
Can an HTTP/HTTPS server be hosted on the port which was opened after TCP hole punching?


Let us consider a scenario where client A is behind NAT A and client B is behind NAT B. TCP hole punching happens, which opens a port on both sides for communication. Can client A host an HTTP/HTTPS server on the open port?


Solution

  • TCP hole punching works only for the specific TCP connection which can be established because a) both sides somehow know the source port of the peer up-front and b) start a TCP handshake with the peer at the same time. Only then is a NAT state established, which is also only valid for this specific connection (source IP, port and destination IP, port).

    An external client will not match the existing NAT state because the source IP, port do not match the existing state. A new state will also not be created from inside just because there is some web server listening. So while the web server could be hosted behind the NAT, it will not be reachable from outside the NAT.
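The state matching described in the answer above can be modelled in a few lines. This is an added example, not part of the original answer; it assumes a NAT that filters on the full connection tuple with a port-preserving mapping, and all addresses, ports and names (`Nat`, `Endpoint`, `simulate`) are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

@dataclass
class Nat:
    """Toy NAT (assumption): state is keyed on the full connection tuple."""
    public_ip: str
    # (public port, remote endpoint) -> internal endpoint
    states: dict = field(default_factory=dict)

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """A packet leaving the inside creates state for exactly this connection."""
        public = Endpoint(self.public_ip, internal.port)  # port-preserving (simplification)
        self.states[(public.port, remote)] = internal
        return public

    def inbound(self, source: Endpoint, public_port: int):
        """Return the internal endpoint on a state match, else None (packet dropped)."""
        return self.states.get((public_port, source))

def simulate():
    # Constructed sample topology using documentation address ranges.
    nat_a, nat_b = Nat("198.51.100.10"), Nat("203.0.113.20")
    client_a = Endpoint("192.168.1.2", 40000)
    client_b = Endpoint("10.0.0.5", 50000)

    # Hole punching: each side knows the peer's public endpoint up-front
    # and sends its SYN at the same time, creating state in its own NAT.
    pub_b = Endpoint(nat_b.public_ip, client_b.port)
    pub_a = nat_a.outbound(client_a, pub_b)
    nat_b.outbound(client_b, pub_a)

    # Client A now also runs a web server on port 40000. Listening emits no
    # packet, so outbound() is never called and NAT A gains no new state.
    browser = Endpoint("192.0.2.77", 51515)  # unrelated external client
    return {
        "peer_b_to_a": nat_a.inbound(pub_b, pub_a.port),
        "peer_a_to_b": nat_b.inbound(pub_a, pub_b.port),
        "browser_to_a": nat_a.inbound(browser, pub_a.port),
        # Same peer IP but a different source port is a different connection.
        "peer_b_new_conn": nat_a.inbound(Endpoint(pub_b.ip, 50001), pub_a.port),
    }

if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {'forwarded to ' + str(result) if result else 'dropped'}")
```

Only the two punched directions are forwarded; the browser and even a second connection from peer B's own address are dropped because neither matches the stored tuple.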