u675f\u4e86\u5417\uff1f\u2014\u2014 \u5e76\u6ca1\u6709\uff0c\u800c\u4e14\u66f4\u5927\u578b\u7684 double-NAT \u573a\u666f\u5c06\u5c55\u73b0\u5728\u6211\u4eec\u9762\u524d\u3002<\/p>\n<h2 id=\"76-\u8fd0\u8425\u5546\u7ea7-nat-\u5e26\u6765\u7684\u95ee\u9898\">7.6 \u8fd0\u8425\u5546\u7ea7 NAT \u5e26\u6765\u7684\u95ee\u9898<\/h2>\n<p>\u5373\u4f7f\u7528 NAT \u6765\u89e3\u51b3 IPv4 \u5730\u5740\u4e0d\u591f\u7684\u95ee\u9898\uff0c\u5730\u5740\u4ecd\u7136\u662f\u4e0d\u591f\u7528\u7684\uff0cISP\uff08\u4e92\u8054\u7f51\u670d\u52a1\u63d0\u4f9b\u5546\uff09 \u663e\u7136 
\u65e0\u6cd5\u4e3a\u6bcf\u4e2a\u5bb6\u5ead\u90fd\u5206\u914d\u4e00\u4e2a\u516c\u7f51 IP \u5730\u5740\u3002\u90a3\u600e\u4e48\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\u5462\uff1fISP \u7684\u505a\u6cd5\u662f<strong><mark>\u4e0d\u591f\u4e86\u5c31\u518d\u5d4c\u5957\u4e00\u5c42 NAT<\/mark><\/strong>\uff1a<\/p>\n<ol>\n<li>\u5bb6\u7528\u8def\u7531\u5668\u5c06\u4f60\u7684\u5ba2\u6237\u7aef SNAT \u5230\u4e00\u4e2a \u201cintermediate\u201d IP \u7136\u540e\u53d1\u9001\u5230\u8fd0\u8425\u5546\u7f51\u7edc\uff0c<\/li>\n<li>ISP\u2019s network \u4e2d\u7684 NAT \u8bbe\u5907\u518d\u5c06\u8fd9\u4e9b intermediate IPs \u6620\u5c04\u5230\u5c11\u91cf\u7684\u516c\u7f51 IP\u3002<\/li>\n<\/ol>\n<p>\u540e\u9762\u8fd9\u79cd NAT \u5c31\u79f0\u4e3a\u201c\u8fd0\u8425\u5546\u7ea7 NAT\u201d\uff08<strong><mark>carrier-grade NAT<\/mark><\/strong>\uff0c\u6216\u79f0\u7535\u4fe1\u7ea7 NAT\uff09\uff0c\u7f29\u5199 CGNAT\u3002\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-cgnat-1\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-cgnat-1.png\" width=\"1934\" height=\"894\"><\/p>\n<p>CGNAT \u5bf9 NAT \u7a7f\u900f\u6765\u8bf4\u662f\u4e00\u4e2a\u5927\u9ebb\u70e6\u3002<\/p>\n<ul>\n<li>\u5728\u6b64\u4e4b\u524d\uff0c\u529e\u516c\u7f51\u7528\u6237\u8981\u5feb\u901f\u5b9e\u73b0 NAT \u7a7f\u900f\uff0c\u53ea\u9700\u5728\u4ed6\u4eec\u7684\u8def\u7531\u5668\u4e0a\u624b\u52a8\u8bbe\u7f6e\u7aef\u53e3\u6620\u5c04\u5c31\u884c\u4e86\u3002<\/li>\n<li>\u4f46\u6709\u4e86 CGNAT \u4e4b\u540e\u5c31\u4e0d\u7ba1\u7528\u4e86\uff0c\u56e0\u4e3a\u4f60\u65e0\u6cd5\u63a7\u5236\u8fd0\u8425\u5546\u7684 CGNAT\uff01<\/li>\n<\/ul>\n<p>\u597d\u6d88\u606f\u662f\uff1a\u8fd9\u5176\u5b9e\u662f double-NAT \u7684\u4e00\u4e2a\u5c0f\u53d8\u79cd\uff0c\u56e0\u6b64\u524d\u9762\u4ecb\u7ecd\u7684\u89e3\u51b3\u65b9\u5f0f\u5927\u90e8\u5206\u8fd8\u4ecd\u7136\u662f\u9002\u7528\u7684\u3002 
\u67d0\u4e9b\u4e1c\u897f\u53ef\u80fd\u4f1a\u65e0\u6cd5\u6309\u9884\u671f\u5de5\u4f5c\uff0c\u4f46\u53ea\u8981\u80af\u7ed9 ISP \u4ea4\u94b1\uff0c\u8fd9\u4e9b\u4e5f\u90fd\u80fd\u89e3\u51b3\u3002 \u9664\u4e86 port mapping protocols\uff0c\u5176\u4ed6\u6211\u4eec\u5df2\u7ecf\u4ecb\u7ecd\u7684\u6240\u6709\u4e1c\u897f\u5728 CGNAT \u91cc\u90fd\u662f\u9002\u7528\u7684\u3002<\/p>\n<h3 id=\"\u65b0\u6311\u6218\u540c\u4e00-cgnat-\u4fa7\u76f4\u8fdestun-\u4e0d\u53ef\u7528\">\u65b0\u6311\u6218\uff1a\u540c\u4e00 CGNAT \u4fa7\u76f4\u8fde\uff0cSTUN \u4e0d\u53ef\u7528<\/h3>\n<p>\u4f46\u6211\u4eec\u786e\u5b9e\u9047\u5230\u4e86\u4e00\u4e2a\u65b0\u6311\u6218\uff1a\u5982\u4f55\u76f4\u8fde\u4e24\u4e2a\u5728\u540c\u4e00 CGNAT \u4f46\u4e0d\u540c\u5bb6\u7528\u8def\u7531\u5668\u4e2d\u7684\u5bf9\u7aef\u5462\uff1f\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-cgnat-2\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-cgnat-2.png\" width=\"1929\" height=\"879\"><\/p>\n<p><strong><mark>\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0cSTUN \u5c31\u65e0\u6cd5\u6b63\u5e38\u5de5\u4f5c\u4e86<\/mark><\/strong>\uff1aSTUN \u770b\u5230\u7684\u662f\u5ba2\u6237\u7aef\u5728\u516c\u7f51\uff08CGNAT \u540e\u9762\uff09\u770b\u5230\u7684\u5730\u5740\uff0c \u800c\u6211\u4eec\u60f3\u83b7\u5f97\u7684\u662f\u5728 \u201cmiddle network\u201d \u4e2d\u7684\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\uff0c\u8fd9\u624d\u662f\u5bf9\u7aef\u771f\u6b63\u9700\u8981\u7684\u5730\u5740\uff0c<\/p>\n<h3 
id=\"\u89e3\u51b3\u65b9\u6848\u5982\u679c\u7aef\u53e3\u6620\u5c04\u534f\u8bae\u80fd\u7528\u4e00\u7aef\u505a\u7aef\u53e3\u6620\u5c04\">\u89e3\u51b3\u65b9\u6848\uff1a\u5982\u679c\u7aef\u53e3\u6620\u5c04\u534f\u8bae\u80fd\u7528\uff1a\u4e00\u7aef\u505a\u7aef\u53e3\u6620\u5c04<\/h3>\n<p>\u600e\u4e48\u529e\u5462\uff1f<\/p>\n<p>\u5982\u679c\u4f60\u60f3\u5230\u4e86\u7aef\u53e3\u6620\u5c04\u534f\u8bae\uff0c\u90a3\u606d\u559c\uff0c\u7b54\u5bf9\u4e86\uff01<strong><mark>\u5982\u679c peer \u4e2d\u4efb\u4f55\u4e00\u4e2a NAT \u652f\u6301\u7aef\u53e3\u6620\u5c04\u534f\u8bae<\/mark><\/strong>\uff0c \u5bf9\u6211\u4eec\u5c31\u80fd\u5b9e\u73b0\u7a7f\u900f\uff0c\u56e0\u4e3a\u5b83\u5206\u914d\u7684\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0\u6b63\u662f\u5bf9\u7aef\u6240\u9700\u8981\u7684\u4fe1\u606f\u3002<\/p>\n<p>\u8fd9\u91cc\u8bbd\u523a\u7684\u662f\uff1adouble-NAT\uff08\u6307 CGNAT\uff09\u7834\u574f\u4e86\u7aef\u53e3\u6620\u5c04\u534f\u8bae\uff0c\u4f46\u5728\u8fd9\u91cc\u53c8\u6551\u4e86\u6211\u4eec\uff01 \u5f53\u7136\uff0c\u6211\u4eec\u5047\u8bbe\u8fd9\u4e9b\u534f\u8bae\u4e00\u5b9a\u53ef\u7528\uff0c\u56e0\u4e3a CGNAT ISP \u503e\u5411\u4e8e\u5728\u5b83\u4eec\u7684\u5bb6\u7528\u8def\u7531\u5668\u4fa7\u5173\u95ed \u8fd9\u4e9b\u529f\u80fd\uff0c\u4ee5\u907f\u514d\u8f6f\u4ef6\u5f97\u5230\u201c\u9519\u8bef\u7684\u201d\u7ed3\u679c\uff0c\u4ea7\u751f\u6df7\u6dc6\u3002<\/p>\n<h3 id=\"\u89e3\u51b3\u65b9\u6848\u5982\u679c\u7aef\u53e3\u6620\u5c04\u534f\u8bae\u4e0d\u80fd\u7528nat-hairpin-\u6a21\u5f0f\">\u89e3\u51b3\u65b9\u6848\uff1a\u5982\u679c\u7aef\u53e3\u6620\u5c04\u534f\u8bae\u4e0d\u80fd\u7528\uff1aNAT hairpin \u6a21\u5f0f<\/h3>\n<p>\u5982\u679c\u4e0d\u8d70\u8fd0\uff0cNAT \u4e0a\u6ca1\u6709\u7aef\u53e3\u6620\u5c04\u529f\u80fd\u600e\u4e48\u529e\uff1f<\/p>\n<p>\u8ba9\u6211\u4eec\u56de\u5230\u57fa\u4e8e STUN \u7684\u6280\u672f\uff0c\u770b\u4f1a\u53d1\u751f\u4ec0\u4e48\u3002\u4e24\u7aef\u5728 CGNAT \u7684\u540c\u4e00\u4fa7\uff0c\u5047\u8bbe STUN 
