[Techtalk] reality check from networking gurus wanted
lisab at bluesunsa.com
Fri Sep 22 23:12:09 UTC 2006
I didn't read the article (lazy and tired on a friday evening) but
here are the definitions that I had in my Cisco CCNA class. I think
they may be useful here.
Static NAT - allows one-to-one mapping between local and global
addresses. This requires a real IP number for every machine being
Dynamic NAT - maps unregistered (local) IP addresses to a pool of
routable addresses. This limits the number of machines that can be
on the internet at a time based on the number of addresses in the
pool. It is still a one-to-one mapping, but the addresses
dynamically get allocated every time a machine requests a session.
This was a common schema for businesses about 8 years ago.
Overloading (or PAT) - maps multiple, unregistered IP addresses to a
single registered IP address.
Basically, since you have many addresses mapping to one routable IP,
how does the router determine who gets the answering packet? It uses
the port number to identify which machine should get it. In the
olden days (8-10 years ago) we used to call these devices nat/pat.
For whatever reason, common vernacular shortened this to "nat." The
author is probably correct, but it's a point that only routing geeks
would get into.
On Sep 22, 2006, at 5:36 PM, Carla Schroder wrote:
> I've been reading this article over and over, and I'm not getting it:
> Is the article correct and I'm just being thick, or is the author
> missing the boat? For example:
> "Home users who talk about NAT are actually talking about PAT, or
> Port Address Translation. This is quite easy to remember: PAT
> translates ports, as the name implies, and likewise, NAT translates
> Well now, my iptables rules definitely translate addresses. This
> snippet is for a network with a static routable public IP, and a
> Web server in a DMZ on a private IP:
> $ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE --dport 80 -j DNAT --to-destination 192.168.2.25:80
> $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d 192.168.2.25 --dport 80 -j ACCEPT
> DNAT translates the destination address, and outgoing packets are
> source-natted to the public IP:
> $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 22.214.171.124
> Sure looks like address translation to me.
> The concluding statement has me puzzled:
> "IPv6 introduces the ability to have way more IP addresses than we
> really need. Does that mean that IPv6 will eliminate NAT? No. It
> also won't eliminate the usage of NAT everyone's familiar with:
> PAT. We all need somewhere to stow Windows boxes away from the
> myriad of uninitiated connection attempts that come from the
> I look forward to IPv6 taking over and thereby bit-bucketing NAT
> forever with a glad heart. It's a kludge that has served its
> purpose; now it's time to start thinking about retirement. There are
> ways other than NAT to protect private hosts, such as plain ole
> iptables filters, and IPv6 provides private addresses.
> I'm digging deeply into both iptables and IPv6, and I'm working
> hard to get it right. I appreciate any comments from y'all smart kids.
> Carla Schroder
> check out my "Linux Cookbook", the ultimate Linux user's
> and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
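Added example, not from either poster: a small Python model of the dynamic (one-to-one, pool-limited) NAT and the PAT (overloading) tables described in the thread, using constructed addresses, to show why the port number is what lets the router hand the answering packet back to the right inside host, and why an unsolicited inbound packet has no table entry to match.

```python
# Constructed sample addresses (TEST-NET-3 range); not from the thread.
PUBLIC_POOL = ["203.0.113.10", "203.0.113.11"]
PAT_ADDR = "203.0.113.1"

class DynamicNAT:
    """One-to-one: each inside host borrows a whole address from the pool."""
    def __init__(self, pool):
        self.free = list(pool)
        self.table = {}          # inside_ip -> public_ip
    def outbound(self, inside_ip):
        if inside_ip not in self.table:
            if not self.free:
                return None      # pool exhausted: this host cannot get out
            self.table[inside_ip] = self.free.pop(0)
        return self.table[inside_ip]
    def inbound(self, public_ip):
        for inside, pub in self.table.items():
            if pub == public_ip:
                return inside
        return None

class PAT:
    """Overloading: many inside sockets share one address; the port disambiguates."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}            # (inside_ip, inside_port) -> public_port
        self.back = {}           # public_port -> (inside_ip, inside_port)
    def outbound(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.out:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = port
            self.back[port] = key
        return self.public_ip, self.out[key]
    def inbound(self, public_port):
        # No entry means nobody inside asked for this: the router drops it.
        return self.back.get(public_port)

def demo():
    dyn = DynamicNAT(PUBLIC_POOL)
    # Three hosts, two addresses: the third one is stuck until an entry frees.
    dyn_results = [dyn.outbound(h) for h in
                   ("192.168.2.10", "192.168.2.11", "192.168.2.12")]
    pat = PAT(PAT_ADDR)
    a = pat.outbound("192.168.2.10", 40000)
    b = pat.outbound("192.168.2.11", 40000)   # same inside port, other host
    return dyn_results, a, b, pat.inbound(a[1]), pat.inbound(b[1]), pat.inbound(9999)
```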