Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
NATD(8)			  BSD System Manager's Manual		       NATD(8)

     natd -- Network Address Translation daemon

     natd [-unregistered_only |	-u] [-log | -l]	[-proxy_only] [-reverse]
	  [-deny_incoming | -d]	[-use_sockets |	-s] [-same_ports | -m]
	  [-verbose | -v] [-dynamic] [-in_port | -i port]
	  [-out_port | -o port]	[-port | -p port]
	  [-alias_address | -a address]	[-target_address | -t address]
	  [-interface |	-n interface] [-proxy_rule proxyspec]
	  [-redirect_port linkspec] [-redirect_proto linkspec]
	  [-redirect_address linkspec] [-config	| -f configfile] [-log_denied]
	  [-log_facility facility_name]	[-punch_fw firewall_range]
	  [-skinny_port	port] [-log_ipfw_denied] [-pid_file | -P pidfile]

     The natd utility provides a Network Address Translation facility for use
     with divert(4) sockets under FreeBSD.

     (If you need NAT on a PPP link, ppp(8) provides the -nat option that
     gives most	of the natd functionality, and uses the	same libalias(3) li-

     The natd utility normally runs in the background as a daemon.  It is
     passed raw	IP packets as they travel into and out of the machine, and
     will possibly change these	before re-injecting them back into the IP
     packet stream.

     It	changes	all packets destined for another host so that their source IP
     address is	that of	the current machine.  For each packet changed in this
     manner, an	internal table entry is	created	to record this fact.  The
     source port number	is also	changed	to indicate the	table entry applying
     to	the packet.  Packets that are received with a target IP	of the current
     host are checked against this internal table.  If an entry	is found, it
     is	used to	determine the correct target IP	address	and port to place in
     the packet.

     The following command line	options	are available:

     -log | -l	 Log various aliasing statistics and information to the	file
		 /var/log/alias.log.  This file	is truncated each time natd is

     -deny_incoming | -d
		 Do not	pass incoming packets that have	no entry in the	inter-
		 nal translation table.

		 If this option	is not used, then such a packet	will be	al-
		 tered using the rules in -target_address below, and the entry
		 will be made in the internal translation table.

		 Log denied incoming packets via syslog(3) (see	also

     -log_facility facility_name
		 Use specified log facility when logging information via
		 syslog(3).  Argument facility_name is one of the keywords
		 specified in syslog.conf(5).

     -use_sockets | -s
		 Allocate a socket(2) in order to establish an FTP data	or IRC
		 DCC send connection.  This option uses	more system resources,
		 but guarantees	successful connections when port numbers con-

     -same_ports | -m
		 Try to	keep the same port number when altering	outgoing pack-
		 ets.  With this option, protocols such	as RPC will have a
		 better	chance of working.  If it is not possible to maintain
		 the port number, it will be silently changed as per normal.

     -verbose |	-v
		 Do not	call daemon(3) on startup.  Instead, stay attached to
		 the controlling terminal and display all packet alterations
		 to the	standard output.  This option should only be used for
		 debugging purposes.

     -unregistered_only	| -u
		 Only alter outgoing packets with an unregistered source ad-
		 dress.	 According to RFC 1918,	unregistered source addresses
		 are, and

     -redirect_port proto targetIP:targetPORT[-targetPORT]
		 Redirect incoming connections arriving	to given port(s) to
		 another host and port(s).  Argument proto is either tcp or
		 udp, targetIP is the desired target IP	address, targetPORT is
		 the desired target port number	or range, aliasPORT is the re-
		 quested port number or	range, and aliasIP is the aliasing ad-
		 dress.	 Arguments remoteIP and	remotePORT can be used to
		 specify the connection	more accurately	if necessary.  If
		 remotePORT is not specified, it is assumed to be all ports.

		 Arguments targetIP, aliasIP and remoteIP can be given as IP
		 addresses or as hostnames.  The targetPORT, aliasPORT and
		 remotePORT ranges need	not be the same	numerically, but must
		 have the same size.  When targetPORT, aliasPORT or remotePORT
		 specifies a singular value (not a range), it can be given as
		 a service name	that is	searched for in	the services(5)	data-

		 For example, the argument

		       tcp inside1:telnet 6666

		 means that incoming TCP packets destined for port 6666	on
		 this machine will be sent to the telnet port on the inside1

		       tcp inside2:2300-2399 3300-3399

		 will redirect incoming	connections on ports 3300-3399 to host
		 inside2, ports	2300-2399.  The	mapping	is 1:1 meaning port
		 3300 maps to 2300, 3301 maps to 2301, etc.

