xref: /freebsd/sbin/natd/natd.8 (revision d876124d6ae9d56da5b4ff4c6015efd1d0c9222a) 
1.\" $FreeBSD$
2.Dd February 4, 2008
3.Dt NATD 8
4.Os
5.Sh NAME
6.Nm natd
7.Nd Network Address Translation daemon
8.Sh SYNOPSIS
9.Nm
10.Bk -words
11.Op Fl unregistered_only | u
12.Op Fl log | l
13.Op Fl proxy_only
14.Op Fl reverse
15.Op Fl deny_incoming | d
16.Op Fl use_sockets | s
17.Op Fl same_ports | m
18.Op Fl verbose | v
19.Op Fl dynamic
20.Op Fl in_port | i Ar port
21.Op Fl out_port | o Ar port
22.Op Fl port | p Ar port
23.Op Fl alias_address | a Ar address
24.Op Fl target_address | t Ar address
25.Op Fl interface | n Ar interface
26.Op Fl proxy_rule Ar proxyspec
27.Op Fl redirect_port Ar linkspec
28.Op Fl redirect_proto Ar linkspec
29.Op Fl redirect_address Ar linkspec
30.Op Fl config | f Ar configfile
31.Op Fl instance Ar instancename
32.Op Fl globalport Ar port
33.Op Fl log_denied
34.Op Fl log_facility Ar facility_name
35.Op Fl punch_fw Ar firewall_range
36.Op Fl skinny_port Ar port
37.Op Fl log_ipfw_denied
38.Op Fl pid_file | P Ar pidfile
39.Ek
40.Sh DESCRIPTION
41The
42.Nm
43utility provides a Network Address Translation facility for use
44with
45.Xr divert 4
46sockets under
47.Fx .
48.Pp
49(If you need NAT on a PPP link,
50.Xr ppp 8
51provides the
52.Fl nat
53option that gives most of the
54.Nm
55functionality, and uses the same
56.Xr libalias 3
57library.)
58.Pp
59The
60.Nm
61utility normally runs in the background as a daemon.
62It is passed raw IP packets as they travel into and out of the machine,
63and will possibly change these before re-injecting them back into the
64IP packet stream.
65.Pp
66It changes all packets destined for another host so that their source
67IP address is that of the current machine.
68For each packet changed in this manner, an internal table entry is
69created to record this fact.
70The source port number is also changed to indicate the table entry
71applying to the packet.
72Packets that are received with a target IP of the current host are
73checked against this internal table.
74If an entry is found, it is used to determine the correct target IP
75address and port to place in the packet.
76.Pp
77The following command line options are available:
78.Bl -tag -width Fl
79.It Fl log | l
80Log various aliasing statistics and information to the file
81.Pa /var/log/alias.log .
82This file is truncated each time
83.Nm
84is started.
85.It Fl deny_incoming | d
86Do not pass incoming packets that have no
87entry in the internal translation table.
88.Pp
89If this option is not used, then such a packet will be altered
90using the rules in
91.Fl target_address
92below, and the entry will be made in the internal translation table.
93.It Fl log_denied
94Log denied incoming packets via
95.Xr syslog 3
96(see also
97.Fl log_facility ) .
98.It Fl log_facility Ar facility_name
99Use specified log facility when logging information via
100.Xr syslog 3 .
101Argument
102.Ar facility_name
103is one of the keywords specified in
104.Xr syslog.conf 5 .
105.It Fl use_sockets | s
106Allocate a
107.Xr socket 2
108in order to establish an FTP data or IRC DCC send connection.
109This option uses more system resources, but guarantees successful
110connections when port numbers conflict.
111.It Fl same_ports | m
112Try to keep the same port number when altering outgoing packets.
113With this option, protocols such as RPC will have a better chance
114of working.
115If it is not possible to maintain the port number, it will be silently
116changed as per normal.
117.It Fl verbose | v
118Do not call
119.Xr daemon 3
120on startup.
121Instead, stay attached to the controlling terminal and display all packet
122alterations to the standard output.
123This option should only be used for debugging purposes.
124.It Fl unregistered_only | u
125Only alter outgoing packets with an
126.Em unregistered
127source address.
