Computer Networks

NAT: One IP for Everyone

There are only 4.3 billion IPv4 addresses, but tens of billions of devices. NAT is the hack that keeps the internet working: your home, office, and coffee shop share one public IP among hundreds of devices.

  • **Home networks:** every router uses NAT
  • **Corporate networks:** thousands of devices behind a few IPs
  • **Servers:** port forwarding for home web hosting

Prerequisites

  • Private and Public Addresses
  • Ports: doors into a computer

NAT Types

**NAT** (Network Address Translation) - technology for rewriting IP addresses in packets as they pass through a router. Allows devices with private addresses (e.g. 192.168.x.x) to access the internet through a single public IP. Solves the problem of the IPv4 address shortage.

**PAT** (Port Address Translation) - the most common type. Home routers use PAT. One public IP serves hundreds of devices because the router assigns each outgoing connection its own unique source port and keeps a table mapping that port back to the private host.

What type of NAT does a home router use?

SNAT and DNAT

**SNAT** (Source NAT) - substituting the source address. Used to go from a private network to the outside. **DNAT** (Destination NAT) - substituting the destination address. Used for port forwarding into the network.

**Masquerade in Linux** - dynamic SNAT. Automatically uses the interface's IP. Convenient when the external IP is dynamic (DHCP from ISP).

When is DNAT used?

Port Forwarding

**Port Forwarding** - a specific case of DNAT. The router redirects incoming connections on a certain port to a specific device in the local network. Needed for servers, games, torrents, remote access.

**Hairpin NAT / NAT Loopback:** Allows reaching a forwarded server by its external IP from within the local network. Without it: the server at 192.168.1.100 is reachable by its private address from inside, but 203.0.113.50:80 is not. Not all routers support it.

Why is Port Forwarding needed?

NAT Traversal

**NAT Traversal** - methods for establishing connections between devices behind NAT without manual port forwarding. Critical for P2P, VoIP, video calls, online games. Main techniques: STUN, TURN, ICE.

**NAT types per RFC 3489:** Full Cone (most open), Restricted Cone, Port Restricted Cone, Symmetric (most restrictive). Symmetric NAT is hardest to punch through - may require a TURN server.

Misconception: NAT is protection from hackers

Reality: NAT hides devices but is not a firewall

NAT doesn't filter traffic - it translates addresses. Security is a side effect: unsolicited incoming packets are dropped only because no translation-table entry (and no port-forwarding rule) matches them. But it's not a replacement for a firewall: anything you forward, any hole punched by NAT traversal, and any outbound connection a compromised host makes passes straight through. A real firewall is needed for protection.
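The mechanics of PAT, DNAT port forwarding, and the "side effect" drop behaviour described above can be seen in a small simulation. This is an added example written for this lesson, not code from any router; the public address 203.0.113.50 and the 192.168.1.0/24 hosts are constructed sample values.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.50"  # constructed sample WAN address of the router


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy PAT router: one public IP shared by many private hosts."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port          # next free public port for PAT
        self.table = {}                      # (pub_ip, pub_port) -> (priv_ip, priv_port)
        self.reverse = {}                    # (priv_ip, priv_port) -> pub_port
        self.forwards = {}                   # DNAT rules: pub_port -> (priv_ip, priv_port)

    def add_port_forward(self, public_port, private_ip, private_port):
        """Static DNAT rule, i.e. classic port forwarding."""
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, pkt):
        """SNAT/PAT: rewrite source to public IP + unique port and record the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:          # first packet of this flow: allocate a port
            self.reverse[key] = self.next_port
            self.table[(self.public_ip, self.next_port)] = key
            self.next_port += 1
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Returns the translated packet, or None when the router drops it."""
        # 1. Reply to a flow we opened: undo the PAT mapping (like conntrack in Linux).
        entry = self.table.get((pkt.dst_ip, pkt.dst_port))
        if entry is not None:
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        # 2. New connection matching a port-forwarding rule: DNAT to the inside host.
        if pkt.dst_ip == self.public_ip and pkt.dst_port in self.forwards:
            ip, port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        # 3. No table entry, no rule: nowhere to deliver it. This drop is the
        #    "security side effect"; the router never inspected the payload.
        return None
```

Two inside hosts using the same source port 51000 receive different public ports, and an unsolicited packet to an unmapped port is simply dropped while the forwarded port 80 passes through untouched.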

What does a STUN server do?

Key Ideas

  • **NAT** translates private IPs to public ones
  • **SNAT** - source substitution (outgoing to internet)
  • **DNAT** - destination substitution (port forwarding)
  • **NAT Traversal** (STUN) - P2P through NAT without manual forwarding

Related Topics

NAT interacts with many technologies:

  • NAT Problems — P2P, VoIP, games - details on the challenges
  • IPv6 — IPv6 eliminates the need for NAT
  • VPN — VPN solves NAT problems through tunneling

Questions for Reflection

  • Why doesn't IPv6 require NAT?
  • How does NAT affect peer-to-peer applications?
  • Why is NAT not a replacement for a firewall?

Related Lessons

  • sec-01