1Copyright (c) 2001 Charles Mott <cm@linktel.net> 2All rights reserved. 3 4Redistribution and use in source and binary forms, with or without 5modification, are permitted provided that the following conditions 6are met: 71. Redistributions of source code must retain the above copyright 8 notice, this list of conditions and the following disclaimer. 92. Redistributions in binary form must reproduce the above copyright 10 notice, this list of conditions and the following disclaimer in the 11 documentation and/or other materials provided with the distribution. 12 13THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23SUCH DAMAGE. 24 25User PPP NAT (Packet Aliasing) 26 27 28 290. Contents 30 1. Background 31 2. Setup 32 3. New commands in ppp 33 4. Future Work 34 5. Authors / Acknowledgements 35 6. Revision History for Aliasing Code 36 37 38 391. Background 40 41User mode ppp has embedded NAT (Network Address Translation) code. 42Enabling this, either by the "-nat" command line option or the 43"nat enable yes" command in a ppp.conf file, makes the ppp host 44automatically NAT IP packets forwarded from a local network, making 45them appear to come from the ppp host machine. Incoming packets 46from the outside world are then appropriately de-NAT'd. 47 48The process of NAT'ing involves both the IP address and the TCP or UDP 49port numbers. ICMP echo and timestamp packets are natted by their id 50numbers. ICMP error messages can be properly directed by examining the 51fragment of the offending packet which is contained in the body of the 52message. 53 54This software was specifically meant to support users who have 55unregistered, private address IP networks (e.g. 192.168.0.x or 10.0.0.x 56addresses). The ppp host can act as a gateway for these networks, and 57computers on the local area net will have some degree of Internet access 58without the need for a registered IP address. Additionally, there will 59be no need for an Internet service provider to maintain routing tables 60for the local area network. 61 62A disadvantage of NAT is that machines on the local network, 63behind the ppp host, are not visible from the outside world. They can 64establish TCP connections and make UDP inquiries (such as domain name 65service requests) but the connections seem to come from the ppp host 66itself. There is, in effect, a partial firewall. Of course, if this is 67what you want, the disadvantage becomes an advantage. 68 69A second disadvantage is that "IP encoding" protocols, which send IP 70address or port information within the data stream, are not supported 71for the cases where exception code exists. This implementation has 72workarounds for FTP and IRC DCC, the most well known of the IP encoding 73protocols. This frees users from depending on using the ftp passive 74mode and avoiding IRC DCC sends, as is sometimes the case with other 75masquerading solutions. 76 77The implementation supports all standard, non-encoding TCP and UDP protocols. 78Examples of these protocols are http, gopher and telnet. The standard UDP 79mode of Real-Audio is not presently supported, but the TCP mode does work 80correctly. 81 82The NAT code also handles many ICMP messages. In particular, 83ping and traceroute are supported. 84 85 86 872. Packet Aliasing Setup 88 89It is recommended that users first verify correct ppp operation without 90NAT enabled. This will confirm that the ppp.conf file is 91properly set up and that there are no ppp problems. Then start ppp with 92the "-nat" option on the command line. The user should verify that 93the ppp host can correctly connect to the Internet in NAT 94mode. Finally, check that machines on the private network can access 95the Internet. 96 97The NAT software handles all packets, whether they come from 98the host or another computer on the local area network. Thus, a correctly 99operating ppp host indicates that the software should work properly for 100other computers on the private network. 101 102If the ppp host can access the Internet, but other computers on the local 103network cannot, check that IP forwarding is enabled on the ppp host. Also, 104verify that the other computers use this machine as a gateway. Of course, 105you should also verify that machines within the local area network 106communicate properly. A common error is inconsistent subnet addresses 107and masks. 108 109 110 1113. New commands in ppp 112 113In order to control NAT behaviour in a simple manner (no need for 114recompilation), a new command has been added to ppp: nat. This 115is in addition to the -nat command line option. System managers and 116more experienced users may prefer to use the ppp command syntax 117within the ppp.conf file. The nat command also allows NAT 118behaviour to be more precisely specified. 119 120The decision to add a command instead of extending 'set' or 'option' was 121to make obvious that these options only work when NAT is enabled. 122 123The syntax for 'nat' is 124 125 ppp> nat option [yes|no] 126 127where option is given by one of the following templates. 