xref: /freebsd/sbin/natd/natd.8 (revision ef18594985c0d569650b44b0ba0171a6fd8703a5)

.Dd December 6, 2024
.Dt NATD 8
.Os
.Sh NAME
.Nm natd
.Nd Network Address Translation daemon
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl unregistered_only | u
.Op Fl log | l
.Op Fl proxy_only
.Op Fl reverse
.Op Fl deny_incoming | d
.Op Fl use_sockets | s
.Op Fl same_ports | m
.Op Fl udp_eim
.Op Fl verbose | v
.Op Fl dynamic
.Op Fl in_port | i Ar port
.Op Fl out_port | o Ar port
.Op Fl port | p Ar port
.Op Fl alias_address | a Ar address
.Op Fl target_address | t Ar address
.Op Fl interface | n Ar interface
.Op Fl proxy_rule Ar proxyspec
.Op Fl redirect_port Ar linkspec
.Op Fl redirect_proto Ar linkspec
.Op Fl redirect_address Ar linkspec
.Op Fl config | f Ar configfile
.Op Fl instance Ar instancename
.Op Fl globalport Ar port
.Op Fl log_denied
.Op Fl log_facility Ar facility_name
.Op Fl punch_fw Ar firewall_range
.Op Fl skinny_port Ar port
.Op Fl log_ipfw_denied
.Op Fl pid_file | P Ar pidfile
.Op Fl exit_delay | P Ar ms
.Ek
.Sh DESCRIPTION
The
.Nm
utility provides a Network Address Translation facility for use
with
.Xr divert 4
sockets under
.Fx .
.Pp
(If you need NAT on a PPP link,
.Xr ppp 8
provides the
.Fl nat
option that gives most of the
.Nm
functionality, and uses the same
.Xr libalias 3
library.)
.Pp
The
.Nm
utility normally runs in the background as a daemon.
It is passed raw IP packets as they travel into and out of the machine,
and will possibly change these before re-injecting them back into the
IP packet stream.
.Pp
It changes all packets destined for another host so that their source
IP address is that of the current machine.
For each packet changed in this manner, an internal table entry is
created to record this fact.
The source port number is also changed to indicate the table entry
applying to the packet.
Packets that are received with a target IP of the current host are
checked against this internal table.
If an entry is found, it is used to determine the correct target IP
address and port to place in the packet.
.Pp
The following command line options are available:
.Bl -tag -width Fl
.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time
.Nm
is started.
.It Fl deny_incoming | d
Do not pass incoming packets that have no
entry in the internal translation table.
.Pp
If this option is not used, then such a packet will be altered
using the rules in
.Fl target_address
below, and the entry will be made in the internal translation table.
.It Fl log_denied
Log denied incoming packets via
.Xr syslog 3
(see also
.Fl log_facility ) .
.It Fl log_facility Ar facility_name
Use specified log facility when logging information via
.Xr syslog 3 .
Argument
.Ar facility_name
is one of the keywords specified in
.Xr syslog.conf 5 .
.It Fl use_sockets | s
Allocate a
.Xr socket 2
in order to establish an FTP data or IRC DCC send connection.
This option uses more system resources, but guarantees successful
connections when port numbers conflict.
.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
With this option, protocols such as RPC will have a better chance
of working.
If it is not possible to maintain the port number, it will be silently
changed as per normal.
.It Fl udp_eim
When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
("full cone" NAT of RFC 3489).
All packets from the same internal address:port are mapped to the same NAT
address:port, regardless of their destination address:port.
If filtering rules allow, and if
.Em deny_incoming
is disabled, any other external address:port can
also send to the internal address:port through its mapped NAT address:port.
This is more compatible with applications, and can reduce the need for port
forwarding, but less scalable as each NAT address:port can only be
concurrently used by at most one internal address:port.
.Pp
When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
NAT).
Each connection from a particular internal address:port to different
external addresses:ports is mapped to a random and unpredictable NAT
address:port.
Two appplications behind EDM NATs can only connect to each other
by port forwarding on the NAT, or tunnelling through an in-between server.
.It Fl verbose | v
Do not call
.Xr daemon 3
on startup.
Instead, stay attached to the controlling terminal and display all packet
alterations to the standard output.
This option should only be used for debugging purposes.
.It Fl unregistered_only | u
Only alter outgoing packets with an
.Em unregistered
source address.
According to RFC 1918, unregistered source addresses are 10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16.
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo - Ns Ar targetPORT Oc Xc
.Oo Ar aliasIP Ns : Oc Ns Xo
.Ar aliasPORT Ns Oo - Ns Ar aliasPORT Oc Xc
.Oo Ar remoteIP Ns Oo : Ns
