Network Address Translation, or NAT, is accomplished using software that can hide one or more
subnets behind a single IP address. NAT software is typically found in newer Internet routers and
is almost always present in firewalls and proxy servers. NAT is not the same as an HTTP proxy server.
An HTTP proxy must be configured on the client side. Once configured, your Web browser asks
the HTTP proxy to make connections to the Internet on your behalf; as far as the Web site you're
connecting to knows, it's the proxy server that's reading the Web page, not your browser. The
effect is NAT-like: the requests from all of the browsers using the HTTP proxy appear to be
coming from the proxy server, not from the workstations. The workstations do not need to be using
IP addresses that are routable on the Internet; in fact, it is normal to use addresses that are
reserved for this purpose, such as 10.x.x.x (see Tips and Tricks, later in this document).
"Transparent" NAT is easier to deploy, since nothing needs to be changed at the workstations.
However, "configured" NAT (e.g., HTTP proxy servers) often adds features that a packet-level
translator cannot offer, such as Web page caching.
NAT software accomplishes three basic things:
NAT can allow you to connect many more machines to the Internet than you have IP addresses
for. I first used NAT to connect my home LAN to a dial-up ISP via a single-IP-address
PPP connection. (I used the reserved address block 192.168.1.0/24 on my LAN).
NAT is a good security measure when you use reserved addresses behind the NAT router, since
those addresses are not globally routable: no router on the Internet will carry a packet addressed
to 192.168.1.x to your LAN, so an attacker who knows a host's address still cannot reach it directly.
It is harder to attack hosts when you can't reach them directly.
NAT is a good security measure because no inbound connections are allowed through the
NAT translator unless it is specifically configured to allow them; as we will see, this is a
side effect of how NAT software works rather than a separate feature.
I like to refer to NAT routers as "transparent TCP proxy routers." Transparent, because unlike HTTP
proxies, NAT routers need no configuration and no application software support to work
with most TCP-based protocols. NAT routers will proxy outbound connections "automagically."
Strictly speaking, a NAT router does not open a TCP connection of its own the way an HTTP proxy
does: for every outbound TCP connection it rewrites the source address (and usually the source
port) of each packet to its own public address and a port it picks, and it records that mapping so
the replies can be rewritten back to the inside host. Either way, the destination only ever sees
the router's address. The NAT router thus builds a growing list of port translations. Consider two
computers that open three TCP connections each to a web server to download the same Web page,
while a Linux workstation opens a Telnet session to rs.internic.net.
The web server thinks the NAT router at 208.208.208.208 has two browsers running that both just
opened the same document and images; the Telnet server thinks that the same computer at
208.208.208.208 opened a Telnet session to it; only the NAT software knows that three computers
have seven connections open from behind it.
Transparent NAT works well for TCP, where the router can see each connection open and close. UDP
has no connection setup, so the router can only guess at flows: it remembers which outside host and
port an inside machine sent to, passes replies from that host and port back in, and times the entry
out after a while. Protocols whose servers answer from a different port, or open separate UDP
"connections" back toward the client, do not fit that model, so NAT works less well for unusual
UDP traffic (sorry, Quake fans..!)
Since NAT routers hide many machines behind a single IP address, putting a server behind a NAT
router becomes a problem: the NAT software has no way of determining for itself which internal
address an inbound connection request is meant for, so unless it has been told, it drops the
request. This dropping of inbound connections, while allowing outbound connections, makes NAT
routers cost-effective low-end firewalls.
NAT routers do nothing to prevent users from downloading viruses or trojan horse programs
(like the well-publicized trojan horse Back Orifice), but they do go a long way toward blocking
attempts to connect inbound to a running trojan horse, whether it was installed accidentally or
maliciously. Bear in mind that a trojan which itself connects outbound to its controller looks
like any other outbound connection to the NAT router and is not blocked by it.
If your NAT router only supports one "real" IP address, you can only have one service on your
network listening on the "well known port" for that service; you could have two Web servers
listening on different ports, but not two web servers both listening
on (e.g.) 208.208.208.208:80. For example, suppose you have a LAN with a mail server at
192.168.1.5 and a Web server at 192.168.1.9 behind a NAT router whose outside address is
208.208.208.208. You would configure the NAT software to listen to ports 25 and 80 on
208.208.208.208, and forward connections as follows:

    "Listening" Port          "Internal" Address
    208.208.208.208:25        192.168.1.5:25
    208.208.208.208:80        192.168.1.9:80
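To make the translation table concrete, here is a small simulator of the behaviour described in the "transparent TCP proxy" discussion above and in the forwarding table just given. It is an added example for this page, not code from the original article or from any of the products it mentions. The Web, Telnet and game server addresses and the internal PC addresses are made up (the text itself names only 208.208.208.208, 192.168.1.5 and 192.168.1.9, plus rs.internic.net), and the "game" server stands in for a Quake-style server that answers from a second UDP port.

```python
from dataclasses import dataclass
from itertools import count

PUBLIC_IP = "208.208.208.208"   # the router's single "real" address, as in the text


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Rewrites source addresses on the way out and reverses the rewrite on replies."""

    def __init__(self, public_ip, port_forwards=None, first_port=1024):
        self.public_ip = public_ip
        # static inbound forwards: (proto, public_port) -> (internal_ip, internal_port)
        self.port_forwards = dict(port_forwards or {})
        self._free_ports = count(first_port)
        # (proto, src_ip, src_port, dst_ip, dst_port) -> port used on the public side
        self.out_table = {}
        # (proto, public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.in_table = {}

    def _new_public_port(self, proto):
        port = next(self._free_ports)
        while (proto, port) in self.port_forwards:  # never collide with a static forward
            port = next(self._free_ports)
        return port

    def outbound(self, pkt):
        """Packet from the LAN heading for the Internet: masquerade it."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:  # first packet of a new flow: add a translation
            port = self._new_public_port(pkt.proto)
            self.out_table[key] = port
            self.in_table[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet from the Internet addressed to the public IP; returns None if dropped."""
        hit = None
        if pkt.dst_ip == self.public_ip:
            # 1. a reply to a flow some inside host opened: undo the translation
            hit = self.in_table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
            # 2. otherwise an explicitly configured forward (the "listening" port table)
            if hit is None:
                hit = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if hit is None:
            # 3. nothing matches: the router cannot tell who it is for, so it is dropped
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, hit[0], hit[1])


def build_router():
    """The forwarding table from the text: 25 -> 192.168.1.5, 80 -> 192.168.1.9."""
    return NatRouter(PUBLIC_IP, {("tcp", 25): ("192.168.1.5", 25),
                                 ("tcp", 80): ("192.168.1.9", 80)})


def run_scenario(nat):
    """Replay the text's example: two PCs x three web connections, plus one Telnet session."""
    # constructed outside addresses (documentation ranges); the text names only rs.internic.net
    web, telnet, game = "198.51.100.10", "198.51.100.20", "198.51.100.30"
    seen_by_web = set()
    for pc in ("192.168.1.20", "192.168.1.21"):
        for sport in (1025, 1026, 1027):
            out = nat.outbound(Packet("tcp", pc, sport, web, 80))
            seen_by_web.add((out.src_ip, out.src_port))
    t = nat.outbound(Packet("tcp", "192.168.1.30", 2000, telnet, 23))
    tcp_flows = len(nat.out_table)
    # the Telnet server's reply is rewritten back to the right workstation
    reply = nat.inbound(Packet("tcp", telnet, 23, PUBLIC_IP, t.src_port))
    # an unsolicited probe from outside matches nothing and is dropped
    probe = nat.inbound(Packet("tcp", "203.0.113.7", 40000, PUBLIC_IP, 6000))
    # a connection to the advertised SMTP port reaches the mail server behind the router
    smtp = nat.inbound(Packet("tcp", "203.0.113.7", 40001, PUBLIC_IP, 25))
    # UDP: a reply from the port we sent to is fine; one from a different server port is not
    q = nat.outbound(Packet("udp", "192.168.1.21", 27001, game, 27910))
    udp_ok = nat.inbound(Packet("udp", game, 27910, PUBLIC_IP, q.src_port))
    udp_other = nat.inbound(Packet("udp", game, 27911, PUBLIC_IP, q.src_port))
    return {
        "ips_seen_by_web": {ip for ip, _ in seen_by_web},
        "ports_seen_by_web": len({port for _, port in seen_by_web}),
        "tcp_flows": tcp_flows,
        "telnet_reply_to": (reply.dst_ip, reply.dst_port),
        "probe_dropped": probe is None,
        "smtp_reaches": (smtp.dst_ip, smtp.dst_port),
        "udp_same_port_ok": udp_ok is not None and udp_ok.dst_ip == "192.168.1.21",
        "udp_other_port_dropped": udp_other is None,
    }


if __name__ == "__main__":
    for name, value in run_scenario(build_router()).items():
        print(f"{name}: {value}")
```

The web server sees one address with six different source ports, the router's table holds seven TCP entries, the probe to a port nobody forwarded goes nowhere, and the second UDP reply from a port the inside host never talked to is dropped, which is exactly the "unusual UDP" case. A real masquerading implementation also times entries out and watches TCP FIN/RST to expire them; the toy keeps every entry forever.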
If you want to play with NAT software and you have an old PC-compatible machine lying around
(NAT is easy for routers to do and does not require much in the way of hardware),
look at two Linux-based standalone router efforts: FreeSCO at
http://www.freesco.org/, or the Linux Router Project
(http://linuxrouter.org/). Please
read the manual and experiment a bit with the software before sending me questions specific
to FreeSCO or LRP. You'll learn more that way, and I didn't help write the program, so I
probably shouldn't be the person you talk to for tech support about it, anyway. :-)
Platform Specific Information: Note that TCP/IP proxies are not platform-specific. In other
words, it works fine to place an MS-DOS based proxy server (such as IPRoute) on a Mac network,
or a Linux proxy on a Novell-based IP network. But if you only want to add software, not hardware, to
your network, then here are some options I've found. (Note: I do not explicitly endorse the
use of any of these products; they're merely listed here for your convenience.)
Netware networks: I understand Border Manager does address translation.
Novell's IPX-to-IP gateway (a different product) works for IPX-only networks by tunneling IP
sockets through the IPX network to the Netware server, which makes the "real"
TCP/IP connection to the destination server. Workstations are protected by virtue
of the fact that they're not actually running TCP/IP locally, and don't have
IP addresses of their own (they all use the server's IP address).
NT networks: Microsoft Proxy Server does HTTP proxying, and I'm told newer versions
do full NAT, but other solutions
to consider are Kerio WinRoute
(http://www.kerio.com/us/kerio.html) and Sygate
(http://www.sygate.com)
for NAT and HTTP proxy services. I've used both. Winroute has more features, but Sygate is a bit
less expensive.
Linux: Vaguely recent (v1.3.x or greater) Linux kernels include support for "IP Masquerading,"
which is Linux's name for network address translation. There is a newer kernel option
called "transparent proxy" which is not NAT, but rather forces all outbound
connections to use a proxy server, without the user's knowledge or explicit configuration.
Linux goes a step further with Masquerade Loadable Modules (the link, http://ipmasq.home.ml.org,
is down at the time of this writing; it will probably reappear at a new address),
which can explicitly support "weird" connections such as the separate UDP connections
Quake servers use. See any of the many Linux IP Masquerade sites, such as
http://www.indyramp.com/masq/. New: Check out the Linux Router Project at http://linuxrouter.org/,
a full-featured Open Source Linux-based router product that can boot off a floppy disk.