128According to RFC 1918, unregistered source addresses are 10.0.0.0/8,
129172.16.0.0/12 and 192.168.0.0/16.
130.It Fl redirect_port Ar proto Xo
131.Ar targetIP Ns : Ns Xo
132.Ar targetPORT Ns Op - Ns Ar targetPORT Xc
133.Op Ar aliasIP Ns : Ns Xo
134.Ar aliasPORT Ns Op - Ns Ar aliasPORT Xc
135.Oo Ar remoteIP Ns Oo : Ns
136.Ar remotePORT Ns Op - Ns Ar remotePORT
137.Oc Oc
138.Xc
139Redirect incoming connections arriving to given port(s) to another host
140and port(s).
141Argument
142.Ar proto
143is either
144.Ar tcp
145or
146.Ar udp ,
147.Ar targetIP
148is the desired target IP address,
149.Ar targetPORT
150is the desired target port number or range,
151.Ar aliasPORT
152is the requested port number or range, and
153.Ar aliasIP
154is the aliasing address.
155Arguments
156.Ar remoteIP
157and
158.Ar remotePORT
159can be used to specify the connection more accurately if necessary.
160If
161.Ar remotePORT
162is not specified, it is assumed to be all ports.
163.Pp
164Arguments
165.Ar targetIP , aliasIP
166and
167.Ar remoteIP
168can be given as IP addresses or as hostnames.
169The
170.Ar targetPORT , aliasPORT
171and
172.Ar remotePORT
173ranges need not be the same numerically, but must have the same size.
174When
175.Ar targetPORT , aliasPORT
176or
177.Ar remotePORT
178specifies a singular value (not a range), it can be given as a service
179name that is searched for in the
180.Xr services 5
181database.
182.Pp
183For example, the argument
184.Pp
185.Dl Ar tcp inside1:telnet 6666
186.Pp
187means that incoming TCP packets destined for port 6666 on this machine
188will be sent to the telnet port on the inside1 machine.
189.Pp
190.Dl Ar tcp inside2:2300-2399 3300-3399
191.Pp
192will redirect incoming connections on ports 3300-3399 to host
193inside2, ports 2300-2399.
194The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
195.It Fl redirect_proto Ar proto localIP Oo
196.Ar publicIP Op Ar remoteIP
197.Oc
198Redirect incoming IP packets of protocol
199.Ar proto
200(see
201.Xr protocols 5 )
202destined for
203.Ar publicIP
204address to a
205.Ar localIP
206address and vice versa.
207.Pp
208If
209.Ar publicIP
210is not specified, then the default aliasing address is used.
211If
212.Ar remoteIP
213is specified, then only packets coming from/to
214.Ar remoteIP
215will match the rule.
216.It Fl redirect_address Ar localIP publicIP
217Redirect traffic for public IP address to a machine on the local
218network.
219This function is known as
220.Em static NAT .
221Normally static NAT is useful if your ISP has allocated a small block
222of IP addresses to you, but it can even be used in the case of single
223address:
224.Pp
225.Dl Ar redirect_address 10.0.0.8 0.0.0.0
226.Pp
227The above command would redirect all incoming traffic
228to machine 10.0.0.8.
229.Pp
230If several address aliases specify the same public address
231as follows
232.Bd -literal -offset indent
233redirect_address 192.168.0.2 public_addr
234redirect_address 192.168.0.3 public_addr
235redirect_address 192.168.0.4 public_addr
236.Ed
237.Pp
238the incoming traffic will be directed to the last
239translated local address (192.168.0.4), but outgoing
240traffic from the first two addresses will still be aliased
241to appear from the specified
242.Ar public_addr .
