NAT functions and classification

Source: Internet   Editor: 程序博客网   Date: 2024/05/20 18:45
The earlier classification of NATs is the four types defined by STUN (RFC3489):

   Full Cone: A full cone NAT is one where all requests from the
      same internal IP address and port are mapped to the same external
      IP address and port.  Furthermore, any external host can send a
      packet to the internal host, by sending a packet to the mapped
      external address.

   Restricted Cone: A restricted cone NAT is one where all requests
      from the same internal IP address and port are mapped to the same
      external IP address and port.  Unlike a full cone NAT, an external
      host (with IP address X) can send a packet to the internal host
      only if the internal host had previously sent a packet to IP
      address X.

   Port Restricted Cone: A port restricted cone NAT is like a
      restricted cone NAT, but the restriction includes port numbers.
      Specifically, an external host can send a packet, with source IP
      address X and source port P, to the internal host only if the
      internal host had previously sent a packet to IP address X and
      port P.

   Symmetric: A symmetric NAT is one where all requests from the
      same internal IP address and port, to a specific destination IP
      address and port, are mapped to the same external IP address and
      port.  If the same host sends a packet with the same source
      address and port, but to a different destination, a different
      mapping is used.  Furthermore, only the external host that
      receives a packet can send a UDP packet back to the internal host.

However, this definition was ambiguous in many places and caused confusion, so a new document, RFC4787, was published to define NAT behaviour, and the earlier classification of NATs was abandoned.

RFC4787 describes what a NAT does by splitting its behaviour into two parts: mapping and filtering.
Mapping: when a packet leaves, how it is mapped to an external IP + port;
Filtering: when a packet from outside reaches the NAT, whether it is forwarded to the internal PC.
The following address and port mapping behavior are defined:
      Endpoint-Independent Mapping:
         The NAT reuses the port mapping for subsequent packets sent
         from the same internal IP address and port (X:x) to any
         external IP address and port.  Specifically, X1':x1' equals
         X2':x2' for all values of Y2:y2.
      Address-Dependent Mapping:
         The NAT reuses the port mapping for subsequent packets sent
         from the same internal IP address and port (X:x) to the same
         external IP address, regardless of the external port.
         Specifically, X1':x1' equals X2':x2' if and only if, Y2 equals
         Y1.
      Address and Port-Dependent Mapping:
         The NAT reuses the port mapping for subsequent packets sent
         from the same internal IP address and port (X:x) to the same
         external IP address and port while the mapping is still active.
         Specifically, X1':x1' equals X2':x2' if and only if, Y2:y2
         equals Y1:y1.

The key behavior to describe is what criteria are used by the NAT to
filter packets originating from specific external endpoints.
      Endpoint-Independent Filtering:
         The NAT filters out only packets not destined to the internal
         address and port X:x, regardless of the external IP address and
         port source (Z:z).  The NAT forwards any packets destined to
         X:x.  In other words, sending packets from the internal side of
         the NAT to any external IP address is sufficient to allow any
         packets back to the internal endpoint.
      Address-Dependent Filtering:
         The NAT filters out packets not destined to the internal
         address X:x.  Additionally, the NAT will filter out packets
         from Y:y destined for the internal endpoint X:x if X:x has not
         sent packets to Y:any previously (independently of the port
         used by Y).  In other words, for receiving packets from a
         specific external endpoint, it is necessary for the internal
         endpoint to send packets first to that specific external
         endpoint's IP address.
      Address and Port-Dependent Filtering:
         This is similar to the previous behavior, except that the
         external port is also relevant.  The NAT filters out packets
         not destined for the internal address X:x.  Additionally, the
         NAT will filter out packets from Y:y destined for the internal
         endpoint X:x if X:x has not sent packets to Y:y previously.  In
         other words, for receiving packets from a specific external
         endpoint, it is necessary for the internal endpoint to send
         packets first to that external endpoint's IP address and port.
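As an added illustration (not part of the original post and not code from either RFC), the following Python model runs one fixed traffic pattern through a NAT configured with each of the three RFC4787 mapping behaviours and three filtering behaviours quoted above, and reports which mappings are reused and which inbound packets get through. It also gives the approximate RFC3489 name for each behaviour pair, which is where the ambiguity of the old scheme shows. The NAT public address 203.0.113.1, the internal host 10.0.0.5:5000 and the external peers are constructed sample values from documentation address ranges; the `Nat` class and the `demo` and `rfc3489_name` functions are names introduced here.

```python
"""Model of RFC 4787 NAT mapping and filtering behaviours (added example).

Notation follows the quoted RFC text: the internal endpoint X:x sends to
external endpoints Y:y; the NAT allocates an external endpoint X':x'.
All addresses below are constructed sample values.
"""
from itertools import count
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]

# Mapping behaviours: how X':x' is chosen for outbound packets.
EIM = "endpoint-independent mapping"
ADM = "address-dependent mapping"
APDM = "address-and-port-dependent mapping"

# Filtering behaviours: which inbound packets are forwarded to X:x.
EIF = "endpoint-independent filtering"
ADF = "address-dependent filtering"
APDF = "address-and-port-dependent filtering"


class Nat:
    """A NAT with one configurable mapping and one filtering behaviour."""

    def __init__(self, mapping: str, filtering: str,
                 public_ip: str = "203.0.113.1", first_port: int = 40000):
        self.mapping = mapping
        self.filtering = filtering
        self.public_ip = public_ip
        self._ports = count(first_port)
        # mapping key -> external endpoint X':x'
        self._mappings: Dict[tuple, Endpoint] = {}
        # external endpoint -> (internal endpoint, peers allowed back in)
        self._sessions: Dict[Endpoint, Tuple[Endpoint, Set[object]]] = {}

    def _mapping_key(self, src: Endpoint, dst: Endpoint) -> tuple:
        # EIM: one mapping per X:x; ADM: per (X:x, Y); APDM: per (X:x, Y:y).
        if self.mapping == EIM:
            return (src,)
        if self.mapping == ADM:
            return (src, dst[0])
        return (src, dst)

    def _filter_key(self, peer: Endpoint) -> object:
        # EIF: any peer passes; ADF: peer address must match; APDF: address and port.
        if self.filtering == EIF:
            return None
        if self.filtering == ADF:
            return peer[0]
        return peer

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Internal src sends to dst; return the external endpoint X':x' used."""
        key = self._mapping_key(src, dst)
        if key not in self._mappings:
            self._mappings[key] = (self.public_ip, next(self._ports))
        ext = self._mappings[key]
        _, peers = self._sessions.setdefault(ext, (src, set()))
        peers.add(self._filter_key(dst))  # remember who may now send back
        return ext

    def inbound(self, peer: Endpoint, ext: Endpoint) -> Optional[Endpoint]:
        """Packet from peer arrives at X':x'; return X:x if forwarded, else None."""
        if ext not in self._sessions:
            return None  # no mapping exists at all, so the packet is dropped
        internal, peers = self._sessions[ext]
        # With EIF the stored key is None, so every peer matches.
        return internal if self._filter_key(peer) in peers else None


def demo(mapping: str, filtering: str) -> Dict[str, bool]:
    """Run the same traffic pattern through a NAT and report what it does."""
    nat = Nat(mapping, filtering)
    X = ("10.0.0.5", 5000)         # internal host X:x
    Y1 = ("198.51.100.10", 3478)   # first external peer
    Y2 = ("198.51.100.10", 3479)   # same address as Y1, different port
    Y3 = ("198.51.100.20", 3478)   # different external address
    Z = ("192.0.2.99", 9999)       # never contacted by X
    x1 = nat.outbound(X, Y1)
    x3 = nat.outbound(X, Y3)
    reply_y1 = nat.inbound(Y1, x1) == X
    from_y2 = nat.inbound(Y2, x1) == X   # Y2 has not been contacted yet
    from_z = nat.inbound(Z, x1) == X
    x2 = nat.outbound(X, Y2)             # now contact Y2 as well
    return {
        "mapping_reused_for_other_address": x1 == x3,
        "mapping_reused_for_other_port_same_address": x1 == x2,
        "reply_from_contacted_peer": reply_y1,
        "packet_from_other_port_on_contacted_address": from_y2,
        "packet_from_unknown_address": from_z,
    }


def rfc3489_name(nat: Nat) -> str:
    """Approximate RFC 3489 label for an RFC 4787 behaviour pair."""
    if nat.mapping == APDM:
        return "Symmetric"
    if nat.mapping == ADM:
        return "no exact RFC 3489 class (one of the ambiguities RFC 4787 resolves)"
    return {EIF: "Full Cone", ADF: "Restricted Cone",
            APDF: "Port Restricted Cone"}[nat.filtering]


if __name__ == "__main__":
    for m, f in [(EIM, EIF), (EIM, ADF), (EIM, APDF), (ADM, ADF), (APDM, APDF)]:
        print(f"{m} + {f} -> {rfc3489_name(Nat(m, f))}: {demo(m, f)}")
```

The two behaviours are deliberately kept in separate methods: `outbound` decides only the mapping, `inbound` decides only the filtering, so each of the nine combinations is a property of the NAT rather than a separate type, which is exactly the change RFC4787 made to the old four-type scheme.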

Tools for testing the NAT type:
    1. http://nattest.net.in.tum.de/test.php
    2. winstun, using the STUN server stun.iptel.org for the test