\u544a\u8bc9\u6211\u4eec A \u7684\u5730\u5740\u662f\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:1234<\/code>\uff0cB \u7684\u5730\u5740\u662f\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:5678<\/code>\u3002<\/p>\n<p>\u90a3\u4e48\u63a5\u4e0b\u6765\u7684\u95ee\u9898\u662f\uff1a\u5982\u679c A \u5411\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:5678<\/code>\u00a0\u53d1\u5305\u4f1a\u600e\u4e48\u6837\uff1f\u671f\u671b\u7684 CGNAT \u884c\u4e3a\u662f\uff1a<\/p>\n<ol>\n<li>\u6267\u884c A \u7684 NAT \u6620\u5c04\u89c4\u5219\uff0c\u5373\u5bf9\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:1234 -&gt; 2.2.2.2:5678<\/code>\u00a0\u8fdb\u884c SNAT\u3002<\/li>\n<li>\u6ce8\u610f\u5230\u76ee\u7684\u5730\u5740\u00a0<code class=\"language-plaintext highlighter-rouge\">2.2.2.2:5678<\/code>\u00a0\u5339\u914d\u5230\u7684\u662f B \u7684\u5165\u5411 NAT \u6620\u5c04\uff0c\u56e0\u6b64\u63a5\u7740\u5bf9\u8fd9\u4e2a\u5305\u6267\u884c DNAT\uff0c\u5c06\u76ee\u7684 IP \u6539\u6210 B \u7684\u79c1\u6709\u5730\u5740\u3002<\/li>\n<li>\u901a\u8fc7 CGNAT \u7684 internal \u63a5\u53e3\uff08\u800c\u4e0d\u662f public \u63a5\u53e3\uff0c\u5bf9\u5e94\u516c\u7f51\uff09\u5c06\u5305\u53d1\u7ed9 B\u3002<\/li>\n<\/ol>\n<p>\u8fd9\u79cd NAT \u884c\u4e3a\u6709\u4e2a\u4e13\u95e8\u7684\u672f\u8bed\uff0c\u53eb\u00a0<strong><mark>hairpinning<\/mark><\/strong>\uff08\u76f4\u8bd1\u4e3a\u53d1\u5361\uff0c\u610f\u601d \u662f\u50cf\u53d1\u5361\u4e00\u6837\uff0c\u6cbf\u7740\u4e00\u8fb9\u4e0a\u53bb\uff0c\u7136\u540e\u4ece\u53e6\u4e00\u8fb9\u7ed5\u56de\u6765\uff09\uff0c<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"hairpin-icon\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/hairpin-icon.png\" width=\"200\" height=\"200\"><\/p>\n<p>\u5927\u5bb6\u5e94\u8be5\u731c\u5230\u7684\u4e00\u4e2a\u4e8b\u5b9e\u662f\uff1a<strong><mark>\u4e0d\u662f\u6240\u6709 NAT \u90fd\u652f\u6301 hairpin 
\u6a21\u5f0f<\/mark><\/strong>\u3002 \u5b9e\u9645\u4e0a\uff0c\u5927\u91cf well-behaved NAT \u8bbe\u5907\u90fd\u4e0d\u652f\u6301 hairpin \u6a21\u5f0f\uff0c<\/p>\n<ul>\n<li>\u56e0\u4e3a\u5b83\u4eec\u90fd\u6709\u00a0<strong><mark>\u201c\u53ea\u6709 src_ip \u662f\u79c1\u6709\u5730\u5740\u4e14 dst_ip \u662f\u516c\u7f51\u5730\u5740\u7684\u5305\u624d\u4f1a\u7ecf\u8fc7\u6211\u201d<\/mark><\/strong>\u00a0\u4e4b\u7c7b\u7684\u5047\u8bbe\u3002<\/li>\n<li>\u56e0\u6b64\u5bf9\u4e8e\u8fd9\u79cd\u76ee\u7684\u5730\u5740\u4e0d\u662f\u516c\u7f51\u3001\u9700\u8981\u8ba9\u8def\u7531\u5668\u628a\u5305\u518d\u8f6c\u56de\u5185\u7f51\u7684\u5305\uff0c\u5b83\u4eec\u4f1a<strong><mark>\u76f4\u63a5\u4e22\u5f03<\/mark><\/strong>\u3002<\/li>\n<li>\u8fd9\u4e9b\u903b\u8f91\u751a\u81f3\u662f\u76f4\u63a5\u5b9e\u73b0\u5728\u8def\u7531\u82af\u7247\u4e2d\u7684\uff0c\u56e0\u6b64\u9664\u975e\u5347\u7ea7\u786c\u4ef6\uff0c\u5426\u5219\u5355\u9760\u8f6f\u4ef6\u7f16\u7a0b\u65e0\u6cd5\u6539\u53d8\u8fd9\u79cd\u884c\u4e3a\u3002<\/li>\n<\/ul>\n<p>Hairpin \u662f\u6240\u6709 NAT \u8bbe\u5907\u7684\u7279\u6027\uff08\u652f\u6301\u6216\u4e0d\u652f\u6301\uff09\uff0c\u5e76\u4e0d\u662f CGNAT \u72ec\u6709\u7684\u3002<\/p>\n<ol>\n<li>\u5728\u5927\u90e8\u5206\u60c5\u51b5\u4e0b\uff0c\u8fd9\u4e2a\u7279\u6027\u5bf9\u6211\u4eec\u7684 NAT \u7a7f\u900f\u76ee\u7684\u6765\u8bf4\u90fd\u662f\u65e0\u6240\u8c13\u7684\uff0c\u56e0\u4e3a\u6211\u4eec\u671f\u671b\u4e2d\u00a0<strong><mark>\u4e24\u4e2a LAN NAT \u8bbe\u5907\u4f1a\u76f4\u63a5\u901a\u4fe1\uff0c\u4e0d\u4f1a\u518d\u5411\u4e0a\u7ed5\u5230\u5b83\u4eec\u7684\u9ed8\u8ba4\u7f51\u5173 CGNAT \u6765\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898<\/mark><\/strong>\u3002Hairpin \u7279\u6027\u53ef\u6709\u53ef\u65e0\u8fd9\u4ef6\u4e8b\u6709\u70b9\u9057\u61be\uff0c\u8fd9\u53ef\u80fd\u4e5f\u662f\u4e3a\u4ec0\u4e48 hairpin \u529f\u80fd\u7ecf\u5e38 broken \u7684\u539f\u56e0\u3002<\/li>\n<li>\u4e00\u65e6\u5fc5\u987b\u6d89\u53ca\u5230 CGNAT\uff0c\u90a3 hairpinning 
