NAT and NAT tables

I am trying to understand how NAT and NAT tables work but can't seem to find answers online. I have a few questions regarding NAT. Assume a TCP connection is made.

Assume the router has WAN address 201.22.14.15.

1) Let's say a device with IP 192.168.1.1 wants to connect to a server with IP 137.132.1.15. The device first encapsulates the data in an IP datagram with source IP 192.168.1.1 and destination IP 137.132.1.15?

2) After which the datagram is sent to the router, where NAT happens. Assuming this is the first packet being sent in the private network, the NAT table is initially empty?

3) Now there is an entry in the table which maps 192.168.1.1:1234 to 201.22.14.15:2345?

192.168.1.1:1234 -> 201.22.14.15:2345

The IP datagram is repackaged with the corresponding router address (201.22.14.15) and port number 2345 before being sent out. Is there a separate TCP connection from the router to the server? Or is the entry just a virtual port number assigned?

4) The data comes back from the server 137.132.1.15 with dst IP 201.22.14.15 and dst port 2345. The router does a table lookup and finds that 201.22.14.15:2345 is mapped to 192.168.1.1:1234. So it repackages the IP datagram with src address 137.132.1.15:80 and dst address 192.168.1.1:1234.

I am not sure if the steps I highlighted are correct.

networking wireless-networking router ip nat

asked Nov 20 at 16:06
calveeen

  • You've described this pretty much as it happens. If you're confused about whether or not there's a separate TCP connection, the answer is no, all the SYN & ACK packets governing TCP are forwarded to the original connection source in the exact same way you've described.
    – Radhil
    Nov 20 at 16:09

2 Answers

The following is for the Linux kernel, but I'd assume MacOS and Windows work similarly.

What you call the "NAT table" is called the connection tracker, or conntrack for short. There are tools that you can use to inspect this table.

1) Yes.

2) Yes. To be precise, the connection tracking table doesn't have an entry for this connection; it needn't be empty. A connection is characterized by source address, source port, destination address, and destination port; the port number it is NAT'ed to is an additional entry.

3a) Yes, where 2345 is a port that is not already in use. IIRC it defaults to the original source port. The connection tracker entry is made because there's an iptables rule with the SNAT (source NAT) target.

b) No, this connection is not tracked as a normal TCP connection. The netfilter connection tracker and the TCP connection state table are completely different.

4) Yes. Note that there need not be a reverse iptables rule; this confuses many people.

  • Please consider quoting the OP's queries in your post as you answer them to make it easier to comprehend. (It's not mandatory, just nicer.)
    – Twisty Impersonator
    Nov 20 at 18:15

  • "There are tools that you can use to inspect this table". Do these tools exist for most consumer routers, or are you talking about something specific to Linux netfilter?
    – Barmar
    Nov 23 at 19:53

  • @Barmar: Well, both: The tools are specific to Linux netfilter, but the vast majority of consumer routers are embedded Linux machines, so you can cross compile the tools/modules, or install firmware that already has them.
    – dirkt
    Nov 24 at 12:31
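A small reader for the connection-tracking table this answer and its comments refer to, added here as an example; it is not code from the answer or from the conntrack tool. The sample lines are constructed in the layout that `conntrack -L` prints on Linux (they are not captured from a real router), and the class and function names are my own. It splits each entry into its original direction and its reply direction, derives the port the LAN source port was rewritten to (which conntrack stores as the reply destination port, not as a separate column), and performs the reverse lookup the router does for a returning packet: the full reply tuple must match, so a packet to a mapped port from a peer the LAN host never contacted finds no state and is dropped rather than forwarded.

```python
"""Read `conntrack -L` style entries: original and reply direction, the
translated source port, and the reverse lookup a NAT router performs."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout `conntrack -L` prints on Linux; not captured
# lines.  Per entry: original direction (as the LAN host sent it) followed by
# the reply direction (as the remote peer sends it back to the WAN address).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.1 dst=137.132.1.15 sport=1234 dport=80 src=137.132.1.15 dst=201.22.14.15 sport=80 dport=2345 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.1 dst=137.132.1.15 sport=1235 dport=80 src=137.132.1.15 dst=201.22.14.15 sport=80 dport=1235 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.1 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=201.22.14.15 sport=53 dport=40000 mark=0 use=1
"""

WANTED = ("src", "dst", "sport", "dport")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    proto: str
    state: Optional[str]   # TCP state; UDP entries carry none
    orig: Flow             # packet as the LAN host sent it
    reply: Flow            # packet as the remote peer sends it back

    @property
    def translated_sport(self) -> int:
        # The LAN source port after SNAT is the destination port of the reply
        # direction; conntrack keeps it there rather than in a separate field.
        return self.reply.dport

    @property
    def port_rewritten(self) -> bool:
        return self.orig.sport != self.translated_sport


def parse_line(line: str) -> Entry:
    tokens = line.split()
    proto = tokens[0]
    try:
        first_src = next(i for i, t in enumerate(tokens) if t.startswith("src="))
    except StopIteration:
        raise ValueError(f"no src= token: {line!r}") from None
    # For TCP the token before the first src= is the state (ESTABLISHED, ...);
    # for UDP it is the timeout counter, which is not upper-case.
    prev = tokens[first_src - 1]
    state = prev if prev.isupper() else None
    pairs: List[Tuple[str, str]] = []
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key in WANTED:
                pairs.append((key, value))
    if len(pairs) != 8:          # four keys per direction, two directions
        raise ValueError(f"unexpected entry layout: {line!r}")

    def flow(chunk: List[Tuple[str, str]]) -> Flow:
        d = dict(chunk)
        return Flow(d["src"], int(d["sport"]), d["dst"], int(d["dport"]))

    return Entry(proto, state, flow(pairs[:4]), flow(pairs[4:]))


def parse_conntrack(text: str) -> List[Entry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def reverse_lookup(entries: List[Entry], proto: str, peer_addr: str,
                   peer_port: int, wan_addr: str, wan_port: int
                   ) -> Optional[Tuple[str, int]]:
    """What the router does for a packet peer_addr:peer_port -> wan_addr:wan_port:
    find the entry whose whole reply direction matches and return the LAN
    endpoint to rewrite the destination to.  None means no state exists, so
    the packet is unsolicited and is dropped instead of forwarded."""
    wanted = Flow(peer_addr, peer_port, wan_addr, wan_port)
    for e in entries:
        if e.proto == proto and e.reply == wanted:
            return e.orig.src, e.orig.sport
    return None


def describe(e: Entry) -> str:
    flag = "port rewritten" if e.port_rewritten else "port kept"
    return (f"{e.proto:3} {e.state or '-':11} {e.orig.src}:{e.orig.sport} -> "
            f"{e.orig.dst}:{e.orig.dport}  seen by peer as "
            f"{e.reply.dst}:{e.translated_sport} ({flag})")


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    for entry in table:
        print(describe(entry))
    print(reverse_lookup(table, "tcp", "137.132.1.15", 80, "201.22.14.15", 2345))
    print(reverse_lookup(table, "tcp", "198.51.100.7", 80, "201.22.14.15", 2345))
```

Run as a script it prints one summary line per entry followed by the two lookups: the first returns the LAN endpoint ('192.168.1.1', 1234), the second returns None because the peer address differs from the one recorded in the reply direction. The second TCP entry shows the default the answer mentions: the source port 1235 was kept because nothing else was using it.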

accepted

I will try to be simple in the explanation. You have mainly two types of NAT:

  • Source NAT: Typically known as 'masquerade', it masks your local IP address with its address so that it can communicate with hosts in networks that do not know the route to your local network.

  • Destination NAT: Usually known as 'port forwarding', it translates the destination network address to a local address in a foreign network.

I think what you are describing is a source NAT, your communication from your local network to a server on the internet. And what happens is as you said, but let me rephrase a little bit:

  1. You generate a connection from your local net to the internet: 192.168.1.1 -> 137.132.1.15:PORT; your source port is random.

  2. Based on your routing table in the local host with the IP 192.168.1.1, your packet will go to the next hop, usually your default gateway for internet destinations.

  3. When your packet arrives at a device that has a configured Source NAT, it will translate the source address, masquerading the source of the packet and converting it into 201.22.14.15 -> 137.132.1.15:PORT. And it will remember that this connection is from your local IP 192.168.1.1.

  4. Let's suppose that, as is the case most of the time, 137.132.1.15 is a firewall that will NAT the destination port PORT to a foreign local network, for instance 10.0.0.1, and let's suppose it is a web server, so it will translate the packet as 201.22.14.15 -> 10.0.0.1:80.

  5. The server at 10.0.0.1 will then receive a request from 201.22.14.15, and when returning, the same thing will happen the other way: based on its routing table, it will go back to 201.22.14.15.

  6. The router/firewall will need to masquerade the other way, changing the packet addresses to 137.132.1.15 -> 201.22.14.15.

  7. Your router at 201.22.14.15 will receive the packet, will be able to detect that it is related to the stream generated by 192.168.1.1 and will return the response. 192.168.1.1 will see a packet that comes from 137.132.1.15, as 10.0.0.1 has been masqueraded.

Hope it helps and does not generate more confusion.

Side note

TCP connections are not organized in datagrams; they are streams. Datagrams are UDP.

answered Nov 20 at 16:40
Jorge Valentini
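To follow the seven steps of this answer end to end, and the four steps of the question they rephrase, here is an added simulation (not code from the answer, the question, or any router) of both NAT types: source NAT at the home router and destination NAT at the server-side firewall, using the thread's addresses. The class names, the fallback port pool starting at 2345 and the second LAN host 192.168.1.2 are assumptions constructed for the example. It also shows the point made in the comment on the question: no second TCP connection is opened anywhere; each NAT device only rewrites addresses and keeps a mapping, and an inbound packet for which no mapping exists is dropped.

```python
"""Source NAT at the home router plus destination NAT (port forwarding) at the
server-side firewall, with the request and reply traced hop by hop."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The answer a host sends back: addresses and ports swapped."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)

    def __str__(self) -> str:
        return f"{self.proto} {self.src}:{self.sport} -> {self.dst}:{self.dport}"


class SourceNat:
    """Masquerade: rewrite the LAN source to the WAN address and remember the
    mapping so replies can be rewritten back.  Nothing is connected here; the
    TCP handshake and data segments are rewritten exactly the same way."""

    def __init__(self, wan_addr: str, pool: Iterable[int]) -> None:
        self.wan = wan_addr
        self.pool = list(pool)           # ports to fall back to on a collision
        # (proto, lan_src, lan_sport, dst, dport) -> WAN port
        self.table: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, WAN port, peer addr, peer port) -> (lan_src, lan_sport)
        self.reverse: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _allocate(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port when nothing else uses it (the
        # netfilter default); otherwise take the lowest free port in the pool.
        used = {port for (pr, port, _, _) in self.reverse if pr == proto}
        if wanted not in used:
            return wanted
        for port in self.pool:
            if port not in used:
                return port
        raise RuntimeError("NAT port pool exhausted")

    def outbound(self, p: Packet) -> Packet:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        wan_port = self.table.get(key)
        if wan_port is None:                     # first packet: create state
            wan_port = self._allocate(p.proto, p.sport)
            self.table[key] = wan_port
            self.reverse[(p.proto, wan_port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.wan, sport=wan_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Reverse lookup keyed on the whole reply tuple: a packet to a mapped
        port from a peer the LAN host never talked to has no state and is
        dropped, like any other unsolicited inbound packet."""
        if p.dst != self.wan:
            return None
        hit = self.reverse.get((p.proto, p.dport, p.src, p.sport))
        if hit is None:
            return None
        lan_src, lan_sport = hit
        return replace(p, dst=lan_src, dport=lan_sport)


class DestinationNat:
    """Port forwarding at the firewall in front of the server (step 4)."""

    def __init__(self, public_addr: str,
                 forwards: Dict[Tuple[str, int], Tuple[str, int]]) -> None:
        self.public = public_addr
        self.forwards = forwards             # (proto, public port) -> (addr, port)
        self.unforwards = {(proto, addr, port): pub
                           for (proto, pub), (addr, port) in forwards.items()}

    def inbound(self, p: Packet) -> Optional[Packet]:
        target = self.forwards.get((p.proto, p.dport))
        if p.dst != self.public or target is None:
            return None                      # no rule: the firewall drops it
        return replace(p, dst=target[0], dport=target[1])

    def outbound(self, p: Packet) -> Packet:
        pub = self.unforwards.get((p.proto, p.src, p.sport))
        return p if pub is None else replace(p, src=self.public, sport=pub)


def trace(home: SourceNat, remote: DestinationNat,
          request: Packet) -> List[Optional[Packet]]:
    """Every form the packet takes, outbound and then back (steps 1 to 7)."""
    hops: List[Optional[Packet]] = [request, home.outbound(request)]
    at_server = remote.inbound(hops[1])
    if at_server is None:
        return hops
    hops.append(at_server)                   # as 10.0.0.1 receives it
    hops.append(at_server.reply())           # the server's answer
    hops.append(remote.outbound(hops[3]))    # firewall un-forwards it
    hops.append(home.inbound(hops[4]))       # router maps it back to the LAN
    return hops


if __name__ == "__main__":
    # Constructed scenario: 192.168.1.2 already holds WAN port 1234, so the
    # second host's identical source port collides and gets 2345 from the pool.
    home = SourceNat("201.22.14.15", pool=range(2345, 65536))
    remote = DestinationNat("137.132.1.15", {("tcp", 80): ("10.0.0.1", 80)})
    home.outbound(Packet("tcp", "192.168.1.2", 1234, "137.132.1.15", 80))
    for hop in trace(home, remote, Packet("tcp", "192.168.1.1", 1234, "137.132.1.15", 80)):
        print(hop)
    print(home.inbound(Packet("tcp", "198.51.100.7", 80, "201.22.14.15", 2345)))
```

Run as a script it prints the six forms of the packet: the LAN view, the WAN view with source 201.22.14.15:2345, the view 10.0.0.1 receives, the reply, the reply after the firewall restores 137.132.1.15:80 as its source, and the reply after the home router maps it back to 192.168.1.1:1234. The last line prints None: the port 2345 is mapped, but the packet comes from a peer that has no state, so the router drops it. The reverse table is keyed on the full reply tuple on purpose; matching on the WAN port alone, as the question's step 4 sketches it, would let any host on the internet reach the LAN host through an open mapping.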

  • For the sake of clarity you may want to change the word translate to rewrite. (Strictly speaking there is no transaction occurring, packets are being rewritten based on tracking in a lookup table). Your answer is, of course, otherwise correct.
    – davidgo
    Nov 20 at 18:18

  • Hi @davidgo thanks for your comment, and let me respectfully disagree. It is actually a translation (not a transaction as you well said, but I didn’t say transaction); moreover, ‘translation’ is the T in NAT. I would say that rewrite is just another way of saying it.
    – Jorge Valentini
    Nov 20 at 18:45

  • Hi @JorgeValentini, from step 2 to step 3 when you say that your packet arrives at a device that has configured Source NAT, is that the default gateway router you are talking about? So there could be multiple NATs when your home device wants to connect with a server on the internet, because I thought there was only one NAT translation for your home network? Are those devices that configure Source NAT routers?
    – calveeen
    Nov 21 at 0:52

  • Hi @calveen, usually in a home environment the NAT is performed by your ISP router/modem; while strictly speaking a NAT is an instance of a firewall, usually these home devices do everything and are the default gateway for the network also, so it’s blurry. Answering your question, there may be one or more NATs in a more complex network; a typical example of a double NAT could be a DMZ, but I think you go to a much simpler environment, right? As it was not clear to me how simple/complex it was, I didn’t want to specify which one is the device doing the NAT.
    – Jorge Valentini
    Nov 21 at 1:09














  • 1




    For the sake of clarity you may want to change the the word translate to rewrite. (Strictly speaking there is no transaction occurring, packets are being rewritten based on tracking in a lookup table). Your answer is, of course, otherwise correct.
    – davidgo
    Nov 20 at 18:18










  • Hi @davidgo thanks for your comment, and let me respectfully disagree. It is actually a translation (not a transaction as you well said, but I didn’t say transaction), moreover, ‘translation’ is the T in NAT. I would say that rewrite is just another way of saying it
    – Jorge Valentini
    Nov 20 at 18:45










  • Hi @JorgeValentini from step 2 to step 3 when you say that your packet arrives to a device that has configured Source NAT, is that the default gateway router you are talking about ? So there could be multiple NAT's when your home device wants to connect with a server in the internet because i thought there was only one NAT translation for your home network ? Are those devices that configure Source NAT routers ?
    – calveeen
    Nov 21 at 0:52










  • Hi @calveen, usually in a home environment the NAT is performed by your ISP router/modem, while strictly speaking a NAT is an instance of firewall, usually these home devices do everything and are the default gateway for the network also, so it’s blurry. Answering to your question, there may be one or more NATs in a more complex network, a typical example of a double NAT could be a DMZ, but I think you go to a much simpler environment, right? As it was not clear to me how simple/complex it was, I didn’t want to specify which one is the device doing the NAT
    – Jorge Valentini
    Nov 21 at 1:09








up vote
1
down vote













The following is for the Linux kernel, but I'd assume macOS and Windows work similarly.



What you call the "NAT table" is called the connection tracker or conntrack for short. There are tools that you can use to inspect this table.



1) Yes.



2) Yes. To be precise, the connection tracking table doesn't have an entry for this connection; it needn't be empty. A connection is characterized by source address, source port, destination address, and destination port; the port number it is NAT'ed to is an additional entry.



3a) Yes, where 2345 is a port that is not already in use. IIRC it defaults to the original source port. The connection tracker entry is made because there's an iptables rule with the SNAT (source NAT) target.



3b) No, this connection is not tracked as a normal TCP connection. The netfilter connection tracker and the TCP connection state table are completely different.



4) Yes. Note that there need not be a reverse iptables rule; this confuses many people.






answered Nov 20 at 17:25









dirkt

  • 1




    Please consider quoting the OP's queries in your post as you answer them to make it easier to comprehend. (It's not mandatory, just nicer.)
    – Twisty Impersonator
    Nov 20 at 18:15










  • "There are tools that you can use to inspect this table". Do these tools exist for most consumer routers, or are you talking about something specific to Linux netfilter?
    – Barmar
    Nov 23 at 19:53










  • @Barmar: Well, both: The tools are specific to Linux netfilter, but the vast majority of consumer routers are embedded Linux machines, so you can cross compile the tools/modules, or install firmware that already has them.
    – dirkt
    Nov 24 at 12:31
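The table the answer above describes, as an added example that is neither code from the answer nor from netfilter itself: a small Python model of a port-translating source NAT whose lookup table is keyed on the full 4-tuple, the way conntrack keys its entries. It walks the question's scenario (192.168.1.1:1234 to 137.132.1.15:80 behind WAN address 201.22.14.15) and adds a second inside host that happens to use the same source port, so you can see why the external port cannot simply be "the source port" in every case. The class and function names, the second host 192.168.1.2, and all sample packets are constructed for this illustration; the one-port-per-flow allocation is a simplification, since real conntrack only needs the reply tuple to be unique and can reuse a port towards a different peer.

```python
"""Toy NAPT (port-translating source NAT) with a conntrack-style table.

Added example, not code from the original answer or from the Linux kernel.
The addresses 192.168.1.1, 201.22.14.15 and 137.132.1.15 come from the
question; the second host 192.168.1.2 and all packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# conntrack identifies a flow by the full 4-tuple, not by one port
Tuple4 = Tuple[str, int, str, int]


class SourceNat:
    """Port-translating source NAT with a conntrack-style lookup table."""

    def __init__(self, wan_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.wan_ip = wan_ip
        self.lo, self.hi = port_range
        # original tuple (src, sport, dst, dport) -> external port chosen for it
        self.orig: Dict[Tuple4, int] = {}
        # expected reply tuple (dst, dport, wan_ip, ext_port) -> original tuple
        self.reply: Dict[Tuple4, Tuple4] = {}

    def _alloc_port(self, preferred: int) -> int:
        """Keep the original source port when free, like netfilter; else first free.

        Simplification (assumption of this example): one external port per flow.
        Real conntrack only requires the reply tuple to be unique.
        """
        in_use = set(self.orig.values())
        if self.lo <= preferred <= self.hi and preferred not in in_use:
            return preferred
        for port in range(self.lo, self.hi + 1):
            if port not in in_use:
                return port
        raise RuntimeError("NAT port range exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: the first packet creates the entry (SNAT in POSTROUTING);
        later packets of the same flow reuse it. Only the source side is rewritten."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.orig.get(key)
        if ext_port is None:
            ext_port = self._alloc_port(pkt.sport)
            self.orig[key] = ext_port
            self.reply[(pkt.dst, pkt.dport, self.wan_ip, ext_port)] = key
        return Packet(self.wan_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: undo the translation from the table alone; no reverse rule.

        A packet matching no reply tuple returns None (not forwarded inside):
        this is the implicit firewall effect of stateful NAT.
        """
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        orig = self.reply.get(key)
        if orig is None:
            return None
        src, sport, _dst, _dport = orig
        return Packet(pkt.src, pkt.sport, src, sport)


def demo() -> dict:
    """The question's scenario plus a second host colliding on source port 1234."""
    nat = SourceNat("201.22.14.15")
    a_out = nat.outbound(Packet("192.168.1.1", 1234, "137.132.1.15", 80))
    b_out = nat.outbound(Packet("192.168.1.2", 1234, "137.132.1.15", 80))
    # the server replies to whatever source it saw on the wire
    a_reply = nat.inbound(Packet("137.132.1.15", 80, "201.22.14.15", a_out.sport))
    b_reply = nat.inbound(Packet("137.132.1.15", 80, "201.22.14.15", b_out.sport))
    # same server, different source port: no matching reply tuple, so dropped
    stray = nat.inbound(Packet("137.132.1.15", 443, "201.22.14.15", a_out.sport))
    return {"a_out": a_out, "b_out": b_out, "a_reply": a_reply,
            "b_reply": b_reply, "stray": stray, "entries": len(nat.orig)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Host A keeps external port 1234 because it was free; host B, arriving second with the same source port, is moved to the first free port in the range, and each server reply is mapped back to the right inside host purely from the table. On a real Linux router the whole thing is one rule such as `iptables -t nat -A POSTROUTING -o <wan-if> -j SNAT --to-source 201.22.14.15` (or `-j MASQUERADE` for a dynamic WAN address), and `conntrack -L` from conntrack-tools lists the live entries, including the translated reply tuple.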













