An Internet packet-forwarding technique which is, depending on your point of view, either a grotesque perversion of the way the Internet was supposed to work, or an elegant hack for both extending the IP address space and gaining useful functionality in the face of someone else's restrictive routing or address-allocation policies.

Network Address Translation, or NAT, is performed in a gateway or router or some device which has two different network connections, to two different subnets, one of them on the "real" Internet and one of them on a private subnet. This device has, as far as the "real" Internet is concerned, one publicly-addressible IP address. It then allows any number of machines on the private subnet behind it to share that single IP address.

The machines on the private subnet behind the NAT-forwarding router are, by definition, not on the public Internet. They will typically all have addresses in one of the private-use ranges. Their only connection to the Internet is through the NAT-forwarding router; all of them are configured with the NAT-forwarding router as the gateway to which they forward all their packets.

The NAT-forwarding router is therefore in the position to play the following game, which is what Network Address Translation is. When a machine on the private subnet attempts to contact some machine on the real internet, the NAT-forwarding router notices this, and makes the same attempt to contact that public machine, listing its own public IP address as the machine making the contact. Then, when responses come back from that public machine, the NAT-forwarding router rewrites the headers and forwards the packets back to the real originating machine on the private subnet behind it.

An example will of course make this much clearer. Suppose that the NAT-forwarding router has as its public IP address Suppose that machine "beeblebrox" on the private subnet has the (private) address Suppose that a user on beeblebrox attempts to visit, at

beeblebrox will construct packets with a source address of and a destination address of But it doesn't have a route to, so it sends the packets to its gateway, the NAT-forwarding router, instead.

The NAT-forwarding router has been configured to do NAT for all addresses on the private subnet behind it. So when the packet comes through for slashdot from beeblebrox, the router rewrites the source address as, and forwards the modified packet to slashdot, and makes a note to itself that it's done this.

With luck, packets eventually arrive back from slashdot, with source IP addresses of and destination IP addresses of The router receives these, but recognizes that they're really destined for beeblebrox. So it rewrites the destination addresses to, and forwards the packets to the private subnet, where beeblebrox receives them. Voila!

(There are some nuances here with respect to TCP and UDP port numbers which I've glossed over, and also with respect to the way in which protocols other than TCP, e.g. ICMP, can work across NAT in the absence of port numbers.)

The nice thing about NAT is that it's almost completely transparent. In the example above, neither beeblebrox nor slashdot care (or have any way of knowing) that any translation is being done. They just sit there and work, as if they're on the same internet with each other, after all.

One obvious use for Network Address Translation is a home LAN, where you've got several machines all trying to share a single connection, whether it be DSL, cable, or some other technology, out to the Internet. Your ISP probably gives you only a single IP address. But if you've connected your home LAN to your Internet connection using a router that can do NAT, it's just as if all the machines in your house are on the net. (Naturally, since they're sharing the same, relatively narrow pipe, anybody who tries to hog it with a large data transfer will noticeably degrade throughput for the rest.)

Perhaps best of all, nobody can really tell you're doing this. If your ISP is greedy, and says you can connect but a single machine to the net at a time, and that you have to buy two services if you want to connect two machines, you can (rightly) say that the one machine you're connecting to the net with your one public IP adddress is your router, and what your router does with the packets it sends to and receives from the Internet is your business, not your ISP's. In fact, it's not just home consumers who play this game with ISP's -- I've heard tell that it's not uncommon for a workgroup in a large company with a repressive or incompetent IT department to set up a NAT-forwarding router rather than put up with the IT department's foot-dragging policies for allocating new IP addresses (whether external or internal).

Lots of devices can do NAT. Besides routers (large and small) I've also seen it done in Apple's AirPort base station, and in multiport Palm-to-Ethernet cradles. Not too surprisingly, a Linux machine can (using "ipchains") do NAT and other forms of IP masquerading.

(Disclaimer: there probably is a way for an ISP to detect -- or at least suspect -- that you're using NAT to share a connection and an IP adddress. I don't know how cranky ISP's tend to get about this. But don't blame me if one catches you doing it and tries to repress you, despite my claim above that "nobody can tell you're doing this" or "the one machine you're connecting to the net is your router".)