Principle analysis of Network Address Translation (NAT)

Source: Internet
Author: User

1 overview

1.1 Introduction

NAT is short for "Network Address Translation". It is an IETF (Internet Engineering Task Force) standard that allows an entire organization to appear on the Internet behind a single public IP (Internet Protocol) address. As the name implies, it is a technique that translates internal private network addresses (IP addresses) into legitimate public IP addresses. NAT can therefore, to a certain extent, effectively relieve the shortage of public network addresses.

1.2 Classification

There are three types of NAT: static NAT, dynamic address NAT (pooled NAT), and network address port translation, NAPT (port-level NAT).

NAPT maps internal addresses to different ports of a single external IP address, so a small or medium-sized network can be hidden behind one legitimate IP address. Unlike dynamic address NAT, NAPT maps an internal connection to a single IP address on the external network and adds to that address a port number chosen by the NAT device.

NAPT is the most common form of translation and is used mainly in home gateways (HOMEGW). It has two modes of translation: SNAT and DNAT.

(1) Source NAT (SNAT): modifies the source address of the packet. Source NAT rewrites the source address of the first packet of a connection, always before the packet is sent out to the network; address masquerading is an example of SNAT.

(2) Destination NAT (DNAT): modifies the destination address of the packet. Destination NAT is the opposite of SNAT: it rewrites the destination address of the first packet of a connection. Load balancing, port forwarding and transparent proxying are all examples of DNAT.

1.3 Applications

NAT can implement several functions: masquerading, load balancing, port forwarding, and transparent proxying.

Masquerading: the address information in outgoing intranet packets is rewritten to a single external address, so intranet hosts are never directly exposed to the Internet, which protects them. The same feature is also commonly used to provide shared Internet access.

Port forwarding: when an intranet host offers a service to the outside, it cannot be reached directly from the external network because it uses a private IP address. Port forwarding must therefore be configured on the gateway to forward the packets of a particular service to the intranet host.

Load balancing: destination address translation can redirect connections aimed at one server to other, randomly selected servers. (Not very clear)

Failover: destination address translation can also be used to provide highly reliable services. If a critical server is reached through a router, then once the router detects that the server has failed it can use destination NAT to transparently move the connection to a backup server. (How is it transferred?)

Transparent proxy: NAT can redirect HTTP connections bound for the Internet to a designated HTTP proxy server that caches data and filters requests. Some Internet service providers use this technique to reduce bandwidth usage without requiring their customers to configure their browsers for a proxy. (How is the redirect done?)

2 Principle

2.1 Address Translation

NAT basically works as follows: when an IP packet exchanged between a private network host and a public network host passes through the NAT gateway, the gateway rewrites the source IP or destination IP of the packet, translating between the private IP and the NAT gateway's public IP.

As shown in the figure (not reproduced here), the NAT gateway has two network ports. The public-side port has the uniformly allocated public IP 202.20.65.5; the private-side port has the reserved address 192.168.1.1. Host 192.168.1.2 on the private network sends an IP packet (dst=202.20.65.4, src=192.168.1.2) to host 202.20.65.4 on the public network.

When the packet passes through the NAT gateway, the gateway translates its source IP into the gateway's public IP and forwards it to the public network; the forwarded packet (dst=202.20.65.4, src=202.20.65.5) no longer contains any private network IP information. Because the source IP has been replaced with the NAT gateway's public IP, the response packet (dst=202.20.65.5, src=202.20.65.4) sent by the public web server is delivered to the NAT gateway.

The NAT gateway then translates the destination IP of the response into the IP of the host on the private network and forwards the packet (dst=192.168.1.2, src=202.20.65.4) into the private network. This address translation is completely transparent to both communicating parties. The translation is summarized as follows.

If the request packet sent by the intranet host were not translated, the destination address of the web server's reply would be the private IP address; such a packet cannot be delivered correctly across the Internet, so the connection fails.

2.2 Connection Tracking

In the above process, when the NAT gateway receives a response packet it must determine which host to forward it to. If the intranet has only a small number of clients, this can be specified manually with static NAT; but if the intranet has many clients, each visiting different sites, connection tracking (conntrack) is required, as shown in the following figure (not reproduced here):

After the NAT gateway receives a request packet from a client, it performs source address translation and saves a connection record. When it later receives the response packet from the server, it looks up the tracking table, determines the forwarding target, performs destination address translation, and forwards the packet to the client.

2.3 Port Translation

Take a client accessing a server as an example. When only one client accesses the server, the NAT gateway only needs to change the source IP or destination IP of the packets for communication to work. But if client A and client B access the web server at the same time, then when the NAT gateway receives a response packet it cannot tell which client to forward it to, as shown in the figure.

To tell them apart, the NAT gateway adds port information to the connection tracking entries. If the two clients use different source ports to reach the same server, recording the port in the tracking table is enough to distinguish them; if the source ports happen to be identical, the gateway also translates the source port during SNAT and DNAT, as shown in the figure. (This point is important to understand.)
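As an added illustration that is not part of the original article, the following Python model implements the three mechanisms of sections 2.1 to 2.3 together: source address translation, a connection tracking table consulted for replies, and per-connection port translation so that two clients using the same source port stay distinguishable. The gateway's public IP 202.20.65.5, the client 192.168.1.2 and the server 202.20.65.4 come from the article; the second client 192.168.1.3, the public port range starting at 40000 and the names Packet and NaptGateway are assumptions of this example.

```python
from dataclasses import dataclass

PUBLIC_IP = "202.20.65.5"  # NAT gateway's public-side address, from the article

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NaptGateway:
    """Hypothetical NAPT gateway: SNAT with port translation plus a tracking table."""
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port  # assumed start of the public port range
        self.outbound = {}  # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.track = {}     # (public port, server ip, server port) -> (src_ip, src_port)

    def outbound_translate(self, pkt):
        """Sections 2.1/2.2: rewrite the source IP (and port) and record the connection."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            # Section 2.3: every new connection gets its own public port, so two
            # clients that happen to use the same source port remain distinguishable.
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = pub_port
            self.track[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound_translate(self, pkt):
        """Reverse-translate a reply via the tracking table; None means no state, drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.track.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # unsolicited inbound packet: no connection state, so it is dropped
        inner_ip, inner_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inner_ip, inner_port)

def demo():
    # Constructed scenario: clients A and B both use source port 5000 to reach the web server.
    gw = NaptGateway()
    a = Packet("192.168.1.2", 5000, "202.20.65.4", 80)
    b = Packet("192.168.1.3", 5000, "202.20.65.4", 80)
    out_a, out_b = gw.outbound_translate(a), gw.outbound_translate(b)
    reply_a = Packet("202.20.65.4", 80, gw.public_ip, out_a.src_port)
    reply_b = Packet("202.20.65.4", 80, gw.public_ip, out_b.src_port)
    return out_a, out_b, gw.inbound_translate(reply_a), gw.inbound_translate(reply_b)
```

Both outgoing packets leave with source 202.20.65.5 but distinct public ports, and each reply is mapped back to the right client; a reply for which no tracking entry exists is dropped, which is why hosts behind NAT are not reachable unsolicited without port forwarding.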

