IPv4 addressing

NAT: Address Translation

  • Definition
  • Translation types
  • NAT implementation

Definition

Network Address Translation (NAT) is a technique developed to address the gradual depletion of available IPv4 addresses. Designed as an interim solution before the widespread adoption of IPv6, NAT enabled companies and individuals to keep connecting large numbers of machines while using only a limited set of public IP addresses.
Important reminder: the move from IPv4 to IPv6 theoretically solves the exhaustion problem by expanding the address space from 32 bits to 128 bits, providing an almost unlimited number of addresses (2^128). In practice, however, the transition is still incomplete, and NAT remains widely used today.
The principle behind NAT is simple but highly effective: instead of assigning a unique public IP address to every device on the internal network, a single routable address (or a small pool of addresses) is used for all private devices. The NAT gateway, often integrated into the router or firewall, then dynamically translates the internal IP address along with the information needed to route traffic correctly to the outside world, and ensures that responses are returned to the original sender.
This approach has an immediate benefit: it completely hides the internal network architecture. To an outside observer, all requests from workstations, servers or printers appear to come from the same public identity. Private addresses, usually taken from reserved ranges (e.g. 192.168.x.x or 10.x.x.x), remain invisible from the Internet.
In addition to addressing IPv4 scarcity, NAT also strengthens security by creating a first logical barrier between the internal and public networks. Unsolicited inbound communications are naturally blocked, since only connections initiated from inside the network benefit from the translation entry needed to receive responses.

Translation types

NAT can be implemented in different ways to suit specific needs. The two main modes of operation are static translation and dynamic translation.
Static translation creates a fixed mapping between a private IP address and a public IP address. Each internal machine is permanently linked to its dedicated public address. For example, an internal device configured as 192.168.20.1 could be associated with the routable address 157.54.130.1. When an outgoing packet leaves the local network, the router replaces the packet's source address with the public address, and performs the reverse operation for incoming traffic. This bidirectional translation is transparent to the user.
Warning: While this method isolates the internal network, it doesn't solve the shortage of public IP addresses, since you still need as many public addresses as there are machines to expose. Static translation is therefore mainly used when certain internal resources must remain reachable from the outside (web server, mail server...).
Dynamic translation, on the other hand, uses a pool of public IP addresses. When an internal host starts a connection, the router temporarily assigns one of these public addresses to the host's private address for the duration of the session. The link is 1-to-1, but temporary: once the connection ends, the public address becomes available for another device. Dynamic NAT therefore reduces the number of public addresses needed when not all machines are online at the same time, but it still requires a block of external addresses at least as large as the maximum number of simultaneous connections.
Port translation (PAT), also known as NAT overload or IP masquerading, goes a step further: all private devices share a single public IP address (or a very small number). To distinguish sessions, the gateway modifies not only the source address, but also the source port. It keeps a table linking each (private address, private port) pair to a unique (public address, public port) pair. This form of NAT is used in almost all home routers, allowing dozens of devices (computers, smartphones, connected objects, etc.) to share the same public IP address, while maintaining fluid communication.
NAT therefore extends IPv4's lifespan, while adding a valuable layer of segmentation and security. However, as IPv6 adoption grows and its vast address space becomes more widely used, the role of NAT will likely decline, though for compatibility and control purposes it will still be used in some environments to segment and filter traffic.

NAT implementation

To ensure the proper operation of address translation, the NAT router or gateway must keep an accurate record of the mappings established between each private address on the internal network and the public address it uses to communicate with the outside world. This information is stored in what's known as the "NAT translation table", which plays a central role in managing network traffic.
Each entry in this table links at least one pair: the internal IP address of the sending machine and the external IP address that will be exposed on the Internet. When a packet from the private network is sent to a public destination, the NAT router intercepts the frame, analyzes the IP and TCP/UDP headers, then replaces the private source address with the gateway's public address. On the return path, the same gateway captures the incoming packet, checks the mapping table and performs the reverse operation to redirect the flow to the original internal IP address.
This dynamic translation principle relies on precise table management: each entry remains valid as long as there is active traffic to justify it. After a configurable period of inactivity, the entry is cleared and can be reused for new connections.
Example of a simplified NAT translation table:
Internal IP       External IP       Duration (sec)   Reusable?
10.101.10.20      193.48.100.174    1,200            no
10.100.54.251     193.48.101.8      3,601            yes
10.100.0.89       193.48.100.46     0                no
In this example, if no packet has passed through for the second entry in over an hour (3,600 seconds), it is marked as reusable. Conversely, a duration of zero indicates an active communication, with the mapping locked.
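To make the port translation (PAT) mode and the translation-table lifecycle above concrete, here is an added simulation (not part of the course text) of a PAT gateway: each private (address, port) pair gets a unique port on one public address, idle entries expire and release their port for reuse, and inbound packets that match no live entry are dropped. The public address 85.152.44.14 and the 192.168.0.0/24 network are reused from this page; the ports, timestamps and remote address 203.0.113.5 are constructed values.

```python
from dataclasses import dataclass
# Constructed sample values; addresses reuse this page's example networks.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatGateway:
    """PAT / NAT overload: every private (ip, port) maps to a unique port on one
    public address. Entries idle for idle_timeout seconds expire and free their port."""

    def __init__(self, public_ip, idle_timeout=3600, first_port=40000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        self.free_ports = []   # public ports released by expired entries (reusable)
        self.outbound = {}     # (private_ip, private_port) -> (public_port, last_seen)
        self.inbound = {}      # public_port -> (private_ip, private_port)

    def _expire(self, now):
        for key, (pub_port, last_seen) in list(self.outbound.items()):
            if now - last_seen >= self.idle_timeout:
                del self.outbound[key], self.inbound[pub_port]
                self.free_ports.append(pub_port)

    def translate_outbound(self, pkt, now):
        """Private -> public: reuse or create a mapping, rewrite source ip:port."""
        self._expire(now)
        key = (pkt.src_ip, pkt.src_port)
        if key in self.outbound:
            pub_port = self.outbound[key][0]
        elif self.free_ports:
            pub_port = self.free_ports.pop()
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
        self.inbound[pub_port] = key
        self.outbound[key] = (pub_port, now)   # (re)start the idle timer
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt, now):
        """Public -> private: forward only packets for a live mapping; unsolicited traffic -> None."""
        self._expire(now)
        key = self.inbound.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.public_ip:
            return None
        self.outbound[key] = (pkt.dst_port, now)   # a reply also refreshes the timer
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])
```

Real gateways also pick ports from a bounded pool and may additionally check that a reply comes from the remote endpoint the session was opened to.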
While NAT operates transparently for most common uses (web browsing, e-mail, file transfer, etc.), it can create additional challenges for certain network applications. Some technologies rely on explicitly exchanging IP addresses or ports within the packet payload. After passing through a NAT gateway, this information becomes inconsistent.
Typical examples of limitations include:
  • Peer-to-peer protocols (P2P), which require direct connections between devices, are hindered by the NAT barrier, since all internal machines share the same external IP address and cannot be reached directly without specific configuration (such as port forwarding or UPnP);
  • The IPSec protocol, used to secure network communications, encrypts packet headers. Because NAT must modify these headers to replace IP addresses, encryption makes this impossible without adaptation mechanisms such as NAT-T (NAT Traversal);
  • The X Window protocol, which allows remote display of graphical applications on Unix/Linux, works in such a way that the X server actively opens TCP connections to clients. This reversal of the usual direction of connections can be blocked by NAT.
In general, any protocol that explicitly includes the internal IP address in the packet payload will be affected, since that address will no longer match the real, internet-visible address after translation.
Important note: To address these issues, some NAT routers offer Deep Packet Inspection (DPI) or Protocol Helpers, which inspect packet contents to identify and dynamically replace addresses or port numbers within application data. This requires in-depth knowledge of the protocol format, and can create security vulnerabilities or increase resource usage.
Caution: Although NAT helps hide the internal network and control incoming traffic, it is not a substitute for a dedicated firewall. Translation alone is not a complete security barrier: it must always be complemented by clear filtering rules to block unsolicited or unwanted traffic.
To illustrate how this works in practice, consider the following example:
In this scenario, an internal workstation can access the internal web server simply by calling the URL http://192.168.1.20:80. Specifying the port is optional here, since 80 is the standard HTTP port. Conversely, if a request is initiated from the outside, the user will enter the public address http://85.152.44.14:80. The NAT router receives the request, consults its mapping table, and automatically translates the public address into a private one, redirecting the connection to http://192.168.1.20:80.
The same principle applies to any other server authorized to receive internet connections, such as the Extranet server (blue circuit in the diagram).
Practical note: in virtualized environments, network interfaces called virbrX (for Virtual Bridge X) are commonly used. These virtual bridges, provided in particular by the libvirt library or the Xen hypervisor, connect the virtual internal network of guest machines to the physical network while applying NAT. They are generally configured via scripts in /etc/sysconfig/network-scripts/, as shown below for virbr0:
NAME=""
BOOTPROTO=none
MACADDR=""
TYPE=Bridge
DEVICE=virbr0
NETMASK=255.255.255.0
MTU=""
BROADCAST=192.168.0.255
IPADDR=192.168.0.1
NETWORK=192.168.0.0
ONBOOT=yes
Once the virtual bridge is in place, you need to enable IP routing and configure port translation with iptables:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o <WAN> -s 192.168.0.0/24 -j MASQUERADE
With this configuration, outgoing traffic is routed and NAT translation is applied, allowing virtual machines to communicate with the outside world without directly exposing their internal IP addresses.
In the next chapter, we'll look in detail at IP address configuration under Linux, covering both simple and advanced methods suited to different administration contexts.