Friday, September 5, 2014

Types of NAT and How to determine the NAT Type

I am going to do a couple of posts on NAT (Network Address Translation) to discuss their classification and how to create a NAT on a Linux machine. This post will cover NAT types.

Generally NAT is used to allow private IPs to talk to the Internet. There are certain security aspects to it as well since outsiders cannot directly access the machines inside the NAT (well, not easily at least).


In general there are 4 kinds of NAT. Let us understand them one by one.
  • Full cone NAT: This is also known as one to one NAT. It is basically simple port forwarding where there is a static binding from client ip:port to NAT's ip:port and any one from Internet can write to NAT's ip:port and it will be forwarded to the client. This kind of NAT is used very infrequently. 
  • (Address) Restricted cone NAT: In this scenario, client can only receive packets from the host where it has already sent packets before. For example, if the client from the diagram above sends a packet to server with address 8.8.8.8 then NAT will accept the reply from any port of the server as long as the source IP (8.8.8.8) remains the same.
  • Port Restricted cone NAT: In this scenario, client can only receive packets from the host where it has already sent packets before as long as they come from the same server port. For example, if the client from the diagram above sends a packet to server with address 8.8.8.8 on port 5555 then NAT will only accept reply originating from port 5555 from the server. This NAT is more restricted than Address Restricted NAT.
  • Symmetric NAT: In general all the above NAT types preserve the port. For example if the client is sending a packet from 192.168.0.2:54321 to 8.8.8.8:80, then NAT will usually map 192.168.0.2:54321 to 1.2.3.4:54321 preserving the port number. But in Symmetric NAT a random port is chosen for every new connection.This makes port prediction very difficult and techniques like UDP hole punching fails in this scenario
How do you tell what kind of NAT you are in? I have written a set of scripts to determine that. 


Run server.py on a publicly accessible server and client.py on the client inside the NAT. Make sure that UDP is allowed to public server's 5005 port (or you can change the port in the code).

If you see any bug in the scripts then please let me know in the comments or on the Github

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.