     -redirect_proto proto localIP [publicIP [remoteIP]]
		 Redirect incoming IP packets of protocol proto	(see
		 protocols(5)) destined	for publicIP address to	a localIP ad-
		 dress and vice	versa.

		 If publicIP is	not specified, then the	default	aliasing ad-
		 dress is used.	 If remoteIP is	specified, then	only packets
		 coming	from/to	remoteIP will match the	rule.

     -redirect_address localIP publicIP
		 Redirect traffic for public IP	address	to a machine on	the
		 local network.	 This function is known	as static NAT.	Nor-
		 mally static NAT is useful if your ISP	has allocated a	small
		 block of IP addresses to you, but it can even be used in the
		 case of single	address:


		 The above command would redirect all incoming traffic to ma-

		 If several address aliases specify the	same public address as

		       redirect_address public_addr
		       redirect_address public_addr
		       redirect_address public_addr

		 the incoming traffic will be directed to the last translated
		 local address (, but outgoing traffic from	the
		 first two addresses will still	be aliased to appear from the
		 specified public_addr.

     -redirect_port proto targetIP:targetPORT[,targetIP:targetPORT[,...]]
		 [aliasIP:]aliasPORT [remoteIP[:remotePORT]]

     -redirect_address localIP[,localIP[,...]] publicIP
		 These forms of	-redirect_port and -redirect_address are used
		 to transparently offload network load on a single server and
		 distribute the	load across a pool of servers.	This function
		 is known as LSNAT (RFC	2391).	For example, the argument

		       tcp www1:http,www2:http,www3:http www:http

		 means that incoming HTTP requests for host www	will be	trans-
		 parently redirected to	one of the www1, www2 or www3, where a
		 host is selected simply on a round-robin basis, without re-
		 gard to load on the net.

     -dynamic	 If the	-n or -interface option	is used, natd will monitor the
		 routing socket	for alterations	to the interface passed.  If
		 the interface's IP address is changed,	natd will dynamically
		 alter its concept of the alias	address.

     -in_port |	-i port
		 Read from and write to	divert(4) port port, treating all
		 packets as "incoming".

     -out_port | -o port
		 Read from and write to	divert(4) port port, treating all
		 packets as "outgoing".

     -port | -p	port
		 Read from and write to	divert(4) port port, distinguishing
		 packets as "incoming" or "outgoing" using the rules specified
		 in divert(4).	If port	is not numeric,	it is searched for in
		 the services(5) database.  If this option is not specified,
		 the divert port named natd will be used as a default.

     -alias_address | -a address
		 Use address as	the aliasing address.  Either this or the
		 -interface option must	be used	(but not both),	if the
		 -proxy_only option is not specified.  The specified address
		 is usually the	address	assigned to the	"public" network in-

		 All data passing out will be rewritten	with a source address
		 equal to address.  All	data coming in will be checked to see
		 if it matches any already-aliased outgoing connection.	 If it
		 does, the packet is altered accordingly.  If not, all
		 -redirect_port, -redirect_proto and -redirect_address assign-
		 ments are checked and actioned.  If no	other action can be
		 made and if -deny_incoming is not specified, the packet is
		 delivered to the local	machine	using the rules	specified in
		 -target_address option	below.

     -t	| -target_address address
		 Set the target	address.  When an incoming packet not associ-
		 ated with any pre-existing link arrives at the	host machine,
		 it will be sent to the	specified address.

		 The target address may	be set to, in which
		 case all new incoming packets go to the alias address set by
		 -alias_address	or -interface.

		 If this option	is not used, or	called with the	argument, then all new incoming	packets	go to the address
		 specified in the packet.  This	allows external	machines to
		 talk directly to internal machines if they can	route packets
		 to the	machine	in question.

     -interface	| -n interface
		 Use interface to determine the	aliasing address.  If there is
		 a possibility that the	IP address associated with interface
		 may change, the -dynamic option should	also be	used.  If this
		 option	is not specified, the -alias_address option must be

		 The specified interface is usually the	"public" (or
		 "external") network interface.

     -config | -f file
		 Read configuration from file.	A file should contain a	list
		 of options, one per line, in the same form as the long	form
		 of the	above command line options.  For example, the line


		 would specify an alias	address	of  Options that
		 do not	take an	argument are specified with an argument	of yes
		 or no in the configuration file.  For example,	the line

		       log yes

		 is synonymous with -log.

		 Trailing spaces and empty lines are ignored.  A `#' sign will
		 mark the rest of the line as a	comment.

     -reverse	 This option makes natd	reverse	the way	it handles "incoming"
		 and "outgoing"	packets, allowing it to	operate	on the
		 "internal" network interface rather than the "external" one.

		 This can be useful in some transparent	proxying situations
		 when outgoing traffic is redirected to	the local machine and
		 natd is running on the	internal interface (it usually runs on
		 the external interface).

