![]() The ideal scenario would be that all traffic pointed to 109.132.94.20 is translated to 192.168.1.2 when it enters the router. There is one problem, the server is not reachable from the outside because of the use of private IPs. Notice that the server is now in the private subnet. A lot of companies use DNAT to hide their real server in a private range behind a Firewall / Router. In fact it will rewrite the Destination address instead of the source address. If the connection is reset and interface 1 gets a new IP, the rule will dynamically use this new IP.ĭNAT is the inverse of source NAT. The router will use the dynamic IP assigned to Interface 1 (in this case 109.132.94.20) and will rewrite the source. In this case the same thing will happen as in the previous example. It is a special form of Source NAT where instead of defining a fixed ip it will define only an interface. So it is hard to predict what the outside ip will be. Most providers assign public ip addresses to home users via DHCP. Your network interface at the WAN side might change IP. It would be hard to make firewall rules for the original host as this information is already replaced. If it would be a Pre Routing / Firewall process, the source would be the router itself. You can also see why SNAT should be a Post Routing process. ![]() In this case only 192.168.1.2 would be translated but no other hosts. Interesting to know is that source NAT can be done on a single IP as well, meaning that the original source address might be only be 192.168.1.2. It will translate the port and the destination back and put the package back on the lan There it can see that the final destination is not itself but is an internal IP. It will inspect the package and match it to his translation table based on the translated source port and destination ip (which is now the destination port and source ip). So when a package returns from the website via your Internet GW the following happens on the router. Router WAN send a modified version of the package to Internet GW Basically it modifies the Source Port and keeps a table of the "original settings" linked to the source port and destination. With NAPT this tracking is done on port base. While doing this it tracks that it send out this package for the internal server. So it translate the source to its own ip. It wants to forward this package to this default gateway but it knows that 192.168.1.x is a local subnet. It only has one default gateway itself (the one given by your provider). Your Computer send the following packet to the Router LAN So when your computer sends a package to request the website the following conversation will happens: Remember that .x is a private range and has no meaning on the internet itself. ![]() So the setup of IP's would look something like this: Your computer wants to get a page at 173.194.35.19. Your router is the default gateway in this LAN but is also connected to the Internet. You have a computer connected on your local LAN. Basically this home router does NAPT between your local network and the internet. So when you want to use this connection with multiple devices you put a "router" in between. When you have a broadband connection at home, your provider will probably only assign you one public IP. One of the most common use cases of NAT is NAPT . NAT is mostly done on Routers when a packet transfers from one subnet to another subnet. So what is NAT or Network Address Translation? Well NAT is actually a technique which is used to modify the source or target IP address in a IP packet. If you already know how SNAT, DNAT and NETMAP work please ignore the post. But before I can go into detail in that post, you need to understand how NAT works on Linux (as this is the core). This post is actually a prequel to my next post which will talk about Surebackup and Networking. In this post I will try to explain as simple as possible how NAT works. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |