NATD(8)                              LOCAL                              NATD(8)

NAME
       natd -- Network Address Translation Daemon

SYNOPSIS
       natd [-ldsmvu] [-dynamic] [-i inport] [-o outport] [-p port]
            [-a address] [-n interface] [-f configfile]

       natd [-log] [-deny_incoming] [-log_denied] [-use_sockets] [-same_ports]
            [-verbose] [-log_facility facility_name] [-unregistered_only]
            [-dynamic] [-inport inport] [-outport outport] [-port port]
            [-alias_address address] [-interface interface]
            [-config configfile] [-redirect_port linkspec]
            [-redirect_address localIP publicIP] [-reverse] [-proxy_only]
            [-proxy_rule proxyspec] [-pptpalias localIP]

DESCRIPTION
       This program provides a Network Address Translation facility for use
       with divert(4) sockets under FreeBSD.  It is intended for use with NICs
       - if you want to do NAT on a PPP link, use the -nat switch to ppp(8).

       Natd normally runs in the background as a daemon.  It is passed raw IP
       packets as they travel into and out of the machine, and will possibly
       change these before re-injecting them back into the IP packet stream.

       Natd changes all packets destined for another host so that their source
       IP number is that of the current machine.  For each packet changed in
       this manner, an internal table entry is created to record this fact.
       The source port number is also changed to indicate the table entry
       applying to the packet.  Packets that are received with a target IP of
       the current host are checked against this internal table.  If an entry
       is found, it is used to determine the correct target IP number and port
       to place in the packet.

       The following command line options are available.

       -log | -l   Log various aliasing statistics and information to the file
                   /var/log/alias.log.  This file is truncated each time natd
                   is started.

       -deny_incoming | -d
                   Reject packets destined for the current IP number that have
                   no entry in the internal translation table.

       -log_denied
                   Log denied incoming packets via syslog (see also
                   -log_facility).

       -log_facility facility_name
                   Use the specified log facility when logging information via
                   syslog.  Facility names are as in syslog.conf(5).

       -use_sockets | -s
                   Allocate a socket(2) in order to establish an FTP data or
                   IRC DCC send connection.  This option uses more system
                   resources, but guarantees successful connections when port
                   numbers conflict.

       -same_ports | -m
                   Try to keep the same port number when altering outgoing
                   packets.  With this option, protocols such as RPC will have
                   a better chance of working.  If it is not possible to
                   maintain the port number, it will be silently changed as
                   per normal.

       -verbose | -v
                   Don't call fork(2) or daemon(3) on startup.  Instead, stay
                   attached to the controlling terminal and display all packet
                   alterations on the standard output.  This option should
                   only be used for debugging purposes.

       -unregistered_only | -u
                   Only alter outgoing packets with an unregistered source
                   address.  According to RFC 1918, unregistered source
                   addresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

       -redirect_port proto targetIP:targetPORT[-targetPORT]
                   [aliasIP:]aliasPORT[-aliasPORT]
                   [remoteIP[:remotePORT[-remotePORT]]]
                   Redirect incoming connections arriving to given port(s) to
                   another host and port(s).  Proto is either tcp or udp,
                   targetIP is the desired target IP number, targetPORT is the
                   desired target PORT number or range, aliasPORT is the
                   requested PORT number or range, and aliasIP is the aliasing
                   address.  RemoteIP and remotePORT can be used to specify
                   the connection more accurately if necessary.  The
                   targetPORT range and aliasPORT range need not be the same
                   numerically, but must have the same size.  If remotePORT is
                   not specified, it is assumed to be all ports.  If remotePORT
                   is specified, it must match the size of targetPORT, or be 0
                   (all ports).  For example, the argument

                         tcp inside1:telnet 6666

                   means that incoming tcp packets destined for port 6666 on
                   this machine will be sent to the telnet port on the inside1
                   machine.

                         tcp inside2:2300-2399 3300-3399

                   will redirect incoming connections on ports 3300-3399 to
                   host inside2, ports 2300-2399.  The mapping is 1:1 meaning
                   port 3300 maps to 2300, 3301 maps to 2301, etc.

       -redirect_address localIP publicIP
                   Redirect traffic for public IP address to a machine on the
                   local network.  This function is known as "static NAT".
                   Normally static NAT is useful if your ISP has allocated a
                   small block of IP addresses to you, but it can even be used
                   in the case of a single address:

                     redirect_address 10.0.0.8 0.0.0.0

                   The above command would redirect all incoming traffic to
                   machine 10.0.0.8.

                   If several address aliases specify the same public address
                   as follows

                     redirect_address 192.168.0.2 public_addr
                     redirect_address 192.168.0.3 public_addr
                     redirect_address 192.168.0.4 public_addr

                   the incoming traffic will be directed to the last
                   translated local address (192.168.0.4), but outgoing traffic
                   to the first two addresses will still be aliased to the
                   specified public address.

       -dynamic    If the -n or -interface option is used, natd will monitor
                   the routing socket for alterations to the interface passed.
                   If the interface's IP number is changed, natd will
                   dynamically alter its concept of the alias address.

       -i | -inport inport
                   Read from and write to inport, treating all packets as
                   packets coming into the machine.

       -o | -outport outport
                   Read from and write to outport, treating all packets as
                   packets going out of the machine.

       -p | -port port
                   Read from and write to port, distinguishing packets as
                   incoming or outgoing using the rules specified in divert(4).
                   If port is not numeric, it is searched for in the
                   /etc/services database using the getservbyname(3) function.
                   If this flag is not specified, the divert port named natd
                   will be used as a default.  An example entry in the
                   /etc/services database would be:

                     natd   8668/divert  # Network Address Translation socket

                   Refer to services(5) for further details.

       -a | -alias_address address
                   Use address as the alias address.  If this option is not
                   specified, the -n or -interface option must be used.  The
                   specified address should be the address assigned to the
                   public network interface.

                   All data passing out through this address's interface will
                   be rewritten with a source address equal to address.  All
                   data arriving at the interface from outside will be checked
                   to see if it matches any already-aliased outgoing
                   connection.  If it does, the packet is altered accordingly.
                   If not, all -redirect_port and -redirect_address
                   assignments are checked and actioned.  If no other action
                   can be made, and if -deny_incoming is not specified, the
                   packet is delivered to the local machine and port as
                   specified in the packet.

       -n | -interface interface
                   Use interface to determine the alias address.  If there is
                   a possibility that the IP number associated with interface
                   may change, the -dynamic flag should also be used.  If this
                   option is not specified, the -a or -alias_address flag must
                   be used.

                   The specified interface must be the public network
                   interface.

       -f | -config configfile
                   Read configuration from configfile.  Configfile contains a
                   list of options, one per line, in the same form as the long
                   form of the above command line flags.  For example, the
                   line

                     alias_address 158.152.17.1

                   would specify an alias address of 158.152.17.1.  Options
                   that don't take an argument are specified with an option of
                   yes or no in the configuration file.  For example, the line

                     log yes

                   is synonymous with -log.

                   Trailing spaces and empty lines are ignored.  A `#' sign
                   will mark the rest of the line as a comment.
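                   The following is an added example, not part of natd or
                   FreeBSD: a POSIX sh checker for a configfile in the format
                   described above that also enforces the -redirect_port
                   range-size rule.  It assumes long-form option names, one
                   per line, numeric port ranges and `#' comments; the sample
                   configuration at the end is constructed.

```shell
# Added example, not natd's or FreeBSD's code: check a natd(8) configuration
# offline before starting the daemon.  Assumes long-form option names, one per
# line, numeric port ranges and `#' comments, as described in the man page.
# Number of ports in "lo-hi" (a single port or a service name counts as 1).
range_size() {
    case $1 in
        *-*) echo $(( ${1#*-} - ${1%-*} + 1 )) ;;
        *)   echo 1 ;;
    esac
}
# Validate one redirect_port linkspec (proto target alias [remote]): the
# targetPORT and aliasPORT ranges must have the same size, and remotePORT,
# if given, must match that size or be 0 (all ports).
check_redirect_port() {
    proto=$1 tgt=$2 pub=$3 rem=$4
    case $proto in tcp|udp) ;; *) echo "bad proto: $proto"; return 1 ;; esac
    t=$(range_size "${tgt##*:}")
    p=$(range_size "${pub##*:}")
    [ "$t" -eq "$p" ] || { echo "size mismatch: $tgt vs $pub"; return 1; }
    case $rem in
        *:*) r=$(range_size "${rem#*:}")
             [ "$r" -eq "$t" ] || [ "${rem#*:}" = 0 ] ||
                 { echo "remote range mismatch: $rem"; return 1; } ;;
    esac
    echo ok
}
# Read a config file on stdin and print the equivalent command-line flags,
# ignoring comments, blank lines and trailing spaces; "name yes" becomes
# -name, "name no" is dropped, and a bad redirect_port line fails the file.
config_to_flags() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}          # strip the comment, split into words
        [ $# -gt 0 ] || continue    # blank or comment-only line
        opt=$1; shift
        case "$opt $*" in
            "redirect_port "*) check_redirect_port "$@" >/dev/null || return 1
                               printf '%s %s\n' "-$opt" "$*" ;;
            *" yes") printf '%s\n' "-$opt" ;;
            *" no")  ;;
            *)       printf '%s %s\n' "-$opt" "$*" ;;
        esac
    done
}
# Constructed sample; for a real file use: config_to_flags < configfile
config_to_flags <<'EOF'
interface ed0          # public interface
deny_incoming yes
redirect_port tcp 192.168.0.2:2300-2399 3300-3399
EOF
```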

       -reverse    Reverse operation of natd.  This can be useful in some
                   transparent proxying situations when outgoing traffic is
                   redirected to the local machine and natd is running on the
                   incoming interface (it usually runs on the outgoing
                   interface).

       -proxy_only
                   Force natd to perform transparent proxying only.  Normal
                   address translation is not performed.

       -proxy_rule [type encode_ip_hdr|encode_tcp_stream] port xxxx server
                   a.b.c.d:yyyy
                   Enable transparent proxying.  Packets with the given port
                   going through this host to any other host are redirected to
                   the given server and port.  Optionally, the original target
                   address can be encoded into the packet.  Use
                   "encode_ip_hdr" to put this information into the IP option
                   field or "encode_tcp_stream" to inject the data into the
                   beginning of the TCP stream.

       -pptpalias localIP
                   Allow PPTP packets to go to the defined localIP address.
                   PPTP is a VPN or secure IP tunneling technology being
                   developed primarily by Microsoft.  For its encrypted traffic,
                   it uses an old IP encapsulation protocol called GRE (47).
                   This natd option will translate any traffic of this
                   protocol to a single, specified IP address.  This would
                   allow either one client or one server to be serviced with
                   natd.  If you are setting up a server, don't forget to allow
                   the TCP traffic for the PPTP setup.  For a client or server,
                   you must allow GRE (protocol 47) if you have firewall lists
                   active.

RUNNING NATD
       The following steps are necessary before attempting to run natd:

       1.   Get FreeBSD version 2.2 or higher.  Versions before this do not
            support divert(4) sockets.

       2.   Build a custom kernel with the following options:

              options IPFIREWALL
              options IPDIVERT

            Refer to the handbook for detailed instructions on building a
            custom kernel.

       3.   Ensure that your machine is acting as a gateway.  This can be done
            by specifying the line

              gateway_enable=YES

            in /etc/rc.conf, or using the command

              sysctl -w net.inet.ip.forwarding=1

       4.   If you wish to use the -n or -interface flags, make sure that your
            interface is already configured.  If, for example, you wish to
            specify tun0 as your interface, and you're using ppp(8) on that
            interface, you must make sure that you start ppp prior to starting
            natd.

       5.   Create an entry in /etc/services:

              natd        8668/divert  # Network Address Translation socket

            This gives a default for the -p or -port flag.

       Running natd is fairly straightforward.  The line

         natd -interface ed0

       should suffice in most cases (substituting the correct interface name).
       Once natd is running, you must ensure that traffic is diverted to natd:

       1.   You will need to adjust the /etc/rc.firewall script to taste.  If
            you're not interested in having a firewall, the following lines
            will do:

              /sbin/ipfw -f flush
              /sbin/ipfw add divert natd all from any to any via ed0
              /sbin/ipfw add pass all from any to any

            The second line depends on your interface (change ed0 as
            appropriate) and assumes that you've updated /etc/services with
            the natd entry as above.  If you specify real firewall rules, it's
            best to specify line 2 at the start of the script so that natd
            sees all packets before they are dropped by the firewall.

            After translation by natd, packets re-enter the firewall at the
            rule number following the rule number that caused the diversion
            (not the next rule if there are several at the same number).

       2.   Enable your firewall by setting

              firewall_enable=YES

            in /etc/rc.conf.  This tells the system startup scripts to run the
            /etc/rc.firewall script.  If you don't wish to reboot now, just
            run this by hand from the console.  NEVER run this from a virtual
            session unless you put it into the background.  If you do, you'll
            lock yourself out after the flush takes place, and execution of
            /etc/rc.firewall will stop at this point - blocking all accesses
            permanently.  Running the script in the background should be
            enough to prevent this disaster.
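       The following is an added example, not FreeBSD's rc.firewall or any
       part of natd: a POSIX sh helper that emits the ipfw commands above
       with the divert rule ahead of every other rule, plus a checker that
       reads a rule script and reports when a deny rule precedes the divert.
       It assumes the natd entry in /etc/services and rules added without
       explicit rule numbers, so that script order is rule order.

```shell
# Added example, not FreeBSD's rc.firewall: emit the ipfw commands for natd
# with the divert rule ahead of everything else, and check an existing rule
# script for the ordering mistake described in the man page.  Assumes the
# natd entry from /etc/services and rules added without explicit numbers.
# Print the rule script for interface $1; further arguments are extra rules
# (without "ipfw add") appended after the divert rule.
natd_ruleset() {
    iface=$1; shift
    echo "/sbin/ipfw -f flush"
    # Divert first, so natd sees every packet before a later rule can drop it.
    echo "/sbin/ipfw add divert natd all from any to any via $iface"
    for rule in "$@"; do
        echo "/sbin/ipfw add $rule"
    done
}
# Read a rule script on stdin; print "ok" if the divert rule precedes the
# first rule that drops traffic, otherwise report the offending line and fail.
divert_before_deny() {
    n=0 divert_at=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
            *"ipfw add"*"divert natd"*)
                [ "$divert_at" -gt 0 ] || divert_at=$n ;;
            *"ipfw add "deny*|*"ipfw add "drop*|*"ipfw add "reset*|*"ipfw add "unreach*)
                if [ "$divert_at" -eq 0 ]; then
                    echo "line $n drops traffic before the divert rule: $line"
                    return 1
                fi ;;
        esac
    done
    if [ "$divert_at" -eq 0 ]; then echo "no divert rule found"; return 1; fi
    echo ok
}
# Constructed example: the minimal script from the man page plus a deny rule
# placed correctly after the divert; prints "ok".
natd_ruleset ed0 "deny tcp from any to any 23" "pass all from any to any" |
    divert_before_deny
```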

SEE ALSO
       socket(2), getservbyname(3), divert(4), services(5), ipfw(8)

AUTHORS
       This program is the result of the efforts of many people at different
       times:

       Archie Cobbs <archie@whistle.com> (divert sockets)
       Charles Mott <cmott@srv.net> (packet aliasing)
       Eivind Eklund <perhaps@yes.no> (IRC support & misc additions)
       Ari Suutari <suutari@iki.fi> (natd)
       Dru Nelson <dnelson@redwoodsoft.com> (PPTP support)
       Brian Somers <brian@awfulhak.org> (glue)

FreeBSD				 15 April 1997			       NATD(8)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=natd&manpath=FreeBSD+4.0-RELEASE>
