linuxlab.io
Copyright © 2026 LinuxLab. All rights reserved.

How NAT works

At home you have one public IP, but behind the router there are 10 devices, all going to the internet at the same time. The trick is that the router "remembers" who to send what.

At home you have one public IP from your provider. But behind the router sit a laptop, a phone, a TV, and three IoT devices. They all go to the internet at the same time, and they all get answers back. How does one public IP serve them all?

The answer is NAT (Network Address Translation). On the fly, the router swaps the addresses in packet headers: for an outgoing packet it rewrites the source address (the "return address") to its own public one, and for an incoming reply it rewrites the destination back to the private address of the device inside the network. For this to work, the router remembers every active connection in a special table (see conntrack).

[Simulator: the life cycle of one connection through NAT in both directions. LAN 192.168.1.0/24 with client 192.168.1.50, the NAT router (lan .1, wan 80.10.20.30), and server 8.8.8.8 on the public internet; a CONNTRACK panel (/proc/net/nf_conntrack) with columns ORIG SRC → TRANSLATED SRC and DST, initially empty. Step 1/5: the client is in the private network 192.168.1.0/24; its address is not routed on the internet.]

§ steps

  1. The client has the address 192.168.1.50, which is in the private range. Providers drop such addresses on the internet: they live only inside home and office networks.

    On its own, the client cannot talk to 8.8.8.8 directly, because its source address is "not real". It needs help from the router.

    The conntrack table on the router is empty: no active connections.

recap

What to remember:

  • Private IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are not routed on the internet. Any such packet gets dropped by the provider. So every private network needs NAT to reach the outside
  • The NAT table (conntrack) holds every active connection: who, to whom, on which ports. If the table fills up, new connections get dropped
  • NAT breaks peer-to-peer: an external host cannot initiate a connection to an internal one (no conntrack entry means nowhere to forward). That is why VoIP, torrents, and games use workarounds: STUN/TURN/UPnP
  • There is also DNAT (port forwarding): a rule set up in advance, "anything that arrives on my public port 80 → forward to 192.168.1.50:8080". This is how home web servers get exposed to the internet
  • The real fix for the "too few addresses" problem is IPv6 with its 340 undecillion addresses. Every device gets a real public IP, and NAT is not needed
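To make the table concrete, here is an added example (written for this page, not code from linuxlab.io) modelling the conntrack logic described above in Python: outbound packets get SNAT/masquerade, replies are matched against the table, unsolicited inbound traffic is dropped, and the DNAT rule from the recap (public port 80 → 192.168.1.50:8080) is applied. The addresses are the ones from the simulator; the sequential port allocation and the max_entries limit are simplifying assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    def __init__(self, public_ip, max_entries=65535, dnat=None):
        self.public_ip = public_ip
        self.max_entries = max_entries      # assumed conntrack size limit
        self.dnat = dnat or {}              # public port -> (private ip, private port)
        self.entries = {}                   # original 4-tuple -> translated 4-tuple
        self.replies = {}                   # expected reply 4-tuple -> its rewrite
        self.next_port = 1024               # assumption: sequential port allocation

    def _remember(self, orig, trans):
        # One conntrack entry covers both directions of the flow.
        self.entries[orig] = trans
        self.replies[Packet(trans.dst, trans.dport, trans.src, trans.sport)] = \
            Packet(orig.dst, orig.dport, orig.src, orig.sport)

    def forward_lan(self, pkt):
        # Packet arriving from the LAN side (private source address).
        hit = self.entries.get(pkt, self.replies.get(pkt))
        if hit is not None:
            return hit                      # existing flow: reuse its translation
        if len(self.entries) >= self.max_entries:
            return None                     # conntrack full: new connection dropped
        trans = Packet(self.public_ip, self.next_port, pkt.dst, pkt.dport)
        self.next_port += 1
        self._remember(pkt, trans)          # SNAT / masquerade
        return trans

    def forward_wan(self, pkt):
        # Packet arriving from the internet side.
        hit = self.entries.get(pkt, self.replies.get(pkt))
        if hit is not None:
            return hit                      # reply to a known connection
        rule = self.dnat.get(pkt.dport) if pkt.dst == self.public_ip else None
        if rule is None:
            return None                     # no entry and no DNAT rule: dropped
        trans = Packet(pkt.src, pkt.sport, rule[0], rule[1])
        self._remember(pkt, trans)          # DNAT / port forwarding
        return trans

router = NatRouter("80.10.20.30", dnat={80: ("192.168.1.50", 8080)})
print(router.forward_lan(Packet("192.168.1.50", 40000, "8.8.8.8", 53)))
```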

If you want to get hands-on, there is the lesson intermediate-06-nat-and-masquerade, with nftables configuration and the conntrack -L command.

§ dig into the knowledge base

  • NAT - the extended KB article
  • conntrack - the table of active connections
  • IPv4 addressing - why 192.168.x.x are private
  • port - what ephemeral ports are

§ try it hands-on

  • intermediate-06-nat-and-masquerade - NAT and masquerade: get hands-on with nftables