Port Forwarding; Protecting Against A Syn Flood Attack - Siemens RUGGEDCOM ROX II User Manual

Chapter 5
Setup and Configuration
Table: RFC1918 Reserved IP Address Blocks
IP Network/Mask
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
When a packet from a host on the internal network reaches the NAT gateway, its source address and source
TCP/UDP port number are recorded. The address and port number is translated to the public IP address and
an unused port number on the public interface. When the Internet host replies to the internal host's packet, it is
addressed to the NAT gateway's external IP address at the translation port number. The NAT gateway searches
its tables and makes the opposite changes it made to the outgoing packet. NAT then forwards the reply packet to
the internal host.
Translation of ICMP packets happens in a similar fashion, but without the source port modification.
NAT can be used in static and dynamic modes. Static NAT (SNAT) masks the private IP addresses by translating
each internal address to a unique external address. Dynamic NAT translates all internal addresses to one or more
external addresses.
Section 5.17.1.4

Port Forwarding

Port forwarding, also known as redirection, allows traffic coming from the Internet to be sent to a host behind the
NAT gateway.
Previous examples have described the NAT process when connections are made from the Intranet to the
Internet. In those examples, addresses and ports were unambiguous.
When connections are attempted from the Internet to the Intranet, the NAT gateway will have multiple hosts on
the Intranet that could accept the connection. It needs additional information to identify the specific host to accept
the connection.
Suppose that two hosts, 192.168.1.10 and 192.168.1.20 are located behind a NAT gateway having a public
interface of 213.18.101.62. When a connection request for http port 80 arrives at 213.18.101.62, the NAT
gateway could forward the request to either of the hosts (or could accept it itself). Port forwarding configuration
could be used to redirect the requests to port 80 to the first host.
Port forwarding can also remap port numbers. The second host may also need to answer http requests. As
connections to port 80 are directed to the first host, another port number (such as 8080) can be dedicated to the
second host. As requests arrive at the gateway for port 8080, the gateway remaps the port number to 80 and
forwards the request to the second host.
Port forwarding also takes the source address into account. Another way to solve the above problem could be
to dedicate two hosts 200.0.0.1 and 200.0.0.2 and have the NAT gateway forward requests on port 80 from
200.0.0.1 to 192.168.1.10 and from 200.0.0.2 to 192.168.1.20.
Section 5.17.1.5

Protecting Against a SYN Flood Attack

RUGGEDCOM ROX II responds to SYN packets according to the TCP standard by replying with a SYN-ACK
packet for open ports and an RST packet for closed ports. If the device is flooded by a high frequency of SYN
packets, the port being flooded may become unresponsive.
270
Address Range
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
RUGGEDCOM ROX II
CLI User Guide
Port Forwarding