\u5bf9\u8fde\u63a5\u6027\u6765\u8bf4\u5c31\u81f3\u5173\u91cd\u8981\u4e86\u3002Hairpinning \u4f7f\u5185\u7f51\u8fde\u63a5\u7684\u884c\u4e3a\u4e0e\u516c\u7f51\u8fde\u63a5\u7684\u884c\u4e3a\u5b8c\u5168\u4e00\u81f4\uff0c\u56e0\u6b64\u6211\u4eec\u65e0\u9700\u5173\u5fc3\u76ee\u7684 \u5730\u5740\u7c7b\u578b\uff0c\u4e5f\u4e0d\u7528\u77e5\u6653\u81ea\u5df1\u662f\u5426\u5728\u4e00\u53f0 CGNAT \u540e\u9762\u3002<\/li>\n<\/ol>\n<p><strong><mark>\u5982\u679c hairpinning \u548c port mapping protocols \u90fd\u4e0d\u53ef\u7528\uff0c\u90a3\u53ea\u80fd\u964d\u7ea7\u5230\u4e2d\u7ee7\u6a21\u5f0f\u4e86<\/mark><\/strong>\u3002<\/p>\n<h2 id=\"77-\u5168-ipv6-\u7f51\u7edc\u7406\u60f3\u4e4b\u5730\u4f46\u5e76\u975e\u95ee\u9898\u5168\u65e0\">7.7 \u5168 IPv6 \u7f51\u7edc\uff1a\u7406\u60f3\u4e4b\u5730\uff0c\u4f46\u5e76\u975e\u95ee\u9898\u5168\u65e0<\/h2>\n<p>\u884c\u6587\u81f3\u6b64\uff0c\u4e00\u4e9b\u8bfb\u8005\u53ef\u80fd\u5df2\u7ecf\u5bf9\u7740\u5c4f\u5e55\u5486\u54ee\uff1a<strong><mark>\u4e0d\u8981\u518d\u7528 IPv4 \u4e86\uff01<\/mark><\/strong>\u00a0\u82b1\u8fd9\u4e48\u591a\u65f6\u95f4\u7cbe\u529b\u89e3\u51b3\u8fd9\u4e9b\u6ca1\u610f\u4e49\u7684\u4e1c\u897f\uff0c\u8fd8\u4e0d\u5982\u76f4\u63a5\u6362\u6210 IPv6\uff01<\/p>\n<ul>\n<li>\u7684\u786e\uff0c\u4e4b\u6240\u4ee5\u6709\u8fd9\u4e9b\u4e71\u4e03\u516b\u7cdf\u7684\u4e1c\u897f\uff0c\u5c31\u662f\u56e0\u4e3a IPv4 \u5730\u5740\u4e0d\u591f\u4e86\uff0c\u6211\u4eec<strong><mark>\u4e00\u76f4\u5728\u7528\u8d8a\u6765\u8d8a\u590d\u6742\u7684 NAT \u6765\u7ed9 IPv4 \u7eed\u547d<\/mark><\/strong>\u3002<\/li>\n<li>\u5982\u679c IP \u5730\u5740\u591f\u7528\uff0c\u65e0\u9700 NAT \u5c31\u80fd\u8ba9\u4e16\u754c\u4e0a\u7684\u6bcf\u4e2a\u8bbe\u5907\u90fd\u6709\u4e00\u4e2a\u81ea\u5df1\u7684\u516c\u7f51 IP \u5730\u5740\uff0c\u8fd9\u4e9b\u95ee\u9898\u4e0d\u5c31\u89e3\u51b3\u4e86\u5417\uff1f<\/li>\n<\/ul>\n<p>\u7b80\u5355\u6765\u8bf4\uff0c\u662f\u7684\uff0c\u8fd9\u4e5f\u6b63\u662f IPv6 
\u80fd\u505a\u7684\u4e8b\u60c5\u3002\u4f46\u662f\uff0c\u4e5f\u53ea\u8bf4\u5bf9\u4e86\u4e00\u534a\uff1a\u5728\u7406\u60f3\u7684\u5168 IPv6 \u4e16\u754c\u4e2d\uff0c\u6240\u6709\u8fd9\u4e9b\u4e1c\u897f\u4f1a\u53d8\u5f97\u66f4\u52a0\u7b80\u5355\uff0c\u4f46\u6211\u4eec\u9762\u4e34\u7684<strong><mark>\u95ee\u9898\u5e76\u4e0d\u4f1a\u5b8c\u5168\u6d88\u5931<\/mark><\/strong>\u00a0\u2014\u2014 \u56e0\u4e3a<strong><mark>\u6709\u72b6\u6001\u9632\u706b\u5899\u4ecd\u7136\u8fd8\u662f\u5b58\u5728\u7684<\/mark><\/strong>\u3002<\/p>\n<ul>\n<li>\u529e\u516c\u5ba4\u4e2d\u7684\u7535\u8111\u53ef\u80fd\u6709\u4e00\u4e2a\u516c\u7f51 IPv6 \u5730\u5740\uff0c\u4f46\u4f60\u4eec\u516c\u53f8\u80af\u5b9a\u4f1a\u67b6\u8bbe\u4e00\u4e2a\u9632\u706b\u5899\uff0c\u53ea\u5141\u8bb8 \u4f60\u7684\u7535\u8111\u4e3b\u52a8\u8bbf\u95ee\u516c\u7f51\uff0c\u800c\u4e0d\u5141\u8bb8\u53cd\u5411\u4e3b\u52a8\u5efa\u8fde\u3002<\/li>\n<li>\u5176\u4ed6\u8bbe\u5907\u4e0a\u7684\u9632\u706b\u5899\u4e5f\u4ecd\u7136\u5b58\u5728\uff0c\u5e94\u7528\u7c7b\u4f3c\u7684\u89c4\u5219\u3002<\/li>\n<\/ul>\n<p>\u56e0\u6b64\uff0c\u6211\u4eec\u4ecd\u7136\u4f1a\u7528\u5230<\/p>\n<ol>\n<li>\u672c\u6587\u6700\u5f00\u59cb\u4ecb\u7ecd\u7684\u9632\u706b\u5899\u7a7f\u900f\u6280\u672f\uff0c\u4ee5\u53ca<\/li>\n<li>\u5e2e\u52a9\u6211\u4eec\u83b7\u53d6\u81ea\u5df1\u7684\u516c\u7f51\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0\u4fe1\u606f\u7684\u65c1\u8def\u4fe1\u9053<\/li>\n<li>\u4ecd\u7136\u9700\u8981\u5728\u67d0\u4e9b\u573a\u666f\u4e0b fallback \u5230\u4e2d\u7ee7\u6a21\u5f0f\uff0c\u4f8b\u5982 fallback \u5230\u6700\u901a\u7528\u7684 HTTP \u4e2d\u7ee7 \u534f\u8bae\uff0c\u4ee5\u7ed5\u8fc7\u67d0\u4e9b\u7f51\u7edc\u7981\u6b62 outbound UDP \u7684\u95ee\u9898\u3002<\/li>\n<\/ol>\n<p>\u4f46\u6211\u4eec\u73b0\u5728\u53ef\u4ee5\u629b\u5f03\u00a0<strong><mark>STUN\u3001\u751f\u65e5\u6096\u8bba\u3001\u7aef\u53e3\u6620\u5c04\u534f\u8bae\u3001hairpin<\/mark><\/strong>\u00a0\u7b49\u7b49\u4e1c\u897f\u4e86\u3002 
\u8fd9\u662f\u4e00\u4e2a\u597d\u6d88\u606f\uff01<\/p>\n<h3 id=\"\u5168\u7403-ipv4ipv6-\u90e8\u7f72\u73b0\u72b6\">\u5168\u7403 IPv4\/IPv6 \u90e8\u7f72\u73b0\u72b6<\/h3>\n<p>\u53e6\u4e00\u4e2a\u66f4\u52a0\u4e25\u5cfb\u7684\u73b0\u5b9e\u95ee\u9898\u662f\uff1a\u5f53\u524d\u5e76\u4e0d\u662f\u4e00\u4e2a\u5168 IPv6 \u4e16\u754c\u3002\u76ee\u524d\u4e16\u754c\u4e0a<\/p>\n<ul>\n<li>\u5927\u90e8\u5206\u8fd8\u662f IPv4\uff0c<\/li>\n<li><a href=\"https:\/\/www.google.com\/intl\/en\/ipv6\/statistics.html\" target=\"_blank\" rel=\"noopener\">\u5927\u7ea6 33% \u662f IPv6<\/a>\uff0c\u800c\u4e14\u5206\u5e03\u6781\u5ea6\u4e0d\u5747\u5300\uff0c\u56e0\u6b64\u67d0\u4e9b \u901a\u4fe1\u5bf9\u6240\u5728\u7684\u53ef\u80fd\u662f 100% IPv6\uff0c\u4e5f\u53ef\u80fd\u662f 0%\uff0c\u6216\u4e8c\u8005\u4e4b\u95f4\u3002<\/li>\n<\/ul>\n<p>\u4e0d\u5e78\u7684\u662f\uff0c\u8fd9\u610f\u5473\u7740\uff0cIPv6 <strong><mark>\u8fd8<\/mark><\/strong>\u65e0\u6cd5\u4f5c\u4e3a\u6211\u4eec\u7684\u89e3\u51b3\u65b9\u6848\u3002 \u5c31\u76ee\u524d\u6765\u8bf4\uff0c\u5b83\u53ea\u662f\u6211\u4eec\u7684\u5de5\u5177\u7bb1\u4e2d\u7684\u4e00\u4e2a\u5907\u9009\u3002\u5bf9\u4e8e\u67d0\u4e9b peer \u6765\u8bf4\uff0c\u5b83\u7b80\u76f4\u662f\u5b8c\u7f8e\u5de5 \u5177\uff0c\u4f46\u5bf9\u5176\u4ed6 peer \u6765\u8bf4\uff0c\u5b83\u662f\u7528\u4e0d\u4e86\u7684\u3002\u5982\u679c\u76ee\u6807\u662f\u201c\u4efb\u4f55\u60c5\u51b5\u4e0b\u90fd\u80fd\u7a7f\u900f\uff08\u8fde\u63a5\uff09 \u6210\u529f\u201d\uff0c\u90a3\u6211\u4eec\u5c31\u4ecd\u7136\u9700\u8981 IPv4+NAT \u90a3\u4e9b\u4e1c\u897f\u3002<\/p>\n<h3 id=\"\u65b0\u573a\u666fnat64dns64\">\u65b0\u573a\u666f\uff1aNAT64\/DNS64<\/h3>\n<p>IPv4\/IPv6 \u5171\u5b58\u4e5f\u5f15\u51fa\u4e86\u4e00\u4e2a\u65b0\u7684\u573a\u666f\uff1aNAT64 \u8bbe\u5907\u3002<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" title=\"nat-ipv6\" src=\"https:\/\/aichh.com\/wp-content\/uploads\/2024\/05\/nat-ipv6.png\" width=\"1865\" height=\"806\"><\/p>\n<p>\u524d\u9762\u4ecb\u7ecd\u7684\u90fd\u662f NAT44 
