.\" $FreeBSD: src/sbin/natd/natd.8,v 1.27.2.13 2003/02/23 21:17:43 trhodes Exp $
.\" $DragonFly: src/sbin/natd/natd.8,v 1.3 2004/03/11 12:28:54 hmp Exp $
.Dd June 27, 2000
.Dt NATD 8
.Os
.Sh NAME
.Nm natd
.Nd Network Address Translation daemon
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl unregistered_only | u
.Op Fl log | l
.Op Fl proxy_only
.Op Fl reverse
.Op Fl deny_incoming | d
.Op Fl use_sockets | s
.Op Fl same_ports | m
.Op Fl verbose | v
.Op Fl dynamic
.Op Fl in_port | i Ar port
.Op Fl out_port | o Ar port
.Op Fl port | p Ar port
.Op Fl alias_address | a Ar address
.Op Fl target_address | t Ar address
.Op Fl interface | n Ar interface
.Op Fl proxy_rule Ar proxyspec
.Op Fl redirect_port Ar linkspec
.Op Fl redirect_proto Ar linkspec
.Op Fl redirect_address Ar linkspec
.Op Fl config | f Ar configfile
.Op Fl log_denied
.Op Fl log_facility Ar facility_name
.Op Fl punch_fw Ar firewall_range
.Op Fl log_ipfw_denied
.Ek
.Sh DESCRIPTION
The
.Nm
utility provides a Network Address Translation facility for use
with
.Xr divert 4
sockets under
.Dx .
It is intended for use with NICs - if you want to do NAT on a PPP link,
use the
.Fl nat
switch to
.Xr ppp 8 .
.Pp
The
.Nm
utility normally runs in the background as a daemon.
It is passed raw IP packets as they travel into and out of the machine,
and will possibly change these before re-injecting them back into the
IP packet stream.
.Pp
It changes all packets destined for another host so that their source
IP number is that of the current machine.
For each packet changed in this manner, an internal table entry is
created to record this fact.
The source port number is also changed to indicate the table entry
applying to the packet.
Packets that are received with a target IP of the current host are
checked against this internal table.
If an entry is found, it is used to determine the correct target IP
number and port to place in the packet.
.Pp
The following command line options are available:
.Bl -tag -width Fl
.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time
.Nm
is started.
.It Fl deny_incoming | d
Do not pass incoming packets that have no
entry in the internal translation table.
.Pp
If this option is not used, then such a packet will be altered
using the rules in
.Fl target_address
below, and the entry will be made in the internal translation table.
.It Fl log_denied
Log denied incoming packets via
.Xr syslog 3
(see also
.Fl log_facility ) .
.It Fl log_facility Ar facility_name
Use specified log facility when logging information via
.Xr syslog 3 .
Argument
.Ar facility_name
is one of the keywords specified in
.Xr syslog.conf 5 .
.It Fl use_sockets | s
Allocate a
.Xr socket 2
in order to establish an FTP data or IRC DCC send connection.
This option uses more system resources, but guarantees successful
connections when port numbers conflict.
.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
With this option, protocols such as RPC will have a better chance
of working.
If it is not possible to maintain the port number, it will be silently
changed as per normal.
.It Fl verbose | v
Do not call
.Xr daemon 3
on startup.
Instead, stay attached to the controlling terminal and display all packet
alterations to the standard output.
This option should only be used for debugging purposes.
.It Fl unregistered_only | u
Only alter outgoing packets with an
.Em unregistered
source address.
According to RFC 1918, unregistered source addresses are 10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16.
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Op - Ns Ar targetPORT Xc
.Op Ar aliasIP Ns : Ns Xo
.Ar aliasPORT Ns Op - Ns Ar aliasPORT Xc
.Oo Ar remoteIP Ns Oo : Ns
.Ar remotePORT Ns Op - Ns Ar remotePORT
.Oc Oc
.Xc
Redirect incoming connections arriving to given port(s) to another host
and port(s).
Argument
.Ar proto
is either
.Ar tcp
or
.Ar udp ,
.Ar targetIP
is the desired target IP number,
.Ar targetPORT
is the desired target port number or range,
.Ar aliasPORT
is the requested port number or range, and
.Ar aliasIP
is the aliasing address.
