// learn · networking · 10 min

NAT and routing.

How a packet from 10.0.0.5 reaches 1.1.1.1, and how the reply finds its way back. Six animated chapters on source NAT (masquerade), destination NAT (port forwarding), the connection-tracking table the router keeps in its head, and the routing-table lookups happening at every hop.

// nat and routing

A packet from your laptop reaches 1.1.1.1 even though no one outside your house has ever heard of your laptop's IP. The trick is two rewrites and a routing table.

// before you start
you should know
  • Comfortable with what an IP address looks like (e.g. 10.0.0.5)
  • Helpful: the OSI/TCP-IP layers lesson — IP and TCP layers come up a lot
  • Helpful: subnet basics (private vs public ranges)
by the end you'll

Explain why source NAT exists, what conntrack remembers, what destination NAT is for, and how a routing table picks an outgoing interface.

pace: 10 minutes

nat and routing — step 1 / 6 · the setup
[animated diagram: LAN 10.0.0.0/24 · 💻 laptop 10.0.0.5 → HOME ROUTER (SNAT · masquerade, DNAT · port forward, conntrack table, routing table, public IP 203.0.113.42) → INTERNET · 🌐 1.1.1.1 · HTTPS :443]

The setup — private LAN behind a public IP

Your laptop sits on a private network (10.0.0.0/24, carved from the RFC 1918 block 10.0.0.0/8, which is never routed on the public internet). The router has two interfaces: an inside one (10.0.0.1, the LAN's default gateway) and an outside one with a public IP (203.0.113.42, a documentation address standing in for whatever your ISP assigned). The public internet has no route to your 10.0.0.5 at all, and that's the point. NAT and routing are how the router bridges these two worlds.

// key insight

A NAT router is not a security boundary by design; it's an address-translation engine. It is protective only by accident: an unsolicited inbound packet matches no conntrack entry and no DNAT rule, so the router has no inside host to hand it to. What actually discards that packet is the router's filter policy (the INPUT and FORWARD chains), not NAT itself, so a permissive FORWARD chain or a stray DNAT rule removes even that accidental protection. DNAT is the explicit opt-in to inbound delivery, and every DNAT rule is a hole you are punching on purpose.
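To make "what conntrack remembers" concrete, here is an added example (not part of the lesson) that models the router in Python: a conntrack table keyed on the 5-tuple the router will see in each direction, masquerade for new outbound flows, DNAT for the 10.0.0.10:8080 forward, and a drop for anything inbound with neither an entry nor a rule. The Packet and NatRouter names, the remote host 198.51.100.9 and the second inside host 10.0.0.7 are constructed for the example; the port-picking rule is a simplification of what netfilter does, not a description of the kernel.

```python
"""Toy model of the lesson's router: SNAT/masquerade outbound, conntrack-driven
reverse translation for replies, DNAT for one explicit port forward, and a drop
for unsolicited inbound traffic. Addresses follow the lesson (LAN 10.0.0.0/24
behind public 203.0.113.42). Table layout and port selection are simplified."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

LAN = ip_network("10.0.0.0/24")
PUBLIC_IP = "203.0.113.42"


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# conntrack entry: for a 5-tuple seen on the wire, which field to rewrite and to what
Rewrite = tuple[str, str, int]  # ("src" | "dst", new ip, new port)


class NatRouter:
    def __init__(self, public_ip: str, dnat_rules: dict[tuple[str, int], tuple[str, int]]):
        self.public_ip = public_ip
        # (proto, public dport) -> (inside host, inside port); the model's equivalent of
        # `iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.0.0.10:8080`
        self.dnat_rules = dnat_rules
        # Both directions of every translated flow, keyed by the exact 5-tuple the
        # router will see on the wire. This is "what conntrack remembers".
        self.conntrack: dict[Packet, Rewrite] = {}

    def forward(self, pkt: Packet) -> tuple[str, Optional[Packet]]:
        # 1. Known flow (either direction)? Apply the remembered rewrite.
        hit = self.conntrack.get(pkt)
        if hit:
            return "conntrack", self._apply(pkt, hit)
        # 2. New outbound flow from the LAN: masquerade and remember both directions.
        if ip_address(pkt.src) in LAN and ip_address(pkt.dst) not in LAN:
            tport = self._masquerade_port(pkt)
            self.conntrack[pkt] = ("src", self.public_ip, tport)
            reply = Packet(pkt.proto, pkt.dst, pkt.dport, self.public_ip, tport)
            self.conntrack[reply] = ("dst", pkt.src, pkt.sport)
            return "snat", self._apply(pkt, self.conntrack[pkt])
        # 3. New inbound flow hitting a port forward: DNAT and remember both directions.
        fwd = self.dnat_rules.get((pkt.proto, pkt.dport))
        if pkt.dst == self.public_ip and fwd:
            host, hport = fwd
            self.conntrack[pkt] = ("dst", host, hport)
            reply = Packet(pkt.proto, host, hport, pkt.src, pkt.sport)
            self.conntrack[reply] = ("src", self.public_ip, pkt.dport)
            return "dnat", self._apply(pkt, self.conntrack[pkt])
        # 4. Unsolicited inbound with no entry and no rule: nowhere to deliver it.
        #    (On a real box the INPUT/FORWARD filter policy decides its fate; the
        #    point is that NAT alone has no inside host to hand it to.)
        return "drop", None

    def _masquerade_port(self, pkt: Packet) -> int:
        # Keep the original source port unless another inside host already owns that
        # exact reply tuple; then pick a fresh one (the range is a simplification).
        def free(p: int) -> bool:
            return Packet(pkt.proto, pkt.dst, pkt.dport, self.public_ip, p) not in self.conntrack
        if free(pkt.sport):
            return pkt.sport
        for p in range(1024, 65536):
            if free(p):
                return p
        raise RuntimeError("NAT port exhaustion for this destination")

    @staticmethod
    def _apply(pkt: Packet, rw: Rewrite) -> Packet:
        field, ip, port = rw
        if field == "src":
            return pkt._replace(src=ip, sport=port)
        return pkt._replace(dst=ip, dport=port)


def demo() -> dict[str, tuple[str, Optional[Packet]]]:
    """Constructed traffic: two inside hosts that picked the same source port,
    their replies, one unsolicited probe, one hit on the port forward and the
    inside server's reply to it."""
    r = NatRouter(PUBLIC_IP, {("tcp", 443): ("10.0.0.10", 8080)})
    out = {}
    out["laptop out"] = r.forward(Packet("tcp", "10.0.0.5", 51000, "1.1.1.1", 443))
    out["second host out"] = r.forward(Packet("tcp", "10.0.0.7", 51000, "1.1.1.1", 443))  # port clash
    out["laptop reply"] = r.forward(Packet("tcp", "1.1.1.1", 443, PUBLIC_IP, 51000))
    out["second host reply"] = r.forward(Packet("tcp", "1.1.1.1", 443, PUBLIC_IP, 1024))
    out["probe"] = r.forward(Packet("tcp", "198.51.100.9", 40000, PUBLIC_IP, 22))
    out["forwarded in"] = r.forward(Packet("tcp", "198.51.100.9", 40001, PUBLIC_IP, 443))
    out["server reply"] = r.forward(Packet("tcp", "10.0.0.10", 8080, "198.51.100.9", 40001))
    return out


if __name__ == "__main__":
    for label, (action, pkt) in demo().items():
        print(f"{label:18} {action:9} {pkt}")
```

Run it and watch the two inside hosts that both chose source port 51000 come out with different translated ports: that collision is exactly why the table has to be keyed on the full tuple, not on the inside address alone, and why the probe to :22 has nothing to match.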

// exam-ready · what to actually run
$ ip route                                  # print the main routing table
$ ip route get 1.1.1.1                      # which route, interface and source address the kernel picks for this destination
$ ip route add default via 10.0.0.1         # default route through the LAN gateway (the gateway must already be reachable on-link)
$ ip route add 10.1.0.0/24 via 10.0.0.2     # static route for another subnet through a neighbouring router
$ ip -s link                                # per-interface packet and error counters
$ ip addr                                   # addresses on each interface (inside 10.0.0.1, outside 203.0.113.42)
$ conntrack -L                              # dump the connection-tracking table (conntrack-tools, needs root)
$ conntrack -E                              # stream conntrack events as entries are created and destroyed
$ iptables -t nat -L -n -v                  # list NAT rules with hit counters, numeric addresses
$ nft list ruleset                          # the same picture on an nftables host
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE                            # SNAT: rewrite the source to eth0's address on the way out (eth0 = outside interface)
$ iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.0.0.10:8080    # DNAT: forward public :443 to the inside web server; the FORWARD chain must also allow it
$ sysctl net.ipv4.ip_forward                # 1 = this host routes between interfaces, 0 = it will not forward at all
$ echo 1 > /proc/sys/net/ipv4/ip_forward    # enable forwarding now (not persistent; use /etc/sysctl.d for that)
$ traceroute 1.1.1.1                        # hop-by-hop path, i.e. the routing lookup at each router
$ mtr 1.1.1.1                               # continuous traceroute with per-hop loss and latency
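What `ip route get` is doing, as an added Python example rather than anything from the lesson: parse an `ip route`-style table, pick the longest matching prefix (lowest metric on ties, which is also the answer to the /8 vs /24 question below), and resolve the next hop, refusing a `via` gateway that no on-link route can reach. The route table text, the wg0 interface and the 203.0.113.1 upstream gateway are constructed for the example; a real lookup also consults policy-routing rules and the source address, which this model ignores.

```python
"""Longest-prefix-match route lookup, modelling the decision behind `ip route get`:
the most specific matching prefix wins, equal lengths are broken by metric, and a
`via` gateway must itself be reachable through an on-link route. The table below
is constructed in `ip route` output format, not captured from a real host."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: IPv4Network
    dev: str
    via: Optional[str]  # None means on-link (directly connected)
    metric: int


# Constructed table: the lesson's router plus a wg0 tunnel carrying all of 10/8,
# so that 10.0.0.0/8 and 10.0.0.0/24 overlap the way the check-yourself question asks.
ROUTE_TABLE_TEXT = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0
10.0.0.0/24 dev eth1
10.0.0.0/8 dev wg0
10.1.0.0/24 via 10.0.0.2 dev eth1
10.1.0.0/24 via 10.0.0.3 dev eth1 metric 100
"""


def parse_route(line: str) -> Route:
    """Parse one `ip route` style line: '<prefix|default> [via GW] dev DEV [metric N]'."""
    toks = line.split()
    prefix = ip_network("0.0.0.0/0" if toks[0] == "default" else toks[0], strict=False)
    via = toks[toks.index("via") + 1] if "via" in toks else None
    dev = toks[toks.index("dev") + 1]
    metric = int(toks[toks.index("metric") + 1]) if "metric" in toks else 0
    return Route(prefix, dev, via, metric)


def parse_table(text: str) -> list[Route]:
    return [parse_route(line) for line in text.splitlines() if line.strip()]


def lookup(table: list[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefix lengths the lowest metric wins."""
    d = ip_address(dst)
    matches = [r for r in table if d in r.prefix]
    if not matches:
        return None  # no route, not even a default: the kernel says 'Network is unreachable'
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def next_hop(table: list[Route], dst: str) -> Optional[tuple[str, str]]:
    """Return (address to resolve at layer 2, interface): the gateway for `via`
    routes, the destination itself for on-link routes. A gateway that is not
    on-link anywhere makes the route unusable, the same condition that makes
    `ip route add ... via` fail with 'Nexthop has invalid gateway'."""
    r = lookup(table, dst)
    if r is None:
        return None
    if r.via is None:
        return dst, r.dev
    gw_route = lookup(table, r.via)
    if gw_route is None or gw_route.via is not None:
        raise ValueError(f"gateway {r.via} is not on-link")
    return r.via, r.dev


if __name__ == "__main__":
    table = parse_table(ROUTE_TABLE_TEXT)
    for dst in ("1.1.1.1", "10.0.0.77", "10.9.9.9", "10.1.0.5"):
        chosen = lookup(table, dst)
        print(f"{dst:12} -> {chosen.prefix} dev {chosen.dev} via {chosen.via}  next hop {next_hop(table, dst)}")
```

The /24 beats the /8 for 10.0.0.77 even though both match, which is the whole reason a more specific route can be used to steer one subnet away from a broad tunnel or default; 10.1.0.5 shows the second tie-breaker, where two equal-length routes are separated by metric alone.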
// check yourself
4 quick questions
Q1

Why does your home router rewrite the SOURCE address on outbound traffic?

Q2

What does a router need to remember so that a reply packet finds its way back to the correct inside host?

Q3

You want users on the internet to reach a web server you run at 10.0.0.10:8080. What's the move?

Q4

Two routes match a packet's destination: 10.0.0.0/8 via interface A and 10.0.0.0/24 via interface B. Which wins?

These aren't graded — they're just for active recall, which is what actually makes the lesson stick.

// now plan one

Subnet calculator

Carve a CIDR block, figure out where the network and broadcast live, list usable host range — all the layer-3 prep work before any NAT or routing rule makes sense.