\u8bbe\u5907\uff1a\u5b83\u4eec\u5c06\u4e00\u4e2a IPv4 \u5730\u5740\u8f6c\u6362\u6210\u53e6\u4e00 IPv4 \u5730\u5740\u3002 NAT64 \u4ece\u540d\u5b57\u53ef\u4ee5\u770b\u51fa\uff0c\u662f\u5c06\u4e00\u4e2a\u5185\u4fa7 IPv6 \u5730\u5740\u8f6c\u6362\u6210\u4e00\u4e2a\u5916\u4fa7 IPv4 \u5730\u5740\u3002 \u5229\u7528 DNS64 \u8bbe\u5907\uff0c\u6211\u4eec\u80fd\u5c06 IPv4 DNS \u5e94\u7b54\u7ed9 IPv6 \u7f51\u7edc\uff0c\u8fd9\u6837\u5bf9\u7ec8\u7aef\u6765\u8bf4\uff0c\u5b83\u770b\u5230\u7684\u5c31\u662f\u4e00\u4e2a \u5168 IPv6 \u7f51\u7edc\uff0c\u800c\u4ecd\u7136\u80fd\u8bbf\u95ee IPv4 \u516c\u7f51\u3002<\/p>\n<blockquote><p>Incidentally, you can extend this naming scheme indefinitely. There have been some experiments with NAT46; you could deploy NAT66 if you enjoy chaos; and some RFCs use NAT444 for carrier-grade NAT.<\/p><\/blockquote>\n<p>\u5982\u679c\u9700\u8981\u5904\u7406 DNS \u95ee\u9898\uff0c\u90a3\u8fd9\u79cd\u65b9\u5f0f\u5de5\u4f5c\u826f\u597d\u3002\u4f8b\u5982\uff0c\u5982\u679c\u8fde\u63a5\u5230 google.com\uff0c\u5c06\u8fd9\u4e2a\u57df\u540d\u89e3\u6790\u6210 IP \u5730\u5740\u7684\u8fc7\u7a0b\u4f1a\u6d89\u53ca\u5230 DNS64 \u8bbe\u5907\uff0c\u5b83\u53c8\u4f1a\u8fdb\u4e00\u6b65 involve NAT64 \u8bbe\u5907\uff0c\u4f46\u540e\u4e00\u6b65\u5bf9\u7528\u6237\u6765\u8bf4\u662f\u65e0\u611f\u77e5\u7684\u3002<\/p>\n<p>\u4f46<strong><mark>\u5bf9\u4e8e NAT \u548c\u9632\u706b\u5899\u7a7f\u900f\u6765\u8bf4\uff0c\u6211\u4eec\u4f1a\u5173\u5fc3\u6bcf\u4e2a\u5177\u4f53\u7684 IP \u5730\u5740\u548c\u7aef\u53e3<\/mark><\/strong>\u3002<\/p>\n<h3 id=\"\u89e3\u51b3\u65b9\u6848clat-customer-side-translator\">\u89e3\u51b3\u65b9\u6848\uff1aCLAT (Customer-side transLATor)<\/h3>\n<p>\u5982\u679c\u8bbe\u5907\u652f\u6301 CLAT (Customer-side translator \u2014 from Customer XLAT)\uff0c\u90a3\u6211\u4eec\u5c31\u5f88\u5e78\u8fd0\uff1a<\/p>\n<ul>\n<li><strong><mark>CLAT \u5047\u88c5\u64cd\u4f5c\u7cfb\u7edf\u6709\u76f4\u63a5 IPv4 \u8fde\u63a5\uff0c\u800c\u80cc\u540e\u4f7f\u7528\u7684\u662f 
NAT64<\/mark><\/strong>\uff0c\u4ee5\u5bf9\u5e94\u7528\u7a0b\u5e8f\u65e0\u611f\u77e5\u3002 \u5728\u6709 CLAT \u7684\u8bbe\u5907\u4e0a\uff0c\u6211\u4eec\u65e0\u9700\u505a\u4efb\u4f55\u7279\u6b8a\u7684\u4e8b\u60c5\u3002<\/li>\n<li>CLAT\u00a0<strong><mark>\u5728\u79fb\u52a8\u8bbe\u5907\u4e0a\u975e\u5e38\u5e38\u89c1<\/mark><\/strong>\uff0c\u4f46\u5728\u684c\u9762\u7535\u8111\u3001\u7b14\u8bb0\u672c\u548c\u670d\u52a1\u5668\u4e0a\u975e\u5e38\u5c11\u89c1\uff0c \u56e0\u6b64\u5728\u540e\u8005\u4e0a\uff0c\u5fc5\u987b\u81ea\u5df1\u505a CLAT \u505a\u7684\u4e8b\u60c5\uff1a\u68c0\u6d4b NAT64+DNS64 \u7684\u5b58\u5728\uff0c\u7136\u540e\u6b63\u786e\u5730\u4f7f\u7528\u5b83\u4eec\u3002<\/li>\n<\/ul>\n<h3 id=\"\u89e3\u51b3\u65b9\u6848clat-\u4e0d\u5b58\u5728\u65f6\u624b\u52a8\u7a7f\u900f-nat64-\u8bbe\u5907\">\u89e3\u51b3\u65b9\u6848\uff1aCLAT \u4e0d\u5b58\u5728\u65f6\uff0c\u624b\u52a8\u7a7f\u900f NAT64 \u8bbe\u5907<\/h3>\n<ol>\n<li>\u9996\u5148\u68c0\u6d4b\u662f\u5426\u5b58\u5728 NAT64+DNS64\u3002\u65b9\u6cd5\u5f88\u7b80\u5355\uff1a\u5411\u00a0<code class=\"language-plaintext highlighter-rouge\">ipv4only.arpa.<\/code>\u00a0\u53d1\u9001\u4e00\u4e2a DNS \u8bf7\u6c42\u3002\u8fd9\u4e2a\u57df\u540d\u4f1a\u89e3\u6790 \u5230\u4e00\u4e2a\u5df2\u77e5\u7684\u3001\u56fa\u5b9a\u7684 IPv4 \u5730\u5740\uff0c\u800c\u4e14\u662f<strong><mark>\u7eaf IPv4 \u5730\u5740<\/mark><\/strong>\u3002\u5982\u679c\u5f97\u5230\u7684 \u662f\u4e00\u4e2a IPv6 \u5730\u5740\uff0c\u5c31\u53ef\u4ee5\u5224\u65ad\u6709 DNS64 \u670d\u52a1\u5668\u505a\u4e86\u8f6c\u6362\uff0c\u800c\u5b83\u5fc5\u7136\u4f1a\u7528\u5230 NAT64\u3002\u8fd9\u6837 \u5c31\u80fd\u5224\u65ad\u51fa NAT64 \u7684\u524d\u7f00\u662f\u591a\u5c11\u3002<\/li>\n<li>\u6b64\u540e\uff0c\u8981\u5411 IPv4 \u5730\u5740\u53d1\u5305\u65f6\uff0c\u53d1\u9001\u683c\u5f0f\u4e3a<code class=\"language-plaintext highlighter-rouge\">{NAT64 prefix + IPv4 address}<\/code>\u00a0\u7684 IPv6 \u5305\u3002 \u7c7b\u4f3c\u5730\uff0c\u6536\u5230\u6765\u6e90\u683c\u5f0f\u4e3a\u00a0<code 
class=\"language-plaintext highlighter-rouge\">{NAT64 prefix + IPv4 address}<\/code>\u00a0\u7684\u5305\u65f6\uff0c\u5c31\u662f IPv4 \u6d41\u91cf\u3002<\/li>\n<li>\u63a5\u4e0b\u6765\uff0c\u901a\u8fc7 NAT64 \u7f51\u7edc\u4e0e STUN \u901a\u4fe1\u6765\u83b7\u53d6\u81ea\u5df1\u5728 NAT64 \u4e0a\u7684\u516c\u7f51\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\uff0c\u63a5 \u4e0b\u6765\u5c31\u56de\u5230\u7ecf\u5178\u7684 NAT \u7a7f\u900f\u95ee\u9898\u4e86 \u2014\u2014 \u9664\u4e86\u9700\u8981\u591a\u505a\u4e00\u70b9\u70b9\u4e8b\u60c5\u3002<\/li>\n<\/ol>\n<p>\u5e78\u8fd0\u7684\u662f\uff0c\u5982\u4eca\u7684\u5927\u90e8\u5206 v6-only \u7f51\u7edc\u90fd\u662f\u79fb\u52a8\u8fd0\u8425\u5546\u7f51\u7edc\uff0c\u800c\u51e0\u4e4e\u6240\u6709\u624b\u673a\u90fd\u652f\u6301 CLAT\u3002 \u8fd0\u8425 v6-only \u7f51\u7edc\u7684 