TeamF1, Inc. Enabling Embedded Innovations


GNAT is customizable for your unique application with the help of TeamF1’s expert professional services team. Contact us for customized implementations of GNAT with support for hardware acceleration using network processors and ASICs.


GNAT
Gateway Network Address Translator
GNAT is a high performance network address translator (NAT) designed for use in an embedded environment. Its core engine maps internal IP addresses to external ones using port translation (NAPT) based on pre-defined mapping rules. With support for bidirectional NAT, static and dynamic rule mappings, and reference Application Level Gateways (ALGs) such as FTP, GNAT can be used as a tiny yet flexible functional component in embedded networking devices that need to isolate a private network from a public one and increase the private IP address space available while using a single public IP address or a few of them. It also finds use in separating traffic on an in-system network (e.g. one based on an Ethernet backplane) from an external one. GNAT's small footprint, low latency and robustness make it the NAT of choice in embedded networking applications.
ds-3.02
GNAT Operation
GNAT typically operates on a gateway or router between an internal and external network and helps to conserve IP addresses. It does this by creating "local" networks, which are connected to the Internet using a single routable (public) IP address. GNAT maintains an address translation table containing active mappings of internal/external IP addresses and port numbers. These mappings are created dynamically based on rule-matching when a packet makes its way through GNAT. Based on the mappings, each IP datagram sent out with an internal IP source address has the source address field replaced by the appropriate external IP address and is re-injected into the packet stream. This process is reversed when a packet is received, since the mappings allow GNAT to determine the original requestor to which the packet should be forwarded. This makes possible a many-to-one address mapping, since many internal IP addresses can be mapped to one external IP address. Mappings are automatically deleted after a pre-configured inactivity time period.

Customization Flexibility

Support for port number ranges.

Configurable timeout and NAT table size.

Extensible architecture to support Application Level Gateways (ALGs).

Support for selectively disabling the incoming or outgoing direction on each interface.

Available in full-source format.

Customization hooks and callouts.

Inbound & Outbound Mappings
GNAT includes a redirection command to redirect inbound packets to a specified internal IP address. This allows external devices to initiate connections to internal NAT-ed nodes, which is necessary if the internal nodes are running servers (such as FTP or HTTP) that must be reachable from the outside. Besides inbound mapping, GNAT also supports redirection in the outgoing direction to allow services such as DNS port forwarding from the internal network.
Local Network Security
A useful feature of GNAT is its ability to hide private IP addresses on its internal side. The nodes on the internal network may freely establish connections with external nodes. Connections from the external side, however, can be blocked, or permitted in a controlled manner, by GNAT: it can allow just a few connections, or even no connections, to be established in this direction. GNAT thus offers security by assigning nodes on the internal network non-routable private IP addresses that are not directly reachable from potential threats on the outside.
Dynamic Firewall Interface
GNAT private IP address hiding complements the perimeter security of IP packet filtering firewalls. A unique feature of GNAT allows the association of a NAT mapping with a firewall rule. When the NAT entry is created, it also opens a firewall window. This allows for a convenient way to enable a dynamic firewall rule, allowing activity at specific ports when a connection is initiated from the internal side. The firewall window is closed when the NAT entry expires.
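The translation-table behaviour described in the GNAT Operation, Inbound & Outbound Mappings and Dynamic Firewall Interface sections above can be illustrated with a small NAPT model. The following is an added example written for this page, not TeamF1 code: the class and method names (Napt, outbound, inbound, add_redirect, tick) and the sample addresses are assumptions, and the "firewall window" is modelled simply as a set of (protocol, public port) pairs that exists exactly as long as the NAT entry that opened it.

```python
"""Toy NAPT engine: dynamic many-to-one mappings, static inbound
redirection, inactivity expiry, and a firewall window tied to each entry.
Added illustration for this page; names and addresses are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Mapping:
    internal: tuple        # (ip, port) on the private side
    external_port: int     # port used on the single public address
    last_seen: float       # clock value of the last packet that used the entry
    static: bool = False   # static redirections never time out


class Napt:
    def __init__(self, public_ip, timeout=300.0, max_entries=4, port_range=(40000, 40100)):
        self.public_ip = public_ip
        self.timeout = timeout          # configurable inactivity timeout
        self.max_entries = max_entries  # configurable NAT table size (dynamic entries)
        self.first_port, self.last_port = port_range  # configurable port number range
        self.table = {}                 # (proto, external_port) -> Mapping
        self.firewall_open = set()      # (proto, external_port) windows currently open
        self.clock = 0.0

    def tick(self, now):
        """Advance time; drop dynamic entries idle longer than the timeout.
        The firewall window closes together with the NAT entry."""
        self.clock = now
        for key, m in list(self.table.items()):
            if not m.static and now - m.last_seen > self.timeout:
                del self.table[key]
                self.firewall_open.discard(key)

    def add_redirect(self, proto, external_port, internal_ip, internal_port):
        """Static inbound mapping (the 'redirection' case): outside hosts can
        reach an internal server via public_ip:external_port."""
        key = (proto, external_port)
        self.table[key] = Mapping((internal_ip, internal_port), external_port, self.clock, static=True)
        self.firewall_open.add(key)

    def _alloc_port(self, proto):
        for port in range(self.first_port, self.last_port):
            if (proto, port) not in self.table:
                return port
        raise RuntimeError("port range exhausted")

    def outbound(self, pkt):
        """Translate a packet leaving the private network; returns None if dropped."""
        for key, m in self.table.items():   # reuse an existing entry for this source
            if key[0] == pkt.proto and m.internal == (pkt.src_ip, pkt.src_port):
                m.last_seen = self.clock
                return Packet(self.public_ip, m.external_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if sum(1 for m in self.table.values() if not m.static) >= self.max_entries:
            return None                     # table full: packet dropped
        port = self._alloc_port(pkt.proto)
        key = (pkt.proto, port)
        self.table[key] = Mapping((pkt.src_ip, pkt.src_port), port, self.clock)
        self.firewall_open.add(key)         # dynamic firewall window opens with the entry
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Reverse-translate a packet arriving on the public side. Packets with
        no mapping, and hence no open firewall window, are dropped (None)."""
        key = (pkt.proto, pkt.dst_port)
        m = self.table.get(key)
        if m is None or key not in self.firewall_open or pkt.dst_ip != self.public_ip:
            return None
        m.last_seen = self.clock
        ip, port = m.internal
        return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)


def demo():
    """Constructed scenario: one outbound flow, one static web redirect, one
    unsolicited inbound packet, then expiry of the dynamic entry."""
    nat = Napt("203.0.113.5", timeout=60.0)
    nat.add_redirect("tcp", 80, "192.168.1.20", 8080)
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    back = nat.inbound(Packet("198.51.100.7", 443, "203.0.113.5", out.src_port))
    stray = nat.inbound(Packet("198.51.100.9", 1234, "203.0.113.5", 40001))
    web = nat.inbound(Packet("198.51.100.9", 5555, "203.0.113.5", 80))
    nat.tick(61.0)                          # dynamic entry idle for longer than 60 s
    after = nat.inbound(Packet("198.51.100.7", 443, "203.0.113.5", out.src_port))
    return out, back, stray, web, after


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running demo() shows the four behaviours the text describes: the first outbound packet creates an entry and its reply is mapped back to the original requestor, the unsolicited packet to an unmapped port is dropped, the static redirection delivers the web request to the internal server, and once the inactivity timeout passes the dynamic entry and its firewall window vanish together so the same reply is now dropped.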
Application Level Gateways
Some TCP/IP protocols embed addressing information in the payload of packets. For example, during an "active" FTP connection, the client informs the server of its IP address & port number and then waits for the server to open a connection to that address. GNAT has to monitor these packets and modify them on the fly to replace the client's IP address (which is on the internal network) with the NAT-ed address. This requires defining specialized application level gateway modules (ALGs) for every protocol that uses IP addresses in packet payloads. GNAT supplies an implementation of the FTP ALG which can be used as a reference for any other protocols that require a specialized ALG.
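The active-FTP case described above can be made concrete with a minimal ALG that rewrites the client's PORT command as it crosses from the private to the public side. This is an added example for this page, not TeamF1's FTP ALG: the function names, the mapping dictionary returned to the NAT engine and the sample addresses are assumptions. It also reports the change in payload length, because a real ALG must adjust TCP sequence and acknowledgement numbers when the rewritten command is shorter or longer than the original.

```python
"""Minimal FTP ALG for the client-side PORT command (active mode).
Added illustration for this page; names and addresses are hypothetical."""
import re

# PORT h1,h2,h3,h4,p1,p2 : four address octets and a 16-bit port split into two bytes
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(payload):
    """Return (ip, port) from a PORT command payload, or None if malformed."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    v = [int(x) for x in m.groups()]
    if any(x > 255 for x in v):
        return None
    return ".".join(str(x) for x in v[:4]), v[4] * 256 + v[5]


def build_port(ip, port):
    """Encode (ip, port) back into the comma-separated PORT syntax."""
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)).encode()


def ftp_alg_outbound(payload, public_ip, internal_ip, alloc_port):
    """Rewrite a PORT command sent by internal_ip towards an external server.

    Returns (new_payload, mapping, length_delta). 'mapping' is the inbound
    entry the NAT engine must install so the server's data connection to
    public_ip:external_port is delivered to the client's listening socket;
    it is None when nothing was rewritten. Only addresses that belong to the
    sending client are rewritten, so a payload naming some other host never
    causes a mapping to be created."""
    parsed = parse_port(payload)
    if parsed is None:
        return payload, None, 0
    ip, port = parsed
    if ip != internal_ip:
        return payload, None, 0
    ext_port = alloc_port()
    new = build_port(public_ip, ext_port)
    mapping = {"external": (public_ip, ext_port), "internal": (ip, port)}
    return new, mapping, len(new) - len(payload)


def demo():
    """Constructed sample: client 192.168.1.10 listens on port 51223 (200*256+23)
    and the NAT's public address is 203.0.113.5; the allocator hands out 40010."""
    ports = iter([40010])
    payload = b"PORT 192,168,1,10,200,23\r\n"
    return ftp_alg_outbound(payload, "203.0.113.5", "192.168.1.10", lambda: next(ports))


if __name__ == "__main__":
    new_payload, mapping, delta = demo()
    print(new_payload, mapping, delta)
```

The rewritten command becomes "PORT 203,0,113,5,156,74", one byte shorter than the original, and the returned mapping is what ties the server's subsequent data connection back to the client behind the NAT. The same structure (match the command, rewrite the embedded address, hand a mapping to the NAT engine, report the length delta) is what any other payload-embedding protocol's ALG would follow.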

[Figure: INSECTS "bump-on-the-stack" model]

Portable Private Networks
GNAT’s setup of a "local" network on its internal side, with its own private IP address scheme, allows for maximum address portability since this network can be connected to any external network without any IP address change for the internal nodes. This is particularly useful in embedded environments where the "local" network may be part of a single embedded system. GNAT allows such applications to refer to the internal addresses without reference to the external IP address in use, which may change based on DHCP assignment, or inclusion of the embedded devices in a customer network.
Management Framework
GNAT supports a customizable management interface presented through a string-based command layer, which can be controlled through a web server, through structured data files such as XML, or via a CLI. Support for rule numbering makes it easy to override rules at any level. Management of nodes on the internal network is also eased, since they can be assigned private IP addresses that do not change even if the external IP address changes when the device is connected to a different external network.


© 2007 TeamF1, Inc.
