GuideDevOps
Lesson 11 of 28

Network Address Translation (NAT)

Part of the Networking Basics tutorial series.

NAT is one of the most clever networking innovations — it allows millions of devices to share a single public IP address.

The Problem NAT Solves

Internet addresses are limited (IPv4):

  • Only 4.3 billion IPv4 addresses
  • Public address space is scarce and expensive to obtain (like real estate)
  • Can't give every device a public IP

NAT Solution:

  • Private IPs for internal networks (192.168.x.x, 10.x.x.x)
  • Public IP for the gateway
  • Gateway (NAT device) translates between them

How NAT Works

Setup:

Internal Network (Private)     NAT Device               Internet (Public)
PC: 192.168.1.100              Router: 203.0.113.50     DNS: 1.1.1.1

Scenario: PC wants to reach Google DNS (8.8.8.8)

Step 1: PC sends packet

Source: 192.168.1.100:54321
Dest: 8.8.8.8:53

Step 2: NAT device intercepts

"This is from private network."
"I need to rewrite the source address."

Create NAT entry:
192.168.1.100:54321 → 203.0.113.50:12345

Step 3: NAT rewrites packet

Original:
  Source: 192.168.1.100:54321
  Dest: 8.8.8.8:53

Rewritten:
  Source: 203.0.113.50:12345  ← NAT device's IP
  Dest: 8.8.8.8:53

Step 4: Send to internet

Packet travels with the public IP as its source.

Step 5: Response comes back

Source: 8.8.8.8:53
Dest: 203.0.113.50:12345

NAT device receives it, looks up NAT table:

203.0.113.50:12345 came from 192.168.1.100:54321
Rewrite destination to 192.168.1.100:54321

Step 6: Deliver to PC

Source: 8.8.8.8:53
Dest: 192.168.1.100:54321  ← Original PC

PC receives response, thinks it's communicating directly with 8.8.8.8!

NAT Types

1. Static NAT

One-to-one mapping:

Internal: 192.168.1.100 ← → Public: 203.0.113.100
Internal: 192.168.1.101 ← → Public: 203.0.113.101

Use case: A web server on the internal network that needs a permanent, fixed public IP

2. Dynamic NAT

Map internal IPs to pool of public IPs:

Internal pool: 192.168.1.0/24 (254 addresses)
Public pool: 203.0.113.0/25 (126 addresses)

When device needs external connection:
- Pick available public IP from pool
- Create mapping
- Release after timeout

Use case: Large office, more users than public IPs

3. PAT (Port Address Translation)

Many internal IPs → one public IP (most common):

192.168.1.100:54321 → 203.0.113.50:10001
192.168.1.101:54322 → 203.0.113.50:10002
192.168.1.102:54323 → 203.0.113.50:10003

Same public IP, different ports!

Use case: Home networks, small offices, NAT routers

NAT Terminology

Inside Local Address

  • Private IP address (192.168.1.100)
  • What device sees itself as

Inside Global Address

  • Public IP the private device maps to (203.0.113.50)
  • What external hosts see

Outside Global Address

  • Remote server's IP (8.8.8.8)
  • Public IP of external host

Outside Local Address

  • How remote host is seen from inside
  • Usually same as Outside Global (unless NAT twice)

One-Way vs Two-Way NAT

One-Way NAT (Egress)

Internal devices initiate outbound connections:

PC (internal) → NAT → Internet
Internet cannot initiate to PC

Two-Way NAT (Ingress)

Inbound connections are also possible:

Internet → NAT → PC (internal)
Requires port forwarding rule

Example Port Forwarding:

External Port 8080 → Internal Port 80
Internet: 203.0.113.50:8080 → PC 192.168.1.100:80

External request to 203.0.113.50:8080
NAT rewrites to 192.168.1.100:80
PC sees the request!

NAT Translation Table

NAT device maintains a translation table:

Inside Local          Inside Global         Outside Global
192.168.1.100:54321   203.0.113.50:10001    8.8.8.8:53
192.168.1.101:54322   203.0.113.50:10002    1.1.1.1:443
192.168.1.102:54323   203.0.113.50:10003    142.251.41.14:80

When reply from external host arrives, NAT reverses the mapping:

Reply from 8.8.8.8:53 to 203.0.113.50:10001
NAT looks up: 10001 belongs to 192.168.1.100:54321
Rewrite destination
Deliver to PC

NAT Session Timeout

Each NAT entry stays active only while in use:

TCP:

  • Active while connection open
  • Stays for a few minutes after close (TIME_WAIT)

UDP:

  • No connection concept
  • Typical timeout: 30 seconds - 5 minutes

Configuration (Linux iptables / conntrack):

# Check that the connection-tracking module is loaded
lsmod | grep nf_conntrack

# Show the current UDP timeout (seconds), then raise it to 10 minutes
sudo sysctl net.netfilter.nf_conntrack_udp_timeout
sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout=600
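The six-step walkthrough in "How NAT Works", the one-way vs two-way distinction, the translation table and the session timeouts above all describe one mechanism; the following Python model, added here as an example and not code from the GuideDevOps lesson, puts them together in one small PAT device. Every class and method name (`Packet`, `Entry`, `PatDevice`, `outbound`, `inbound`, `add_port_forward`) is this example's own, and the addresses, ports and clock values are constructed sample data.

```python
"""Toy PAT (many-to-one NAT) device, written as an added example for this lesson.

Not code from the GuideDevOps page. It models the walkthrough above: an outbound
packet gets a fresh public port and a table entry (SNAT); a reply is matched on
that port and rewritten back to the inside host; unsolicited inbound traffic is
dropped unless a port-forwarding (DNAT) rule exists; an idle entry expires after
its protocol's timeout. All addresses, ports and clock values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Entry:
    inside_local: Endpoint    # private host, e.g. ("192.168.1.100", 54321)
    inside_global: int        # port on the NAT device's public IP
    outside_global: Endpoint  # remote host, e.g. ("8.8.8.8", 53)
    last_seen: float          # clock value of the last packet in either direction


class PatDevice:
    """NAT device with a single public IP; ports multiplex the inside hosts."""

    def __init__(self, public_ip, udp_timeout=30.0, tcp_timeout=300.0, first_port=10001):
        self.public_ip = public_ip
        self.timeouts = {"udp": udp_timeout, "tcp": tcp_timeout}
        self.next_port = first_port
        self.table: Dict[Tuple[str, int], Entry] = {}      # (proto, public port) -> entry
        self.forwards: Dict[Tuple[str, int], Endpoint] = {}  # static DNAT rules

    def add_port_forward(self, proto, public_port, inside):
        """Two-way NAT: let inbound traffic on public_port through to an inside host."""
        self.forwards[(proto, public_port)] = inside

    def _expire(self, now):
        """Drop entries that have been idle longer than their protocol's timeout."""
        for key in [k for k, e in self.table.items() if now - e.last_seen > self.timeouts[k[0]]]:
            del self.table[key]

    def outbound(self, pkt, now):
        """Inside -> Internet (SNAT): reuse the matching entry or create a new one."""
        self._expire(now)
        for (proto, port), e in self.table.items():
            if (proto == pkt.proto and e.inside_local == (pkt.src_ip, pkt.src_port)
                    and e.outside_global == (pkt.dst_ip, pkt.dst_port)):
                e.last_seen = now
                return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)
        # Allocate the next public port not already used by an entry or a forwarding rule.
        while (pkt.proto, self.next_port) in self.table or (pkt.proto, self.next_port) in self.forwards:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, port)] = Entry((pkt.src_ip, pkt.src_port), port,
                                              (pkt.dst_ip, pkt.dst_port), now)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Internet -> inside: reverse a live mapping, else apply a DNAT rule, else drop.

        A reply is accepted only from the remote endpoint the entry was created for
        (endpoint-dependent filtering), so other hosts cannot reuse the open port.
        """
        self._expire(now)
        key = (pkt.proto, pkt.dst_port)
        entry = self.table.get(key)
        if entry is not None and entry.outside_global == (pkt.src_ip, pkt.src_port):
            entry.last_seen = now
            ip, port = entry.inside_local
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)
        if key in self.forwards:
            ip, port = self.forwards[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)
        return None  # no mapping and no rule: the packet is dropped


if __name__ == "__main__":
    nat = PatDevice("203.0.113.50")
    out = nat.outbound(Packet("udp", "192.168.1.100", 54321, "8.8.8.8", 53), now=0.0)
    print("outbound rewritten:", out)
    print("reply delivered:", nat.inbound(Packet("udp", "8.8.8.8", 53, "203.0.113.50", out.src_port), now=1.0))
    print("unsolicited inbound:", nat.inbound(Packet("tcp", "198.51.100.7", 40000, "203.0.113.50", 8080), now=1.0))
```

The `inbound` check that the reply comes from the same remote endpoint is one of several filtering policies real NAT devices use; it is the strict choice, and the reason an outbound DNS query does not leave a port that any other Internet host can reach. Running the module shows the rewritten query, the reply delivered back to 192.168.1.100:54321, and `None` for the unsolicited TCP packet, which is the "Incoming Connections Blocked" case below until `add_port_forward` is called.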

NAT Problems and Limitations

Problem 1: Incoming Connections Blocked

Internet PC: "I want to connect to 192.168.1.100:8080"
NAT: "Who's that? I don't have a rule for it."
Result: Connection refused

Solution: Port forwarding or UPnP

Problem 2: Application Conflicts

Some apps send IP addresses inside their messages:

FTP (active mode): "Connect to 192.168.1.100 for data"
NAT rewrites the packet header's source to 203.0.113.50, but the address inside the FTP payload still says 192.168.1.100
Internet client tries to reach 192.168.1.100: a private address it cannot route to
Confusion and broken connections

Solution: NAT-aware protocols, ALG (Application Layer Gateway)

Problem 3: Multiple NAT Levels (Double NAT)

Your PC:     192.168.1.100
Your Router: 192.168.1.1 (LAN) / 203.0.113.50 (WAN)   ← translates once
ISP NAT:     203.0.113.50 → ISP public IP             ← translates again

Symptoms: Can't reach server, mysterious connectivity issues

Solution: Don't nest NAT unnecessarily

NAT in Cloud / Containers

Container NAT:

Container: 172.17.0.2
Host: 192.168.1.100

Port mapping:
External :8080 → Container :3000

Docker NAT rewrites destination port

AWS NAT Gateway:

Private Subnet: 10.0.1.0/24
EC2 Instance: 10.0.1.50 (no public IP)

EC2 initiates outbound → NAT Gateway
NAT Gateway has Elastic IP: 203.0.113.50
External traffic shows source: 203.0.113.50
Response comes back to NAT Gateway
NAT routes to EC2 instance

Kubernetes NodePort Service:

External request: NodeIP:30080
Kube-proxy DNATs to: PodIP:8080
Client sees source rewritten (SNAT)

NAT Technology Variants

SNAT (Source NAT)

Change the source address:

192.168.1.100 → 203.0.113.50
Outbound traffic rewrites source

DNAT (Destination NAT)

Change the destination address:

203.0.113.50:8080 → 192.168.1.100:80
Inbound traffic rewrites destination

Masquerading

Linux version of dynamic NAT:

# Enable masquerading on eth0
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

NAT and Protocol Issues

ICMP (Ping)

  • Can be NATed, but must maintain ID field
  • Some NAT devices break this

FTP

  • Sends IP in application data
  • NAT can't rewrite it (the address sits in application data, not in the L3/L4 headers)
  • Use passive FTP instead

VoIP

  • Timing critical
  • NAT delays break calls
  • Special VoIP NAT traversal techniques

IPsec

  • Often incompatible with NAT
  • Checksums become invalid
  • Use NAT-T (NAT Traversal)

Viewing NAT Rules (Linux)

# View NAT rules
sudo iptables -t nat -L -n
 
# Example:
# Chain PREROUTING (policy ACCEPT)
# target     prot opt source               destination
# DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.168.1.100:80
#
# Chain POSTROUTING (policy ACCEPT)
# MASQUERADE  all  --  192.168.1.0/24     !192.168.1.0/24
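The `-L -n` listing above is the record of every port forward and masquerade rule the box applies, and the best practices below ask for that record to be documented and monitored. As an added example (not part of the lesson, and not an iptables tool), here is a small Python parser for that output format that turns each rule into a record, lists the DNAT port forwards, and flags the ones that accept the forwarded port from any source. `SAMPLE_OUTPUT` is constructed from the lesson's example plus one extra, source-restricted forward; `parse_nat_table`, `port_forwards`, `wide_open_forwards` and `describe` are this example's own names.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `sudo iptables -t nat -L -n` output: the
# lesson's two rules plus one extra forward restricted to a single source range.
SAMPLE_OUTPUT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.168.1.100:80
DNAT       tcp  --  203.0.113.0/24       0.0.0.0/0            tcp dpt:2222 to:192.168.1.10:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       !192.168.1.0/24
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
DPORT_RE = re.compile(r"\bdpt:(\d+)")
TO_RE = re.compile(r"\bto:(\S+)")


def parse_nat_table(text: str) -> List[Dict]:
    """Turn `iptables -t nat -L -n` text into one dict per rule."""
    rules: List[Dict] = []
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        # Skip blank lines and the per-chain column header.
        if not line.strip() or line.startswith("target"):
            continue
        target, proto, _opt, source, destination, *rest = line.split(None, 5)
        rule = {"chain": chain, "target": target, "proto": proto,
                "source": source, "destination": destination}
        extra = rest[0] if rest else ""  # match and target options, e.g. "tcp dpt:8080 to:..."
        m = DPORT_RE.search(extra)
        if m:
            rule["dport"] = int(m.group(1))
        m = TO_RE.search(extra)
        if m:
            # "to:ip:port" for a full redirect, "to:ip" when only the address changes
            ip, sep, port = m.group(1).rpartition(":")
            rule["to_ip"] = ip if sep else m.group(1)
            rule["to_port"] = int(port) if sep else None
        rules.append(rule)
    return rules


def port_forwards(rules: List[Dict]) -> List[Dict]:
    """DNAT rules that map a public port to an inside host (two-way NAT)."""
    return [r for r in rules if r["target"] == "DNAT" and "dport" in r]


def wide_open_forwards(rules: List[Dict]) -> List[Dict]:
    """Port forwards that accept the public port from any source address."""
    return [r for r in port_forwards(rules) if r["source"] == "0.0.0.0/0"]


def describe(rule: Dict) -> str:
    """One-line summary suitable for a port-mapping inventory."""
    return (f'{rule["chain"]}: {rule["proto"]} from {rule["source"]} '
            f'port {rule["dport"]} -> {rule["to_ip"]}:{rule["to_port"]}')


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE_OUTPUT)
    for r in port_forwards(table):
        flag = "  (any source)" if r in wide_open_forwards(table) else ""
        print(describe(r) + flag)
```

Feeding it real output (`sudo iptables -t nat -L -n | python3 parser.py` with a few lines to read stdin instead of the sample) gives a list that can be diffed against the documented port mappings on each change; a forward that appears in the listing but not in the documentation is exactly the kind of drift the "Document all port mappings" practice is meant to catch.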

NAT Best Practices

✓ Avoid double NAT
✓ Use port forwarding for incoming services
✓ Document all port mappings
✓ Monitor connection table size
✓ Use UPnP/NAT-PMP for automatic mapping when safe
✓ Test both inbound and outbound connectivity
✓ Be aware of timeouts for long-lived connections
✓ Use SNAT for outbound consistency

Key Concepts

  • NAT translates between private and public addresses
  • SNAT rewrites source (outbound)
  • DNAT rewrites destination (inbound)
  • PAT uses ports to multiplex one public IP
  • Translation table maintains active mappings
  • Sessions timeout when no longer in use
  • Port forwarding enables inbound to private network
  • Most home/office routers use NAT automatically
  • IPv6 eliminates need for NAT (eventually)