ISPs \u4f1a\u5728\u4ed6\u4eec\u7ed9\u4f60\u7684\u8def\u7531\u5668\u4e0a\u90e8\u7f72 CLAT\uff0c\u56e0\u6b64\u6700\u540e\u4f60\u5176\u5b9e\u4e0d\u9700\u8981\u505a\u4ec0\u4e48\u4e8b\u60c5\u3002 \u4f46\u5982\u679c\u60f3\u5b9e\u73b0 100% \u7a7f\u900f\uff0c\u5c31\u9700\u8981\u89e3\u51b3\u8fd9\u79cd\u8fb9\u8fb9\u89d2\u89d2\u7684\u95ee\u9898\uff0c\u5373\u5fc5\u987b\u663e\u5f0f\u652f\u6301\u4ece v6-only \u7f51\u7edc\u8fde\u63a5 v4-only \u5bf9\u7aef\u3002<\/p>\n<h2 id=\"78-\u5c06\u6240\u6709\u89e3\u51b3\u65b9\u5f0f\u96c6\u6210\u5230-ice-\u534f\u8bae\">7.8 \u5c06\u6240\u6709\u89e3\u51b3\u65b9\u5f0f\u96c6\u6210\u5230 ICE \u534f\u8bae<\/h2>\n<h3 id=\"\u9488\u5bf9\u5177\u4f53\u573a\u666f\u8be5\u9009\u62e9\u54ea\u79cd\u7a7f\u900f\u65b9\u5f0f\">\u9488\u5bf9\u5177\u4f53\u573a\u666f\uff0c\u8be5\u9009\u62e9\u54ea\u79cd\u7a7f\u900f\u65b9\u5f0f\uff1f<\/h3>\n<p>\u81f3\u6b64\uff0c\u6211\u4eec\u7684 NAT \u7a7f\u900f\u4e4b\u65c5\u7ec8\u4e8e\u5feb\u7ed3\u675f\u4e86\u3002\u6211\u4eec\u5df2\u7ecf\u8986\u76d6\u4e86\u6709\u72b6\u6001\u9632\u706b\u5899\u3001\u7b80\u5355\u548c\u9ad8\u7ea7 NAT\u3001IPv4 \u548c 
IPv6\u3002\u53ea\u8981\u5c06\u4ee5\u4e0a\u89e3\u51b3\u65b9\u5f0f\u90fd\u5b9e\u73b0\u4e86\uff0cNAT \u7a7f\u900f\u7684\u76ee\u7684\u5c31\u8fbe\u5230\u4e86\uff01<\/p>\n<p>\u4f46\u662f\uff0c<\/p>\n<ul>\n<li>\u5bf9\u4e8e\u7ed9\u5b9a\u7684 peer\uff0c\u5982\u4f55\u5224\u65ad\u8be5\u7528\u54ea\u79cd\u65b9\u5f0f\u5462\uff1f<\/li>\n<li>\u5982\u4f55\u5224\u65ad\u8fd9\u662f\u4e00\u4e2a\u7b80\u5355\u6709\u72b6\u6001\u9632\u706b\u5899\u7684\u573a\u666f\uff0c\u8fd8\u662f\u8be5\u7528\u5230\u751f\u65e5\u6096\u8bba\u7b97\u6cd5\uff0c\u8fd8\u662f\u9700\u8981\u624b\u52a8\u5904\u7406 NAT64 \u5462\uff1f<\/li>\n<li>\u8fd8\u662f\u901a\u4fe1\u53cc\u65b9\u5728\u4e00\u4e2a WiFi \u7f51\u7edc\u4e0b\uff0c\u8fde\u9632\u706b\u5899\u90fd\u6ca1\u6709\uff0c\u56e0\u6b64\u4e0d\u9700\u8981\u4efb\u4f55\u64cd\u4f5c\u5462\uff1f<\/li>\n<\/ul>\n<p><strong><mark>\u65e9\u671f NAT \u7a7f\u900f<\/mark><\/strong>\u6bd4\u8f83\u7b80\u5355\uff0c\u80fd\u8ba9\u6211\u4eec<strong><mark>\u7cbe\u786e\u5224\u65ad\u51fa peer \u4e4b\u95f4\u7684\u8def\u5f84\u7279\u70b9<\/mark><\/strong>\uff0c\u7136\u540e\u9488\u5bf9\u6027\u5730\u91c7\u7528\u76f8\u5e94\u7684\u89e3\u51b3\u65b9\u5f0f\u3002 \u4f46\u540e\u9762\uff0c\u7f51\u7edc\u5de5\u7a0b\u5e08\u548c NAT \u8bbe\u5907\u5f00\u53d1\u5de5\u7a0b\u5e08\u5f15\u5165\u4e86\u4e00\u4e9b\u65b0\u7406\u5ff5\uff0c\u7ed9\u8def\u5f84\u5224\u65ad\u9020\u6210\u5f88\u5927\u56f0\u96be\u3002\u56e0\u6b64 \u6211\u4eec\u9700\u8981\u7b80\u5316\u5ba2\u6237\u7aef\u4fa7\u7684\u601d\u8003\uff08\u5224\u65ad\u903b\u8f91\uff09\u3002<\/p>\n<p>\u8fd9\u5c31\u8981\u63d0\u5230 Interactive Connectivity Establishment (ICE\uff0c\u4ea4\u4e92\u5f0f\u8fde\u63a5\u5efa\u7acb) \u534f\u8bae\u4e86\u3002 \u4e0e STUN\/TURN \u7c7b\u4f3c\uff0cICE \u6765\u81ea<strong><mark>\u7535\u4fe1\u9886\u57df<\/mark><\/strong>\uff0c\u56e0\u6b64\u5176 RFC \u5145\u6ee1\u4e86 SIP\u3001SDP\u3001\u4fe1\u4ee4\u4f1a\u8bdd\u3001\u62e8\u53f7\u7b49\u7b49\u7535\u8bdd\u672f\u8bed\u3002 
\u4f46\u5982\u679c\u5ffd\u7565\u8fd9\u4e9b\u9886\u57df\u672f\u8bed\uff0c\u6211\u4eec\u4f1a\u770b\u5230\u5b83<strong><mark>\u63cf\u8ff0\u4e86\u4e00\u4e2a\u6781\u5176\u4f18\u96c5\u7684\u5224\u65ad\u6700\u4f73\u8fde\u63a5\u8def\u5f84\u7684\u7b97\u6cd5<\/mark><\/strong>\u3002<\/p>\n<p>\u771f\u7684\uff1f\u8fd9\u4e2a\u7b97\u6cd5\u662f\uff1a<strong><mark>\u6bcf\u79cd\u65b9\u6cd5\u90fd\u8bd5\u4e00\u904d\uff0c\u7136\u540e\u9009\u62e9\u6700\u4f73\u7684\u90a3\u4e2a\u65b9\u6cd5<\/mark><\/strong>\u3002\u5c31\u662f\u8fd9\u4e2a\u7b97\u6cd5\uff0c\u60ca\u559c\u5417\uff1f<\/p>\n<p>\u6765\u66f4\u6df1\u5165\u5730\u770b\u4e00\u4e0b\u8fd9\u4e2a\u7b97\u6cd5\u3002<\/p>\n<h3 id=\"ice-interactive-connectivity-establishment-\u7b97\u6cd5\">ICE (Interactive Connectivity Establishment) \u7b97\u6cd5<\/h3>\n<p>\u8fd9\u91cc\u7684\u8ba8\u8bba\u4e0d\u4f1a\u4e25\u683c\u9075\u5faa ICE spec\uff0c\u56e0\u6b64\u5982\u679c\u662f\u5728\u81ea\u5df1\u5b9e\u73b0\u4e00\u4e2a\u53ef\u4e92\u64cd\u4f5c\u7684 ICE \u5ba2\u6237\u7aef\uff0c\u5e94\u8be5\u901a\u8bfb<a href=\"https:\/\/tools.ietf.org\/html\/rfc8445\">RFC 8445<\/a>, \u6839\u636e\u5b83\u7684\u63cf\u8ff0\u6765\u5b9e\u73b0\u3002\u8fd9\u91cc\u5ffd\u7565\u6240\u6709\u7535\u4fe1\u672f\u8bed\uff0c\u53ea\u5173\u6ce8\u6838\u5fc3\u7684\u7b97\u6cd5\u903b\u8f91\uff0c \u5e76\u63d0\u4f9b\u51e0\u4e2a\u5728 ICE \u89c4\u8303\u5141\u8bb8\u8303\u56f4\u7684\u7075\u6d3b\u5efa\u8bae\u3002<\/p>\n<ol>\n<li>\u4e3a\u5b9e\u73b0\u548c\u67d0\u4e2a peer \u7684\u901a\u4fe1\uff0c\u9996\u5148\u9700\u8981\u786e\u5b9a\u6211\u4eec\u81ea\u5df1\u7528\u7684\uff08\u5ba2\u6237\u7aef\u4fa7\uff09\u8fd9\u4e2a socket \u7684\u5730\u5740\uff0c \u8fd9\u662f\u4e00\u4e2a\u5217\u8868\uff0c\u81f3\u5c11\u5e94\u8be5\u5305\u62ec\uff1a\n<ol>\n<li>\u6211\u4eec\u81ea\u5df1\u7684 IPv6\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:ports<\/code><\/li>\n<li>\u6211\u4eec\u81ea\u5df1\u7684 IPv4 LAN\u00a0<code class=\"language-plaintext 