243.It Fl redirect_port Ar proto Xo
244.Ar targetIP Ns : Ns Xo
245.Ar targetPORT Ns Oo , Ns
246.Ar targetIP Ns : Ns Xo
247.Ar targetPORT Ns Oo , Ns
248.Ar ...\&
249.Oc Oc
250.Xc
251.Xc
252.Op Ar aliasIP Ns : Ns Xo
253.Ar aliasPORT
254.Xc
255.Oo Ar remoteIP Ns
256.Op : Ns Ar remotePORT
257.Oc
258.Xc
259.It Fl redirect_address Xo
260.Ar localIP Ns Oo , Ns
261.Ar localIP Ns Oo , Ns
262.Ar ...\&
263.Oc Oc
264.Ar publicIP
265.Xc
266These forms of
267.Fl redirect_port
268and
269.Fl redirect_address
270are used to transparently offload network load on a single server and
271distribute the load across a pool of servers.
272This function is known as
273.Em LSNAT
274(RFC 2391).
275For example, the argument
276.Pp
277.Dl Ar tcp www1:http,www2:http,www3:http www:http
278.Pp
279means that incoming HTTP requests for host www will be transparently
280redirected to one of the www1, www2 or www3, where a host is selected
281simply on a round-robin basis, without regard to load on the net.
282.It Fl dynamic
283If the
284.Fl n
285or
286.Fl interface
287option is used,
288.Nm
289will monitor the routing socket for alterations to the
290.Ar interface
291passed.
292If the interface's IP address is changed,
293.Nm
294will dynamically alter its concept of the alias address.
295.It Fl in_port | i Ar port
296Read from and write to
297.Xr divert 4
298port
299.Ar port ,
300treating all packets as
301.Dq incoming .
302.It Fl out_port | o Ar port
303Read from and write to
304.Xr divert 4
305port
306.Ar port ,
307treating all packets as
308.Dq outgoing .
309.It Fl port | p Ar port
310Read from and write to
311.Xr divert 4
312port
313.Ar port ,
314distinguishing packets as
315.Dq incoming
316or
317.Dq outgoing
318using the rules specified in
319.Xr divert 4 .
320If
321.Ar port
322is not numeric, it is searched for in the
323.Xr services 5
324database.
325If this option is not specified, the divert port named
326.Ar natd
327will be used as a default.
328.It Fl alias_address | a Ar address
329Use
330.Ar address
331as the aliasing address.
332Either this or the
333.Fl interface
334option must be used (but not both),
335if the
336.Fl proxy_only
337option is not specified.
338The specified address is usually the address assigned to the
339.Dq public
340network interface.
341.Pp
342All data passing
343.Em out
344will be rewritten with a source address equal to
345.Ar address .
346All data coming
347.Em in
348will be checked to see if it matches any already-aliased outgoing
349connection.
350If it does, the packet is altered accordingly.
351If not, all
352.Fl redirect_port ,
353.Fl redirect_proto
354and
355.Fl redirect_address
356assignments are checked and actioned.
357If no other action can be made and if
358.Fl deny_incoming
359is not specified, the packet is delivered to the local machine
360using the rules specified in
361.Fl target_address
362option below.
363.It Fl t | target_address Ar address
364Set the target address.
365When an incoming packet not associated with any pre-existing link
366arrives at the host machine, it will be sent to the specified
367.Ar address .
368.Pp
369The target address may be set to
370.Ar 255.255.255.255 ,
371in which case all new incoming packets go to the alias address set by
372.Fl alias_address
373or
374.Fl interface .
375.Pp
376If this option is not used, or called with the argument
377.Ar 0.0.0.0 ,
378then all new incoming packets go to the address specified in
379the packet.
380This allows external machines to talk directly to internal machines if
381they can route packets to the machine in question.
382.It Fl interface | n Ar interface
383Use
384.Ar interface
385to determine the aliasing address.
386If there is a possibility that the IP address associated with
387.Ar interface
388may change, the
389.Fl dynamic
390option should also be used.
391If this option is not specified, the
392.Fl alias_address
393option must be used.
394.Pp
395The specified
396.Ar interface
397is usually the
398.Dq public
399(or
400.Dq external )
401network interface.
402.It Fl config | f Ar file
403Read configuration from
404.Ar file .
405A
406.Ar file
407should contain a list of options, one per line, in the same form
408as the long form of the above command line options.
409For example, the line
410.Pp
411.Dl alias_address 158.152.17.1
412.Pp
413would specify an alias address of 158.152.17.1.
