10

We have an IP address on the global internet: "A"

We only have access to "A".

We have a network behind a router that does NAT: 192.168.1.0/24

There is a client behind that NAT: "B"

We don't have access to "B" and the "NAT" router.

Goal: reach the "B" directly with "A".

We cannot use port forwarding or UPnP, etc.

Question: what is the trick to reach "B"? A trick that could be avoided if the router had a stateful firewall, not just NAT!

We are thinking that when "B" browses the web, it will go out to the internet. When the replies come back, the router that does the NAT needs to decide which NATed IP "B" had (there could be more machines behind the NATed network). For this the NAT router uses the port information too. Maybe if we/they are using UDP, we can try all non-privileged ports with the IP "A" to send a packet to "B"?

The NAT router is just a simple SOHO router. (Original problem: trying to prove that NAT is not a firewall, but we need evidence for it.)

schroeder
Marina Ala

3 Answers

5

In a simple answer (if I'm understanding this correctly), yes. You can accomplish this by utilizing reverse SSH tunneling.

You'll need to setup the tunnel on "B" first utilizing socks proxying (can be done through Putty), then you'll need to route your traffic through "A" for the requests.

When the responses return, they'll be directed through "A", back to "B"; essentially reaching "B directly with A".

Here are some additional resources for accomplishing this:
http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel
https://unix.stackexchange.com/questions/46235/how-does-reverse-ssh-tunneling-work

[Image: SSH Reverse Tunneling concept]

[Image: SSH Reverse Tunneling concept 2]

c1ph3rflux
2

Actually, your plan could work, depending on how the NAT device works.

Typically, NAT devices map the internal IP and source port to the destination IP and port so that it only allows that IP and port to communicate back to the internal IP. This makes NAT a very crude and poor stateful firewall.

But this function is not a mandated part of NAT, which means any vendor can choose to implement this approach, or not.

That means that it is theoretically possible to be able to scan a NAT device's ports and discover the internal network if the devices on the internal network respond to connection attempts. That's a big series of 'ifs'. But worthwhile.

So, yes, NAT alone is insufficient, because you do not know how NAT was implemented. A stateful firewall provides defence-in-depth to cover this potential unknown hole. NAT is not a security technology and should not be treated as a protection mechanism.

schroeder
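As an added illustration (not part of the answer above or of the site), here is a small Python model of the two mapping policies the answer contrasts: a "full cone" NAT lets any outside host use an open mapping, while a port-restricted NAT only admits traffic from the exact external endpoint the inside host contacted, which is the crude stateful behaviour that blocks unsolicited packets from "A". All addresses are constructed documentation-range values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class NatGateway:
    """Toy model of a SOHO NAT; 'full_cone' or 'port_restricted' policy."""
    public_ip: str
    policy: str = "port_restricted"
    next_port: int = 40000
    # external port -> (inside endpoint, remote endpoint that was contacted)
    table: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Inside host sends a datagram out; allocate or reuse a mapping."""
        for ext_port, (src, dst) in self.table.items():
            if src == inside and (self.policy == "full_cone" or dst == remote):
                return (self.public_ip, ext_port)
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = (inside, remote)
        return (self.public_ip, ext_port)

    def inbound(self, sender: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Outside host sends to public_ip:ext_port; return inside target or None."""
        entry = self.table.get(ext_port)
        if entry is None:
            return None  # no mapping at all: every NAT drops this
        inside, remote = entry
        if self.policy == "port_restricted" and sender != remote:
            return None  # unsolicited sender: dropped, like a stateful firewall
        return inside


def unsolicited_reaches_inside(policy: str) -> bool:
    """Does a packet from the unrelated host 'A' reach 'B' after 'B' browses?"""
    nat = NatGateway("203.0.113.10", policy=policy)       # constructed public IP
    b = ("192.168.1.23", 51000)                           # "B" behind the NAT
    web = ("198.51.100.5", 443)                           # site "B" visits
    a = ("192.0.2.1", 9999)                               # unrelated host "A"
    _, ext_port = nat.outbound(b, web)                    # "B" opens a mapping
    return nat.inbound(a, ext_port) == b                  # can "A" use it?


if __name__ == "__main__":
    for p in ("full_cone", "port_restricted"):
        print(p, "-> A reaches B:", unsolicited_reaches_inside(p))
```

The model shows why the answer calls NAT a "crude" stateful filter at best: the port-restricted case blocks "A" only as a side effect of the mapping policy, and a vendor is free to ship the full-cone behaviour instead.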
0

You can use AnyDesk (version 5.2+), which allows you to set up a TCP connection between clients.

I used it for connecting my client PC to a Team Foundation Server (TFS) over the internet. The server and client are behind NAT. I set the local and remote ports to '8080' and I can connect to server from client using this address on client: 'http://localhost:8080/tfs/'

Reference: TCP-Tunneling-AnyDesk

mrbm