# Chapter 12: NAT & PAT - Network Address Translation

## 12.1 Introduction to NAT

NAT (Network Address Translation) allows multiple devices to share a single public IP address.
Why NAT?

IPv4 address exhaustion:

- Only ~4.3 billion IPv4 addresses
- Not enough for billions of devices
- Private addresses (RFC 1918) solve this

Private IP ranges (RFC 1918):

| Prefix | Range | Approx. hosts |
| --- | --- | --- |
| 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255 | 16 million |
| 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255 | 1 million |
| 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255 | 65,000 |

NAT benefits:

- Conserves public IP addresses
- Adds some security (internal IPs are hidden from the outside)
- Allows flexible internal network design
- Easy to change ISP without renumbering

NAT drawbacks:

- Some protocols don't work (P2P, VoIP)
- End-to-end connectivity broken
- Performance overhead
- Logging complexity

## 12.2 How NAT Works
NAT process (outbound):

Original packet (from internal host):

- Source: 192.168.1.10:5000
- Destination: 8.8.8.8:80
- Source MAC: 00:11:22:33:44:55
- Destination MAC: router MAC

After NAT (from router):

- Source: 203.0.113.5:8000  <- changed
- Destination: 8.8.8.8:80
- Source MAC: router MAC
- Destination MAC: ISP gateway MAC

NAT table entry created:

| Internal IP | Internal Port | External IP | External Port |
| --- | --- | --- | --- |
| 192.168.1.10 | 5000 | 203.0.113.5 | 8000 |

Return packet:

- Destination: 203.0.113.5:8000  <- router looks it up in the NAT table
- Becomes: 192.168.1.10:5000
## 12.3 Types of NAT

### Static NAT (One-to-One)

Static NAT:

```text
+---------------------+            +----------------------+
| Private Network     |            | Public Network       |
|                     |            |                      |
| 192.168.1.10  <->   |    NAT     |   <->  203.0.113.10  |
| 192.168.1.11  <->   |   Router   |   <->  203.0.113.11  |
| 192.168.1.12  <->   |            |   <->  203.0.113.12  |
|                     |            |                      |
+---------------------+            +----------------------+
```

Use cases:

- Web servers that need a consistent public IP
- Port forwarding for specific services
- Servers that must be reachable from the internet

Configuration example:

```bash
# Inbound direction: traffic to the public address goes to the internal host
iptables -t nat -A PREROUTING -d 203.0.113.10 -j DNAT \
    --to-destination 192.168.1.10
# For a true one-to-one mapping the outbound direction needs a matching
# SNAT rule so the host leaves with the same public address (see 12.6)
```
### Dynamic NAT (Many-to-Many)

Dynamic NAT: an internal host is given a public address from the pool when it starts a session, and the address returns to the pool when the translation expires.

```text
+---------------------+            +----------------------+
| Private Network     |            | Public Pool          |
|                     |            |                      |
| 192.168.1.10  <->   |    NAT     |   <->  203.0.113.10  |
| 192.168.1.11  <->   |    Pool    |   <->  203.0.113.11  |
| 192.168.1.12  <->   |            |   <->  203.0.113.12  |
| 192.168.1.13  <->   |            |   <->  203.0.113.13  |
|                     |            |                      |
+---------------------+            +----------------------+
```

Pool: 203.0.113.10 - 203.0.113.20 (11 addresses)
## 12.4 PAT (Port Address Translation)

PAT, also called NAT Overload, maps multiple private IPs to a single public IP using different ports.

PAT (NAT Overload):

```text
+---------------------+            +----------------------+
| Private Network     |            | Public Network       |
|                     |            |                      |
| 192.168.1.10:5000 ->|            |-> 203.0.113.5:50001  |
| 192.168.1.10:5001 ->|    NAT     |-> 203.0.113.5:50002  |
| 192.168.1.11:6000 ->|            |-> 203.0.113.5:50003  |
| 192.168.1.12:3345 ->|            |-> 203.0.113.5:50004  |
|                     |            |                      |
+---------------------+            +----------------------+
```

NAT table:

| Proto | Internal IP | Int Port | Ext IP | Ext Port |
| --- | --- | --- | --- | --- |
| TCP | 192.168.1.10 | 5000 | 203.0.113.5 | 50001 |
| TCP | 192.168.1.10 | 5001 | 203.0.113.5 | 50002 |
| TCP | 192.168.1.11 | 6000 | 203.0.113.5 | 50003 |
| TCP | 192.168.1.12 | 3345 | 203.0.113.5 | 50004 |
### Port Forwarding

Scenario: host a web server (192.168.1.100) on the internal network and make it reachable from the internet on port 80.

```text
Internet ---> Router (203.0.113.5:80) ---> 192.168.1.100:80
```

Configuration:

```bash
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT \
    --to-destination 192.168.1.100:80
```

Common port forwards:

| Port | Service | Internal IP | Internal Port |
| --- | --- | --- | --- |
| 80 | HTTP | 192.168.1.100 | 80 |
| 443 | HTTPS | 192.168.1.100 | 443 |
| 22 | SSH | 192.168.1.10 | 22 |
| 3389 | RDP | 192.168.1.20 | 3389 |
| 21 | FTP | 192.168.1.30 | 21 |
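Every DNAT rule like the one above is a hole punched from the internet into the private network, so it is worth being able to list them from the router's own configuration. The following is an added example, not code from the chapter: it parses nat-table rules in `iptables-save` format, extracts each port forward, and flags forwards of services that a defender would not normally expose to arbitrary sources. The sample rules are constructed to match the table above, and the "risky" service list and the source-restriction check are this example's own assumptions, not anything the chapter prescribes.

```python
"""Audit DNAT port-forward rules from `iptables-save` output.

Added example, not from the chapter.  Reads rules in iptables-save
format, lists every DNAT forward, and flags forwards of risky services
that accept traffic from any source.  SAMPLE_RULES is constructed.
"""
import shlex

# Constructed sample of `iptables-save -t nat` output, mirroring the
# "Common port forwards" table (SSH is restricted to one /24 on purpose).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.100:443
-A PREROUTING -i eth0 -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.20:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.30:21
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Services this example treats as risky when reachable from anywhere
# (an assumption of the example, adjust to local policy).
RISKY_PORTS = {21: "FTP (cleartext)", 22: "SSH", 3389: "RDP"}
ANY_SOURCE = "0.0.0.0/0"


def parse_dnat_rules(text):
    """Return one dict per DNAT rule: proto, dport, source, dest, target.

    Negated matches (e.g. "! -s ...") are not modelled here.
    """
    forwards = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue                      # table/chain/COMMIT lines
        argv = shlex.split(line)
        if "-j" not in argv or argv[argv.index("-j") + 1] != "DNAT":
            continue                      # not a port forward
        rule = {"proto": None, "dport": None, "source": ANY_SOURCE,
                "dest": None, "target": None}
        for i, tok in enumerate(argv[:-1]):
            nxt = argv[i + 1]
            if tok == "-p":
                rule["proto"] = nxt
            elif tok == "--dport":
                rule["dport"] = int(nxt)
            elif tok == "-s":
                rule["source"] = nxt       # explicit source restriction
            elif tok == "-d":
                rule["dest"] = nxt
            elif tok == "--to-destination":
                rule["target"] = nxt
        forwards.append(rule)
    return forwards


def audit(forwards):
    """Return (dport, message) for risky services forwarded from any source."""
    findings = []
    for fw in forwards:
        if fw["dport"] in RISKY_PORTS and fw["source"] == ANY_SOURCE:
            findings.append((fw["dport"],
                             f"{RISKY_PORTS[fw['dport']]} forwarded to "
                             f"{fw['target']} from any source"))
    return findings


if __name__ == "__main__":
    rules = parse_dnat_rules(SAMPLE_RULES)
    for r in rules:
        print(f"{r['proto']}/{r['dport']} from {r['source']} -> {r['target']}")
    for port, msg in audit(rules):
        print(f"WARNING port {port}: {msg}")
```

On a real router the input would be `sudo iptables-save -t nat` piped into the script; the SSH forward is not flagged because it carries an explicit `-s` restriction, which is exactly the distinction the audit is meant to surface.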
## 12.5 NAT Types (NAT Traversal)

NAT types:

1. Full Cone NAT
   - Internal:Port maps to a fixed External:Port
   - Any external IP can reach the internal host via the external port
   - Least restrictive
2. Restricted Cone NAT
   - Only accepts packets from an IP that the internal host has sent to
   - Source port doesn't matter
3. Port Restricted Cone NAT
   - Only accepts packets from an IP:Port that the internal host has sent to
   - More restrictive
4. Symmetric NAT
   - Different external port for each destination
   - Most restrictive - causes VoIP/P2P issues
   - NAT traversal techniques needed

NAT detection:

Use tools like:

- open-source-nat-traversal (Python)
- pystun / stun client
- https://ipleak.net/
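The translation table from 12.2 and 12.4 and the four filtering behaviours listed above can be modelled in a few dozen lines. The following is an added Python simulation, not code from the chapter: outbound packets create table entries and get the public address plus an allocated external port, and inbound packets are translated back only if the selected NAT type admits them; everything else is dropped, which is why unsolicited inbound traffic never reaches an internal host and why symmetric NAT breaks peer-to-peer applications. The addresses, ports and the `PatRouter`/`Packet` names are this example's own constructed values; the starting external port 50001 mirrors the PAT table.

```python
"""Toy PAT simulator with the four NAT filtering behaviours.

Added example, not code from the chapter.  Nothing here touches the
network: packets are plain objects and the "router" is a dict.  The
addresses and ports below are constructed sample values.
"""
import itertools
from dataclasses import dataclass, field

FULL_CONE = "full cone"
RESTRICTED_CONE = "restricted cone"
PORT_RESTRICTED_CONE = "port restricted cone"
SYMMETRIC = "symmetric"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    ext_port: int
    # Remote (ip, port) endpoints the internal socket has sent to; the
    # inbound filtering rules consult this set.
    peers: set = field(default_factory=set)


class PatRouter:
    def __init__(self, public_ip, mode=PORT_RESTRICTED_CONE, first_port=50001):
        self.public_ip = public_ip
        self.mode = mode
        self._next_port = itertools.count(first_port)
        self.table = {}        # mapping key -> Mapping  (the NAT table)
        self.by_ext_port = {}  # ext_port -> (int_ip, int_port, Mapping)

    def _key(self, pkt):
        # Cone NATs reuse one external port per internal socket; a
        # symmetric NAT allocates a fresh one per destination as well.
        if self.mode == SYMMETRIC:
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.src_ip, pkt.src_port)

    def outbound(self, pkt):
        """Translate an internal->external packet, creating a table entry."""
        key = self._key(pkt)
        m = self.table.get(key)
        if m is None:
            m = Mapping(next(self._next_port))
            self.table[key] = m
            self.by_ext_port[m.ext_port] = (pkt.src_ip, pkt.src_port, m)
        m.peers.add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, m.ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an external->internal packet, or return None (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.by_ext_port.get(pkt.dst_port)
        if entry is None:
            return None  # no mapping: unsolicited traffic is dropped
        int_ip, int_port, m = entry
        if self.mode == FULL_CONE:
            allowed = True
        elif self.mode == RESTRICTED_CONE:
            allowed = any(ip == pkt.src_ip for ip, _ in m.peers)
        else:  # port restricted cone and symmetric: exact ip:port match
            allowed = (pkt.src_ip, pkt.src_port) in m.peers
        if not allowed:
            return None
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def demo(mode):
    """One internal socket talks to two peers; then probe the NAT from outside."""
    nat = PatRouter("203.0.113.5", mode)
    out1 = nat.outbound(Packet("192.168.1.10", 5000, "8.8.8.8", 53))
    out2 = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.7", 53))
    probes = {
        "reply_from_peer": Packet("8.8.8.8", 53, "203.0.113.5", out1.src_port),
        "same_ip_other_port": Packet("8.8.8.8", 5353, "203.0.113.5", out1.src_port),
        "stranger": Packet("192.0.2.99", 4000, "203.0.113.5", out1.src_port),
        "unmapped_port": Packet("8.8.8.8", 53, "203.0.113.5", 60000),
    }
    result = {"ext_ports": (out1.src_port, out2.src_port)}
    result.update({name: nat.inbound(p) is not None for name, p in probes.items()})
    return result


if __name__ == "__main__":
    for mode in (FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC):
        print(f"{mode:>21}: {demo(mode)}")
```

Running `demo` for each mode shows the progression in the list above: full cone admits the stranger, restricted cone admits only the peer's IP (any port), port restricted cone needs the exact IP:port, and symmetric additionally hands the second destination a different external port (50002), which is what defeats the "tell my peer which port to use" trick that STUN-based traversal relies on.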
## 12.6 NAT on Linux

### iptables NAT

```bash
# Enable IP forwarding for the running kernel (not persistent)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# Same runtime setting via sysctl
sudo sysctl -w net.ipv4.ip_forward=1
# Make permanent: put "net.ipv4.ip_forward = 1" in /etc/sysctl.conf
# (or a file under /etc/sysctl.d/) and reload
sudo sysctl -p

# MASQUERADE (PAT) - most common when the public IP is dynamic
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Static NAT (one-to-one): fixed public source address for one internal host
sudo iptables -t nat -A POSTROUTING -s 192.168.1.10 -o eth0 -j SNAT --to-source 203.0.113.5

# DNAT (port forwarding): inbound TCP/80 on eth0 goes to the internal web server
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80

# View the NAT table (numeric addresses, with packet/byte counters)
sudo iptables -t nat -L -n -v

# Save rules
sudo iptables-save > /etc/iptables.rules
```

### nftables NAT
Add to /etc/nftables.conf:

```nft
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" tcp dport 80 dnat to 192.168.1.100:80
    }
}
```

## 12.7 NAT and IPv6
With IPv6, NAT is generally not needed (huge address space).

IPv6 benefits:

- 340 undecillion addresses (3.4 × 10^38)
- Every device can have a unique global address
- End-to-end connectivity preserved
- No need for NAT

IPv6 NAT (if needed):

- NAT66 (IPv6 to IPv6) - rarely used
- NPTv6 (Network Prefix Translation) - for prefix migration
- Not for address scarcity, only for policy reasons

## Summary

In this chapter, you learned:
- ✅ Why NAT is needed (IPv4 exhaustion)
- ✅ How NAT works (translation process)
- ✅ Types of NAT (Static, Dynamic, PAT)
- ✅ Port forwarding
- ✅ NAT types (Cone NAT, Symmetric NAT)
- ✅ NAT configuration on Linux
## Next Chapter

Chapter 13: Routing Fundamentals
Last Updated: February 2026