Arguments
.Ar remoteIP
and
.Ar remotePORT
can be used to specify the connection more accurately if necessary.
The
.Ar targetPORT
range and
.Ar aliasPORT
range need not be the same numerically, but must have the same size.
If
.Ar remotePORT
is not specified, it is assumed to be all ports.
If
.Ar remotePORT
is specified, it must match the size of
.Ar targetPORT ,
or be 0 (all ports).
For example, the argument
.Pp
.Dl Ar tcp inside1:telnet 6666
.Pp
means that incoming TCP packets destined for port 6666 on this machine
will be sent to the telnet port on the inside1 machine.
.Pp
.Dl Ar tcp inside2:2300-2399 3300-3399
.Pp
will redirect incoming connections on ports 3300-3399 to host
inside2, ports 2300-2399.
The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
.It Fl redirect_proto Ar proto localIP Oo
.Ar publicIP Op Ar remoteIP
.Oc
Redirect incoming IP packets of protocol
.Ar proto
(see
.Xr protocols 5 )
destined for
.Ar publicIP
address to a
.Ar localIP
address and vice versa.
.Pp
If
.Ar publicIP
is not specified, then the default aliasing address is used.
If
.Ar remoteIP
is specified, then only packets coming from/to
.Ar remoteIP
will match the rule.
.It Fl redirect_address Ar localIP publicIP
Redirect traffic for public IP address to a machine on the local
network.
This function is known as
.Em static NAT .
Normally static NAT is useful if your ISP has allocated a small block
of IP addresses to you, but it can even be used in the case of a single
address:
.Pp
.Dl Ar redirect_address 10.0.0.8 0.0.0.0
.Pp
The above command would redirect all incoming traffic
to machine 10.0.0.8.
.Pp
If several address aliases specify the same public address
as follows
.Bd -literal -offset indent
.Ar redirect_address 192.168.0.2 public_addr
.Ar redirect_address 192.168.0.3 public_addr
.Ar redirect_address 192.168.0.4 public_addr
.Ed
.Pp
the incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic from the first two addresses will still be aliased
to appear from the specified
.Ar public_addr .
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar ...\&
.Oc Oc
.Xc
.Xc
.Op Ar aliasIP Ns : Ns Xo
.Ar aliasPORT
.Xc
.Oo Ar remoteIP Ns
.Op : Ns Ar remotePORT
.Oc
.Xc
.It Fl redirect_address Xo
.Ar localIP Ns Oo , Ns
.Ar localIP Ns Oo , Ns
.Ar ...\&
.Oc Oc
.Ar publicIP
.Xc
These forms of
.Fl redirect_port
and
.Fl redirect_address
are used to transparently offload network load on a single server and
distribute the load across a pool of servers.
This function is known as
.Em LSNAT
(RFC 2391).
For example, the argument
.Pp
.Dl Ar tcp www1:http,www2:http,www3:http www:http
.Pp
means that incoming HTTP requests for host www will be transparently
redirected to one of www1, www2 or www3, where a host is selected
simply on a round-robin basis, without regard to load on the net.
.It Fl dynamic
If the
.Fl n
or
.Fl interface
option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
passed.
If the interface's IP number is changed,
.Nm
will dynamically alter its concept of the alias address.
.It Fl in_port | i Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq incoming .
.It Fl out_port | o Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq outgoing .
.It Fl port | p Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
distinguishing packets as
.Dq incoming
or
.Dq outgoing
using the rules specified in
.Xr divert 4 .
If
.Ar port
is not numeric, it is searched for in the
.Xr services 5
database.
If this option is not specified, the divert port named
.Ar natd
will be used as a default.
.It Fl alias_address | a Ar address
Use
.Ar address
as the aliasing address.
If this option is not specified, the
.Fl interface
option must be used.
The specified address is usually the address assigned to the
.Dq public
network interface.
.Pp
All data passing
.Em out
will be rewritten with a source address equal to
.Ar address .
All data coming
.Em in
will be checked to see if it matches any already-aliased outgoing
connection.
If it does, the packet is altered accordingly.
