
IPv6 is built to be better, but that's not the route to success

tip pc Silver badge

Re: People do not want it

Nanashi

No, NAT won't block it. NAT doesn't route anything. All it does is rewrite the src or dest headers on packets; any firewalling or routing is handled by the rest of the networking stack. You don't need a state table entry for basic routing to work.

You can’t directly route to RFC 1918 addresses across the internet.

Correct.

Of the billions of systems that have 10.x addresses behind NAT, how do you know which router to send your RFC 1918 traffic to?

If I want to access a network behind your router, then I send the traffic to your router.

ISPs drop traffic with RFC 1918 dst IPs.

They should do, at least.

Also, how do you send something to your router from the internet with an additional dst IP? TCP packets have just one dst IP.

You don't. The TCP packet's dst address would be set to 10.0.0.234.

Because that's RFC1918, the only way to get it to your router would be to have a machine on your immediate upstream network, configured with a route for 10.0.0.234 via your router.

When the packet arrives at your router, it won't match a NAT state table entry, so NAT won't touch the dest IP. Your router will then follow its routing table entries and route it to your local network.

You clearly don’t understand how networking actually works, which feeds into your misguided thoughts on NAT.

There is so much wrong with what you wrote.

An IPv4 packet has these fields, amongst others: src-ip, src-port, dst-ip, dst-port.

If I want to get to your 10.x address from my public 9.30.1.30 address, how do I put that in the IPv4 packet? You put the dst-ip in the dst-ip header, but how does my ISP or any intermediary know to send my IPv4 packet to the public IP of your router, and not to literally any one of millions of other public IPs of endpoint routers, for onward routing? The answer is that my ISP or any intermediaries can’t, hence why there is an RFC for ISPs not to route RFC 1918 addresses.

If you have port forwarding on your router, let’s say 7.7.7.20 port 20 forwarding to 10.0.0.50 port 443, I can put that 7.7.7.20 in the dst field of the header, and every router between my computer and your dst will know exactly what to do to get my connection to you.

NAT is exactly like that port forwarding, but dynamic: when your 10.0.0.60 device wants to connect to my 9.50.9.50, your router makes a note of the src-ip (10.0.0.60), src-port (let’s say it’s 2020), dst-ip (9.50.9.50) and dst-port (443), and rewrites the src IP and port to the router’s public IP and possibly a new random port; nothing along the path will know about 10.0.0.60. My server will return traffic with your public IP and src-port in the dst fields. Your router checks its NAT table for incoming connections with your public IP and port in the dst field and my public IP 9.50.9.50 and port 443 as the src; when it finds a match it rewrites the dst details to be 10.0.0.60 port 2020 and forwards to that machine.

NAT MUST be stateful: it keeps track of connections, removing closed, old and dead ones.

If you NAT then you have a stateful dynamic firewall.

Firewalls don’t need to track state, but they are more useful when they do: you don’t want an attacker reusing an old session. NAT is therefore far better than a basic firewall.

Before moaning about NAT and singing IPv6’s praises, it’s helpful if you understand how networking actually works and how NAT actually works.
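A model of the NAT state table described in the reply above, added here as an illustration; it is not code from the post or from The Register. It uses the addresses from the post (10.0.0.60:2020 connecting to 9.50.9.50:443 behind public IP 7.7.7.20, and the static forward 7.7.7.20:20 to 10.0.0.50:443), allocates public ports sequentially rather than randomly so a run is repeatable, and assumes a 300 second idle timeout for ageing out entries. What happens to an inbound packet that matches no table entry, whether it is dropped or handed untranslated to the routing table, is the point the two posters disagree on, so it is left as an explicit policy argument to handle_inbound rather than decided by the translation code.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The four header fields the post talks about, plus the protocol."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Entry:
    inside_ip: str
    inside_port: int
    last_seen: float  # used to age out old / dead connections


class StatefulNAT:
    def __init__(self, public_ip: str, first_port: int = 40000, timeout: float = 300.0):
        self.public_ip = public_ip
        self.next_port = first_port  # assumption: sequential instead of random, for a repeatable run
        self.timeout = timeout       # assumption: idle seconds before an entry is removed
        # dynamic table: (public_port, remote_ip, remote_port, proto) -> inside host
        self.table: Dict[Tuple[int, str, int, str], Entry] = {}
        # reverse index so further packets of the same inside flow reuse their public port
        self.by_inside: Dict[Tuple[str, int, str, int, str], int] = {}
        # static port forwards: (public_port, proto) -> (inside_ip, inside_port)
        self.forwards: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def add_forward(self, public_port: int, inside_ip: str, inside_port: int, proto: str = "tcp") -> None:
        """A static forward: no state needed, any remote host may use it."""
        self.forwards[(public_port, proto)] = (inside_ip, inside_port)

    def expire(self, now: float) -> int:
        """Remove entries idle for longer than the timeout; returns how many went."""
        dead = [k for k, e in self.table.items() if now - e.last_seen > self.timeout]
        for k in dead:
            e = self.table.pop(k)
            self.by_inside.pop((e.inside_ip, e.inside_port, k[1], k[2], k[3]), None)
        return len(dead)

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """LAN -> WAN: record the flow and rewrite src to the public IP and a public port."""
        self.expire(now)
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        pub_port = self.by_inside.get(flow)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.by_inside[flow] = pub_port
        self.table[(pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = Entry(pkt.src_ip, pkt.src_port, now)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """WAN -> LAN: rewrite dst only if the packet matches a table entry or a static forward.

        Returns None when nothing matches; the caller decides what that means."""
        self.expire(now)
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to our public IP, nothing to translate
        entry = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if entry is not None:
            entry.last_seen = now  # keep live connections from being aged out
            return Packet(pkt.src_ip, pkt.src_port, entry.inside_ip, entry.inside_port, pkt.proto)
        fwd = self.forwards.get((pkt.dst_port, pkt.proto))
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None


def handle_inbound(nat: StatefulNAT, pkt: Packet, now: float, unmatched: str = "drop"):
    """What the router does with a WAN-side packet. 'drop' and 'route' are the two
    behaviours argued about in the thread; the translation step is the same for both."""
    translated = nat.inbound(pkt, now)
    if translated is not None:
        return "forward", translated
    if unmatched == "drop":
        return "drop", pkt
    return "route", pkt  # untouched by NAT; the routing table decides where it goes


if __name__ == "__main__":
    nat = StatefulNAT("7.7.7.20")
    print(nat.outbound(Packet("10.0.0.60", 2020, "9.50.9.50", 443), now=0.0))
    print(nat.inbound(Packet("9.50.9.50", 443, "7.7.7.20", 40000), now=1.0))
    print(handle_inbound(nat, Packet("9.30.1.30", 5555, "10.0.0.234", 22), now=1.0))
    print(handle_inbound(nat, Packet("9.30.1.30", 5555, "10.0.0.234", 22), now=1.0, unmatched="route"))
```

The lookup key for return traffic includes the remote IP and port as well as the public port, so a packet to the same public port from a different host does not match, which is the "attacker reusing an old session" case; the timeout is what removes entries for connections that simply went quiet.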
