
==========What Is My IP: how it works==========

To look up the public IP you use to reach the Internet, you first have to understand NAT.

See the topology:

[Figure 01.png: topology]

Simulating 「What Is My IP」 with SSH:

[Figure 02.png: SSH login seen from the server]

win7 is the SSH client, ubuntu is the SSH server, and R1 is the broadband router everyone has at home.

win7 connects to ubuntu over ssh. Its IP is 100.1.1.1; it enters the username and password and logs in to the SSH server successfully. On ubuntu, running 「w」 or 「who」 shows who is logged in to this server. In the example I appear to be coming from 200.2.2.2, which is R1's g1/0, not 192.168.1.1. This is because, to the outside network, a NAT router is just one host.

Now swap SSH for What Is My IP: the principle is unchanged, only SSH becomes HTTP, and the public IP the server sees for me is necessarily still 200.2.2.2. The exception is when the path from your computer to the remote server passes through several layers of NAT routers; then your public IP is that of the NAT router farthest from you, the outermost one. That is not necessarily the NAT router closest to the server, because we are looking at this from the perspective of a client reaching the Internet, not from the perspective of hosting a server, for example giving a server a private IP and then configuring NAT on the router to forward TCP 22 and 80 inbound to that particular host.
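To make the NAT behaviour above concrete, here is an added example (not code from the original post) modelling source NAT with a translation table. It shows that the server records the outside address of the outermost NAT router, and that the reply only finds its way home because each router kept a table entry. The router objects, subnets and the server address 203.0.113.10 are constructed for the illustration; the chain of two routers goes beyond the post's single-router topology to show the "outermost router" rule.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src sport dst dport")   # one IP/TCP header, minus everything else

@dataclass
class NatRouter:
    """A NAT (PAT) router: the subnet behind it and the public IP of its outside interface."""
    inside_net: str                      # e.g. "100.1.1.0/24"
    outside_ip: str                      # e.g. "200.2.2.2", R1's g1/0 in the post
    table: dict = field(default_factory=dict)  # outside port -> (inside src, inside sport)
    next_port: int = 40000

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the inside network and remember the mapping."""
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.inside_net):
            return pkt                   # not from behind this router: passes untouched
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport)
        return Packet(self.outside_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Undo the translation for a reply; with no table entry the reply has nowhere to go."""
        if pkt.dst != self.outside_ip or pkt.dport not in self.table:
            return None
        src, sport = self.table[pkt.dport]
        return Packet(pkt.src, pkt.sport, src, sport)

def send_through(pkt, routers):
    """Carry the client's packet outward through the NAT chain, innermost router first."""
    for r in routers:
        pkt = r.outbound(pkt)
    return pkt

def reply_through(pkt, routers):
    """Carry the server's reply back inward, outermost router first; None means dropped."""
    for r in reversed(routers):
        pkt = r.inbound(pkt)
        if pkt is None:
            return None
    return pkt

def what_is_my_ip(client_ip, routers, server_ip="203.0.113.10"):
    """Return (address the server records for the client, whether the reply gets back to the client)."""
    request = send_through(Packet(client_ip, 51515, server_ip, 22), routers)
    reply = reply_through(Packet(server_ip, 22, request.src, request.sport), routers)
    return request.src, reply is not None and reply.dst == client_ip
```

With a single router `NatRouter("100.1.1.0/24", "200.2.2.2")` and the client 100.1.1.1, `what_is_my_ip` returns `('200.2.2.2', True)`, exactly what 「w」 showed on ubuntu.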

 

==========Hiding an IP: how it works==========

Can an IP address be hidden? Given today's computing standards and network technology, how could it be? Routers as shipped by every vendor do not check the source IP by default; they only match the destination IP against the most specific entry in the routing table and then forward out the corresponding interface. So an IP packet can be routed to the target host, but if the source IP is hidden, nothing can see it and nothing can get back: the outbound packet is reachable, the return packet is unreachable.

I will not discuss multicast source-tree and shared-tree algorithms here; they look similar to IP hiding but mean something entirely different. Separately, unicast Reverse Path Forwarding (uRPF) is not aimed only at hidden IPs; it prevents denial-of-service attacks that use spoofed source IPs.

There are in fact many ways to hide an IP, but the idea is roughly the same. I will introduce one of them: connecting to a VPN with a proxy service enabled.
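The two points above, "forward reachable, return unreachable" and uRPF, can be shown on a toy routing table. This is an added example, not from the original post; the routes, interface names and sample packets are constructed for a router in R1's position. It implements the strict and loose uRPF checks and, as real routers commonly do, ignores the default route for the check unless explicitly allowed.

```python
import ipaddress

# Constructed routing table for a router like R1: (prefix, egress interface).
ROUTES = [
    ("192.168.1.0/24", "g0/0"),   # inside LAN
    ("200.2.2.0/24",   "g1/0"),   # link toward the ISP
    ("0.0.0.0/0",      "g1/0"),   # default route to the rest of the Internet
]

def lookup(ip, routes=ROUTES, allow_default=True):
    """Longest-prefix match. Returns the egress interface, or None when no route covers ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue                     # a default route proves nothing about a source address
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def urpf_accept(src_ip, ingress, mode="strict", routes=ROUTES, allow_default=False):
    """Decide whether a packet with source src_ip arriving on interface ingress passes uRPF.

    loose : the source only needs some route back (a reply could at least be sent somewhere).
    strict: the route back must point out the interface the packet came in on.
    """
    back = lookup(src_ip, routes, allow_default)
    if back is None:
        return False                     # forward-reachable, return-unreachable: the post's case
    return True if mode == "loose" else back == ingress

def dropped_by_urpf(packets, mode="strict"):
    """Filter a list of (src_ip, ingress) pairs, returning the ones uRPF would discard."""
    return [(s, i) for s, i in packets if not urpf_accept(s, i, mode)]

# Constructed sample traffic as seen by R1.
SAMPLE = [
    ("192.168.1.10", "g0/0"),   # a LAN host talking out: legitimate
    ("192.168.1.10", "g1/0"),   # our own LAN prefix arriving from the Internet: spoofed
    ("200.2.2.2",    "g0/0"),   # LAN host claiming the router's public address: spoofed
    ("203.0.113.7",  "g1/0"),   # Internet host with only the default route back
]
```

`dropped_by_urpf(SAMPLE)` discards the last three entries in strict mode; in loose mode only the one whose source has no route back (other than the default) is discarded.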

[Figure 1-1.png: free VPN server]

[Figure 1-3.png: topology]

(1) Find a free VPN server on the Internet to test with, and install a VPN adapter on your computer to connect to it; the provider usually supplies a username, password and hostname. PPTP (TCP 1723) was originally developed by Microsoft, but it and L2TP (UDP 1701) later both became standards. Don't worry about which one to choose, because by default they are negotiated automatically.

(2) If the connection comes up, go to 「What Is My IP」; it will usually show the VPN server's IP, which on Windows you can look up with 「nslookup <server name>」. If the connection fails but the server still answers ping with ICMP echo replies, the provider may have shut the service down, or may have kicked your session off.

(3) Referring to the topology: before connecting to the VPN, the public IP should be 209.165.1.2; after connecting, it should be 176.126.231.217. The VPN itself rides on ordinary L3 routing (packets get there and get back), but once the VPN is up all traffic goes out the VPN adapter, so when I visit What Is My IP it is the VPN server that asks for my IP on my behalf.

(4) Leaving aside whether a commercial or free VPN is fast, stable or secure enough, people normally connect to a VPN only when they need it. And the VPN I am talking about is one for end users, not for routers.

Before connecting to the VPN, your host's ARP table should contain only the local segment, i.e. 192.168.1.254, the MAC of R1's inside interface; after connecting, see the figure below.

[Figure 1-2.png: cmd on Windows, ARP table after the VPN connection]

You can clearly see that the ARP table has become huge! This is because of the VPN proxy: whenever my host browses google, youtube, facebook or anything else, it sends an ARP request, and the VPN server answers with an ARP reply handing the remote IP back to me. The more sites you visit, the bigger the ARP table, which of course is bad for the host's performance and takes up a considerable amount of memory.

Most network devices disable the proxy function by default for security reasons; otherwise, whatever I wanted to ask, I could just throw the packet at the gateway! Back to the topic: this is not really hiding the IP, it is asking another host to act as a proxy.

Finally, if the user's computer reaches the Internet over PPPoE, you get a similar result. Incidentally, why does 「arp -a」 show no physical addresses? Because PPP is a point-to-point, directly connected network type: the computer believes those IP networks are reached directly, so no MAC address is needed. I am the PPPoE client and the other end is the telecom's PPPoE side.
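The ARP-table growth described above can be reproduced in a small model. This is an added example, not code from the original post: it simulates a PC on the home LAN (R1 at 192.168.1.254 answering ARP only for itself) against a PC on a VPN link whose adapter treats every destination as on-link and whose VPN server has proxy ARP enabled. The addresses, MACs and the on-link-everything mask for the VPN adapter are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Neighbour:
    """Something on the link that may answer ARP: the home router or the VPN server."""
    ip: str
    mac: str
    proxy_arp: bool = False              # answer for addresses that are not its own

    def answer_arp(self, target_ip):
        return self.mac if (target_ip == self.ip or self.proxy_arp) else None

@dataclass
class Client:
    """The user's PC: one interface, a mask, a gateway and an ARP cache."""
    ip: str
    net: str                             # what the interface believes is on-link
    gateway: str
    arp_table: dict = field(default_factory=dict)

    def resolve(self, dst_ip, neighbours):
        """Pick the address to ARP for, send the request, cache whatever answers."""
        on_link = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.net)
        ask = dst_ip if on_link else self.gateway   # off-link traffic goes to the gateway's MAC
        if ask not in self.arp_table:
            for n in neighbours:
                mac = n.answer_arp(ask)
                if mac:
                    self.arp_table[ask] = mac
                    break
        return self.arp_table.get(ask)

SITES = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]   # constructed stand-ins for google, youtube, facebook

def browse(client, neighbours, sites=SITES):
    """Visit each site once and report the ARP table size afterwards."""
    for s in sites:
        client.resolve(s, neighbours)
    return len(client.arp_table)

def home_lan():
    """Before the VPN: PC behind R1 (192.168.1.254); R1 answers ARP only for itself."""
    pc = Client("192.168.1.10", "192.168.1.0/24", "192.168.1.254")
    return browse(pc, [Neighbour("192.168.1.254", "aa:bb:cc:00:00:01")]), pc.arp_table

def vpn_link():
    """After the VPN: every address looks on-link, and the proxy-ARP server answers them all (assumed)."""
    pc = Client("10.8.0.2", "0.0.0.0/0", "10.8.0.1")
    return browse(pc, [Neighbour("10.8.0.1", "aa:bb:cc:00:00:02", proxy_arp=True)]), pc.arp_table
```

`home_lan()` ends with one ARP entry (the gateway) no matter how many sites are visited; `vpn_link()` ends with one entry per site, all pointing at the VPN server's MAC.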


==========What Is My IP principles==========

For rookie engineers: you must understand NAT before you can query your own public IP address.

The first image is the topology; the next simulates 「What Is My IP」 with SSH.

win7 is the SSH client, ubuntu is the SSH server, and R1 is the IP router.

win7, whose IP address is 100.1.1.1, connects to ubuntu over ssh, enters the username and password and logs in to the SSH server successfully.
After entering the command 「w」 or 「who」 on ubuntu I can see which users are logged in to the server and their source IP addresses.
Example: I am logged in from address 200.2.2.2, which is also R1's interface g1/0. The IP address is not 192.168.1.1, because to the external network the NAT router is a single host.

Then swap SSH for HTTP (What Is My IP): the public IP address it shows for me is still 200.2.2.2, unless the packets from client to server are routed over multiple NAT routers.
In that case your public IP address is that of the NAT router farthest from you, which is not necessarily the NAT router nearest the server.
This is from the point of view of a client surfing the Internet, not from the point of view of building a server.
For example, I give the server a private IP address and then set up NAT translation on the router, e.g. forwarding TCP 22 and TCP 80 to a specific host.

 

==========Hide IP principles==========

Can an IP address be hidden? By today's computer standards and network technology, it is impossible!
Routers by default do not check the source IP address of a packet; they only match the destination IP address against the most specific entry in the routing table and forward it out the corresponding interface.
So the IP packets are routed to the remote host, but with the source IP address unknown the forward direction is reachable and the return direction is unreachable.

I will not discuss the source-tree and shared-tree algorithms of multicast. Although they resemble hiding the source IP address, the meaning is different.
Another topic is uRPF (unicast Reverse Path Forwarding), which prevents source IP address spoofing and DoS/DDoS attacks.

Actually, many methods can hide the source IP address, and the concepts are all similar. I will introduce one method: a VPN connection with proxy service enabled.

The image shows the free VPN server; the next is the topology.

(1) I need a free VPN server on the Internet to test with, and I install a VPN interface to connect to it; the provider gives a username, password and hostname (or domain name).
PPTP (TCP 1723) was developed by Microsoft. It and L2TP (UDP 1701) have since become standards. Don't worry about which protocol to choose, because the client and server auto-negotiate.

(2) If the VPN connection succeeds, you can access 「What Is My IP」; the address shown is in fact the VPN server's. Run 「nslookup [domain name]」 on Windows to confirm.
If the VPN connection fails but the server still answers ping with ICMP echo replies, the provider may have disabled the VPN service or dropped your session.

(3) According to the topology: before the VPN connection the public IP address is 209.165.1.2; after the VPN connection it is 176.126.231.217.
Although the VPN connection itself relies on L3 routing (packets are reachable in both directions), once the VPN connection is established traffic is sent through the VPN interface.
So when I access 「What Is My IP」, it is the VPN server's IP address that reaches 「What Is My IP」.

(4) Regardless of whether the VPN is commercial or free, and regardless of bandwidth, connection stability or security, a VPN is used only when there is a need for it. I mean VPN for end users, not for routers.
Before the VPN connection the ARP table holds only the local network, such as 192.168.1.254, the MAC address of R1's internal interface. See the next image for the state after the VPN connection.

The cmd window on Windows.

You can see that the ARP table is very large. Because of the VPN proxy service, when I access google, youtube, facebook and so on, I send an ARP request to the VPN server, and it sends back an ARP reply carrying the target IP address for me.
The more websites you visit, the more the ARP table grows!

So in fact the source IP address is not hidden; rather, the host is a client of a proxy function.

Lastly, if the user's computer accesses the Internet by PPPoE, you get a similar result. Incidentally, why does the command 「arp -a」 show no physical addresses?
PPP (Point-to-Point Protocol) is a point-to-point network type; the computer believes these IP networks are reached directly.
So the computer does not need a MAC address. I am the PPPoE client end; the other end is the telecom's.
