FreeBSD Manual Pages
UNTITLED() LOCAL UNTITLED() NAME natd -- Network Address Translation Daemon SYNOPSIS natd [-ldsmvu] [-dynamic] [-i inport] [-o outport] [-p port] [-a address] [-n interface] [-f configfile] natd [-log] [-deny_incoming] [-log_denied] [-use_sockets] [-same_ports] [-verbose] [-log_facility facility_name] [-unregistered_only] [-dynamic] [-inport inport] [-outport outport] [-port port] [-alias_address address] [-interface interface] [-config configfile] [-redirect_port linkspec] [-redirect_address localIP publicIP] [-reverse] [-proxy_only] [-proxy_rule proxyspec] [-pptpalias localIP] DESCRIPTION This program provides a Network Address Translation facility for use with divert(4) sockets under FreeBSD. It is intended for use with NICs - if you want to do NAT on a PPP link, use the -nat switch to ppp(8). Natd normally runs in the background as a daemon. It is passed raw IP packets as they travel into and out of the machine, and will possibly change these before re-injecting them back into the IP packet stream. Natd changes all packets destined for another host so that their source IP number is that of the current machine. For each packet changed in this manner, an internal table entry is created to record this fact. The source port number is also changed to indicate the table entry ap- plying to the packet. Packets that are received with a target IP of the current host are checked against this internal table. If an entry is found, it is used to determine the correct target IP number and port to place in the packet. The following command line options are available. -log | -l Log various aliasing statistics and information to the file /var/log/alias.log. This file is truncated each time natd is started. -deny_incoming | -d Reject packets destined for the current IP number that have no entry in the internal translation table. -log_denied Log denied incoming packets via syslog (see also log_facil- ity) -log_facility facility_name Use specified log facility when logging information via syslog. Facility names are as in syslog.conf(5) -use_sockets | -s Allocate a socket(2) in order to establish an FTP data or IRC DCC send connection. This option uses more system re- sources, but guarantees successful connections when port numbers conflict. -same_ports | -m Try to keep the same port number when altering outgoing packets. With this option, protocols such as RPC will have a better chance of working. If it is not possible to main- tain the port number, it will be silently changed as per normal. -verbose | -v Don't call fork(2) or daemon(3) on startup. Instead, stay attached to the controling terminal and display all packet alterations to the standard output. This option should only be used for debugging purposes. -unregistered_only | -u Only alter outgoing packets with an unregistered source ad- dress. According to rfc 1918, unregistered source ad- dresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. -redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]] Redirect incoming connections arriving to given port(s) to another host and port(s). Proto is either tcp or udp, tar- getIP is the desired target IP number, targetPORT is the desired target PORT number or range, aliasPORT is the re- quested PORT number or range, and aliasIP is the aliasing address. RemoteIP and remotePORT can be used to specify the connection more accurately if necessary. The target- PORT range and aliasPORT range need not be the same numeri- cally, but must have the same size. If remotePORT is not specified, it is assumed to be all ports. If remotePORT is specified, it must match the size of targetPORT, or be 0 (all ports). For example, the argument tcp inside1:telnet 6666 means that incoming tcp packets destined for port 6666 on this machine will be sent to the telnet port on the inside1 machine. tcp inside2:2300-2399 3300-3399 will redirect incoming connections on ports 3300-3399 to host inside2, ports 2300-2399. The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc. -redirect_address localIP publicIP Redirect traffic for public IP address to a machine on the local network. This function is known as "static NAT". Normally static NAT is useful if your ISP has allocated a small block of IP addresses to you, but it can even be used in the case of single address: redirect_address 10.0.0.8 0.0.0.0 The above command would redirect all incoming traffic to machine 10.0.0.8. If several address aliases specify the same public address as follows redirect_address 192.168.0.2 public_addr redirect_address 192.168.0.3 public_addr redirect_address 192.168.0.4 public_addr the incoming traffic will be directed to the last trans- lated local address (192.168.0.4), but outgoing traffic to the first two addresses will still be aliased to specified public address. -dynamic If the -n or -interface option is used, natd will monitor the routing socket for alterations to the interface passed. If the interfaces IP number is changed, natd will dynami- cally alter its concept of the alias address. -i | -inport inport Read from and write to inport, treating all packets as packets coming into the machine. -o | -outport outport Read from and write to outport, treating all packets as packets going out of the machine. -p | -port port Read from and write to port, distinguishing packets as in- coming our outgoing using the rules specified in divert(4). If port is not numeric, it is searched for in the /etc/services database using the getservbyname(3) function. If this flag is not specified, the divert port named natd will be used as a default. An example entry in the /etc/services database would be: natd 8668/divert # Network Address Translation socket Refer to services(5) for further details. -a | -alias_address address Use address as the alias address. If this option is not specified, the -n or -interface option must be used. The specified address should be