The Interview Question That Exposes Your Networking Gaps
You're in a Security Engineering interview. The interviewer shows you this diagram:
```
┌──────────────┐         ┌────────────────────┐         ┌────────────────┐         ┌──────────────┐
│ Developer    │         │ Office NAT         │         │ Router         │         │ File Server  │
│              ├────────►│                    ├────────►│                ├────────►│              │
│ 192.168.1.50 │         │ WAN: 198.51.100.10 │         │ 198.51.100.254 │         │ 20.0.0.100   │
│              │         │ LAN: 192.168.1.1   │         │                │         │              │
└──────────────┘         └────────────────────┘         └────────────────┘         └──────────────┘
```
Then they ask:
"The File Server has this iptables rule, but the Developer can't SSH in. Why?"
```bash
iptables -A INPUT -p tcp -s 192.168.1.50 --dport 22 -j ACCEPT
```
Can you answer this in 10 seconds?
If not, this article is for you. I've compiled 12 packet tracing problems that will permanently fix this gap in your knowledge.
The Core Insight
Most candidates fail this question because they don't understand one fundamental rule:
| Device Type | Changes Source/Dest IP? |
|---|---|
| NAT | ✅ Yes |
| Router | ❌ No |
| Firewall | ❌ No (filtering only) |
The File Server sees 198.51.100.10 (the NAT's public IP), not 192.168.1.50 (the Developer's private IP).
The fix:
```bash
iptables -A INPUT -p tcp -s 198.51.100.10 --dport 22 -j ACCEPT
```
This pattern appears in technical assessments at top security companies. Let's master it.
🎯 12 Packet Tracing Problems
These problems are modeled after real technical assessments used by top security teams.
Instructions:
- Time yourself: 30 minutes
- Passing score: 85%
- Answer key is at the bottom — no peeking!
Section A: Outbound NAT (SNAT/MASQUERADE)
Problem 1: Basic NAT
```
┌──────────────┐         ┌────────────────────┐         ┌────────────────┐
│ Client       │         │ NAT Router         │         │ Web Server     │
│              ├────────►│                    ├────────►│                │
│ 10.0.0.50    │         │ WAN: 203.0.113.5   │         │ 93.184.216.34  │
│              │         │ LAN: 10.0.0.1      │         │                │
└──────────────┘         └────────────────────┘         └────────────────┘
```
Client sends HTTP request to Web Server.
At Point A (Client → NAT Router):
- Source IP: __________
- Destination IP: __________
At Point B (NAT Router → Web Server):
- Source IP: __________
- Destination IP: __________
Problem 2: NAT + Router Chain
```
┌────────────────┐         ┌────────────────────┐         ┌────────────────┐         ┌──────────────┐
│ Workstation    │         │ NAT Router         │         │ Router         │         │ Server       │
│                ├────────►│                    ├────────►│                ├────────►│              │
│ 192.168.1.100  │         │ WAN: 74.125.1.1    │         │ 74.125.1.254   │         │ 8.8.8.8      │
│                │         │ LAN: 192.168.1.1   │         │                │         │              │
└────────────────┘         └────────────────────┘         └────────────────┘         └──────────────┘
```
Workstation sends DNS query to 8.8.8.8.
At Point A (Workstation → NAT Router):
- Source IP: __________
- Destination IP: __________
At Point B (NAT Router → Router):
- Source IP: __________
- Destination IP: __________
At Point C (Router → Server):
- Source IP: __________
- Destination IP: __________
Problem 3: Double NAT (Carrier-Grade NAT)
```
┌──────────────┐         ┌────────────────────┐         ┌────────────────────┐         ┌──────────────┐
│ Laptop       │         │ Home NAT           │         │ ISP NAT (CGNAT)    │         │ Server       │
│              ├────────►│                    ├────────►│                    ├────────►│              │
│ 192.168.0.25 │         │ WAN: 100.64.1.50   │         │ WAN: 52.1.2.3      │         │ 151.101.1.69 │
│              │         │ LAN: 192.168.0.1   │         │ LAN: 100.64.0.1    │         │              │
└──────────────┘         └────────────────────┘         └────────────────────┘         └──────────────┘
```
Laptop connects to Server (Double NAT scenario).
At Point A (Laptop → Home NAT):
- Source IP: __________
- Destination IP: __________
At Point B (Home NAT → ISP NAT):
- Source IP: __________
- Destination IP: __________
At Point C (ISP NAT → Server):
- Source IP: __________
- Destination IP: __________
What source IP does the Server see? __________
Section B: Inbound NAT (DNAT / Port Forwarding)
Problem 4: Basic DNAT
```
┌─────────────────┐         ┌────────────────────────┐         ┌──────────────┐
│ Internet Client │         │ NAT Router             │         │ Web Server   │
│                 ├────────►│                        ├────────►│              │
│ 72.45.67.89     │         │ WAN: 203.0.113.10      │         │ 10.0.0.100   │
│                 │         │ LAN: 10.0.0.1          │         │              │
│                 │         │ DNAT: 80→10.0.0.100:80 │         │              │
└─────────────────┘         └────────────────────────┘         └──────────────┘
```
Internet Client connects to http://203.0.113.10 (port 80).
At Point A (Client → NAT Router WAN):
- Source IP: __________
- Destination IP: __________
At Point B (NAT Router → Web Server):
- Source IP: __________
- Destination IP: __________
What source IP does the Web Server see? __________
Problem 5: DNAT Through Router (Security Scenario)
```
┌──────────────┐         ┌────────────────┐         ┌───────────────────────┐         ┌──────────────┐
│ Attacker     │         │ Router         │         │ Firewall (NAT)        │         │ SSH Server   │
│              ├────────►│                ├────────►│                       ├────────►│              │
│ 45.33.32.1   │         │ 45.33.32.254   │         │ WAN: 104.44.1.1       │         │ 10.0.0.50    │
│              │         │                │         │ DNAT: 22→10.0.0.50:22 │         │              │
└──────────────┘         └────────────────┘         └───────────────────────┘         └──────────────┘
```
Attacker attempts SSH to 104.44.1.1.
At Point A (Attacker → Router):
- Source IP: __________
- Destination IP: __________
At Point B (Router → Firewall):
- Source IP: __________
- Destination IP: __________
At Point C (Firewall → SSH Server):
- Source IP: __________
- Destination IP: __________
The SSH Server has this firewall rule:
```bash
iptables -A INPUT -p tcp -s 45.33.32.254 --dport 22 -j DROP
```
Will this block the attacker? __________
Why? __________
Section C: Firewall Troubleshooting
Problem 6: The Classic NAT Trap
```
┌──────────────┐         ┌────────────────────┐         ┌────────────────┐         ┌──────────────┐
│ Developer    │         │ Office NAT         │         │ Router         │         │ File Server  │
│              ├────────►│                    ├────────►│                ├────────►│              │
│ 192.168.1.50 │         │ WAN: 198.51.100.10 │         │ 198.51.100.254 │         │ 20.0.0.100   │
│              │         │ LAN: 192.168.1.1   │         │                │         │              │
└──────────────┘         └────────────────────┘         └────────────────┘         └──────────────┘
```
File Server has this iptables rule:
```bash
iptables -A INPUT -p tcp -s 192.168.1.50 --dport 22 -j ACCEPT
```
Will the Developer be able to SSH to the File Server? __________
What source IP does the File Server actually see? __________
Write the corrected iptables rule: __________
Problem 7: VPN Without NAT
```
┌──────────────┐         ┌──────────────┐         ┌──────────────┐
│ Admin        │         │ VPN GW       │         │ Server       │
│              ├─────────┤              ├────────►│              │
│ 10.8.0.50    │   VPN   │ 10.8.0.1     │         │ 172.16.0.10  │
│ (VPN tunnel) │         │ 172.16.0.1   │         │              │
└──────────────┘         └──────────────┘         └──────────────┘
```
Note: VPN Gateway does NOT NAT internal traffic.
Admin SSHs to Server (172.16.0.10).
What source IP does the Server see? __________
Server has firewall rule:
```bash
iptables -A INPUT -p tcp -s 10.8.0.0/24 --dport 22 -j ACCEPT
```
Will Admin be allowed to SSH? __________
Problem 8: Same Private IP, Different Offices
```
┌──────────────┐         ┌────────────────────┐         ┌──────────────┐         ┌──────────────┐
│ Seattle      │         │ Seattle            │         │              │         │              │
│ Developer    ├────────►│ NAT Router         ├────────►│ Internet     ├────────►│ Cloud LB     │
│ 192.168.1.75 │         │ WAN: 52.12.1.1     │         │              │         │ 35.200.1.1   │
└──────────────┘         └────────────────────┘         │              │         └──────┬───────┘
                                                        │              │                │
┌──────────────┐         ┌────────────────────┐         │              │         ┌──────▼───────┐
│ Austin       │         │ Austin             │         │              │         │ Backend      │
│ Developer    ├────────►│ NAT Router         ├────────►│              │         │ Server       │
│ 192.168.1.75 │         │ WAN: 104.210.1.1   │         │              │         │ 10.0.0.50    │
└──────────────┘         └────────────────────┘         └──────────────┘         └──────────────┘
```
Note: Both developers have the SAME private IP (192.168.1.75) - different offices.
Cloud Load Balancer DNATs to Backend Server.
Backend Server has this firewall rule:
```bash
iptables -A INPUT -p tcp -s 192.168.1.75 --dport 443 -j ACCEPT
```
Will Seattle Developer connect? __________
Will Austin Developer connect? __________
What two source IPs does Backend Server actually see?
- Seattle: __________
- Austin: __________
Write corrected firewall rules to allow both offices: __________
Problem 9: IP Allowlisting
```
┌──────────────┐         ┌────────────────────┐         ┌──────────────┐
│ App Server   │         │ NAT Gateway        │         │ External API │
│              ├────────►│                    ├────────►│              │
│ 10.0.2.50    │         │ priv: 10.0.2.1     │         │ 151.101.1.1  │
│              │         │ pub: 54.23.45.67   │         │              │
└──────────────┘         └────────────────────┘         └──────────────┘
```
App Server makes HTTPS request to External API.
What source IP does External API see? __________
External API has allowlist:
Allowed IPs: 54.23.45.67, 54.23.45.68
Will the request succeed? __________
Problem 10: Blocking a Scanner (The Trap)
```
┌───────────────────┐         ┌─────────────────┐         ┌─────────────────────┐         ┌──────────────┐
│ Malicious Scanner │         │ Router (no NAT) │         │ Firewall (NAT)      │         │ Web Server   │
│                   ├────────►│                 ├────────►│                     ├────────►│              │
│ 45.33.32.1        │         │ 45.33.32.254    │         │ WAN: 104.44.1.1     │         │ 10.0.0.80    │
│                   │         │                 │         │ DNAT: 443→10.0.0.80 │         │              │
└───────────────────┘         └─────────────────┘         └─────────────────────┘         └──────────────┘
```
Web Server has this firewall rule to block the scanner:
iptables -A INPUT -s 45.33.32.254 -j DROP
Will this rule block the scanner? __________
What source IP does the Web Server see? __________
Write the corrected blocking rule: __________
Section D: Return Traffic
Problem 11: Outbound Return Path
```
┌──────────────┐         ┌────────────────────┐         ┌────────────────┐
│ Client       │         │ NAT Router         │         │ Server         │
│              │◄────────┤                    │◄────────┤                │
│ 10.0.0.50    │         │ WAN: 203.0.113.5   │         │ 93.184.216.34  │
│              │         │ LAN: 10.0.0.1      │         │                │
└──────────────┘         └────────────────────┘         └────────────────┘
```
Server sends HTTP response back to Client.
At Point A (Server → NAT Router):
- Source IP: __________
- Destination IP: __________
At Point B (NAT Router → Client):
- Source IP: __________
- Destination IP: __________
What changes the destination IP from 203.0.113.5 to 10.0.0.50? __________
Problem 12: DNAT Return Path
```
┌─────────────────┐         ┌─────────────────────┐         ┌──────────────┐
│ Internet Client │         │ Firewall (NAT)      │         │ Web Server   │
│                 │◄────────┤                     │◄────────┤              │
│ 72.45.67.89     │         │ DNAT: 80→10.0.0.100 │         │ 10.0.0.100   │
│                 │         │ WAN: 203.0.113.10   │         │              │
└─────────────────┘         └─────────────────────┘         └──────────────┘
```
Web Server sends HTTP response back to Internet Client.
At Point A (Web Server → Firewall):
- Source IP: __________
- Destination IP: __________
At Point B (Firewall → Internet Client):
- Source IP: __________
- Destination IP: __________
Answer Key
Section A: Outbound NAT
Problem 1
- Point A: SRC=10.0.0.50, DST=93.184.216.34
- Point B: SRC=203.0.113.5, DST=93.184.216.34
Key insight: NAT changes the source IP. Destination stays the same.
Problem 2
- Point A: SRC=192.168.1.100, DST=8.8.8.8
- Point B: SRC=74.125.1.1, DST=8.8.8.8
- Point C: SRC=74.125.1.1, DST=8.8.8.8
Key insight: The Router doesn't change the source IP—only NAT does.
Problem 3
- Point A: SRC=192.168.0.25, DST=151.101.1.69
- Point B: SRC=100.64.1.50, DST=151.101.1.69
- Point C: SRC=52.1.2.3, DST=151.101.1.69
- Server sees: 52.1.2.3
Key insight: Each NAT changes the source IP. Two NATs = two translations.
Section B: Inbound NAT
Problem 4
- Point A: SRC=72.45.67.89, DST=203.0.113.10
- Point B: SRC=72.45.67.89, DST=10.0.0.100
- Web Server sees: 72.45.67.89
Key insight: DNAT changes the destination, not the source. The client's real IP survives.
Problem 5
- Point A: SRC=45.33.32.1, DST=104.44.1.1
- Point B: SRC=45.33.32.1, DST=104.44.1.1
- Point C: SRC=45.33.32.1, DST=10.0.0.50
- Will it block? NO
- Why? The rule blocks 45.33.32.254 (the router), but the attacker's real IP is 45.33.32.1. Routers don't change source IPs.
Correct rule:
```bash
iptables -A INPUT -p tcp -s 45.33.32.1 --dport 22 -j DROP
```
Section C: Firewall Troubleshooting
Problem 6
- Will Developer SSH? NO
- File Server sees: 198.51.100.10
- Corrected rule:
```bash
iptables -A INPUT -p tcp -s 198.51.100.10 --dport 22 -j ACCEPT
```
This is the #1 interview question pattern. Private IPs don't survive NAT.
Problem 7
- Server sees: 10.8.0.50
- Will Admin SSH? YES (10.8.0.50 is within 10.8.0.0/24)
Key insight: Without NAT, the original source IP is preserved.
Problem 8
- Seattle connect? NO
- Austin connect? NO
- Backend Server sees:
  - Seattle: 52.12.1.1
  - Austin: 104.210.1.1
- Corrected rules:
```bash
iptables -A INPUT -p tcp -s 52.12.1.1 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 104.210.1.1 --dport 443 -j ACCEPT
```
Key insight: Same private IP in different offices = different public IPs after NAT.
Problem 9
- External API sees: 54.23.45.67
- Will request succeed? YES (54.23.45.67 is in the allowlist)
Real-world application: This is why companies give their NAT Gateway IPs to third-party APIs.
Problem 10
- Will it block? NO
- Web Server sees: 45.33.32.1
- Corrected rule:
iptables -A INPUT -s 45.33.32.1 -j DROP
The trap: Routers don't change source IPs. The scanner's real IP passes through.
Section D: Return Traffic
Problem 11
- Point A: SRC=93.184.216.34, DST=203.0.113.5
- Point B: SRC=93.184.216.34, DST=10.0.0.50
- What changes it? NAT connection tracking (conntrack)
Key insight: NAT remembers the original mapping and reverses it for return traffic.
Problem 12
- Point A: SRC=10.0.0.100, DST=72.45.67.89
- Point B: SRC=203.0.113.10, DST=72.45.67.89
Key insight: Conntrack reverses DNAT—the source IP changes back to the public IP so the client recognizes the response.
Scoring
| Section | Questions | Points |
|---|---|---|
| A: Outbound NAT | Q1-Q3 | 30 |
| B: Inbound NAT | Q4-Q5 | 20 |
| C: Troubleshooting | Q6-Q10 | 40 |
| D: Return Traffic | Q11-Q12 | 10 |
Total: 100 points
Passing: 85 points
The Golden Rules
| Rule | Explanation |
|---|---|
| NAT changes source (outbound) | SNAT/MASQUERADE rewrites source IP |
| NAT changes destination (inbound) | DNAT rewrites destination IP |
| Routers DON'T change IPs | They only forward packets |
| Source survives DNAT | Attacker's real IP reaches the server |
| Conntrack reverses translations | Return traffic is automatically handled |
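
The rules in this table can be checked mechanically. The Python sketch below is an added example, not code from the original article: it models routers and NAT devices as hops, replays the opening Developer → File Server scenario, and tests what a source-match rule sees on arrival. The names `Packet`, `Router`, `Nat`, `trace`, `trace_reply` and `source_rule_matches` are hypothetical, and the model tracks addresses only (ports are never translated).

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:  # simplified model (illustrative names): ports are never translated
    src: str
    dst: str
    dport: int

class Router:  # forwards only: addresses pass through untouched both ways
    def forward(self, pkt): return pkt
    def reply(self, pkt): return pkt

class Nat:
    """DNAT for configured port-forwards, SNAT for everything else."""
    def __init__(self, wan, forwards=None):
        self.wan, self.forwards = wan, forwards or {}  # forwards: dport -> internal IP
        self.conntrack = {}  # translated (src, dst) -> original (src, dst)

    def forward(self, pkt):
        if pkt.dst == self.wan and pkt.dport in self.forwards:
            out = replace(pkt, dst=self.forwards[pkt.dport])  # DNAT: source survives
        else:
            out = replace(pkt, src=self.wan)  # SNAT: private source is hidden
        self.conntrack[(out.src, out.dst)] = (pkt.src, pkt.dst)
        return out

    def reply(self, pkt):
        # A reply carries the translated pair swapped; restore the original pair, swapped.
        orig_src, orig_dst = self.conntrack[(pkt.dst, pkt.src)]
        return replace(pkt, src=orig_dst, dst=orig_src)

def trace(pkt, hops):  # the packet as seen on each link, sender's link first
    seen = [pkt]
    for hop in hops:
        seen.append(hop.forward(seen[-1]))
    return seen

def trace_reply(pkt, hops):  # walk the reply back through the hops in reverse
    for hop in reversed(hops):
        pkt = hop.reply(pkt)
    return pkt

def source_rule_matches(rule_src, pkt):  # what `-s rule_src` tests on arrival
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule_src)

if __name__ == "__main__":  # constructed input: the article's opening scenario
    seen = trace(Packet("192.168.1.50", "20.0.0.100", 22), [Nat("198.51.100.10"), Router()])
    print([p.src for p in seen], source_rule_matches("192.168.1.50", seen[-1]))
```

Passing a `forwards` mapping such as `{22: "10.0.0.50"}` to `Nat` models a port-forward, which makes the DNAT and return-path problems traceable the same way.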
Next Steps
If you scored below 85%, review the problems you missed and retry in 24 hours. Spaced repetition is key.