128 129 130 - nat enable [yes|no] (default no) 131 132Enable NAT functionality. If disabled, no other NAT 133options will have any effect. You should usually enable NAT 134before routing any packets over the link; good points are in the 135initial script or right before adding a route. If you do not always 136want NAT, consider using the -nat option to ppp instead of this 137command. 138 139 140 - nat deny_incoming [yes|no] (default yes) 141 142Set to "yes" to disable all incoming connections. This just drops 143connections to, for example, ftp, telnet or web servers. The NAT 144mechanism prevents these connections. Technically, this option denies 145all incoming TCP and UDP requests, making the NAT software a 146fairly efficient one-way firewall. The default is no, which will allow 147all incoming connections to telnetd, ftpd, etc. 148 149 150 - nat log [yes|no] 151 152Controls logging of NAT link creation to "/var/log/alias.log" - this 153is usually only useful if debugging a setup, to see if the bug is in 154the PPP NATing. The debugging information is fairly limited, listing 155the number of NAT links open for different protocols. 156 157 158 - nat same_ports [yes|no] (default yes) 159 160When a connection is being established going through the NAT 161routines, it will normally have its port number changed to allow the 162NAT code to track it. If same_ports is enabled, the NAT 163software attempts to keep the connection's source port unchanged. 164This will allow rsh, RPC and other specialised protocols to work 165_most of the time_, at least on the host machine. Please, do not 166report this being unstable as a bug - it is a result of the way 167NAT has to work. TCP/IP was intended to have one IP address 168per machine. 169 170 171 - nat use_sockets [yes|no] (default yes) 172 173This is a fairly obscure option. For the most part, the NAT 174software does not have to allocate system sockets when it chooses a 175NAT port number. Under very specific circumstances, FTP data 176connections (which don't know the remote port number, though it is 177usually 20) and IRC DCC send (which doesn't know either the address or 178the port from which the connection will come), there can potentially be 179some interference with an open server socket having the same port number 180on the ppp host machine. This possibility for interference only exists 181until the TCP connection has been acknowledged on both sides. The safe 182option is yes, though fewer system resources are consumed by specifying 183no. 184 185 186 - nat unregistered_only [yes|no] (default no) 187 188NAT normally remaps all packets coming from the local area 189network to the ppp host machine address. Set this option to only map 190addresses from the following standard ranges for private, unregistered 191addresses: 192 193 10.0.0.0 -> 10.255.255.255 194 172.16.0.0 -> 172.31.255.255 195 192.168.0.0 -> 192.168.255.255 */ 196 197In the instance that there is a subnet of public addresses and another 198subnet of private addresses being routed by the ppp host, then only the 199packets on the private subnet will be NAT'd. 200 201 202- nat port <proto> <local addr>:<port> <nat port> 203 204This command allows incoming traffic to <nat port> on the host 205machine to be redirected to a specific machine and port on the 206local area network. One example of this would be: 207 208 nat port tcp 192.168.0.4:telnet 8066 209 210All traffic to port 8066 of the ppp host would then be sent to 211the telnet port (23) of machine 192.168.0.4. Port numbers 212can either be designated numerically or by symbolic names 213listed in /etc/services. Similarly, addresses can be either 214in dotted quad notation or in /etc/hosts. 215 216 217- nat addr <local addr> <public addr> 218 219This command allows traffic for a public IP address to be 220redirected to a machine on the local network. This function 221is known as "static NAT". An address assignment of 0 refers 222to the default address of the ppp host. Normally static 223NAT is useful if your ISP has allocated a small block of 224IP addresses to the user, but it can even be used in the 225case of a single, dynamically allocated IP address: 226 227 nat addr 10.0.0.8 0 228 229The above command would redirect all incoming traffic to 230machine 10.0.0.8. 231 232If several address NATs specify the same public address 233as follows 234 235 nat addr 192.168.0.2 public_addr 236 nat addr 192.168.0.3 public_addr 237 nat addr 192.168.0.4 public_addr 238 239then incoming traffic will be directed to the last 240translated local address (192.168.0.4), but outgoing 241traffic to the first two addresses will still be NAT'd 242to the specified public address. 243 244 245 2464. Future Work 247 248What is called NAT here has been variously called masquerading, packet 249aliasing and transparent proxying by others. It is an extremely useful 250function to many users, but it is also necessarily imperfect. The 251occasional IP-encoding protocols always need workarounds (hacks). 