		 Force natd to perform transparent proxying only.  Normal ad-
		 dress translation is not performed.

     -proxy_rule [type encode_ip_hdr | encode_tcp_stream] port xxxx server
		 Enable	transparent proxying.  Outgoing	TCP packets with the
		 given port going through this host to any other host are
		 redirected to the given server	and port.  Optionally, the
		 original target address can be	encoded	into the packet.  Use
		 encode_ip_hdr to put this information into the	IP option
		 field or encode_tcp_stream to inject the data into the	begin-
		 ning of the TCP stream.

     -punch_fw basenumber:count
		 This option directs natd to "punch holes" in an ipfirewall(4)
		 based firewall	for FTP/IRC DCC	connections.  This is done dy-
		 namically by installing temporary firewall rules which	allow
		 a particular connection (and only that	connection) to go
		 through the firewall.	The rules are removed once the corre-
		 sponding connection terminates.

		 A maximum of count rules starting from	the rule number
		 basenumber will be used for punching firewall holes.  The
		 range will be cleared for all rules on	startup.

     -skinny_port port
		 This option allows you	to specify the TCP port	used for the
		 Skinny	Station	protocol.  Skinny is used by Cisco IP phones
		 to communicate	with Cisco Call	Managers to set	up voice over
		 IP calls.  By default,	Skinny aliasing	is not performed.  The
		 typical port value for	Skinny is 2000.

		 Log when a packet cannot be re-injected because an ipfw(8)
		 rule blocks it.  This is the default with -verbose.

     -pid_file | -P file
		 Specify an alternate file in which to store the process ID.
		 The default is	/var/run/

     The following steps are necessary before attempting to run	natd:

     1.	  Build	a custom kernel	with the following options:

		options	IPFIREWALL
		options	IPDIVERT

	  Refer	to the handbook	for detailed instructions on building a	custom

     2.	  Ensure that your machine is acting as	a gateway.  This can be	done
	  by specifying	the line


	  in the /etc/rc.conf file or using the	command

		sysctl net.inet.ip.forwarding=1

     3.	  If you use the -interface option, make sure that your	interface is
	  already configured.  If, for example,	you wish to specify `tun0' as
	  your interface, and you are using ppp(8) on that interface, you must
	  make sure that you start ppp prior to	starting natd.

     Running natd is fairly straight forward.  The line

	   natd	-interface ed0

     should suffice in most cases (substituting	the correct interface name).
     Please check rc.conf(5) on	how to configure it to be started automati-
     cally during boot.	 Once natd is running, you must	ensure that traffic is
     diverted to natd:

     1.	  You will need	to adjust the /etc/rc.firewall script to taste.	 If
	  you are not interested in having a firewall, the following lines
	  will do:

		/sbin/ipfw -f flush
		/sbin/ipfw add divert natd all from any	to any via ed0
		/sbin/ipfw add pass all	from any to any

	  The second line depends on your interface (change `ed0' as appropri-

	  You should be	aware of the fact that,	with these firewall settings,
	  everyone on your local network can fake his source-address using
	  your host as gateway.	 If there are other hosts on your local	net-
	  work,	you are	strongly encouraged to create firewall rules that only
	  allow	traffic	to and from trusted hosts.

	  If you specify real firewall rules, it is best to specify line 2 at
	  the start of the script so that natd sees all	packets	before they
	  are dropped by the firewall.

	  After	translation by natd, packets re-enter the firewall at the rule
	  number following the rule number that	caused the diversion (not the
	  next rule if there are several at the	same number).

     2.	  Enable your firewall by setting


	  in /etc/rc.conf.  This tells the system startup scripts to run the
	  /etc/rc.firewall script.  If you do not wish to reboot now, just run
	  this by hand from the	console.  NEVER	run this from a	remote session
	  unless you put it into the background.  If you do, you will lock
	  yourself out after the flush takes place, and	execution of
	  /etc/rc.firewall will	stop at	this point - blocking all accesses
	  permanently.	Running	the script in the background should be enough
	  to prevent this disaster.

     libalias(3), divert(4), protocols(5), rc.conf(5), services(5),
     syslog.conf(5), ipfw(8), ppp(8)

     This program is the result	of the efforts of many people at different

     Archie Cobbs <> (divert sockets)
     Charles Mott <> (packet aliasing)
     Eivind Eklund <> (IRC support & misc	additions)
     Ari Suutari <> (natd)
     Dru Nelson	<> (early PPTP support)
     Brian Somers <> (glue)
     Ruslan Ermilov <> (natd, packet aliasing, glue)

BSD			       February	28, 2003			   BSD


Want to link to this manual page? Use this URL:

home | help