NAT Basics Cheat Sheet

Network Address Translation: SNAT, DNAT, PAT/overloading, port forwarding, carrier-grade NAT (CGNAT), and NAT traversal challenges.

Last Updated: May 1, 2025

NAT Types

Item	Description
`SNAT (Source NAT)`	Translate source IP — many private IPs → one public IP (outbound)
`DNAT (Destination NAT)`	Translate destination IP — public IP → private server (inbound)
`PAT (Port Address Translation)`	SNAT + port numbers — 65,000+ sessions per public IP
`Masquerading`	Dynamic SNAT — auto-uses outgoing interface IP (Linux iptables)
`Static NAT`	1:1 mapping — one private IP maps to one public IP (server hosting)
`Full-cone NAT`	Once mapped, any external host can reach internal (least restrictive)
`Restricted-cone NAT`	Only external hosts previously contacted can reach back
`Symmetric NAT`	Each external host:port pair has unique mapping (most restrictive)

Port Forwarding (DNAT)

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.10:8080

Forward public:80 → private:8080

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.1.10:443

Forward HTTPS

iptables -t nat -A POSTROUTING -j MASQUERADE

Enable outbound NAT (masquerade)

iptables -t nat -L -v -n

View NAT table rules with packet counts

Router config (consumer)

'Port Forwarding' or 'Virtual Server' in admin panel

NAT Traversal Challenges

Item	Description
`P2P connectivity`	NAT breaks direct peer-to-peer — needs STUN/TURN/ICE
`STUN`	Session Traversal Utilities for NAT — discovers public IP and NAT type
`TURN`	Traversal Using Relays around NAT — relay server when direct fails
`ICE`	Interactive Connectivity Establishment — tries STUN, falls back to TURN
`Hairpin NAT`	Internal client accessing internal server via public IP (loopback)
`UPnP/NAT-PMP`	Port mapping protocols — devices request port forwards (security risk!)

Carrier-Grade NAT (CGNAT)

Item	Description
`Address space: 100.64.0.0/10`	Shared pool for ISP-side NAT (RFC 6598)
`Double NAT`	ISP NAT + home NAT — breaks port forwarding, P2P, gaming
`Solution: IPv6`	Eliminates need for NAT entirely (but adoption still growing)
`Solution: Public IP`	Request a public (non-NATed) IP from ISP (business plans)

Pro Tip: NAT types: SNAT (Source NAT — outgoing, many-to-one), DNAT (Destination NAT — incoming, port forwarding). PAT adds port translation on top of SNAT to share one public IP.