TCP/IP Protocol: Network Address Translation (NAT)

Discussion in 'Linux Networking' started by Jarret W. Buse, Nov 25, 2013.

  1. Jarret W. Buse

    Jarret W. Buse Active Member Staff Writer

    Messages:
    160
    Likes Received:
    230
    Trophy Points:
    43
    TCP/IP Protocol: Network Address Translation (NAT)

    TCP/IP version 4 (IPv4) has run out of addresses to supply Internet clients access to the Internet. Since each system requires a unique IP Address but none exist, NAT was designed to assist with the address depletion.

    Network Address Translation allows multiple systems to access the Internet with only one IPv4 Address. It can be easy to see the importance of using NAT to conserve IP Addresses.

    Let’s look at NAT to give you an idea how Network Address Translation works.

    A company uses private IP Addresses such as 10.0.0.1-10.255.255.254 with a Netmask of 255.0.0.0.

    NOTE: For more information on IP Addressing and Netmasking, see Netmasking Transmission Control Protocol/Internet Protocol.

    The company must have one Public IP Address for access to the Internet. The NAT system is connected to the Internet with one network interface and to the company network with another interface as shown in Figure 1.

    NOTE:
    The NAT system can be a Linux system or a Router which handles NAT. Instructions for setting up NAT on a Linux system are towards the end of the article. Be sure to read the whole article to be aware how NAT works.

    TCPIP Protocol NAT Figure 1.jpg
    FIGURE 1​

    An example is when a system on the company network requests a web page. It sends the request to the NAT Server which is configured as the Gateway in the TCP/IP Configuration. The NAT Server accepts the request and maps an address internally for the request. The request is made from a system with an IP Address of 10.0.0.100 to port number 80. The NAT Server maps system 10.0.0.100:80 to its own IP Address and Port 2000. The frame is changed to contain only the NAT Server’s IP Address and new Port Number of 2000. After being encapsulated the packet is sent to the Web Server, say Linux.org. The frame is sent to 209.92.24.80:80 and we’ll assume the public address of the NAT Server is 8.9.11.19, so the frame is from 8.9.11.19:2000. When the Web Server responds to the HTTP Request, it sends back the HTML page to 8.9.11.19:2000. Once the NAT Server receives the frames, it checks its Translation Table and changes the IP Address and port to 10.0.0.100:80. It then encapsulates the frame before sending it out on the company network. The system making the initial request receives the frames and displays the HTML page in the browser.

    NOTE: IP Addresses and ports can be shortened to be the address, colon and then the port number. For example, an IP Address of 10.0.0.58 and port 21 would be shortened to 10.0.0.58:21.

    Be aware that the systems on the company’s network can use the connection-based Transmission control Protocol (TCP) or the connectionless based User Datagram Protocol (UDP).

    You may be thinking that a NAT Server sounds similar in function as an HTTP Proxy Server.

    An HTTP Proxy Server performs the same as a NAT Server, but it also caches web pages as well as maintaining the Network Address Translation table.

    NAT deals with routing the frames to the proper destination so the NAT Server works on Layer 3 of the OSI Network Layer. The HTTP Proxy Servers work with IP Addresses and ports so it functions on Layer 4 of the OSI Model, the Transport Layer. For this reason, a NAT Server operates faster than a Proxy Server since the frames do not have to be encapsulated for as many layers.

    NAT also provides a natural firewall. Since the private network uses Private IP Addresses, regular hackers cannot easily get through from the public Internet to the private addressed network.

    NOTE: A NAT Server does not prevent viruses or Trojan Horses or the like. Other Servers which may provide services to Internet hosts cannot be accessed through the NAT Server.

    To set up NAT on a Linux system there needs to be two network cards and each with a static IP Address. We’ll assume the private network is eth0 with an address of 10.0.0.1. The public address on eth1 is 192.168.1.1 (this is an example since this address is technically also a private one).

    We start the configuration with the following: sudo nano /etc/networks/interfaces

    The following changes would be made:


    Code:
    auto eth0
    iface eth0 inet static
    address 10.0.0.1
    netmask 255.0.0.0
    network 10.0.0.0
    broadcast 10.0.0.255
    gateway 10.0.0.1
    iface eth0 inet6 auto
    auto eth1
    iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    iface eth1 inet6 auto

    Now, we need to set up port forwarding for IP version 4 (IPv4) and IP version 6 (IPv6). So, we start with the following to configure the port forwarding: sudo nano /etc/sysctl.conf.
    We find the line: # net.ipv4.ip_forward=1 and change it to: net.ipv4.ip_forward=1. You also uncomment the line for IPv6.
    Now, we need to configure the Network Address Translation for eth1. We start this process by using the following command: sudo nano /etc/rc.local.

    The following lines need to be added before the exit statement:

    Code:
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE
    Perform a reboot by using the command: sudo reboot

    Use a system connected on the private side of the NAT Server to connect to an Internet website. The connection should work; if not, check all the settings again and reboot the NAT Server.

    Attached Files:

    Zia Ali Khan and DevynCJohnson like this.

Share This Page