xref: /freebsd/sbin/natd/natd.8 (revision b601c69bdbe8755d26570261d7fd4c02ee4eff74)
.\" $FreeBSD$
.Dd June 27, 2000
.Dt NATD 8
.Os FreeBSD
.Sh NAME
.Nm natd
.Nd Network Address Translation Daemon
.Sh SYNOPSIS
.Nm natd
.Op Fl unregistered_only | u
.Op Fl log | l
.Op Fl proxy_only
.Op Fl reverse
.Op Fl deny_incoming | d
.Op Fl use_sockets | s
.Op Fl same_ports | m
.Op Fl verbose | v
.Op Fl dynamic
.Op Fl in_port | i Ar port
.Op Fl out_port | o Ar port
.Op Fl port | p Ar port
.Op Fl alias_address | a Ar address
.Op Fl target_address | t Ar address
.Op Fl interface | n Ar interface
.Op Fl proxy_rule Ar proxyspec
.Op Fl redirect_port Ar linkspec
.Op Fl redirect_proto Ar linkspec
.Op Fl redirect_address Ar linkspec
.Op Fl config | f Ar configfile
.Op Fl log_denied
.Op Fl log_facility Ar facility_name
.Op Fl punch_fw Ar firewall_range
.Sh DESCRIPTION
This program provides a Network Address Translation facility for use
with
.Xr divert 4
sockets under
.Fx .
It is intended for use with NICs - if you want to do NAT on a PPP link,
use the
.Fl nat
switch to
.Xr ppp 8 .
.Pp
The
.Nm
normally runs in the background as a daemon.
It is passed raw IP packets as they travel into and out of the machine,
and will possibly change these before re-injecting them back into the
IP packet stream.
.Pp
It changes all packets destined for another host so that their source
IP number is that of the current machine.
For each packet changed in this manner, an internal table entry is
created to record this fact.
The source port number is also changed to indicate the table entry
applying to the packet.
Packets that are received with a target IP of the current host are
checked against this internal table.
If an entry is found, it is used to determine the correct target IP
number and port to place in the packet.
.Pp
The following command line options are available.
.Bl -tag -width Fl
.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time
.Nm
is started.
.It Fl deny_incoming | d
Do not pass packets destined for the current IP number that have no
entry in the internal translation table.
.It Fl log_denied
Log denied incoming packets via
.Xr syslog 3
.Po
see also
.Fl log_facility
.Pc .
.It Fl log_facility Ar facility_name
Use specified log facility when logging information via
.Xr syslog 3 .
Argument
.Ar facility_name
is one of the keywords specified in
.Xr syslog.conf 5 .
.It Fl use_sockets | s
Allocate a
.Xr socket 2
in order to establish an FTP data or IRC DCC send connection.
This option uses more system resources, but guarantees successful
connections when port numbers conflict.
.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
With this option, protocols such as RPC will have a better chance
of working.
If it is not possible to maintain the port number, it will be silently
changed as per normal.
.It Fl verbose | v
Do not call
.Xr daemon 3
on startup.
Instead, stay attached to the controlling terminal and display all packet
alterations to the standard output.
This option should only be used for debugging purposes.
.It Fl unregistered_only | u
Only alter outgoing packets with an
.Em unregistered
source address.
These are the private address blocks of RFC 1918: 10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16.
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Op - Ns Ar targetPORT Xc
.Op Ar aliasIP Ns : Ns Xo
.Ar aliasPORT Ns Op - Ns Ar aliasPORT Xc
.Oo Ar remoteIP Ns Oo : Ns
.Ar remotePORT Ns Op - Ns Ar remotePORT
.Oc Oc
.Xc
Redirect incoming connections arriving to given port(s) to another host
and port(s).
Argument
.Ar proto
is either
.Ar tcp
or
.Ar udp ,
.Ar targetIP
is the desired target IP number,
.Ar targetPORT
is the desired target port number or range,
.Ar aliasPORT
is the requested port number or range, and
.Ar aliasIP
is the aliasing address.
Arguments
.Ar remoteIP
and
.Ar remotePORT
can be used to specify the connection more accurately if necessary.
The
.Ar targetPORT
range and
.Ar aliasPORT
range need not be the same numerically, but must have the same size.
If
.Ar remotePORT
is not specified, it is assumed to be all ports.
If
.Ar remotePORT
is specified, it must match the size of
.Ar targetPORT ,
or be 0 (all ports).
For example, the argument
.Pp
.Dl Ar tcp inside1:telnet 6666
.Pp
means that incoming TCP packets destined for port 6666 on this machine
will be sent to the telnet port on the inside1 machine.
.Pp
.Dl Ar tcp inside2:2300-2399 3300-3399
.Pp
will redirect incoming connections on ports 3300-3399 to host
inside2, ports 2300-2399.
The mapping is 1:1, meaning that port 3300 maps to 2300, 3301 to 2301,
and so on.
.It Fl redirect_proto Ar proto localIP Oo
.Ar publicIP Op Ar remoteIP
.Oc
Redirect incoming IP packets of protocol
.Ar proto
.Po see Xr protocols 5
.Pc
destined for
.Ar publicIP
address to a
.Ar localIP
address and vice versa.
.Pp
If
.Ar publicIP
is not specified, then the default aliasing address is used.
If
.Ar remoteIP
is specified, then only packets coming from/to
.Ar remoteIP
will match the rule.
.It Fl redirect_address Ar localIP publicIP
Redirect traffic for public IP address to a machine on the local
network.
This function is known as
.Em static NAT .
Normally static NAT is useful if your ISP has allocated a small block
of IP addresses to you, but it can even be used in the case of a single
address:
.Pp
.Dl Ar redirect_address 10.0.0.8 0.0.0.0
.Pp
The above command would redirect all incoming traffic
to machine 10.0.0.8.
Note that this exposes every service on 10.0.0.8 to the outside, so
use it together with firewall rules that restrict what may reach it.
.Pp
If several address aliases specify the same public address
as follows
.Bd -literal -offset indent
.Ar redirect_address 192.168.0.2 public_addr
.Ar redirect_address 192.168.0.3 public_addr
.Ar redirect_address 192.168.0.4 public_addr
.Ed
.Pp
the incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic from the first two addresses will still be aliased
to appear from the specified
.Ar public_addr .
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar ...
.Oc Oc
.Xc
.Xc
.Op Ar aliasIP Ns : Ns Xo
.Ar aliasPORT
.Xc
.Oo Ar remoteIP Ns
.Op : Ns Ar remotePORT
.Oc
.Xc
.It Fl redirect_address Xo
.Ar localIP Ns Oo , Ns
.Ar localIP Ns Oo , Ns
.Ar ...
.Oc Oc
.Ar publicIP
.Xc
These forms of
.Fl redirect_port
and
.Fl redirect_address
are used to transparently offload network load on a single server and
distribute the load across a pool of servers.
This function is known as
.Em LSNAT
(RFC 2391).
For example, the argument
.Pp
.Dl Ar tcp www1:http,www2:http,www3:http www:http
.Pp
means that incoming HTTP requests for host www will be transparently
redirected to one of www1, www2 or www3; the host is selected on a
simple round-robin basis, without regard to the actual load on each
server.
.It Fl dynamic
If the
.Fl n
or
.Fl interface
option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
passed.
If the interface's IP number is changed,
.Nm
will dynamically alter its concept of the alias address.
.It Fl in_port | i Ar port
Read from and write to
.Ar port ,
treating all packets as packets coming into the machine.
.It Fl out_port | o Ar port
Read from and write to
.Ar port ,
treating all packets as packets going out of the machine.
.It Fl port | p Ar port
Read from and write to
.Ar port ,
distinguishing packets as incoming or outgoing using the rules
specified in
.Xr divert 4 .
If
.Ar port
is not numeric, it is searched for in the
.Xr services 5
database.
If this option is not specified, the divert port named
.Em natd
will be used as a default.
.It Fl alias_address | a Ar address
Use
.Ar address
as the aliasing address.
If this option is not specified, the
.Fl interface
option must be used.
The specified address is usually the address assigned to the
public network interface.
.Pp
All data passing
.Em out
will be rewritten with a source address equal to
.Ar address .
All data coming
.Em in
will be checked to see if it matches any already-aliased outgoing
connection.
If it does, the packet is altered accordingly.
If not, all
.Fl redirect_port ,
.Fl redirect_proto
and
.Fl redirect_address
assignments are checked and actioned.
If no other action can be made and if
.Fl deny_incoming
is not specified, the packet is delivered unaltered to the local
machine and port as specified in the packet, but see the
.Fl target_address
option below.
.It Fl target_address | t Ar address
Set the target address.
When an incoming packet not associated with any pre-existing link
arrives at the host machine, it will be sent to the specified
.Ar address .
.Pp
The target address may be set to
.Ar 255.255.255.255 ,
in which case all new incoming packets go to the alias address set by
.Fl alias_address
or
.Fl interface .
.Pp
If this option is not used, or called with the argument
.Ar 0.0.0.0 ,
then all new incoming packets go to the address specified in
the packet.
This allows external machines to talk directly to internal machines if
they can route packets to the machine in question.
.It Fl interface | n Ar interface
Use
.Ar interface
to determine the aliasing address.
If there is a possibility that the IP number associated with
.Ar interface
may change, the
.Fl dynamic
option should also be used.
If this option is not specified, the
.Fl alias_address
option must be used.
.Pp
The specified
.Ar interface
is usually the public network interface.
.It Fl config | f Ar file
Read configuration from
.Ar file .
A
.Ar file
should contain a list of options, one per line, in the same form
as the long form of the above command line options.
For example, the line
.Pp
.Dl alias_address 158.152.17.1
.Pp
would specify an alias address of 158.152.17.1.
Options that do not take an argument are given the argument
.Ar yes
or
.Ar no
in the configuration file.
For example, the line
.Pp
.Dl log yes
.Pp
is synonymous with
.Fl log .
.Pp
Trailing spaces and empty lines are ignored.
A
.Ql \&#
sign will mark the rest of the line as a comment.
.It Fl reverse
This option makes
.Nm
reverse the way it handles incoming and outgoing packets,
allowing it to operate on the internal interface rather than
the external one.
.Pp
This can be useful in some transparent proxying situations
when outgoing traffic is redirected to the local machine
and
.Nm
is running on the internal interface (it usually runs on the
external interface).
.It Fl proxy_only
Force
.Nm
to perform transparent proxying only.
Normal address translation is not performed.
.It Fl proxy_rule Xo
.Op Ar type encode_ip_hdr | encode_tcp_stream
.Ar port xxxx
.Ar server a.b.c.d:yyyy
.Xc
Enable transparent proxying.
Outgoing TCP packets with the given port going through this
host to any other host are redirected to the given server and port.
Optionally, the original target address can be encoded into the packet.
Use
.Ar encode_ip_hdr
to put this information into the IP option field or
.Ar encode_tcp_stream
to inject the data into the beginning of the TCP stream.
.It Fl punch_fw Xo
.Ar basenumber Ns : Ns Ar count
.Xc
This option directs
.Nm
to
.Dq punch holes
in an
.Xr ipfirewall 4
based firewall for FTP/IRC DCC connections.
This is done dynamically by installing temporary firewall rules which
allow a particular connection (and only that connection) to go through
the firewall.
The rules are removed once the corresponding connection terminates.
.Pp
A maximum of
.Ar count
rules starting from the rule number
.Ar basenumber
will be used for punching firewall holes.
All rules in that range are deleted on startup, so do not place rules of
your own in it.
.El
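.Pp
The configuration file format above is small enough to check by hand,
but a converter makes the yes/no rule and the comment handling explicit.
The following is an added example, not code from
.Nm
or the
.Fx
source tree: a POSIX shell function that turns a configuration file into
the equivalent command-line options, applying only the rules stated in
this section (one long-form option per line, yes/no for the options that
take no argument, # comments, trailing whitespace and empty lines
ignored).
The list of no-argument options is taken from the SYNOPSIS; the file
name and contents in the usage are made up for illustration.

```sh
#!/bin/sh
# Added example, not part of natd(8): convert a natd -config file into the
# equivalent command-line options, applying the rules stated in the manual:
# one long-form option per line, flag options written as "option yes|no",
# '#' starts a comment, trailing whitespace and empty lines are ignored.

# Options that take no argument, copied from the SYNOPSIS.
NATD_FLAG_OPTS="unregistered_only log proxy_only reverse deny_incoming use_sockets same_ports verbose dynamic log_denied"

# natd_conf_to_args FILE: print one "-option [argument]" per line, or fail
# with a message on stderr for a line the documented format does not allow.
natd_conf_to_args() {
    conf=$1
    lineno=0
    set -f                              # no globbing while word-splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                # strip a trailing comment
        set -- $line                    # word-split: trims and normalises whitespace
        [ $# -eq 0 ] && continue        # empty or comment-only line
        opt=$1; shift; arg=$*
        case " $NATD_FLAG_OPTS " in
        *" $opt "*)                     # flag option: must be written as yes or no
            case $arg in
            yes) printf '%s\n' "-$opt" ;;
            no)  ;;
            *)   echo "$conf:$lineno: '$opt' expects yes or no" >&2
                 set +f; return 1 ;;
            esac ;;
        *)                              # every other option needs an argument
            if [ -z "$arg" ]; then
                echo "$conf:$lineno: '$opt' requires an argument" >&2
                set +f; return 1
            fi
            printf '%s %s\n' "-$opt" "$arg" ;;
        esac
    done < "$conf"
    set +f
}

# Usage (hypothetical file name): natd_conf_to_args /etc/natd.conf
```

A line that gives a flag option anything other than yes or no, or an
argument-taking option no argument at all, is reported with its line
number and the function returns non-zero, so a bad file is caught before
.Nm
is started with it.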
.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm natd :
.Bl -enum
.It
Build a custom kernel with the following options:
.Bd -literal -offset indent
options IPFIREWALL
options IPDIVERT
.Ed
.Pp
Refer to the handbook for detailed instructions on building a custom
kernel.
.It
Ensure that your machine is acting as a gateway.
This can be done by specifying the line
.Pp
.Dl gateway_enable=YES
.Pp
in the
.Pa /etc/rc.conf
file or using the command
.Pp
.Dl sysctl -w net.inet.ip.forwarding=1
.Pp
.It
If you use the
.Fl interface
option, make sure that your interface is already configured.
If, for example, you wish to specify tun0 as your
.Ar interface ,
and you are using
.Xr ppp 8
on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm natd .
.El
.Pp
Running
.Nm
is fairly straightforward.
The line
.Pp
.Dl natd -interface ed0
.Pp
should suffice in most cases (substituting the correct interface name).
Please check
.Xr rc.conf 5
on how to configure it to be started automatically during boot.
Once
.Nm
is running, you must ensure that traffic is diverted to
.Nm natd :
.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste.
If you are not interested in having a firewall, the
following lines will do:
.Bd -literal -offset indent
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
.Ed
.Pp
The second line depends on your interface (change ed0 as appropriate).
.Pp
Be aware that with these rules anyone on your local network can forge
their source address and have the packets forwarded through your host:
nothing here checks that a packet arriving on the internal interface
actually carries an internal source address, and unsolicited packets
from outside are passed through to the local machine unless
.Nm
was started with
.Fl deny_incoming .
If there are other hosts on your local network, you are strongly
encouraged to create firewall rules that only allow traffic to and
from trusted hosts and addresses.
.Pp
If you specify real firewall rules, it is best to specify line 2 (the
divert rule) at the start of the script so that
.Nm
sees all packets before they are dropped by the firewall.
.Pp
After translation by
.Nm natd ,
packets re-enter the firewall at the rule number following the rule number
that caused the diversion (not the next rule if there are several at the
same number).
.It
Enable your firewall by setting
.Pp
.Dl firewall_enable=YES
.Pp
in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
script.
If you do not wish to reboot now, run the script by hand from the console.
NEVER run it in the foreground of a remote session: as soon as the flush
takes place the session is cut off, execution of
.Pa /etc/rc.firewall
stops at that point, and the machine is left blocking all access until
somebody reaches the console.
Running the script in the background lets it complete even though the
session is lost, which is enough to prevent this.
.El
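.Pp
The two steps above (a divert rule that sees every packet, and a way to
load the rules without losing a remote session) are easier to get right
with a script that can be reviewed before it is run.
The following is an added example, not the stock
.Pa /etc/rc.firewall
nor code from the
.Fx
source tree: a POSIX shell script that prints a ruleset keeping the
divert rule first and adding the anti-spoofing checks the plain
.Dq pass all
example lacks, and a helper that installs it detached from the terminal
with a timed fail-open so that a mistake cannot lock you out.
Assumed, not from this page: the interface names, the LAN prefix
192.168.0.0/24, the rule numbers, and that
.Nm
was started with
.Fl punch_fw 1000:100
so that rules 1000-1099 are left free for it.

```sh
#!/bin/sh
# Added example, not from natd(8) or the stock /etc/rc.firewall: a minimal
# ipfw ruleset for a natd gateway that keeps the divert rule first, rejects
# spoofed source addresses on both interfaces, and a helper that installs the
# rules from a remote session without the lock-out the manual warns about.
# Assumptions: EXT_IF is the public interface natd runs on, INT_IF the LAN
# interface, INT_NET the LAN prefix; natd was started with -punch_fw 1000:100,
# so rules 1000-1099 are left free for it.  $IPFW defaults to /sbin/ipfw.

# natd_fw_rules EXT_IF INT_IF INT_NET: print the ruleset as "add ..." lines.
natd_fw_rules() {
    ext_if=$1 int_if=$2 int_net=$3
    # The divert rule comes before anything that can drop a packet, so natd
    # sees every packet; translated packets re-enter at the next rule number.
    echo "add 00100 divert natd ip from any to any via $ext_if"
    # Anti-spoofing: a LAN source cannot arrive from the public side, and only
    # the LAN prefix may originate on the LAN side.  "pass all" has neither.
    echo "add 00200 deny log ip from $int_net to any in via $ext_if"
    echo "add 00210 deny log ip from not $int_net to any in via $int_if"
    echo "add 00220 deny log ip from 127.0.0.0/8 to any in via $ext_if"
    echo "add 00300 pass ip from any to any via lo0"
    # Rules 1000-1099 are reserved for natd -punch_fw (FTP/IRC DCC holes).
    echo "add 02000 pass ip from any to any via $int_if"
    echo "add 02100 pass ip from any to any out via $ext_if"
    # Inbound: only replies to connections natd already translated.  Targets
    # of -redirect_port / -redirect_address need their own pass rules here.
    echo "add 02200 pass tcp from any to any in via $ext_if established"
    echo "add 02210 pass udp from any 53 to any in via $ext_if"
    echo "add 65000 deny log ip from any to any"
}

# natd_fw_script EXT_IF INT_IF INT_NET [GRACE]: print a script that flushes,
# installs the rules and then, unless it is killed within GRACE seconds,
# reopens the firewall so a bad ruleset cannot lock you out.
natd_fw_script() {
    ipfw=${IPFW:-/sbin/ipfw}
    grace=${4:-60}
    echo "$ipfw -f flush"
    natd_fw_rules "$1" "$2" "$3" | sed "s|^|$ipfw |"
    echo "sleep $grace"
    echo "$ipfw -f flush"
    echo "$ipfw add 65534 pass ip from any to any"
}

# natd_fw_apply EXT_IF INT_IF INT_NET [GRACE]: run that script detached from
# the terminal (nohup, background) so losing the session cannot stop it
# halfway; print the pid to kill once you have confirmed you can still log in.
natd_fw_apply() {
    script=$(mktemp /tmp/natd_fw.XXXXXX) || return 1
    natd_fw_script "$@" > "$script"
    nohup sh "$script" > /tmp/natd_fw.log 2>&1 &
    echo "rules installing; confirm with: kill $!   (within ${4:-60}s)"
}

# Usage (interface names and prefix are assumed):
#   natd_fw_script ed0 ed1 192.168.0.0/24 | less     # review first
#   natd_fw_apply  ed0 ed1 192.168.0.0/24 60         # then install
```

Review the output of natd_fw_script first.
natd_fw_apply prints the pid to kill once you have confirmed that you
can still log in; otherwise, after GRACE seconds, the rules are flushed
and replaced by a single pass rule.
That restores reachability, not the previous ruleset, so fix the script
and apply it again.
Because the inbound TCP rule relies on the ACK bit
.Pq Ar established ,
run
.Nm
with
.Fl deny_incoming
so that packets matching no translation entry are dropped at the divert
rule before they reach it.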
.Sh SEE ALSO
.Xr divert 4 ,
.Xr protocols 5 ,
.Xr rc.conf 5 ,
.Xr services 5 ,
.Xr syslog.conf 5 ,
.Xr ipfw 8 ,
.Xr ppp 8 .
.Sh AUTHORS
This program is the result of the efforts of many people at different
times:
.Pp
.An Archie Cobbs Aq archie@whistle.com
(divert sockets)
.An Charles Mott Aq cmott@scientech.com
(packet aliasing)
.An Eivind Eklund Aq perhaps@yes.no
(IRC support & misc additions)
.An Ari Suutari Aq suutari@iki.fi
(natd)
.An Dru Nelson Aq dnelson@redwoodsoft.com
(early PPTP support)
.An Brian Somers Aq brian@awfulhak.org
(glue)
567