Traditionally, hosts behind a NAT device have no way of opening additional ports for special services such as FTP or SIP. This causes a series of problems, such as inaudible audio in the case of SIP or rejected connections in FTP. UPnP allows us to open ports from the client side. This feature can also be useful in scenarios where we want to open a listening socket and connect to it from the outside. Without UPnP, this connection would be rejected by the NAT device.
We install the necessary Python libraries:
emerge -av dev-python/miniupnpc
The script in question is as follows:
vi upnp.py
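import miniupnpc

upnp = miniupnpc.UPnP()
# Time to wait for discovery replies, in milliseconds; raise it if no device answers
upnp.discoverdelay = 10
# Search the LAN for UPnP devices (returns the number of devices found)
upnp.discover()
# Select the Internet Gateway Device; raises an exception if none was found
upnp.selectigd()
port = 4321
# addportmapping(external-port, protocol, internal-host, internal-port, description, remote-host)
# An empty remote-host means the mapping accepts connections from any source address
upnp.addportmapping(port, 'TCP', upnp.lanaddr, port, 'testing', '')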
We run it:
python upnp.py
We open a listening socket on that port:
nc -l -p 4321
We connect from the outside, going through the NAT:
telnet WANIP 4321
Trying WANIP...
Connected to WANIP.
Escape character is '^]'.
This demonstrates that NAT does not protect us from certain more complex attacks like this one.
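Since a client on the LAN can create a mapping like the one above, it is worth checking what the gateway is currently forwarding. The following is an added example, not part of the original article: it compares the gateway's UPnP mappings against an allowlist, assuming the tuple layout returned by miniupnpc's getgenericportmapping(); the allowlist, addresses and sample entries are constructed.

```python
# Expected mappings: (external port, protocol, internal host). Constructed values.
ALLOWED = {(51413, "TCP", "192.168.1.20")}

# Constructed sample in the tuple layout miniupnpc's getgenericportmapping() returns:
# (ext_port, protocol, (int_host, int_port), description, enabled, remote_host, lease)
SAMPLE = [
    (51413, "TCP", ("192.168.1.20", 51413), "torrent", "1", "", 0),
    (4321, "TCP", ("192.168.1.37", 4321), "testing", "1", "", 0),
]


def fetch_mappings():
    """Read all mappings from the IGD; needs miniupnpc and a UPnP-enabled gateway."""
    import miniupnpc  # local import so the audit logic runs without the library

    upnp = miniupnpc.UPnP()
    upnp.discoverdelay = 200  # milliseconds
    upnp.discover()
    upnp.selectigd()
    mappings, index = [], 0
    while True:
        entry = upnp.getgenericportmapping(index)  # None past the last entry
        if entry is None:
            return mappings
        mappings.append(entry)
        index += 1


def unexpected_mappings(mappings, allowed=frozenset(ALLOWED)):
    """Return enabled mappings that are not on the allowlist."""
    findings = []
    for ext_port, proto, (int_host, int_port), desc, enabled, rhost, _lease in mappings:
        if str(enabled) != "1":
            continue  # disabled entries forward nothing
        if (ext_port, proto.upper(), int_host) in allowed:
            continue
        findings.append({
            "external_port": ext_port, "protocol": proto.upper(),
            "internal": f"{int_host}:{int_port}", "description": desc,
            "any_source": not rhost,  # empty remote host = reachable from anywhere
        })
    return findings


if __name__ == "__main__":
    # Swap SAMPLE for fetch_mappings() to audit a live gateway.
    for finding in unexpected_mappings(SAMPLE):
        print("unexpected mapping:", finding)
```

An unexpected entry can be removed with miniupnpc's deleteportmapping(external_port, protocol), and disabling UPnP on the gateway prevents new ones from being created.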