252Users who are interested in supporting new IP-encoding protocols 253can follow the examples of alias_ftp.c and alias_irc.c. 254 255ICMP error messages are currently handled only in the incoming direction. 256A handler needs to be added to correctly NAT outgoing error messages. 257 258IRC and FTP exception handling make reasonable, though not strictly correct 259assumptions, about how IP encoded messages will appear in the control 260stream. Programmers may wish to consider how to make this process more 261robust. 262 263The NAT engine (alias.c, alias_db.c, alias_ftp.c, alias_irc.c 264and alias_util.c) runs in user space, and is intended to be both portable 265and reusable for interfaces other than ppp. To access the basic engine 266only requires four simple function calls (initialisation, communication of 267host address, outgoing NAT and incoming de-NATing). 268 269 270 2715. Authors / Acknowledgements 272 273Charles Mott (cm@linktel.net) <versions 1.0 - 1.8, 2.0, 2.1> 274Eivind Eklund (perhaps@yes.no) <versions 1.8b - 1.9, new ppp commands> 275 276Listed below, in chronological order, are individuals who have provided 277valuable comments and/or debugging assistance. 278 279 Gary Roberts 280 Tom Torrance 281 Reto Burkhalter 282 Martin Renters 283 Brian Somers 284 Paul Traina 285 Ari Suutari 286 J. Fortes 287 Andrzej Bialeki 288 289 290 2916. Revision History for Aliasing Code 292 293Version 1.0: August 11, 1996 (cjm) 294 295Version 1.1: August 20, 1996 (cjm) 296 PPP host accepts incoming connections for ports 0 to 1023. 297 298Version 1.2: September 7, 1996 (cjm) 299 Fragment handling error in alias_db.c corrected. 300 301Version 1.3: September 15, 1996 (cjm) 302 - Generalised mechanism for handling incoming connections 303 (no more 0 to 1023 restriction). 304 - Increased ICMP support (will handle traceroute now). 305 - Improved TCP close connection logic. 306 307Version 1.4: September 16, 1996 308 Can't remember (this version only lasted a day -- cjm). 309 310Version 1.5: September 17, 1996 (cjm) 311 Corrected error in handling incoming UDP packets 312 with zero checksum. 313 314Version 1.6: September 18, 1996 315 Simplified ICMP data storage. Will now handle 316 tracert from Win95 as well as FreeBSD traceroute. 317 318Version 1.7: January 9, 1997 (cjm) 319 - Reduced malloc() activity for ICMP echo and 320 timestamp requests. 321 - Added handling for out-of-order IP fragments. 322 - Switched to differential checksum computation 323 for IP headers (TCP, UDP and ICMP checksums 324 were already differential). 325 - Accepts FTP data connections from other than 326 port 20. This allows one ftp connections 327 from two hosts which are both running packet 328 aliasing. 329 330Version 1.8: January 14, 1997 (cjm) 331 - Fixed data type error in function StartPoint() 332 in alias_db.c (this bug did not exist before v1.7) 333 334Version 1.8b: January 16, 1997 (Eivind Eklund <perhaps@yes.no>) 335 - Upgraded base PPP version to be the source code from 336 FreeBSD 2.1.6, with additional security patches. This 337 version should still be possible to run on 2.1.5, though - 338 I've run it with a 2.1.5 kernel without problems. 339 (Update done with the permission of cjm) 340 341Version 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>) 342 - Added support for IRC DCC (ee) 343 - Changed the aliasing routines to use ANSI style throughout - 344 minor API changes for integration with other programs than PPP (ee) 345 - Changed the build process, making all options switchable 346 from the Makefile (ee) 347 - Fixed minor security hole in alias_ftp.c for other applications 348 of the aliasing software. Hole could _not_ manifest in 349 PPP+pktAlias, but could potentially manifest in other 350 applications of the aliasing. (ee) 351 - Connections initiated from packet aliasing host machine will 352 not have their port number aliased unless it conflicts with 353 an aliasing port already being used. (There is an option to 354 disable this for debugging) (cjm) 355 - Sockets will be allocated in cases where there might be 356 port interference with the host machine. This can be disabled 357 in cases where the ppp host will be acting purely as a 358 masquerading router and not generate any traffic of its own. 359 (cjm) 360 361Version 2.0: March, 1997 (cjm) 362 - Incoming packets which are not recognised by the packet 363 aliasing engine are now completely dropped in ip.c. 364 - Aliasing links are cleared when a host interface address 365 changes (due to re-dial and dynamic address allocation). 366 - PacketAliasPermanentLink() API added. 367 - Option for only aliasing private, unregistered IP addresses 368 added. 369 - Substantial rework to the aliasing lookup engine. 370 371Version 2.1: May, 1997 (cjm) 372 - Continuing rework to the aliasing lookup engine to support 373 multiple incoming addresses and static NAT. 374 - Now supports outgoing as well as incoming ICMP error messages/ 375 - PPP commands to support address and port redirection. 376 377