.Ar remotePORT Ns Op - Ns Ar remotePORT
.Oc Oc
.Xc
Redirect incoming connections arriving to given port(s) to another host
and port(s).
Argument
.Ar proto
is either
.Ar tcp
or
.Ar udp ,
.Ar targetIP
is the desired target IP address,
.Ar targetPORT
is the desired target port number or range,
.Ar aliasPORT
is the requested port number or range, and
.Ar aliasIP
is the aliasing address.
Arguments
.Ar remoteIP
and
.Ar remotePORT
can be used to specify the connection more accurately if necessary.
If
.Ar remotePORT
is not specified, it is assumed to be all ports.
.Pp
Arguments
.Ar targetIP , aliasIP
and
.Ar remoteIP
can be given as IP addresses or as hostnames.
The
.Ar targetPORT , aliasPORT
and
.Ar remotePORT
ranges need not be the same numerically, but must have the same size.
When
.Ar targetPORT , aliasPORT
or
.Ar remotePORT
specifies a singular value (not a range), it can be given as a service
name that is searched for in the
.Xr services 5
database.
.Pp
For example, the argument
.Pp
.Dl Ar tcp inside1:telnet 6666
.Pp
means that incoming TCP packets destined for port 6666 on this machine
will be sent to the telnet port on the inside1 machine.
.Pp
.Dl Ar tcp inside2:2300-2399 3300-3399
.Pp
will redirect incoming connections on ports 3300-3399 to host
inside2, ports 2300-2399.
The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
.It Fl redirect_proto Ar proto localIP Oo
.Ar publicIP Op Ar remoteIP
.Oc
Redirect incoming IP packets of protocol
.Ar proto
(see
.Xr protocols 5 )
destined for
.Ar publicIP
address to a
.Ar localIP
address and vice versa.
.Pp
If
.Ar publicIP
is not specified, then the default aliasing address is used.
If
.Ar remoteIP
is specified, then only packets coming from/to
.Ar remoteIP
will match the rule.
.It Fl redirect_address Ar localIP publicIP
Redirect traffic for public IP address to a machine on the local
network.
This function is known as
.Em static NAT .
Normally static NAT is useful if your ISP has allocated a small block
of IP addresses to you, but it can even be used in the case of single
address:
.Pp
.Dl Ar redirect_address 10.0.0.8 0.0.0.0
.Pp
The above command would redirect all incoming traffic
to machine 10.0.0.8.
.Pp
If several address aliases specify the same public address
as follows
.Bd -literal -offset indent
redirect_address 192.168.0.2 public_addr
redirect_address 192.168.0.3 public_addr
redirect_address 192.168.0.4 public_addr
.Ed
.Pp
the incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic from the first two addresses will still be aliased
to appear from the specified
.Ar public_addr .
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar ...\&
.Oc Xc Oc Xc
.Oo Ar aliasIP Ns : Oc Ns Xo
.Ar aliasPORT
.Xc
.Oo Ar remoteIP Ns
.Op : Ns Ar remotePORT
.Oc
.Xc
.It Fl redirect_address Xo
.Ar localIP Ns Oo , Ns
.Ar localIP Ns Oo , Ns
.Ar ...\&
.Oc Oc
.Ar publicIP
.Xc
These forms of
.Fl redirect_port
and
.Fl redirect_address
are used to transparently offload network load on a single server and
distribute the load across a pool of servers.
This function is known as
.Em LSNAT
(RFC 2391).
For example, the argument
.Pp
.Dl Ar tcp www1:http,www2:http,www3:http www:http
.Pp
means that incoming HTTP requests for host www will be transparently
redirected to one of the www1, www2 or www3, where a host is selected
simply on a round-robin basis, without regard to load on the net.
.It Fl dynamic
If the
.Fl n
or
.Fl interface
option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
passed.
If the interface's IP address is changed,
.Nm
will dynamically alter its concept of the alias address.
.It Fl in_port | i Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq incoming .
.It Fl out_port | o Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq outgoing .
.It Fl port | p Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
distinguishing packets as
.Dq incoming
or
.Dq outgoing
using the rules specified in
.Xr divert 4 .
If
.Ar port
is not numeric, it is searched for in the
.Xr services 5
database.
If this option is not specified, the divert port named
.Ar natd
will be used as a default.
.It Fl alias_address | a Ar address
Use
.Ar address
as the aliasing address.
Either this or the
.Fl interface
option must be used (but not both),
if the
.Fl proxy_only
option is not specified.
The specified address is usually the address assigned to the
.Dq public
network interface.
.Pp
All data passing
.Em out
will be rewritten with a source address equal to
.Ar address .
All data coming
.Em in
will be checked to see if it matches any already-aliased outgoing
connection.
If it does, the packet is altered accordingly.
If not, all
.Fl redirect_port ,
.Fl redirect_proto
and
.Fl redirect_address
assignments are checked and actioned.
If no other action can be made and if
.Fl deny_incoming
