Everything you didn’t know about NAT

As programmers, we all know that IPv4 addresses ran out a long time ago, and that a technology then appeared which lets many intranet users share the same external IP address: Network Address Translation, or NAT.

The way it works is fairly simple. Suppose the intranet address assigned to you is 10.9.8.11 and the public address is 169.5.6.1. Your intranet address cannot talk to the external network directly, because there are other intranets elsewhere, and somewhere one of them has a machine with exactly your address, 10.9.8.11.

When you want to establish a TCP connection (that is, reach the external network) and your TCP port number is 80, the packet is sent to the router (routers usually have NAT built in). NAT uses a table to record your internal address, 10.9.8.11, and the port number, 80. It then assigns you a random port number such as 467, translates your address to the public 169.5.6.1:467, and establishes the link with the target address you want to reach.

Now that you can send packets, how does NAT determine which intranet machine to send the reply back to?


NAT assigned you the port number 467, so when an external host sends to port 467, NAT looks up the recorded table, finds the corresponding intranet entry 10.9.8.11:80, and forwards the packet back.

Since this is recorded in a table, we naturally have to make sure the table never fills up. Port numbers are limited to the range 0 to 65535, and as programmers we all think of removing links that have not been used for a long time. Yes, once a record in the NAT table has been inactive for a long time, with no packets sent (usually 5-30 minutes; you can set it yourself), the record is deleted.

But this raises a question: what if my program is like QQ and needs long-lived connections? When NAT discards an inactive link, it notifies neither the intranet side nor the extranet side, which means the link cannot be rebuilt.

The most sensible approach, of course, is to implement your own heartbeat packets: every so often the program sends a small packet to the other side and the other side sends one back, which not only keeps the NAT entry alive but also checks whether the service has been interrupted by some unknown error. Instead of implementing heartbeat packets yourself, you can use the TCP keepalive provided by the Linux kernel. Once this feature is enabled, the system sends a probe packet after the specified time (2 hours by default).

# cat /proc/sys/net/ipv4/tcp_keepalive_time
7200
# cat /proc/sys/net/ipv4/tcp_keepalive_intvl
75
# cat /proc/sys/net/ipv4/tcp_keepalive_probes
9
  • tcp_keepalive_time: if no data is transmitted within this period, a probe packet is sent.
  • tcp_keepalive_intvl: interval between probe packets.
  • tcp_keepalive_probes: number of probe attempts. If no response is received after this many probes, the connection is considered dead and closed.

Of course, the default of 2 hours is not enough: after 2 hours with no data traffic, NAT has long since kicked out your link. A more reasonable setting is 15-30 minutes.
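The /proc values above are system-wide defaults; a program that needs long-lived connections can override them per socket. The following is an added example, not code from the article, showing how to do that with the Linux socket options (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT) and how to work out the worst-case detection time; the idle value of 900 seconds is a constructed choice inside the article's 15-30 minute recommendation.

```python
import socket

# Added example (not from the article): enable kernel TCP keepalive on one
# socket and override the three /proc defaults for that socket only.
# Option names are the Linux ones (TCP_KEEPIDLE / TCP_KEEPINTVL / TCP_KEEPCNT).


def enable_tcp_keepalive(sock, idle_s=900, interval_s=60, probes=5):
    """Turn on SO_KEEPALIVE and set per-socket probe timing.

    idle_s     -> tcp_keepalive_time   (silence before the first probe)
    interval_s -> tcp_keepalive_intvl  (gap between unanswered probes)
    probes     -> tcp_keepalive_probes (unanswered probes before the kernel
                  declares the connection dead and fails reads/writes)
    Returns what the kernel reports back for the socket, so callers can
    verify that the override took effect.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle_s)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return {
        "keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0,
        "idle": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "interval": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "probes": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


def probe_settings(idle_s=900, interval_s=60, probes=5):
    """Open a throwaway TCP socket, apply the settings, return the read-back values."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return enable_tcp_keepalive(s, idle_s, interval_s, probes)


def worst_case_detect_seconds(idle_s, interval_s, probes):
    """Longest a dead peer can go unnoticed: idle + interval * probes."""
    return idle_s + interval_s * probes


def keeps_nat_entry_alive(idle_s, nat_timeout_s):
    """True if the first probe goes out before the NAT entry can expire.

    The idle period must be shorter than the NAT table's inactivity timeout
    (5-30 minutes in the article); otherwise the probe itself arrives too late.
    """
    return idle_s < nat_timeout_s


if __name__ == "__main__":
    print(probe_settings(idle_s=900, interval_s=60, probes=5))
    # With the kernel defaults shown above: 7200 + 75 * 9 seconds.
    print(worst_case_detect_seconds(7200, 75, 9))
```

Setting the options on the socket rather than in /proc means only the connections that need it pay for the extra probes, and the setting travels with the program instead of depending on the host's sysctl configuration.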


iptables

Did you know that Linux itself can do NAT?

How does Docker access the external network? All containers in Docker sit on an intranet, 10.xx.xx.xx. How does the host communicate with that intranet?

Yes, the answer is also NAT.

Linux already provides iptables for NAT. A packet forwarded through the host follows this path:

  1. It goes through the PREROUTING chain of the nat table.
  2. Routing decides whether the packet is destined for this machine; if not, it continues to the next step.
  3. It then passes through the FORWARD chain of the filter table.
  4. Finally it passes through the POSTROUTING chain of the nat table and leaves.

PREROUTING changes the destination IP address, and the POSTROUTING chain changes the source IP address. For NAT from the intranet to the Internet, it is generally the source IP address (that is, the internal IP address) that is changed, which is called Source NAT (SNAT).
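To tie the mapping table from the first half of the article (address plus port recorded, reply matched on the assigned port, row silently expired after a period of inactivity) to the chain order described here, the following is an added toy model, written for this page and not the kernel's conntrack or any Docker code. Outbound packets are rewritten in a `postrouting` step (SNAT) and replies matched back in a `prerouting` step; the addresses 10.9.8.11:80, 169.5.6.1 and port 467 are the article's, while 203.0.113.5 is a constructed remote address and the 300-second timeout a constructed value within the article's 5-30 minute range.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Toy model of the NAT table described in the article (constructed; not
    the kernel's conntrack). Outbound packets are rewritten in a POSTROUTING
    step (SNAT), replies are matched and rewritten back in a PREROUTING step,
    and entries with no traffic for `timeout_s` seconds are dropped silently,
    which is what severs a long-lived connection that sends no keepalives.
    Simplification: the mapping is keyed by internal (ip, port) only, so one
    internal socket always maps to one external port regardless of destination.
    """

    def __init__(self, public_ip, timeout_s=300, first_port=1024):
        self.public_ip = public_ip
        self.timeout_s = timeout_s
        self.next_port = first_port
        # external port -> [internal ip, internal port, last_seen]
        self.table = {}

    def _expire(self, now):
        # The article's point: expiry removes the row and tells nobody.
        stale = [p for p, e in self.table.items() if now - e[2] > self.timeout_s]
        for ext_port in stale:
            del self.table[ext_port]

    def _lookup_or_allocate(self, src_ip, src_port, now):
        for ext_port, entry in self.table.items():
            if (entry[0], entry[1]) == (src_ip, src_port):
                entry[2] = now  # refresh the idle timer
                return ext_port
        if self.next_port > 65535:  # ports are finite, hence the need for expiry
            raise RuntimeError("NAT table full")
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = [src_ip, src_port, now]
        return ext_port

    def postrouting(self, pkt, now):
        """Outbound: SNAT the private source to public_ip:<allocated port>."""
        self._expire(now)
        ext_port = self._lookup_or_allocate(pkt.src_ip, pkt.src_port, now)
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def prerouting(self, pkt, now):
        """Inbound: rewrite a reply sent to public_ip:<port> back to the owner
        of that port. Returns None when no entry exists, i.e. packet dropped."""
        self._expire(now)
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None
        entry[2] = now
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])


def demo():
    """Walk the article's example: 10.9.8.11:80 goes out as 169.5.6.1:467, a
    prompt reply is delivered, and a reply after the idle timeout is dropped."""
    nat = SourceNat("169.5.6.1", timeout_s=300, first_port=467)
    out = nat.postrouting(Packet("10.9.8.11", 80, "203.0.113.5", 443), now=0)
    reply = Packet("203.0.113.5", 443, out.src_ip, out.src_port)
    delivered = nat.prerouting(reply, now=10)      # within timeout: forwarded
    dropped = nat.prerouting(reply, now=10 + 301)  # idle > 300 s: entry gone
    return out, delivered, dropped


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running `demo()` shows the full life cycle in one place: the allocated public port, the reply rewritten back to the intranet host, and `None` for the reply that arrives after the row expired, which is exactly the silent failure that heartbeats or TCP keepalive are meant to prevent.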