the address assigned to the public network interface. All data passing out through this addresses interface will be rewritten with a source address equal to address. All data arriving at the interface from outside will be checked to see if it matches any already-aliased outgoing connec- tion. If it does, the packet is altered accordingly. If not, all -redirect_port and -redirect_address assignments are checked and actioned. If no other action can be made, and if -deny_incoming is not specified, the packet is de- livered to the local machine and port as specified in the packet. -n | -interface interface Use interface to determine the alias address. If there is a possibility that the IP number associated with interface may change, the -dynamic flag should also be used. If this option is not specified, the -a or -alias_address flag must be used. The specified interface must be the public network inter- face. -f | -config configfile Read configuration from configfile. Configfile contains a list of options, one per line in the same form as the long form of the above command line flags. For example, the line alias_address 158.152.17.1 would specify an alias address of 158.152.17.1. Options that don't take an argument are specified with an option of yes or no in the configuration file. For example, the line log yes is synonomous with -log. Trailing spaces and empty lines are ignored. A `#' sign will mark the rest of the line as a comment. -reverse Reverse operation of natd. This can be useful in some transparent proxying situations when outgoing traffic is redirected to the local machine and natd is running on the incoming interface (it usually runs on the outgoing inter- face). -proxy_only Force natd to perform transparent proxying only. Normal address translation is not performed. -proxy_rule [type encode_ip_hdr|encode_tcp_stream] port xxxx server a.b.c.d:yyyy Enable transparent proxying. Packets with the given port going through this host to any other host are redirected to the given server and port. Optionally, the original target address can be encoded into the packet. Use "encode_ip_hdr" to put this information into the IP option field or "encode_tcp_stream" to inject the data into the beginning of the TCP stream. -pptpalias localIP Allow PPTP packets to go to the defined localIP address. PPTP is a VPN or secure IP tunneling technology being de- veloped primarily by Microsoft. For its encrypted traffic, it uses an old IP encapsulation protocol called GRE (47). This natd option will translate any traffic of this proto- col to a single, specified IP address. This would allow either one client or one server to be serviced with natd. If you are setting up a server, don't forget to allow the TCP traffic for the PPTP setup. For a client or server, you must allow GRE (protocol 47) if you have firewall lists active. RUNNING NATD The following steps are necessary before attempting to run natd: 1. Get FreeBSD version 2.2 or higher. Versions before this do not support divert(4) sockets. 2. Build a custom kernel with the following options: options IPFIREWALL options IPDIVERT Refer to the handbook for detailed instructions on building a cus- tom kernel. 3. Ensure that your machine is acting as a gateway. This can be done by specifying the line gateway_enable=YES in /etc/rc.conf, or using the command sysctl -w net.inet.ip.forwarding=1 4. If you wish to use the -n or -interface flags, make sure that your interface is already configured. If, for example, you wish to specify tun0 as your interface, and you're using ppp(8) on that interface, you must make sure that you start ppp prior to starting natd. 5. Create an entry in /etc/services: natd 8668/divert # Network Address Translation socket This gives a default for the -p or -port flag. Running natd is fairly straight forward. The line natd -interface ed0 should suffice in most cases (substituting the correct interface name). Once natd is running, you must ensure that traffic is diverted to natd: 1. You will need to adjust the /etc/rc.firewall script to taste. If you're not interested in having a firewall, the following lines will do: /sbin/ipfw -f flush /sbin/ipfw add divert natd all from any to any via ed0 /sbin/ipfw add pass all from any to any The second line depends on your interface (change ed0 as appropri- ate) and assumes that you've updated /etc/services with the natd entry as above. If you specify real firewall rules, it's best to specify line 2 at the start of the script so that natd sees all packets before they are dropped by the firewall. After translation by natd, packets re-enter the firewall at the rule number following the rule number that caused the diversion (not the next rule if there are several at the same number). 2. Enable your firewall by setting firewall_enable=YES in /etc/rc.conf. This tells the system startup scripts to run the /etc/rc.firewall script. If you don't wish to reboot now, just run this by hand from the console. NEVER run this from a virtual session unless you put it into the background. If you do, you'll lock yourself out after the flush takes place, and execution of /etc/rc.firewall will stop at this point - blocking all accesses permanently. Running the script in the background should be enough to prevent this disaster. SEE ALSO socket(2), getservbyname(3), divert(4), services(5), ipfw(8) AUTHORS This program is the result of the efforts of many people at different times: Archie Cobbs <archie@whistle.com> (divert sockets) Charles Mott <cmott@srv.net> (packet aliasing) Eivind Eklund <perhaps@yes.no> (IRC support & misc additions) Ari Suutari <suutari@iki.fi> (natd) Dru Nelson <dnelson@redwoodsoft.com> (PPTP support) Brian Somers <brian@awfulhak.org> (glue) FreeBSD 15 April 1997 NATD(8)
NAME | SYNOPSIS | DESCRIPTION | RUNNING NATD | SEE ALSO | AUTHORS
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=natd&manpath=FreeBSD+4.0-RELEASE>