is not specified, the packet is delivered to the local machine
using the rules specified in
.Fl target_address
option below.
.It Fl t | target_address Ar address
Set the target address.
When an incoming packet not associated with any pre-existing link
arrives at the host machine, it will be sent to the specified
.Ar address .
.Pp
The target address may be set to
.Ar 255.255.255.255 ,
in which case all new incoming packets go to the alias address set by
.Fl alias_address
or
.Fl interface .
.Pp
If this option is not used, or called with the argument
.Ar 0.0.0.0 ,
then all new incoming packets go to the address specified in
the packet.
This allows external machines to talk directly to internal machines if
they can route packets to the machine in question.
.It Fl interface | n Ar interface
Use
.Ar interface
to determine the aliasing address.
If there is a possibility that the IP address associated with
.Ar interface
may change, the
.Fl dynamic
option should also be used.
If this option is not specified, the
.Fl alias_address
option must be used.
.Pp
The specified
.Ar interface
is usually the
.Dq public
(or
.Dq external )
network interface.
.It Fl config | f Ar file
Read configuration from
.Ar file .
A
.Ar file
should contain a list of options, one per line, in the same form
as the long form of the above command line options.
For example, the line
.Pp
.Dl alias_address 158.152.17.1
.Pp
would specify an alias address of 158.152.17.1.
Options that do not take an argument are specified with an argument of
.Ar yes
or
.Ar no
in the configuration file.
For example, the line
.Pp
.Dl log yes
.Pp
is synonymous with
.Fl log .
.Pp
Options can be divided to several sections.
Each section applies to own
.Nm
instance.
This ability allows the configuration of one
.Nm
process for several NAT instances.
The first instance that always exists is a "default" instance.
Each another instance should begin with
.Pp
.Dl instance Ar instance_name
.Pp
At the next should be placed a configuration option.
Example:
.Pp
.Dl \&# default instance
.Dl port 8668
.Dl alias_address 158.152.17.1
.Pp
.Dl \&# second instance
.Dl instance dsl1
.Dl port 8888
.Dl alias_address 192.168.0.1
.Pp
Trailing spaces and empty lines are ignored.
A
.Ql \&#
sign will mark the rest of the line as a comment.
.It Fl instance Ar instancename
This option switches command line options processing to configure instance
.Ar instancename
(creating it if necessary) till the next
.Fl instance
option or end of command line.
It is easier to set up multiple instances in the configuration file
specified with the
.Fl config
option rather than on a command line.
.It Fl globalport Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq outgoing .
This option is intended to be used with multiple instances:
packets received on this port are checked against
internal translation tables of every configured instance.
If an entry is found, packet is aliased according to that entry.
If no entry was found in any of the instances, packet is passed
unchanged, and no new entry will be created.
See the section
.Sx MULTIPLE INSTANCES
for more details.
.It Fl reverse
This option makes
.Nm
reverse the way it handles
.Dq incoming
and
.Dq outgoing
packets, allowing it to operate on the
.Dq internal
network interface rather than the
.Dq external
one.
.Pp
This can be useful in some transparent proxying situations
when outgoing traffic is redirected to the local machine
and
.Nm
is running on the internal interface (it usually runs on the
external interface).
.It Fl proxy_only
Force
.Nm
to perform transparent proxying only.
Normal address translation is not performed.
.It Fl proxy_rule Xo
.Op Ar type encode_ip_hdr | encode_tcp_stream
.Ar port xxxx
.Ar server a.b.c.d:yyyy
.Xc
Enable transparent proxying.
Outgoing TCP packets with the given port going through this
host to any other host are redirected to the given server and port.
Optionally, the original target address can be encoded into the packet.
Use
.Ar encode_ip_hdr
to put this information into the IP option field or
.Ar encode_tcp_stream
to inject the data into the beginning of the TCP stream.
.It Fl punch_fw Xo
.Ar basenumber Ns : Ns Ar count
.Xc
This option directs
.Nm
to
.Dq punch holes
in an
.Xr ipfirewall 4
based firewall for FTP/IRC DCC connections.
This is done dynamically by installing temporary firewall rules which
allow a particular connection (and only that connection) to go through
the firewall.
The rules are removed once the corresponding connection terminates.
.Pp
A maximum of
.Ar count
rules starting from the rule number
.Ar basenumber
will be used for punching firewall holes.
The range will be cleared for all rules on startup.
This option has no effect when the kernel is in security
level 3, see
.Xr init 8
for more information.
.It Fl skinny_port Ar port
