1.\" manual page [] for natd 1.4 2.\" $Id: natd.8,v 1.14 1998/07/14 08:18:51 jkoshy Exp $ 3.Dd 15 April 1997 4.Os FreeBSD 5.Dt NATD 8 6.Sh NAME 7.Nm natd 8.Nd 9Network Address Translation Daemon 10.Sh SYNOPSIS 11.Nm 12.Op Fl ldsmvu 13.Op Fl permanent_link 14.Op Fl dynamic 15.Op Fl i Ar inport 16.Op Fl o Ar outport 17.Op Fl p Ar port 18.Op Fl a Ar address 19.Op Fl n Ar interface 20.Op Fl f Ar configfile 21 22.Nm 23.Op Fl log 24.Op Fl deny_incoming 25.Op Fl use_sockets 26.Op Fl same_ports 27.Op Fl verbose 28.Op Fl unregistered_only 29.Op Fl permanent_link 30.Op Fl dynamic 31.Op Fl inport Ar inport 32.Op Fl outport Ar outport 33.Op Fl port Ar port 34.Op Fl alias_address Ar address 35.Op Fl interface Ar interface 36.Op Fl config Ar configfile 37.Op Fl redirect_port Ar linkspec 38.Op Fl redirect_address Ar localIP publicIP 39 40.Sh DESCRIPTION 41This program provides a Network Address Translation facility for use 42with 43.Xr divert 4 44sockets under FreeBSD. Most of the command line options are available 45in a single character short form or in a long form. Use of the long 46form is encouraged as it makes things clearer to the casual observer. 47 48.Pp 49.Nm Natd 50normally runs in the background as a daemon. It is passed raw IP packets 51as they travel into and out of the machine, and will possibly change these 52before re-injecting them back into the IP packet stream. 53 54.Pp 55.Nm Natd 56changes all packets destined for another host so that their source 57IP number is that of the current machine. For each packet changed 58in this manner, an internal table entry is created to record this 59fact. The source port number is also changed to indicate the 60table entry applying to the packet. Packets that are received with 61a target IP of the current host are checked against this internal 62table. If an entry is found, it is used to determine the correct 63target IP number and port to place in the packet. 64 65.Pp 66The following command line options are available. 67.Bl -tag -width Fl 68 69.It Fl log | l 70Log various aliasing statistics and information to the file 71.Pa /var/log/alias.log . 72This file is truncated each time natd is started. 73 74.It Fl deny_incoming | d 75Reject packets destined for the current IP number that have no entry 76in the internal translation table. 77 78.It Fl use_sockets | s 79Allocate a 80.Xr socket 2 81in order to establish an FTP data or IRC DCC send connection. This 82option uses more system resources, but guarantees successful connections 83when port numbers conflict. 84 85.It Fl same_ports | m 86Try to keep the same port number when altering outgoing packets. 87With this option, protocols such as RPC will have a better chance 88of working. If it is not possible to maintain the port number, it 89will be silently changed as per normal. 90 91.It Fl verbose | v 92Don't call 93.Xr fork 2 94or 95.Xr daemon 3 96on startup. Instead, stay attached to the controling terminal and 97display all packet alterations to the standard output. This option 98should only be used for debugging purposes. 99 100.It Fl unregistered_only | u 101Only alter outgoing packets with an unregistered source address. 102According to rfc 1918, unregistered source addresses are 10.0.0.0/8, 103172.16.0.0/12 and 192.168.0.0/16. 104 105.It Fl redirect_port Ar linkspec 106Redirect incoming connections arriving to given port to another host and port. 107Linkspec is of the form 108 109 proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]] 110 111where proto is either tcp or udp, targetIP is the desired target IP 112number, targetPORT is the desired target PORT number, aliasPORT 113is the requested PORT number and aliasIP is the aliasing address. 114RemoteIP and remotePORT can be used to specify the connection 115more accurately if necessary. 116For example, the argument 117 118.Ar tcp inside1:telnet 6666 119 120means that tcp packets destined for port 6666 on this machine will 121be sent to the telnet port on the inside1 machine. 