Networking Fundamentals: NAT, iptables, and ARP¶
Network Address Translation (NAT)¶
Overview¶
Network Address Translation (NAT) is a technique that remaps one IP address space to another by modifying network packet headers in transit. At its most basic, it translates an IP address — or an IP/port pair — to a different IP address or IP/port pair. Though originally conceived as a stopgap measure, NAT has become a foundational component of modern networking.
The IPv4 Scarcity Problem¶
IPv4 supports approximately 4.3 billion unique addresses. As internet adoption exploded — driven by computers, smartphones, and connected appliances — it became clear that the address space would be exhausted. NAT was introduced as a practical solution: allow many devices on a private network to share a single public IP address, dramatically reducing the number of public IPs required.
How Devices Communicate¶
Understanding NAT requires understanding how devices communicate both within a local network and across the internet.
Within a Local Network
Devices on the same subnet (e.g., 192.168.1.x) can communicate directly. When a device needs to reach another on the same subnet, it uses the Address Resolution Protocol (ARP) to discover the target's MAC address. The router in this context acts as a switch — it forwards the traffic without modifying any IP headers.
Across the Internet
Private IP ranges (such as 10.x.x.x and 192.168.x.x) are not routable on the public internet. Any packet carrying a private source IP that reaches a public router will be dropped. For a privately addressed device to communicate with the outside world, it needs a publicly routable representation — this is where NAT becomes essential.
The NAT Process¶
When a device on a private network initiates a connection to a public IP address, the following sequence occurs:
- Gateway Identification — The device determines that the destination IP is outside its subnet and routes the packet to its Default Gateway (the router).
- Packet Forwarding — The packet is addressed to the router's MAC address, but the destination IP remains the intended public target.
- Source NAT (SNAT) — The router rewrites the packet's source IP, replacing the private internal address with its own public IP before forwarding the packet to the internet.
- NAT Table Entry — The router creates a stateful record in its NAT table, mapping the internal IP/port combination to the external port used for this connection.
- Response Handling — When the remote server responds, it sends the reply to the router's public IP. The router consults its NAT table, identifies the original internal sender, rewrites the destination IP back to the private address, and delivers the packet to the correct device.
Modern Applications of NAT¶
Even as IPv6 adoption grows — offering a practically unlimited address space — NAT remains relevant for several purposes beyond address conservation.
Port Forwarding
Port forwarding allows an internal service listening on one port to be exposed externally on a different port. A common use case is running a web server on port 8080 (to avoid requiring root privileges) while making it accessible externally on port 80. The router's NAT configuration handles the translation transparently.
Load Balancing with Virtual IPs
NAT is frequently used to implement Virtual IP (VIP) load balancing. A load balancer presents a single VIP to the outside world and uses an internal NAT table to distribute incoming connections across a pool of backend servers, using metrics such as response latency or connection count to select the target.
iptables¶
iptables is the standard Linux utility for configuring the kernel's built-in packet filtering and NAT capabilities. It provides fine-grained control over how packets are handled as they flow through the system.
Core Components¶
iptables is organized around four fundamental concepts:
| Component | Description |
|---|---|
| Tables | High-level categories of rules. The nat table handles address translation; filter handles packet acceptance and rejection. |
| Chains | Ordered lists of rules applied at specific points in a packet's journey; the nat table's chains are PREROUTING, OUTPUT, and POSTROUTING. |
| Matches | Criteria for identifying packets, such as protocol (tcp/udp) or destination port. |
| Targets | Actions taken when a packet matches a rule: REDIRECT, DNAT, SNAT, ACCEPT, DROP. |
The NAT Table and Packet Flow¶
The nat table intercepts packets at three points:
- PREROUTING — Applied immediately as a packet arrives on a network interface, before any routing decisions are made. Used for Destination NAT (changing where a packet goes).
- OUTPUT — Applied to packets generated by local processes before they leave the machine.
- POSTROUTING — Applied just before a packet exits a network interface. Used for Source NAT (changing where a packet appears to come from).
Use Case: Port Redirection on a Local Machine¶
A common requirement is to run a web application on an unprivileged port (above 1024) while accepting traffic on the standard HTTP port 80, which normally requires root-level access.
Solution: Run the application on port 8080 and add a rule in the nat table's PREROUTING chain with the REDIRECT target, rewriting the destination port of incoming port 80 traffic to 8080.
When a packet arrives destined for port 80, the kernel intercepts it in the PREROUTING chain, rewrites the destination port to 8080, and forwards it to the local process. The application receives the connection without ever needing elevated privileges. Connections that originate on the machine itself (for example, a test against localhost) never pass through PREROUTING; to redirect those as well, the same REDIRECT rule must be added to the nat table's OUTPUT chain.
Use Case: Forwarding Traffic to Another Machine¶
Forwarding traffic from a gateway machine to a backend server requires two complementary NAT rules.
Destination NAT (DNAT)¶
DNAT is applied in the PREROUTING chain to redirect incoming packets to a different host and port:
sudo iptables -t nat -A PREROUTING -p tcp -d <Gateway_IP> --dport 80 -j DNAT --to-destination <Target_IP>:8080
Source NAT (SNAT)¶
SNAT is applied in the POSTROUTING chain to rewrite the packet's source IP. Without this step, the backend server would reply directly to the original client, which would reject the response because it expects traffic back from the gateway, not the backend. The trade-off is that the backend now sees every connection as coming from the gateway, so the original client address is only visible in the gateway's own logs or connection-tracking state.
sudo iptables -t nat -A POSTROUTING -p tcp -d <Target_IP> --dport 8080 -j SNAT --to-source <Gateway_IP>
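The translation sequence described under The NAT Process and the DNAT/SNAT pair for the gateway case, worked through in a small Python model (an added example, not code from the original page): a NatGateway applies DNAT at PREROUTING and SNAT at POSTROUTING, keeps a stateful table keyed by the external port it allocated, and reverses both translations on replies. All addresses, ports and the 40000 starting port are constructed; the model ignores protocol, timeouts and port collisions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatGateway:
    """Toy nat table: PREROUTING applies DNAT, POSTROUTING applies SNAT, and a
    stateful table records each connection so replies can be translated back."""
    def __init__(self, public_ip, dnat_rules=None, snat=True):
        self.public_ip = public_ip
        self.dnat_rules = dnat_rules or {}  # (dst_ip, dst_port) -> (new_ip, new_port)
        self.snat = snat
        self.table = {}                     # external port -> (original, translated)
        self.next_port = 40000              # constructed start of the external port pool

    def forward(self, pkt):                 # client-to-server direction
        original = pkt
        rule = self.dnat_rules.get((pkt.dst_ip, pkt.dst_port))
        if rule:                            # PREROUTING: change where the packet goes
            pkt = replace(pkt, dst_ip=rule[0], dst_port=rule[1])
        if self.snat:                       # POSTROUTING: change where it appears to come from
            ext_port, self.next_port = self.next_port, self.next_port + 1
            pkt = replace(pkt, src_ip=self.public_ip, src_port=ext_port)
            self.table[ext_port] = (original, pkt)
        return pkt

    def reply(self, pkt):                   # server-to-client direction; None means dropped
        entry = self.table.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        if entry is None or (pkt.src_ip, pkt.src_port) != (entry[1].dst_ip, entry[1].dst_port):
            return None
        orig = entry[0]                     # undo SNAT on the dst and DNAT on the src at once
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)

def client_accepts(sent, received):
    """A client only accepts a reply whose source is the address it sent to."""
    return (received.src_ip, received.src_port) == (sent.dst_ip, sent.dst_port)
def demo_forwarding(snat):
    """Gateway 203.0.113.1:80 forwarded to backend 10.0.0.5:8080 (constructed addresses)."""
    gw = NatGateway("203.0.113.1", {("203.0.113.1", 80): ("10.0.0.5", 8080)}, snat=snat)
    sent = Packet("198.51.100.7", 51000, "203.0.113.1", 80)
    at_backend = gw.forward(sent)
    # The backend answers the source it saw; without SNAT that is the client itself, so the
    # reply bypasses the gateway and carries the backend's address as its source.
    backend_reply = Packet(at_backend.dst_ip, at_backend.dst_port, at_backend.src_ip, at_backend.src_port)
    at_client = gw.reply(backend_reply) if snat else backend_reply
    return client_accepts(sent, at_client)
```

demo_forwarding(False) returns False (the client rejects the backend's direct reply) and demo_forwarding(True) returns True, which is the reason the SNAT rule above is required alongside the DNAT rule.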
Enabling IP Forwarding¶
For cross-machine packet forwarding to function, the Linux kernel must have IP forwarding enabled. Without it, the kernel will not route packets between network interfaces.
Enable it persistently by setting net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then apply the change immediately, without rebooting, by running sudo sysctl -p.
Essential Commands¶
# List all rules in the nat table
sudo iptables -t nat -L
# Flush (clear) all rules in the nat table
sudo iptables -t nat -F
Address Resolution Protocol (ARP)¶
Overview¶
The Address Resolution Protocol (ARP) resolves a known IP address to its corresponding MAC (Media Access Control) address. It operates at Layer 2 of the OSI model and is a prerequisite for IPv4 communication on any Ethernet or Wi-Fi network (IPv6 replaces it with Neighbor Discovery).
Why ARP Is Necessary¶
Applications and operating systems identify remote hosts by IP address (or domain name, resolved via DNS). However, physical network hardware — Ethernet cards, switches, wireless access points — forwards frames using MAC addresses, not IP addresses.
Every outgoing network frame must include both a source and destination MAC address. Since systems rarely know the MAC address of a remote host in advance, ARP provides a mechanism to discover it. Because ARP uses broadcast messages (which consume network bandwidth), discovered mappings are cached locally in an ARP table to minimize repeated lookups.
Frame Structure¶
A packet traveling across a network is wrapped in a header at each layer:
| Layer | Contents |
|---|---|
| Layer 7 (Application) | HTTP, DNS, and other application data |
| Layer 4 (Transport) | Source and destination ports |
| Layer 3 (Network) | Source and destination IP addresses |
| Layer 2 (Data Link) | Source and destination MAC addresses |
ARP is responsible for populating the Layer 2 MAC address fields.
The ARP Lookup Process¶
- Broadcast Request — The source machine sends a broadcast frame to the entire local network: "Who has IP address X? Reply to IP address Y."
- Unicast Reply — The machine assigned that IP address responds directly with its MAC address.
- Cache Update — The source machine records the IP-to-MAC mapping in its ARP table, avoiding future broadcasts for the same host.
ARP table entries are time-limited and expire after a configured duration (typically a few minutes), after which the lookup is repeated if needed.
ARP and the Default Gateway¶
ARP only operates within a single subnet. When a machine needs to reach an IP address outside its local network, it cannot ARP for the remote host directly. Instead, it ARPs for the MAC address of its Default Gateway (the local router) and sends the frame there. The router then takes responsibility for forwarding the packet toward its destination through higher-level routing.
Security Risk: ARP Poisoning¶
ARP was designed without authentication. Machines accept ARP replies regardless of whether they issued a corresponding request — a fundamental trust assumption that opens the door to abuse.
ARP Poisoning (ARP Spoofing) exploits this by allowing an attacker to send unsolicited ARP replies, falsely announcing that their machine's MAC address corresponds to the router's IP. Other hosts update their ARP tables with this fraudulent mapping and begin sending all traffic — including traffic intended for the gateway — to the attacker's machine.
Consequences:
- Man-in-the-Middle (MITM) attacks — The attacker intercepts all traffic between hosts and the gateway, with the ability to read, modify, or drop packets.
- Network sniffing — Tools like Wireshark can capture and inspect unencrypted traffic in real time.
Defense:
The most effective countermeasure is end-to-end encryption. Using HTTPS (TLS) ensures that even if an attacker successfully intercepts frames via ARP poisoning, the payload remains encrypted and unreadable, and the client's certificate check exposes any attempt to impersonate the server. Network-level defenses such as Dynamic ARP Inspection (DAI) on managed switches can also detect and block malicious ARP traffic.
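An added example (not code from the original page) of what a defender can watch for on the wire: it decodes raw Ethernet/IPv4 ARP payloads and flags the two symptoms of the poisoning described above, a reply that answers no outstanding request and a reply that changes the MAC recorded for an IP, with the gateway's IP called out specifically. The MAC and IP addresses are constructed, and the "rogue" frame is sample input built only to exercise the detector.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2

def build_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used here only to construct sample frames)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), IPv4Address(spa).packed,
                       mac(tha), IPv4Address(tpa).packed)

def parse_arp(payload):
    """Decode the ARP header; rejects anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"oper": oper, "sha": mac(sha), "spa": str(IPv4Address(spa)),
            "tha": mac(tha), "tpa": str(IPv4Address(tpa))}

class ArpMonitor:
    """Flags replies nobody asked for and IPs (above all the gateway's) whose MAC changes."""
    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.table = {}        # ip -> first MAC seen for it (treated as the trusted mapping)
        self.pending = set()   # (asking ip, asked-for ip) requests still awaiting a reply

    def observe(self, payload):
        p, alerts = parse_arp(payload), []
        if p["oper"] == REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
            return alerts
        if (p["tpa"], p["spa"]) in self.pending:
            self.pending.discard((p["tpa"], p["spa"]))
        else:
            alerts.append(f"unsolicited reply: {p['spa']} is-at {p['sha']}")
        known = self.table.setdefault(p["spa"], p["sha"])
        if known != p["sha"]:
            who = "gateway " if p["spa"] == self.gateway_ip else ""
            alerts.append(f"{who}MAC changed for {p['spa']}: {known} -> {p['sha']}")
        return alerts

def demo():
    """Constructed capture: a host asks for the gateway, the gateway answers, then a
    third MAC claims the gateway's IP without being asked."""
    host, gw, rogue = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:ff"
    frames = [build_arp(REQUEST, host, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
              build_arp(REPLY, gw, "192.168.1.1", host, "192.168.1.10"),
              build_arp(REPLY, rogue, "192.168.1.1", host, "192.168.1.10")]
    mon = ArpMonitor("192.168.1.1")
    return [alert for f in frames for alert in mon.observe(f)]
```

Gratuitous ARP (a host announcing its own address after a change) is legitimate yet unsolicited, so in practice the first alert type needs an allow-list, and the "first MAC seen" trust model is only sound if monitoring starts before the network is poisoned; DAI on a managed switch avoids both problems by validating against DHCP snooping state.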