Linux NAT (Network Address Translation)
NAT is the rewriting of a packet’s source or destination address as it passes through a router or firewall. There are many reasons why an administrator might want to rewrite an IP packet’s source or destination address. The most common reason by far is to access the Internet from hosts that use private IP addresses.
Today, practically all private businesses and home networks use private IP addresses. There is no need to use real IP addresses except on the Internet-facing external WAN. Sometimes, an administrator may use private addressing within a DMZ for web servers and other semi-private resources purely for performance.
So why can’t these private-addresses work on the Internet?
These internal IP addresses are not unique. Private address blocks were IANA’s (Internet Assigned Numbers Authority) tactic to slow down the depletion and possible exhaustion of the IPv4 address range. By handing out these private address blocks for use within private networks, real IP addresses could be conserved for the cases where they were actually required on the Internet.
The private address blocks IANA made available for administrators to freely use in their networks are:
Administrators were free to use these addresses at will and subnet them to their hearts’ desire, because no one else would see these addresses outside of the network boundaries. These addresses were once perfectly legitimate addresses. What happened is that, by setting them aside for anyone to use, they were no longer unique: hundreds if not millions of small networks were using the same IP address range. Private addresses on the Internet are designated by IANA, and all gateway routers are configured by default to filter them out on their egress interfaces. If any privately addressed packets do escape into the wild, they are dropped at the next-hop router anyway.
NAT is a solution to this problem, because NAT facilitates a way for private addressed hosts to access the Internet. NAT, by rewriting the source address with a “real” IP address, which it cleverly borrows from the external WAN interface, ensures the packets are now compliant and able to traverse the Internet.
NAT in Practice
In the following scenario, there is a small private network that has three computers: one is a Linux server, which will be configured as a router to allow all three machines to share the one ADSL internet connection.
| Host Name | IP Address | Gateway |
|---|---|---|
| Linux01 | Ethernet 0 = 192.168.1.1 (DHCP server); Ethernet 1 = 184.108.40.206 | 0/0/0/0 via 220.127.116.11 |
| Windows-01 | 192.168.1.2 (DHCP client) | 192.168.1.1 |
| Windows-02 | 192.168.1.3 (DHCP client) | 192.168.1.1 |
Step 1 – When configuring NAT on a Linux box, the administrator should ensure that some prerequisites are already configured, or at least installed, on the Linux distribution. These are iptables and the packet filter framework it drives, called Netfilter. With Netfilter installed and two or more network interfaces, the administrator can use the iptables command set to make the Linux box act as a router and perform NAT.
```shell
# IMPORTANT: Activate IP-forwarding in the kernel!
# Disabled by default!
# (This setting does not survive a reboot; put net.ipv4.ip_forward=1
# in /etc/sysctl.conf to make it persistent.)
$> echo "1" > /proc/sys/net/ipv4/ip_forward
# Load various modules. Usually they are already loaded
# (especially for newer kernels), in that case
# the following commands are not needed.
# Load iptables module:
$> modprobe ip_tables
# activate connection tracking
# (connection's status are taken into account)
$> modprobe ip_conntrack
# Special features for IRC:
$> modprobe ip_conntrack_irc
# Special features for FTP:
$> modprobe ip_conntrack_ftp
# On current kernels these three modules are named nf_conntrack,
# nf_conntrack_irc and nf_conntrack_ftp.
```
Now the iptables module is loaded and configured to forward IP packets.
The next step is to configure an iptables rule that rewrites the source address of IP packets leaving the network with the external IP address of the Internet-facing interface.
Step 2 –

```shell
# Connect a LAN to the internet
$> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
```
The syntax here is as follows:
- -t nat = select the NAT table for configuration
- -A POSTROUTING = append a rule to the POSTROUTING chain
- -o eth1 = match packets that leave the external network interface Ethernet 1
- -j MASQUERADE = the action to take: masquerade the packets, i.e. rewrite the source IP address with the address of Ethernet 1 as the packets are forwarded out of that interface
Step 3 –
The other local Windows clients point to the Linux box’s internal Ethernet interface 192.168.1.1 as the default gateway via DHCP.
Packets with a source address in the 192.168.1.x range arriving from the other network hosts on the internal interface (Ethernet 0) will be routed out of Ethernet 1 to the Internet with a source address of 18.104.22.168.
All that remains is to check the configuration by browsing the internet from the Windows clients.
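Steps 1 to 3 gathered into one script, as an added example that is not from the article. It generates an iptables-restore ruleset for the Linux01 router and adds two things a practitioner wants beside the MASQUERADE rule: stateful FORWARD rules (once ip_forward is on, a box with an ACCEPT forward policy relays traffic in both directions, so the WAN side is only allowed to send replies), and a sanity check that the LAN block is RFC 1918 space and the WAN address is not, which catches the "private address on the Internet" mistake the article describes. The RFC 1918 blocks are well-known facts, not taken from the page; eth0, eth1 and 192.168.1.0/24 come from the table above; the WAN address 203.0.113.5 is a constructed documentation address; the function names and the `--apply` flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Builds (and optionally
# applies) the ruleset for the Linux01 router: LAN on eth0, WAN on eth1.

# RFC 1918 private blocks (well-known fact, not listed on the page).
PRIVATE_BLOCKS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip_to_int 192.168.1.2 -> 3232235778 (dotted quad to 32-bit integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET/PREFIX : true when ADDR lies inside the block
in_cidr() {
    cidr_addr=$(ip_to_int "$1")
    cidr_net=$(ip_to_int "${2%/*}")
    cidr_prefix=${2#*/}
    cidr_mask=$(( 4294967296 - (1 << (32 - cidr_prefix)) ))
    [ $(( cidr_addr & cidr_mask )) -eq $(( cidr_net & cidr_mask )) ]
}

# is_private_ipv4 ADDR : true for RFC 1918 space
is_private_ipv4() {
    for blk in $PRIVATE_BLOCKS; do
        if in_cidr "$1" "$blk"; then return 0; fi
    done
    return 1
}

# nat_ruleset LAN_IF WAN_IF LAN_NET WAN_ADDR
# Prints an iptables-restore ruleset: MASQUERADE on the WAN interface plus a
# stateful FORWARD policy (LAN -> WAN allowed, WAN -> LAN only for replies).
# Fails when the addressing plan is wrong: LAN must be private, WAN must not.
nat_ruleset() {
    lan_if=$1 wan_if=$2 lan_net=$3 wan_addr=$4
    if ! is_private_ipv4 "${lan_net%/*}"; then
        echo "error: LAN $lan_net is not RFC 1918 space, NAT is not needed" >&2
        return 1
    fi
    if is_private_ipv4 "$wan_addr"; then
        echo "error: WAN address $wan_addr is private and unusable on the Internet" >&2
        return 1
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# apply_nat LAN_IF WAN_IF LAN_NET WAN_ADDR : enable forwarding and load the
# ruleset atomically with iptables-restore (needs root).
apply_nat() {
    rules=$(nat_ruleset "$@") || return 1
    sysctl -w net.ipv4.ip_forward=1
    printf '%s\n' "$rules" | iptables-restore
}

# Without --apply the script only prints the ruleset for review.
case "${1:-}" in
    --apply) apply_nat eth0 eth1 192.168.1.0/24 "${2:?usage: $0 --apply WAN_ADDR}" ;;
    *) nat_ruleset eth0 eth1 192.168.1.0/24 "${2:-203.0.113.5}" ;;
esac
```

The ruleset is loaded with iptables-restore rather than a series of iptables calls so that the FORWARD policy and its accept rules land together; applying them one by one leaves a window in which either everything or nothing is forwarded. After applying, the Windows clients should browse normally and `conntrack -L` (or `/proc/net/nf_conntrack`) shows their connections with the WAN address as the rewritten source.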
Other NAT Actions
The scenario above is a very common reason for implementing NAT within a network. In this case, the Linux router rewrote the source address of the packets leaving the network with the public IP address of the external interface Eth-1.
However there are other options available:
```shell
# In the following the table selection, the command and the match pattern
# will be abbreviated using [...]
# Source-NAT: Change sender to 22.214.171.124
$> iptables [...] -j SNAT --to-source 126.96.36.199
# Mask: Change sender to outgoing network interface
$> iptables [...] -j MASQUERADE
# Destination-NAT: Change recipient to 188.8.131.52, port 22
$> iptables [...] -j DNAT --to-destination 184.108.40.206:22
# Redirect to local port 8080
$> iptables [...] -j REDIRECT --to-ports 8080
```
The options above are:
- SNAT = Source NAT – similar to the example above, except that a specific IP address is supplied rather than taken from an interface
- DNAT = Destination NAT – rewrites the destination address of the packet with the supplied address (and, optionally, port)
- REDIRECT – referred to as port redirection; the packet is sent to a local port on the Linux box itself (8080 in the listing above). This is helpful when accessing a host on a private address from the Internet.
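The DNAT and REDIRECT targets listed above, as an added example that is not from the article. Both functions print the iptables commands rather than running them, so the rules can be reviewed first and then piped into `sh`. The point the listing does not show is that a DNAT rule alone is not enough on a router whose FORWARD policy is DROP: nat PREROUTING rewrites the destination before filter FORWARD sees the packet, so the FORWARD rule must accept the new connection to the internal host and port. The example assumes the stateful FORWARD rules of the masquerading setup (replies accepted via ESTABLISHED,RELATED). Interface names, the internal host 192.168.1.2, the public port 2222 and the function names are this example's own; port 22 and local port 8080 are the values from the listing.

```shell
#!/bin/sh
# Added example, not from the original article: a port forward (DNAT) and a
# local port redirect (REDIRECT), each printed as the iptables commands to run.

# dnat_rules WAN_IF PUBLIC_PORT INTERNAL_ADDR INTERNAL_PORT
# Forwards TCP connections arriving on WAN_IF:PUBLIC_PORT to the internal
# host. The rule is restricted to one protocol and port so that only that
# service is exposed, and the FORWARD rule matches the already-rewritten
# destination because nat PREROUTING runs before filter FORWARD.
dnat_rules() {
    d_wan=$1 d_pub=$2 d_host=$3 d_port=$4
    case "$d_pub$d_port" in
        *[!0-9]*) echo "error: ports must be numeric" >&2; return 1 ;;
    esac
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$d_wan" "$d_pub" "$d_host" "$d_port"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$d_wan" "$d_host" "$d_port"
}

# redirect_rules LAN_IF PORT LOCAL_PORT
# Sends LAN traffic bound for PORT to LOCAL_PORT on the Linux box itself (the
# REDIRECT target), e.g. a transparent proxy listening on 8080. The INPUT
# rule lets the redirected packets reach that local service.
redirect_rules() {
    r_lan=$1 r_port=$2 r_local=$3
    case "$r_port$r_local" in
        *[!0-9]*) echo "error: ports must be numeric" >&2; return 1 ;;
    esac
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$r_lan" "$r_port" "$r_local"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$r_lan" "$r_local"
}

# Constructed sample (review the output, then pipe it into sh as root):
# expose the internal SSH server 192.168.1.2:22 on WAN port 2222, and send
# LAN web traffic to a local proxy on port 8080.
dnat_rules eth1 2222 192.168.1.2 22
redirect_rules eth0 80 8080
```

Two caveats worth checking after loading the rules: the DNAT entry only fires for connections that arrive on the WAN interface, so LAN clients that address the public IP will not reach the internal host unless a further SNAT rule is added for that hairpin path; and `iptables -t nat -L PREROUTING -n -v` should show the counters of the DNAT rule increasing when a test connection is made from the outside, while `iptables -L FORWARD -n -v` shows the matching ACCEPT.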