highlighter-rouge\">ip:ports<\/code>\uff08\u5c40\u57df\u7f51\u5730\u5740\uff09<\/li>\n<li>\u901a\u8fc7 STUN \u670d\u52a1\u5668\u83b7\u53d6\u5230\u7684\u6211\u4eec\u81ea\u5df1\u7684 IPv4 WAN\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:ports<\/code>\uff08<strong><mark>\u516c\u7f51\u5730\u5740<\/mark><\/strong>\uff0c\u53ef\u80fd\u4f1a\u7ecf\u8fc7 NAT64 \u8f6c\u6362\uff09<\/li>\n<li>\u901a\u8fc7\u7aef\u53e3\u6620\u5c04\u534f\u8bae\u83b7\u53d6\u5230\u7684\u6211\u4eec\u81ea\u5df1\u7684 IPv4 WAN\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\uff08NAT \u8bbe\u5907\u7684<strong><mark>\u7aef\u53e3\u6620\u5c04\u534f\u8bae\u5206\u914d\u7684\u516c\u7f51\u5730\u5740<\/mark><\/strong>\uff09<\/li>\n<li>\u8fd0\u8425\u5546\u63d0\u4f9b\u7ed9\u6211\u4eec\u7684 endpoints\uff08\u4f8b\u5982\uff0c<strong><mark>\u9759\u6001\u914d\u7f6e\u7684\u7aef\u53e3\u8f6c\u53d1<\/mark><\/strong>\uff09<\/li>\n<\/ol>\n<\/li>\n<li>\u901a\u8fc7\u65c1\u8def\u4fe1\u9053\u4e0e peer \u4e92\u6362\u8fd9\u4e2a\u5217\u8868\u3002\u4e24\u8fb9\u90fd\u62ff\u5230\u5bf9\u65b9\u7684\u5217\u8868\u540e\uff0c\u5c31\u5f00\u59cb\u4e92\u76f8\u63a2\u6d4b\u5bf9\u65b9\u63d0\u4f9b\u7684\u5730\u5740\u3002\u00a0<strong><mark>\u5217\u8868\u4e2d\u5730\u5740\u6ca1\u6709\u4f18\u5148\u7ea7<\/mark><\/strong>\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u5982\u679c\u5bf9\u65b9\u7ed9\u7684\u4e86 15 \u4e2a\u5730\u5740\uff0c\u90a3\u6211\u4eec\u5e94\u8be5\u628a\u8fd9 15 \u4e2a\u5730\u5740\u90fd\u63a2\u6d4b\u4e00\u904d\u3002\u8fd9\u4e9b<strong><mark>\u63a2\u6d4b\u5305\u6709\u4e24\u4e2a\u76ee\u7684<\/mark><\/strong>\uff1a\n<ol>\n<li><strong><mark>\u6253\u5f00\u9632\u706b\u5899\uff0c\u7a7f\u900f NAT<\/mark><\/strong>\uff0c\u4e5f\u5c31\u662f\u672c\u6587\u4e00\u76f4\u5728\u4ecb\u7ecd\u7684\u5185\u5bb9\uff1b<\/li>\n<li><strong><mark>\u5065\u5eb7\u68c0\u6d4b<\/mark><\/strong>\u3002\u6211\u4eec\u5728\u4e0d\u65ad\u4ea4\u6362\uff08\u6700\u597d\u662f\u5df2\u8ba4\u8bc1\u7684\uff09\u201cping\/pong\u201d 
\u5305\uff0c\u6765\u68c0\u6d4b\u67d0\u4e2a\u7279\u5b9a\u7684\u8def\u5f84\u662f\u4e0d\u662f\u7aef\u5230\u7aef\u901a\u7684\u3002<\/li>\n<\/ol>\n<\/li>\n<li>\u6700\u540e\uff0c\u4e00\u5c0f\u4f1a\u513f\u4e4b\u540e\uff0c\u4ece\u53ef\u7528\u7684\u5907\u9009\u5730\u5740\u4e2d\uff08\u6839\u636e\u67d0\u4e9b\u6761\u4ef6\uff09\u9009\u62e9\u201c\u6700\u4f73\u201d\u7684\u90a3\u4e2a\uff0c\u4efb\u52a1\u5b8c\u6210\uff01<\/li>\n<\/ol>\n<p>\u8fd9\u4e2a\u7b97\u6cd5\u7684\u4f18\u7f8e\u4e4b\u5904\u5728\u4e8e\uff1a\u53ea\u8981\u9009\u62e9\u6700\u4f73\u7ebf\u8def\uff08\u5730\u5740\uff09\u7684\u7b97\u6cd5\u662f\u6b63\u786e\u7684\uff0c\u90a3\u5c31\u603b\u80fd\u83b7\u5f97\u6700\u4f73\u8def\u5f84\u3002<\/p>\n<ul>\n<li>ICE \u4f1a\u9884\u5148\u5bf9\u8fd9\u4e9b\u5907\u9009\u5730\u5740\u8fdb\u884c\u6392\u5e8f\uff08\u901a\u5e38\uff1aLAN &gt; WAN &gt; WAN+NAT\uff09\uff0c\u4f46\u7528\u6237\u4e5f\u53ef\u4ee5\u81ea\u5df1\u6307\u5b9a\u8fd9\u4e2a\u6392\u5e8f\u884c\u4e3a\u3002<\/li>\n<li>\u4ece v0.100.0 \u5f00\u59cb\uff0cTailscale \u4ece\u539f\u6765\u7684 hardcode \u4f18\u5148\u7ea7\u5207\u6362\u6210\u4e86\u6839\u636e round-trip latency \u7684\u65b9\u5f0f\uff0c\u5b83\u5927\u90e8\u5206\u60c5\u51b5\u4e0b\u6392\u5e8f\u7684\u7ed3\u679c\u548c\u00a0<code class=\"language-plaintext highlighter-rouge\">LAN &gt; WAN &gt; WAN+NAT<\/code>\u00a0\u662f\u4e00\u81f4\u7684\u3002 \u4f46\u76f8\u6bd4\u4e8e\u9759\u6001\u6392\u5e8f\uff0c\u6211\u4eec\u662f\u52a8\u6001\u8ba1\u7b97\u6bcf\u6761\u8def\u5f84\u5e94\u8be5\u5c5e\u4e8e\u54ea\u4e2a\u7c7b\u522b\u3002<\/li>\n<\/ul>\n<p>ICE spec \u5c06\u534f\u8bae\u7ec4\u7ec7\u4e3a\u4e24\u4e2a\u9636\u6bb5\uff1a<\/p>\n<ol>\n<li>\u63a2\u6d4b\u9636\u6bb5<\/li>\n<li>\u901a\u4fe1\u9636\u6bb5<\/li>\n<\/ol>\n<p>\u4f46\u4e0d\u4e00\u5b9a\u8981\u4e25\u683c\u9075\u5faa\u8fd9\u4e24\u4e2a\u6b65\u9aa4\u7684\u987a\u5e8f\u3002\u5728 
Tailscale\uff0c<\/p>\n<ul>\n<li>\u6211\u4eec\u53d1\u73b0\u66f4\u4f18\u7684\u8def\u5f84\u4e4b\u540e\u5c31\u4f1a\u81ea\u52a8\u5207\u6362\u8fc7\u53bb\uff0c<\/li>\n<li>\u6240\u6709\u7684\u8fde\u63a5\u90fd\u662f\u5148\u9009\u62e9 DERP \u6a21\u5f0f\uff08\u4e2d\u7ee7\u6a21\u5f0f\uff09\u3002\u8fd9\u610f\u5473\u7740\u8fde\u63a5\u7acb\u5373\u5c31\u80fd\u5efa\u7acb\uff08<strong><mark>\u4f18\u5148\u7ea7\u6700\u4f4e\u4f46 100% \u80fd\u6210\u529f\u7684\u6a21\u5f0f<\/mark><\/strong>\uff09\uff0c\u7528\u6237\u4e0d\u7528\u4efb\u4f55\u7b49\u5f85\uff0c<\/li>\n<li>\u7136\u540e\u5e76\u884c\u8fdb\u884c\u8def\u5f84\u53d1\u73b0\u3002\u901a\u5e38\u51e0\u79d2\u949f\u4e4b\u540e\uff0c\u6211\u4eec\u5c31\u80fd\u53d1\u73b0\u4e00\u6761\u66f4\u4f18\u8def\u5f84\uff0c\u7136\u540e\u5c06\u73b0\u6709\u8fde\u63a5\u900f\u660e\u5347\u7ea7\uff08upgrade\uff09\u8fc7\u53bb\u3002<\/li>\n<\/ul>\n<p>\u4f46\u6709\u4e00\u70b9\u9700\u8981\u5173\u5fc3\uff1a\u975e\u5bf9\u79f0\u8def\u5f84\u3002ICE \u82b1\u4e86\u4e00\u4e9b\u7cbe\u529b\u6765\u4fdd\u8bc1\u901a\u4fe1\u53cc\u65b9\u9009\u62e9\u7684\u662f\u76f8\u540c\u7684\u7f51\u7edc \u8def\u5f84\uff0c\u8fd9\u6837\u624d\u80fd\u4fdd\u8bc1\u8fd9\u6761\u8def\u5f84\u4e0a\u6709\u53cc\u5411\u6d41\u91cf\uff0c\u80fd\u4fdd\u6301\u9632\u706b\u5899\u548c NAT \u8bbe\u5907\u7684\u8fde\u63a5\u4e00\u76f4\u5904\u4e8e open \u72b6\u6001\u3002 \u81ea\u5df1\u5b9e\u73b0\u7684\u8bdd\uff0c\u5176\u5b9e\u5e76\u4e0d\u9700\u8981\u82b1\u540c\u6837\u5927\u7684\u7cbe\u529b\u6765\u5b9e\u73b0\u8fd9\u4e2a\u4fdd\u8bc1\uff0c\u4f46\u9700\u8981\u786e\u4fdd\u4f60\u6240\u6709\u4f7f\u7528\u7684\u6240\u6709\u8def\u5f84\u4e0a\uff0c\u90fd\u6709\u53cc\u5411\u6d41\u91cf\u3002 \u8fd9\u4e2a\u76ee\u6807\u5c31\u5f88\u7b80\u5355\u4e86\uff0c\u53ea\u9700\u8981\u5b9a\u671f\u5728\u6240\u6709\u5df2\u4f7f\u7528\u7684\u8def\u5f84\u4e0a\u53d1 ping\/pong \u5c31\u884c\u4e86\u3002<\/p>\n<h3 