122 123.It Fl redirect_address Ar localIP publicIP 124Redirect traffic for public IP address to a machine on the local 125network. This function is known as "static NAT". Normally static NAT 126is useful if your ISP has allocated a small block of IP addresses to you, 127but it can even be used in the case of single address: 128 129 redirect_address 10.0.0.8 0.0.0.0 130 131The above command would redirect all incoming traffic 132to machine 10.0.0.8. 133 134If several address aliases specify the same public address 135as follows 136 137 redirect_address 192.168.0.2 public_addr 138 redirect_address 192.168.0.3 public_addr 139 redirect_address 192.168.0.4 public_addr 140 141the incoming traffic will be directed to the last 142translated local address (192.168.0.4), but outgoing 143traffic to the first two addresses will still be aliased 144to specified public address. 145 146.It Fl permanent_link Ar linkspec 147Create a permanent entry in the internal alias table. Linkspec is 148of the form 149 150 proto targetIP:targetPORT sourceIP:sourcePORT aliasPORT 151 152where proto is either tcp or udp, targetIP is the desired target IP 153number, targetPORT is the desired target PORT number, sourceIP and 154sourcePORT match the incoming packet, and aliasPORT is the requested 155PORT number. Values of zero are considered as wildcards. For example, 156the argument 157 158.Ar tcp inside1:telnet outside1:0 6666 159 160means that tcp packets destined for port 6666 on this machine from the 161outside1 machine (any port) will be sent to the telnet port on the 162inside1 machine. 163 164New installations are encouraged to use redirect_port instead. 165 166.It Fl dynamic 167If the 168.Fl n 169or 170.Fl interface 171option is used, 172.Nm 173will monitor the routing socket for alterations to the 174.Ar interface 175passed. If the interfaces IP number is changed, 176.Nm 177will dynamically alter its concept of the alias address. 178 179.It Fl i | inport Ar inport 180Read from and write to 181.Ar inport , 182treating all packets as packets coming into the machine. 183 184.It Fl o | outport Ar outport 185Read from and write to 186.Ar outport , 187treating all packets as packets going out of the machine. 188 189.It Fl p | port Ar port 190Read from and write to 191.Ar port , 192distinguishing packets as incoming our outgoing using the rules specified in 193.Xr divert 4 . 194If 195.Ar port 196is not numeric, it is searched for in the 197.Pa /etc/services 198database using the 199.Xr getservbyname 3 200function. If this flag is not specified, the divert port named natd will 201be used as a default. An example entry in the 202.Pa /etc/services 203database would be: 204 205 natd 8668/divert # Network Address Translation socket 206 207Refer to 208.Xr services 5 209for further details. 210 211.It Fl a | alias_address Ar address 212Use 213.Ar address 214as the alias address. If this option is not specified, the 215.Fl n 216or 217.Fl interface 218option must be used. The specified address should be the address assigned 219to the public network interface. 220.Pp 221All data passing out through this addresses interface will be rewritten 222with a source address equal to 223.Ar address . 224All data arriving at the interface from outside will be checked to 225see if it matches any already-aliased outgoing connection. If it does, 226the packet is altered accordingly. If not, all 227.Fl redirect_port 228and 229.Fl redirect_address 230assignments are checked and actioned. If no other action can be made, 231and if 232.Fl deny_incoming 233is not specified, the packet is delivered to the local machine and port 234as specified in the packet. 235 236.It Fl n | interface Ar interface 237Use 238.Ar interface 239to determine the alias address. If there is a possibility that the 240IP number associated with 241.Ar interface 242may change, the 243.Fl dynamic 244flag should also be used. If this option is not specified, the 245.Fl a 246or 247.Fl alias_address 248flag must be used. 249.Pp 250The specified 251.Ar interface 252must be the public network interface. 