xref: /freebsd/usr.sbin/ppp/README.nat (revision 0e8011faf58b743cc652e3b2ad0f7671227610df)
1Copyright (c) 2001 Charles Mott <cm@linktel.net>
2All rights reserved.
3
4Redistribution and use in source and binary forms, with or without
5modification, are permitted provided that the following conditions
6are met:
71. Redistributions of source code must retain the above copyright
8   notice, this list of conditions and the following disclaimer.
92. Redistributions in binary form must reproduce the above copyright
10   notice, this list of conditions and the following disclaimer in the
11   documentation and/or other materials provided with the distribution.
12
13THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23SUCH DAMAGE.
24
25User PPP NAT (Packet Aliasing)
26
27
28
290. Contents
30    1. Background
31    2. Setup
32    3. New commands in ppp
33    4. Future Work
34    5. Authors / Acknowledgements
35    6. Revision History for Aliasing Code
36
37
38
391. Background
40
41User mode ppp has embedded NAT (Network Address Translation) code.
42Enabling this, either by the "-nat" command line option or the
43"nat enable yes" command in a ppp.conf file, makes the ppp host
44automatically NAT IP packets forwarded from a local network, making
45them appear to come from the ppp host machine.  Incoming packets
46from the outside world are then appropriately de-NAT'd.
47
48The process of NAT'ing involves both the IP address and the TCP or UDP
49port numbers. ICMP echo and timestamp packets are natted by their id
50numbers.  ICMP error messages can be properly directed by examining the
51fragment of the offending packet which is contained in the body of the
52message.
53
54This software was specifically meant to support users who have
55unregistered, private address IP networks (e.g. 192.168.0.x or 10.0.0.x
56addresses).  The ppp host can act as a gateway for these networks, and
57computers on the local area net will have some degree of Internet access
58without the need for a registered IP address.  Additionally, there will
59be no need for an Internet service provider to maintain routing tables
60for the local area network.
61
62A disadvantage of NAT is that machines on the local network,
63behind the ppp host, are not visible from the outside world.  They can
64establish TCP connections and make UDP inquiries (such as domain name
65service requests) but the connections seem to come from the ppp host
66itself.  There is, in effect, a partial firewall.  Of course, if this is
67what you want, the disadvantage becomes an advantage.
68
69A second disadvantage is that "IP encoding" protocols, which send IP
70address or port information within the data stream, are not supported
71for the cases where exception code exists.  This implementation has
72workarounds for FTP and IRC DCC, the most well known of the IP encoding
73protocols.  This frees users from depending on using the ftp passive
74mode and avoiding IRC DCC sends, as is sometimes the case with other
75masquerading solutions.
76
77The implementation supports all standard, non-encoding TCP and UDP protocols.
78Examples of these protocols are http, gopher and telnet. The standard UDP
79mode of Real-Audio is not presently supported, but the TCP mode does work
80correctly.
81
82The NAT code also handles many ICMP messages.  In particular,
83ping and traceroute are supported.
84
85
86
872. Packet Aliasing Setup
88
89It is recommended that users first verify correct ppp operation without
90NAT enabled.  This will confirm that the ppp.conf file is
91properly set up and that there are no ppp problems. Then start ppp with
92the "-nat" option on the command line.  The user should verify that
93the ppp host can correctly connect to the Internet in NAT
94mode.  Finally, check that machines on the private network can access
95the Internet.
96
97The NAT software handles all packets, whether they come from
98the host or another computer on the local area network.  Thus, a correctly
99operating ppp host indicates that the software should work properly for
100other computers on the private network.
101
102If the ppp host can access the Internet, but other computers on the local
103network cannot, check that IP forwarding is enabled on the ppp host. Also,
104verify that the other computers use this machine as a gateway.  Of course,
105you should also verify that machines within the local area network
106communicate properly.  A common error is inconsistent subnet addresses
107and masks.
108
109
110
1113. New commands in ppp
112
113In order to control NAT behaviour in a simple manner (no need for
114recompilation), a new command has been added to ppp: nat.  This
115is in addition to the -nat command line option.  System managers and
116more experienced users may prefer to use the ppp command syntax
117within the ppp.conf file.  The nat command also allows NAT
118behaviour to be more precisely specified.
119
120The decision to add a command instead of extending 'set' or 'option' was
121to make obvious that these options only work when NAT is enabled.
122
123The syntax for 'nat' is
124
125    ppp>  nat option [yes|no]
126
127where option is given by one of the following templates.
128
129
130 - nat enable [yes|no]  (default no)
131
132Enable NAT functionality.  If disabled, no other NAT
133options will have any effect.  You should usually enable NAT
134before routing any packets over the link; good points are in the
135initial script or right before adding a route.  If you do not always
136want NAT, consider using the -nat option to ppp instead of this
137command.