id=\"\u5065\u58ee\u6027\u4e0e\u964d\u7ea7\">\u5065\u58ee\u6027\u4e0e\u964d\u7ea7<\/h3>\n<p>\u8981\u5b9e\u73b0\u5065\u58ee\u6027\uff0c\u8fd8\u9700\u8981\u68c0\u6d4b\u5f53\u524d\u5df2\u9009\u62e9\u7684\u8def\u5f84\u662f\u5426\u5df2\u7ecf\u5931\u8d25\u4e86\uff08\u4f8b\u5982\uff0cNAT \u8bbe\u5907\u7ef4\u62a4\u6e05\u6389\u4e86\u6240\u6709\u72b6\u6001\uff09\uff0c \u5982\u679c\u5931\u8d25\u4e86\u5c31\u8981<strong><mark>\u964d\u7ea7\uff08downgrade\uff09\u5230\u5176\u4ed6\u8def\u5f84<\/mark><\/strong>\u3002\u8fd9\u91cc\u6709\u4e24\u79cd\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>\u6301\u7eed\u63a2\u6d4b\u6240\u6709\u8def\u5f84\uff0c\u7ef4\u62a4\u4e00\u4e2a\u964d\u7ea7\u65f6\u4f1a\u7528\u7684\u5907\u7528\u5730\u5740\u5217\u8868\uff1b<\/li>\n<li><strong><mark>\u76f4\u63a5\u964d\u7ea7\u5230\u4fdd\u5e95\u7684\u4e2d\u7ee7\u6a21\u5f0f<\/mark><\/strong>\uff0c\u7136\u540e\u518d\u901a\u8fc7\u8def\u5f84\u63a2\u6d4b\u5347\u7ea7\u5230\u66f4\u597d\u7684\u8def\u5f84\u3002\u8003\u8651\u5230\u53d1\u751f\u964d\u7ea7\u7684\u6982\u7387\u662f\u975e\u5e38\u5c0f\u7684\uff0c\u56e0\u6b64\u8fd9\u79cd\u65b9\u5f0f\u53ef\u80fd\u662f<strong><mark>\u66f4\u7ecf\u6d4e<\/mark><\/strong>\u7684\u3002<\/li>\n<\/ol>\n<h2 id=\"79-\u5b89\u5168\">7.9 \u5b89\u5168<\/h2>\n<p>\u6700\u540e\u9700\u8981\u63d0\u5230\u5b89\u5168\u3002<\/p>\n<p>\u672c\u6587\u7684\u6240\u6709\u5185\u5bb9\u90fd\u5047\u8bbe\uff1a\u6211\u4eec\u4f7f\u7528\u7684<strong><mark>\u4e0a\u5c42\u534f\u8bae\u5df2\u7ecf\u6709\u4e86\u81ea\u5df1\u7684\u5b89\u5168\u673a\u5236<\/mark><\/strong>\uff08 \u4f8b\u5982 QUIC \u534f\u8bae\u6709 TLS \u8bc1\u4e66\uff0cWireGuard \u534f\u8bae\u6709\u81ea\u5df1\u7684\u516c\u94a5\uff09\u3002 \u5982\u679c\u8fd8\u6ca1\u6709\u5b89\u5168\u673a\u5236\uff0c\u90a3\u663e\u7136\u662f\u8981\u7acb\u5373\u8865\u4e0a\u7684\u3002\u4e00\u65e6\u52a8\u6001\u5207\u6362\u8def\u5f84\uff0c<strong><mark>\u57fa\u4e8e IP \u7684\u5b89\u5168\u673a\u5236\u5c31\u662f\u65e0\u7528\u7684\u4e86<\/mark><\/strong>\u00a0\uff08IP 
\u534f\u8bae\u6700\u5f00\u59cb\u5c31\u6ca1\u600e\u4e48\u8003\u8651\u5b89\u5168\u6027\uff09\uff0c\u81f3\u5c11\u8981\u6709<strong><mark>\u7aef\u5230\u7aef\u7684\u8ba4\u8bc1<\/mark><\/strong>\u3002<\/p>\n<ul>\n<li>\u4e25\u683c\u6765\u8bf4\uff0c\u5982\u679c\u4e0a\u5c42\u534f\u8bae\u6709\u5b89\u5168\u673a\u5236\uff0c\u90a3\u5373\u4f7f\u6536\u5230\u7684\u662f\u6b3a\u9a97\u6027\u7684 ping\/pong \u6d41\u91cf\uff0c\u95ee\u9898\u90fd\u4e0d\u5927\uff0c \u6700\u574f\u7684\u60c5\u51b5\u4e5f\u5c31\u662f<strong><mark>\u653b\u51fb\u8005\u8bf1\u5bfc\u4e24\u7aef\u901a\u8fc7\u4ed6\u4eec\u7684\u7cfb\u7edf\u6765\u4e2d\u7ee7\u6d41\u91cf<\/mark><\/strong>\u3002 \u800c\u6709\u4e86\u7aef\u5230\u7aef\u5b89\u5168\u673a\u5236\uff0c\u8fd9\u5e76\u4e0d\u662f\u4e00\u4e2a\u5927\u95ee\u9898\uff08\u53d6\u51b3\u4e8e\u4f60\u7684\u5a01\u80c1\u6a21\u578b\uff09\u3002<\/li>\n<li>\u4f46\u51fa\u4e8e\u8c28\u614e\u8003\u8651\uff0c\u6700\u597d\u8fd8\u662f\u5bf9\u8def\u5f84\u53d1\u73b0\u7684\u5305\u4e5f\u505a\u8ba4\u8bc1\u548c\u52a0\u5bc6\u3002\u5177\u4f53\u5982\u4f55\u505a\u53ef\u4ee5\u54a8\u8be2\u4f60\u4eec\u7684\u5e94\u7528\u5b89\u5168\u5de5\u7a0b\u5e08\u3002<\/li>\n<\/ul>\n<h1 id=\"8-\u7ed3\u675f\u8bed\">8 \u7ed3\u675f\u8bed<\/h1>\n<p>\u6211\u4eec\u7ec8\u4e8e\u5b8c\u6210\u4e86 NAT \u7a7f\u900f\u7684\u76ee\u6807\uff01<\/p>\n<p>\u5982\u679c\u5b9e\u73b0\u4e86\u4ee5\u4e0a\u63d0\u5230\u7684\u6240\u6709\u6280\u672f\uff0c\u4f60\u5c06\u5f97\u5230\u4e00\u4e2a\u4e1a\u5185\u9886\u5148\u7684 NAT \u7a7f\u900f\u8f6f\u4ef6\uff0c\u80fd\u5728\u7edd\u5927\u591a\u6570\u573a\u666f\u4e0b\u5b9e\u73b0\u7aef\u5230\u7aef\u76f4\u8fde\u3002 
\u5982\u679c\u76f4\u8fde\u4e0d\u4e86\uff0c\u8fd8\u53ef\u4ee5\u964d\u7ea7\u5230\u4fdd\u5e95\u7684\u4e2d\u7ee7\u6a21\u5f0f\uff08\u5bf9\u4e8e\u957f\u5c3e\u6765\u8bf4\u53ea\u80fd\u9760\u4e2d\u7ee7\u4e86\uff09\u3002<\/p>\n<p>\u4f46\u8fd9\u4e9b\u5de5\u4f5c\u76f8\u5f53\u590d\u6742\uff01\u5176\u4e2d\u4e00\u4e9b\u95ee\u9898\u7814\u7a76\u8d77\u6765\u5f88\u6709\u610f\u601d\uff0c\u4f46\u5f88\u96be\u505a\u5230\u5b8c\u5168\u6b63\u786e\uff0c\u5c24\u5176\u662f\u90a3\u4e9b \u975e\u5e38\u8fb9\u8fb9\u89d2\u89d2\u7684\u573a\u666f\uff0c\u771f\u6b63\u51fa\u73b0\u7684\u6982\u7387\u6781\u5c0f\uff0c\u4f46\u89e3\u51b3\u5b83\u4eec\u6240\u9700\u82b1\u8d39\u7684\u7cbe\u529b\u53c8\u6781\u5927\u3002 \u4e0d\u8fc7\uff0c\u8fd9\u79cd\u5de5\u4f5c\u53ea\u9700\u8981\u505a\u4e00\u6b21\uff0c\u4e00\u65e6\u89e3\u51b3\u4e86\uff0c\u4f60\u5c31\u5177\u5907\u4e86\u67d0\u79cd\u8d85\u7ea7\u80fd\u529b\uff1a \u63a2\u7d22\u4ee4\u4eba\u6fc0\u52a8\u7684\u3001\u76f8\u5bf9\u8fd8\u6bd4\u8f83\u5d2d\u65b0\u7684<strong><mark>\u7aef\u5230\u7aef\u5e94\u7528<\/mark><\/strong>\uff08peer-to-peer applications\uff09\u4e16\u754c\u3002<\/p>\n<h2 