How NAT Works


How can you get away with telling lies?

Network Address Translation (or NAT) is a form of lying. It's something that firewalls, or routers in general, can do about IP addresses.

Using a NAT Firewall

Let's say that you have a cable modem, or a DSL interface. And you just connect your computer to the Internet. Dangerous if you're using Windows, but a lot of people do this. Your connection to the world might look something like this, where modem is your cable modem or DSL interface:

+----+    +-------+
| PC +----+ modem +----> ISP ---> The World
+----+    +-------+

Well, that's how you see it from your house. Using my connection as an example, it's a bit more detailed:


                       (-----------------------------)    (----------)
                       (    insightbb.com network    )    (          )
+----+    +-------+    (                             )    ( Internet )     Other ISPs
| PC +----+ modem +----+       really att.com        +----+ backbone +---> and  thus
+----+    +-------+    ( 74.128.0.0 - 74.143.255.255 )    (          )     The World
                       (  CIDR:       74.128.0.0/12  )    (----------)
                       (-----------------------------)

For an explanation of IP addresses, the slash notation, CIDR blocks, and more, see either:
— My TCP/IP page, or
— 3com's great white paper, referenced on my TCP/IP page

Now, if you find your PC's IP addressing, using the commands described on my page of TCP/IP commands, we can update the diagram:


                       (------------------)    (----------)
                       (      My ISP      )    (          )
+----+    +-------+    (                  )    ( Internet )     Other ISPs
| PC +----+ modem +---[+]  74.128.0.0/12  +----+ backbone +---> and  thus
+----+^   +-------+   ^( 74.128.0.0 --    )    (          )     The World
      |               |(   74.143.255.255 )    (----------)
      |               |(------------------)
      |               |
74.140.45.188      74.140.44.1
                   My default router, see the network commands to find this
                   Runs DHCP (Dynamic Host Configuration Protocol)
                   to assign IP address/netmask, default gateway,
                   and DNS servers to your computer

It is just one hop from my host to my default gateway, which means, in network-speak, that we're adjacent. Verify this with the following, changing the IP to that of your default gateway:

    traceroute 74.140.44.1

Or, if you're stuck using Windows:

    tracert 74.140.44.1

The important thing is that the modem isn't there in terms of IP addresses. While it does crucial things with signals, it isn't really part of the networking topology as far as networks and routing are concerned.

Now you go to the store and buy one of those "SOHO" (Small Office / Home Office) router/firewall boxes. Just about US$20-40. What's in it? Quite a bit, actually. The router box itself really contains all this:

<-Interior             Exterior->
 +-----------------------------+
 |    +------+  +----------+   |
 |]---+      |  |  Linux   |   |
 |    |      +--+  or BSD  +--[|
 |]---+      |  | firewall |   |
 |    |      |  +----------+   |
 |]---+      |                 |   Firewall does:
 |    |      | 5-port          |    * NAT
 |]---+      |Ethernet         |    * Filtering rules
 |    +------+ switch          |    * DHCP client on its exterior side
 |4 Ethernet ports exposed     |    * DHCP server on its interior side
 +-----------------------------+

On its exterior port, the firewall is a DHCP client, and acts just like your PC did to get an IP connection to the world.

On its interior side, it's a DHCP server for a private IP address space. According to RFC 1918, the private blocks of IP addresses are:

    Class   CIDR Block        IP Address Range
    A       10.0.0.0/8        10.0.0.0 - 10.255.255.255
    B       172.16.0.0/12     172.16.0.0 - 172.31.255.255
    C       192.168.0.0/16    192.168.0.0 - 192.168.255.255
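The table above follows directly from the slash notation: a /N prefix fixes the top N bits of the 32-bit address and lets the remaining bits take every value. The script below is an added example (not code from the original page) that works that arithmetic out by hand, checks the three RFC 1918 blocks and the 74.128.0.0/12 block from the earlier diagram, and classifies a few addresses, including 172.32.0.1, which looks private but is not. The addresses in the demo are the page's own plus constructed test values.

```python
# Added example: the arithmetic behind CIDR slash notation, applied to the
# RFC 1918 private blocks. Not part of the original page.
RFC1918_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(ip):
    """Dotted-quad string -> 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted quad: %r" % ip)
    octets = [int(p) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("octet out of range: %r" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask(prefix):
    """Integer netmask with the top `prefix` bits set and the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32: %r" % prefix)
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def cidr_range(block):
    """Return (first, last) address of a CIDR block such as '74.128.0.0/12'."""
    base, prefix = block.split("/")
    mask = netmask(int(prefix))
    first = ip_to_int(base) & mask          # host bits cleared
    last = first | (~mask & 0xFFFFFFFF)     # host bits all set
    return int_to_ip(first), int_to_ip(last)


def in_block(ip, block):
    """True if `ip` falls inside CIDR `block`."""
    base, prefix = block.split("/")
    mask = netmask(int(prefix))
    return (ip_to_int(ip) & mask) == (ip_to_int(base) & mask)


def rfc1918_block(ip):
    """The RFC 1918 block containing `ip`, or None if it is a public address."""
    for block in RFC1918_BLOCKS:
        if in_block(ip, block):
            return block
    return None


if __name__ == "__main__":
    # The three private blocks plus the ISP block from the diagram above.
    for block in RFC1918_BLOCKS + ("74.128.0.0/12",):
        print("%-16s %s - %s" % ((block,) + cidr_range(block)))
    # 172.32.0.1 is a constructed example of a common mistake: the private
    # block is 172.16/12, which stops at 172.31.255.255.
    for ip in ("192.168.0.254", "172.31.255.1", "172.32.0.1", "74.140.45.188"):
        print("%-16s %s" % (ip, rfc1918_block(ip) or "public"))
```

The /12 cases are the ones worth checking by hand: 128 is 1000 0000 in binary, so 74.128.0.0/12 runs up to 74.143.255.255 (the low four bits of the second octet all set), and 172.16.0.0/12 runs only to 172.31.255.255.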

So you plug your NAT firewall into where your PC used to go, and your PC into one of the firewall's Ethernet jacks. And other computers, and/or other Ethernet switches, into the other ports. So now you have something like the below:


       192.168.0.0/16
      internal network
          (-----)                            (----------------)   (----------)
    PC1---+     )   Firewall                 (     My ISP     )   (          )
          (     )   +-------+   +-------+    (                )   ( Internet )    Other ISPs
    PC2---+ LAN +---+  NAT  +---+ modem +---[+] 74.128.0.0/12 +---+ backbone +--> and  thus
          (     )  ^+-------+^  +-------+   ^(                )   (          )    The World
    PC3---+     )  |         |              |(                )   (----------)
          (     )  |         |              |(----------------)
 switch---+     )  |         |              |
 ||||||   (     )  |      74.140.45.188      74.140.44.1
 ||||||   (-----)  |      Firewall's         Firewall's default router
 ||||||            |      external
PC4-PC16           |      IP address
         192.168.0.254
      All PCs' default
      gateway, and the
     firewall's internal
         IP address.

Benefits

So what about that "telling lies" analogy?

The NAT device is lying about the internal network. It pretends that the internal network doesn't exist, and that the firewall is really everything you have inside. And remember:

How can I do this for free with a Linux machine?

Run a shell script like the following at boot time to enable NAT:

#!/bin/sh
# Turn on IP forwarding (routing)
echo '1' > /proc/sys/net/ipv4/ip_forward
# Figure out what the external IP address is.
# This assumes that eth0 is the external port, and that ifconfig
# prints the address as "inet addr:A.B.C.D" (older Linux ifconfig does;
# newer versions print "inet A.B.C.D", and the grep below then finds nothing).
EXT_IPADDR=`ifconfig eth0 | grep 'inet addr' | cut -d : -f 2 | awk '{print $1}'`
if [ -z "${EXT_IPADDR}" ]; then
    echo "Could not find the address of eth0, not enabling NAT" >&2
    exit 1
fi
# Turn on NAT: rewrite the source address of everything leaving eth0
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source ${EXT_IPADDR}

The kernel maintains the "NAT table", the list of currently masqueraded connections. Put another way, it keeps track of the lies it's telling and keeps them consistent. You can view the NAT table by displaying a kernel data structure:

    cat /proc/net/ip_conntrack

On kernels that use the newer nf_conntrack code the file is /proc/net/nf_conntrack instead, and the conntrack-tools package provides "conntrack -L" to list the same table.
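To make the "keeping the lies consistent" idea concrete, here is an added example (not code from the original page, and not the kernel's own implementation) that models the NAT table behind the SNAT rule above. Each outbound connection gets an entry recording the rewrite; a reply from outside is translated back only if it matches an entry on the full address/port tuple, and anything else arriving from the Internet has no entry to map to and is dropped, which is why hosts behind the firewall in the "Benefits" section are not reachable from outside. The external address 74.140.45.188 is taken from the page's diagram; the remote and internal addresses and ports are constructed, and the port-selection rule is a simplification of what Linux actually does.

```python
# Added example: a toy model of the kernel NAT (connection tracking) table.
# Not the original page's code and not real firewall code.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    def __init__(self, external_ip, first_free_port=1024):
        self.external_ip = external_ip
        self.next_port = first_free_port
        # (proto, external port) -> (internal ip, internal port, remote ip, remote port)
        self.entries = {}
        # reverse index so every packet of one flow reuses the same external port
        self.port_of_flow = {}

    def _pick_port(self, proto, wanted):
        # Keep the internal host's own source port if nobody else holds it;
        # otherwise hand out the next unused port (simplified allocation).
        if (proto, wanted) not in self.entries:
            return wanted
        port = self.next_port
        while (proto, port) in self.entries:
            port += 1
        self.next_port = port + 1
        return port

    def outbound(self, pkt):
        """Packet leaving the interior: rewrite its source and remember the mapping."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.port_of_flow.get(flow)
        if ext_port is None:
            ext_port = self._pick_port(pkt.proto, pkt.src_port)
            self.entries[(pkt.proto, ext_port)] = flow[1:]
            self.port_of_flow[flow] = ext_port
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt):
        """Packet arriving from outside: undo the lie, or drop it (return None)."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self.entries.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # nobody inside asked for this: unsolicited, dropped
        int_ip, int_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, but not the host we are talking to
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)

    def dump(self):
        """One line per entry, loosely in the style of /proc/net/ip_conntrack."""
        lines = []
        for (proto, ext_port), (iip, iport, rip, rport) in sorted(self.entries.items()):
            lines.append("%s src=%s sport=%d dst=%s dport=%d  reply dst=%s dport=%d"
                         % (proto, iip, iport, rip, rport, self.external_ip, ext_port))
        return lines


if __name__ == "__main__":
    nat = NatTable("74.140.45.188")
    # Two internal PCs (constructed) both use source port 40000 to reach a
    # web server at 203.0.113.10 (constructed, documentation range).
    out1 = nat.outbound(Packet("tcp", "192.168.0.10", 40000, "203.0.113.10", 80))
    out2 = nat.outbound(Packet("tcp", "192.168.0.11", 40000, "203.0.113.10", 80))
    print(out1)   # source becomes 74.140.45.188:40000
    print(out2)   # source becomes 74.140.45.188:1024, the port was already taken
    print("\n".join(nat.dump()))
    # The server's reply to the second connection finds its way back to PC 192.168.0.11.
    print(nat.inbound(Packet("tcp", "203.0.113.10", 80, "74.140.45.188", 1024)))
    # A packet from some other outside host (constructed) to the same port: dropped.
    print(nat.inbound(Packet("tcp", "198.51.100.7", 80, "74.140.45.188", 1024)))
```

The reverse lookup deliberately checks the remote address and port, not just the external port: an entry makes the firewall willing to relay packets for one conversation, not to expose the internal host's port to everyone.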

At the SIGGRAPH Conference in Los Angeles in 2005, we used one Linux host with a 3 GHz CPU to do address translation for the entire conference site.

The Linux machine was handling over 9500 simultaneous network connections, and the CPU was still something over 99.5% idle.

We did this because a $15,000 Cisco router did not have the needed performance. Cisco routers are extremely good at routing, which can be done in hardware. NAT takes processing, and routers really don't have very powerful CPUs. Last I heard, the Los Angeles Conference Center was looking into Linux...


© Bob Cromwell Jul 2008. Created with /bin/vi, hosted on OpenBSD with Apache.