.\" manual page [] for natd 1.4
.\" $FreeBSD$
.Dd 15 April 1997
.Os FreeBSD
.Dt NATD 8
.Sh NAME
.Nm natd
.Nd
Network Address Translation Daemon
.Sh SYNOPSIS
.Nm
.Op Fl ldsmvu
.Op Fl dynamic
.Op Fl i Ar inport
.Op Fl o Ar outport
.Op Fl p Ar port
.Op Fl a Ar address
.Op Fl t Ar address
.Op Fl n Ar interface
.Op Fl f Ar configfile

.Nm
.Op Fl log
.Op Fl deny_incoming
.Op Fl log_denied
.Op Fl use_sockets
.Op Fl same_ports
.Op Fl verbose
.Op Fl log_facility Ar facility_name
.Op Fl unregistered_only
.Op Fl dynamic
.Op Fl inport Ar inport
.Op Fl outport Ar outport
.Op Fl port Ar port
.Op Fl alias_address Ar address
.Op Fl target_address Ar address
.Op Fl interface Ar interface
.Op Fl config Ar configfile
.Op Fl redirect_port Ar linkspec
.Op Fl redirect_proto Ar linkspec
.Op Fl redirect_address Ar linkspec
.Op Fl reverse
.Op Fl proxy_only
.Op Fl proxy_rule Ar proxyspec
.Op Fl pptpalias Ar localIP

.Sh DESCRIPTION
This program provides a Network Address Translation facility for use
with
.Xr divert 4
sockets under FreeBSD. It is intended for use with NICs - if you want
to do NAT on a PPP link, use the -nat switch to
.Xr ppp 8 .

.Pp
.Nm Natd
normally runs in the background as a daemon. It is passed raw IP packets
as they travel into and out of the machine, and will possibly change these
before re-injecting them back into the IP packet stream.

.Pp
.Nm Natd
changes all packets destined for another host so that their source
IP number is that of the current machine. For each packet changed
in this manner, an internal table entry is created to record this
fact. The source port number is also changed to indicate the
table entry applying to the packet. Packets that are received with
a target IP of the current host are checked against this internal
table.
If an entry is found, it is used to determine the correct
target IP number and port to place in the packet.

.Pp
The following command line options are available.
.Bl -tag -width Fl

.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time natd is started.

.It Fl deny_incoming | d
Reject packets destined for the current IP number that have no entry
in the internal translation table.

.It Fl log_denied
Log denied incoming packets via syslog (see also log_facility).

.It Fl log_facility Ar facility_name
Use the specified log facility when logging information via syslog.
Facility names are as in
.Xr syslog.conf 5 .

.It Fl use_sockets | s
Allocate a
.Xr socket 2
in order to establish an FTP data or IRC DCC send connection. This
option uses more system resources, but guarantees successful connections
when port numbers conflict.

.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
With this option, protocols such as RPC will have a better chance
of working. If it is not possible to maintain the port number, it
will be silently changed as per normal.

.It Fl verbose | v
Don't call
.Xr fork 2
or
.Xr daemon 3
on startup. Instead, stay attached to the controlling terminal and
display all packet alterations to the standard output. This option
should only be used for debugging purposes.

.It Fl unregistered_only | u
Only alter outgoing packets with an unregistered source address.
According to RFC 1918, unregistered source addresses are 10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16.

.It Fl redirect_port Ar proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]]
Redirect incoming connections arriving at the given port(s) to another host
and port(s).
Proto is either tcp or udp, targetIP is the desired target IP
number, targetPORT is the desired target PORT number or range, aliasPORT
is the requested PORT number or range, and aliasIP is the aliasing address.
RemoteIP and remotePORT can be used to specify the connection
more accurately if necessary.
The targetPORT range and aliasPORT range need not be the same numerically,
but must have the same size.
If remotePORT is not specified, it is assumed to be all ports.
If remotePORT is specified, it must match the size of targetPORT, or be 0
(all ports).
For example, the argument

.Dl Ar tcp inside1:telnet 6666

means that incoming tcp packets destined for port 6666 on this machine will
be sent to the telnet port on the inside1 machine.

.Dl Ar tcp inside2:2300-2399 3300-3399

will redirect incoming connections on ports 3300-3399 to host
inside2, ports 2300-2399.
The mapping is 1:1, meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
.It Fl redirect_proto Ar proto localIP Xo
.Op Ar publicIP Op Ar remoteIP
.Xc
Redirect incoming IP packets of protocol
.Ar proto
.Pq see Xr protocols 5
destined for
.Ar publicIP
address to a
.Ar localIP
address and vice versa.
.Pp
If
.Ar publicIP
is not specified, then the default aliasing address is used.
If
.Ar remoteIP
is specified, then only packets coming from/to
.Ar remoteIP
will match the rule.
.It Fl redirect_address Ar localIP publicIP
Redirect traffic for a public IP address to a machine on the local
network.
This function is known as "static NAT". Normally static NAT
is useful if your ISP has allocated a small block of IP addresses to you,
but it can even be used in the case of a single address:

	redirect_address 10.0.0.8 0.0.0.0

The above command would redirect all incoming traffic
to machine 10.0.0.8.

If several address aliases specify the same public address
as follows

	redirect_address 192.168.0.2 public_addr
	redirect_address 192.168.0.3 public_addr
	redirect_address 192.168.0.4 public_addr

the incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic from the first two addresses will still be aliased
to the specified public address.
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar ...
.Oc Oc
.Xc
.Xc
.Op Ar aliasIP Ns : Ns Xo
.Ar aliasPORT
.Xc
.Oo Ar remoteIP Ns
.Op : Ns Ar remotePORT
.Oc
.Xc
.It Fl redirect_address Xo
.Ar localIP Ns Oo , Ns
.Ar localIP Ns Oo , Ns
.Ar ...
.Oc Oc
.Ar publicIP
.Xc
These forms of
.Fl redirect_port
and
.Fl redirect_address
are used to transparently offload network load on a single server and
distribute the load across a pool of servers.
This function is known as
.Em LSNAT
(RFC 2391).
For example, the argument
.Pp
.Dl Ar tcp www1:http,www2:http,www3:http www:http
.Pp
means that incoming HTTP requests for host www will be transparently
redirected to one of www1, www2 or www3, where a host is selected
simply on a round-robin basis, without regard to load on the net.
.It Fl dynamic
If the
.Fl n
or
.Fl interface
option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
passed. If the interface's IP number is changed,
.Nm
will dynamically alter its concept of the alias address.

.It Fl i | inport Ar inport
Read from and write to
.Ar inport ,
treating all packets as packets coming into the machine.

.It Fl o | outport Ar outport
Read from and write to
.Ar outport ,
treating all packets as packets going out of the machine.
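The size rule on port ranges and the comma-separated LSNAT form of
.Fl redirect_port
above are easy to get wrong by hand. The POSIX sh function below, an added example that is not part of natd, checks a
.Fl redirect_port
argument against those rules as the text states them; it assumes the argument is split into its four words the way natd's option takes them, and counts a service name such as telnet or http as a single port.

```shell
#!/bin/sh
# Check a -redirect_port argument against the rules natd documents: each
# targetPORT range (one per comma-separated target in the LSNAT form)
# must be the same size as the aliasPORT range, and remotePORT, if given,
# must match that size or be 0 (all ports). Added example, not natd code;
# a service name such as telnet or http is counted as one port.

# Ports in a spec: "2300-2399" -> 100, "http" -> 1, "0" -> 0 (all ports).
range_size() {
    case "$1" in
        0)   echo 0 ;;
        *-*) lo=${1%-*}; hi=${1#*-}
             [ "$hi" -ge "$lo" ] 2>/dev/null || { echo "bad range $1" >&2; return 1; }
             echo $((hi - lo + 1)) ;;
        *)   echo 1 ;;
    esac
}

# check_redirect_port proto targetspec aliasspec [remotespec]
#   targetspec : targetIP:targetPORT[-targetPORT][,targetIP:targetPORT...]
#   aliasspec  : [aliasIP:]aliasPORT[-aliasPORT]
#   remotespec : remoteIP[:remotePORT[-remotePORT]]
# Returns 0 when the sizes agree, 1 with a reason on stderr when they do not.
check_redirect_port() {
    proto=$1; targets=$2; aspec=$3; remote=$4
    case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    alias_port=${aspec##*:}                 # the aliasIP: prefix is optional
    alias_size=$(range_size "$alias_port") || return 1
    [ "$alias_size" -gt 0 ] || { echo "aliasPORT may not be 0" >&2; return 1; }
    old_ifs=$IFS; IFS=,
    for t in $targets; do                   # one entry per LSNAT target
        IFS=$old_ifs
        case "$t" in *:*) ;; *) echo "target $t lacks :port" >&2; return 1 ;; esac
        t_size=$(range_size "${t##*:}") || return 1
        if [ "$t_size" -ne "$alias_size" ]; then
            echo "target ${t##*:} has $t_size ports, alias $alias_port has $alias_size" >&2
            return 1
        fi
    done
    IFS=$old_ifs
    case "$remote" in                       # remoteIP alone means all ports
        *:*) r_size=$(range_size "${remote##*:}") || return 1
             if [ "$r_size" -ne 0 ] && [ "$r_size" -ne "$alias_size" ]; then
                 echo "remotePORT must match the targetPORT size or be 0" >&2
                 return 1
             fi ;;
    esac
    return 0
}
```

Both examples from the text (`tcp inside1:telnet 6666` and `tcp inside2:2300-2399 3300-3399`) pass; a mismatched range such as `3300-3350` against `2300-2399` is rejected with the reason on stderr.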

.It Fl p | port Ar port
Read from and write to
.Ar port ,
distinguishing packets as incoming or outgoing using the rules specified in
.Xr divert 4 .
If
.Ar port
is not numeric, it is searched for in the
.Pa /etc/services
database using the
.Xr getservbyname 3
function. If this flag is not specified, the divert port named natd will
be used as a default. An example entry in the
.Pa /etc/services
database would be:

	natd 8668/divert # Network Address Translation socket

Refer to
.Xr services 5
for further details.

.It Fl a | alias_address Ar address
Use
.Ar address
as the alias address. If this option is not specified, the
.Fl n
or
.Fl interface
option must be used. The specified address should be the address assigned
to the public network interface.
.Pp
All data passing out through this address's interface will be rewritten
with a source address equal to
.Ar address .
All data arriving at the interface from outside will be checked to
see if it matches any already-aliased outgoing connection. If it does,
the packet is altered accordingly. If not, all
.Fl redirect_port
and
.Fl redirect_address
assignments are checked and actioned. If no other action can be made,
and if
.Fl deny_incoming
is not specified, the packet is delivered to the local machine and port
as specified in the packet.
.It Fl t | target_address Ar address
Set the target address.
When an incoming packet not associated with any pre-existing link
arrives at the host machine, it will be sent to the specified
.Ar address .
.Pp
The target address may be set to
.Dq 255.255.255.255 ,
in which case all new incoming packets go to the alias address set by
.Fl alias_address
or
.Fl interface .
.Pp
If this option is not used, or called with the argument
.Dq 0.0.0.0 ,
then all new incoming packets go to the address specified in
the packet.
This allows external machines to talk directly to internal machines if
they can route packets to the machine in question.
.It Fl n | interface Ar interface
Use
.Ar interface
to determine the alias address. If there is a possibility that the
IP number associated with
.Ar interface
may change, the
.Fl dynamic
flag should also be used. If this option is not specified, the
.Fl a
or
.Fl alias_address
flag must be used.
.Pp
The specified
.Ar interface
must be the public network interface.
.It Fl f | config Ar configfile
Read configuration from
.Ar configfile .
.Ar Configfile
contains a list of options, one per line, in the same form as the
long form of the above command line flags. For example, the line

	alias_address 158.152.17.1

would specify an alias address of 158.152.17.1. Options that don't
take an argument are specified with an option of
.Ar yes
or
.Ar no
in the configuration file. For example, the line

	log yes

is synonymous with
.Fl log .
.Pp
Trailing spaces and empty lines are ignored.
A
.Ql \&#
sign will mark the rest of the line as a comment.

.It Fl reverse
Reverse the operation of natd.
This can be useful in some
transparent proxying situations when outgoing traffic
is redirected to the local machine and natd is running on the
incoming interface (it usually runs on the outgoing interface).

.It Fl proxy_only
Force natd to perform transparent proxying
only.
Normal address translation is not performed.

.It Fl proxy_rule Ar [type encode_ip_hdr|encode_tcp_stream] port xxxx server a.b.c.d:yyyy
Enable transparent proxying.
Packets with the given port going through this
host to any other host are redirected to the given server and port.
Optionally, the original target address can be encoded into the packet.
Use
.Dq encode_ip_hdr
to put this information into the IP option field or
.Dq encode_tcp_stream
to inject the data into the beginning of the TCP stream.

.It Fl pptpalias Ar localIP
Allow PPTP packets to go to the defined localIP address.
PPTP is a VPN or secure
IP tunneling technology being developed primarily by Microsoft.
For its encrypted traffic,
it uses an old IP encapsulation protocol called GRE (47).
This natd option will translate any traffic of this protocol to a
single, specified IP address.
This would allow either one client or one server
to be serviced with natd.
If you are setting up a server, don't forget to allow the TCP traffic
for the PPTP setup.
For a client or server,
you must allow GRE (protocol 47) if you have firewall lists active.

.El

.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm natd :

.Bl -enum
.It
Get FreeBSD version 2.2 or higher. Versions before this do not support
.Xr divert 4
sockets.

.It
Build a custom kernel with the following options:

	options IPFIREWALL
	options IPDIVERT

Refer to the handbook for detailed instructions on building a custom
kernel.

.It
Ensure that your machine is acting as a gateway. This can be done by
specifying the line

	gateway_enable=YES

in
.Pa /etc/rc.conf ,
or using the command

	sysctl -w net.inet.ip.forwarding=1

.It
If you wish to use the
.Fl n
or
.Fl interface
flags, make sure that your interface is already configured.
If, for
example, you wish to specify tun0 as your
.Ar interface ,
and you're using
.Xr ppp 8
on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm natd .

.It
Create an entry in
.Pa /etc/services :

	natd 8668/divert # Network Address Translation socket

This gives a default for the
.Fl p
or
.Fl port
flag.

.El
.Pp
Running
.Nm
is fairly straightforward. The line

	natd -interface ed0

should suffice in most cases (substituting the correct interface name). Once
.Nm
is running, you must ensure that traffic is diverted to natd:

.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste. If you're not interested in having a firewall, the
following lines will do:

	/sbin/ipfw -f flush
	/sbin/ipfw add divert natd all from any to any via ed0
	/sbin/ipfw add pass all from any to any

The second line depends on your interface (change ed0 as appropriate)
and assumes that you've updated
.Pa /etc/services
with the natd entry as above. If you specify real firewall rules, it's
best to specify line 2 at the start of the script so that
.Nm
sees all packets before they are dropped by the firewall.
.Pp
After translation by
.Nm natd ,
packets re-enter the firewall at the rule number following the rule number
that caused the diversion (not the next rule if there are several at the
same number).

.It
Enable your firewall by setting

	firewall_enable=YES

in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
script. If you don't wish to reboot now, just run this by hand from the
console. NEVER run this from a virtual session unless you put it into
the background.
If you do, you'll lock yourself out after the flush
takes place, and execution of
.Pa /etc/rc.firewall
will stop at this point - blocking all access permanently. Running
the script in the background should be enough to prevent this disaster.

.El

.Sh SEE ALSO
.Xr socket 2 ,
.Xr getservbyname 3 ,
.Xr divert 4 ,
.Xr services 5 ,
.Xr ipfw 8

.Sh AUTHORS
This program is the result of the efforts of many people at different
times:

.An Archie Cobbs Aq archie@whistle.com
(divert sockets)
.An Charles Mott Aq cmott@scientech.com
(packet aliasing)
.An Eivind Eklund Aq perhaps@yes.no
(IRC support & misc additions)
.An Ari Suutari Aq suutari@iki.fi
(natd)
.An Dru Nelson Aq dnelson@redwoodsoft.com
(PPTP support)
.An Brian Somers Aq brian@awfulhak.org
(glue)
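As an added example of the configuration file format described under
.Fl config
above (this is not natd's own parser), the POSIX sh function below reads such a file on standard input and prints the equivalent command line, applying the rules given there: one long-form option per line, flag options written as yes or no, a # marking the rest of the line as a comment, and trailing spaces and empty lines ignored. The sample configuration and its addresses are constructed for the example.

```shell
#!/bin/sh
# Translate a natd configuration file (the -config format) into the
# equivalent command line, so a reviewer can see exactly which options a
# file turns on. Added example, not natd's own parser.

# natd_conf_to_args < configfile  ->  prints the flags on one line
natd_conf_to_args() {
    args=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # "#" marks the rest of the line as a comment
        set -f; set -- $line; set +f      # split on whitespace (drops trailing spaces)
        [ $# -gt 0 ] || continue          # empty or comment-only line is ignored
        opt=$1; shift
        case "$#:$*" in
            1:yes) args="$args -$opt" ;;          # flag option enabled
            1:no)  ;;                             # flag option disabled: emit nothing
            *)     args="$args -$opt $*" ;;       # option that takes argument(s)
        esac
    done
    printf '%s\n' "${args# }"
}

# Constructed sample (addresses are documentation ranges, not a real site).
# Note the trailing spaces after "log yes" and the inline comment: both must
# be ignored. deny_incoming yes rejects inbound packets with no table entry.
SAMPLE_CONF='# natd.conf, constructed sample
interface ed0
dynamic yes
deny_incoming yes
use_sockets no
log yes   

redirect_port tcp 192.168.0.10:telnet 6666   # inbound telnet to one host
redirect_address 192.168.0.2,192.168.0.3 203.0.113.7
'

# Wrapper so the translated command line is available as a return value.
sample_args() {
    printf '%s' "$SAMPLE_CONF" | natd_conf_to_args
}

sample_args
```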