Network Address Translation (or NAT) is a form of lying. It's something that firewalls, or routers in general, can do with the IP addresses in the headers of packets they forward. The result is that the details of the interior network are hidden, because the device doing NAT is effectively lying, masquerading as though it simultaneously were all the hosts inside the networks it is hiding.
Let's say that you have a cable modem, or a DSL interface. And you just connect your computer to the Internet. Dangerous if you're using Windows, but a lot of people do this. Your connection to the world might look something like this, where modem is your cable modem or DSL interface:
+----+    +-------+
| PC +----+ modem +----> ISP ---> The World
+----+    +-------+
Well, that's how you see it from your house. Using my connection as an example, it's a bit more detailed:
                       (-------------------------------)    (----------)
                       (                               )    (          )
+----+    +-------+    (     comcast.net network       )    ( Internet )   Other ISPs
| PC +----+ modem +----+                               +----+ backbone +---> and thus
+----+    +-------+    ( 98.192.0.0 - 98.255.255.255   )    (          )   The World
                       (     CIDR: 98.192.0.0/10       )    (----------)
                       (-------------------------------)
Firefox users may find that "monospace" isn't really a constant-width font, and Courier works much better for ASCII art.
For an explanation of IP addresses, the slash notation, CIDR blocks, and more, see either:
— My TCP/IP page, or
— 3com's great white paper, referenced on my TCP/IP page
Now, if you look up your PC's IP addressing, using the commands described on my page of TCP/IP commands, we can update the diagram:
                       (---------------------)    (----------)
                       (       My ISP        )    (          )
+----+    +-------+    (                     )    ( Internet )   Other ISPs
| PC +----+ modem +---[+]  98.192.0.0/10      +----+ backbone +---> and thus
+----+^   +-------+   ^(  98.192.0.0 --      )    (          )   The World
      |               |(  98.255.255.255     )    (----------)
      |               |(---------------------)
      |               |
 98.192.96.47    98.192.96.1
                  My default router, see the network commands to find this address.
                  It runs DHCP (Dynamic Host Configuration Protocol)
                  to assign IP address/netmask, default gateway,
                  and DNS servers to the computer.
It is just one hop from my host to my default gateway, which means, in network-speak, that we're adjacent. Verify this with the following command, changing the IP address to that of your default gateway:
traceroute 98.192.96.1
Or, if you're stuck using Windows:
tracert 98.192.96.1
The important thing is that the modem isn't there in terms of IP addresses. While it does crucial things with signals, it isn't really part of the networking topology as far as networks and routing are concerned.
Now you go to the store and buy one of those "SOHO" (Small Office / Home Office) router/firewall boxes. They only cost about US$ 20-40. What's in it? Quite a bit, actually. A typical router box really contains all this:
<-Interior                                  Exterior->
+----------------------------------------------------+
|  +--------+    +----------+    +------+            |
|]-+        |    |  Linux   |    |cable |            |
|  |        +----+  or BSD  +----+or DSL+------------[
|]-+        |    | firewall |    |modem |            |
|  |        |    +----------+    +------+            |
|]-+ 5-port |                                        |
|  |Ethernet|    Firewall does:                      |
|]-+ switch |    * NAT                               |
|  +--------+    * Filtering rules                   |
|                * DHCP client on its exterior side  |
|  4 Ethernet    * DHCP server on its interior side  |
|  ports exposed                                     |
+----------------------------------------------------+
D-Link TM-G5240 802.11g wireless router, Cisco EZXS88W 8-port Ethernet switch, and MFJ-1278 multi-mode data controller. Small Internet access routers like this D-Link unit implement NAT.
On its exterior port, the firewall is a DHCP client, and acts just like your PC did to get an IP connection to the world.
On its interior side, the firewall is a DHCP server for a private IP address space used inside your organization. RFC 1918 specifies a set of private blocks of IP addresses.
| Class | CIDR Block     | IP Address Range              |
|-------|----------------|-------------------------------|
| A     | 10.0.0.0/8     | 10.0.0.0 - 10.255.255.255     |
| B     | 172.16.0.0/12  | 172.16.0.0 - 172.31.255.255   |
| C     | 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255 |
So you plug your NAT firewall into where your PC used to go, and your PC into one of the firewall's Ethernet jacks. And other computers, and/or other Ethernet switches, into the other ports. So now you have something like this:
      192.168.0.0/16
     internal network
          (-----)           Firewall             (---------------)    (----------)
PC1-------+     )   +-----------------------+    (    My ISP     )    (          )
          (     )   | +-------+   +-------+ |    (               )    ( Internet )   Other ISPs
PC2-------+ LAN +---+-+  NAT  +---+ modem +-+---[+] 74.128.0.0/12 +----+ backbone +--> and thus
          (     )  ^| +-------+^  +-------+ |   ^(               )    (          )   The World
PC3-------+     )  |+----------|------------+   |(               )    (----------)
          (     )  |           |                |(---------------)
switch----+     )  |           |                |
||||||    (     )  |     98.192.96.47      98.192.96.1
||||||    (-----)  |     Firewall's        Firewall's default router,
||||||             |     external          the next hop toward the
PC4-PC16           |     IP address        core of the Internet
             192.168.0.254
             All PCs' default
             gateway, and the
             firewall's internal
             IP address.
The NAT device is lying about the internal network. It pretends that the internal network doesn't exist, and that the firewall is really everything you have inside. And remember:
Run a shell script like the following at boot time to enable NAT. Make sure you get this right: it really matters where you use regular quote characters (ASCII 0x27, typically just to the left of the <Enter> key, at least on US keyboards) and where you use back-quote characters (ASCII 0x60, typically somewhere in the upper left region of the keyboard, at least on US keyboards).
#!/bin/sh
# Turn on IP forwarding (routing)
echo '1' > /proc/sys/net/ipv4/ip_forward
# Figure out what the external IP address is.
# This assumes that eth0 is the external port.
# Note the back-quotes: the command's output becomes the variable's value.
EXT_IPADDR=`ifconfig eth0 | grep 'inet addr' | cut -d : -f 2 | awk '{print $1}'`
# Turn on NAT: rewrite the source address of everything leaving eth0
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "${EXT_IPADDR}"
Linux machine running NAT at the Los Angeles Conference Center. Overworked Cisco routers in the background could not handle the load.
The kernel maintains the "NAT table", the list of currently masqueraded connections. Put another way, it keeps track of the lies it's telling and keeps them consistent. You can view the NAT table by displaying a kernel data structure:
cat /proc/net/ip_conntrack
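As an added illustration (not code from the original page), the following Python sketch models what the SNAT rule and the conntrack table above do together, and also checks addresses against the RFC 1918 blocks from the table earlier: outbound packets get the firewall's external address and a fresh port, replies are mapped back through the table, and an inbound packet with no table entry is dropped. The SourceNat class, the Packet fields and the sample addresses other than 98.192.96.47 are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
# Constructed values for the demo: the page's external address and the three RFC 1918 blocks.
EXT_IP = "98.192.96.47"
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def is_rfc1918(ip):
    """True if ip falls inside one of the private blocks from the table above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)

@dataclass(frozen=True)
class Packet:          # only the header fields NAT looks at
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class SourceNat:
    """Hypothetical model of the SNAT rule plus the kernel's conntrack table."""
    def __init__(self, ext_ip, first_port=1024):
        self.ext_ip = ext_ip
        self.next_port = first_port
        self.out = {}   # (int_ip, int_port, dst_ip, dst_port) -> external port
        self.back = {}  # (external port, dst_ip, dst_port) -> (int_ip, int_port)

    def outbound(self, pkt):
        """Interior -> exterior: rewrite the source to ext_ip and a unique port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out:          # new flow: remember the lie so replies can be undone
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = port
            self.back[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.ext_ip, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Exterior -> interior: un-translate only replies to a tracked flow."""
        entry = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.ext_ip or entry is None:
            return None                  # no table entry: dropped, the interior host stays hidden
        return Packet(pkt.src_ip, pkt.src_port, *entry)

def demo():
    # Two PCs pick the same source port for the same web server; NAT keeps them apart.
    nat = SourceNat(EXT_IP)
    a = nat.outbound(Packet("192.168.0.10", 40000, "203.0.113.5", 80))   # PC1
    b = nat.outbound(Packet("192.168.0.11", 40000, "203.0.113.5", 80))   # PC2
    reply_a = nat.inbound(Packet("203.0.113.5", 80, EXT_IP, a.src_port))
    reply_b = nat.inbound(Packet("203.0.113.5", 80, EXT_IP, b.src_port))
    stray = nat.inbound(Packet("198.51.100.9", 4444, EXT_IP, 22))        # unsolicited
    return a, b, reply_a, reply_b, stray
```

The real kernel also tracks protocol and connection state and times entries out; this model keeps only the address/port mapping that the ip_conntrack listing exposes.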
At the SIGGRAPH Conference in Los Angeles in 2005, we used one Linux host with a 3 GHz CPU to do address translation for the entire conference site.
The Linux machine was handling over 9500 simultaneous network connections and its CPU was still something over 99% idle.
We did this because a $15,000 Cisco router did not have the needed performance. Cisco routers are extremely good at routing, which can be done in hardware. NAT takes processing, and routers traditionally have not had very powerful CPUs. The last I heard, the Los Angeles Conference Center was looking into Linux. And, Cisco seems to be moving away from slower Motorola CPUs to IA64 systems, basically PC motherboards.
© Bob Cromwell Mar 2010. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache.