Source NAT
Destination NAT
SNAT (Source Network Address Translation)
SNAT provides a secure mechanism for translating internal, nonroutable addresses into routable addresses. As traffic flows out of a data center, the gateway and source address of IP packets are translated and switched to the appropriate upstream gateway router. This ensures that traffic is sent and returned through the desired path.
NAT (network address translation)
To extend the reach of the IPv4 address space, companies have turned to using private IPv4 addresses through a public-to-private address translation technique known as network address translation (NAT).
NAT works by using the several million private addresses that have been put aside by the Internet Engineering Task Force, turning a public IP address such as 192. 156.136.22 into a private address, such as 10.0.0.4, for delivery to a user's PC. Private IP addresses cannot be "seen" by the Internet, and therefore may be reused by various enterprise networks.
In conjunction with a NAT-enabled gateway or router device, a privately addressed network may hide hundreds or thousands of hosts behind a single public address. The NAT device differentiates among the PCs by translating their port numbers into unique values.
But NAT is limited by applications such as streaming media that transmit IP addresses or port numbers in the payloads of packets. Such applications require that NAT take on application-specific knowledge and perform additional computation.
Worse, because NAT typically resides in a boundary router between private and public networks, it can't function with IP Security (IPSec), the popular encryption technology for virtual private networks. IPSec requires true end-to-end handshaking in order to set up initial encryption rules. Once encrypted at a client system, IPSec packets cannot be modified - or recognized - by NAT.
5.5. Destination NAT with netfilter (DNAT)
Destination NAT with netfilter is commonly used to publish a service from an internal RFC 1918 network to a publicly accessible IP. To enable DNAT, at least one iptables command is required. The connection tracking mechanism of netfilter will ensure that subsequent packets exchanged in either direction (which can be identified as part of the existing DNAT connection) are also transformed.