Network Address Translation (or NAT) is a form of lying. It's something that firewalls, or routers in general, can do about IP addresses.
Let's say that you have a cable modem, or a DSL interface. And you just connect your computer to the Internet. Dangerous if you're using Windows, but a lot of people do this. Your connection to the world might look something like this, where modem is your cable modem or DSL interface:
+----+ +-------+ | PC +----+ modem +----> ISP ---> The World +----+ +-------+
Well, that's how you see it from your house. Using my connection as an example, it's a bit more detailed:
(-----------------------------) (----------)
( insightbb.com network ) ( )
+----+ +-------+ ( ) ( Internet ) Other ISPs
| PC +----+ modem +----+ really att.com +----+ backbone +---> and thus
+----+ +-------+ ( 74.128.0.0 - 74.143.255.255 ) ( ) The World
( CIDR: 74.128.0.0/12 ) (----------)
(-----------------------------)
For an explanation of IP addresses, the slash notation,
CIDR blocks, and more, see either:
— My TCP/IP page, or
— 3com's great white paper, referenced on my TCP/IP page
Now, if you find your PC's IP addressing, using the commands described on my page of TCP/IP commands, we can update the diagram:
(------------------) (----------)
( My ISP ) ( )
+----+ +-------+ ( ) ( Internet ) Other ISPs
| PC +----+ modem +---[+] 74.128.0.0/12 +----+ backbone +---> and thus
+----+^ +-------+ ^( 74.128.0.0 -- ) ( ) The World
| |( 74.142.255.255 ) (----------)
| |(------------------)
| |
74.140.45.188 74.140.44.1
My default router, see the network commands to find this
Runs DHCP (Dynamic Host Configuration Protocol)
to assign IP address/netmask, default gateway,
and DNS servers to your computer
It is just one hop from my host to my default gateway,
which means, in network-speak, that we're adjacent.
Verify this with the following, changing the IP to that
of your default gateway:
traceroute 74.140.44.1
Or, if you're stuck using Windows:
tracert 74.140.44.1
The important thing is that the modem isn't there
in terms of IP addresses.
While it does crucial things with signals,
it isn't really part of the networking topology
as far as networks and routing are concerned.
Now you go to the store and buy one of those "SOHO" (Small Office / Home Office) router/firewall boxes. Just about US$20-40. What's in it? Quite a bit, actually. The router box itself really contains all this:
<-Interior Exterior-> +-----------------------------+ | +------+ +----------+ | |]---+ | | Linux | | | | +--+ or BSD +--[| |]---+ | | firewall | | | | | +----------+ | |]---+ | | Firewall does: | | | 5-port | * NAT |]---+ |Ethernet | * Filtering rules | +------+ switch | * DHCP client on its exterior side |4 Ethernet ports exposed | * DHCP server on its interior side +-----------------------------+
On its exterior port, the firewall is a DHCP client, and acts just like your PC did to get an IP connection to the world.
On its interior side, it's a DHCP server for a private IP address space. According to RFC 1918, the private blocks of IP addresses are:
| Class | CIDR Block | IP Address Range |
| A | 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255 |
| B | 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255 |
| C | 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255 |
So you plug your NAT firewall into where your PC used to go, and your PC into one of the firewall's Ethernet jacks. And other computers, and/or other Ethernet switches, into the other ports. So now you have something like the below:
192.168.0.0/16
internal network
(-----) (----------------) (----------)
PC1---+ ) Firewall ( My ISP ) ( )
( ) +-------+ +-------+ ( ) ( Internet ) Other ISPs
PC2---+ LAN +---+ NAT +---+ modem +---[+] 74.128.0.0/12 +---+ backbone +--> and thus
( ) ^+-------+^ +-------+ ^( ) ( ) The World
PC3---+ ) | | |( ) (----------)
( ) | | |(----------------)
switch---+ ) | | |
|||||| ( ) | 74.140.45.188 74.140.44.1
|||||| (-----) | Firewall's Firewall's default router
|||||| | external
PC4-PC16 | IP address
192.168.0.254
All PCs' default
gateway, and the
firewall's internal
IP address.
The NAT device is lying about the internal network. It pretends that the internet network doesn't exist, and that the firewall is really everything you have inside. And remember:
Run a shell script like the following at boot time to enable NAT:
# Turn on IP forwarding (routing)
echo '1' > /proc/sys/net/ipv4/ip_forward
# Figure out what the external IP address is.
# This assumes that eth0 is the external port.
EXT_IPADDR=`ifconfig eth0 | grep 'inet addr' | cut -d : -f 2 | awk '{print $1}'`
# Turn on NAT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source ${EXT_IPADDR}
The kernel maintains the "NAT table", the list of currently masqueraded connections. Put another way, it keeps track of the lies it's telling and keeps them consistent. You can view the NAT table by displaying a kernel data structure:
cat /proc/net/ip_conntrack
At the SIGGRAPH Conference in Los Angeles in 2005, we used one Linux host with a 3 GHz CPU to do address translation for the entire conference site.
The Linux machine was handling over 9500 simultaneous network connections, and the CPU was still something over 99.5% idle.
We did this because a $15,000 Cisco router did not have the needed performance. Cisco routers are extremely good at routing, which can be done in hardware. NAT takes processing, and routers really don't have very powerful CPUs. Last I heard, the Los Angeles Conference Center was looking into Linux...
| Home Page | Site Map | Public Key |
|
|
|
|
|
|
| © Bob Cromwell Jul 2008. Created with /bin/vi, hosted on OpenBSD with Apache. Root password available here | ||||