NAT

16 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. What is the difference between SNAT and DNAT?

SNAT (Source NAT) changes the source IP of outgoing packets, used when private hosts access the internet via a shared public IP. DNAT (Destination NAT) changes the destination IP of incoming packets, used for port forwarding and load balancing.

Remember: NAT = Network Address Translation. Private→public. "IP disguise."

Fun fact: NAT was "temporary" in the 1990s. Still everywhere 30+ years later.

2. What is the difference between SNAT and MASQUERADE in iptables?

SNAT uses a fixed public IP (--to-source), while MASQUERADE dynamically uses the outgoing interface's current IP. SNAT is more efficient; use MASQUERADE only when the public IP is assigned via DHCP and may change.

3. What kernel setting must be enabled for NAT to forward packets between interfaces?

net.ipv4.ip_forward must be set to 1. Enable with: sysctl -w net.ipv4.ip_forward=1. Without this, the kernel drops packets destined for other hosts.

Gotcha: resets on reboot unless persisted in /etc/sysctl.d/. Docker and Kubernetes enable ip_forward automatically.

Under the hood: with ip_forward=0, the kernel drops packets destined for other hosts instead of routing between interfaces.

🟡 Medium (4)

1. What is conntrack and why is it essential for NAT?

conntrack (connection tracking) is the kernel subsystem that tracks every NAT'd connection in a state table. It records source/destination translations so the kernel can reverse the mapping on return packets, ensuring two-way communication works.

Number anchor: Default nf_conntrack_max is often 65536. A busy NAT gateway can exhaust this in minutes, causing `nf_conntrack: table full` drops.

Debug clue: `conntrack -C` shows current count. Alert when it exceeds 80% of nf_conntrack_max.

2. How do you set up port forwarding with iptables to forward port 8080 to an internal host on port 80?

Use DNAT in the PREROUTING chain: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80. You must also add a FORWARD rule allowing the traffic and enable ip_forward.

Remember: NAT types: SNAT(outbound), DNAT(inbound), PAT(many-to-one via ports).

3. How do you view and manage the conntrack table?

Use the conntrack tool: conntrack -L (list entries), conntrack -C (count), conntrack -E (live events), conntrack -F (flush). Check the max size with sysctl net.netfilter.nf_conntrack_max.

4. How does Docker use NAT for container networking?

Docker uses MASQUERADE for outbound container traffic (container-to-external) and DNAT for published ports (mapping host ports to container ports). These rules are visible via iptables -t nat -L -n -v.

🔴 Hard (3)

1. What causes NAT port exhaustion and how do you resolve it?

Each NAT mapping consumes a source port (~64K available per IP). High-traffic proxies exhaust ports, causing "nf_conntrack: table full, dropping packet" in dmesg. Fix by: increasing nf_conntrack_max, reducing timeout values (tcp_timeout_time_wait, tcp_timeout_established), or adding more public IPs to the SNAT range.

2. What conntrack sysctls should you tune for a high-traffic NAT gateway?

Key tunings: net.netfilter.nf_conntrack_max (increase to 262144+), nf_conntrack_buckets (1/4 of max), nf_conntrack_tcp_timeout_time_wait (reduce to 30s), nf_conntrack_tcp_timeout_established (reduce from 432000 to 600s for proxies). Monitor with conntrack -C.

3. How would you configure SNAT using nftables instead of iptables?

Create a nat table and postrouting chain: nft add table nat; nft add chain nat postrouting { type nat hook postrouting priority 100 \; }; nft add rule nat postrouting oifname "eth0" masquerade. nftables is the modern replacement for iptables with cleaner syntax and better performance.

Remember: SNAT=change source(outbound). Private→internet. Return auto-translated.

Timeline: nftables was merged into Linux kernel 3.13 (2014). It replaces iptables, ip6tables, arptables, and ebtables with a single framework.