[Techtalk] reality check from networking gurus wanted

Lisa Bogue lisab at bluesunsa.com
Fri Sep 22 23:12:09 UTC 2006

Dear Carla-

I didn't read the article (lazy and tired on a friday evening) but  
here are the definitions that I had in my Cisco CCNA class.  I think  
they may be useful here.

Static NAT - allows one-to-one mapping between local and global  
addresses.  This requires a real IP number for every machine being  

Dynamic NAT - maps unregistered (local) IP addresses to a pool of  
routable addresses.  This limits the number of machines that can be  
on the internet at a time based on the number of addresses in the  
pool.  It is still a one-to-one mapping, but the addresses  
dynamically get allocated every time a machine requests a session.   
This was a common schema for businesses about 8 years ago.

Overloading (or PAT) = maps multiple, unregistered IP addresses to a  
single registered IP address.

Basically, since you have many addresses mapping to one routable IP,  
how does the router determine who gets the answering packet?  It uses  
the port number to identify which machine should get it.  In the  
olden days (8-10 years ago) we used to call these devices nat/pat.   
For whatever reason, common vernacular shortened this to "nat."  The  
author is probably correct, but it's a point that only routing geeks  
would get into.


On Sep 22, 2006, at 5:36 PM, Carla Schroder wrote:

> I've been reading this article over and over, and I'm not getting it:
> http://www.enterprisenetworkingplanet.com/netsp/article.php/3632496
> Is the article correct and I'm just being thick, or is the author  
> missing the boat? For example:
> "Home users who talk about NAT are actually talking about PAT, or  
> Port Address Translation. This is quite easy to remember: PAT  
> translates ports, as the name implies, and likewise, NAT translates  
> addresses."
> Well now, my iptables rules definitely translate addresses. This  
> snippet is for a network with a static routable public IP, and a  
> Web server in a DMZ on a private IP:
> $ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE --dport 80 -j DNAT -- 
> to-destination
> $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d  
> --dport 80  -j ALLOW
> DNAT translates the destination address, and outgoing packets are  
> source-natted to the public IP:
> $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source
> Sure looks like address translation to me.
> The concluding statement has me puzzled:
> "IPv6 introduces the ability to have way more IP addresses than we  
> really need. Does that mean that IPv6 will eliminate NAT? No. It  
> also won't eliminate the usage of NAT everyone's familiar with:  
> PAT. We all need somewhere to stow Windows boxes away from the  
> myriad of uninitiated connection attempts that come from the  
> Internet."
> I look forward to IPv6 taking over and thereby bit-bucketing NAT  
> forever with a glad heart. It's a kludge that has served its  
> purpose; now it's time to start thinking about retirement. There  
> ways other than NAT to protect private hosts, such as plain ole  
> iptables filters, and IPv6 provides private addresses.
> I'm digging deeply into both iptables and IPv6, and I'm working  
> hard to get it right. I appreciate any comments from y'all smart kids.
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  Carla Schroder
>  check out my "Linux Cookbook", the ultimate Linux user's
>  and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://linuxchix.org/mailman/listinfo/techtalk

More information about the Techtalk mailing list