
NAT and NAT tables

By Abigail Rogers

I am trying to understand how NAT and NAT tables work but can't seem to find answers online. I have a few questions regarding NAT. Assume a TCP connection is made.

Assume router has WAN 201.22.14.15

1) Let's say a device with IP 192.168.1.1 wants to connect to a server with IP 137.132.1.15. The device first encapsulates the data in an IP datagram with source IP 192.168.1.1 and dest IP 137.132.1.15?

2) After which the datagram is sent to the router, where NAT happens. Assuming this is the first packet being sent in the private network, the NAT table is initially empty?

3) Now there is an entry in the table which maps 192.168.1.1:1234 to 201.22.14.15:2345?

192.168.1.1:1234 -> 201.22.14.15:2345

The IP datagram is repackaged with the corresponding router address (201.22.14.15) and port number 2345 before being sent out. Is there a separate TCP connection from the router to the server? Or is the entry just a virtual port number assigned?

4) The data comes back from the server 137.132.1.15 with dst IP 201.22.14.15 and dest port 2345. The router does a table lookup and finds that 201.22.14.15:2345 is mapped to 192.168.1.1:1234. So it repackages the IP datagram with src address 137.132.1.15:80 and dst address 192.168.1.1:1234.

I am not sure if the steps I highlighted are correct.


2 Answers

I will try to be simple in the explanation. You have mainly two types of NAT:

  • Source NAT: Typically known as 'masquerade', it masks your local IP address with its own address so that it can communicate with hosts in networks that do not know the route to your local network.
  • Destination NAT: Usually known as 'port forwarding', it translates the destination network address to a local address in a foreign network.

I think what you are describing is a source NAT: your communication from your local network to a server on the internet. And what happens is as you said, but let me rephrase a little bit:

  1. You generate a connection from your local net to the internet: 192.168.1.1 -> 137.132.1.15:PORT, your source port is random.
  2. Based on your routing table, in the local host with the IP 192.168.1.1, your packet will go to the next hop, usually your default gateway for internet destinations.
  3. When your packet arrives at a device that has a Source NAT configured, it will translate the source address, masquerading the source of the packet and converting it into 201.22.14.15 -> 137.132.1.15:PORT. And it will remember that this connection is from your local IP 192.168.1.1.
  4. Let's suppose that, as is often the case, 137.132.1.15 is a firewall that will NAT the destination port PORT to a foreign local network, for instance 10.0.0.1, and let's suppose it is a web server, so it will translate the packet as 201.22.14.15 -> 10.0.0.1:80.
  5. The server at 10.0.0.1 will then receive a request from 201.22.14.15, and when returning, the same thing will happen the other way: based on its routing table, it will go back to 201.22.14.15.
  6. The router/firewall will need to masquerade the other way, changing the packet addresses to 137.132.1.15 -> 201.22.14.15.
  7. Your router at 201.22.14.15 will receive the packet, will be able to detect that it is related to the stream generated by 192.168.1.1 and will return the response. 192.168.1.1 will see a packet that comes from 137.132.1.15, as 10.0.0.1 has been masqueraded.

Hope it helps and it does not generate more confusion.

Side note

TCP connections are not organized in datagrams; they are streams. Datagrams are UDP.


The following is for the Linux kernel, but I'd assume macOS and Windows work similarly.

What you call the "NAT table" is called the connection tracker or conntrack for short. There are tools that you can use to inspect this table.

1) Yes.

2) Yes. To be precise, the connection tracking table doesn't have an entry for this connection; it needn't be empty. A connection is characterized by source address, source port, destination address, and destination port; the port number it is NAT'ed to is an additional entry.

3a) Yes, where 2345 is a port that is not already in use. IIRC it defaults to the original source port. The connection tracker entry is made because there's an iptables rule with SNAT (source NAT) target.

b) No, this connection is not tracked as a normal TCP connection. The netfilter connection tracker and the TCP connection state table are completely different.

4) Yes. Note that there need not be a reverse iptables rule; this confuses many people.

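The two answers describe the same exchange from two angles: the first walks the packet through a masquerading home router and a port-forwarding firewall in front of the web server, the second explains that the "NAT table" is a connection-tracking table keyed on the full address/port tuple with the translated port as an extra field. The toy model below is an added example, not code from the question or either answer, that puts both together in Python. It uses the thread's addresses (192.168.1.1, 201.22.14.15, 137.132.1.15) and the first answer's 10.0.0.1 web server behind a port forward; the ephemeral port range, the "keep the original source port if free, else first free port" policy, and the hop list are assumptions of this model rather than a description of any particular kernel.

```python
"""Toy model of the thread's NAT walk-through: a stateful source NAT
(masquerade) on the home router plus a static destination NAT (port
forward) on the server-side firewall.  Added example, not code from the
question or either answer.  Addresses are the ones used in the thread;
10.0.0.1 behind a port forward follows the first answer's scenario, and
the ephemeral-port range and port-choice policy are assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def __str__(self) -> str:
        return f"{self.proto} {self.src_ip}:{self.src_port} -> {self.dst_ip}:{self.dst_port}"


class SourceNat:
    """Masquerade: rewrite private src -> WAN ip:port and remember the
    mapping (the conntrack entry) so replies can be untranslated."""

    def __init__(self, wan_ip: str, ephemeral: Tuple[int, int] = (1024, 65535)):
        self.wan_ip = wan_ip
        self.lo, self.hi = ephemeral
        # original 5-tuple -> translated source port (the "additional entry")
        self.conntrack: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, nat_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.reverse: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _pick_port(self, wanted: int, proto: str, rip: str, rport: int) -> int:
        # Keep the original source port if that WAN-side tuple is still
        # free for this remote endpoint, otherwise take the first free one.
        if (proto, wanted, rip, rport) not in self.reverse:
            return wanted
        for p in range(self.lo, self.hi + 1):
            if (proto, p, rip, rport) not in self.reverse:
                return p
        raise RuntimeError("NAT port pool exhausted for this destination")

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self.conntrack.get(key)
        if nat_port is None:  # first packet of this flow: create the entry
            nat_port = self._pick_port(pkt.src_port, pkt.proto, pkt.dst_ip, pkt.dst_port)
            self.conntrack[key] = nat_port
            self.reverse[(pkt.proto, nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=nat_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Replies are matched against the existing entry; there is no
        # separate reverse rule, and an unsolicited packet has no entry.
        if pkt.dst_ip != self.wan_ip:
            return None
        entry = self.reverse.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # dropped
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])


class DestinationNat:
    """Port forward: public ip:port -> internal ip:port on the way in, and
    the matching source rewrite for the internal server's replies."""

    def __init__(self, public_ip: str, forwards: Dict[Tuple[str, int], Tuple[str, int]]):
        self.public_ip = public_ip
        self.forwards = forwards  # (proto, public_port) -> (internal_ip, internal_port)
        self.back = {(proto, iip, iport): pport
                     for (proto, pport), (iip, iport) in forwards.items()}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        target = self.forwards.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or target is None:
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])

    def outbound(self, pkt: Packet) -> Packet:
        pport = self.back.get((pkt.proto, pkt.src_ip, pkt.src_port))
        if pport is None:
            return pkt  # not a forwarded service, leave untouched
        return replace(pkt, src_ip=self.public_ip, src_port=pport)


def trace_exchange() -> List[Packet]:
    """Run the request and its reply through both NATs and return the
    packet as seen at each hop, in order (6 entries)."""
    home = SourceNat("201.22.14.15")
    edge = DestinationNat("137.132.1.15", {("tcp", 80): ("10.0.0.1", 80)})
    req = Packet("192.168.1.1", 1234, "137.132.1.15", 80)  # as sent by the host
    on_wan = home.outbound(req)                             # after SNAT
    at_server = edge.inbound(on_wan)                        # after DNAT
    assert at_server is not None
    # The server never sees the private address: it replies to the WAN tuple.
    rep = Packet(at_server.dst_ip, at_server.dst_port, at_server.src_ip, at_server.src_port)
    rep_on_wan = edge.outbound(rep)                         # source back to 137.132.1.15:80
    rep_at_host = home.inbound(rep_on_wan)                  # untranslated to 192.168.1.1:1234
    assert rep_at_host is not None
    return [req, on_wan, at_server, rep, rep_on_wan, rep_at_host]


if __name__ == "__main__":
    for p in trace_exchange():
        print(p)
```

Two things worth trying against the model: a second private host using the same source port 1234 toward the same server is given a different WAN-side port, while the same host reusing 1234 toward a different destination keeps it, because the table is keyed on the whole tuple, not on the port alone; and a packet to the WAN address on a port with no entry returns `None`, which is the behaviour the second answer alludes to when it says no reverse rule is needed: the reply is matched by the entry the outbound packet created, and anything without such an entry is simply not translated.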
