Chapter 5. Network Address Translation (NAT)

Table of Contents

5.1. Rationale for and Introduction to NAT
5.2. Application Layer Protocols with Embedded Network Information
5.3. Stateless NAT with iproute2
5.3.1. Stateless NAT Packet Capture and Introduction
5.3.2. Stateless NAT Practicum
5.3.3. Conditional Stateless NAT
5.4. Stateless NAT and Packet Filtering
5.5. Destination NAT with netfilter (DNAT)
5.5.1. Port Address Translation with DNAT
5.6. Port Address Translation (PAT) from Userspace
5.7. Transparent PAT from Userspace

Network Address Translation (NAT) is a deceptively simple concept. NAT is the technique of rewriting addresses on a packet as it passes through a routing device. There are far reaching ramifications on network design and protocol compatibility wherever NAT is used.

This chapter will introduce two types of NAT available under linux. One, full NAT or stateless NAT, is available under kernel 2.2 and kernel 2.4 via the iproute2 userspace interface. Available only under kernel 2.4, destination NAT (DNAT) is an important derivative of full NAT. DNAT configuration from userspace is accomplished via the iptables utility. The experienced network administrator is probably puzzling about absent references to source NAT (SNAT) and masquerading. These prominent and prevalent uses of NAT are covered in Chapter 6, Masquerading and Source Network Address Translation, although many concepts involved in the special purpose SNAT and masquerading will be introduced in this chapter.

Network address translation is known by a number of names in the networking world: full NAT, one-to-one NAT and inbound NAT. As used in this chapter and throughout this documentation, NAT, when unqualified, will refer to full network address translation or one-to-one NAT. NAT techniques derived from full NAT, such as destination or source NAT, will be described as DNAT (destination NAT) and SNAT (source NAT).

Michael Hasenstein's seminal paper on network address translation is available courtesy of SuSe Linux AG here.