This option allows you to specify the TCP port used for
the Skinny Station protocol.
Skinny is used by Cisco IP phones to communicate with
Cisco Call Managers to set up voice over IP calls.
By default, Skinny aliasing is not performed.
The typical port value for Skinny is 2000.
.It Fl log_ipfw_denied
Log when a packet cannot be re-injected because an
.Xr ipfw 8
rule blocks it.
This is the default with
.Fl verbose .
.It Fl pid_file | P Ar file
Specify an alternate file in which to store the process ID.
The default is
.Pa /var/run/natd.pid .
.It Fl exit_delay Ar ms
Specify delay in ms before daemon exit after signal.
The default is
.Pa 10000 .
.El
.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm :
.Bl -enum
.It
Build a custom kernel with the following options:
.Bd -literal -offset indent
options IPFIREWALL
options IPDIVERT
.Ed
.Pp
Refer to the handbook for detailed instructions on building a custom
kernel.
.It
Ensure that your machine is acting as a gateway.
This can be done by specifying the line
.Pp
.Dl gateway_enable=YES
.Pp
in the
.Pa /etc/rc.conf
file or using the command
.Pp
.Dl "sysctl net.inet.ip.forwarding=1"
.It
If you use the
.Fl interface
option, make sure that your interface is already configured.
If, for example, you wish to specify
.Ql tun0
as your
.Ar interface ,
and you are using
.Xr ppp 8
on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm .
.El
.Pp
Running
.Nm
is fairly straight forward.
The line
.Pp
.Dl natd -interface ed0
.Pp
should suffice in most cases (substituting the correct interface name).
Please check
.Xr rc.conf 5
on how to configure it to be started automatically during boot.
Once
.Nm
is running, you must ensure that traffic is diverted to
.Nm :
.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste.
If you are not interested in having a firewall, the
following lines will do:
.Bd -literal -offset indent
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
.Ed
.Pp
The second line depends on your interface (change
.Ql ed0
as appropriate).
.Pp
You should be aware of the fact that, with these firewall settings,
everyone on your local network can fake his source-address using your
host as gateway.
If there are other hosts on your local network, you are strongly
encouraged to create firewall rules that only allow traffic to and
from trusted hosts.
.Pp
If you specify real firewall rules, it is best to specify line 2 at
the start of the script so that
.Nm
sees all packets before they are dropped by the firewall.
.Pp
After translation by
.Nm ,
packets re-enter the firewall at the rule number following the rule number
that caused the diversion (not the next rule if there are several at the
same number).
.It
Enable your firewall by setting
.Pp
.Dl firewall_enable=YES
.Pp
in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
script.
If you do not wish to reboot now, just run this by hand from the console.
NEVER run this from a remote session unless you put it into the background.
If you do, you will lock yourself out after the flush takes place, and
execution of
.Pa /etc/rc.firewall
will stop at this point - blocking all accesses permanently.
Running the script in the background should be enough to prevent this
disaster.
.El
.Sh MULTIPLE INSTANCES
It is not so uncommon to have a need of aliasing to several external IP
addresses.
While this traditionally was achieved by running several
.Nm
processes with independent configurations,
.Nm
can have multiple aliasing instances in a single process,
also allowing them to be not so independent of each other.
For example, let us see a common task of load balancing two
channels to different providers on a machine with two external
interfaces
.Ql sis0
(with IP 1.2.3.4) and
.Ql sis2
(with IP 2.3.4.5):
.Bd -literal -offset indent
          net 1.2.3.0/24
1.2.3.1 ------------------ sis0
(router)                (1.2.3.4)
                                         net 10.0.0.0/24
                                  sis1 ------------------- 10.0.0.2
                               (10.0.0.1)
          net 2.3.4.0/24
2.3.4.1 ------------------ sis2
(router)                (2.3.4.5)
.Ed
.Pp
Default route is out via
.Ql sis0 .
.Pp
Interior machine (10.0.0.2) is accessible on TCP port 122 through
both exterior IPs, and outgoing connections choose a path randomly
between
.Ql sis0
and
.Ql sis2 .
.Pp
The way this works is that
.Pa natd.conf
builds two instances of the aliasing engine.
.Pp
In addition to these instances' private
.Xr divert 4
sockets, a third socket called the
.Dq globalport
is created; packets sent to
.Nm
via this one will be matched against all instances and translated
if an existing entry is found, and unchanged if no entry is found.
The following lines are placed into
.Pa /etc/natd.conf :
.Bd -literal -offset indent
log
deny_incoming
verbose

