xref: /freebsd/sbin/natd/natd.8 (revision 5521ff5a4d1929056e7ffc982fac3341ca54df7c)
.\" $FreeBSD$
.Dd June 27, 2000
.Dt NATD 8
.Os FreeBSD
.Sh NAME
.Nm natd
.Nd Network Address Translation daemon
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl unregistered_only | u
.Op Fl log | l
.Op Fl proxy_only
.Op Fl reverse
.Op Fl deny_incoming | d
.Op Fl use_sockets | s
.Op Fl same_ports | m
.Op Fl verbose | v
.Op Fl dynamic
.Op Fl in_port | i Ar port
.Op Fl out_port | o Ar port
.Op Fl port | p Ar port
.Op Fl alias_address | a Ar address
.Op Fl target_address | t Ar address
.Op Fl interface | n Ar interface
.Op Fl proxy_rule Ar proxyspec
.Op Fl redirect_port Ar linkspec
.Op Fl redirect_proto Ar linkspec
.Op Fl redirect_address Ar linkspec
.Op Fl config | f Ar configfile
.Op Fl log_denied
.Op Fl log_facility Ar facility_name
.Op Fl punch_fw Ar firewall_range
.Ek
.Sh DESCRIPTION
This program provides a Network Address Translation facility for use
with
.Xr divert 4
sockets under
.Fx .
It is intended for use with NICs - if you want to do NAT on a PPP link,
use the
.Fl nat
switch to
.Xr ppp 8 .
.Pp
The
.Nm
normally runs in the background as a daemon.
It is passed raw IP packets as they travel into and out of the machine,
and will possibly change these before re-injecting them back into the
IP packet stream.
.Pp
It changes all packets destined for another host so that their source
IP number is that of the current machine.
For each packet changed in this manner, an internal table entry is
created to record this fact.
The source port number is also changed to indicate the table entry
applying to the packet.
Packets that are received with a target IP of the current host are
checked against this internal table.
If an entry is found, it is used to determine the correct target IP
number and port to place in the packet.
.Pp
The following command line options are available:
.Bl -tag -width Fl
.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time
.Nm
is started.
.It Fl deny_incoming | d
Do not pass incoming packets that have no
entry in the internal translation table.
.Pp
If this option is not used, then such a packet will be altered
using the rules in
.Fl target_address
below, and the entry will be made in the internal translation table.
.It Fl log_denied
Log denied incoming packets via
.Xr syslog 3
.Po
see also
.Fl log_facility
.Pc .
.It Fl log_facility Ar facility_name
Use the specified log facility when logging information via
.Xr syslog 3 .
Argument
.Ar facility_name
is one of the keywords specified in
.Xr syslog.conf 5 .
.It Fl use_sockets | s
Allocate a
.Xr socket 2
in order to establish an FTP data or IRC DCC send connection.
This option uses more system resources, but guarantees successful
connections when port numbers conflict.
.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
With this option, protocols such as RPC will have a better chance
of working.
If it is not possible to maintain the port number, it will be silently
changed as usual.
.It Fl verbose | v
Do not call
.Xr daemon 3
on startup.
Instead, stay attached to the controlling terminal and display all packet
alterations to the standard output.
This option should only be used for debugging purposes.
.It Fl unregistered_only | u
Only alter outgoing packets with an
.Em unregistered
source address.
According to RFC 1918, unregistered source addresses are 10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16.
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Op - Ns Ar targetPORT Xc
.Op Ar aliasIP Ns : Ns Xo
.Ar aliasPORT Ns Op - Ns Ar aliasPORT Xc
.Oo Ar remoteIP Ns Oo : Ns
.Ar remotePORT Ns Op - Ns Ar remotePORT
.Oc Oc
.Xc
Redirect incoming connections arriving at the given port(s) to another host
and port(s).
Argument
.Ar proto
is either
.Ar tcp
or
.Ar udp ,
.Ar targetIP
is the desired target IP number,
.Ar targetPORT
is the desired target port number or range,
.Ar aliasPORT
is the requested port number or range, and
.Ar aliasIP
is the aliasing address.
Arguments
.Ar remoteIP
and
.Ar remotePORT
can be used to specify the connection more accurately if necessary.
The
.Ar targetPORT
range and
.Ar aliasPORT
range need not be the same numerically, but must have the same size.
If
.Ar remotePORT
is not specified, it is assumed to be all ports.
If
.Ar remotePORT
is specified, it must match the size of
.Ar targetPORT ,
or be 0 (all ports).
For example, the argument
.Pp
.Dl Ar tcp inside1:telnet 6666
.Pp
means that incoming TCP packets destined for port 6666 on this machine
will be sent to the telnet port on the inside1 machine.
.Pp
.Dl Ar tcp inside2:2300-2399 3300-3399
.Pp
will redirect incoming connections on ports 3300-3399 to host
inside2, ports 2300-2399.
The mapping is 1:1, meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
.It Fl redirect_proto Ar proto localIP Oo
.Ar publicIP Op Ar remoteIP
.Oc
Redirect incoming IP packets of protocol
.Ar proto
.Po see Xr protocols 5
.Pc
destined for
.Ar publicIP
address to a
.Ar localIP
address and vice versa.
.Pp
If
.Ar publicIP
is not specified, then the default aliasing address is used.
If
.Ar remoteIP
is specified, then only packets coming from/to
.Ar remoteIP
will match the rule.
.It Fl redirect_address Ar localIP publicIP
Redirect traffic for a public IP address to a machine on the local
network.
This function is known as
.Em static NAT .
Normally static NAT is useful if your ISP has allocated a small block
of IP addresses to you, but it can even be used in the case of a single
address:
.Pp
.Dl Ar redirect_address 10.0.0.8 0.0.0.0
.Pp
The above command would redirect all incoming traffic
to machine 10.0.0.8.
.Pp
If several address aliases specify the same public address
as follows
.Bd -literal -offset indent
.Ar redirect_address 192.168.0.2 public_addr
.Ar redirect_address 192.168.0.3 public_addr
.Ar redirect_address 192.168.0.4 public_addr
.Ed
.Pp
the incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic from the first two addresses will still be aliased
to appear from the specified
.Ar public_addr .
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar ...\&
.Oc Oc
.Xc
.Xc
.Op Ar aliasIP Ns : Ns Xo
.Ar aliasPORT
.Xc
.Oo Ar remoteIP Ns
.Op : Ns Ar remotePORT
.Oc
.Xc
.It Fl redirect_address Xo
.Ar localIP Ns Oo , Ns
.Ar localIP Ns Oo , Ns
.Ar ...\&
.Oc Oc
.Ar publicIP
.Xc
These forms of
.Fl redirect_port
and
.Fl redirect_address
are used to transparently offload the network load from a single server and
distribute it across a pool of servers.
This function is known as
.Em LSNAT
(RFC 2391).
For example, the argument
.Pp
.Dl Ar tcp www1:http,www2:http,www3:http www:http
.Pp
means that incoming HTTP requests for host www will be transparently
redirected to one of www1, www2 or www3, where a host is selected
simply on a round-robin basis, without regard to load on the net.
.It Fl dynamic
If the
.Fl n
or
.Fl interface
option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
passed.
If the interface's IP number is changed,
.Nm
will dynamically alter its concept of the alias address.
.It Fl in_port | i Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq incoming .
.It Fl out_port | o Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq outgoing .
.It Fl port | p Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
distinguishing packets as
.Dq incoming
or
.Dq outgoing
using the rules specified in
.Xr divert 4 .
If
.Ar port
is not numeric, it is searched for in the
.Xr services 5
database.
If this option is not specified, the divert port named
.Ar natd
will be used as a default.
.It Fl alias_address | a Ar address
Use
.Ar address
as the aliasing address.
If this option is not specified, the
.Fl interface
option must be used.
The specified address is usually the address assigned to the
.Dq public
network interface.
.Pp
All data passing
.Em out
will be rewritten with a source address equal to
.Ar address .
All data coming
.Em in
will be checked to see if it matches any already-aliased outgoing
connection.
If it does, the packet is altered accordingly.
If not, all
.Fl redirect_port ,
.Fl redirect_proto
and
.Fl redirect_address
assignments are checked and actioned.
If no other action can be made and if
.Fl deny_incoming
is not specified, the packet is delivered to the local machine
using the rules specified in the
.Fl target_address
option below.
.It Fl t | target_address Ar address
Set the target address.
When an incoming packet not associated with any pre-existing link
arrives at the host machine, it will be sent to the specified
.Ar address .
.Pp
The target address may be set to
.Ar 255.255.255.255 ,
in which case all new incoming packets go to the alias address set by
.Fl alias_address
or
.Fl interface .
.Pp
If this option is not used, or called with the argument
.Ar 0.0.0.0 ,
then all new incoming packets go to the address specified in
the packet.
This allows external machines to talk directly to internal machines if
they can route packets to the machine in question.
.It Fl interface | n Ar interface
Use
.Ar interface
to determine the aliasing address.
If there is a possibility that the IP number associated with
.Ar interface
may change, the
.Fl dynamic
option should also be used.
If this option is not specified, the
.Fl alias_address
option must be used.
.Pp
The specified
.Ar interface
is usually the
.Dq public
(or
.Dq external )
network interface.
.It Fl config | f Ar file
Read configuration from
.Ar file .
A
.Ar file
should contain a list of options, one per line, in the same form
as the long form of the above command line options.
For example, the line
.Pp
.Dl alias_address 158.152.17.1
.Pp
would specify an alias address of 158.152.17.1.
Options that do not take an argument are specified with an argument of
.Ar yes
or
.Ar no
in the configuration file.
For example, the line
.Pp
.Dl log yes
.Pp
is synonymous with
.Fl log .
.Pp
Trailing spaces and empty lines are ignored.
A
.Ql \&#
sign will mark the rest of the line as a comment.
.It Fl reverse
This option makes
.Nm
reverse the way it handles
.Dq incoming
and
.Dq outgoing
packets, allowing it to operate on the
.Dq internal
network interface rather than the
.Dq external
one.
.Pp
This can be useful in some transparent proxying situations
when outgoing traffic is redirected to the local machine
and
.Nm
is running on the internal interface (it usually runs on the
external interface).
.It Fl proxy_only
Force
.Nm
to perform transparent proxying only.
Normal address translation is not performed.
.It Fl proxy_rule Xo
.Op Ar type encode_ip_hdr | encode_tcp_stream
.Ar port xxxx
.Ar server a.b.c.d:yyyy
.Xc
Enable transparent proxying.
Outgoing TCP packets with the given port going through this
host to any other host are redirected to the given server and port.
Optionally, the original target address can be encoded into the packet.
Use
.Ar encode_ip_hdr
to put this information into the IP option field or
.Ar encode_tcp_stream
to inject the data into the beginning of the TCP stream.
.It Fl punch_fw Xo
.Ar basenumber Ns : Ns Ar count
.Xc
This option directs
.Nm
to
.Dq punch holes
in an
.Xr ipfirewall 4
based firewall for FTP/IRC DCC connections.
This is done dynamically by installing temporary firewall rules which
allow a particular connection (and only that connection) to go through
the firewall.
The rules are removed once the corresponding connection terminates.
.Pp
A maximum of
.Ar count
rules starting from the rule number
.Ar basenumber
will be used for punching firewall holes.
The range will be cleared for all rules on startup.
.El
.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm :
.Bl -enum
.It
Build a custom kernel with the following options:
.Bd -literal -offset indent
options IPFIREWALL
options IPDIVERT
.Ed
.Pp
Refer to the handbook for detailed instructions on building a custom
kernel.
.It
Ensure that your machine is acting as a gateway.
This can be done by specifying the line
.Pp
.Dl gateway_enable=YES
.Pp
in the
.Pa /etc/rc.conf
file or using the command
.Pp
.Dl sysctl -w net.inet.ip.forwarding=1
.Pp
.It
If you use the
.Fl interface
option, make sure that your interface is already configured.
If, for example, you wish to specify
.Ql tun0
as your
.Ar interface ,
and you are using
.Xr ppp 8
on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm .
.El
.Pp
Running
.Nm
is fairly straightforward.
The line
.Pp
.Dl natd -interface ed0
.Pp
should suffice in most cases (substituting the correct interface name).
Please check
.Xr rc.conf 5
on how to configure it to be started automatically during boot.
Once
.Nm
is running, you must ensure that traffic is diverted to
.Nm :
.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste.
If you are not interested in having a firewall, the
following lines will do:
.Bd -literal -offset indent
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
.Ed
.Pp
The second line depends on your interface (change
.Ql ed0
as appropriate).
.Pp
Be aware that, with these firewall settings,
anyone on your local network can forge their source address using your
host as a gateway.
If there are other hosts on your local network, you are strongly
encouraged to create firewall rules that only allow traffic to and
from trusted hosts.
.Pp
If you specify real firewall rules, it is best to specify line 2 at
the start of the script so that
.Nm
sees all packets before they are dropped by the firewall.
.Pp
After translation by
.Nm ,
packets re-enter the firewall at the rule number following the rule number
that caused the diversion (not the next rule if there are several at the
same number).
.It
Enable your firewall by setting
.Pp
.Dl firewall_enable=YES
.Pp
in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
script.
If you do not wish to reboot now, just run this by hand from the console.
NEVER run this from a remote session unless you put it into the background.
If you do, you will lock yourself out after the flush takes place, and
execution of
.Pa /etc/rc.firewall
will stop at this point, blocking all access permanently.
Running the script in the background should be enough to prevent this
disaster.
.El
.Sh SEE ALSO
.Xr divert 4 ,
.Xr protocols 5 ,
.Xr rc.conf 5 ,
.Xr services 5 ,
.Xr syslog.conf 5 ,
.Xr ipfw 8 ,
.Xr ppp 8
.Sh AUTHORS
This program is the result of the efforts of many people at different
times:
.Pp
.An Archie Cobbs Aq archie@whistle.com
(divert sockets)
.An Charles Mott Aq cmott@scientech.com
(packet aliasing)
.An Eivind Eklund Aq perhaps@yes.no
(IRC support & misc additions)
.An Ari Suutari Aq suutari@iki.fi
(natd)
.An Dru Nelson Aq dnelson@redwoodsoft.com
(early PPTP support)
.An Brian Somers Aq brian@awfulhak.org
(glue)
.An Ruslan Ermilov Aq ru@FreeBSD.org
(natd, packet aliasing, glue)
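The two rules above that are easiest to get wrong are the config-file grammar of
.Fl config
(one long-form option per line, flags written as yes/no, trailing spaces and empty lines ignored, # starting a comment) and the size constraints on the port ranges of
.Fl redirect_port .
The following Python is an added illustration, not part of natd or this manual: it reads a constructed config fragment and expands each redirect_port line into the 1:1 alias-to-target port mapping, rejecting ranges of different size or a remotePORT range that is neither 0 nor the size of targetPORT. The addresses and ports in SAMPLE_CONF are made up for the example.

```python
# Constructed natd config fragment for this example (not from the manual).
SAMPLE_CONF = """\
interface ed0
log yes          # same as -log on the command line
deny_incoming no
redirect_port tcp 10.0.0.5:23 6666
redirect_port tcp 10.0.0.6:2300-2399 3300-3399 0.0.0.0:0
"""

def parse_config(text):
    """Return (option, argument) pairs from natd config text.
    A flag given as 'yes' becomes (name, None); a flag given as 'no' is
    dropped; comments, trailing spaces and empty lines are ignored."""
    options = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # comment + trailing spaces
        if not line:
            continue                               # empty line
        name, _, arg = line.partition(" ")
        arg = arg.strip()
        if arg.lower() == "yes":
            options.append((name, None))
        elif arg.lower() != "no":
            options.append((name, arg))
    return options

def port_range(text):
    """'2300-2399' -> (2300, 2399); a single port '23' -> (23, 23)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def parse_redirect_port(spec):
    """Parse 'proto targetIP:targetPORT[-PORT] [aliasIP:]aliasPORT[-PORT]
    [remoteIP[:remotePORT[-PORT]]]' into (target_ip, {alias: target}).
    Both ranges must be the same size; the mapping is 1:1, so alias 3300
    goes to target 2300, 3301 to 2301, and so on."""
    parts = spec.split()
    if len(parts) < 3 or parts[0] not in ("tcp", "udp"):
        raise ValueError("expected: tcp|udp targetIP:targetPORT aliasPORT ...")
    target_ip, target_ports = parts[1].rsplit(":", 1)
    t_lo, t_hi = port_range(target_ports)
    a_lo, a_hi = port_range(parts[2].rsplit(":", 1)[-1])   # drop aliasIP
    if t_hi - t_lo != a_hi - a_lo:
        raise ValueError("targetPORT and aliasPORT ranges must be the same size")
    if len(parts) > 3 and ":" in parts[3]:
        r_lo, r_hi = port_range(parts[3].split(":", 1)[1])
        if (r_lo, r_hi) != (0, 0) and r_hi - r_lo != t_hi - t_lo:
            raise ValueError("remotePORT must be 0 or match the targetPORT size")
    return target_ip, {a_lo + i: t_lo + i for i in range(a_hi - a_lo + 1)}
```

Feeding each redirect_port argument from parse_config(SAMPLE_CONF) through parse_redirect_port yields {6666: 23} for the first line and the hundred-entry 3300-3399 to 2300-2399 table for the second.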
601(natd, packet aliasing, glue)
602