NAT (Network Address Translation) rewrites the source/destination IP address of packets as they cross a router (the border). The reason your many home devices all have similar 192.168.x.x numbers yet appear as a single public IP from the outside is NAT. In particular PAT (NAPT / IP masquerade), which juggles port numbers to achieve "many : 1", runs on almost every home and office router today. This article covers why NAT exists, its flavors, the translation table, port forwarding, the side effects it causes, and why "NAT is not a firewall."
## What NAT is — rewriting addresses at the border
NAT is the translator standing at the boundary between the private world (your LAN) and the public world (the Internet). It swaps the source IP of outbound packets to a public IP, and swaps replies back to the original host.
Think of an office phone switchboard. Inside there are many extensions (private IPs), but the outside sees one main number (the public IP). When you dial out, the other party sees the main number; incoming calls are routed by the operator (the router) to the right extension. The operator tracks "which extension is talking to whom right now" in a ledger — that ledger is the NAT translation table.
## Why it was born — IPv4 exhaustion and private addresses
IPv4 has only about 4.3 billion addresses, and exhaustion was visible early on. So "inside-only numbers" — private addresses (RFC 1918) — were defined, and the NAT approach of translating to a public IP only when talking outside took hold.
| Range | CIDR | Typical use |
|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | Large enterprise |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | Mid-size / Docker, etc. |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | Home / small office |
These addresses are not routed on the Internet, so talking to the outside always requires NAT (or IPv6).
## Three flavors — Static / Dynamic / PAT
| Type | Mapping | Use |
|---|---|---|
| Static NAT | 1 : 1 fixed | Give a public server the same public IP every time |
| Dynamic NAT | many : many (pool) | Lend out free public IPs from a pool |
| PAT / NAPT | many : 1 (+ ports) | The home/office default. One public IP shared by all hosts |
When people say "NAT", they almost always mean PAT — called MASQUERADE on Linux and "IP masquerade" on home routers.
## How PAT works — ports collapse many into one
How do you achieve "many : 1"? With port numbers. The router records the mapping of "inside IP:port" to "public IP:rewritten port" in a translation table, then reverse-looks-up returning packets to send them to the right host.
1. Outbound: 192.168.1.10:51000 -> dst 93.184.216.34:443. The router rewrites the source to public IP:new port 203.0.113.5:40001 and records the mapping.
2. Reply: the server answers to 203.0.113.5:40001. The router reverse-looks-up the table and restores the destination to 192.168.1.10:51000 for the LAN.
3. A second inside host's connection gets its own public port, e.g. 40002. Because hosts are told apart by port, hundreds can ride on one public IP.

## Port forwarding — reaching an inside server from outside
PAT assumes "inside -> outside" traffic. The table is only created by an outbound request, so nobody can come in from outside on their own. To host a game server or website at home, you carve a path manually — that is port forwarding (DNAT / static port mapping).
```shell
# Forward incoming 203.0.113.5:8080 to 192.168.1.50:80
#   WAN 203.0.113.5:8080 ──▶ LAN 192.168.1.50:80

# On a Linux router, the same via iptables DNAT (one command, continued with "\")
iptables -t nat -A PREROUTING -p tcp --dport 8080 \
    -j DNAT --to-destination 192.168.1.50:80
# DNAT only rewrites the destination. If the FORWARD chain's policy is DROP,
# the forwarded flow must also be accepted there, or it goes nowhere.
```
Port forwarding means "opening a hole directly to the Internet". Carelessly forwarding an old router admin page, RDP (3389), SMB (445), or an unauthenticated IoT device gets it scanned and breached fast. Automatic hole-punching via UPnP is a classic malware abuse vector too. Expose the minimum, require authentication, and keep it patched.
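The translation-table walkthrough above and the port-forwarding path, played out in code. This is an added example, not the article's own code: a toy PAT router that keeps the table in both directions, reverse-looks-up replies, drops unsolicited inbound packets, honours a static DNAT forward, and translates any outbound flow without inspecting it (the reason the later section says NAT is not a firewall). The second inside host 192.168.1.11 and the outside host 198.51.100.7 are constructed for the example; the other addresses and ports are the article's.

```python
# Added example (not the article's own code): a toy PAT/NAPT translator with a
# translation table, reverse lookup for replies, and a static DNAT port forward.
# Addresses/ports are constructed; 198.51.100.7 stands in for "some outside host".
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


class PatRouter:
    """Many:1 NAT: every inside flow gets its own public port on one public IP."""

    def __init__(self, public_ip: str, first_port: int = 40001) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # Translation table, kept in both directions:
        #   outbound key (proto, inside src, outside dst) -> public port
        #   inbound  key (proto, public port) -> (inside src, outside dst)
        self.out_table: Dict[Tuple[str, Endpoint, Endpoint], int] = {}
        self.in_table: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = {}
        # Static port forwards (DNAT): (proto, public port) -> inside endpoint
        self.forwards: Dict[Tuple[str, int], Endpoint] = {}

    def add_forward(self, proto: str, public_port: int, inside: Endpoint) -> None:
        """Port forwarding: a hole carved by hand, present without any outbound flow."""
        self.forwards[(proto, public_port)] = inside

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source, creating the table entry if new.
        Nothing here inspects the destination: NAT translates, it does not filter."""
        key = (pkt.proto, pkt.src, pkt.dst)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(pkt.proto, port)] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: reverse-lookup the table, else try a static forward.
        Returns None when the packet is dropped (no entry and no forward)."""
        if pkt.dst[0] != self.public_ip:
            return None
        entry = self.in_table.get((pkt.proto, pkt.dst[1]))
        if entry is not None:
            inside_src, outside_dst = entry
            # This toy only lets the peer the inside host contacted use the entry
            # (endpoint-dependent filtering); real routers vary in how strict they are.
            if pkt.src != outside_dst:
                return None
            return Packet(pkt.src, inside_src, pkt.proto)
        fwd = self.forwards.get((pkt.proto, pkt.dst[1]))
        if fwd is not None:
            return Packet(pkt.src, fwd, pkt.proto)
        return None


def walkthrough() -> Dict[str, Optional[Packet]]:
    """Replays the article's flow: two inside hosts, a reply, an unsolicited probe,
    a forwarded port, and an outbound connection that NAT waves through."""
    router = PatRouter("203.0.113.5")
    router.add_forward("tcp", 8080, ("192.168.1.50", 80))
    results: Dict[str, Optional[Packet]] = {}
    # 1. Two inside hosts talk to the same web server; each gets its own public port.
    results["host_a"] = router.translate_outbound(Packet(("192.168.1.10", 51000), ("93.184.216.34", 443)))
    results["host_b"] = router.translate_outbound(Packet(("192.168.1.11", 51000), ("93.184.216.34", 443)))
    # 2. The server's reply to port 40001 is restored to host A.
    results["reply_a"] = router.translate_inbound(Packet(("93.184.216.34", 443), ("203.0.113.5", 40001)))
    # 3. An unsolicited probe from outside finds no table entry and is dropped.
    results["probe"] = router.translate_inbound(Packet(("198.51.100.7", 35000), ("203.0.113.5", 40003)))
    # 4. The same outside host reaching the forwarded port is sent to the inside server.
    results["forwarded"] = router.translate_inbound(Packet(("198.51.100.7", 35000), ("203.0.113.5", 8080)))
    # 5. An inside host connecting out to that host is translated like any other flow:
    #    NAT offers no control over inside -> outside traffic.
    results["outbound_any"] = router.translate_outbound(Packet(("192.168.1.10", 51001), ("198.51.100.7", 35000)))
    return results


if __name__ == "__main__":
    for name, pkt in walkthrough().items():
        print(f"{name:13} {pkt if pkt else 'DROPPED'}")
```

Step 3 is the "side effect" the article describes: the probe is dropped only because no entry exists, not because anything decided it should be. Step 5 is the flip side: the outbound flow in the other direction gets port 40003 and passes, which is exactly where a stateful firewall, not NAT, has to do the work.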
## What NAT breaks — the cost of losing end-to-end
NAT is convenient, but it breaks the Internet's original assumption that "every host can reach every other host." Hence the side effects below.
- You can't initiate from outside — P2P, online matches, and home servers don't connect cleanly.
- VoIP / video calls — when both sides are behind NAT they can't connect directly, so STUN (learn your own public address) / TURN (relay through a server) / ICE punch holes.
- CGNAT (Carrier-Grade NAT) — as IPv4 exhaustion deepens, ISPs stack yet another NAT. Users may not even have a public IP and can't open ports.
- IPv6 is the real fix — with its vast address space, NAT is generally unnecessary and end-to-end returns.
## Security meaning — "NAT is not a firewall"
Because PAT has the side effect of "you can't come in from outside," people mistake NAT for a defense. But NAT's purpose is address translation, not filtering.
| Capability | NAT (PAT) | Firewall |
|---|---|---|
| Block unsolicited outside -> inside | Mostly blocked as a side effect | Explicitly controlled |
| Control inside -> outside traffic | Passes through | Controlled by policy |
| Stop malware's outbound C2 | Doesn't stop it | Can stop it |
Malware's C2 traffic (inside -> outside) sails right through NAT. Put a proper stateful firewall at the border and treat NAT purely as the address-translation role.
## Summary — five things to remember
- NAT rewrites IP addresses at the router. It was born because of IPv4 exhaustion.
- The default is PAT (NAPT / IP masquerade). Port numbers let many hosts share one public IP.
- Replies return to the right host via a reverse lookup of the translation table.
- Outside -> inside fails because there's no table entry. To publish, use port forwarding (DNAT) (which adds attack surface).
- NAT is not a firewall. Inside -> outside passes through; put a real firewall at the border.