4.3.10 · Coding › Computer Networks
Poore internet pe "real" (public) addresses ki kami hai. Socho ek apartment building (tumhara ghar/office) jahan andar ke sabhi log EK hi street address share karte hain (building ka). Bahar jaane waale letters pe building ka return address hota hai; doorman (router) yaad rakhta hai ki kaun sa apartment kis letter ko bheja tha, taaki reply sahi room mein aaye. Wahi doorman NAT (Network Address Translation) hai.
IPv4 mein sirf 2 32 ≈ 4.3 billion addresses hain. Devices usse kahin zyada hain. Humein ek tarika chahiye tha jisse bahut saare private devices kuch hi public addresses share kar sakein.
Solution tha private address ranges (RFC 1918) jo public internet pe routable nahi hote:
WHY a /8 has 2 24 hosts: prefix /8 pehle 8 bits fix kar deta hai, baaki 32 − 8 = 24 host bits bachte hain, toh 2 24 addresses. (Same logic /12 ke liye → 2 20 , /16 ke liye → 2 16 .)
NAT ek packet ke header ke andar IP address (aur aksar port) fields ko rewrite karta hai jab packet router boundary cross karta hai, phir ek translation table maintain karta hai taaki return traffic ke liye rewrite reverse kar sake.
Ye in chaar mein se ek ya zyada header fields change karta hai:
( src IP , src port , dst IP , dst port )
…aur affected checksums (IP + TCP/UDP) recompute karta hai.
Jab packet jaata hai, NAT ek mapping store karta hai. Jab reply aata hai, NAT us mapping ko reverse mein lookup karta hai.
Worked example PAT in action (home-router case)
Ek public IP 203.0.113.5 ke peeche do laptops hain.
Inside (src)
Translated (src)
Dest
192.168.0.10:51000
203.0.113.5:40001
93.184.216.34:80
192.168.0.11:51000
203.0.113.5:40002
93.184.216.34:80
Ye step kyun? Dono laptops ne same internal port 51000 use kiya. Agar NAT sirf IP swap karta, toh bahar se dono flows identical lagte aur replies alag nahi ki ja sakti. Isliye PAT port bhi rewrite karta hai (→ 40001, 40002) taaki har flow unique ho.
Definition Source NAT (SNAT)
Outbound packets ka source address rewrite karta hai. Jab inside hosts bahar connections initiate karte hain tab use hota hai. "Mera private IP chhupa do." Ye home routers ka default behavior hai.
Definition Destination NAT (DNAT)
Inbound packets ka destination address rewrite karta hai. Ek internal server expose karne ke liye use hota hai: bahar wale ek public IP hit karte hain, NAT private server pe redirect karta hai. Jab ek specific port map hota hai toh ise port forwarding bhi kehte hain.
Definition PAT (Port Address Translation) — a.k.a. "NAT overload" / masquerade
Ek special SNAT jo source IP aur source port dono rewrite karta hai, taaki bahut saare private hosts ek public IP share kar sakein. Yahi "ek ghar, ek public IP, 30 devices" possible banata hai.
SNAT = "badlo ki ye kisne bheja hai." (outbound, clients chhupana)
DNAT = "badlo ki ye kiske liye hai." (inbound, servers expose karna)
PAT = SNAT + port-mux, the many-to-one trick.
Recall Answer padhne se pehle predict karo
Ek home network mein 50 devices hain aur EK public IP hai. 50 ke 50 ek saath webpage open karte hain. Forecast: kya plain SNAT (IP-only) ye handle kar sakta hai? Kyun ya kyun nahi?
Recall
Nahi. IP-only SNAT har private IP ko public IP se 1:1 map karta hai, toh 50 devices ko 50 public IPs chahiye honge — jo poora purpose defeat kar deta hai. Tumhe PAT chahiye, jo 50 flows ko port number se differentiate karta hai (har ek ko single shared public IP pe ek unique source port milta hai). Table key puri tuple ( IP , port ) ban jaati hai, jo ek public IP pe ~64000 simultaneous flows de sakti hai.
Common mistake "NAT ek firewall hai / NAT mujhe secure banata hai."
Ye sahi kyun lagta hai: bahar wale tumhare private IP pe connection initiate nahi kar sakte, toh ye protection jaisi lagti hai.
