For any TCP or UDP connection, there are four components that make up an addressing of a packet. The source IP address, the destination IP address, the source port, and the destination port.
The destination IP is the server to which you are connecting, and the destination port is the port you are connecting to, such as TCP port 80 for an http connection. The source port is "ephemeral", meaning that it is chosen from a range and has no specific meaning. The range is between 1024-65535. The port selection is dependent on the OS, but it doesn't matter too much which port is chosen.
The source IP address is the PC originating the connection. So let's say the connection is to 222.222.222.222:80 and we have two PCs internally connecting to this IP address, 10.1.1.1 and 10.1.1.2.
So as the packets originate they may be addressed like this:
10.1.1.1:3434 -> 222.222.222.222:80
10.1.1.2:5455 -> 222.222.222.222:80
Response packets are reversed, like this:
222.222.222.222:80 -> 10.1.1.1:3434
222.222.222.222:80 -> 10.1.1.2:5455
So we can see that the source port is what allows the return packet to get to the originator.
When we pass through a NAT router, the source IP is changed to the IP of the router - in this case 111.111.111.111. So the packets look like this:
111.111.111.111:3434 -> 222.222.222.222:80
111.111.111.111:5455 -> 222.222.222.222:80
So provided the router keeps track of the source port of a connection, then it knows that response packets to port 3434 should be sent to 10.1.1.1. This is the NAT translation table.
But what if both of our PCs happened to choose the same source port?
10.1.1.1:3434 -> 222.222.222.222:80
10.1.1.2:3434 -> 222.222.222.222:80
The NATted packets would look like this:
111.111.111.111:3434 -> 222.222.222.222:80
111.111.111.111:3434 -> 222.222.222.222:80
So a response packet to 3434 intended for 10.1.1.1 is indistinguishable from one intended for 10.1.1.2.
To get around this, the router will not only change the source IP address, but also the source port. Then the router can ensure that every outgoing connection has a unique source port, and keeps a translation table to change both the IP and port of the response packets so they are sent to the right originator.
To answer your security question, realistically, the router only needs to alter the source port in the event of a collision, however most will alter the source port in every case, and choose a random source port. This makes it difficult to predict what the next chosen source port might be, and makes it more difficult for an attacker to inject packets into the sequence.
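The translation table described in this answer, as an added example that is not part of the original post: a small NAPT model in which two internal hosts both pick source port 3434, the router assigns each flow a distinct random public port, and replies are mapped back to the right originator (the class and function names are my own, not any router's API).

```python
import random

# Constructed example: a port-translating NAT with the addresses from the answer.
ROUTER_IP = "111.111.111.111"


class Napt:
    def __init__(self, public_ip=ROUTER_IP, seed=None):
        self.public_ip = public_ip
        self.rng = random.Random(seed)
        # (internal_ip, internal_port, dst_ip, dst_port) -> public_port
        self.out = {}
        # public_port -> (internal_ip, internal_port, dst_ip, dst_port)
        self.table = {}

    def _pick_port(self):
        # Draw from the ephemeral range at random so the next mapping is hard
        # to guess; retry on the rare collision with an existing entry.
        while True:
            port = self.rng.randint(1024, 65535)
            if port not in self.table:
                return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet. Returns (public_ip, public_port, dst_ip, dst_port)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:  # new flow: allocate a unique public port
            port = self._pick_port()
            self.out[key] = port
            self.table[port] = key
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Map a reply back to the internal host, or return None to drop it."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None  # no flow owns this port
        internal_ip, internal_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None  # reply did not come from the endpoint this flow talks to
        return (src_ip, src_port, internal_ip, internal_port)


def collision_demo(seed=1):
    """Both PCs choose 3434; show the public ports differ and replies route back."""
    nat = Napt(seed=seed)
    a = nat.outbound("10.1.1.1", 3434, "222.222.222.222", 80)
    b = nat.outbound("10.1.1.2", 3434, "222.222.222.222", 80)
    back_a = nat.inbound("222.222.222.222", 80, a[1])
    back_b = nat.inbound("222.222.222.222", 80, b[1])
    return a, b, back_a, back_b
```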
Please re-define your question. It sounds like you're trying to ask too many questions without a proper explanation. As you can see from the answers everyone has made a lot of assumptions. – onxx – 2012-05-15T02:21:36.313
Next to the question in the title I would like someone to explain the necessary details to understand how the gateway can distinguish which computer an incoming packet is meant for. – Bentley4 – 2012-05-15T08:24:58.033