How NAT Works

How can you get away with telling lies?

Make certain that your lie is somewhat plausible.
Above all, make certain that you are consistent in your lying.

Network Address Translation (or NAT) is a form of lying. It's something that firewalls, or routers in general, can do with the IP addresses in headers of packets they forward. The result is that details of the interior network are hidden, because the device doing NAT is effectively lying, masquerading as through it simultaneously was all the hosts inside the networks it is hiding.

Using a NAT Firewall

Let's say that you have a cable modem, or a DSL interface. And you just connect your computer to the Internet. Dangerous if you're using Windows, but a lot of people do this. Your connection to the world might look something like this, where modem is your cable modem or DSL interface:

Well, that's how you see it from your house. Using my connection as an example, the reality is a bit more detailed:

For an explanation of IP addresses, the slash notation, CIDR blocks, and more, see — my TCP/IP page.

Now, if you find your PC's IP addressing, using the commands described on my page of TCP/IP commands, we can update the diagram:

It is just one hop from my host to my default gateway, which means, in network-speak, that we're adjacent. Verify this with the following command, changing the IP address to that of your default gateway:
traceroute 24.12.170.1
Or, if you're stuck using Windows:
tracert 24.12.170.1
The important thing is that the modem isn't there in terms of IP addresses. While it does crucial things with signals, it isn't really part of the networking topology as far as networks and routing are concerned.

Now you go to the store and buy one of those "SOHO" (Small Office / Home Office) router/firewall boxes. They only cost about US$ 20-40. What's in it? Quite a bit, actually. A typical router box really contains all this:

Using a NAT firewall: the interior of the cable/DSL router/firewall.

D-Link TM-G5240 WLAN 802.11g wireless router, Cisco EZXS88W Ethernet switch, MFJ-1278 multi-mode data controller.

D-Link TM-G5240 802.11g wireless router, Cisco EZXS88W 8-port Ethernet switch, and MFJ-1278 multi-mode data controller. Small Internet access routers like this D-Link unit implement NAT.

On its exterior port, the firewall is a DHCP client, and acts just like your PC did to get an IP connection to the world.

Internally, the firewall does NAT and applies stateful packet filtering rules.

On its interior side, the firewall is a DHCP server for a private IP address space used inside your organization. RFC 1918 specifies a set of private blocks of IP addresses.

Class	CIDR Block	IP Address Range
A	`10.0.0.0/8`	`10.0.0.0 - 10.255.255.255`
B	`172.16.0.0/12`	`172.16.0.0 - 172.31.255.255`
C	`192.168.0.0/16`	`192.168.0.0 - 192.168.255.255`

So you plug your NAT firewall into where your PC used to go, and your PC into one of the firewall's Ethernet jacks. And other computers, and/or other Ethernet switches, into the other ports. So now you have something like the below:

Using a NAT firewall: internal Ethernet switches, the interior of the cable/DSL router/firewall, ISP, and Internet backbone.

Benefits

You could have up to 16,777,214 hosts on your internal network, if you used the 10.0.0.0/8 IP network. But you only need one external IP address.
2²⁴ = 16,777,216
Minus two unusable addresses, hostid all 0's or all 1's:
2²⁴ - 2 = 16,777,214
No one outside can tell anything about your internal topology. You could have lots of routers and networks inside. From the outside it appears that you have only one very busy host, the exterior port of the NAT firewall.
Your internal addresses are not routable. The reserved RFC 1918 addresses are not routable. If an attacker managed to figure out your internal IP address, his packets would not go toward you but toward the core of the Internet. They would eventually hit a core router, one of the routers on the backbone. The core routers have no default routes, they have to know where everything is. And they don't have routes for 10/8, 172.16/12, or 192.168/16 — those networks effectively do not exist according to the routing tables of the public Internet.

So what about that "telling lies" analogy?

The NAT device is lying about the internal network. It pretends that the internet network doesn't exist, and that the firewall is really everything you have inside. And remember:

Make certain that your lie is somewhat plausible.
The NAT device claims that all traffic is from/to its external port, which is a routable address.
Above all, make certain that you are consistent in your lying.
The NAT device keeps track of the multiple connections it is masquerading on behalf of internal hosts. If you care about the details:
- It uses unique source TCP ports, thus unique client sockets, for every masqueraded connection. So yes, to be terribly pedantic, it is doing both NAT and PAT (Port Address Translation) simultaneously.
- Based on the destination port of the inbound packet, it can figure out which, if any, existing connection the packet belongs to. It can then change the TCP and IP headers accordingly before sent the packet across the interior LAN. The external socket (IP/port) maps onto an interior socket (IP/port) according to the current translation table.
- But what about UDP traffic, like DNS lookups, or streaming audio? While there is no connection in the TCP sense, it also does the necessary tricks with UDP ports.

How can I do this for free with a Linux machine?

Run a shell script like the following at boot time to enable NAT. Make sure you get this right, it really matters where you use regular quote characters (ASCII 0x27, typically just to the left of the <Enter> key, at least on US keyboards) and where you use back-quote characters (ASCII 0x60, typically somewhere in the upper left region of the keyboard, at least on US keyboards).

# Turn on IP forwarding (routing)
echo '1' > /proc/sys/net/ipv4/ip_forward
# Figure out what the external IP address is.
# This assumes that eth0 is the external port.
EXT_IPADDR=`ifconfig eth0 | grep 'inet addr' | cut -d : -f 2 | awk '{print $1}'`
# Turn on NAT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source ${EXT_IPADDR}

Linux firewall running NAT at the Los Angeles Conference Center.

Linux machine running NAT at the Los Angeles Conference Center. Overworked Cisco routers in the background could not handle the load.

The kernel maintains the "NAT table", the list of currently masqueraded connections. Put another way, it keeps track of the lies it's telling and keeps them consistent. You can view the NAT table by displaying a kernel data structure:

cat /proc/net/ip_conntrack

At the SIGGRAPH Conference in Los Angeles in 2005, we used one Linux host with a 3 GHz CPU to do address translation for the entire conference site.

The Linux machine was handling over 9500 simultaneous network connections and its CPU was still something over 99% idle.

We did this because a $15,000 Cisco router did not have the needed performance. Cisco routers are extremely good at routing, which can be done in hardware. NAT takes processing, and routers traditionally have not had very powerful CPUs. The last I heard, the Los Angeles Conference Center was looking into Linux. And, Cisco has moved away from slower Motorola CPUs to IA64 systems, basically PC motherboards.

Back to the networking page

Home

Unix/Linux

Networking

Cybersecurity

Travel

Technical

Radio

Site Map

Contact