xref: /freebsd/sbin/natd/natd.8 (revision 380a989b3223d455375b4fae70fd0b9bdd43bafb)
.\" manual page [] for natd 1.4
.\" $Id: natd.8,v 1.14 1998/07/14 08:18:51 jkoshy Exp $
.Dd 15 April 1997
.Os FreeBSD
.Dt NATD 8
.Sh NAME
.Nm natd
.Nd Network Address Translation Daemon
.Sh SYNOPSIS
.Nm
.Op Fl ldsmvu
.Op Fl permanent_link Ar linkspec
.Op Fl dynamic
.Op Fl i Ar inport
.Op Fl o Ar outport
.Op Fl p Ar port
.Op Fl a Ar address
.Op Fl n Ar interface
.Op Fl f Ar configfile
.Op Fl redirect_port Ar linkspec
.Op Fl redirect_address Ar localIP publicIP

.Nm
.Op Fl log
.Op Fl deny_incoming
.Op Fl use_sockets
.Op Fl same_ports
.Op Fl verbose
.Op Fl unregistered_only
.Op Fl permanent_link Ar linkspec
.Op Fl dynamic
.Op Fl inport Ar inport
.Op Fl outport Ar outport
.Op Fl port Ar port
.Op Fl alias_address Ar address
.Op Fl interface Ar interface
.Op Fl config Ar configfile
.Op Fl redirect_port Ar linkspec
.Op Fl redirect_address Ar localIP publicIP

.Sh DESCRIPTION
This program provides a Network Address Translation facility for use
with
.Xr divert 4
sockets under FreeBSD.  Most of the command line options are available
in a single character short form or in a long form.  Use of the long
form is encouraged as it makes things clearer to the casual observer.

.Pp
.Nm Natd
normally runs in the background as a daemon.  It is passed raw IP packets
as they travel into and out of the machine, and will possibly change these
before re-injecting them back into the IP packet stream.

.Pp
.Nm Natd
rewrites every packet destined for another host so that its source
IP address becomes that of the current machine (the alias address).
For each connection rewritten in this manner an entry is created in an
internal translation table, and the source port number is also changed
so that it identifies the table entry applying to the packet.  Packets
that arrive with the current host as their target IP address are checked
against this table.  If an entry is found, it is used to determine the
correct target IP address and port to place in the packet; what happens
to packets that match no entry is described under
.Fl deny_incoming
and
.Fl alias_address
below.
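.Pp
The following is an added illustration of the translation table just
described; it is not code from
.Nm natd
itself, which is written in C.  It models outgoing translation, the
inbound lookup, and the behaviour of the
.Fl same_ports ,
.Fl unregistered_only ,
.Fl deny_incoming
and
.Fl redirect_port
options described below.  The class and method names, the port range
used for dynamic alias ports, the sample addresses and the decision to
key the table only on protocol and alias port are assumptions made for
the example, not facts taken from the daemon.

```python
"""Toy model of natd's translation table (added example, not natd's code).

Assumptions made here and not taken from the man page: the table is keyed
only on (protocol, alias port); natd's real table also records the remote
endpoint.  Dynamic alias ports are handed out from 40000 upwards.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# The RFC 1918 private blocks that -unregistered_only treats as "unregistered".
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    def __init__(self, alias_address, deny_incoming=False, same_ports=False,
                 unregistered_only=False):
        self.alias = alias_address
        self.deny_incoming = deny_incoming
        self.same_ports = same_ports
        self.unregistered_only = unregistered_only
        self.table = {}       # (proto, alias_port) -> (inside_ip, inside_port)
        self.redirects = {}   # (proto, alias_port) -> (target_ip, target_port)
        self._next_port = 40000   # assumed start of the dynamic port range

    def redirect_port(self, proto, target_ip, target_port, alias_port):
        """Static mapping, like 'redirect_port tcp inside1:telnet 6666'."""
        self.redirects[(proto, alias_port)] = (target_ip, target_port)

    def _alias_port(self, proto, wanted):
        """Pick the alias port for a new outgoing connection."""
        in_use = {p for pr, p in self.table if pr == proto}
        in_use |= {p for pr, p in self.redirects if pr == proto}
        # -same_ports: keep the inside port if nobody else holds it ...
        if self.same_ports and wanted not in in_use:
            return wanted
        # ... otherwise (or without the option) it is silently changed.
        while self._next_port in in_use:
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def outgoing(self, pkt):
        """Packet leaving the machine: rewrite the source to the alias
        address and an alias port, recording the mapping for replies."""
        if self.unregistered_only and not any(
                ip_address(pkt.src) in net for net in PRIVATE_NETS):
            return pkt      # public source address: passed through unchanged
        for (proto, aport), inside in self.table.items():
            if proto == pkt.proto and inside == (pkt.src, pkt.sport):
                return replace(pkt, src=self.alias, sport=aport)  # existing entry
        aport = self._alias_port(pkt.proto, pkt.sport)
        self.table[(pkt.proto, aport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.alias, sport=aport)

    def incoming(self, pkt):
        """Packet arriving for the alias address.  Returns the rewritten
        packet, the original packet if it is for the gateway itself, or
        None when -deny_incoming drops it."""
        if pkt.dst != self.alias:
            return pkt      # not addressed to the alias address: untouched
        key = (pkt.proto, pkt.dport)
        if key in self.table:                      # reply to an aliased connection
            ip, port = self.table[key]
            return replace(pkt, dst=ip, dport=port)
        if key in self.redirects:                  # static redirect_port rule
            ip, port = self.redirects[key]
            return replace(pkt, dst=ip, dport=port)
        if self.deny_incoming:
            return None                            # no entry: rejected
        return pkt          # no entry: delivered to the local machine as addressed
```

The point to take from the model is the default at the end of
incoming(): an unsolicited packet to the alias address that matches
neither the table nor a redirect rule reaches the gateway itself unless
.Fl deny_incoming
is given, and a second inside host asking for an alias port already in
use gets a different one even with
.Fl same_ports .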

.Pp
The following command line options are available.
.Bl -tag -width Fl

.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time
.Nm
is started, so copy it elsewhere before a restart if you need to keep it.

.It Fl deny_incoming | d
Reject packets destined for the current IP address that have no entry
in the internal translation table and match no
.Fl redirect_port
or
.Fl redirect_address
assignment.  Without this option such packets are delivered to the
local machine as addressed.

.It Fl use_sockets | s
Allocate a
.Xr socket 2
in order to establish an FTP data or IRC DCC send connection.  This
option uses more system resources, but guarantees successful connections
when port numbers conflict.

.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
With this option, protocols such as RPC will have a better chance
of working.  If it is not possible to maintain the port number (for
example because another inside host already holds it through the same
alias address), it will be silently changed as per normal.

.It Fl verbose | v
Don't call
.Xr fork 2
or
.Xr daemon 3
on startup.  Instead, stay attached to the controlling terminal and
display all packet alterations to the standard output.  This option
should only be used for debugging purposes.

.It Fl unregistered_only | u
Only alter outgoing packets with an unregistered source address.
Unregistered addresses here are the private address blocks defined by
RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
Packets from any other source address pass through untranslated.

.It Fl redirect_port Ar linkspec
Redirect incoming connections arriving at a given port to another host
and port.
.Ar Linkspec
is of the form

  proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]

where proto is either tcp or udp, targetIP is the desired target IP
address, targetPORT is the desired target port number, aliasPORT
is the port on which connections are accepted and aliasIP is the aliasing
address (defaulting to the current alias address).
RemoteIP and remotePORT can be used to restrict the redirection to
connections from a particular remote host or port.
For example, the argument

.Ar tcp inside1:telnet 6666

means that tcp packets destined for port 6666 on this machine will
be sent to the telnet port on the inside1 machine.

.It Fl redirect_address Ar localIP publicIP
Redirect traffic for a public IP address to a machine on the local
network.  This function is known as
.Dq static NAT .
Normally static NAT is useful if your ISP has allocated a small block
of IP addresses to you, but it can even be used in the case of a single
address, where 0.0.0.0 stands for the alias address itself:

  redirect_address 10.0.0.8 0.0.0.0

The above command would redirect all incoming traffic, on every port,
to machine 10.0.0.8, which is then fully reachable from outside.

If several address aliases specify the same public address
as follows

  redirect_address 192.168.0.2 public_addr
  redirect_address 192.168.0.3 public_addr
  redirect_address 192.168.0.4 public_addr

the incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic from the first two addresses will still be aliased
to the specified public address.

.It Fl permanent_link Ar linkspec
Create a permanent entry in the internal alias table.
.Ar Linkspec
is of the form

  proto targetIP:targetPORT sourceIP:sourcePORT aliasPORT

where proto is either tcp or udp, targetIP is the desired target IP
address, targetPORT is the desired target port number, sourceIP and
sourcePORT match the incoming packet, and aliasPORT is the requested
port number.  Values of zero are considered as wildcards.  For example,
the argument

.Ar tcp inside1:telnet outside1:0 6666

means that tcp packets destined for port 6666 on this machine from the
outside1 machine (any port) will be sent to the telnet port on the
inside1 machine.

New installations are encouraged to use
.Fl redirect_port
instead.

.It Fl dynamic
If the
.Fl n
or
.Fl interface
option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
passed.  If the interface's IP address is changed,
.Nm
will dynamically alter its concept of the alias address.

.It Fl i | inport Ar inport
Read from and write to
.Ar inport ,
treating all packets as packets coming into the machine.

.It Fl o | outport Ar outport
Read from and write to
.Ar outport ,
treating all packets as packets going out of the machine.

.It Fl p | port Ar port
Read from and write to
.Ar port ,
distinguishing packets as incoming or outgoing using the rules specified in
.Xr divert 4 .
If
.Ar port
is not numeric, it is searched for in the
.Pa /etc/services
database using the
.Xr getservbyname 3
function.  If this flag is not specified, the divert port named natd will
be used as a default.  An example entry in the
.Pa /etc/services
database would be:

  natd   8668/divert  # Network Address Translation socket

Refer to
.Xr services 5
for further details.

.It Fl a | alias_address Ar address
Use
.Ar address
as the alias address.  If this option is not specified, the
.Fl n
or
.Fl interface
option must be used.  The specified address should be the address assigned
to the public network interface.
.Pp
All data passing out through this address's interface will be rewritten
with a source address equal to
.Ar address .
All data arriving at the interface from outside will be checked to
see if it matches any already-aliased outgoing connection.  If it does,
the packet is altered accordingly.  If not, all
.Fl redirect_port
and
.Fl redirect_address
assignments are checked and actioned.  If no other action can be made,
and if
.Fl deny_incoming
is not specified, the packet is delivered to the local machine and port
as specified in the packet.

.It Fl n | interface Ar interface
Use
.Ar interface
to determine the alias address.  If there is a possibility that the
IP address associated with
.Ar interface
may change, the
.Fl dynamic
flag should also be used.  If this option is not specified, the
.Fl a
or
.Fl alias_address
flag must be used.
.Pp
The specified
.Ar interface
must be the public network interface.
.It Fl f | config Ar configfile
Read configuration from
.Ar configfile .
.Ar Configfile
contains a list of options, one per line in the same form as the
long form of the above command line flags.  For example, the line

  alias_address 158.152.17.1

would specify an alias address of 158.152.17.1.  Options that don't
take an argument are specified with an option of
.Ar yes
or
.Ar no
in the configuration file.  For example, the line

  log yes

is synonymous with
.Fl log .
Empty lines and lines beginning with '#' are ignored.

.El
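.Pp
As an added example (not a file shipped with
.Nm natd ;
the interface name, inside host, file path and port numbers are
assumptions), a configuration file combining several of the long-form
options above looks like this:

```conf
# Example natd configuration file (added illustration; all values assumed).
# Equivalent command line:
#   natd -interface ed0 -dynamic -same_ports -deny_incoming -log \
#        -redirect_port "tcp 192.168.0.10:telnet 6666"

# public interface; dynamic follows changes to its address (e.g. a PPP link)
interface ed0
dynamic yes

# flags that take no argument on the command line take yes/no here
same_ports yes
deny_incoming yes
log yes

# expose only the inside telnet server, on public port 6666; anything else
# arriving at the alias address with no table entry is rejected by deny_incoming
redirect_port tcp 192.168.0.10:telnet 6666
```

Start it with
.Nm natd
.Fl f Ar /etc/natd.conf
(path assumed).  The divert port still defaults to the natd entry in
.Pa /etc/services
unless
.Ar port
is also set in the file.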

.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm natd :

.Bl -enum
.It
Get FreeBSD version 2.2 or higher.  Versions before this do not support
.Xr divert 4
sockets.

.It
Build a custom kernel with the following options:

  options IPFIREWALL
  options IPDIVERT

Refer to the handbook for detailed instructions on building a custom
kernel.

.It
Ensure that your machine is acting as a gateway.  This can be done by
specifying the line

  gateway_enable=YES

in
.Pa /etc/rc.conf ,
or using the command

  sysctl -w net.inet.ip.forwarding=1

.It
If you wish to use the
.Fl n
or
.Fl interface
flags, make sure that your interface is already configured.  If, for
example, you wish to specify tun0 as your
.Ar interface ,
and you're using
.Xr ppp 8
on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm natd .

.It
Create an entry in
.Pa /etc/services :

  natd          8668/divert  # Network Address Translation socket

This gives a default for the
.Fl p
or
.Fl port
flag.

.El
.Pp
Running
.Nm
is fairly straightforward.  The line

  natd -interface ed0

should suffice in most cases (substituting the correct interface name).  Once
.Nm
is running, you must ensure that traffic is diverted to it:

.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste.  If you're not interested in having a firewall, the
following lines will do:

  /sbin/ipfw -f flush
  /sbin/ipfw add divert natd all from any to any via ed0
  /sbin/ipfw add pass all from any to any

The second line depends on your interface (change ed0 as appropriate)
and assumes that you've updated
.Pa /etc/services
with the natd entry as above.  If you specify real firewall rules, it's
best to place the divert rule (line 2) at the start of the rule set so that
.Nm
sees all packets before they are dropped by the firewall.  The firewall
rules will be run again on each packet after translation by
.Nm natd ,
minus any divert rules, so any rule evaluated after translation sees
the rewritten addresses and ports.

.It
Enable your firewall by setting

  firewall_enable=YES

in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
script.  If you don't wish to reboot now, just run this by hand from the
console.  NEVER run this from a remote login session unless you put it
into the background.  If you do, you'll lock yourself out after the
flush takes place: the session running the script is cut off, execution of
.Pa /etc/rc.firewall
stops at this point, and all access remains blocked permanently.  Running
the script in the background should be enough to prevent this disaster.

.El

.Sh SEE ALSO
.Xr socket 2 ,
.Xr getservbyname 3 ,
.Xr divert 4 ,
.Xr services 5 ,
.Xr ipfw 8 ,
.Xr ppp 8

.Sh AUTHORS
This program is the result of the efforts of many people at different
times:

.An Archie Cobbs Aq archie@whistle.com
(divert sockets)
.An Charles Mott Aq cmott@srv.net
(packet aliasing)
.An Eivind Eklund Aq perhaps@yes.no
(IRC support & misc additions)
.An Ari Suutari Aq suutari@iki.fi
(natd)
.An Brian Somers Aq brian@awfulhak.org
(glue)

409