Fix: NAT ka chhupana ek side effect hai, security policy nahi. Ye kuch nahi karta us malware ke baare mein jo tum outbound initiate karte ho, payloads inspect nahi karta, aur DNAT/port-forwarding holes kholti hai. Security ke liye actual firewall use karo.
Common mistake "SNAT aur PAT same cheez hain."
Ye sahi kyun lagta hai: dono source rewrite karte hain, dono outbound path pe chalte hain.
Fix: plain SNAT 1:1 ho sakta hai (sirf IP). PAT additionally port bhi rewrite karta hai taaki many-to-one achieve ho. PAT, SNAT ka ek subset/extension hai. Har PAT, SNAT hai; har SNAT, PAT nahi hai.
Common mistake "NAT sab cheez ke liye theek kaam karta hai."
Ye sahi kyun lagta hai: browsing hamesha kaam karti hai.
Fix: NAT un protocols ko tod deta hai jo payload ke andar IPs/ports embed karte hain (FTP active mode, SIP/VoIP) kyunki sirf header rewrite karne se body mein stale addresses reh jaate hain — ALGs ki zaroorat padti hai. Peer-to-peer connections ko hole-punching/STUN chahiye.
Recall Ek 12-saal ke bachchhe ko explain karo
Tumhare ghar ka ek mailbox address hai lekin andar bahut log rehte hain. Jab tum letters bhejte ho, doorman ghar ka address return address ke taur pe likhta hai aur note karta hai "ye reply Anya ke liye hai, reply ticket #40001." Jab ghar pe ticket #40001 waali reply aati hai, doorman jaanta hai ki ise Anya ko dena hai, uske bhai ko nahi. NAT wahi doorman hai, aur ticket number port hai.
"S ource S hields, D est D elivers, P AT P acks-by-P ort."
S NAT → source ko S hields/chhupata hai (clients bahar jaate hain).
D NAT → sahi inside server tak D elivers karta hai (traffic aa raha hai).
P AT → bahut saare hosts ko ek IP mein P orts use karke P ack karta hai.
NAT kyun create kiya gaya? Bahut saare private (RFC1918) hosts ko scarce public IPv4 addresses share karne dene ke liye, 2 32 address limit ke around kaam karte hue.
RFC 1918 kaun se teen private IPv4 ranges define karta hai? 10.0.0.0/8 , 172.16.0.0/12 , 192.168.0.0/16 .
Ek /8 mein kitne hosts hote hain? 2 32 − 8 = 2 24 addresses.
SNAT kya rewrite karta hai aur kab? Outbound packets ka source IP jab inside hosts connections initiate karte hain (clients ko chhupata hai).
DNAT kya rewrite karta hai aur kab? Inbound packets ka destination IP, bahar walon ko ek internal server pe redirect karne ke liye (port forwarding).
PAT plain SNAT ke comparison mein additionally kya rewrite karta hai? Source port, taaki bahut saare private hosts ek public IP share kar sakein (many-to-one).
IP-only SNAT 50 devices ko ek public IP se serve kyun nahi kar sakta? Ye IPs ko 1:1 map karta hai, toh 50 devices ko 50 public IPs chahiye honge; flows ko port se distinguish karne ke liye PAT chahiye.
NAT kaun se chaar header fields modify kar sakta hai? src IP, src port, dst IP, dst port (plus checksum recompute).
Kya NAT ek security feature hai? Nahi; chhupana ek side effect hai, policy nahi. Ye kuch inspect nahi karta aur DNAT holes kholta hai.
Kaun se protocols NAT ke under break ho jaate hain aur kyun? FTP active, SIP/VoIP — ye payload ke andar IP/port embed karte hain, jo sirf header rewrite karne se fix nahi hota; ALGs/STUN chahiye.
PAT ke under ek public IP roughly kitne simultaneous flows support kar sakta hai? ~64000 (16-bit port space per protocol se limited).
IPv4 Addressing & Subnetting — prefixes, /8 /12 /16 math
RFC 1918 Private Addresses
Ports & TCP-UDP Headers — kyun ports PAT enable karte hain
Firewalls vs NAT — security distinction
STUN, TURN & NAT Traversal — NAT ke under P2P fix karna
IPv6 — abundant addresses NAT ki zaroorat kam karte hain
Port Forwarding & DMZ
exposes via port forwarding
IPv4 address shortage 2^32
src/dst IP and port fields
Inside hosts initiate outbound