414Options that do not take an argument are specified with an argument of
415.Ar yes
416or
417.Ar no
418in the configuration file.
419For example, the line
420.Pp
421.Dl log yes
422.Pp
423is synonymous with
424.Fl log .
425.Pp
426Options can be divided to several sections.
427Each section applies to own
428.Nm
429instance.
430This ability allows to configure one
431.Nm
432process for several NAT instances.
433The first instance that always exists is a "default" instance.
434Each another instance should begin with
435.Pp
436.Dl instance Ar instance_name
437.Pp
438At the next should be placed a configuration option.
439Example:
440.Pp
441.Dl \&# default instance
442.Dl port 8668
443.Dl alias_address 158.152.17.1
444.Pp
445.Dl \&# second instance
446.Dl instance dsl1
447.Dl port 8888
448.Dl alias_address 192.168.0.1
449.Pp
450Trailing spaces and empty lines are ignored.
451A
452.Ql \&#
453sign will mark the rest of the line as a comment.
454.It Fl instance Ar instancename
455This option switches command line options processing to configure instance
456.Ar instancename
457(creating it if necessary) till the next
458.Fl instance
459option or end of command line.
460It is easier to set up multiple instances in the configuration file
461specified with the
462.Fl config
463option rather than on a command line.
464.It Fl globalport Ar port
465Read from and write to
466.Xr divert 4
467port
468.Ar port ,
469treating all packets as
470.Dq outgoing .
471This option is intended to be used with multiple instances:
472packets received on this port are checked against
473internal translation tables of every configured instance.
474If an entry is found, packet is aliased according to that entry.
475In no entry was found in any of the instances, packet is passed
476unchanged, and no new entry will be created.
477See the section
478.Sx MULTIPLE INSTANCES
479for more details.
480.It Fl reverse
481This option makes
482.Nm
483reverse the way it handles
484.Dq incoming
485and
486.Dq outgoing
487packets, allowing it to operate on the
488.Dq internal
489network interface rather than the
490.Dq external
491one.
492.Pp
493This can be useful in some transparent proxying situations
494when outgoing traffic is redirected to the local machine
495and
496.Nm
497is running on the internal interface (it usually runs on the
498external interface).
499.It Fl proxy_only
500Force
501.Nm
502to perform transparent proxying only.
503Normal address translation is not performed.
504.It Fl proxy_rule Xo
505.Op Ar type encode_ip_hdr | encode_tcp_stream
506.Ar port xxxx
507.Ar server a.b.c.d:yyyy
508.Xc
509Enable transparent proxying.
510Outgoing TCP packets with the given port going through this
511host to any other host are redirected to the given server and port.
512Optionally, the original target address can be encoded into the packet.
513Use
514.Ar encode_ip_hdr
515to put this information into the IP option field or
516.Ar encode_tcp_stream
517to inject the data into the beginning of the TCP stream.
518.It Fl punch_fw Xo
519.Ar basenumber Ns : Ns Ar count
520.Xc
521This option directs
522.Nm
523to
524.Dq punch holes
525in an
526.Xr ipfirewall 4
527based firewall for FTP/IRC DCC connections.
528This is done dynamically by installing temporary firewall rules which
529allow a particular connection (and only that connection) to go through
530the firewall.
531The rules are removed once the corresponding connection terminates.
532.Pp
533A maximum of
534.Ar count
535rules starting from the rule number
536.Ar basenumber
537will be used for punching firewall holes.
538The range will be cleared for all rules on startup.
539This option has no effect when the kernel is in security
540level 3, see
541.Xr init 8
542for more information.
543.It Fl skinny_port Ar port
544This option allows you to specify the TCP port used for
545the Skinny Station protocol.
546Skinny is used by Cisco IP phones to communicate with
547Cisco Call Managers to set up voice over IP calls.
548By default, Skinny aliasing is not performed.
549The typical port value for Skinny is 2000.
550.It Fl log_ipfw_denied
551Log when a packet cannot be re-injected because an
552.Xr ipfw 8
553rule blocks it.
554This is the default with
555.Fl verbose .
556.It Fl pid_file | P Ar file
557Specify an alternate file in which to store the process ID.
