Normally, packets on a network travel from their source (such as your
home computer) to their destination (such as www.gnumonks.org)
through many different links: about 19 from where I am in Australia.
None of these links really alter your packet: they just send it
onward.
If one of these links were to do NAT, then it would alter the source
or destination of the packet as it passes through. As you can
imagine, this is not how the system was designed to work, and hence
NAT is always something of a crock. Usually the link doing NAT will
remember how it mangled a packet, and when a reply packet passes
through the other way, it will do the reverse mangling on that reply
packet, so everything works.
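The remembering and reverse mangling described above, as an added Python sketch (not code from this document or from the Linux kernel). It is a toy source-NAT table; the class and method names, the addresses and the starting port 61000 are all assumptions made for illustration.

```python
# Added example (not kernel code); names and addresses are constructed.
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Rewrites the source of outbound packets and undoes it on replies."""

    def __init__(self, public_ip: str, first_port: int = 61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (inside src, sport, dst, dport) -> public port
        self.back = {}  # (public port, remote ip, remote port) -> (inside ip, port)

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out:
            # First packet of a connection: pick a port and remember the mapping.
            self.out[key] = self.next_port
            self.back[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        # A reply is recognised only if it matches a remembered mapping.
        orig = self.back.get((p.dport, p.src, p.sport))
        if p.dst != self.public_ip or orig is None:
            return None  # nothing remembered: no reverse mangling possible
        return Packet(p.src, p.sport, orig[0], orig[1])


def demo():
    nat = SourceNat("203.0.113.5")
    a = nat.outbound(Packet("192.168.1.10", 40000, "198.51.100.7", 80))
    b = nat.outbound(Packet("192.168.1.11", 40000, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, a.src, a.sport))
    stray = nat.inbound(Packet("198.51.100.99", 80, a.src, a.sport))
    return a, b, reply, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two inside machines using the same source port get distinct public ports, and a packet from a host that was never contacted matches no remembered mapping, so it is not translated.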
In a perfect world, you wouldn't. Meanwhile, the main reasons are:
Modem Connections To The Internet
Most ISPs give you a single IP
address when you dial up to them. You can send out packets with any
source address you want, but only replies to packets with this source
IP address will return to you. If you want to use multiple different
machines (such as a home network) to connect to the Internet through
this one link, you'll need NAT.
This is by far the most common use of NAT today, commonly known as
`masquerading' in the Linux world. I call this SNAT, because you
change the source address of the first packet.
Multiple Servers
Sometimes you want to change where packets
heading into your network will go. Frequently this is because (as
above), you have only one IP address, but you want people to be able
to get into the boxes behind the one with the `real' IP address. If
you rewrite the destination of incoming packets, you can manage this.
This type of NAT was called port-forwarding under previous versions of
Linux.
A common variation of this is load-sharing, where the mapping
ranges over a set of machines, fanning packets out to them. If you're
doing this on a serious scale, you may want to look at
Sometimes you want to pretend that each
packet which passes through your Linux box is destined for a program
on the Linux box itself. This is used to make transparent proxies: a
proxy is a program which stands between your network and the outside
world, shuffling communication between the two. The transparent part
is because your network won't even know it's talking to a proxy,
unless of course, the proxy doesn't work.
Squid can be configured to work this way, and it is called
redirection or transparent proxying under previous Linux versions.