
UbuntuHelp:ServersBehindNAT

From Ubuntu中文

Configuring servers to work behind NAT firewalls

Introduction

This page gives a general description of how to configure your NAT router to make servers on your Linux computer visible on the Internet. Home wireless routers are an example of NAT routers. It is assumed that you have already set your server up to work over a local network.

Background

The Internet can only handle a finite number of computers being online at once, up to a theoretical maximum of a little over 4 billion world-wide. That sounds like a lot, but we would need far more to make first-class citizens of all PCs, laptops, Internet-enabled phones, and other modern gadgets. One trick that has been developed in recent years is Network Address Translation, which allows one computer to give Internet access to all the other computers on its private network. Network address translation allows tens or hundreds of computers to use the Internet at once, while only using one of the 4 billion available Internet addresses. Network Address Translation ("NAT") has allowed the Internet to keep growing for many years, but setting up a server behind NAT requires extra work.

To see why this is necessary, consider the following situation: Alice and Bob live in the same house. They have one laptop each, and connect to the Internet through a wireless router. First, Alice tries to access www.ubuntu.com, which works fine - the router sees her connect to the web server, and passes the server's responses back to her. Then, Alice and Bob both set up web servers of their own, and ask Carol to access their web servers from her house. This doesn't work, because Network Address Translation means that Carol can only see the router. When Carol tries to connect to the router's web page, it has no way of knowing whether to forward the connection to Alice's or Bob's laptop.

To make it possible to access servers behind a NAT router, you have to give your router rules for deciding where connections should be forwarded to. In the above example, Alice could tell the router that ordinary attempts to connect to the web server should be sent to Bob's computer, but that requests on an alternate port should go to Alice's computer. That way, Carol would normally see web pages on Bob's computer, but could see Alice's computer if she knew which alternate port Alice was using.

Technical details

Every computer on the Internet has an Internet address (sometimes called an IP address). This address is a series of four numbers between 0 and 255, usually written in so-called "dotted quad" notation, like 1.2.3.4 or 255.254.253.252. Some addresses have special meanings, like 0.0.0.0, which is used as a placeholder where it wouldn't make sense to use a real address. Other IP addresses are reserved for special uses, like those that start with 192.168., which you can use freely on a private network, but which must never be seen on the public Internet.

Each computer on the Internet has a little over 65,000 "TCP ports" and a little over 65,000 "UDP ports" that other computers can connect to. So when you downloaded this web page, your computer connected to help.ubuntu.com's secure HTTP port (TCP port number 443) and asked for the page called /community/ServersBehindNAT. See Wikipedia's list of TCP and UDP port numbers for information about uses of particular port numbers. TCP and UDP are network protocols with very different uses, but you don't need to know anything about those differences in order to set a NAT router up.

Network Address Translation involves a network of computers, usually a private network where computers have addresses like 192.168.0.1 or 192.168.2.100, and a single gateway computer with a public IP address. The gateway computer rewrites ("translates") references to private addresses in outgoing messages to its public address, and translates its public address back to private addresses in incoming messages.

Procedure

In order to set a rule telling your router to forward a port, you need to know the following things:

  • what the IP address of your router is
  • what IP address your computer uses when talking to your router
  • which TCP or UDP port your server listens to on your computer
  • what TCP or UDP port you'd like your router to forward connections from
  • how to configure your router

Once you've set up your server to work over a local network, it's easy to find your IP address and what port(s) your server listens on. In GNOME, you can find both from the Network Tools application, available in System > Administration > Network Tools. Otherwise, you'll have to use the command line.

Network Tools

GNOME's Network Tools application is a collection of utilities to help with common network management jobs.

The first step is to find the IP address of your router. Go to the Netstat tab, press the Routing Table Information button and click Netstat. This will give you a list of all the rules your computer uses to decide where to send messages. Look down the list for a row with 0.0.0.0 in the leftmost column ("Destination"). This row tells your computer where to send messages destined for the public Internet, and the second column in that row ("Gateway") is the IP address of your router, which is probably something like 192.168.0.1 or 192.168.1.254. The rightmost column in the row ("Interface") tells you which device your computer uses to connect to your router, which is probably eth0 or eth1, and which you will need to know for the second step.

The second step is to find the IP address your computer uses to talk to the router. Go to the Devices tab, click the Network device drop-down list, and click on the device with the name you saw at the end of step one. This will give you a list of addresses for that interface. Look down the list for a row with "IPv4" in the leftmost column ("Protocol"). This row tells you the address your computer normally uses, as opposed to its IPv6 address, which is for a next-generation protocol that isn't widely used yet. The second column in the row ("IP Address") is the IP address your computer uses to talk to the router.

The third step is to find the TCP or UDP port your server listens on. This sometimes takes a bit of guesswork. Go to the Port Scan tab, click on the Network address text box, type in the address your computer uses to talk to the router, and click Scan. After a few seconds, this will give you a list of services on your computer, and the ports they are listening on. Look down the list for a row with the name of the service you want in the rightmost column ("Service"). This row tells you the port number for the service you want to make available. The leftmost column in the row ("Port") is the port number you want.

Now that you have your router's IP address, your IP address, and your port, you are ready to configure your router.

Command line

If you don't have access to GNOME's Network Tools, you can find the information you need on the command-line. If you're not sure what a command-line is, the CommandlineHowto is a gentle introduction. Once you have got to a command-line, paste the following in, then press enter:

# Find the default route (destination 0.0.0.0) in the routing table and print
# its gateway: that is your router.
netstat -r -n |
   sed -e "s/^0\.0\.0\.0 *\([0-9.]*\).*/\nYour router's IP address is: \1/p" -e d

# Take the interface name (last column) from that same default-route line and
# print that interface's IPv4 address. Older ifconfig prints "inet addr:A.B.C.D",
# newer versions print "inet A.B.C.D"; the optional \(addr:\)\? accepts both.
ifconfig $(netstat -r -n |
           sed -e "s/^0\.0\.0\.0 *.* \([^ ]*\)/\1/p" -e d
          ) |
   sed -e 's/ *inet \(addr:\)\?\([0-9.]*\).*/Your IP address is: \2/p' -e d

This will print your router's IP address and the IP address your computer uses when talking to your router. Next, type the following in, press enter, and type your password if necessary:

# List the listening IPv4 sockets together with the program that owns each
# (sudo is needed to see programs run by other users), then print one
# "port<TAB>program" line for every TCP socket in the LISTEN state.
sudo netstat --inet -lpn |
   sed \
    -e '1 s/.*/\nPick your port number from the following list of names\nNumber\tName/p' \
    -e 's/[^:]*:\([0-9]*\).*LISTEN *[^\/]*\/\(.*\)/\1\t\2/p' -e d

This will print a list that looks something like:

Pick your port number from the following list of names
Number  Name
3306    mysqld
6543    mythbackend
143     dovecot
80      apache2
6544    mythbackend
631     cupsd
25      master
21018   skype

This gives a list of services available on your computer - pick the port number for the one that you want. When you've picked the port you want, you are ready to configure your router.
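The one-line filter above shows only the port, not the address each service is bound to, and that matters for forwarding: a server that listens only on 127.0.0.1 cannot be reached by the router at all, however the forwarding rule is written, while one bound to 0.0.0.0 becomes reachable from the whole Internet once forwarded. The following script is an added example, not part of the original page; it parses a constructed sample of `netstat --inet -lpn` output embedded inline and reports, for each TCP listener, its port, program and whether a port forward could reach it.

```shell
#!/bin/sh
# Added example (not from the original page): classify the listening sockets
# that `sudo netstat --inet -lpn` reports, so that before adding a forwarding
# rule you can see which services the router could actually deliver traffic to.

# Constructed sample in the format of `netstat --inet -lpn` output; it was not
# captured from a real machine.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      987/mysqld
tcp        0      0 192.168.1.20:6543       0.0.0.0:*               LISTEN      1410/mythbackend
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      655/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           502/dhclient'

# Read netstat output on stdin and print one line per TCP listener:
#   <port> <program> <bind address> <reachability>
classify_listeners() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]; addr = a[1]   # "0.0.0.0:80" -> 0.0.0.0, 80
        split($7, p, "/"); prog = p[2]                     # "1201/apache2" -> apache2
        if (addr == "0.0.0.0")      reach = "all-interfaces" # reachable from the LAN and, if forwarded, the Internet
        else if (addr ~ /^127\./)   reach = "loopback-only"  # only this computer; a port forward cannot reach it
        else                        reach = "single-address" # reachable on that one LAN address
        print port, prog, addr, reach
    }'
}

# The question the page's third step asks: which port does <program> listen on,
# and can the router reach it? Prints "<port> <reachability>" or "not-listening".
port_for() {
    result=$(printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners |
             awk -v prog="$1" '$2 == prog { print $1, $4; exit }')
    if [ -n "$result" ]; then printf '%s\n' "$result"; else printf 'not-listening\n'; fi
}

# Ports a forwarding rule could usefully point at: every listener that is not loopback-only.
forwardable_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners |
        awk '$4 != "loopback-only" { print $1 }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
```

Replace the embedded sample with `sudo netstat --inet -lpn | classify_listeners` to run it against the real socket table.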

Configuring your router

Modern routers are fairly easy to configure, but all have slightly different interfaces. You will need to consult your router's manual for exact guidance.

Most modern routers can be configured through a web browser. To go to your router's home page, open a new tab in your browser and type in your router's IP address. If a page about your router doesn't appear, you will need to find another way of configuring your router. Although most routers have an information page that anyone can view, you will need to log in to change settings - again, consult your manual to find the details you need to provide.

Once you have logged in, you will need to find a page for configuring which ports to forward. Some routers have this information in a Virtual Servers page - if your router has a different name for it, please add that name to this document so that other people will know what to do.

When you have found the right page, you need to type in the IP address of your computer and the port your server listens on. You also need to type in the port that the router should listen on. It's best for the router to listen on the same port as your server, but you should choose a port with a similar-looking number if the port you want is in use. For example, web servers normally listen on port 80, but common alternative ports for web servers include 8000 and 8080. When you have typed your information in, save your changes and log out.

Finish

You should now be able to connect to your computer through your router's public IP address. If you don't know what that address is, you can normally find it from the router's home page. If you had to use an alternate port in the last setting, you will need to tell programs to use that port. For example, if your router's public IP address is 1.2.3.4 and you put your web server on port 8080, web browsers would have to go to http://1.2.3.4:8080/ in order to get to you.