Network Address Translation (NAT) is the process of modifying IP address information in IPv4 headers while in transit across different networks. In most cases NAT will be used to connect one or more LAN to the internet. Typically NAT will be done by routing devices.
Every established connection of a NAT router has its own NAT session. All depending connection information (addresses, ports and timeouts) are stored in a NAT table. Based on this stored information, the router can send answer packets back to the right client. After a NAT session has finished or expired, the entry on the NAT table will be removed. The maximum amounts of concurrent sessions, depending on the power of the used hard- and software.
On every new connection of an internal client, the internal source address will be replaced by the public address of the router. During this process, the source port of the client also will be replaced by an unused one of the router. The mapping will be saved in the NAT table. The whole operation is also known as PAT (Port and Address Translation).
NAT is designed to transmit packages for existing NAT sessions. If the router receives network packages for an expired or non existing session they will be handled by the default firewall (iptables) rule - in most cases those packages get dropped.
Destination NAT (Port forwarding)
Destination Network Address Translation (DNAT), also known as Port forward is a technique for transparently changing the destination IP address of incoming packets to route them to a specific device inside the local network and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet. It is commonly used in port forwarding scenarios or to make services on a local network available to external networks.
DNAT is commonly used to publish various services located in a private network on a publicly accessible IP address. This use of DNAT is also called DMZ when used on an entire server, which becomes exposed to the WAN, becoming analogous to an undefended military demilitarized zone (DMZ).
Consider a simple scenario where a router uses DNAT to forward incoming web requests to a web server on the local network. The table below demonstrates how this might look:
| Step | Action | Packet Source IP | Packet Destination IP | NAT Mapping |
|---|---|---|---|---|
| 1 | Packet arrives at router from internet | External Client IP (e.g., 78.125.0.209) | Router's Public IP (e.g., 50.50.50.1) | None |
| 2 | Router applies DNAT rule | External Client IP (e.g., 78.125.0.209) | Web Server's Private IP (e.g., 192.168.1.101) | 50.50.50.1:80 (public) -> 192.168.1.101:80 (private) |
| 3 | Packet arrives at web server | External Client IP (e.g., 78.125.0.209) | Web Server's Private IP (e.g., 192.168.1.101) | 50.50.50.1:80 (public) -> 192.168.1.101:80 (private) |
| 4 | Web server responds, packet arrives at router | Web Server's Private IP (e.g., 192.168.1.101) | External Client IP (e.g., 78.125.0.209) | 192.168.1.101:80 (private) -> 50.50.50.1:80 (public) |
| 5 | Router applies SNAT rule for response packets | Router's Public IP (e.g., 50.50.50.1) | External Client IP (e.g., 78.125.0.209) | 192.168.1.101:80 (private) -> 50.50.50.1:80 (public) |
| 6 | Packet arrives back at external client | Router's Public IP (e.g., 50.50.50.1) | External Client IP (e.g., 78.125.0.209) | None |
The DNAT rule is applied in Step 2, changing the destination of the incoming packet from the public IP of the router to the private IP of the web server. The packet can then be delivered to the web server on the local network. When the web server responds, the router uses SNAT to translate the source IP back to the public IP for the outgoing packet.
This allows the web server, which is on a private local network, to handle requests from the internet while maintaining the security and privacy of the local network. The router handles all of the translation, making the process seamless to the external client and the web server.
Source NAT
Source Network Address Translation (SNAT), the counterpart of destination NAT (DNAT), is the process where the firewall changes the source IP address of outbound packets from a private IP address to a public IP address. It's commonly used to allow multiple devices on a local network to share a single public IP address.
Consider a scenario where multiple devices in a local network want to access the internet. The table below demonstrates how SNAT might handle this:
| Step | Action | Packet Source IP | Packet Destination IP | NAT Mapping |
|---|---|---|---|---|
| 1 | Device in the local network initiates a request to access the internet | Device's Private IP (e.g., 192.168.1.102) | External Server IP (e.g., 172.217.0.46) | None |
| 2 | Request arrives at router | Device's Private IP (e.g., 192.168.1.102) | External Server IP (e.g., 172.217.0.46) | None |
| 3 | Router applies SNAT rule | Router's Public IP (e.g., 50.50.50.2) | External Server IP (e.g., 172.217.0.46) | 192.168.1.102 (private) -> 50.50.50.2 (public) |
| 4 | Packet arrives at the external server | Router's Public IP (e.g., 50.50.50.2) | External Server IP (e.g., 172.217.0.46) | 192.168.1.102 (private) -> 50.50.50.2 (public) |
| 5 | External server responds, packet arrives back at the router | External Server IP (e.g., 172.217.0.46) | Router's Public IP (e.g., 50.50.50.2) | None |
| 6 | Router applies DNAT rule for incoming response packets | External Server IP (e.g., 172.217.0.46) | Device's Private IP (e.g., 192.168.1.102) | 50.50.50.2 (public) -> 192.168.1.102 (private) |
| 7 | Response packet arrives back at the device | External Server IP (e.g., 172.217.0.46) | Device's Private IP (e.g., 192.168.1.102) | None |
The SNAT rule is applied in Step 3, changing the source of the outgoing packet from the private IP of the device to the public IP of the router. When the external server responds, the router uses DNAT to translate the destination IP back to the private IP for the incoming packet.
This process allows devices on a private local network to access the internet using a single public IP. The router handles all of the translation, making the process seamless to the devices on the network and the external server
The meaning of the term Source NAT varies by different vendors. Many of them have proprietary definitions for SNAT, for example Microsoft uses the acronym for Secure NAT, Cisco Systems uses it for stateful NAT.