NAT and NAT tables
I am trying to understand how NAT and NAT tables work but can't seem to find answers online. I have a few questions regarding NAT. Assume a TCP connection is made.
Assume the router has WAN IP 201.22.14.15.
1) Let's say a device with IP 192.168.1.1 wants to connect to a server with IP 137.132.1.15. The device first encapsulates the data in an IP datagram with source IP 192.168.1.1 and destination IP 137.132.1.15?
2) After which the datagram is sent to the router where NAT happens. Assuming this is the first packet being sent in the private network, the NAT table is initially empty?
3) Now there is an entry in the table which maps 192.168.1.1:1234 to 201.22.14.15:2345?
192.168.1.1:1234 -> 201.22.14.15:2345
The IP datagram is repackaged with the corresponding router address (201.22.14.15) and port number 2345 before being sent out. Is there a separate TCP connection from the router to the server? Or is the entry just a virtual port number assigned?
4) The data comes back from the server 137.132.1.15 with dst IP 201.22.14.15 and dst port 2345. The router does a table lookup and finds that 201.22.14.15:2345 is mapped to 192.168.1.1:1234. So it repackages the IP datagram with src address 137.132.1.15:80 and dst address 192.168.1.1:1234.
I am not sure if the steps I highlighted are correct.
networking wireless-networking router ip nat
You've described this pretty much as it happens. If you're confused about whether or not there's a separate TCP connection, the answer is no, all the SYN & ACK packets governing TCP are forwarded to the original connection source in the exact same way you've described.
– Radhil
Nov 20 at 16:09
asked Nov 20 at 16:06
calveeen
2 Answers
Accepted answer (2 votes), answered Nov 20 at 16:40 by Jorge Valentini
I will try to be simple in the explanation. You have mainly two types of NAT:
Source NAT: Typically known as 'masquerade', it masks your local IP address with its own address so that it can communicate with hosts in networks that do not know the route to your local network.
Destination NAT: Usually known as 'port forwarding', it translates the destination network address to a local address in a foreign network.
I think what you are describing is a source NAT, your communication from your local network to a server on the internet. And what happens is as you said, but let me rephrase a little bit:
- You generate a connection from your local net to the internet: 192.168.1.1 -> 137.132.1.15:PORT, your source port is random.
- Based on your routing table, in the local host with the IP 192.168.1.1, your packet will go to the next hop, usually your default gateway for internet destinations.
- When your packet arrives at a device that has a configured Source NAT, it will translate the source address, masquerading the source of the packet and converting it into 201.22.14.15 -> 137.132.1.15:PORT. And it will remember that this connection is from your local IP 192.168.1.1.
- Let's suppose that, as most of the time, 137.132.1.15 is a firewall that will NAT the destination port PORT to a foreign local network, for instance 10.0.0.1, and let's suppose it is a web server, so it will translate the packet as 201.22.14.15 -> 10.0.0.1:80.
- The server at 10.0.0.1 will then receive a request from 201.22.14.15, and when returning, the same thing will happen the other way: based on its routing table, it will go back to 201.22.14.15.
- The router/firewall will need to masquerade the other way, changing the packet addresses as 137.132.1.15 -> 201.22.14.15.
- Your router at 201.22.14.15 will receive the packet, will be able to detect that it is related to the stream generated by 192.168.1.1 and will return the response. 192.168.1.1 will see a packet that comes from 137.132.1.15, as 10.0.0.1 has been masqueraded.
Hope it helps and it does not generate more confusion.
Side note
TCP connections are not organized in datagrams, they are streams. Datagrams are UDP.
For the sake of clarity you may want to change the the word translate to rewrite. (Strictly speaking there is no transaction occurring, packets are being rewritten based on tracking in a lookup table). Your answer is, of course, otherwise correct.
– davidgo
Nov 20 at 18:18
Hi @davidgo thanks for your comment, and let me respectfully disagree. It is actually a translation (not a transaction as you well said, but I didn’t say transaction), moreover, ‘translation’ is the T in NAT. I would say that rewrite is just another way of saying it
– Jorge Valentini
Nov 20 at 18:45
Hi @JorgeValentini, from step 2 to step 3 when you say that your packet arrives at a device that has configured Source NAT, is that the default gateway router you are talking about? So there could be multiple NATs when your home device wants to connect with a server on the internet, because I thought there was only one NAT translation for your home network? Are those devices that configure Source NAT routers?
– calveeen
Nov 21 at 0:52
Hi @calveen, usually in a home environment the NAT is performed by your ISP router/modem, while strictly speaking a NAT is an instance of firewall, usually these home devices do everything and are the default gateway for the network also, so it’s blurry. Answering to your question, there may be one or more NATs in a more complex network, a typical example of a double NAT could be a DMZ, but I think you go to a much simpler environment, right? As it was not clear to me how simple/complex it was, I didn’t want to specify which one is the device doing the NAT
– Jorge Valentini
Nov 21 at 1:09
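As an added illustration of the two translations in the accepted answer (example code written for this page, not the answer's own), the following Python models a masquerading home router with WAN 201.22.14.15 in front of 192.168.1.1 and a port-forwarding firewall at 137.132.1.15 in front of a web server on 10.0.0.1:80, then pushes one request and its reply through both. The addresses and the port 2345 come from the thread; the sequential port allocation and the (src, dst)-keyed table are simplifying assumptions of this model, since a real NAT keys its table on the full connection tuple and chooses free ports differently. The drop of an inbound packet that matches no table entry is the return-path behaviour the answer describes: only a packet whose public address and port are already in the table can reach a private host.

```python
# Added example (not the answer's code): a toy model of source NAT on the
# home router and destination NAT on the remote firewall.  Addresses and the
# port 2345 come from the thread; the sequential port allocation and the
# (src, dst)-keyed table are simplifying assumptions of this model.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str = ""


class SourceNAT:
    """Masquerading router: outbound packets leave with the router's WAN
    address and a WAN port; replies to that WAN port are mapped back."""

    def __init__(self, wan_ip: str, first_port: int = 2345):
        self.wan_ip = wan_ip
        self._next_port = first_port
        # (private src, public dst) -> WAN port.  The flow is identified by the
        # addresses and ports; the WAN port is the extra field NAT adds.
        self.table: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # (WAN port, public dst) -> private src, for the reply direction.
        self.reverse: Dict[Tuple[int, Endpoint], Endpoint] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.dst)
        if key not in self.table:
            port = self._next_port          # assumed: next free port, sequentially
            self._next_port += 1
            self.table[key] = port
            self.reverse[(port, pkt.dst)] = pkt.src
        return replace(pkt, src=(self.wan_ip, self.table[key]))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply direction.  None means the packet is dropped: without a table
        entry there is no private host it could belong to."""
        if pkt.dst[0] != self.wan_ip:
            return None
        private = self.reverse.get((pkt.dst[1], pkt.src))
        if private is None:
            return None
        return replace(pkt, dst=private)


class DestinationNAT:
    """Port-forwarding firewall: public port -> internal (ip, port)."""

    def __init__(self, public_ip: str, forwards: Dict[int, Endpoint]):
        self.public_ip = public_ip
        self.forwards = forwards

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst[0] != self.public_ip or pkt.dst[1] not in self.forwards:
            return None                      # no forward for that port: dropped
        return replace(pkt, dst=self.forwards[pkt.dst[1]])

    def outbound(self, pkt: Packet) -> Packet:
        # Undo the forward: the internal server's address becomes public again.
        for public_port, internal in self.forwards.items():
            if pkt.src == internal:
                return replace(pkt, src=(self.public_ip, public_port))
        return pkt


def round_trip() -> Tuple[Packet, Packet, Packet, Packet]:
    """One request from 192.168.1.1:1234 to 137.132.1.15:80 and its reply."""
    home = SourceNAT("201.22.14.15")
    remote = DestinationNAT("137.132.1.15", {80: ("10.0.0.1", 80)})

    request = Packet(("192.168.1.1", 1234), ("137.132.1.15", 80), "GET /")
    on_wire = home.outbound(request)         # source rewritten to 201.22.14.15:2345
    at_server = remote.inbound(on_wire)      # destination rewritten to 10.0.0.1:80
    assert at_server is not None

    # The server answers the addresses it saw, swapped around.
    reply = Packet(at_server.dst, at_server.src, "200 OK")
    reply_on_wire = remote.outbound(reply)   # source back to 137.132.1.15:80
    delivered = home.inbound(reply_on_wire)  # destination back to 192.168.1.1:1234
    assert delivered is not None
    return on_wire, at_server, reply_on_wire, delivered


if __name__ == "__main__":
    stages = ("leaves home router", "reaches server",
              "leaves remote firewall", "reaches client")
    for stage, pkt in zip(stages, round_trip()):
        print(f"{stage:24s} {pkt.src[0]}:{pkt.src[1]} -> {pkt.dst[0]}:{pkt.dst[1]}")
```

Running round_trip() gives the four views of the same flow: what leaves the home router, what the server receives, what the firewall puts back on the wire, and what 192.168.1.1 finally gets. The reply reaches the client with 137.132.1.15:80 as its source, so the client never learns that 10.0.0.1 exists, which is the answer's last point. A second LAN host reusing source port 1234 towards the same server gets its own WAN port (2346 in this model), which is why the table has to hold the full tuple and not just the port.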
Answer (1 vote)
The following is for the Linux kernel, but I'd assume MacOS and Windows work similarly.
What you call the "NAT table" is called the connection tracker, or conntrack for short. There are tools that you can use to inspect this table.
1) Yes.
2) Yes. To be precise, the connection tracking table doesn't have an entry for this connection; it needn't be empty. A connection is characterized by source address, source port, destination address, and destination port; the port number it is NATed to is an additional entry.
3a) Yes, where 2345 is a port that is not already in use. IIRC it defaults to the original source port. The connection tracker entry is made because there's an iptables rule with the SNAT (source NAT) target.
3b) No, this connection is not tracked as a normal TCP connection. The netfilter connection tracker and the TCP connection state table are completely different.
4) Yes. Note that there need not be a reverse iptables rule; this confuses many people.
Please consider quoting the OP's queries in your post as you answer them to make it easier to comprehend. (It's not mandatory, just nicer.)
– Twisty Impersonator
Nov 20 at 18:15
"There are tools that you can use to inspect this table". Do these tools exist for most consumer routers, or are you talking about something specific to Linux netfilter?
– Barmar
Nov 23 at 19:53
@Barmar: Well, both: The tools are specific to Linux netfilter, but the vast majority of consumer routers are embedded Linux machines, so you can cross compile the tools/modules, or install firmware that already has them.
– dirkt
Nov 24 at 12:31
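To make "there are tools that you can use to inspect this table" concrete, here is an added example (written for this page, not part of the answer) that parses entries in the layout /proc/net/nf_conntrack and conntrack -L print them and recovers the NAT mapping from the two tuples on each line. Each entry carries the original-direction tuple (what the LAN host sent) followed by the reply-direction tuple (what the router expects back). With no NAT the second is just the first reversed; a source NAT shows up as the reply tuple's destination differing from the original source, and a destination NAT as the reply tuple's source differing from the original destination. The sample lines are constructed for this page with the thread's addresses; the timeout values, use counts and exact spacing are illustrative.

```python
# Added example (not the answer's code): parse conntrack entries and derive
# the NAT mapping.  The sample table below is constructed with the thread's
# addresses; it is not captured from a real router.
import re
from typing import Dict, List, Optional

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
STATE_RE = re.compile(r"\b(SYN_SENT|SYN_RECV|ESTABLISHED|FIN_WAIT|CLOSE_WAIT|"
                      r"LAST_ACK|TIME_WAIT|CLOSE)\b")
PROTO_RE = re.compile(r"\b(tcp|udp)\b")

# Constructed sample in /proc/net/nf_conntrack layout:
#  1. the thread's connection after source NAT, 1234 -> 2345
#  2. a LAN DNS lookup to the router itself, not translated
#  3. a connection whose SYN has gone out but nothing has come back yet;
#     the NAT kept the original source port because it was free
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.1 dst=137.132.1.15 sport=1234 dport=80 src=137.132.1.15 dst=201.22.14.15 sport=80 dport=2345 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.1 dst=192.168.1.254 sport=51000 dport=53 src=192.168.1.254 dst=192.168.1.1 sport=53 dport=51000 mark=0 zone=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=192.168.1.1 dst=137.132.1.15 sport=1235 dport=443 [UNREPLIED] src=137.132.1.15 dst=201.22.14.15 sport=443 dport=1235 mark=0 zone=0 use=1
"""


def _tuple(fields) -> Dict[str, object]:
    src, dst, sport, dport = fields
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def parse_entry(line: str) -> Optional[Dict[str, object]]:
    """Return the original and reply tuples of one entry plus the SNAT/DNAT
    mapping they imply, or None for lines without two TCP/UDP tuples (ICMP
    entries use type/code/id instead of ports)."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    original, reply = _tuple(tuples[0]), _tuple(tuples[1])

    # Without NAT the reply tuple is the original turned around.  If the
    # reply is addressed somewhere other than the original source, the NAT
    # substituted its own address/port: that is the source NAT mapping.
    snat = None
    if (reply["dst"], reply["dport"]) != (original["src"], original["sport"]):
        snat = f'{original["src"]}:{original["sport"]} -> {reply["dst"]}:{reply["dport"]}'
    # Likewise, a reply coming from something other than the original
    # destination means the destination was rewritten (port forwarding).
    dnat = None
    if (reply["src"], reply["sport"]) != (original["dst"], original["dport"]):
        dnat = f'{original["dst"]}:{original["dport"]} -> {reply["src"]}:{reply["sport"]}'

    proto = PROTO_RE.search(line)
    state = STATE_RE.search(line)
    return {
        "proto": proto.group(1) if proto else "?",
        "state": state.group(1) if state else None,   # UDP has no TCP state
        "unreplied": "[UNREPLIED]" in line,            # entry exists, no reply seen yet
        "original": original,
        "reply": reply,
        "snat": snat,
        "dnat": dnat,
    }


def parse_table(text: str) -> List[Dict[str, object]]:
    """Parse every line of a conntrack dump, skipping lines we cannot read."""
    entries = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_table(SAMPLE_CONNTRACK):
        o = e["original"]
        print(f'{e["proto"]:3s} {e["state"] or "-":11s} '
              f'{o["src"]}:{o["sport"]} -> {o["dst"]}:{o["dport"]}  '
              f'snat={e["snat"]} dnat={e["dnat"]} unreplied={e["unreplied"]}')
```

On a real box you would feed parse_table the contents of /proc/net/nf_conntrack (root, nf_conntrack module loaded) or the output of conntrack -L. The third sample line is the state the answer's point 2 and 3a describe: the entry exists from the first SYN onward, before any reply, and the translated port equals the original source port because nothing else was using it. Fed an entry from the remote firewall's side of the accepted answer's scenario, the same parser reports the destination NAT 137.132.1.15:80 -> 10.0.0.1:80 instead.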
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
accepted
I will try to be simple in the explanation. You have mainly two types of NAT:
Source NAT: Typically known as 'masquerade', it masks your local IP address with his address so that it can communicate with hosts in networks that do not know the route to your local network.
Destination NAT: Usually known as 'port forwarding' it translates the destination network address to a local address in a foreign network.
I think what you are describing is a source NAT, your communication from your local network to a server in the internet. And what happens is as you said, but let me rephrase a little bit:
- You generate a connection from your local net to internet:
192.168.1.1 -> 137.132.1.15:PORT
, your source port is random. - Based on your routing table, in the local host with the IP 192.168.1.1, your packet will go to the next hop, usually your default gateway for internet destinations.
- when your packet arrives to a device that has a configured Source NAT, it will translate the source address, masquerading the source of the packet and converting it into
201.22.14.15 -> 137.132.1.15:PORT
. And it will remember that this connection is from your local IP 192.168.1.1. - Let's suppose that, as most of the times, 137.132.1.15 is a firewall that will NAT the destination port PORT to a foreign local network, for instance 10.0.0.1, and let's suppose it is a web server, so it will translate the packet as
201.22.14.15 -> 10.0.0.1:80
. - The server at 10.0.0.1 will receive then a request from 201.22.14.15, and when returning, the same thing will happen on the other way, based on his routing table, he will go back to 201.22.14.15.
- The router/firewall will need to masquerade on the other way, changing the packet addresses as
137.132.1.15 -> 201.22.14.15
. - Your router at 201.22.14.15 will receive the packet, will be able to detect that is related to the stream generated by 192.168.1.1 and will return the response. 192.168.1.1 will see a packet that comes from 137.132.1.15, as 10.0.0.1 has been masqueraded.
Hope it helps and it does not generate more confusion.
Side note
TCP connections are not organized in datagrams, they are streams. Datagrams are UDP.
1
For the sake of clarity you may want to change the the word translate to rewrite. (Strictly speaking there is no transaction occurring, packets are being rewritten based on tracking in a lookup table). Your answer is, of course, otherwise correct.
– davidgo
Nov 20 at 18:18
Hi @davidgo thanks for your comment, and let me respectfully disagree. It is actually a translation (not a transaction as you well said, but I didn’t say transaction), moreover, ‘translation’ is the T in NAT. I would say that rewrite is just another way of saying it
– Jorge Valentini
Nov 20 at 18:45
Hi @JorgeValentini from step 2 to step 3 when you say that your packet arrives to a device that has configured Source NAT, is that the default gateway router you are talking about ? So there could be multiple NAT's when your home device wants to connect with a server in the internet because i thought there was only one NAT translation for your home network ? Are those devices that configure Source NAT routers ?
– calveeen
Nov 21 at 0:52
Hi @calveen, usually in a home environment the NAT is performed by your ISP router/modem, while strictly speaking a NAT is an instance of firewall, usually these home devices do everything and are the default gateway for the network also, so it’s blurry. Answering to your question, there may be one or more NATs in a more complex network, a typical example of a double NAT could be a DMZ, but I think you go to a much simpler environment, right? As it was not clear to me how simple/complex it was, I didn’t want to specify which one is the device doing the NAT
– Jorge Valentini
Nov 21 at 1:09
add a comment |
up vote
2
down vote
accepted
I will try to be simple in the explanation. You have mainly two types of NAT:
Source NAT: Typically known as 'masquerade', it masks your local IP address with his address so that it can communicate with hosts in networks that do not know the route to your local network.
Destination NAT: Usually known as 'port forwarding' it translates the destination network address to a local address in a foreign network.
I think what you are describing is a source NAT, your communication from your local network to a server in the internet. And what happens is as you said, but let me rephrase a little bit:
- You generate a connection from your local net to internet:
192.168.1.1 -> 137.132.1.15:PORT
, your source port is random. - Based on your routing table, in the local host with the IP 192.168.1.1, your packet will go to the next hop, usually your default gateway for internet destinations.
- when your packet arrives to a device that has a configured Source NAT, it will translate the source address, masquerading the source of the packet and converting it into
201.22.14.15 -> 137.132.1.15:PORT
. And it will remember that this connection is from your local IP 192.168.1.1. - Let's suppose that, as most of the times, 137.132.1.15 is a firewall that will NAT the destination port PORT to a foreign local network, for instance 10.0.0.1, and let's suppose it is a web server, so it will translate the packet as
201.22.14.15 -> 10.0.0.1:80
. - The server at 10.0.0.1 will receive then a request from 201.22.14.15, and when returning, the same thing will happen on the other way, based on his routing table, he will go back to 201.22.14.15.
- The router/firewall will need to masquerade on the other way, changing the packet addresses as
137.132.1.15 -> 201.22.14.15
. - Your router at 201.22.14.15 will receive the packet, will be able to detect that is related to the stream generated by 192.168.1.1 and will return the response. 192.168.1.1 will see a packet that comes from 137.132.1.15, as 10.0.0.1 has been masqueraded.
Hope it helps and it does not generate more confusion.
Side note
TCP connections are not organized in datagrams, they are streams. Datagrams are UDP.
1
For the sake of clarity you may want to change the the word translate to rewrite. (Strictly speaking there is no transaction occurring, packets are being rewritten based on tracking in a lookup table). Your answer is, of course, otherwise correct.
– davidgo
Nov 20 at 18:18
Hi @davidgo thanks for your comment, and let me respectfully disagree. It is actually a translation (not a transaction as you well said, but I didn’t say transaction), moreover, ‘translation’ is the T in NAT. I would say that rewrite is just another way of saying it
– Jorge Valentini
Nov 20 at 18:45
Hi @JorgeValentini from step 2 to step 3 when you say that your packet arrives to a device that has configured Source NAT, is that the default gateway router you are talking about ? So there could be multiple NAT's when your home device wants to connect with a server in the internet because i thought there was only one NAT translation for your home network ? Are those devices that configure Source NAT routers ?
– calveeen
Nov 21 at 0:52
Hi @calveen, usually in a home environment the NAT is performed by your ISP router/modem, while strictly speaking a NAT is an instance of firewall, usually these home devices do everything and are the default gateway for the network also, so it’s blurry. Answering to your question, there may be one or more NATs in a more complex network, a typical example of a double NAT could be a DMZ, but I think you go to a much simpler environment, right? As it was not clear to me how simple/complex it was, I didn’t want to specify which one is the device doing the NAT
– Jorge Valentini
Nov 21 at 1:09
add a comment |
up vote
2
down vote
accepted
up vote
2
down vote
accepted
I will try to be simple in the explanation. You have mainly two types of NAT:
Source NAT: Typically known as 'masquerade', it masks your local IP address with his address so that it can communicate with hosts in networks that do not know the route to your local network.
Destination NAT: Usually known as 'port forwarding' it translates the destination network address to a local address in a foreign network.
I think what you are describing is a source NAT, your communication from your local network to a server in the internet. And what happens is as you said, but let me rephrase a little bit:
- You generate a connection from your local net to internet:
192.168.1.1 -> 137.132.1.15:PORT
, your source port is random. - Based on your routing table, in the local host with the IP 192.168.1.1, your packet will go to the next hop, usually your default gateway for internet destinations.
- when your packet arrives to a device that has a configured Source NAT, it will translate the source address, masquerading the source of the packet and converting it into
201.22.14.15 -> 137.132.1.15:PORT
. And it will remember that this connection is from your local IP 192.168.1.1. - Let's suppose that, as most of the times, 137.132.1.15 is a firewall that will NAT the destination port PORT to a foreign local network, for instance 10.0.0.1, and let's suppose it is a web server, so it will translate the packet as
201.22.14.15 -> 10.0.0.1:80
. - The server at 10.0.0.1 will receive then a request from 201.22.14.15, and when returning, the same thing will happen on the other way, based on his routing table, he will go back to 201.22.14.15.
- The router/firewall will need to masquerade on the other way, changing the packet addresses as
137.132.1.15 -> 201.22.14.15
. - Your router at 201.22.14.15 will receive the packet, will be able to detect that is related to the stream generated by 192.168.1.1 and will return the response. 192.168.1.1 will see a packet that comes from 137.132.1.15, as 10.0.0.1 has been masqueraded.
Hope it helps and it does not generate more confusion.
Side note
TCP connections are not organized in datagrams, they are streams. Datagrams are UDP.
I will try to be simple in the explanation. You have mainly two types of NAT:
Source NAT: Typically known as 'masquerade', it masks your local IP address with his address so that it can communicate with hosts in networks that do not know the route to your local network.
Destination NAT: Usually known as 'port forwarding' it translates the destination network address to a local address in a foreign network.
I think what you are describing is a source NAT, your communication from your local network to a server in the internet. And what happens is as you said, but let me rephrase a little bit:
- You generate a connection from your local net to internet:
192.168.1.1 -> 137.132.1.15:PORT
, your source port is random. - Based on your routing table, in the local host with the IP 192.168.1.1, your packet will go to the next hop, usually your default gateway for internet destinations.
- when your packet arrives to a device that has a configured Source NAT, it will translate the source address, masquerading the source of the packet and converting it into
201.22.14.15 -> 137.132.1.15:PORT
. And it will remember that this connection is from your local IP 192.168.1.1. - Let's suppose that, as most of the times, 137.132.1.15 is a firewall that will NAT the destination port PORT to a foreign local network, for instance 10.0.0.1, and let's suppose it is a web server, so it will translate the packet as
201.22.14.15 -> 10.0.0.1:80
. - The server at 10.0.0.1 will receive then a request from 201.22.14.15, and when returning, the same thing will happen on the other way, based on his routing table, he will go back to 201.22.14.15.
- The router/firewall will need to masquerade on the other way, changing the packet addresses as
137.132.1.15 -> 201.22.14.15
. - Your router at 201.22.14.15 will receive the packet, will be able to detect that is related to the stream generated by 192.168.1.1 and will return the response. 192.168.1.1 will see a packet that comes from 137.132.1.15, as 10.0.0.1 has been masqueraded.
Hope it helps and it does not generate more confusion.
Side note
TCP connections are not organized in datagrams, they are streams. Datagrams are UDP.
answered Nov 20 at 16:40
Jorge Valentini
1829
1829
1
For the sake of clarity you may want to change the the word translate to rewrite. (Strictly speaking there is no transaction occurring, packets are being rewritten based on tracking in a lookup table). Your answer is, of course, otherwise correct.
– davidgo
Nov 20 at 18:18
Hi @davidgo thanks for your comment, and let me respectfully disagree. It is actually a translation (not a transaction as you well said, but I didn’t say transaction), moreover, ‘translation’ is the T in NAT. I would say that rewrite is just another way of saying it
– Jorge Valentini
Nov 20 at 18:45
Hi @JorgeValentini from step 2 to step 3 when you say that your packet arrives to a device that has configured Source NAT, is that the default gateway router you are talking about ? So there could be multiple NAT's when your home device wants to connect with a server in the internet because i thought there was only one NAT translation for your home network ? Are those devices that configure Source NAT routers ?
– calveeen
Nov 21 at 0:52
Hi @calveen, usually in a home environment the NAT is performed by your ISP router/modem, while strictly speaking a NAT is an instance of firewall, usually these home devices do everything and are the default gateway for the network also, so it’s blurry. Answering to your question, there may be one or more NATs in a more complex network, a typical example of a double NAT could be a DMZ, but I think you go to a much simpler environment, right? As it was not clear to me how simple/complex it was, I didn’t want to specify which one is the device doing the NAT
– Jorge Valentini
Nov 21 at 1:09
add a comment |
1
For the sake of clarity you may want to change the the word translate to rewrite. (Strictly speaking there is no transaction occurring, packets are being rewritten based on tracking in a lookup table). Your answer is, of course, otherwise correct.
– davidgo
Nov 20 at 18:18
Hi @davidgo thanks for your comment, and let me respectfully disagree. It is actually a translation (not a transaction as you well said, but I didn’t say transaction), moreover, ‘translation’ is the T in NAT. I would say that rewrite is just another way of saying it
– Jorge Valentini
Nov 20 at 18:45
Hi @JorgeValentini from step 2 to step 3 when you say that your packet arrives to a device that has configured Source NAT, is that the default gateway router you are talking about ? So there could be multiple NAT's when your home device wants to connect with a server in the internet because i thought there was only one NAT translation for your home network ? Are those devices that configure Source NAT routers ?
– calveeen
Nov 21 at 0:52
Hi @calveen, usually in a home environment the NAT is performed by your ISP router/modem, while strictly speaking a NAT is an instance of firewall, usually these home devices do everything and are the default gateway for the network also, so it’s blurry. Answering to your question, there may be one or more NATs in a more complex network, a typical example of a double NAT could be a DMZ, but I think you go to a much simpler environment, right? As it was not clear to me how simple/complex it was, I didn’t want to specify which one is the device doing the NAT
– Jorge Valentini
Nov 21 at 1:09
1
1
For the sake of clarity you may want to change the the word translate to rewrite. (Strictly speaking there is no transaction occurring, packets are being rewritten based on tracking in a lookup table). Your answer is, of course, otherwise correct.
– davidgo
Nov 20 at 18:18
For the sake of clarity you may want to change the the word translate to rewrite. (Strictly speaking there is no transaction occurring, packets are being rewritten based on tracking in a lookup table). Your answer is, of course, otherwise correct.
– davidgo
Nov 20 at 18:18
Hi @davidgo thanks for your comment, and let me respectfully disagree. It is actually a translation (not a transaction as you well said, but I didn’t say transaction), moreover, ‘translation’ is the T in NAT. I would say that rewrite is just another way of saying it
– Jorge Valentini
Nov 20 at 18:45
Hi @davidgo thanks for your comment, and let me respectfully disagree. It is actually a translation (not a transaction as you well said, but I didn’t say transaction), moreover, ‘translation’ is the T in NAT. I would say that rewrite is just another way of saying it
– Jorge Valentini
Nov 20 at 18:45
Hi @JorgeValentini from step 2 to step 3 when you say that your packet arrives to a device that has configured Source NAT, is that the default gateway router you are talking about ? So there could be multiple NAT's when your home device wants to connect with a server in the internet because i thought there was only one NAT translation for your home network ? Are those devices that configure Source NAT routers ?
– calveeen
Nov 21 at 0:52
Hi @JorgeValentini from step 2 to step 3 when you say that your packet arrives to a device that has configured Source NAT, is that the default gateway router you are talking about ? So there could be multiple NAT's when your home device wants to connect with a server in the internet because i thought there was only one NAT translation for your home network ? Are those devices that configure Source NAT routers ?
– calveeen
Nov 21 at 0:52
Hi @calveen, usually in a home environment the NAT is performed by your ISP router/modem, while strictly speaking a NAT is an instance of firewall, usually these home devices do everything and are the default gateway for the network also, so it’s blurry. Answering to your question, there may be one or more NATs in a more complex network, a typical example of a double NAT could be a DMZ, but I think you go to a much simpler environment, right? As it was not clear to me how simple/complex it was, I didn’t want to specify which one is the device doing the NAT
– Jorge Valentini
Nov 21 at 1:09
Hi @calveen, usually in a home environment the NAT is performed by your ISP router/modem, while strictly speaking a NAT is an instance of firewall, usually these home devices do everything and are the default gateway for the network also, so it’s blurry. Answering to your question, there may be one or more NATs in a more complex network, a typical example of a double NAT could be a DMZ, but I think you go to a much simpler environment, right? As it was not clear to me how simple/complex it was, I didn’t want to specify which one is the device doing the NAT
– Jorge Valentini
Nov 21 at 1:09
add a comment |
up vote
1
down vote
The following is for the Linux kernel, but I'd assume MacOS and Windows work similarly.
What you call the "NAT table" is called the connection tracker or conntrack for short. There are tools that you can use to inspect this table.
1) Yes.
2) Yes. To be precise, the connection tracking table doesn't have an entry for this connection; it needn't be empty. A connection is characterized by source address, source port, destination address, and destination port; the port number it is nat'ed to is an additional entry.
3a) Yes, where 2345 is a port that is not already in use. IIRC it defaults to the original source port. The connection tracker entry is made because there's an iptables rule with SNAT (source NAT) target.
b) No, this connection is not tracked as a normal TCP connection. The netfilter connection tracker and the TCP connection state table are completely different.
4) Yes. Note that there need not be a reverse iptables rule; this confuses many people.
answered Nov 20 at 17:25
dirkt
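A small simulation of the behaviour the answer describes, added here as an illustration and not code from the answer or from netfilter: entries are keyed by the original 4-tuple, the translated port defaults to the original source port and falls back to an unused one, and reply packets are matched by reverse lookup, so no reverse rule exists. The addresses are the question's own; the `SourceNAT` class, `Packet` type and the global port-uniqueness rule are constructed assumptions.

```python
from dataclasses import dataclass

WAN_IP = "201.22.14.15"  # the question's router WAN address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNAT:
    """Toy conntrack-style SNAT table (constructed example, not netfilter)."""

    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        self.table = {}    # (src_ip, src_port, dst_ip, dst_port) -> NAT'ed port
        self.reverse = {}  # (NAT'ed port, dst_ip, dst_port) -> original 4-tuple

    def _free_port(self, wanted: int) -> int:
        # Prefer the original source port; fall back to the next unused one.
        # Simplification: ports are kept unique across the whole table.
        used = set(self.table.values())
        port = wanted
        while port in used:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound(self, pkt: Packet) -> Packet:
        # First packet of a flow: no entry exists yet, so one is created.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            port = self._free_port(pkt.src_port)
            self.table[key] = port
            self.reverse[(port, pkt.dst_ip, pkt.dst_port)] = key
        return Packet(self.wan_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        # Reply traffic is matched by reverse lookup; no second rule is needed.
        key = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.wan_ip or key is None:
            return None  # unsolicited: no conntrack entry, so it is dropped
        src_ip, src_port, _, _ = key
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)
```

A second internal host using the same source port towards the same server gets the next free external port, and an inbound packet with no matching entry returns `None`, which is the "drop" case the answer's point 4 relies on.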
1
Please consider quoting the OP's queries in your post as you answer them to make it easier to comprehend. (It's not mandatory, just nicer.)
– Twisty Impersonator
Nov 20 at 18:15
"There are tools that you can use to inspect this table". Do these tools exist for most consumer routers, or are you talking about something specific to Linux netfilter?
– Barmar
Nov 23 at 19:53
@Barmar: Well, both: The tools are specific to Linux netfilter, but the vast majority of consumer routers are embedded Linux machines, so you can cross compile the tools/modules, or install firmware that already has them.
– dirkt
Nov 24 at 12:31
3
You've described this pretty much as it happens. If you're confused about whether or not there's a separate TCP connection, the answer is no, all the SYN & ACK packets governing TCP are forwarded to the original connection source in the exact same way you've described.
– Radhil
Nov 20 at 16:09