TCP/IP Protocol: Network Address Translation (NAT)


Jarret W. Buse


IP version 4 (IPv4) has run out of addresses to give every Internet client its own. Since each system requires a unique IP Address but none remain, NAT was designed to ease the address depletion.

Network Address Translation allows multiple systems to access the Internet with only one IPv4 Address. It is easy to see the importance of using NAT to conserve IP Addresses.

Let’s look at an example to give you an idea of how Network Address Translation works.

A company uses private IP Addresses such as 10.0.0.1-10.255.255.254 with a Netmask of 255.0.0.0.

NOTE: For more information on IP Addressing and Netmasking, see Netmasking Transmission Control Protocol/Internet Protocol.

The company must have one Public IP Address for access to the Internet. The NAT system is connected to the Internet with one network interface and to the company network with another interface as shown in Figure 1.

NOTE: The NAT system can be a Linux system or a Router which handles NAT. Instructions for setting up NAT on a Linux system are toward the end of the article. Be sure to read the whole article to understand how NAT works.

FIGURE 1

For example, suppose a system on the company network requests a web page. It sends the request to the NAT Server, which is configured as the Gateway in the system's TCP/IP Configuration. The NAT Server accepts the request and records an internal mapping for it. The request is made from a system with an IP Address of 10.0.0.100 to port number 80. The NAT Server maps system 10.0.0.100:80 to its own IP Address and Port 2000. The frame is changed to contain only the NAT Server’s IP Address and the new Port Number of 2000. After being encapsulated, the packet is sent to the Web Server, say Linux.org. The frame is sent to 209.92.24.80:80 and, assuming the public address of the NAT Server is 8.9.11.19, the frame is from 8.9.11.19:2000.

When the Web Server responds to the HTTP Request, it sends the HTML page back to 8.9.11.19:2000. Once the NAT Server receives the frames, it checks its Translation Table and changes the IP Address and port to 10.0.0.100:80. It then encapsulates the frame before sending it out on the company network. The system that made the initial request receives the frames and displays the HTML page in the browser.

NOTE: An IP Address and port can be written in shortened form as the address, a colon and then the port number. For example, an IP Address of 10.0.0.58 and port 21 would be shortened to 10.0.0.58:21.

Be aware that the systems on the company’s network can use the connection-based Transmission Control Protocol (TCP) or the connectionless User Datagram Protocol (UDP).
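On a Linux NAT system, the Translation Table described above is the kernel's connection-tracking table, which `conntrack -L` (from conntrack-tools) lists. The following added example, not part of the original article, parses lines in that format and prints each source translation; the sample lines are constructed from the article's addresses, and `nat_map` is a name chosen here.

```shell
#!/bin/sh
# Added example: summarise source-NAT mappings from `conntrack -L` style lines.
# Each entry holds two tuples: the original direction (as the client sent it)
# and the reply direction (as the server answers). With source NAT, the reply
# tuple's dst/dport is the public address and port the NAT system substituted.

# Constructed sample input (not captured from a real system).
SAMPLE='tcp      6 431999 ESTABLISHED src=10.0.0.100 dst=209.92.24.80 sport=80 dport=80 src=209.92.24.80 dst=8.9.11.19 sport=80 dport=2000 [ASSURED] mark=0 use=1
udp      17 25 src=10.0.0.58 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=8.9.11.19 sport=53 dport=40000 mark=0 use=1'

nat_map() {
    awk '
    {
        # Reset per-line state so fields never leak from the previous entry.
        n = 0
        src[1] = src[2] = dst[1] = dst[2] = ""
        sport[1] = sport[2] = dport[1] = dport[2] = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")   { n++; src[n] = kv[2] }   # src opens each tuple
            if (kv[1] == "dst")   { dst[n] = kv[2] }
            if (kv[1] == "sport") { sport[n] = kv[2] }
            if (kv[1] == "dport") { dport[n] = kv[2] }
        }
        if (n < 2) next                                     # malformed entry
        # Reply goes straight back to the original source: nothing translated.
        if (src[1] == dst[2] && sport[1] == dport[2]) next
        note = (sport[1] == dport[2]) ? "port-kept" : "port-rewritten"
        printf "%s %s:%s -> %s:%s (to %s:%s) %s\n", $1,
               src[1], sport[1], dst[2], dport[2], dst[1], dport[1], note
    }'
}

# Show the mappings for the constructed sample.
printf '%s\n' "$SAMPLE" | nat_map
```

On a live NAT system the same function can read the real table with `conntrack -L | nat_map`, run as root.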

You may be thinking that a NAT Server sounds similar in function to an HTTP Proxy Server.

An HTTP Proxy Server performs the same function as a NAT Server, but it also caches web pages in addition to maintaining the Network Address Translation table.

NAT deals with routing the frames to the proper destination, so the NAT Server works on Layer 3 of the OSI Model, the Network Layer. An HTTP Proxy Server works with IP Addresses and ports, so it functions on Layer 4 of the OSI Model, the Transport Layer. For this reason, a NAT Server operates faster than a Proxy Server since the frames do not have to be encapsulated for as many layers.

NAT also provides a natural firewall. Since the private network uses Private IP Addresses, regular hackers cannot easily get through from the public Internet to the privately addressed network.

NOTE: A NAT Server does not prevent viruses or Trojan Horses or the like. Other Servers behind it which may provide services to Internet hosts cannot be accessed through the NAT Server.

To set up NAT on a Linux system, the system needs two network cards, each with a static IP Address. We’ll assume the private network is eth0 with an address of 10.0.0.1. The public address on eth1 is 192.168.1.1 (this is an example since this address is technically also a private one).

We start the configuration with the following: sudo nano /etc/network/interfaces

The following changes would be made:

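Code:
# Private (company network) side
auto eth0
iface eth0 inet static
    address 10.0.0.1
    netmask 255.0.0.0
    network 10.0.0.0
    # Broadcast address of 10.0.0.0 with netmask 255.0.0.0
    broadcast 10.255.255.255
    # No gateway here: this interface is itself the gateway for the private network
iface eth0 inet6 auto

# Public (Internet-facing) side
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    # gateway <upstream-router-address>   (placeholder; not given in the article)
iface eth1 inet6 auto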


Now, we need to set up packet forwarding (IP forwarding) for IP version 4 (IPv4) and IP version 6 (IPv6). We start with the following command to configure it: sudo nano /etc/sysctl.conf.

We find the line: # net.ipv4.ip_forward=1 and change it to: net.ipv4.ip_forward=1. The corresponding line for IPv6 is uncommented as well.

Now, we need to configure the Network Address Translation for eth1. We start this process by using the following command: sudo nano /etc/rc.local.

The following lines need to be added before the exit statement:

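Code:
# Set the default policy of the FORWARD chain to accept forwarded packets
/sbin/iptables -P FORWARD ACCEPT
# Rewrite the source of packets leaving eth1 to eth1's own address
/sbin/iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE

Perform a reboot by using the command: sudo reboot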

Use a system connected on the private side of the NAT Server to connect to an Internet website. The connection should work; if not, check all the settings again and reboot the NAT Server.
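The two rc.local rules above translate outbound traffic but leave the FORWARD policy at ACCEPT, so the system forwards any packet it can route, in either direction. The following added example (not the article's rules) keeps the MASQUERADE step and makes the filtering explicit; it assumes the iptables conntrack match is available, and `DRY_RUN`, `ipt` and `nat_firewall` are names introduced here.

```shell
#!/bin/sh
# Added example: default-deny forwarding for the eth0 (private) / eth1 (public)
# NAT system described in the article.
LAN_IF=${LAN_IF:-eth0}            # private side, as in the article
WAN_IF=${WAN_IF:-eth1}            # public side, as in the article
LAN_NET=${LAN_NET:-10.0.0.0/8}    # 10.0.0.0 with netmask 255.0.0.0
IPT=${IPT:-/sbin/iptables}

# DRY_RUN is a convenience of this example: when set, print instead of apply.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

nat_firewall() {
    # Nothing crosses the system unless a rule below allows it.
    ipt -P FORWARD DROP
    # Drop packets that connection tracking cannot tie to a valid flow.
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Let replies through for connections that inside hosts opened.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections may only start on the private side, from private sources.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Translate only traffic that originates in the private network.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Print the rules for review; call nat_firewall as root without DRY_RUN to apply.
(DRY_RUN=1; nat_firewall)
```

With these rules in place of the two lines in /etc/rc.local, an unsolicited packet arriving on eth1 is dropped by policy rather than by the mere absence of a translation entry.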
 
