From Telecomix Crypto Munitions Bureau
Network Address Translation (NAT) is a technique that fucked up the internets back in May 1994 (RFC 1631). Before that, every computer on the internets had its own IP address; after it, computers began to share IP addresses. The reason is that there are not enough IPv4 addresses for everyone to have their own.
IPv6 was designed without NAT: every computer is expected to have its own publicly reachable IP address(es). NATing can still be useful when you want to reach networks that are not reachable through the internets (such as the onioncat addresses), but that creates other kinds of problems.
 How does NAT work?
The typical scenario is that a router sits at the edge of a network. The router has one public IP address, and all the computers within the network typically have addresses within 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8 (those are RFC 1918 addresses, reserved for LANs and never routed on the internets).
Every time one of the computers within the LAN tries to connect to something outside the LAN, it connects as usual and does not care whether there is a router between them or not. The router, however, replaces the unroutable RFC 1918 source address of the computer with its own public IP address, without telling the computer inside the network about it. When the server that the LAN computer connected to replies, it replies to the router's external IP address, not to the address of the computer inside the LAN. When the reply packets arrive at the router, the router remembers who originally sent the request to that server and forwards the packets to that computer instead.
This means that, from the outside, the entire network looks like one single computer.
It also means that servers inside the LAN are not reachable from anywhere on the intertubes unless you poke a hole in your router (a port forward).
 Symmetric / asymmetric NAT?
There are multiple types of NAT (full cone, restricted cone, port-restricted cone and symmetric, in the RFC 3489 terminology). Wikipedia has an article about it, ofc. It is generally rather difficult to figure out which type you have, and for ordinary outbound connections it does not really matter. It does matter when two computers that are both behind NAT want to talk directly to each other (peer-to-peer stuff, VoIP, hole punching): a symmetric NAT hands out a different public port for every destination, so the tricks that work through cone NATs fail. Beyond that you only need to care if you have stone-age equipment from the mid-90ies or a really crappy hardware router.
 Typical scenario example
- A single router with lots of slots for ordinary ethernet cables delivers internets to lots of computers within a LAN.
- The router has one public IP address: 126.96.36.199.
- The computers on the LAN have IP addresses in the range 192.168.1.2 - 192.168.1.254 (the network is 192.168.1.0/24).
One of the computers (192.168.1.4) in the LAN connects to the website http://google.com.

        (internets)
             |
             |
       126.96.36.199
           ROUTER
        192.168.1.1
             |
             |
        192.168.1.4
       some computer

This is what could happen (most likely; the exact behaviour differs from router to router):
- 192.168.1.4 sends a packet to google.com.
- The client computer uses TCP source port 19239 when it connects to google.com. (19239 can be any number; usually the OS picks a random one, but for simplicity we assume it uses 19239.)
- The packet passes in at the router (192.168.1.1).
- IF source port 19239 is not already in use by any other computer behind the NAT:
- THEN: the router marks TCP port 19239 as used by 192.168.1.4 for connections to google.com.
- ELSE: the router selects another, unused TCP port for 192.168.1.4's connection to google.com and rewrites the source port to that.
- The router then replaces the client's source IP address with its own public IP address (192.168.1.4 is replaced with 126.96.36.199).
- The router sends the packet on towards google.com. To google.com it looks as if the router itself made the connection.
When google.com receives the packet, it replies to it.
- google.com sends the reply packet to 126.96.36.199, TCP port 19239 (or whatever port the router picked instead, if 19239 was already taken by another client in the network).
- The packet enters the router at 126.96.36.199.
- The router notices that it is a reply from google.com to port 19239 (or the substitute port), looks that port up in its table and sees that it belongs to the client computer 192.168.1.4, source port 19239. The client computer "owns" that port because it used it to connect to google.com.
- The router replaces the destination address 126.96.36.199 with 192.168.1.4, because that computer made the connection to google in the first place, and sends the packet into the internal network. IF the router had to substitute a different source port on the way out, it also rewrites the destination port back to the client's original 19239 before forwarding (otherwise the client would not recognise google's reply as belonging to its connection).
- The packet arrives at the client computer, 192.168.1.4, TCP port 19239. From the client's side it looks as if google.com is replying directly to it, even though the client uses a LAN-only IP address that is normally not routable on the internets.
 Why would the router want to change the source port??
- If some other client computer has already used that source port for connecting to some website/server/whatever, a second computer cannot use the very same source port: two replies to the same public port would arrive at the router, and it would not know which LAN computer to forward them to.
- There are ofc multiple solutions to this problem. As long as the router keeps track of who connected to what and handles the servers' replies correctly, it does not really matter exactly how the router does its NAT.
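To make the step list above and the port-collision question concrete, here is a toy NAPT box in Python. It is an added example written for this page, not code from the page, from Telecomix or from any real router. It uses the page's own addresses for the router and the LAN; the server and outsider addresses are made-up RFC 5737 documentation addresses, with 203.0.113.10 simply standing in for google.com on port 80:

```python
"""Toy TCP NAPT box that does what the page's step list describes. Added
illustration, not code from the page or from any real router. Constructed
inputs: the router's public address is the page's 126.96.36.199; the RFC 5737
addresses 203.0.113.10 (google.com stand-in) and 198.51.100.9 are assumptions."""
import random
from dataclasses import dataclass

PUBLIC_IP = "126.96.36.199"   # the router's single public address (from the page)
GOOGLE = "203.0.113.10"       # stand-in for google.com (assumption)
OUTSIDER = "198.51.100.9"     # some unrelated host on the internets (assumption)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Translation table keyed the way the page describes: one public port
    per (LAN host, LAN port, destination host, destination port)."""

    def __init__(self, public_ip, randomize_ports=False, seed=None):
        self.public_ip = public_ip
        self.randomize_ports = randomize_ports
        self.rng = random.Random(seed)
        self.table = {}     # public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.by_flow = {}   # the reverse of table
        self.forwards = {}  # static holes: public port -> (lan_ip, lan_port)

    def forward_port(self, public_port, lan_ip, lan_port):
        """'Poke a hole': expose a LAN server on one of the router's ports."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def _in_use(self, port):
        return port in self.table or port in self.forwards

    def _pick_port(self, wanted):
        # Page's default rule: keep the client's own source port when nobody
        # else behind the NAT uses it, otherwise pick a free one at random.
        # With randomize_ports the client's port is never kept (the "always
        # replace with a random port" kind of router).
        if not self.randomize_ports and not self._in_use(wanted):
            return wanted
        for _ in range(100000):
            port = self.rng.randint(1024, 65535)
            if port != wanted and not self._in_use(port):
                return port
        raise RuntimeError("no free public ports left")

    def translate_out(self, pkt):
        """LAN -> internets: rewrite source ip/port and remember who sent it."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.by_flow.get(flow)
        if public_port is None:
            public_port = self._pick_port(pkt.src_port)
            self.by_flow[flow] = public_port
            self.table[public_port] = flow
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """internets -> LAN: map a reply back to its owner, or drop it (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None          # nobody inside asked for this: server unreachable
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None          # not from the host the client actually talked to
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo(randomize_ports=False):
    """Replay the page's scenario: 192.168.1.4 and a second host both use
    source port 19239 towards the same server, then an outsider knocks."""
    nat = Napt(PUBLIC_IP, randomize_ports=randomize_ports, seed=1)
    a = Packet("192.168.1.4", 19239, GOOGLE, 80)
    b = Packet("192.168.1.7", 19239, GOOGLE, 80)   # same source port: collision
    a_out = nat.translate_out(a)
    b_out = nat.translate_out(b)
    result = {
        "a_public_port": a_out.src_port,
        "b_public_port": b_out.src_port,
        "reply_a": nat.translate_in(Packet(GOOGLE, 80, PUBLIC_IP, a_out.src_port)),
        "reply_b": nat.translate_in(Packet(GOOGLE, 80, PUBLIC_IP, b_out.src_port)),
        # right public port but wrong sender: not google's reply, dropped
        "spoofed": nat.translate_in(Packet(OUTSIDER, 80, PUBLIC_IP, a_out.src_port)),
        # nobody inside talked to the outsider, so port 22 is unreachable
        "unsolicited": nat.translate_in(Packet(OUTSIDER, 4444, PUBLIC_IP, 22)),
    }
    nat.forward_port(22, "192.168.1.10", 22)   # poke a hole for a LAN ssh box
    result["holed"] = nat.translate_in(Packet(OUTSIDER, 4444, PUBLIC_IP, 22))
    return result
```

Call demo() to replay the page's scenario (192.168.1.4 keeps port 19239, the second host gets a random substitute, both replies land on the right LAN host) and demo(randomize_ports=True) for the kind of router that rewrites every source port. The mapping is per (client, destination) pair, which is what the page's step list describes and what RFC 3489 calls symmetric NAT; a cone NAT would hand out one public port per (LAN address, LAN port) and reuse it for every server. The check in translate_in that the sender matches the remembered remote host is what makes an unsolicited packet bounce off the router, i.e. why a LAN server is unreachable until you poke a hole.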
Some routers always replace the clients' source ports with randomly chosen ones. Normalising and randomising as much as you can in outbound packets (source ports, IP IDs, TCP initial sequence numbers) is probably the best choice, because some operating systems leak unnecessary info about themselves through their outbound connections. For example, it is often possible to tell whether you are using windows/linux/solaris/whatever by looking at differences in the TCP stack and how the packets look (window size, TCP options, TTL). OpenBSD by default ships a file /etc/pf.os that contains fingerprints for different operating systems, which pf can use to, say, deny windows users access to a server. Note that plain NAT does not fix this: it rewrites addresses and ports but leaves the rest of the TCP/IP headers alone, so a fingerprinter on the far end still sees the LAN computer's stack unless the router also normalises the packets (pf's scrub and modulate state, for example). It is generally not a good idea to leak info about yourself if you want to stay anonymous, so please think about this. (If you are using cryptoanarchy.org as a proxy/VPN this is handled automatically for all outbound connections.)
Most routers, however, (probably) behave as described above.