Network Address Translation
Network Address Translation, aka NAT, is a function which allows privately addressed networks to access publicly addressed namespaces, by using an intermediary publicly addressed gateway as a go-between.
For example, say you have a machine with an IP address of 192.168.0.2. 192.168.0.0-192.168.0.255 is a private subnet, which means that there may be (and in fact are) thousands or hundreds of thousands of machines all using those IP addresses, all over the world. For this reason, you cannot access the internet directly from this IP address - if you tried to, the web (or other type) server you were trying to talk to wouldn't know which of thousands of identically numbered networks to route its response to! So your privately addressed computer needs a gateway to NAT your traffic for you if that traffic is going to leave your private network.
With standard routing, the source address of the packet is untouched - the remote machine actually knows precisely what machine is speaking to it, and routes its answer directly back to that machine. With NAT routing, however, the NAT machine accepts outbound packets, alters their source address to match its public interface and a particular port, and then when the reply comes back to it on that port, it mangles the destination address and port on THAT packet to match the original source port and address on the LAN machine, then forwards it there.
So a NAT-enabled communication from a private network over a fictitious chunk of the internet and back again might look something like this:
192.168.0.100 sends packet out. src: 192.168.0.100:32798 dst: 64.89.70.2:53 ------------------------------------------------------------------------------------- 192.168.0.1 NATs packet, forwards out. src: 24.31.168.192:58998 dst: 64.89.70.2:53 ------------------------------------------------------------------------------------- 24.31.168.16 accepts packet, forwards. src: 24.31.168.192:58998 dst: 64.89.70.2:53 4.22.58.17 accepts packet, forwards. src: 24.31.168.192:58998 dst: 64.89.70.2:53 65.89.99.1 accepts packet, delivers. src: 24.31.168.192:58998 dst: 64.89.70.2:53 ------------------------------------------------------------------------------------- 64.89.70.2 accepts packet, processes. 64.89.70.2 responds with a new packet. src: 64.89.70.2:53 dst: 24.31.168.192:58998 ------------------------------------------------------------------------------------- 65.89.99.1 accepts packet, forwards. src: 64.89.70.2:53 dst: 24.31.168.192:58998 4.22.58.17 accepts packet, forwards. src: 64.89.70.2:53 dst: 24.31.168.192:58998 24.31.168.16 accepts packet, forwards. src: 64.89.70.2:53 dst: 24.31.168.192:58998 ------------------------------------------------------------------------------------- 24.31.168.192 accepts packet, NATs it. src: 64.89.70.2:53 dst: 192.168.0.100:32798 ------------------------------------------------------------------------------------- 192.168.0.100 accepts packet, processes.
What the NAT machine is doing here is creating entries in a table on-the-fly so that it will recognize return traffic as it comes in and know which IP and port on the private side of the LAN to forward that traffic to. So for the duration of the conversation, in the example above, an entry is present in the gateway's NAT table to correlate traffic from 64.89.70.2 port 53, targeted to its own WAN interface (24.31.168.192) port 58998, with the LAN IP and port 192.168.0.100:32798.
Both the biggest strength AND weakness in NAT is that under normal circumstances, traffic only passes through NAT if it is initiated from the private side - so while there can be two-way communication between 192.168.0.100 and 64.89.70.2, it can only happen if the communication is INITIATED by 192.168.100.2.
This limitation can be circumvented to some extent by creating permanent mappings of ports on the WAN side of the gateway with IPs and ports on the private side - for example if you wanted to run a web server on a machine on the inside of the LAN with a private IP address, you could tell the gateway to always NAT-and-forward traffic aimed at port 80 of its WAN to the inside machine's port 80. Many NAT devices (including FreeBSD machines running natd) can also map to different inside ports than the WAN port which received the data; so for instance you could route WAN:8080 to port 80 on one inside machine, and WAN:80 to port 80 on a different inside machine.
see also: natd Firewall, Configuring