558The default is
559.Pa /var/run/natd.pid .
560.El
561.Sh RUNNING NATD
562The following steps are necessary before attempting to run
563.Nm :
564.Bl -enum
565.It
566Build a custom kernel with the following options:
567.Bd -literal -offset indent
568options IPFIREWALL
569options IPDIVERT
570.Ed
571.Pp
572Refer to the handbook for detailed instructions on building a custom
573kernel.
574.It
575Ensure that your machine is acting as a gateway.
576This can be done by specifying the line
577.Pp
578.Dl gateway_enable=YES
579.Pp
580in the
581.Pa /etc/rc.conf
582file or using the command
583.Pp
584.Dl "sysctl net.inet.ip.forwarding=1"
585.Pp
586.It
587If you use the
588.Fl interface
589option, make sure that your interface is already configured.
590If, for example, you wish to specify
591.Ql tun0
592as your
593.Ar interface ,
594and you are using
595.Xr ppp 8
596on that interface, you must make sure that you start
597.Nm ppp
598prior to starting
599.Nm .
600.El
601.Pp
602Running
603.Nm
604is fairly straight forward.
605The line
606.Pp
607.Dl natd -interface ed0
608.Pp
609should suffice in most cases (substituting the correct interface name).
610Please check
611.Xr rc.conf 5
612on how to configure it to be started automatically during boot.
613Once
614.Nm
615is running, you must ensure that traffic is diverted to
616.Nm :
617.Bl -enum
618.It
619You will need to adjust the
620.Pa /etc/rc.firewall
621script to taste.
622If you are not interested in having a firewall, the
623following lines will do:
624.Bd -literal -offset indent
625/sbin/ipfw -f flush
626/sbin/ipfw add divert natd all from any to any via ed0
627/sbin/ipfw add pass all from any to any
628.Ed
629.Pp
630The second line depends on your interface (change
631.Ql ed0
632as appropriate).
633.Pp
634You should be aware of the fact that, with these firewall settings,
635everyone on your local network can fake his source-address using your
636host as gateway.
637If there are other hosts on your local network, you are strongly
638encouraged to create firewall rules that only allow traffic to and
639from trusted hosts.
640.Pp
641If you specify real firewall rules, it is best to specify line 2 at
642the start of the script so that
643.Nm
644sees all packets before they are dropped by the firewall.
645.Pp
646After translation by
647.Nm ,
648packets re-enter the firewall at the rule number following the rule number
649that caused the diversion (not the next rule if there are several at the
650same number).
651.It
652Enable your firewall by setting
653.Pp
654.Dl firewall_enable=YES
655.Pp
656in
657.Pa /etc/rc.conf .
658This tells the system startup scripts to run the
659.Pa /etc/rc.firewall
660script.
661If you do not wish to reboot now, just run this by hand from the console.
662NEVER run this from a remote session unless you put it into the background.
663If you do, you will lock yourself out after the flush takes place, and
664execution of
665.Pa /etc/rc.firewall
666will stop at this point - blocking all accesses permanently.
667Running the script in the background should be enough to prevent this
668disaster.
669.El
670.Sh MULTIPLE INSTANCES
671It is not so uncommon to have a need of aliasing to several external IP
672addresses.
673While this traditionally was achieved by running several
674.Nm
675processes with independent configurations,
676.Nm
677can have multiple aliasing instances in a single process,
678also allowing them to be not so independent of each other.
679For example, let us see a common task of load balancing two
680channels to different providers on a machine with two external
681interfaces
682.Ql sis0
683(with IP 1.2.3.4) and
684.Ql sis2
685(with IP 2.3.4.5):
686.Bd -literal -offset indent
687          net 1.2.3.0/24
6881.2.3.1 ------------------ sis0
689(router)                (1.2.3.4)
690                                         net 10.0.0.0/24
691                                  sis1 ------------------- 10.0.0.2
692                               (10.0.0.1)
693          net 2.3.4.0/24
6942.3.4.1 ------------------ sis2
695(router)                (2.3.4.5)
696.Ed
697.Pp
698Default route is out via
699.Ql sis0 .