253.It Fl f | config Ar configfile 254Read configuration from 255.Ar configfile . 256.Ar Configfile 257contains a list of options, one per line in the same form as the 258long form of the above command line flags. For example, the line 259 260 alias_address 158.152.17.1 261 262would specify an alias address of 158.152.17.1. Options that don't 263take an argument are specified with an option of 264.Ar yes 265or 266.Ar no 267in the configuration file. For example, the line 268 269 log yes 270 271is synonomous with 272.Fl log . 273Empty lines and lines beginning with '#' are ignored. 274 275.El 276 277.Sh RUNNING NATD 278The following steps are necessary before attempting to run 279.Nm natd : 280 281.Bl -enum 282.It 283Get FreeBSD version 2.2 or higher. Versions before this do not support 284.Xr divert 4 285sockets. 286 287.It 288Build a custom kernel with the following options: 289 290 options IPFIREWALL 291 options IPDIVERT 292 293Refer to the handbook for detailed instructions on building a custom 294kernel. 295 296.It 297Ensure that your machine is acting as a gateway. This can be done by 298specifying the line 299 300 gateway_enable=YES 301 302in 303.Pa /etc/rc.conf , 304or using the command 305 306 sysctl -w net.inet.ip.forwarding=1 307 308.It 309If you wish to use the 310.Fl n 311or 312.Fl interface 313flags, make sure that your interface is already configured. If, for 314example, you wish to specify tun0 as your 315.Ar interface , 316and you're using 317.Xr ppp 8 318on that interface, you must make sure that you start 319.Nm ppp 320prior to starting 321.Nm natd . 322 323.It 324Create an entry in 325.Pa /etc/services : 326 327 natd 8668/divert # Network Address Translation socket 328 329This gives a default for the 330.Fl p 331or 332.Fl port 333flag. 334 335.El 336.Pp 337Running 338.Nm 339is fairly straight forward. The line 340 341 natd -interface ed0 342 343should suffice in most cases (substituting the correct interface name). Once 344.Nm 345is running, you must ensure that traffic is diverted to natd: 346 347.Bl -enum 348.It 349You will need to adjust the 350.Pa /etc/rc.firewall 351script to taste. If you're not interested in having a firewall, the 352following lines will do: 353 354 /sbin/ipfw -f flush 355 /sbin/ipfw add divert natd all from any to any via ed0 356 /sbin/ipfw add pass all from any to any 357 358The second line depends on your interface (change ed0 as appropriate) 359and assumes that you've updated 360.Pa /etc/services 361with the natd entry as above. If you specify real firewall rules, it's 362best to specify line 2 at the start of the script so that 363.Nm 364sees all packets before they are dropped by the firewall. The firewall 365rules will be run again on each packet after translation by 366.Nm natd , 367minus any divert rules. 368 369.It 370Enable your firewall by setting 371 372 firewall_enable=YES 373 374in 375.Pa /etc/rc.conf . 376This tells the system startup scripts to run the 377.Pa /etc/rc.firewall 378script. If you don't wish to reboot now, just run this by hand from the 379console. NEVER run this from a virtual session unless you put it into 380the background. If you do, you'll lock yourself out after the flush 381takes place, and execution of 382.Pa /etc/rc.firewall 383will stop at this point - blocking all accesses permanently. Running 384the script in the background should be enough to prevent this disaster. 385 386.El 387 388.Sh SEE ALSO 389.Xr getservbyname 2 , 390.Xr socket 2 , 391.Xr divert 4 , 392.Xr services 5 , 393.Xr ipfw 8 394 395.Sh AUTHORS 396This program is the result of the efforts of many people at different 397times: 398 399.An Archie Cobbs Aq archie@whistle.com 400(divert sockets) 401.An Charles Mott Aq cmott@srv.net 402(packet aliasing) 403.An Eivind Eklund Aq perhaps@yes.no 404(IRC support & misc additions) 405.An Ari Suutari Aq suutari@iki.fi 406(natd) 407.An Brian Somers Aq brian@awfulhak.org 408(glue) 409