Introduction to NAT
NAT stands for “Network Address Translation” and is not the same as a “Gnat,” which our readers from the Southern United States identify as a small winged insect that can wreak havoc on your picnic! Although NAT can be as irritating as a Gnat when configuring technology such as Video Conferencing, it is not the same spelling. The primary reason we have NAT is due to a lack of IPv4 IP address space to handle the massive number of devices we use every day.
An IPv4 address is 32 bits in size and contains 4,294,967,296 addresses. That sounds like a lot, but when you consider every server, computer, phone, smartwatch, electronic door lock, smart light bulb, etc., the number starts to sound a little smaller. If every one of these devices required a public IP address, we would have been out of IP addresses long ago! In fact, there are 2 BILLION (2,000,000,000) smartphones in existence alone! (http://thehub.smsglobal.com/smartphone-ownership-usage-and-penetration). So, how can an organization with thousands of servers give each one access to the internet without assigning public IP addresses? The answer is NAT!
How NAT works
Public vs. Private IP addresses
Private IP Addresses
Defined by “RFC 1918” as “non-routable” to the internet. This means that if a device is assigned one of these IP addresses, information from the internet cannot reach this device without a NAT in place. These addresses are as follows:
i. Class A: 10.0.0.0 – 10.255.255.255 (16,777,216 IP addresses)
ii. Class B: 172.16.0.0 – 172.31.255.255 (1,048,576 IP addresses)
iii. Class C: 192.168.0.0 – 192.168.255.255 (65,536 IP addresses)
Although the “class system” above can assist in choosing a proper range for your network, it is by no means a rule. If you want to create a network with 2 devices, you can use a Class A address and your boss probably won’t bat an eye, just make sure it has the proper “subnet mask” that doesn’t allocate too many addresses. (Subnet masks are a topic for another lesson.)
Public IP addresses
Public addresses are addresses that fall into any range not within the private IP guidelines. These are assigned by your ISP, who may have purchased their IP address blocks from one of the Regional Internet Registries. These registries are nearly out of IPv4 addresses, however, so many companies that need new IPv4 address blocks must purchase them from companies willing to sell ones they have already purchased.
Ports and sockets
A “port” is a number between 0 and 65535. There are 1024 “well-known” port numbers that represent frequently used services, such as SSH (22) and HTTP (80).
A “Socket” is the IP address and the port together. For example, 192.168.1.1:22 is the SSH socket for the computer with IP address 192.168.1.1.
You may be asking, “What do these things have to do with NAT?” Well I’ll tell you! NAT has 3 primary methods of operation:
1. Static: Static NAT is 1 private IP = 1 public IP. If your company has purchased 5 public IPs and has 5 servers with private IPs, it will “map” each private IP to a public IP. Some organizations will assign the public IP directly to the server, but NATting lets you swap servers more easily and seamlessly, without the downtime required to remove the IP from one server and add it to another.
2. Dynamic: Dynamic NAT uses a pool of public IP addresses and maps them to private addresses on demand, typically first come, first served. If you have 5 servers with private IP addresses and 5 public IP addresses, the NAT gateway will assign public addresses to private addresses as each server needs one. So if the server with 192.168.1.1 tries to reach the internet, it receives a public IP address from the pool at that moment. When the server is finished communicating, the address returns to the pool for another server to use.
3. Port Address Translation (Overloading): Port Address Translation is where the ports and sockets come into play. In “PAT,” each device with a private address connects through a distinct port on the shared public address. So, one server may have its private IP address 192.168.1.1 mapped to socket 220.127.116.11:62838 and another with private IP address 192.168.1.2 mapped to 18.104.22.168:34839. Both have the same public IP address, but are using different ports. For incoming traffic, “Port Forwarding” is used: the NAT Gateway (typically your router) sees an incoming request for a service, such as SSH, and forwards the connection to the private socket configured for that port. If you have a server at 192.168.1.1 and you want to access it via SSH, you can forward port 22 to 192.168.1.1, and all requests to port 22 on your public IP address will be forwarded to that server.
Static NAT: An example of static NAT would be if someone named Tony Stark had a public phone number (Public IP address) and a private extension (Private IP address). If Steve Rogers called Tony at that public phone number, he would reach Tony without ever knowing Tony’s private extension. If Tony were to quit or get fired, another person could move into Tony’s desk and use their private extension. If Steve called that number back, he would be connected to Tony’s replacement.
Dynamic NAT: An example of Dynamic NAT would be if Tony and 4 other board members all had private phone numbers (Private IPs). Stark Industries has 5 public phone numbers (Public IPs). When any board member makes an outbound call, they are routed to whichever public line is open at the time. So the caller ID on the receiver’s end could show any one of the 5 public phone numbers (Public IP addresses) depending on which one was given to the caller.
Port Address Translation: Let’s say you need to “forward” a port to allow you to access a server from the outside world on port 22. In a static or dynamic NAT environment, this is not necessary; you just map the private IP address to the public IP address. But what if you only have one address? This is where port forwarding comes into play. Let’s use a phone operator example.
Let’s say Steve Rogers is trying to call Tony Stark. Steve Rogers only knows Tony Stark’s executive admin (Pepper Potts’) number, but does not have Tony’s private line. Pepper Potts’ number is the public IP address. Steve calls Pepper Potts who then connects Steve to Tony Stark. The caveat here is that the operator never gives Steve Tony’s phone number. In fact, Tony doesn’t have a public phone number and can ONLY be called by Pepper. This is the important aspect of NAT; it can provide an extra layer of security by only allowing necessary ports to be accessed without allowing anyone to connect to any port.
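To make the PAT and port-forwarding behaviour above concrete, here is a small simulated gateway (an added example, not code from the original article). It assumes a constructed public address 203.0.113.10 and remote host 198.51.100.5 from the documentation ranges; the private hosts are the article's 192.168.1.x servers. It shows two private sockets sharing one public IP on different ports, a reply being translated back, and an unsolicited inbound connection being dropped unless a port forward exists.

```python
"""Simulated PAT gateway with port forwarding (added illustration, not the
article's code). Addresses are constructed documentation-range values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    """One public IP shared by every private host, distinguished by port."""

    def __init__(self, public_ip="203.0.113.10", first_port=49152):
        self.public_ip = public_ip
        self.next_port = first_port   # hand out ports from the ephemeral range
        self.table = {}               # public port -> (private ip, private port)
        self.reverse = {}             # (private ip, private port) -> public port
        self.forwards = {}            # port forwarding: public port -> private socket

    def forward_port(self, public_port, private_ip, private_port):
        """Expose one private socket on a fixed public port (e.g. 22 -> SSH server)."""
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, pkt):
        """Private -> internet: rewrite the source socket to public_ip:<unique port>."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            while self.next_port in self.forwards:   # never hand out a forwarded port
                self.next_port += 1
            if self.next_port > 65535:
                raise RuntimeError("PAT port pool exhausted")
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> private: only replies to an existing mapping or explicitly
        forwarded ports are rewritten; anything else is dropped (returns None).
        Simplification: mappings are keyed on the public port alone."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.table.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, *target)
```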
AWS NAT LAB!
We will run through an example in this guide, but check out the Linux Academy Lab for creating a NAT instance and NAT Gateway in AWS and try it for yourself.
We are going to create an AWS NAT gateway with just a few steps! This will allow your private EC2 instances to access the internet for things such as serving traffic or downloading updates. I am going to skip straight to the NAT configuration section. If you are unfamiliar with EC2 setup, please check out our AWS courses to get up to speed! There are also handy NAT tutorials within those as well!
1. First, we are going to access our VPC Dashboard and select “NAT Gateways”:
2. Next, we will select “Create NAT Gateway.”
3. Now we are going to select a *PUBLIC* subnet. This is the subnet that will allow traffic to access the NAT Gateway. After the NAT Gateway receives the traffic, it will process the traffic and send it to the instances accordingly. We then need an Elastic IP for the NAT Gateway. If you haven’t already created one, click “Create New EIP” to have one created for you. Finally, we click “Create a NAT Gateway.”
4. After we create our NAT Gateway, we need to edit the route tables to allow traffic to access the gateway.
5. Once you are on the Route Tables screen, select the default route table created in your VPC. If you have created a custom one, use that. In this example, I have created a new route table called “test public.” Edit this route table and select “Add another route.” Enter “0.0.0.0/0” as the Destination, your NAT Gateway ID as the Target (yours will have a different ID than mine, but will begin with “nat-“) and click “Save.”
6. Now, we create a security group to ensure traffic is allowed to our NAT Gateway. Select “Security Groups” on the left side, select “Create Security Group,” give it a descriptive Name tag such as “NAT_SG,” a Group name of the same, a Description, and select the proper VPC. Then, select “Yes, Create.”
7. Finally, we add the appropriate “Inbound Rules.” Outbound rules are set to “Allow All” by default. If you wish to change this, you can do so using the same technique as for the inbound rules. Select your “NAT_SG” security group, click on the “Inbound Rules” tab, and click “Add another rule.” In this example, we are going to allow HTTP traffic to this instance. We select “HTTP (80),” which automatically selects the TCP (6) protocol and a “Port Range” of 80. After this, we select the Source: the security group of the instances in your private subnet that require access. In this case, the security group is “sg-1eb4f463.” You can also use the private subnet’s CIDR range as the source, if you wish. This will allow the private instances to access the NAT, which has a route to the outside world, allowing your instances to access the internet!
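Once the console steps are done, it is worth checking the two settings that matter most, the 0.0.0.0/0 route from step 5 and the inbound source from step 7, against what the API reports. The checker below is an added example, not code from the article or from AWS; the dictionaries are constructed to mimic the JSON shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`, and every ID and CIDR in them is a placeholder.

```python
"""Audit the default route (step 5) and NAT_SG inbound rules (step 7).
Added example; sample dicts are constructed and IDs/CIDRs are placeholders."""


def nat_default_route(route_table):
    """Return the NAT gateway ID behind 0.0.0.0/0, or None if absent or not active."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            nat_id = route.get("NatGatewayId", "")
            if nat_id.startswith("nat-") and route.get("State") == "active":
                return nat_id
    return None


def internet_open_rules(security_group):
    """Inbound rules whose source is the whole internet instead of the private
    subnet CIDR or instance security group the article uses as the Source."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        label = f"{perm.get('IpProtocol')} {perm.get('FromPort')}-{perm.get('ToPort')}"
        open_v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        open_v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
        if open_v4 or open_v6:
            findings.append(label)
    return findings


# Constructed sample API output: a correct route table and an SG with one bad rule.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0000000000000001",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000000000000001",
         "State": "active"},
    ],
}
SAMPLE_NAT_SG = {
    "GroupName": "NAT_SG",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},   # private subnet
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},     # too broad
    ],
}

if __name__ == "__main__":
    print("default route via:", nat_default_route(SAMPLE_ROUTE_TABLE))
    print("rules open to the internet:", internet_open_rules(SAMPLE_NAT_SG))
```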
Great! You have created your first NAT! Now that you have created it, you can access instances in your private subnets and update them, download packages, and serve websites using HTTP!
This is a very brief overview of NAT creation in AWS. Once again, please check out the NAT lessons and labs in our AWS training courses.