LinuxQuestions.org
Old 02-07-2003, 11:07 AM   #1
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Rep: Reputation: 30
Quick Network Question (not a Linux problem)


I don't entirely understand the difference between NAT, port forwarding, and proxy servers.

If I'm not mistaken, the difference between NAT and port forwarding is that in NAT, it assigns a new port for the outgoing packet and then puts the old port back into the response packet while port forwarding just sends the packet through with the same port. If I'm wrong on this, please fill me in.

However, the difference between proxy and NAT escapes me entirely. Could anyone enlighten me?


This should be an easy one.
 
Old 02-07-2003, 11:27 AM   #2
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184
Here we go ...

NAT is a straight IP socket translator working at Layers 3 and 4. You can do one for one mappings, or use external address pools, or use a single external address and use something called port multiplexing, or overload if you are a Cisco buff. You can send any IP protocol through a NAT box (well almost, there are always exceptions to anything!). The NAT box does not, and does not need to, understand anything about the traffic except its IP socket info.

A proxy server is an application gateway working at Layer 7, which accesses things on your behalf. E.g. if you want to browse via a proxy server, your browser asks the proxy server for a page, the proxy server understands HTML and relays your request as if it had come from the proxy itself, hence performing the required private/public address changes in the process (which is why people confuse it with NAT).

Once you build this intelligence into the Proxy you can use it to cache pages, speeding up access and to filter ads and shite that you don't need. The downside to Proxying is that you cannot access anything via a proxy that the proxy does not itself understand.

If you want to access anything other than HTTP, SMTP and NNTP and standard stuff like that you have to use something called SOCKS, which is a method of tunneling things through a proxy as long as the proxy supports it.

Proxy servers are a mixed blessing if you ask me.

Hope this helps
 
Old 02-07-2003, 11:44 AM   #3
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Original Poster
Rep: Reputation: 30
Okay, that all made total sense. I had forgotten that proxies were high-level. I've only read about them, never actually dealt with one.

Is SOCKS something like NAT through a proxy? (and thus lower-level than standard proxy activity)
 
Old 02-07-2003, 11:59 AM   #4
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184
Sort of yes, I'm not particularly familiar with SOCKS, I just know what it's used for. The problem with SOCKS is that the applications you are using must also understand SOCKS to get through the SOCKS proxy.

I have seen a couple of programs called SOCKS wrappers which you execute non-SOCKS programs inside of, which then allows them to use SOCKS. It's all a bit horrible to be honest, I would tend to use proxy servers for what they are good for and let anything else NAT out via a firewall, bypassing the proxy altogether (just my personal preference). Some security buffs would probably object to this though.
 
Old 02-07-2003, 01:15 PM   #5
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Original Poster
Rep: Reputation: 30
Ah.

Was I correct about the difference between NAT and port forwarding? (in original post)
 
Old 02-07-2003, 06:21 PM   #6
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Re: Quick Network Question (not a Linux problem)

Quote:
Originally posted by gauge73
If I'm not mistaken, the difference between NAT and port forwarding is that in NAT, it assigns a new port for the outgoing packet and then puts the old port back into the response packet while port forwarding just sends the packet through with the same port.
I'll take a crack at that, and baldy can pipe in if I'm way off.

NAT does assign a new reply port (at least in the Linux kernel), it uses this to match the request to the NAT table so it can send the reply back to the original source. So if X sends a request out to port 80, reply at port 5000, this will go through NAT and be changed to something like reply at 4000, then when the NAT system gets the packet back on port 4000 it looks in its table for port 4000 and finds the info for changing the packet to get it back to X. NAT keeps a table of reply ports so it can look up how to change the port (and possibly the IP) back before sending the data to the original client.

see http://www.netfilter.org/unreliable-...inuxdoc-2.html

With port forwarding you set up a static port such as "every time I get a request at port 80, pass it to machine X"

SOCKS is just a proxy standard AFAIK.

AFAIK although a proxy works at a higher layer there are transparent proxies which act just like NAT as far as the client is concerned. And in the end even a regular proxy acts a lot like NAT, just that some of the lower network level changes are done by the proxy client and passed along at a higher level. This, and the fact that the English language definition of proxy fits what NAT does, is the reason that many people including myself sometimes use the terms interchangeably.
 
Old 02-08-2003, 09:42 AM   #7
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184
Well, a proxy server does achieve the same result with respect to translation of addresses, but really the internal TCP stream and the external TCP stream are two different streams. In NAT it is the same stream with the addresses altered on the way out.

Same visible result, totally different mechanism. If you scoped out the TCP on either side of a proxy server they wouldn't match. All the segment numbering, window sizing etc. would be different.

A port forwarder listens on a port, then diverts a UDP or TCP session that comes into that port to a different end point. I don't think port forwarding is that intelligent. What would happen if two TCP connections came into your destination-port listener from the same source port, I don't know. It would probably not work.

NAT on the other hand was designed to do that sort of stuff.

I think port forwarding is just a primitive form of NAT.
 
Old 02-08-2003, 01:45 PM   #8
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
I feel enlightened

So NAT just modifies incoming/outgoing packets and a proxy recreates them. Even though the effect is almost the same the method is entirely different.

With NAT I know you can turn on port forwarding, so say if your web server was inside your NAT firewall you could still have it serve web pages to the outside. I don't know if that helps define the difference though.
 
Old 02-09-2003, 11:34 AM   #9
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184
Yep the effect is almost the same, but with the upshot that everything you do is probably cached on the proxy, so be careful!

I see where the port forwarding reference comes from. You can port forward without NAT you see, I have a nifty util for Win and there's one for Linux too that allows incoming connections to your machine to be transparently bounced to somewhere else. If you want to be invisible on a Windows domain you can forward all references to ports 137 and 138 to another machine so if someone does an nbtstat to find out who you are, they end up looking at a server or something.

If you are natting out to the internet, then the only real address on the outside is the router's address, and normally the NATing router will be port multiplexing, so basically there is only one public address and no well known listeners available to connect to. If you try to browse to the router IP on port 80, you should (if the router is configured right) get nothing as the router isn't listening.

Port forwarding then allows you to get the router to listen to port 80 for instance on its outside IP address and when it sees an incoming connection it forwards it to a private address on the same (or optionally a different) port. Thus allowing internal services to be accessed by the only public address that exists on your network.

If I sound clued up about this it's cos I do it for a living
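
An added example, not part of any post in this thread: a toy Python model of the translation table and the port forward discussed in posts #6 to #9, showing which inbound packets reach the LAN and which are dropped. The class name, the addresses and the port pool starting at 4000 are assumptions made for illustration; it always allocates a fresh public port and is not how the kernel code is written.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Toy model of a NAT router's tables (not kernel code)."""
    public_ip: str = "203.0.113.1"   # constructed documentation address
    next_port: int = 4000            # assumed start of the public port pool
    out_map: dict = field(default_factory=dict)   # (proto, src, dst) -> public port
    in_map: dict = field(default_factory=dict)    # (proto, public port, remote) -> src
    forwards: dict = field(default_factory=dict)  # (proto, public port) -> internal

    def outbound(self, proto, src, dst):
        """Source NAT with port multiplexing: rewrite src and remember it."""
        key = (proto, src, dst)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(proto, self.next_port, dst)] = src
            self.next_port += 1
        return (self.public_ip, self.out_map[key]), dst

    def add_forward(self, proto, public_port, internal):
        """Static port forward: publish one internal socket on the public IP."""
        self.forwards[(proto, public_port)] = internal

    def inbound(self, proto, remote, public_port):
        """Internal (ip, port) the packet is delivered to, or None if dropped."""
        # A reply matches only the exact remote socket the flow was opened to.
        tracked = self.in_map.get((proto, public_port, remote))
        # Otherwise only a configured forward accepts a new inbound connection.
        return tracked or self.forwards.get((proto, public_port))

def demo():
    # All addresses below are constructed sample values.
    r, web, stranger = NatRouter(), ("198.51.100.7", 80), ("198.51.100.99", 40123)
    a = r.outbound("tcp", ("192.168.0.10", 5000), web)
    b = r.outbound("tcp", ("192.168.0.11", 5000), web)  # same source port, other host
    out = {
        "a_src": a[0], "b_src": b[0],
        "reply_a": r.inbound("tcp", web, a[0][1]),
        "reply_b": r.inbound("tcp", web, b[0][1]),
        "wrong_remote": r.inbound("tcp", stranger, a[0][1]),  # not the tracked peer
        "port80_before": r.inbound("tcp", stranger, 80),      # router not listening
    }
    r.add_forward("tcp", 80, ("192.168.0.20", 8080))
    out["port80_after"] = r.inbound("tcp", stranger, 80)      # now reaches the LAN
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

The forward is the only entry that lets a new connection from outside reach an internal host, so each one is an exposed service worth listing when reviewing a router's configuration.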

 
  

