Network Address Translation(NAT): A Useful Tool for IPV4 Address Translation

In this tutorial, I will take you through the understanding of Network Address Translation. NAT(Network Address Translation) is used either extend the limited IPv4 address space or to conceal the true IPv4 addresses of a device by using substitute IPv4 addresses in packet headers. NAT is usually performed by customer-edge (site) routers or hubs, and is more sophisticated today than the older methods of simply using private RFC 1918 addresses whenever one liked.

Network Address Translation(NAT): A Useful Tool for IPV4 Address Translation 1

Also Read: 100 Best Networking Interview Questions

Understanding Network Address Translation

Many firewalls use a technique called network address translation (NAT) to hide the actual IP address of a host from the outside world. When that’s the case, the NAT device must use a globally unique IP to represent the host to the Internet; behind the firewall, however, the host can use any IP address it wants. As packets cross the firewall, the NAT device translates the private IP address to the public IP address, and vice versa.

One of the benefits of NAT is that it helps slow down the rate at which the IP address space is assigned because a NAT device can use a single public IP address for more than one host. It does this by keeping track of outgoing packets so that it can match up incoming packets with the correct host. To understand how this process works, consider this sequence of steps:

A host whose private address is 192.168.1.100 sends a request to 216.58.192.4, which happens to be www.google.com. The NAT device changes the source IP address of the packet to 208.23.110.22, the IP address of the firewall. That way, Google will send its reply back to the firewall router. The NAT records that 192.168.1.100 sent a request to 216.58.192.4.

Now another host, at address 192.168.1.107, sends a request to 23.54.240.121, which happens to be www.microsoft.com. The NAT device changes the source of this request to 208.23.110.22 so that Microsoft will reply to the firewall router. The NAT records that 192.168.1.107 sent a request to 23.54.240.121.

A few seconds later, the firewall receives a reply from 216.58.192.4. The destination address in the reply is 208.23.110.22, the address of the firewall. To determine to whom to forward the reply, the firewall checks its records to see who’s waiting for a reply from 216.58.192.4. It discovers that 192.168.1.100 is waiting for that reply, so it changes the destination address to 192.168.1.100 and sends the packet on.

Actually, the process is a little more complicated than that because it’s very likely that two or more users may have pending requests from the same public IP. In that case, the NAT device uses other techniques to figure out to which user each incoming packet should be delivered.

Four Types of NAT(Network Address Translation)

NAT is still a popular thing to do on a network. There are even the following four slightly different versions of NAT that are supported in many routers, and most are known by a number of unofficial names.

• Unidirectional NAT (outbound or “traditional” NAT)

• Bidirectional NAT (inbound or “two-way” NAT)

• Port-based (“overloaded” NAT, or NAPT or PAT)

• Overlapping NAT (“twice NAT”)

All of these methods are a little different, but all involve use of the same terms to describe the addresses that are translated. An address can be inside or outside, based on whether it is used on the local LAN (inside) or on the Internet (outside). Addresses can also be local or global, based on whether they are drawn from the private RFC 1918 address ranges (local) or publicly registered or obtained from an ISP (global).

Advantages and Disadvantages of NAT

Today, NAT still offers advantages, but these often have to be balanced against some disadvantages, especially when coupled with current security practices. The advantages to using NAT follow:

Address sharing: A small number of IP addresses can support a larger pool of devices.

Ease of expansion: If the number of hosts grows beyond the public IPv4 space assigned, it’s easy to add hosts.

Local control: Administrators essentially run their own private piece of the public Internet.

Easy ISP changeover: When host addresses are private, public ISP addresses can be changed more easily.

Mainly transparent: Usually, only a handful of devices have to know the NAT rules for a site.

Security: Oversold, but still seen as an advantage. Hackers don’t know the “real” client’s IP address, true, but the true targets are often servers and the NAT “firewalls” themselves.

These NAT pluses have to be balanced against the current list of disadvantages.

Complexity: NAT adds management complexity and makes even routine troubleshooting more difficult.

Public address sensitivity: Private addresses are favored by hackers. Some applications and devices raise flags when presented with private addresses. (One FTP application used for this book insisted on needing to know the “real” public network IP address of the host before it would work properly!)

Application compatibility issues: NAT() is not totally transparent. Applications such as FTP, which embed IP addresses and port numbers in data (such as the PASV and PORT messages), must be handled with special care by NAT routers.

Poor host accessibility: NAT makes it difficult to contact local devices from the outside world. NAT is not a good solution for Web sites, FTP servers, or even peer protocols (VoIP) running on a local LAN.

Performance concerns: The burden of hundreds of simultaneous Internet access users today often degrades NAT router performance for its main task: routing packets.

Security: Both a plus and a minus. Modern protocols such as IPSec raise alarms when packet fields are changed between end systems. You can still combine NAT and IPsec (carefully), but keeping NAT as a “security feature” in addition to IPSec can be tricky.

To check the NAT Rules in Linux, you can run below command:-

[root@localhost ~]# iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
RETURN all -- 192.168.122.0/24 224.0.0.0/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0


Also Read: Networking for Dummies

Reference: The Illustrated Network

Leave a Reply