5.14 Network Address Translation (IP Masquerading)

Network Address Translation (NAT) permits sharing a single IP address (for example, from a PPP or broadband connection) with an entire internal network. NAT is very popular with home and small office networks. IPv4 addresses are in short supply, and furthermore, ISPs do not really want to bother with more routing than they can handle. As mentioned in Section 5.9.1, many small routers support NAT. In Linux, the variant of NAT that most people use is known as IP masquerading.

The basic idea behind NAT is that the machine with the Internet connection acts as a proxy between the internal network and the rest of the Internet. Consider a network like the one back in Figure 5-1 on page 94, and assume that the router (gateway) has an eth0 interface to an internal private network and a ppp0 interface for the uplink to the Internet.

Every host on the Internet knows how to connect to the router, but they know nothing about the internal private network behind the router. Under NAT, each of the internal hosts has the router as its default gateway. The system works roughly as follows:

  1. A host on the internal private network wishes to make a connection to the outside world, so it sends its connection request packets through the router as normal.

  2. The router intercepts the connection request packet rather than passing it out to the Internet (where it would get lost, because the public Internet knows nothing about private networks such as

  3. The router determines the destination of the connection request packet and opens its own connection to the destination.

  4. When the router obtains the connection, it fakes a "connection established" message back to the original internal host.

  5. The router is now the middleman between the internal host and the destination. The destination knows nothing about the internal host; the connection on the remote host looks like it came from the router.

This doesn't sound too bad until you think about how it works. Plain old IP routing knows only source and destination IP addresses in the Internet layer. However, if the router dealt only with the Internet layer, each host on the internal network could establish only one connection to a single destination at one time (among other limitations), because there is no information in the Internet layer part of a packet that could distinguish multiple requests from the same host to the same destination.

Therefore, NAT must dissect packets to pull out more identifying information. The only suitable stuff is in the transport layer — in particular, the TCP and UDP port numbers. The transport layer is very complex, so you can imagine that there are lots of things that can go wrong when a router goes mucking about inside transport layer information that comes from two hosts (the internal one and the external one) that it knows nothing about.
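To make the point concrete, here is a small model of a masquerading router, written as an added example (it is not code from the book and does not use the kernel's actual data structures). It plays out the five steps above with a translation table keyed on transport-layer ports, and it shows the failure that an Internet-layer-only router would hit: two connections from the same internal host to the same destination become indistinguishable once the source address is rewritten. The addresses, ports and the starting public port number are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: a private LAN behind a router whose uplink has one
# public address. All addresses here are made-up documentation addresses.
ROUTER_PUBLIC_IP = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Minimal model of IP masquerading (source NAT).

    Outbound packets from the LAN get their source rewritten to the router's
    public address and a router-chosen port. Replies are matched on that port
    and rewritten back. Inbound packets with no mapping are dropped, which is
    why Internet hosts cannot reach LAN services without explicit port
    forwarding (a hypothetical simplification of the kernel's conntrack).
    """

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public_port) -> (lan_ip, lan_port, dst_ip, dst_port)
        self.table = {}
        # (proto, lan_ip, lan_port, dst_ip, dst_port) -> public_port
        self.reverse = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Step 2-3: intercept a LAN packet and re-source it from the router."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:
            # New flow: allocate a public port that identifies it uniquely.
            port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port,
                                             pkt.dst_ip, pkt.dst_port)
            self.reverse[key] = port
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 5: map a reply back to the LAN host, or drop it (None)."""
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited inbound traffic: no mapping, dropped
        lan_ip, lan_port, dst_ip, dst_port = entry
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None  # only the remote endpoint we contacted may reply
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def ip_only_collision(packets) -> bool:
    """Why Internet-layer information is not enough: a router that looked
    only at source and destination IP would see these flows as the same."""
    seen = set()
    for p in packets:
        key = (p.src_ip, p.dst_ip)  # all an IP-only router could see
        if key in seen:
            return True
        seen.add(key)
    return False


def demo():
    """Run two flows from one LAN host to one web server through the router."""
    nat = Masquerader(ROUTER_PUBLIC_IP)
    first = Packet("tcp", "10.23.2.4", 40000, "198.51.100.20", 80)
    second = Packet("tcp", "10.23.2.4", 40001, "198.51.100.20", 80)
    out1, out2 = nat.outbound(first), nat.outbound(second)
    reply = Packet("tcp", "198.51.100.20", 80, ROUTER_PUBLIC_IP, out2.src_port)
    unsolicited = Packet("tcp", "192.0.2.9", 5555, ROUTER_PUBLIC_IP, 22)
    return {
        "out1": out1,
        "out2": out2,
        "reply_delivered_to": nat.inbound(reply),
        "unsolicited": nat.inbound(unsolicited),
        "retransmit_keeps_port": nat.outbound(first).src_port == out1.src_port,
        "ip_only_would_collide": ip_only_collision([first, second]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `inbound` check that the reply's source matches the recorded remote endpoint is the model's version of connection tracking; it is also the reason an unrelated Internet host cannot reach a LAN machine through the router, which the limitations later in this section describe.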

That said, NAT works better in practice than this brief description might suggest. To set up a Linux machine to perform as a NAT router, you must activate all of the following inside the kernel configuration: network packet filtering ("firewall support"), connection tracking, IP tables support, full NAT, and MASQUERADE target support.


See Chapter 10 for information on the kernel.

Then run iptables commands like the following to make the router perform NAT for its private subnet. These commands are for the earlier example network:

# Allow the kernel to forward packets between interfaces at all
echo 1 > /proc/sys/net/ipv4/ip_forward
# Forward nothing by default; the rules below open only what is needed
iptables -P FORWARD DROP
# Rewrite the source of packets leaving on ppp0 to the uplink's address
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Let the internal network (eth0) initiate connections outward
iptables -A FORWARD -i eth0 -j ACCEPT
# Let replies to those connections (tracked by conntrack) come back in
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This example applies to an internal Ethernet network on eth0 sharing a PPP Internet connection (ppp0). Change these to suit your network.

When using NAT, remember that it's essentially a hack. In a perfect world, we would all be using IPv6 (the next-generation Internet), and we could get permanent subnets from our ISPs without any pain. In the meantime, though, you have to deal with these NAT limitations:

  • Internet hosts cannot connect to services inside the private network without special port forwarding help from the NAT router. Of course, the hosts in the private network may have network security vulnerabilities, so this limitation may be more of a blessing than a drawback.

  • Because Internet hosts cannot connect to internal hosts, some services need even more complicated packet dissection to work.

  • NAT works for TCP, UDP, and some ICMP, but not necessarily all transport layer protocols.

  • NAT requires much more memory and computing power than normal IP routing, so the computer acting as the router cannot be completely underpowered. In addition, there is always some connection overhead and latency. However, modern computers are more than fast enough to handle this, and the overhead and latency don't really matter unless you're running a big operation.