1.\" $FreeBSD$ 2.Dd June 27, 2000 3.Dt NATD 8 4.Os 5.Sh NAME 6.Nm natd 7.Nd Network Address Translation daemon 8.Sh SYNOPSIS 9.Nm 10.Bk -words 11.Op Fl unregistered_only | u 12.Op Fl log | l 13.Op Fl proxy_only 14.Op Fl reverse 15.Op Fl deny_incoming | d 16.Op Fl use_sockets | s 17.Op Fl same_ports | m 18.Op Fl verbose | v 19.Op Fl dynamic 20.Op Fl in_port | i Ar port 21.Op Fl out_port | o Ar port 22.Op Fl port | p Ar port 23.Op Fl alias_address | a Ar address 24.Op Fl target_address | t Ar address 25.Op Fl interface | n Ar interface 26.Op Fl proxy_rule Ar proxyspec 27.Op Fl redirect_port Ar linkspec 28.Op Fl redirect_proto Ar linkspec 29.Op Fl redirect_address Ar linkspec 30.Op Fl config | f Ar configfile 31.Op Fl log_denied 32.Op Fl log_facility Ar facility_name 33.Op Fl punch_fw Ar firewall_range 34.Ek 35.Sh DESCRIPTION 36This program provides a Network Address Translation facility for use 37with 38.Xr divert 4 39sockets under 40.Fx . 41It is intended for use with NICs - if you want to do NAT on a PPP link, 42use the 43.Fl nat 44switch to 45.Xr ppp 8 . 46.Pp 47The 48.Nm 49normally runs in the background as a daemon. 50It is passed raw IP packets as they travel into and out of the machine, 51and will possibly change these before re-injecting them back into the 52IP packet stream. 53.Pp 54It changes all packets destined for another host so that their source 55IP number is that of the current machine. 56For each packet changed in this manner, an internal table entry is 57created to record this fact. 58The source port number is also changed to indicate the table entry 59applying to the packet. 60Packets that are received with a target IP of the current host are 61checked against this internal table. 62If an entry is found, it is used to determine the correct target IP 63number and port to place in the packet. 
.Pp
The following command line options are available:
.Bl -tag -width Fl
.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time
.Nm
is started.
.It Fl deny_incoming | d
Do not pass incoming packets that have no
entry in the internal translation table.
.Pp
If this option is not used, then such a packet will be altered
using the rules in
.Fl target_address
below, and an entry will be made in the internal translation table.
.It Fl log_denied
Log denied incoming packets via
.Xr syslog 3
(see also
.Fl log_facility ) .
.It Fl log_facility Ar facility_name
Use the specified log facility when logging information via
.Xr syslog 3 .
Argument
.Ar facility_name
is one of the keywords specified in
.Xr syslog.conf 5 .
.It Fl use_sockets | s
Allocate a
.Xr socket 2
in order to establish an FTP data or IRC DCC send connection.
This option uses more system resources, but guarantees successful
connections when port numbers conflict.
.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
With this option, protocols such as RPC will have a better chance
of working.
If it is not possible to maintain the port number, it will be silently
changed as per normal.
.It Fl verbose | v
Do not call
.Xr daemon 3
on startup.
Instead, stay attached to the controlling terminal and display all packet
alterations to the standard output.
This option should only be used for debugging purposes.
.It Fl unregistered_only | u
Only alter outgoing packets with an
.Em unregistered
source address.
The unregistered (private) address blocks defined by RFC 1918 are
10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Op - Ns Ar targetPORT Xc
.Op Ar aliasIP Ns : Ns Xo
.Ar aliasPORT Ns Op - Ns Ar aliasPORT Xc
.Oo Ar remoteIP Ns Oo : Ns
.Ar remotePORT Ns Op - Ns Ar remotePORT
.Oc Oc
.Xc
Redirect incoming connections arriving at the given port(s) to another host
and port(s).
Argument
.Ar proto
is either
.Ar tcp
or
.Ar udp ,
.Ar targetIP
is the desired target IP number,
.Ar targetPORT
is the desired target port number or range,
.Ar aliasPORT
is the requested port number or range, and
.Ar aliasIP
is the aliasing address.
Arguments
.Ar remoteIP
and
.Ar remotePORT
can be used to specify the connection more accurately if necessary.
The
.Ar targetPORT
range and
.Ar aliasPORT
range need not be the same numerically, but must have the same size.
If
.Ar remotePORT
is not specified, it is assumed to be all ports.
If
.Ar remotePORT
is specified, it must match the size of
.Ar targetPORT ,
or be 0 (all ports).
For example, the argument
.Pp
.Dl Ar tcp inside1:telnet 6666
.Pp
means that incoming TCP packets destined for port 6666 on this machine
will be sent to the telnet port on the inside1 machine.
.Pp
.Dl Ar tcp inside2:2300-2399 3300-3399
.Pp
will redirect incoming connections on ports 3300-3399 to host
inside2, ports 2300-2399.
The mapping is 1:1, meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
.It Fl redirect_proto Ar proto localIP Oo
.Ar publicIP Op Ar remoteIP
.Oc
Redirect incoming IP packets of protocol
.Ar proto
(see
.Xr protocols 5 )
destined for the
.Ar publicIP
address to the
.Ar localIP
address and vice versa.
.Pp
If
.Ar publicIP
is not specified, then the default aliasing address is used.
If
.Ar remoteIP
is specified, then only packets coming from/to
.Ar remoteIP
will match the rule.
.It Fl redirect_address Ar localIP publicIP
Redirect traffic for public IP address to a machine on the local
network.
This function is known as
.Em static NAT .
Normally static NAT is useful if your ISP has allocated a small block
of IP addresses to you, but it can even be used in the case of a single
address:
.Pp
.Dl Ar redirect_address 10.0.0.8 0.0.0.0
.Pp
The above command would redirect all incoming traffic
to machine 10.0.0.8.
.Pp
If several address aliases specify the same public address
as follows
.Bd -literal -offset indent
.Ar redirect_address 192.168.0.2 public_addr
.Ar redirect_address 192.168.0.3 public_addr
.Ar redirect_address 192.168.0.4 public_addr
.Ed
.Pp
the incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic from the first two addresses will still be aliased
to appear from the specified
.Ar public_addr .
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar ...\&
.Oc Oc
.Xc
.Xc
.Op Ar aliasIP Ns : Ns Xo
.Ar aliasPORT
.Xc
.Oo Ar remoteIP Ns
.Op : Ns Ar remotePORT
.Oc
.Xc
.It Fl redirect_address Xo
.Ar localIP Ns Oo , Ns
.Ar localIP Ns Oo , Ns
.Ar ...\&
.Oc Oc
.Ar publicIP
.Xc
These forms of
.Fl redirect_port
and
.Fl redirect_address
are used to transparently offload network load on a single server and
distribute the load across a pool of servers.
This function is known as
.Em LSNAT
(RFC 2391).
For example, the argument
.Pp
.Dl Ar tcp www1:http,www2:http,www3:http www:http
.Pp
means that incoming HTTP requests for host www will be transparently
redirected to one of www1, www2 or www3, where a host is selected
simply on a round-robin basis, without regard to load on the net.
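.Pp
The
.Fl redirect_port
argument forms above (the port-range form and the comma-separated
LSNAT form), as an added example that is not the parser used by
.Nm :
a C routine that splits a linkspec into its parts, applies the size
rules stated above (alias and target ranges of equal size, a remote
range matching the target range or 0 for all ports, single ports in
the LSNAT form), computes the 1:1 port mapping, and picks LSNAT targets
round-robin.
Named ports such as
.Ar telnet
or
.Ar http
are kept as strings rather than looked up in
.Xr services 5 ;
that simplification and the 256-byte limit on a linkspec are assumptions
of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not natd's own parser: decodes a -redirect_port linkspec in
 * both the range form and the comma-separated LSNAT form.  Named ports are
 * kept as strings instead of being resolved via services(5) (assumption). */
#define MAX_TARGETS 8

struct prange { int lo, hi; char svc[16]; };          /* svc non-empty: named port, lo = hi = -1 */
struct target { char host[64]; struct prange port; };

struct redirect {
    char proto[4];
    struct target targets[MAX_TARGETS];
    int ntargets;                 /* more than one: LSNAT form */
    char alias_ip[64];            /* empty: default aliasing address */
    struct prange alias_port;
    char remote_ip[64];           /* empty: any remote host */
    struct prange remote_port;    /* lo = hi = 0 and no name: all ports */
    int rr_next;                  /* round-robin cursor for LSNAT */
};

static int parse_prange(const char *s, struct prange *r) {
    char *end;
    r->svc[0] = '\0';
    if (isdigit((unsigned char)*s)) {
        r->lo = (int)strtol(s, &end, 10);
        r->hi = (*end == '-') ? (int)strtol(end + 1, &end, 10) : r->lo;
        return (*end || r->hi > 65535 || r->hi < r->lo) ? -1 : 0;
    }
    if (!*s || strlen(s) >= sizeof r->svc) return -1;
    strcpy(r->svc, s);
    r->lo = r->hi = -1;
    return 0;
}

static int prange_size(const struct prange *r) { return r->svc[0] ? 1 : r->hi - r->lo + 1; }
static int prange_any(const struct prange *r)  { return !r->svc[0] && r->lo == 0 && r->hi == 0; }

/* host[:port]: returns 0 with port filled, 1 if no port was given, -1 on error. */
static int split_hostport(const char *tok, char *host, size_t hlen, struct prange *port) {
    const char *c = strchr(tok, ':');
    size_t n = c ? (size_t)(c - tok) : strlen(tok);
    if (n == 0 || n >= hlen) return -1;
    memcpy(host, tok, n);
    host[n] = '\0';
    return c ? parse_prange(c + 1, port) : 1;
}

/* Split on blanks in place; -1 if there are more than max tokens. */
static int split_ws(char *s, char *out[], int max) {
    int n = 0;
    while (*s) {
        while (*s == ' ' || *s == '\t') *s++ = '\0';
        if (!*s) break;
        if (n == max) return -1;
        out[n++] = s;
        while (*s && *s != ' ' && *s != '\t') s++;
    }
    return n;
}

int parse_redirect_port(const char *spec, struct redirect *rd) {
    char buf[256], *tok[4], *t;
    int ntok, tsize, i;

    memset(rd, 0, sizeof *rd);
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    ntok = split_ws(buf, tok, 4);
    if (ntok < 3) return -1;                        /* proto, target(s), alias port are mandatory */
    if (strcmp(tok[0], "tcp") && strcmp(tok[0], "udp")) return -1;
    strcpy(rd->proto, tok[0]);

    /* targetIP:targetPORT[,targetIP:targetPORT,...]; the port is mandatory */
    for (t = strtok(tok[1], ","); t; t = strtok(NULL, ",")) {
        struct target *tg;
        if (rd->ntargets == MAX_TARGETS) return -1;
        tg = &rd->targets[rd->ntargets];
        if (split_hostport(t, tg->host, sizeof tg->host, &tg->port) != 0) return -1;
        rd->ntargets++;
    }

    /* [aliasIP:]aliasPORT */
    if (strchr(tok[2], ':')) {
        if (split_hostport(tok[2], rd->alias_ip, sizeof rd->alias_ip, &rd->alias_port) != 0) return -1;
    } else if (parse_prange(tok[2], &rd->alias_port) != 0) {
        return -1;
    }

    /* [remoteIP[:remotePORT]] */
    if (ntok == 4 && split_hostport(tok[3], rd->remote_ip, sizeof rd->remote_ip, &rd->remote_port) < 0)
        return -1;

    /* Size rules from natd(8): alias and target ranges must have the same size,
     * remotePORT must match the target range or be "all ports", and every
     * target in the LSNAT form is a single port. */
    tsize = prange_size(&rd->targets[0].port);
    for (i = 1; i < rd->ntargets; i++)
        if (tsize != 1 || prange_size(&rd->targets[i].port) != 1) return -1;
    if (prange_size(&rd->alias_port) != tsize) return -1;
    if (!prange_any(&rd->remote_port) && prange_size(&rd->remote_port) != tsize) return -1;
    return 0;
}

/* 1:1 mapping of an alias port onto the target range; -1 if outside it or named. */
int redirect_map_port(const struct redirect *rd, int alias_port) {
    const struct prange *a = &rd->alias_port, *t = &rd->targets[0].port;
    if (a->svc[0] || t->svc[0] || alias_port < a->lo || alias_port > a->hi) return -1;
    return t->lo + (alias_port - a->lo);
}

/* LSNAT: the next target host in round-robin order, without regard to load. */
const char *redirect_next_target(struct redirect *rd) {
    const char *h = rd->targets[rd->rr_next].host;
    rd->rr_next = (rd->rr_next + 1) % rd->ntargets;
    return h;
}

int main(void) {
    struct redirect rd;
    if (parse_redirect_port("tcp inside2:2300-2399 3300-3399", &rd) == 0)
        printf("alias port 3301 -> %s:%d\n", rd.targets[0].host, redirect_map_port(&rd, 3301));
    return 0;
}
```

A linkspec whose alias and target ranges differ in size is rejected
outright rather than partially applied; the same goes for a remote range
that does not match the target range.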
.It Fl dynamic
If the
.Fl n
or
.Fl interface
option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
passed.
If the interface's IP number is changed,
.Nm
will dynamically alter its concept of the alias address.
.It Fl in_port | i Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq incoming .
.It Fl out_port | o Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq outgoing .
.It Fl port | p Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
distinguishing packets as
.Dq incoming
or
.Dq outgoing
using the rules specified in
.Xr divert 4 .
If
.Ar port
is not numeric, it is searched for in the
.Xr services 5
database.
If this option is not specified, the divert port named
.Ar natd
will be used as a default.
.It Fl alias_address | a Ar address
Use
.Ar address
as the aliasing address.
If this option is not specified, the
.Fl interface
option must be used.
The specified address is usually the address assigned to the
.Dq public
network interface.
.Pp
All data passing
.Em out
will be rewritten with a source address equal to
.Ar address .
All data coming
.Em in
will be checked to see if it matches any already-aliased outgoing
connection.
If it does, the packet is altered accordingly.
If not, all
.Fl redirect_port ,
.Fl redirect_proto
and
.Fl redirect_address
assignments are checked and applied.
If none of these apply and
.Fl deny_incoming
is not specified, the packet is delivered to the local machine
using the rules specified in the
.Fl target_address
option below.
.It Fl t | target_address Ar address
Set the target address.
When an incoming packet not associated with any pre-existing link
arrives at the host machine, it will be sent to the specified
.Ar address .
.Pp
The target address may be set to
.Ar 255.255.255.255 ,
in which case all new incoming packets go to the alias address set by
.Fl alias_address
or
.Fl interface .
.Pp
If this option is not used, or called with the argument
.Ar 0.0.0.0 ,
then all new incoming packets go to the address specified in
the packet.
This allows external machines to talk directly to internal machines if
they can route packets to the machine in question.
.It Fl interface | n Ar interface
Use
.Ar interface
to determine the aliasing address.
If there is a possibility that the IP number associated with
.Ar interface
may change, the
.Fl dynamic
option should also be used.
If this option is not specified, the
.Fl alias_address
option must be used.
.Pp
The specified
.Ar interface
is usually the
.Dq public
(or
.Dq external )
network interface.
.It Fl config | f Ar file
Read configuration from
.Ar file .
The
.Ar file
should contain a list of options, one per line, in the same form
as the long form of the above command line options.
For example, the line
.Pp
.Dl alias_address 158.152.17.1
.Pp
would specify an alias address of 158.152.17.1.
Options that do not take an argument are specified with an argument of
.Ar yes
or
.Ar no
in the configuration file.
For example, the line
.Pp
.Dl log yes
.Pp
is synonymous with
.Fl log .
.Pp
Trailing spaces and empty lines are ignored.
A
.Ql \&#
sign will mark the rest of the line as a comment.
.It Fl reverse
This option makes
.Nm
reverse the way it handles
.Dq incoming
and
.Dq outgoing
packets, allowing it to operate on the
.Dq internal
network interface rather than the
.Dq external
one.
.Pp
This can be useful in some transparent proxying situations
when outgoing traffic is redirected to the local machine
and
.Nm
is running on the internal interface (it usually runs on the
external interface).
.It Fl proxy_only
Force
.Nm
to perform transparent proxying only.
Normal address translation is not performed.
.It Fl proxy_rule Xo
.Op Ar type encode_ip_hdr | encode_tcp_stream
.Ar port xxxx
.Ar server a.b.c.d:yyyy
.Xc
Enable transparent proxying.
Outgoing TCP packets with the given port going through this
host to any other host are redirected to the given server and port.
Optionally, the original target address can be encoded into the packet.
Use
.Ar encode_ip_hdr
to put this information into the IP option field or
.Ar encode_tcp_stream
to inject the data into the beginning of the TCP stream.
.It Fl punch_fw Xo
.Ar basenumber Ns : Ns Ar count
.Xc
This option directs
.Nm
to
.Dq punch holes
in an
.Xr ipfirewall 4
based firewall for FTP/IRC DCC connections.
This is done dynamically by installing temporary firewall rules which
allow a particular connection (and only that connection) to go through
the firewall.
The rules are removed once the corresponding connection terminates.
.Pp
A maximum of
.Ar count
rules starting from the rule number
.Ar basenumber
will be used for punching firewall holes.
The range will be cleared for all rules on startup.
.El
.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm :
.Bl -enum
.It
Build a custom kernel with the following options:
.Bd -literal -offset indent
options IPFIREWALL
options IPDIVERT
.Ed
.Pp
Refer to the handbook for detailed instructions on building a custom
kernel.
.It
Ensure that your machine is acting as a gateway.
This can be done by specifying the line
.Pp
.Dl gateway_enable=YES
.Pp
in the
.Pa /etc/rc.conf
file or using the command
.Pp
.Dl sysctl -w net.inet.ip.forwarding=1
.Pp
.It
If you use the
.Fl interface
option, make sure that your interface is already configured.
If, for example, you wish to specify
.Ql tun0
as your
.Ar interface ,
and you are using
.Xr ppp 8
on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm .
.El
.Pp
Running
.Nm
is fairly straightforward.
The line
.Pp
.Dl natd -interface ed0
.Pp
should suffice in most cases (substituting the correct interface name).
Please check
.Xr rc.conf 5
on how to configure it to be started automatically during boot.
Once
.Nm
is running, you must ensure that traffic is diverted to
.Nm :
.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste.
If you are not interested in having a firewall, the
following lines will do:
.Bd -literal -offset indent
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
.Ed
.Pp
The second line depends on your interface (change
.Ql ed0
as appropriate).
.Pp
You should be aware of the fact that, with these firewall settings,
any host on your local network can spoof its source address
using your host as gateway.
If there are other hosts on your local network, you are strongly
encouraged to create firewall rules that only allow traffic to and
from trusted hosts.
.Pp
If you specify real firewall rules, it is best to specify line 2 at
the start of the script so that
.Nm
sees all packets before they are dropped by the firewall.
.Pp
After translation by
.Nm ,
packets re-enter the firewall at the rule number following the rule number
that caused the diversion (not the next rule if there are several at the
same number).
.It
Enable your firewall by setting
.Pp
.Dl firewall_enable=YES
.Pp
in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
script.
If you do not wish to reboot now, just run this by hand from the console.
NEVER run this from a remote session unless you put it into the background.
Otherwise you will lock yourself out as soon as the flush takes place:
execution of
.Pa /etc/rc.firewall
stops at that point, leaving all access blocked.
Running the script in the background should be enough to prevent this
disaster.
.El
.Sh SEE ALSO
.Xr divert 4 ,
.Xr protocols 5 ,
.Xr rc.conf 5 ,
.Xr services 5 ,
.Xr syslog.conf 5 ,
.Xr ipfw 8 ,
.Xr ppp 8
.Sh AUTHORS
This program is the result of the efforts of many people at different
times:
.Pp
.An Archie Cobbs Aq archie@whistle.com
(divert sockets)
.An Charles Mott Aq cmott@scientech.com
(packet aliasing)
.An Eivind Eklund Aq perhaps@yes.no
(IRC support & misc additions)
.An Ari Suutari Aq suutari@iki.fi
(natd)
.An Dru Nelson Aq dnelson@redwoodsoft.com
(early PPTP support)
.An Brian Somers Aq brian@awfulhak.org
(glue)
.An Ruslan Ermilov Aq ru@FreeBSD.org
(natd, packet aliasing, glue)