
Design And Implementation Of Port Triggering Function On NAT Gateway

Posted on: 2012-09-29; Degree: Master; Type: Thesis
Country: China; Candidate: B Dai; Full Text: PDF
GTID: 2218330362957515; Subject: Software engineering
Abstract/Summary:
To address the shortage of IPv4 address space and to improve LAN security, most small-office and home users connect to the Internet through ADSL routers that operate in NAT (network address translation) mode. Linux is a free, open-source operating system that is easy to extend, has a kernel that can be trimmed down, and is highly efficient, among other advantages, so most embedded systems, NAT gateways included, are based on the Linux kernel. Although running the gateway in NAT mode solves the IPv4 address shortage and improves LAN security to some degree, it also causes problems for hosts hidden behind the NAT gateway, and some software on those LAN hosts does not work well. The reason is that communication between the external network and LAN hosts can only be initiated by the internal host; an external host cannot initiate communication with a host on the LAN. For example, with IRC, the client behind the NAT gateway first connects to the server on the external network on TCP port 6667 so that the IRC server can verify the account's username and password; after confirmation, the server connects back to the IRC client on TCP port 113 to establish a connection for exchanging data. Normally this works, but in NAT mode the server's data cannot reach the IRC client behind the NAT gateway. This paper designs and implements a solution based on the Linux 2.6 kernel: the Port Triggering kernel module.
This kernel module is built on the NETFILTER framework in the Linux kernel. It uses the hook functions in NETFILTER and the CONNTRACK module to detect outbound data packets; once such a datagram is detected, it uses the NAT module to translate packets from the external network so that they can reach the LAN. Compared with existing solutions, this implementation is more concise, and if the NAT gateway detects no outbound datagrams for some time, datagrams from the external server can no longer reach the internal host and the connection from the external server to the internal host is closed, which protects the security of the internal network.
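The behaviour the abstract describes, as a userspace C model added here for illustration; it is not the thesis's kernel module and does not use the NETFILTER API. The 600-second timeout, the table size, the policy that the first host to trigger keeps the port until expiry, and all names (pt_rule, pt_hole, pt_find, pt_outbound, pt_inbound) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define PT_TIMEOUT 600  /* seconds a hole stays open; assumed value */
#define PT_MAX     8    /* table size; assumed value */

struct pt_rule { uint16_t trigger_port, open_port; };
struct pt_hole { uint16_t open_port; uint32_t lan_ip; long expires; };

/* IRC case from the abstract: outbound TCP 6667 opens inbound TCP 113. */
static const struct pt_rule rules[] = { { 6667, 113 } };
static struct pt_hole holes[PT_MAX];   /* expires == 0 means the slot is free */

/* Find the live hole for a WAN-side port, freeing timed-out slots on the way. */
static struct pt_hole *pt_find(uint16_t port, long now)
{
    for (size_t i = 0; i < PT_MAX; i++) {
        if (holes[i].expires && holes[i].expires <= now)
            holes[i].expires = 0;
        if (holes[i].expires && holes[i].open_port == port)
            return &holes[i];
    }
    return NULL;
}

/* LAN -> WAN packet: a destination port matching a rule opens or refreshes a hole. */
void pt_outbound(uint32_t lan_ip, uint16_t dport, long now)
{
    for (size_t r = 0; r < sizeof rules / sizeof rules[0]; r++) {
        if (rules[r].trigger_port != dport)
            continue;
        struct pt_hole *h = pt_find(rules[r].open_port, now);
        for (size_t i = 0; !h && i < PT_MAX; i++)
            if (!holes[i].expires)
                h = &holes[i];         /* no live hole yet: take a free slot */
        if (!h || (h->expires && h->lan_ip != lan_ip))
            continue;                  /* table full, or port held by another host */
        h->open_port = rules[r].open_port;
        h->lan_ip = lan_ip;
        h->expires = now + PT_TIMEOUT;
    }
}

/* WAN -> LAN packet: returns the LAN host to forward to, or 0 to drop. */
uint32_t pt_inbound(uint16_t dport, long now)
{
    struct pt_hole *h = pt_find(dport, now);
    return h ? h->lan_ip : 0;
}
```

Inbound traffic is dropped by default; a port is forwarded only while a LAN host keeps sending to the trigger port, which is the property the abstract relies on for internal network security.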
Keywords/Search Tags: Home Gateway, Linux Kernel, NAT, Port Triggering