id=\"81-\u8de8\u516c\u7f51-\u7aef\u5230\u7aef\u76f4\u8fde\">8.1 \u8de8\u516c\u7f51 \u7aef\u5230\u7aef\u76f4\u8fde<\/h2>\n<p><strong><mark>\u53bb\u4e2d\u5fc3\u5316\u8f6f\u4ef6<\/mark><\/strong>\u9886\u57df\u4e2d\u7684\u8bb8\u591a\u6709\u8da3\u60f3\u6cd5\uff0c\u7b80\u5316\u4e4b\u540e\u5176\u5b9e\u90fd\u53d8\u6210\u4e86\u00a0<strong><mark>\u8de8\u8fc7\u516c\u7f51\uff08\u4e92\u8054\u7f51\uff09\u5b9e\u73b0\u7aef\u5230\u7aef\u76f4\u8fde<\/mark><\/strong>\u00a0\u8fd9\u4e00\u95ee\u9898\uff0c\u5f00\u59cb\u65f6\u53ef\u80fd\u89c9\u5f97\u5f88\u7b80\u5355\uff0c\u4f46\u771f\u6b63\u505a\u624d \u53d1\u73b0\u6bd4\u60f3\u8c61\u4e2d\u96be\u591a\u4e86\u3002\u73b0\u5728\u77e5\u9053\u5982\u4f55\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\u4e86\uff0c\u52a8\u624b\u5f00\u505a\u5427\uff01<\/p>\n<h2 id=\"82-\u7ed3\u675f\u8bed\u4e4b-tl-dr\">8.2 \u7ed3\u675f\u8bed\u4e4b TL; DR<\/h2>\n<p>\u5b9e\u73b0\u5065\u58ee\u7684 NAT 
\u7a7f\u900f\u9700\u8981\u4e0b\u5217\u57fa\u7840\uff1a<\/p>\n<ol>\n<li>\u4e00\u79cd\u57fa\u4e8e UDP \u7684\u534f\u8bae\uff1b<\/li>\n<li>\u80fd\u5728\u7a0b\u5e8f\u5185\u76f4\u63a5\u8bbf\u95ee socket\uff1b<\/li>\n<li>\u6709\u4e00\u4e2a\u4e0e peer \u901a\u4fe1\u7684\u65c1\u8def\u4fe1\u9053\uff1b<\/li>\n<li>\u82e5\u5e72 STUN \u670d\u52a1\u5668\uff1b<\/li>\n<li>\u4e00\u4e2a\u4fdd\u5e95\u7528\u7684\u4e2d\u7ee7\u7f51\u7edc\uff08\u53ef\u9009\uff0c\u4f46\u5f3a\u70c8\u63a8\u8350\uff09<\/li>\n<\/ol>\n<p>\u7136\u540e\u9700\u8981\uff1a<\/p>\n<ol>\n<li>\u904d\u5386\u6240\u6709\u7684\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\uff1b<\/li>\n<li>\u67e5\u8be2 STUN \u670d\u52a1\u5668\u6765\u83b7\u53d6\u81ea\u5df1\u7684\u516c\u7f51\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\u00a0\u4fe1\u606f\uff0c\u4ee5\u53ca\u5224\u65ad\u81ea\u5df1\u8fd9\u4e00\u4fa7\u7684 NAT \u7684\u201c\u96be\u5ea6\u201d\uff08difficulty\uff09\uff1b<\/li>\n<li>\u4f7f\u7528 port mapping \u534f\u8bae\u6765\u83b7\u53d6\u66f4\u591a\u7684\u516c\u7f51\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:ports<\/code>\uff1b<\/li>\n<li>\u68c0\u67e5 NAT64\uff0c\u901a\u8fc7\u5b83\u83b7\u53d6\u81ea\u5df1\u7684\u516c\u7f51\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\uff1b<\/li>\n<li>\u5c06\u81ea\u5df1\u7684\u6240\u6709\u516c\u7f51\u00a0<code class=\"language-plaintext highlighter-rouge\">ip:ports<\/code>\u00a0\u4fe1\u606f\u901a\u8fc7\u65c1\u8def\u4fe1\u9053\u4e0e peer \u4ea4\u6362\uff0c\u4ee5\u53ca\u67d0\u4e9b\u52a0\u5bc6\u5bc6\u94a5\u6765\u4fdd\u8bc1\u901a\u4fe1\u5b89\u5168\uff1b<\/li>\n<li>\u901a\u8fc7\u4fdd\u5e95\u7684\u4e2d\u7ee7\u65b9\u5f0f\u4e0e\u5bf9\u65b9\u5f00\u59cb\u901a\u4fe1\uff08\u53ef\u9009\uff0c\u8fd9\u6837\u8fde\u63a5\u80fd\u5feb\u901f\u5efa\u7acb\uff09<\/li>\n<li>\u5982\u679c\u6709\u5fc5\u8981\/\u60f3\u8fd9\u4e48\u505a\uff0c\u63a2\u6d4b\u5bf9\u65b9\u63d0\u4f9b\u7684\u6240\u6709\u00a0<code 
class=\"language-plaintext highlighter-rouge\">ip:port<\/code>\uff0c\u4ee5\u53ca\u6267\u884c\u751f\u65e5\u653b\u51fb\uff08birthday attacks\uff09\u6765\u7a7f\u900f harder NAT\uff1b<\/li>\n<li>\u53d1\u73b0\u66f4\u4f18\u8def\u5f84\u4e4b\u540e\uff0c\u900f\u660e\u5347\u7ea7\u5230\u8be5\u8def\u5f84\uff1b<\/li>\n<li>\u5982\u679c\u5f53\u524d\u8def\u5f84\u65ad\u4e86\uff0c\u964d\u7ea7\u5230\u5176\u4ed6\u53ef\u7528\u7684\u8def\u5f84\uff1b<\/li>\n<li>\u786e\u4fdd\u6240\u6709\u4e1c\u897f\u90fd\u662f\u52a0\u5bc6\u7684\uff0c\u5e76\u4e14\u6709\u7aef\u5230\u7aef\u8ba4\u8bc1\u3002<\/li>\n<\/ol>\n<p>via:https:\/\/arthurchiao.art\/blog\/how-nat-traversal-works-zh\/<\/p>\n","protected":false},"excerpt":{"rendered":"\u8bd1\u8005\u5e8f \u672c\u6587\u7ffb\u8bd1\u81ea 2020 \u5e74\u7684\u4e00\u7bc7\u82f1\u6587\u535a\u5ba2\uff1a\u00a0How NAT traversal works\u3002 \u8bbe\u60f3\u8fd9\u6837\u4e00\u4e2a\u95ee\u9898\uff1a\u5728\u5317\u4eac\u548c\u4e0a\u6d77\u5404\u6709\u4e00\u53f0\u5c40\u57df\u7f51\u7684\u673a\u5668\uff08\u4f8b\u5982\u4e00\u53f0\u662f\u5bb6\u91cc\u7684\u53f0\u5f0f\u673a\uff0c\u4e00 \u53f0\u662f\u8fde\u63a5\u5230\u661f\u5df4\u514b W 
\u00b7\u00b7\u00b7","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[149,373,374],"class_list":["post-1390","post","type-post","status-publish","format-standard","hentry","category-jiaocheng","tag-nat","tag-373","tag-374"],"views":113,"_links":{"self":[{"href":"https:\/\/aichh.com\/api\/wp\/v2\/posts\/1390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aichh.com\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aichh.com\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aichh.com\/api\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aichh.com\/api\/wp\/v2\/comments?post=1390"}],"version-history":[{"count":3,"href":"https:\/\/aichh.com\/api\/wp\/v2\/posts\/1390\/revisions"}],"predecessor-version":[{"id":1415,"href":"https:\/\/aichh.com\/api\/wp\/v2\/posts\/1390\/revisions\/1415"}],"wp:attachment":[{"href":"https:\/\/aichh.com\/api\/wp\/v2\/media?parent=1390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aichh.com\/api\/wp\/v2\/categories?post=1390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aichh.com\/api\/wp\/v2\/tags?post=1390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}