instance default
interface sis0
port 1000
redirect_port tcp 10.0.0.2:122 122

instance sis2
interface sis2
port 2000
redirect_port tcp 10.0.0.2:122 122

globalport 3000
.Ed
.Pp
And the following
.Xr ipfw 8
rules are used:
.Bd -literal -offset indent
ipfw -f flush

ipfw add      allow ip from any to any via sis1

ipfw add      skipto 1000 ip from any to any in via sis0
ipfw add      skipto 2000 ip from any to any out via sis0
ipfw add      skipto 3000 ip from any to any in via sis2
ipfw add      skipto 4000 ip from any to any out via sis2

ipfw add 1000 count ip from any to any

ipfw add      divert 1000 ip from any to any
ipfw add      allow ip from any to any

ipfw add 2000 count ip from any to any

ipfw add      divert 3000 ip from any to any

ipfw add      allow ip from 1.2.3.4 to any
ipfw add      skipto 5000 ip from 2.3.4.5 to any

ipfw add      prob .5 skipto 4000 ip from any to any

ipfw add      divert 1000 ip from any to any
ipfw add      allow ip from any to any

ipfw add 3000 count ip from any to any

ipfw add      divert 2000 ip from any to any
ipfw add      allow ip from any to any

ipfw add 4000 count ip from any to any

ipfw add      divert 2000 ip from any to any

ipfw add 5000 fwd 2.3.4.1 ip from 2.3.4.5 to not 2.3.4.0/24
ipfw add      allow ip from any to any
.Ed
.Pp
Here the packet from internal network to Internet goes out via
.Ql sis0
(rule number 2000) and gets caught by the
.Ic globalport
socket (3000).
After that, either a match is found in a translation table
of one of the two instances, or the packet is passed to one
of the two other
.Xr divert 4
ports (1000 or 2000), with equal probability.
This ensures that load balancing is done on a per-flow basis
(i.e., packets from a single TCP connection always flow through the
same interface).
Translated packets with source IP of a non-default interface
.Pq Ql sis2
are forwarded to the appropriate router on that interface.
.Sh SEE ALSO
.Xr libalias 3 ,
.Xr divert 4 ,
.Xr protocols 5 ,
.Xr rc.conf 5 ,
.Xr services 5 ,
.Xr syslog.conf 5 ,
.Xr init 8 ,
.Xr ipfw 8 ,
.Xr ppp 8
.Sh HISTORY
The
.Nm
utility appeared in
.Fx 3.0 .
.Sh AUTHORS
This program is the result of the efforts of many people at different
times:
.Pp
.An Archie Cobbs Aq Mt archie@FreeBSD.org
(divert sockets)
.An Charles Mott Aq Mt cm@linktel.net
(packet aliasing)
.An Eivind Eklund Aq Mt perhaps@yes.no
(IRC support & misc additions)
.An Ari Suutari Aq Mt suutari@iki.fi
(natd)
.An Dru Nelson Aq Mt dnelson@redwoodsoft.com
(early PPTP support)
.An Brian Somers Aq Mt brian@awfulhak.org
(glue)
.An Ruslan Ermilov Aq Mt ru@FreeBSD.org
(natd, packet aliasing, glue)
.An Poul-Henning Kamp Aq Mt phk@FreeBSD.org
(multiple instances)