Rack of Ethernet switches.

How NAT Works

NAT is Network Address Translation

You can very effectively protect your network from active attack with Network Address Translation or NAT. You assign your internal addresses from one or more of the reserved blocks defined in RFC 1918 — 10/8, 172.16/12, and 192.168/16. Those represent 16,777,216, 1,048,576, and 65,536 possible IPv4 addresses, respectively.

You then configure one or more border routers to do what's called IP masquerading, each hiding all the internal addresses behind one or more external IP addresses used by the exterior port of the router.

You can make all the connections you want from inside to out, but there is no way for a host on the outside to establish a connection to one of your inside hosts as those address blocks aren't routable out on the Internet. (Unless, of course, you go out of your way to set up static port forwarding, where some combination of IP address and TCP or UDP port on the exterior side of the NAT router is always mapped to some IP address and TCP or UDP port on the interior server.)

How can you get away with telling lies?

  1. Make certain that your lie is somewhat plausible.
  2. Above all, make certain that you are consistent in your lying.

Network Address Translation (or IP masquerading) is a form of lying. It's something that firewalls, or routers in general, can do with the IP addresses in headers of packets they forward. The result is that details of the interior network are hidden, because the device doing NAT is effectively lying, masquerading as though it simultaneously was all of the hosts inside the networks it is hiding. To distant servers, your entire organization looks like one extremely busy host.

Using a NAT Firewall

Let's say that you have a cable modem or a DSL interface, and you just connect your computer to the Internet. This is dangerous if you're using Windows, but a lot of people do this. Your connection to the world might look something like this picture, where modem is your cable modem or DSL interface:

Using a NAT firewall: your PC, modem, your ISP, and the Internet.

Well, that's how you see it from your house. Using my connection as an example, the reality is a bit more detailed. For an explanation of IP addresses, the slash notation, CIDR blocks and more, see my TCP/IP page.

Using a NAT firewall: your PC, modem, your ISP, and the Internet.

Now, if you find your PC's IP addressing, using the commands described on my page of TCP/IP commands, we can add network addresses to the diagram, as seen below.

It is just one hop from my host to my default gateway, which means, in network-speak, that we're adjacent. Verify this with the following command, changing the IP address to that of your default gateway:
traceroute 24.12.170.1
Or, if you're stuck using Windows:
tracert 24.12.170.1
The important thing is that the modem isn't there in terms of IP addresses. While it does crucial things with signals, it isn't really part of the networking topology as far as networks and routing are concerned.

Using a NAT firewall: your PC, modem, your ISP, and the Internet.

Now you go to the store and buy one of those "SOHO" (Small Office / Home Office) router/firewall boxes. They only cost about US$ 20-40. What's in it? Quite a bit, actually. A typical router box really contains all this:

Using a NAT firewall: the interior of the cable/DSL router/firewall.

D-Link TM-G5240 802.11g wireless router, Cisco EZXS88W 8-port Ethernet switch, and MFJ-1278 multi-mode data controller. Small Internet access routers like this D-Link unit implement NAT.

On its exterior port, the firewall is a DHCP client, and acts just like your PC did to get an IP connection to the world.

Internally, the firewall does NAT and applies stateful packet filtering rules.

On its interior side, the firewall is a DHCP server for a private IP address space used inside your organization. RFC 1918 specifies a set of private blocks of IP addresses.

Class   CIDR Block        IP Address Range
A       10.0.0.0/8        10.0.0.0 - 10.255.255.255
B       172.16.0.0/12     172.16.0.0 - 172.31.255.255
C       192.168.0.0/16    192.168.0.0 - 192.168.255.255

So you plug your NAT firewall into where your PC used to go, and your PC into one of the firewall's Ethernet jacks. And other computers, and/or other Ethernet switches, into the other ports. So now you have something like the below:

Using a NAT firewall: internal Ethernet switches, the interior of the cable/DSL router/firewall, ISP, and Internet backbone.

Benefits

You could have up to 16,777,214 hosts on your internal network, if you used the 10.0.0.0/8 IP network. But you only need one external IP address.
2^24 = 16,777,216
Minus two unusable addresses, hostid all 0's or all 1's:
2^24 - 2 = 16,777,214

No one outside can tell anything about your internal topology. You could have lots of routers and networks inside. From the outside it appears that you have only one very busy host, the exterior port of the NAT firewall.

Your internal addresses are not routable. The reserved RFC 1918 addresses are not routable. If an attacker managed to figure out your internal IP address, his packets would not go toward you but toward the core of the Internet. They would eventually hit a core router, one of the routers on the backbone. The core routers have no default routes, they have to know where everything is. And they don't have routes for 10/8, 172.16/12, or 192.168/16 — those networks effectively do not exist according to the routing tables of the public Internet.

Multi-level NAT

You can do this in multiple levels. In the below diagram, a cable or FiOS or DSL router connects to the ISP's line. It gets a publicly routable external address, and this one is set up to use 192.168.0.0/24 on its internal side, both wired and wireless.

Then a second router, one with an Ethernet port as its external connection, is connected to one of the edge router's interior ports. This inner router must be configured to use a different block of IP addresses for its DHCP clients on its interior side.

Multi-level NAT networking.

Let's say you connect a computer to that inner network, to one of the wired Ethernet ports or the wireless net of the inner router. That computer gets an address like 192.168.1.0, and it is told to route its packets through a gateway at 192.168.1.254, which is the inner router itself.

That inner router got an edge network address like 192.168.0.1 for its exterior (or "Internet" or "WAN") port, and it was told to route its packets through a gateway at 192.168.0.254, which is your edge router.

It, in turn, was told to use 24.14.170.39 for its exterior port, and route its packets through 24.14.170.1.

Now you can use traceroute (or, on Windows, tracert) to test the path to Google:

$ traceroute www.google.com
traceroute to www.google.com (172.217.0.4), 30 hops max, 60 byte packets
 1  192.168.1.254 (192.168.1.254)  0.127 ms  0.078 ms  0.199 ms
 2  192.168.0.254 (192.168.0.254)  0.254 ms  0.221 ms  0.307 ms
 3  po102-rur01.lafayette.in.indiana.comcast.net (24.12.170.1)  8.002 ms  8.947 ms  14.140 ms
 4  162.151.45.86 (162.151.45.86)  14.155 ms  14.344 ms  14.359 ms
 5  be-3-ar01.area4.il.chicago.comcast.net (68.86.188.181)  20.629 ms  21.592 ms 22.703 ms
 6  be-22-ar01.indianapolis.in.indiana.comcast.net (68.86.188.97)  13.102 ms  14.215 ms  14.254 ms

You can do some interesting things with multi-level NAT, even in a home setting. Because both of your routers perform NAT, of course the outside world can't connect in. That is, unless you use video chat or another application that opens a static tunnel inbound through your edge router.

But now your inner router hides that inner network from your edge network. So...

Keep your systems on the inner network, let visitors use the edge network. That way they can use your Internet connection, but your computers are hidden behind NAT. Or...

Put the children's computers on the inner network, adults use the edge network. That makes access and monitoring much easier, and video chat apps on the inner network can only open a static tunnel as far as the edge network, not to the Internet. And/or...

Put smart home devices on the inner network, and your computers on the edge network. Again, that prevents poorly designed IoT (or Internet of Things) systems, which you can neither patch nor configure, from opening access to the outside world. If they open a static tunnel to expose themselves through the inner router, you can access them but the world can't.

What about IPv6?

IPv6 on Arris Surfboard cable modems

Yes, it works the same way with 128-bit IPv6 addresses, assuming your routers support it. If your edge router uses a cable modem, that device may break IPv6 by defaulting to a small MTU or maximum packet size. I have a page explaining how to use IPv6 on a cable modem.

So what about that "telling lies" analogy?

The NAT device is lying about the internal network. It pretends that the internal network doesn't exist, and that the firewall is really everything you have inside. And remember:

  1. Make certain that your lie is plausible. The NAT device claims that all traffic is from/to its external port, which is a routable address.
  2. Above all, make certain that you are consistent in your lying. The NAT device keeps track of the multiple connections it is masquerading on behalf of internal hosts.

If you care about the details: It uses unique source TCP ports, thus unique client sockets, for every masqueraded connection. So yes, to be pedantic, it is doing both NAT and PAT (Port Address Translation) simultaneously.

Based on the destination port of the inbound packet, it can figure out which, if any, existing connection the packet belongs to. It can then change the TCP and IP headers accordingly before sending the packet across the interior LAN. The external socket (IP/port) maps onto an interior socket (IP/port) according to the current translation table.

But what about UDP traffic, like DNS lookups, NTP clock synchronization, or even some audio streams? While there is no connection in the TCP sense, it also does the necessary tricks with UDP ports.
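The translation table described in the last few paragraphs, as an added toy model (not the Linux conntrack code or anything from this page): one exterior address, a fresh exterior port per interior flow (the "consistent lie"), the same handling for TCP and UDP, and inbound packets that match no entry are dropped. The exterior address 203.0.113.1 and the remote hosts are constructed sample values.

```python
"""Toy NAT/PAT translator modelling the masquerading table described above."""
from dataclasses import dataclass
import ipaddress

# The RFC 1918 private blocks from the table earlier on this page.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    """True if addr is an RFC 1918 address, i.e. one the NAT device must hide."""
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE)

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp": the table works the same way for both
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    """Masquerades every interior host behind one routable exterior address."""
    def __init__(self, ext_ip: str, first_port: int = 40000):
        self.ext_ip = ext_ip
        self.next_port = first_port          # constructed port range for the example
        self.table = {}    # (proto, ext_port) -> (in_ip, in_port, remote_ip, remote_port)
        self.lookup = {}   # interior 5-tuple -> ext_port, so a flow always gets the same port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an interior-to-exterior packet: SNAT plus a unique source port (PAT)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.lookup:
            # Consistent lying: one exterior port per interior flow, never shared.
            self.lookup[key] = self.next_port
            self.table[(pkt.proto, self.next_port)] = key[1:]
            self.next_port += 1
        return Packet(pkt.proto, self.ext_ip, self.lookup[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Map a reply back to the interior socket, or return None (drop) if no flow matches."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None or (pkt.src, pkt.sport) != entry[2:]:
            return None   # unsolicited, or from a different remote than the flow was opened to
        in_ip, in_port = entry[:2]
        return Packet(pkt.proto, pkt.src, pkt.sport, in_ip, in_port)
```

Port forwarding, as mentioned earlier, would simply be a table entry installed by hand rather than by an outbound packet.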

How can I do this for free with a Linux machine?

Run a shell script like the following at boot time to enable NAT. Make sure you get this right, it really matters where you use regular quote characters (ASCII 0x27, typically just to the left of the <Enter> key, at least on US keyboards) and where you use back-quote characters (ASCII 0x60, typically somewhere in the upper left region of the keyboard, at least on US keyboards). Also parenthesis (ASCII 0x28/0x29) versus curly braces (ASCII 0x7b/0x7d).

#!/bin/sh
# Turn on IP forwarding (routing)
echo '1' > /proc/sys/net/ipv4/ip_forward
# Figure out what the external IP address is.
# This assumes that p7p1 is the external port.
# Be aware of the modern network interface names;
# substitute yours (for example eth0 or enp3s0) for p7p1 throughout.
EXT_IPADDR=$( ip -4 addr show p7p1 | awk '/inet/ {print $2}' | cut -d / -f 1 )
# Turn on NAT: rewrite the source address of everything leaving p7p1.
# If the external address comes from DHCP and may change, re-run this
# after a lease renewal, or use -j MASQUERADE instead of SNAT.
iptables -t nat -A POSTROUTING -o p7p1 -j SNAT --to-source ${EXT_IPADDR}

The kernel maintains the "NAT table", the list of currently masqueraded connections. Put another way, it keeps track of the lies it's telling and keeps them consistent. You can view the NAT table or just see how many connections are currently being masqueraded:

cat /proc/net/nf_conntrack    # /proc/net/ip_conntrack on older kernels
conntrack -L | wc -l

At the SIGGRAPH Conference in Los Angeles in 2005, we used one Linux host with a 3 GHz CPU to do address translation for the entire conference site.

The Linux machine was handling over 9500 simultaneous network connections and its CPU was still something over 95% idle.

We did this because a $15,000 Cisco router did not have the needed performance. Cisco routers are extremely good at routing, which can be done in hardware. NAT takes processing, and routers traditionally have not had very powerful CPUs. The last I heard, the Los Angeles Conference Center was looking into Linux. And, Cisco has moved away from slower Motorola CPUs to IA64 systems, basically PC motherboards.


Linux machine running NAT at the Los Angeles Conference Center. Overworked Cisco routers in the background could not handle the load.