700.Pp
701Interior machine (10.0.0.2) is accessible on TCP port 122 through
702both exterior IPs, and outgoing connections choose a path randomly
703between
704.Ql sis0
705and
706.Ql sis2 .
707.Pp
708The way this works is that
709.Pa natd.conf
710builds two instances of the aliasing engine.
711.Pp
712In addition to these instances' private
713.Xr divert 4
714sockets, a third socket called the
715.Dq globalport
716is created; packets sent to
717.Nm
718via this one will be matched against all instances and translated
719if an existing entry is found, and unchanged if no entry is found.
720The following lines are placed into
721.Pa /etc/natd.conf :
722.Bd -literal -offset indent
723log
724deny_incoming
725verbose
726
727instance default
728interface sis0
729port 1000
730redirect_port tcp 10.0.0.2:122 122
731
732instance sis2
733interface sis2
734port 2000
735redirect_port tcp 10.0.0.2:122 122
736
737globalport 3000
738.Ed
739.Pp
740And the following
741.Xr ipfw 8
742rules are used:
743.Bd -literal -offset indent
744ipfw -f flush
745
746ipfw add      allow ip from any to any via sis1
747
748ipfw add      skipto 1000 ip from any to any in via sis0
749ipfw add      skipto 2000 ip from any to any out via sis0
750ipfw add      skipto 3000 ip from any to any in via sis2
751ipfw add      skipto 4000 ip from any to any out via sis2
752
753ipfw add 1000 count ip from any to any
754
755ipfw add      divert 1000 ip from any to any
756ipfw add      allow ip from any to any
757
758ipfw add 2000 count ip from any to any
759
760ipfw add      divert 3000 ip from any to any
761
762ipfw add      allow ip from 1.2.3.4 to any
763ipfw add      skipto 5000 ip from 2.3.4.5 to any
764
765ipfw add      prob .5 skipto 4000 ip from any to any
766
767ipfw add      divert 1000 ip from any to any
768ipfw add      allow ip from any to any
769
770ipfw add 3000 count ip from any to any
771
772ipfw add      divert 2000 ip from any to any
773ipfw add      allow ip from any to any
774
775ipfw add 4000 count ip from any to any
776
777ipfw add      divert 2000 ip from any to any
778
779ipfw add 5000 fwd 2.3.4.1 ip from 2.3.4.5 to not 2.3.4.0/24
780ipfw add      allow ip from any to any
781.Ed
782.Pp
783Here the packet from internal network to Internet goes out via
784.Ql sis0
785(rule number 2000) and gets catched by the
786.Ic globalport
787socket (3000).
788After that, either a match is found in a translation table
789of one of the two instances, or the packet is passed to one
790of the two other
791.Xr divert 4
792ports (1000 or 2000), with equal probability.
793This ensures that load balancing is done on a per-flow basis
794(i.e., packets from a single TCP connection always flow through the
795same interface).
796Translated packets with source IP of a non-default interface
797.Pq Ql sis2
798are forwarded to the appropriate router on that interface.
799.Sh SEE ALSO
800.Xr libalias 3 ,
801.Xr divert 4 ,
802.Xr protocols 5 ,
803.Xr rc.conf 5 ,
804.Xr services 5 ,
805.Xr syslog.conf 5 ,
806.Xr init 8 ,
807.Xr ipfw 8 ,
808.Xr ppp 8
809.Sh AUTHORS
810This program is the result of the efforts of many people at different
811times:
812.Pp
813.An Archie Cobbs Aq archie@FreeBSD.org
814(divert sockets)
815.An Charles Mott Aq cm@linktel.net
816(packet aliasing)
817.An Eivind Eklund Aq perhaps@yes.no
818(IRC support & misc additions)
819.An Ari Suutari Aq suutari@iki.fi
820(natd)
821.An Dru Nelson Aq dnelson@redwoodsoft.com
822(early PPTP support)
823.An Brian Somers Aq brian@awfulhak.org
824(glue)
825.An Ruslan Ermilov Aq ru@FreeBSD.org
826(natd, packet aliasing, glue)
827.An Poul-Henning Kamp Aq phk@FreeBSD.org
828(multiple instances)
829