by icedchai 2396 days ago
When most people say "NAT", they really mean "PAT". Port address translation: multiple private IP addresses behind a single public IP address. When a non-pedantic person sees "NAT", they understand it is actually "PAT." And in the typical consumer configuration, it actually does provide some level of security.
And when people talk about "PAT", they're actually talking about a form of NAT that doesn't block connections.

Here's how you do "PAT" on Linux: `iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE`. Notice how it's limited to outbound connections ("-o wan0")? That means it doesn't apply to inbound connections, and thus doesn't have any effect on the behavior of inbound connections.

If it doesn't have any effect on the behavior of inbound connections, then how could it possibly block inbound connections?

(The typical consumer configuration pairs "PAT" with a firewall, and the firewall does block inbound connections. It's also typical to pair it with RFC1918 addresses, which doesn't block connections but does make it much harder for most people to make the relevant connections in the first place. None of that changes the fact that "PAT" doesn't block connections.)
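The iptables rule quoted above, placed beside the stateful filter a consumer gateway pairs it with, as an added example that is not part of the thread; interface names wan0 and lan0 are assumptions, and the rule sets are printed in iptables-restore format rather than loaded, so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names wan0 (upstream) and
# lan0 (LAN) are assumed. Rule sets are emitted in iptables-restore format
# and only printed, so the script runs without root or a real gateway.

# Bare "PAT": rewrites the source of traffic leaving wan0 and nothing else.
# The filter table is spelled out with the kernel's default ACCEPT policy
# to show that no rule here ever refuses a forwarded packet.
nat_only_rules() {
  cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
}

# The same NAT rule paired with the stateful filter a consumer gateway adds.
# Packets arriving on wan0 are forwarded only when conntrack already knows
# the flow, i.e. a LAN host opened it; everything else hits the DROP policy.
nat_with_filter_rules() {
  cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT
COMMIT
EOF
}

# True when a rule set contains anything that refuses forwarded traffic,
# either a DROP policy on FORWARD or an explicit DROP rule in it.
blocks_inbound() {
  printf '%s\n' "$1" | grep -Eq '^(:FORWARD DROP|-A FORWARD .*-j DROP)'
}

for name in nat_only_rules nat_with_filter_rules; do
  if blocks_inbound "$("$name")"; then
    echo "$name: refuses unsolicited inbound forwards"
  else
    echo "$name: forwards any inbound packet that is routed to the LAN"
  fi
done
```

Both rule sets carry the identical MASQUERADE line; only the second one contains anything that can refuse a packet, which is the point of the comment above.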

So in other words, even without a firewall, it still provides some level of security. If your attacker can't route to your target's addresses because they are private RFC1918, they're "blocked" for all practical purposes. Yes, I know they're not technically blocked... but the typical attacker 10 hops away isn't going to know...

On the other hand, this might also give other people a false sense of security. Most people who tell you that "NAT provides security" think that NAT somehow drops packets, and if your network is actually targeted, this myth might well be the reason why someone ends up downloading all your files by connecting to your file server through your NAT gateway.

No... it doesn't drop connections, so it doesn't provide any security.

In practical terms, it still provides some (low) level of security. If an attacker can't get IP packets to your machine because it's on an un-routable address, they can't attack it. If your attacker is getting "cooperation" from your ISP to route to it, you have bigger things to worry about.

Obviously you should really use a firewall...

It won't prevent an attacker from getting IP packets to your machine. How could it do that, when it only acts on outbound connections and its only act is to change the apparent source address of those connections?

Did you miss the "because it's on an un-routable address" part? If there's no route to your machine from an attacker, they can't attack you.