138
139
140 - nat deny_incoming [yes|no] (default yes)
141
142Set to "yes" to disable all incoming connections.  This just drops
143connections to, for example, ftp, telnet or web servers.  The NAT
144mechanism prevents these connections. Technically, this option denies
145all incoming TCP and UDP requests, making the NAT software a
146fairly efficient one-way firewall.  The default is no, which will allow
147all incoming connections to telnetd, ftpd, etc.
148
149
150 - nat log [yes|no]
151
152Controls logging of NAT link creation to "/var/log/alias.log" - this
153is usually only useful if debugging a setup, to see if the bug is in
154the PPP NATing.  The debugging information is fairly limited, listing
155the number of NAT links open for different protocols.
156
157
158 - nat same_ports [yes|no] (default yes)
159
160When a connection is being established going through the NAT
161routines, it will normally have its port number changed to allow the
162NAT code to track it.  If same_ports is enabled, the NAT
163software attempts to keep the connection's source port unchanged.
164This will allow rsh, RPC and other specialised protocols to work
165_most of the time_, at least on the host machine.  Please, do not
166report this being unstable as a bug - it is a result of the way
167NAT has to work. TCP/IP was intended to have one IP address
168per machine.
169
170
171 - nat use_sockets [yes|no] (default yes)
172
173This is a fairly obscure option.  For the most part, the NAT
174software does not have to allocate system sockets when it chooses a
175NAT port number.  Under very specific circumstances, FTP data
176connections (which don't know the remote port number, though it is
177usually 20) and IRC DCC send (which doesn't know either the address or
178the port from which the connection will come), there can potentially be
179some interference with an open server socket having the same port number
180on the ppp host machine.  This possibility for interference only exists
181until the TCP connection has been acknowledged on both sides.  The safe
182option is yes, though fewer system resources are consumed by specifying
183no.
184
185
186 - nat unregistered_only [yes|no] (default no)
187
188NAT normally remaps all packets coming from the local area
189network to the ppp host machine address.  Set this option to only map
190addresses from the following standard ranges for private, unregistered
191addresses:
192
193                10.0.0.0     ->   10.255.255.255
194                172.16.0.0   ->   172.31.255.255
195                192.168.0.0  ->   192.168.255.255  */
196
197In the instance that there is a subnet of public addresses and another
198subnet of private addresses being routed by the ppp host, then only the
199packets on the private subnet will be NAT'd.
200
201
202- nat port <proto> <local addr>:<port>  <nat port>
203
204This command allows incoming traffic to <nat port> on the host
205machine to be redirected to a specific machine and port on the
206local area network.  One example of this would be:
207
208    nat port tcp 192.168.0.4:telnet  8066
209
210All traffic to port 8066 of the ppp host would then be sent to
211the telnet port (23) of machine 192.168.0.4.  Port numbers
212can either be designated numerically or by symbolic names
213listed in /etc/services.  Similarly, addresses can be either
214in dotted quad notation or in /etc/hosts.
215
216
217- nat addr <local addr> <public addr>
218
219This command allows traffic for a public IP address to be
220redirected to a machine on the local network.  This function
221is known as "static NAT".  An address assignment of 0 refers
222to the default address of the ppp host.  Normally static
223NAT is useful if your ISP has allocated a small block of
224IP addresses to the user, but it can even be used in the
225case of a single, dynamically allocated IP address:
226
227    nat addr 10.0.0.8 0
228
229The above command would redirect all incoming traffic to
230machine 10.0.0.8.
231
232If several address NATs specify the same public address
233as follows
234
235    nat addr 192.168.0.2  public_addr
236    nat addr 192.168.0.3  public_addr
237    nat addr 192.168.0.4  public_addr
238
239then incoming traffic will be directed to the last
240translated local address (192.168.0.4), but outgoing
241traffic to the first two addresses will still be NAT'd
242to the specified public address.
243
244
245
2464. Future Work
247
248What is called NAT here has been variously called masquerading, packet
249aliasing and transparent proxying by others.  It is an extremely useful
250function to many users, but it is also necessarily imperfect.  The
251occasional IP-encoding protocols always need workarounds (hacks).
252Users who are interested in supporting new IP-encoding protocols
253can follow the examples of alias_ftp.c and alias_irc.c.
254
255ICMP error messages are currently handled only in the incoming direction.
256A handler needs to be added to correctly NAT outgoing error messages.
257
258IRC and FTP exception handling make reasonable, though not strictly correct
259assumptions, about how IP encoded messages will appear in the control
260stream.  Programmers may wish to consider how to make this process more
261robust.
