The first post in a series about network address translation (NAT). Part 1 shows how to use the iptables/nftables packet tracing feature to find the source of NAT-related connectivity problems.
Network address translation is one way to expose containers or virtual machines to the wider internet. Incoming connection requests have their destination address rewritten to a different one. Packets are then routed to a container or virtual machine instead. The same technique can be used for load-balancing where incoming connections get distributed among a pool of machines.
Connection requests fail when network address translation is not working as expected: the wrong service is exposed, connections end up in the wrong container, requests time out, and so on. One way to debug such problems is to check that the incoming request matches the expected or configured translation.
NAT involves more than just changing the IP addresses or port numbers. For instance, when mapping address X to Y there is no need to add a rule to do the reverse translation. A netfilter subsystem called "conntrack" recognizes packets that are replies to an existing connection. Each connection has its own NAT state attached to it, and reverse translation is done automatically.
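As an added illustration of both points (a single forward mapping suffices, and the trace feature shows which translation a packet actually hit), here is a small nftables ruleset that is not from the post. It assumes a host with public address 198.51.100.10 on eth0 and a container at 10.0.0.2 serving on port 8080; both addresses are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumed layout: host public
# address 198.51.100.10 (eth0), container 10.0.0.2 serving on port 8080,
# exposed on the host's port 80.
# Replaces the current ruleset; drop this line to merge into an existing one.
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Forward mapping only. conntrack attaches the NAT state to the
        # connection and rewrites replies (10.0.0.2:8080 -> 198.51.100.10:80)
        # on its own; no reverse rule is needed.
        ip daddr 198.51.100.10 tcp dport 80 dnat to 10.0.0.2:8080
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound connections from containers use the host address as source.
        ip saddr 10.0.0.0/24 oifname "eth0" masquerade
    }
}

table ip trace {
    chain prerouting {
        # Raw priority runs before the nat hook, so the trace shows the packet
        # before translation and later hooks show it after translation.
        type filter hook prerouting priority raw; policy accept;
        # Trace only the suspect traffic; tracing everything is very noisy.
        ip daddr 198.51.100.10 tcp dport 80 meta nftrace set 1
    }
}

# Load with:   nft -f nat-trace.nft
# Then watch:  nft monitor trace
# Each traced packet prints the rule it matched in every chain it traverses;
# trace lines from hooks after prerouting carry the translated destination.
# To confirm conntrack recorded both directions of the connection:
#   conntrack -L -p tcp --dport 80
```

If the trace shows the packet skipping the dnat rule, the match expression (address, port or interface) is the problem, not conntrack; if it matches but replies still fail, check the conntrack entry and the reverse path.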