NAT

From LQWiki
Jump to: navigation, search

NAT is an acronym for Network Address Translation. Originally developed by CISCO. Its purpose is to act as a gateway for a LAN to an external network (usually the internet). Simply put multiple hosts on the internal private LAN can access the external network by sending a request to the NAT gateway (usually a router) which replaces the source address of the TCP/IP packet, this means to the outside world every host on the internal network appears as one with the external IP address of the NAT device; this is known as IP masquerading.

NAT performs a one to one mapping (many to one is achieved using PAT) of address space. Each internal address - usually a private unregistered address - is translated to a public IP assigned by an ISP. NAT can perform mapping for a specified range of public IP addresses if multiple available. However, only as many hosts on the internal network as there are public addresses can access the external network (the variant PAT is used to connect multiple hosts through a single IP).

External IP addresses are assigned two ways:

  • Statically - Where each internal IP is given an external IP address manually. This is suitable for making servers available externally.
  • Dynamically - Where the external address is assigned on the fly from a defined table of possible IP addresses.

So what are the practical uses of NAT?

  • Security - As the inside network is effectively invisible to the outside world security is increased, plus there is only one point of entry to the network to secure. For this reason a NAT device is often referred to as a firewall but a firewall does not automatically mean that it performs network address translations.
  • Allowing multiple computers to connect to external network but only specific machines, such as webservers keeping all other hosts seperate from external network.

To find out if you are behind a NAT, see http://www.amibehindnat.com.

NAT is often problematic when you need to accept external connection directly to your host. This is when you have a server running on your computer listening on a socket, for example if you want to host a web server or share files via p2p. In that case you'll need to configure your NAT device to redirect certains port (port forwarding) to a certain internal computer.

Nowadays routers support the uPnP protocol that makes this task easier, but sometimes you'll still need to get your hands on the router configuration.

Configuring a NAT

In Linux this is done with iptables.

Here is quick start to get source NAT up and running. Needed information is the external network device (e.g. eth0) and the public IP (e.g. 1.2.3.4). Fill in these two items in the following commands:

# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables --table nat --append POSTROUTING --out-interface $NETWORK_DEVICE --jump SNAT --to-source $PUBLIC_IP

Now configure the machine(s) one the LAN to use this one as the gateway. This should get it working quickly, test it out. If it works it's time to think about security, e.g. add a --source to limit the machines for which NAT is performed. For more complete example see:

See also