Network Address Translation 101
The basic router support simply moves messages from one network subnet to
another without translation. This works well in most instances but there is one
case where network address translation (NAT) is worthwhile.
This is where an
Internet Service Provider (ISP) supplies a single IP address to a customer. A
single IP address is sufficient when a single computer is attached to the
Internet, but NAT is required if that single IP address must serve a whole network.
NAT takes advantage of the fact that messages do not contain just source and
destination IP addresses but rather IP and port address pairs for source and
destination routing. The NAT router has a table to handle translation. When a
NAT-enabled router receives a message from the local network it takes a look at
the source IP address and port number and checks the table to see if this is the
first message from this source. If it is, then a new entry is added to the table
with the source IP address and port number. A new alias port number is allocated
from a pool of unused port addresses. This number is added to the table entry.
The NAT router then changes the source IP address to the IP address of the
outgoing network interface. It also changes the source port number to the alias
port number from the table entry. The translated message is then sent through
the outgoing network interface.
Messages coming into the outgoing network interface follow the reverse
process. The destination IP address matches the one for the outgoing network
interface for the NAT router. The destination port number is used to look up the
matching IP and port number. The destination IP address is changed as is the
port number in the message using the values from the table. The message is then
sent to the local network and the local computer.
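As an added example, not code from the original article, here is a toy Python model of the translation table and the two rewrite paths described in the last two paragraphs. All addresses and the alias port pool are constructed (RFC 1918 inside, RFC 5737 documentation ranges outside); it also covers the cases the text implies but does not spell out: an existing entry is reused, an exhausted alias pool drops the message, and an inbound message with no matching table entry is dropped rather than forwarded.

```python
"""Toy NAPT (IP masquerading) table following the algorithm described above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Rewrites source IP:port going out and destination IP:port coming in."""

    def __init__(self, external_ip, alias_ports=range(40000, 40003)):
        self.external_ip = external_ip             # outgoing interface address
        self.free_ports = list(alias_ports)        # pool of unused alias ports
        self.out_table = {}  # (inside_ip, inside_port) -> alias_port
        self.in_table = {}   # alias_port -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Local network -> Internet. Returns the rewritten packet or None (dropped)."""
        key = (pkt.src_ip, pkt.src_port)           # table is keyed on source only
        alias = self.out_table.get(key)
        if alias is None:                          # first message from this source
            if not self.free_ports:
                return None                        # alias pool exhausted
            alias = self.free_ports.pop(0)
            self.out_table[key] = alias
            self.in_table[alias] = key
        return Packet(self.external_ip, alias, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> local network. Reverse lookup on the destination port."""
        if pkt.dst_ip != self.external_ip:
            return None                            # not addressed to this router
        inside = self.in_table.get(pkt.dst_port)
        if inside is None:
            return None                            # no entry: unsolicited, dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo():
    """Constructed addresses: a web request out, its reply in, and a stray probe."""
    nat = NatRouter("203.0.113.10")
    outer = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    reply = nat.inbound(Packet("198.51.100.5", 80, "203.0.113.10", outer.src_port))
    stray = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 40002))
    return outer, reply, stray
```

The unsolicited-inbound drop is why a masquerading router also acts as a crude inbound filter: only ports present in the table reach the local network.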
Neither the source nor the destination computer knows about the masquerade
performed by the address translation. The process would be completely transparent if it
were not for the fact that some protocols carry port and IP addresses inside the
message body in addition to the source and destination addresses in the header. Luckily, this is
another area where masquerading can take place. It just takes a bit more work,
including recognition of the higher level protocols and the ability to translate
these additional addresses.
The Linux NAT support is integrated with the firewall support, which uses a
configuration program called ipchains. This handles protocols that
require only basic source and destination translation. ip_masq is
actually a series of programs that handle different protocols. Only those
for the protocols to be supported need be used. Protocols like FTP and IRC require
masquerading programs. More on these in the next two sections.