
NAT

Network Address Translation (NAT)

1. Overview of Network Address Translation (NAT)

Network Address Translation (NAT) is the process of mapping one IP address to another, or mapping an IP address and port pair to a different IP and port pair.

2. The Original Problem: IPv4 Scarcity

NAT was primarily designed to address the exhaustion of IPv4 addresses. With only approximately 4 billion available addresses, the explosion of internet-connected devices (including appliances and mobile phones) meant there were not enough unique public IPs to go around [00:26]. NAT allows multiple devices on a private network to share a single public IP address.

3. Communication Fundamentals

To understand NAT, it is helpful to look at how devices communicate within a local network versus across the internet.

  • Internal Communication (Same Subnet): Devices in the same subnet (e.g., 192.168.1.x) can find each other directly [03:20]. They use the Address Resolution Protocol (ARP) to discover the MAC address of the target machine [03:35]. In this scenario, a router typically acts as a simple switch, forwarding traffic without modifying the IP headers [06:20].
  • External Communication (Internet): Private IP ranges (like 10.x.x.x or 192.168.x.x) are not routable on the public internet; if these packets reach a public router, they are dropped [08:16]. For a device with a private IP to communicate with a public server, it needs a "public representation" [08:38].

4. How the NAT Process Works

When a device on a private network tries to reach a public IP, the following steps occur:

  1. Gateway Identification: The device realizes the target IP is outside its subnet and sends the packet to its Default Gateway (the router) [10:08].
  2. Packet Forwarding: The packet is sent to the router's MAC address, but the destination IP remains the final public target [12:03].
  3. Translation (Source NAT): The router modifies the packet by replacing the device's internal private IP with the router's own public IP [13:44].
  4. The NAT Table: The router creates a stateful entry in its memory (a NAT table). This entry maps the internal IP/port to the external port used for the request, allowing the router to remember which device is expecting a response [14:46].
  5. Receiving the Response: When the server replies, it sends the data to the router’s public IP. The router checks its NAT table, identifies the original sender, translates the destination IP back to the private internal IP, and forwards the packet [16:52].
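A runnable model of the table described in steps 3 to 5 (an added example, not code from the video): two LAN hosts share one public IP, each reply is matched back to the right host, and an inbound packet with no table entry has nowhere to go and is dropped. The addresses, ports and the per-flow external-port allocation are assumptions.

```python
# Added example (not from the video): a model of the stateful NAT table a router
# keeps for outbound connections, as in steps 3-5 above. All addresses and ports
# are constructed sample values.

class SourceNat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private ip, port, remote ip, port) -> external port
        self.inbound = {}    # (external port, remote ip, port) -> (private ip, port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Steps 3/4: rewrite the source of a packet leaving the private network
        and record the mapping so the reply can be matched later."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            ext_port = self.next_port      # a fresh external port per new flow, so
            self.next_port += 1            # two hosts using the same port don't collide
            self.outbound[key] = ext_port
            self.inbound[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Step 5: rewrite a reply arriving at the public side back to the private
        host. Returns None when nothing in the table matches: an inbound packet
        that no internal host asked for cannot be delivered and is dropped."""
        if dst_ip != self.public_ip:
            return None
        private = self.inbound.get((dst_port, src_ip, src_port))
        if private is None:
            return None
        return (src_ip, src_port, private[0], private[1])

def walkthrough():
    """Two LAN hosts open a connection to the same server from the same local port."""
    nat = SourceNat("203.0.113.7")                 # router's public IP (constructed)
    out_a = nat.translate_out("192.168.1.10", 5555, "198.51.100.20", 443)
    out_b = nat.translate_out("192.168.1.11", 5555, "198.51.100.20", 443)
    reply_b = nat.translate_in("198.51.100.20", 443, "203.0.113.7", out_b[1])
    stray = nat.translate_in("198.51.100.99", 443, "203.0.113.7", out_a[1])
    return out_a, out_b, reply_b, stray
```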

5. Modern Applications of NAT

Even with the advent of IPv6, which provides an almost unlimited number of addresses, NAT remains relevant for other functions:

  • Port Forwarding: This allows an internal service running on a specific port (e.g., 8080) to be exposed to the outside world on a different port (e.g., 80) [18:16]. This is often used to bypass restrictions on "root-only" ports (those below 1024) [18:45].
  • Load Balancing: NAT can be used to implement Virtual IPs (VIP). A load balancer receives traffic at a single VIP and uses a NAT table to distribute those requests across multiple backend servers based on factors like latency or response time [19:45].

Source Video: https://youtu.be/RG97rvw1eUo?si=_lncvkMCokjDx3AP


iptables

1. Core Components of iptables

To understand iptables, you must grasp four key components [00:33]:

  • Tables: The high-level categories of rules. The video focuses on the nat (Network Address Translation) table.
  • Chains: Lists of rules that are applied at specific points in the packet's journey (e.g., PREROUTING, POSTROUTING, OUTPUT).
  • Matches: The criteria used to identify specific packets (e.g., protocol is TCP, destination port is 80).
  • Targets: The action to take once a packet matches (e.g., REDIRECT, DNAT, SNAT, DROP).

2. The NAT Table and Packet Flow

The nat table is primarily used for modifying the source or destination IP addresses and ports [02:04].

  • PREROUTING Chain: Applied as soon as a packet enters a network interface, before any routing decisions are made [02:21].
  • OUTPUT Chain: Applied when a packet is generated locally by a process on the machine [03:25].
  • POSTROUTING Chain: Applied as a packet is about to leave the network interface [03:37].

3. Use Case: Port Redirection (Local Machine)

A common scenario is wanting to run a web server on a privileged port (like 80) without giving the application root permissions [04:28].

  • The Logic: Run the application on a non-privileged port (e.g., 8080) and use iptables to redirect incoming traffic from port 80 to 8080 [06:04].
  • The Command: sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 [08:32]
  • Why it works: The kernel intercepts the packet in the PREROUTING chain, changes the destination port to 8080, and then passes it to the local process [09:17].

4. Use Case: IP Forwarding (To Another Machine)

To forward traffic from one machine (the gateway) to another machine on the network, you must perform two types of NAT [13:45]:

A. Destination NAT (DNAT)

Used in the PREROUTING chain to change where the packet is going.

  • Command: sudo iptables -t nat -A PREROUTING -p tcp -d [Gateway_IP] --dport 80 -j DNAT --to-destination [Target_IP]:8080 [26:01]

B. Source NAT (SNAT)

Used in the POSTROUTING chain to change the source IP. Without this, the target machine will try to reply directly to the original client, which will reject the packet because it expects a reply from the gateway [17:02].

  • Command: sudo iptables -t nat -A POSTROUTING -p tcp -d [Target_IP] --dport 8080 -j SNAT --to-source [Gateway_IP] [29:01]
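The two rules as a runnable model (an added example, not the video's code): with_snat=True walks the working DNAT plus SNAT path, and with_snat=False reproduces the failure described under B, where the target answers the client directly from an address the client never spoke to. Gateway_IP, Target_IP and the client address are constructed values.

```python
# Added example (not from the video): a model of the gateway's PREROUTING DNAT and
# POSTROUTING SNAT rules above. The with_snat switch reproduces the failure the
# text describes when the SNAT rule is missing. Addresses are constructed samples.
GATEWAY_IP, TARGET_IP, CLIENT_IP = "10.0.0.1", "10.0.0.2", "192.0.2.50"

# packets are tuples (src_ip, src_port, dst_ip, dst_port)

class Gateway:
    def __init__(self, with_snat):
        self.with_snat = with_snat
        self.conntrack = {}   # translated reply tuple -> original reply tuple

    def forward(self, pkt):
        """PREROUTING: -d GATEWAY_IP --dport 80 -j DNAT --to-destination TARGET_IP:8080
        POSTROUTING: -d TARGET_IP --dport 8080 -j SNAT --to-source GATEWAY_IP"""
        src, sport, dst, dport = pkt
        if not (dst == GATEWAY_IP and dport == 80):
            return pkt                                   # DNAT rule does not match
        dst, dport = TARGET_IP, 8080                     # DNAT rewrites the destination
        new_src = GATEWAY_IP if self.with_snat else src  # SNAT rewrites the source
        # connection tracking remembers how to undo both rewrites on the reply
        self.conntrack[(dst, dport, new_src, sport)] = (GATEWAY_IP, 80, src, sport)
        return (new_src, sport, dst, dport)

    def reverse(self, reply):
        """Untranslate a reply that reaches the gateway; None if it is not tracked."""
        return self.conntrack.get(reply)

def target_reply(pkt):
    """The target answers to whatever source address it saw in the request."""
    src, sport, dst, dport = pkt
    return (dst, dport, src, sport)

def client_accepts(sent, reply):
    """A client only accepts a reply from the address and port it actually sent to."""
    return (reply[0], reply[1]) == (sent[2], sent[3]) and (reply[2], reply[3]) == (sent[0], sent[1])

def simulate(with_snat):
    gw = Gateway(with_snat)
    request = (CLIENT_IP, 51234, GATEWAY_IP, 80)
    reply = target_reply(gw.forward(request))
    # With SNAT the reply is addressed to the gateway, which untranslates it.
    # Without SNAT the target sends it straight to the client with TARGET_IP:8080
    # as its source, which the client never spoke to.
    if reply[2] == GATEWAY_IP:
        reply = gw.reverse(reply)
    return client_accepts(request, reply)
```

The price of the SNAT rule is that the target only ever sees Gateway_IP as the client, so its own logs lose the real client address.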

5. Essential Requirement: IP Forwarding

For any cross-machine forwarding to work, you must enable IP forwarding in the Linux kernel [21:35].

  • How to enable: Typically found in /etc/sysctl.conf. You must uncomment or add the line net.ipv4.ip_forward=1 and apply the changes [32:38].

6. Useful Commands

  • List rules: sudo iptables -t nat -L (or --list) [23:42].
  • Flush (Clear) rules: sudo iptables -t nat -F (or --flush) [23:16].

Source Video: http://www.youtube.com/watch?v=NAdJojxENEU


Address Resolution Protocol (ARP)

1. Introduction to ARP

  • Definition: ARP is a protocol that maps a known IP address (logical address) to a MAC address (physical hardware address) [00:00].
  • Significance: It is essential for communication at the Data Link Layer (Layer 2) of the OSI model [01:00].

2. Why do we need ARP?

  • The Addressing Gap: While software typically communicates using IP addresses (often resolved via DNS), physical network hardware (cables, fiber optics, wireless) requires MAC addresses to deliver data to the correct machine [01:36].
  • Layer 2 Requirements: Every network frame must include both a source and a destination MAC address. Since we rarely know a destination's MAC address beforehand, ARP provides the discovery mechanism [02:30].
  • ARP Table (Cache): Because looking up a MAC address is a broadcast operation (and thus "expensive" for the network), machines maintain an ARP table to cache these mappings locally [04:02].

3. The Network Frame & ARP Process

  • Frame Structure: A standard network request (like an HTTP GET) is encapsulated into frames. These frames contain layers of data:
      • Layer 7: Application data (HTTP) [06:09].
      • Layer 4: Ports (Source/Destination) [03:15].
      • Layer 3: IP addresses (Source/Destination) [03:24].
      • Layer 2: MAC addresses (Source/Destination) [03:30].
  • The Workflow:
      • Broadcast Request: The source machine sends a broadcast message to the entire network asking, "Who has IP address X? Tell IP address Y" [08:30].
      • Target Reply: The machine owning that IP address replies with its MAC address [08:40].
      • Caching: The source machine updates its ARP table with the new entry to avoid repeating the broadcast [09:39].

4. ARP and Subnets (The Default Gateway)

  • Local vs. Remote: If a machine needs to connect to an IP address outside its own subnet (e.g., a Google server), it cannot communicate with that IP directly via ARP [10:02].
  • The Gateway's Role: Instead, the machine sends the data to its Default Gateway (the router). To do this, it performs an ARP request for the Gateway's MAC address [11:03].
  • Routing: Once the frame reaches the router, the router handles the next steps of getting the data to the external network [11:51].

5. Security Risks: ARP Poisoning

  • Lack of Verification: ARP is inherently trusting; machines generally accept ARP replies even if they didn't ask for them [09:00].
  • ARP Poisoning/Spoofing: An attacker can send fake ARP replies to tell other machines that they are the router. This tricks the network into sending all traffic through the attacker's machine [12:05].
  • Man-in-the-Middle (MITM): This allows attackers to sniff data (using tools like Wireshark) [12:44].
  • Defense: Using encrypted protocols like HTTPS (TLS) prevents attackers from reading the actual data even if they successfully intercept the frames via ARP poisoning [13:00].
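An added example (not from the video) serving section 3 and section 5: it builds and parses the Layer 2 ARP frame (Ethernet header plus ARP body), then feeds replies to a small watcher that flags when an IP it already knows starts answering from a different MAC, the symptom a defender looks for. All MACs and IPs are constructed.

```python
# Added example (not from the video): build/parse the ARP frame of section 3 and a
# defensive watcher for section 5. All MACs and IPs are constructed sample values.
import struct
from ipaddress import IPv4Address

BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))
def build_arp(oper, sha, spa, tha, tpa):
    """Ethernet header + ARP body (IPv4 over Ethernet); oper 1 = request, 2 = reply.
    A request is broadcast at Layer 2; a reply goes straight to the asker's MAC."""
    eth = _mac(BROADCAST if oper == 1 else tha) + _mac(sha) + struct.pack("!H", 0x0806)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + _mac(sha) + IPv4Address(spa).packed + _mac(tha) + IPv4Address(tpa).packed)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields, or None if this is not an IPv4-over-Ethernet ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"oper": oper, "sha": mac(frame[22:28]), "spa": str(IPv4Address(frame[28:32])),
            "tha": mac(frame[32:38]), "tpa": str(IPv4Address(frame[38:42]))}

class ArpWatch:
    """Keeps its own sender IP -> MAC table from replies. A known IP suddenly answering
    from another MAC is the poisoning symptom (or a replaced NIC: a lead, not proof)."""
    def __init__(self):
        self.table = {}
    def observe(self, frame):
        p = parse_arp(frame)
        if p is None or p["oper"] != 2:
            return None                       # ignore non-ARP frames and requests
        known = self.table.get(p["spa"])
        self.table[p["spa"]] = p["sha"]
        if known is not None and known != p["sha"]:
            return f"ALERT: {p['spa']} moved from {known} to {p['sha']}"
        return None

def sample_run():
    # constructed traffic: a host asks for the gateway, the gateway answers, then a
    # second reply claims the gateway's IP from a different MAC
    w = ArpWatch()
    frames = [build_arp(1, "66:77:88:99:aa:bb", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
              build_arp(2, "00:11:22:33:44:55", "192.168.1.1", "66:77:88:99:aa:bb", "192.168.1.10"),
              build_arp(2, "de:ad:be:ef:00:01", "192.168.1.1", "66:77:88:99:aa:bb", "192.168.1.10")]
    return [a for a in map(w.observe, frames) if a]
```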

Source Video: Address Resolution Protocol - ARP