Network Address Translation

Network Address Translation (NAT) is an extension of routing that allows the router to modify the addresses in the packets it forwards. Traditional routers examine addresses, but they don't change them. NAT boxes convert the IP addresses used on the local network to "official" IP addresses. This allows you to use a private network number and still have Internet access. The private network numbers defined in RFC 1918 are

• Networks 172.16.0.0 to 172.31.0.0 (Network 172.16.0.0 is used for the examples in this book)

Private network numbers are popular, and for some good reasons:

• Using a private network number reduces paperwork. You don't have to ask anyone's permission to use these addresses. No applications, no fees. Just do it.

• The addresses are yours. If you change ISPs, there is no need to renumber the hosts on the network. You may need to change the configuration of the NAT box, but that is probably easier than changing the configuration of all of your desktop systems.

• You conserve IP addresses. Having more addresses than you really need can make designing a network much easier, but you don't want more than you need if you're wasting valuable IP addresses. When you use private addresses, you don't waste any IP addresses. These addresses are reuseable, and the same addresses you're using are probably being used by hundreds of other private networks around the world.

• Private IP addresses reduce address spoofing. Spoofing is a security attack in which someone at a remote location pretends to be on your local network by using one of your network addresses. Private IP addresses should not be forwarded through the Internet, so spoofing one of these addresses won't do the attacker much good.

Private network numbers are explicitly defined for private use. They cannot be routed through the Internet because any number of private networks might be using the same addresses. Before packets originating from a host that uses a private IP address can be forwarded to an external network, the source address in the packet must be converted to a valid Internet address.

Weigh all of the factors before you decide to use NAT. Network address translation has some problems:

• It places a small additional overhead on the router, which reduces the router's performance.

• It doesn't work well with all protocols. TCP/IP protocols were not designed with NAT in mind.

• It interferes with end-to-end authentication schemes that authenticate the source address.

Linux 2.4 implements IP address translation in the kernel using the iptables command. Linux includes IP address translation as part of the firewall software that comes with the system. Firewalls and how to configure a Linux server as a firewall are discussed in Chapter 12, "Security." Chapter 12 provides the real details of the iptables command. This chapter looks at the one aspect of the iptables command that allows you to translate addresses.

Was this article helpful?

0 0

Post a comment