0

For example, a computer behind a NAT router uses Skype. Skype uses port 4000 to send packets to a server to establish indirect connections with other Skype clients.

Since Skype had sent a packet to the server first, the server can obviously send packets back to the router that utilizes NAT.

My question is, considering the router is using NAT, is that server allowed to send packets to any open/forwarded ports that the NAT has, or only port 4000?

I know that Skype servers are not malicious at all; it was only an example.

1
  • Two quick points: if your machine has a buffer overflow vulnerability, then the response from a malicious site could infect your machine. Plus, when you connect to a malicious site, it knows that your IP is active, so it can scan for open ports and try to exploit known vulnerabilities on any ports it finds.
    – AFH
    Commented Mar 14, 2015 at 16:44

2 Answers

0

For incoming traffic initiated by others: A malicious host can always send data to any port of your router (port scanning). If the port is not forwarded, your router may decide whether to drop the unsolicited packet or politely respond that the connection is invalid. If the port was forwarded, then it will reach the end host behind the router.

For outgoing traffic initiated by your host: There is no rule on which origin port you must use to communicate with the Skype relay server. Also, on your end host, Skype might use TCP 4000, but NAT might actually use another port to send the message, say port A. The Skype server only sees port A, not port 4000. If the Skype server responds to a port other than A, then the situation described in "For incoming traffic" applies. If the Skype server responds back to port A, then NAT routes this back to your host by sending to port 4000.

To clarify: The NAT (Network Address Translator) is your router. And don't confuse the part "For incoming traffic" as the network response to your host. It actually means the external server is the first who talks to your host so as to establish a connection.

4
  • I don't think this answers the question as it ignores established/related!
    – davidgo
    Commented Mar 14, 2015 at 2:16
  • How is that? At most you may say it is not an exhaustive answer. The OP did not ask for listening ports, which your answer largely revolves around. But I would not say you did not answer the question, as it provided supplementary info.
    – guest
    Commented Mar 14, 2015 at 14:10
  • @guest According to Wikipedia (not a reliable source, but still interesting) it claims that "An external host (hAddr:any) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:any. "Any" means the port number doesn't matter." Why isn't it "iAddr:any" instead of "iAddr:iPort"?
    – Raffat
    Commented Mar 14, 2015 at 15:45
  • @Raffat I meant the same as Wiki. I wrote "any port of your router", that is "eAddr", but not the end host "iAddr".
    – guest
    Commented Mar 14, 2015 at 16:01
0

The simple answer is "it can only send packets (to the client behind the NAT router) to the port that sent the packet". This is largely but not entirely correct though.

The answer depends on the way IPTables is set up, the port in question and the modules used. Simple NAT devices would only allow mapping traffic to the same port that it came from; however, not all devices are so simple. In Linux and other OSs you get "stateful firewalls", which typically use "established and related" ports, along with various modules which look at connection states - so, for example, if an outbound FTP request is made (port 21), the router may also open up port 20 for data if the FTP module is loaded. It may also be possible for FTP to open other ports, and a malicious server might be able to do this to access an arbitrary high-numbered port. Some common tracking modules which might be leveraged include FTP, SIP, Netbios, PPTP, gre, tftp, h323, irc. There is a bug, CVE-2014-8160, which may allow arbitrary bypassing of the firewall when using connection tracking under certain conditions - possibly in the way you contemplate.

It would be pretty difficult for a malicious server to open up other ports, but it may not be impossible. Of course, you would need something vulnerable listening on the other ports - and (under Linux), you could mitigate this risk by ensuring your connection tracking rules come after rules denying general access on those ports.
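The two answers above describe the same mechanism from different angles: the first says the server's reply only reaches the LAN host at the external port its own flow was mapped to ("port A"), and the second adds that a connection-tracking helper can register a RELATED expectation for some other port, so rule order decides whether that gets through. The toy model below is an added example written for this page, not code from either answer or from any NAT implementation. It models an address-restricted NAT (the "hAddr:any" rule quoted from Wikipedia in the comments) in front of an ordered rule chain; every address, port, the 8080 service and the `helper_expect` call standing in for an FTP-style helper are constructed for illustration. It also goes slightly beyond the thread by showing the reply to the wrong port and a scan of an unrelated port being dropped in the same run.

```python
# Added example, not from the original thread. Toy address-restricted NAT with
# a stateful, ordered rule chain. Addresses, ports and the helper are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ToyNat:
    def __init__(self, ext_ip, first_ext_port=30000):
        self.ext_ip = ext_ip
        self.next_ext_port = first_ext_port
        self.mapping = {}    # (int_ip, int_port) -> ext_port
        self.reverse = {}    # ext_port -> (int_ip, int_port)
        self.contacted = {}  # ext_port -> set of external IPs this flow sent to
        self.expected = {}   # ext_port -> (int_ip, int_port), set by a helper
        self.rules = []      # ordered (name, match(pkt, state) -> bool, verdict)

    def outbound(self, pkt):
        """Translate a LAN packet; allocate an external port on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.mapping:
            ext_port = self.next_ext_port
            self.next_ext_port += 1
            self.mapping[key] = ext_port
            self.reverse[ext_port] = key
        ext_port = self.mapping[key]
        self.contacted.setdefault(ext_port, set()).add(pkt.dst_ip)
        return Packet(self.ext_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def helper_expect(self, ext_port, int_ip, int_port):
        """Hypothetical helper: expect a new inbound connection on ext_port
        and treat it as RELATED to the LAN host's session."""
        self.expected[ext_port] = (int_ip, int_port)

    def classify(self, pkt):
        # Address-restricted rule from the thread: the external host may reach
        # eAddr:ePort only if iAddr:iPort already sent to that host (any port).
        if pkt.src_ip in self.contacted.get(pkt.dst_port, set()):
            return "ESTABLISHED"
        if pkt.dst_port in self.expected:
            return "RELATED"
        return "NEW"

    def inbound(self, pkt):
        """Return (translated packet or None, name of the deciding rule)."""
        state = self.classify(pkt)
        for name, match, verdict in self.rules:
            if match(pkt, state):
                break
        else:
            return None, "policy-drop"   # nothing matched: default deny
        if verdict == "DROP":
            return None, name
        if state == "ESTABLISHED":
            int_ip, int_port = self.reverse[pkt.dst_port]
        elif state == "RELATED":
            int_ip, int_port = self.expected[pkt.dst_port]
        else:
            return None, "no-forward"     # accepted, but no port forward exists
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port), name


def weak_chain():
    # Common order: generic conntrack accepts first, the deny rule after them.
    return [
        ("established", lambda p, s: s == "ESTABLISHED", "ACCEPT"),
        ("related", lambda p, s: s == "RELATED", "ACCEPT"),
        ("deny-high", lambda p, s: p.dst_port >= 1024, "DROP"),
    ]


def hardened_chain():
    # Replies to the host's own flows still pass; the deny now sits before the
    # RELATED accept, so a helper-registered high port cannot get past it.
    return [
        ("established", lambda p, s: s == "ESTABLISHED", "ACCEPT"),
        ("deny-high", lambda p, s: p.dst_port >= 1024, "DROP"),
        ("related", lambda p, s: s == "RELATED", "ACCEPT"),
    ]


def run_demo(chain):
    host, server, ext_ip = "192.168.1.10", "198.51.100.20", "203.0.113.5"
    nat = ToyNat(ext_ip)
    nat.rules = chain
    out = nat.outbound(Packet(host, 4000, server, 33033))  # Skype-style flow
    port_a = out.src_port                                  # the answer's "port A"
    reply, _ = nat.inbound(Packet(server, 33033, ext_ip, port_a))
    wrong_port, _ = nat.inbound(Packet(server, 33033, ext_ip, port_a + 1))
    scan, _ = nat.inbound(Packet(server, 33033, ext_ip, 22))
    nat.helper_expect(40000, host, 8080)                   # helper opens 40000
    related, rule = nat.inbound(Packet(server, 5555, ext_ip, 40000))
    return {
        "port_a": port_a,
        "reply_dst": (reply.dst_ip, reply.dst_port) if reply else None,
        "wrong_port_delivered": wrong_port is not None,
        "scan_delivered": scan is not None,
        "related_delivered": related is not None,
        "related_rule": rule,
    }


if __name__ == "__main__":
    for label, chain in (("weak", weak_chain()), ("hardened", hardened_chain())):
        print(label, run_demo(chain))
```

With the weak chain the server's reply to port A is delivered to the host on 4000, the reply to A+1 and the probe of port 22 are dropped, but the helper-registered port 40000 is delivered to 8080. With the hardened chain only the last result changes: the deny rule fires before the RELATED accept, which is the ordering the second answer recommends, while the ESTABLISHED rule stays first so the host's own flows keep working.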