262
263The NAT engine (alias.c, alias_db.c, alias_ftp.c, alias_irc.c
264and alias_util.c) runs in user space, and is intended to be both portable
265and reusable for interfaces other than ppp.  To access the basic engine
266only requires four simple function calls (initialisation, communication of
267host address, outgoing NAT and incoming de-NATing).
268
269
270
2715. Authors / Acknowledgements
272
273Charles Mott (cm@linktel.net)  <versions 1.0 - 1.8, 2.0, 2.1>
274Eivind Eklund (perhaps@yes.no) <versions 1.8b - 1.9, new ppp commands>
275
276Listed below, in chronological order, are individuals who have provided
277valuable comments and/or debugging assistance.
278
279    Gary Roberts
280    Tom Torrance
281    Reto Burkhalter
282    Martin Renters
283    Brian Somers
284    Paul Traina
285    Ari Suutari
286    J. Fortes
287    Andrzej Bialeki
288
289
290
2916. Revision History for Aliasing Code
292
293Version 1.0: August 11, 1996 (cjm)
294
295Version 1.1:  August 20, 1996  (cjm)
296    PPP host accepts incoming connections for ports 0 to 1023.
297
298Version 1.2:  September 7, 1996 (cjm)
299    Fragment handling error in alias_db.c corrected.
300
301Version 1.3: September 15, 1996 (cjm)
302    - Generalised mechanism for handling incoming connections
303      (no more 0 to 1023 restriction).
304    - Increased ICMP support (will handle traceroute now).
305    - Improved TCP close connection logic.
306
307Version 1.4: September 16, 1996
308    Can't remember (this version only lasted a day -- cjm).
309
310Version 1.5: September 17, 1996 (cjm)
311    Corrected error in handling incoming UDP packets
312    with zero checksum.
313
314Version 1.6: September 18, 1996
315    Simplified ICMP data storage.  Will now handle
316    tracert from Win95 as well as FreeBSD traceroute.
317
318Version 1.7: January 9, 1997 (cjm)
319    - Reduced malloc() activity for ICMP echo and
320      timestamp requests.
321    - Added handling for out-of-order IP fragments.
322    - Switched to differential checksum computation
323      for IP headers (TCP, UDP and ICMP checksums
324      were already differential).
325    - Accepts FTP data connections from other than
326      port 20.  This allows one ftp connections
327      from two hosts which are both running packet
328      aliasing.
329
330Version 1.8: January 14, 1997 (cjm)
331    - Fixed data type error in function StartPoint()
332      in alias_db.c (this bug did not exist before v1.7)
333
334Version 1.8b: January 16, 1997 (Eivind Eklund <perhaps@yes.no>)
335    - Upgraded base PPP version to be the source code from
336      FreeBSD 2.1.6, with additional security patches.  This
337      version should still be possible to run on 2.1.5, though -
338      I've run it with a 2.1.5 kernel without problems.
339      (Update done with the permission of cjm)
340
341Version 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>)
342    - Added support for IRC DCC (ee)
343    - Changed the aliasing routines to use ANSI style throughout -
344      minor API changes for integration with other programs than PPP (ee)
345    - Changed the build process, making all options switchable
346      from the Makefile (ee)
347    - Fixed minor security hole in alias_ftp.c for other applications
348      of the aliasing software.  Hole could _not_ manifest in
349      PPP+pktAlias, but could potentially manifest in other
350      applications of the aliasing. (ee)
351    - Connections initiated from packet aliasing host machine will
352      not have their port number aliased unless it conflicts with
353      an aliasing port already being used. (There is an option to
354      disable this for debugging) (cjm)
355    - Sockets will be allocated in cases where there might be
356      port interference with the host machine.  This can be disabled
357      in cases where the ppp host will be acting purely as a
358      masquerading router and not generate any traffic of its own.
359      (cjm)
360
361Version 2.0: March, 1997 (cjm)
362    - Incoming packets which are not recognised by the packet
363      aliasing engine are now completely dropped in ip.c.
364    - Aliasing links are cleared when a host interface address
365      changes (due to re-dial and dynamic address allocation).
366    - PacketAliasPermanentLink() API added.
367    - Option for only aliasing private, unregistered IP addresses
368      added.
369    - Substantial rework to the aliasing lookup engine.
370
371Version 2.1: May, 1997 (cjm)
372    - Continuing rework to the aliasing lookup engine to support
373      multiple incoming addresses and static NAT.
374    - Now supports outgoing as well as incoming ICMP error messages/
375    - PPP commands to support address and port redirection.
376
377