NAT is one of the biggest attractions of Linux and Iptables to this day it
seems. Instead of using fairly expensive third party solutions such as Cisco
PIX etc, a lot of smaller companies and personal users have chosen to go with
these solutions instead. One of the main reasons is that it is cheap, and
secure. It requires an old computer, a fairly new Linux distribution which you
can download for free from the Internet, a spare network card or two and
This chapter will describe a little bit of the basic theory about NAT, what it
can be used for, how it works and what you should think about before starting
to work on these subjects.
Basically, NAT allows a host or several hosts to share the same IP address in a
way. For example, let's say we have a local network consisting of 5-10 clients.
We set their default gateways to point through the NAT server. Normally the
packet would simply be forwarded by the gateway machine, but in the case of an
NAT server it is a little bit different.
NAT servers translates the source and destination addresses of packets as we
already said to different addresses. The NAT server receives the packet,
rewrites the source and/or destination address and then recalculates the
checksum of the packet. One of the most common usages of NAT is the SNAT
(Source Network Address Translation) function. Basically, this is used in the
above example if we can't afford or see any real idea in having a real public
IP for each and every one of the clients. In that case, we use one of the
private IP ranges for our local network (for example, 192.168.1.0/24), and
then we turn on SNAT for our local network. SNAT will then turn all
192.168.1.0 addresses into it's own public IP (for example, 126.96.36.199).
This way, there will be 5-10 clients or many many more using the same shared
There is also something called DNAT, which can be extremely helpful when it
comes to setting up servers etc. First of all, you can help the greater good
when it comes to saving IP space, second, you can get an more or less totally
impenetrable firewall in between your server and the real server in an easy
fashion, or simply share an IP for several servers that are separated
into several physically different servers. For example, we may run a small
company server farm containing a webserver and ftp server on the same machine,
while there is a physically separated machine containing a couple of different
chat services that the employees working from home or on the road can use to
keep in touch with the employees that are on-site. We may then run all of these
services on the same IP from the outside via DNAT.
The above example is also based on separate port NAT'ing, or often called PNAT.
We don't refer to this very often throughout this book, since it is covered by
the DNAT and SNAT functionality in netfilter.
In Linux, there are actually two separate types of NAT that can be used, either
Fast-NAT or Netfilter-NAT. Fast-NAT is implemented inside the IP routing code
of the Linux kernel, while Netfilter-NAT is also implemented in the Linux
kernel, but inside the netfilter code. Since this book won't touch the IP
routing code too closely, we will pretty much leave it here, except for a few
notes. Fast-NAT is generally called by this name since it is much faster than
the netfilter NAT code. It doesn't keep track of connections, and this is
both its main pro and con. Connection tracking takes a lot of processor power,
and hence it is slower, which is one of the main reasons that the Fast-NAT is
faster than Netfilter-NAT. As we also said, the bad thing about Fast-NAT
doesn't track connections, which means it will not be able to do SNAT very well
for whole networks, neither will it be able to NAT complex protocols such as
FTP, IRC and other protocols that Netfilter-NAT is able to handle very well. It
is possible, but it will take much, much more work than would be expected from
the Netfilter implementation.
There is also a final word that is basically a synonym to SNAT, which is the
Masquerade word. In Netfilter, masquerade is pretty much the same as SNAT with
the exception that masquerading will automatically set the new source IP to the
default IP address of the outgoing network interface.