If not, all
.Fl redirect_port ,
.Fl redirect_proto
and
.Fl redirect_address
assignments are checked and actioned.
If no other action can be made and if
.Fl deny_incoming
is not specified, the packet is delivered to the local machine
using the rules specified in the
.Fl target_address
option below.
.It Fl t | target_address Ar address
Set the target address.
When an incoming packet not associated with any pre-existing link
arrives at the host machine, it will be sent to the specified
.Ar address .
.Pp
The target address may be set to
.Ar 255.255.255.255 ,
in which case all new incoming packets go to the alias address set by
.Fl alias_address
or
.Fl interface .
.Pp
If this option is not used, or called with the argument
.Ar 0.0.0.0 ,
then all new incoming packets go to the address specified in
the packet.
This allows external machines to talk directly to internal machines if
they can route packets to the machine in question.
.It Fl interface | n Ar interface
Use
.Ar interface
to determine the aliasing address.
If there is a possibility that the IP number associated with
.Ar interface
may change, the
.Fl dynamic
option should also be used.
If this option is not specified, the
.Fl alias_address
option must be used.
.Pp
The specified
.Ar interface
is usually the
.Dq public
(or
.Dq external )
network interface.
.It Fl config | f Ar file
Read configuration from
.Ar file .
A
.Ar file
should contain a list of options, one per line, in the same form
as the long form of the above command line options.
For example, the line
.Pp
.Dl alias_address 158.152.17.1
.Pp
would specify an alias address of 158.152.17.1.
Options that do not take an argument are specified with an argument of
.Ar yes
or
.Ar no
in the configuration file.
For example, the line
.Pp
.Dl log yes
.Pp
is synonymous with
.Fl log .
.Pp
Trailing spaces and empty lines are ignored.
A
.Ql \&#
sign will mark the rest of the line as a comment.
.It Fl reverse
This option makes
.Nm
reverse the way it handles
.Dq incoming
and
.Dq outgoing
packets, allowing it to operate on the
.Dq internal
network interface rather than the
.Dq external
one.
.Pp
This can be useful in some transparent proxying situations
when outgoing traffic is redirected to the local machine
and
.Nm
is running on the internal interface (it usually runs on the
external interface).
.It Fl proxy_only
Force
.Nm
to perform transparent proxying only.
Normal address translation is not performed.
.It Fl proxy_rule Xo
.Op Ar type encode_ip_hdr | encode_tcp_stream
.Ar port xxxx
.Ar server a.b.c.d:yyyy
.Xc
Enable transparent proxying.
Outgoing TCP packets with the given port going through this
host to any other host are redirected to the given server and port.
Optionally, the original target address can be encoded into the packet.
Use
.Ar encode_ip_hdr
to put this information into the IP option field or
.Ar encode_tcp_stream
to inject the data into the beginning of the TCP stream.
.It Fl punch_fw Xo
.Ar basenumber Ns : Ns Ar count
.Xc
This option directs
.Nm
to
.Dq punch holes
in an
.Xr ipfirewall 4
based firewall for FTP/IRC DCC connections.
This is done dynamically by installing temporary firewall rules which
allow a particular connection (and only that connection) to go through
the firewall.
The rules are removed once the corresponding connection terminates.
.Pp
A maximum of
.Ar count
rules starting from the rule number
.Ar basenumber
will be used for punching firewall holes.
All rules in that range will be cleared on startup.
.It Fl log_ipfw_denied
Log when a packet cannot be re-injected because an
.Xr ipfw 8
rule blocks it.
This is the default with
.Fl verbose .
.El
.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm :
.Bl -enum
.It
Build a custom kernel with the following options:
.Bd -literal -offset indent
options IPFIREWALL
options IPDIVERT
.Ed
.Pp
Refer to the handbook for detailed instructions on building a custom
kernel.
.It
Ensure that your machine is acting as a gateway.
This can be done by specifying the line
.Pp
.Dl gateway_enable=YES
.Pp
in the
.Pa /etc/rc.conf
file or using the command
.Pp
.Dl "sysctl net.inet.ip.forwarding=1"
.Pp
.It
If you use the
.Fl interface
option, make sure that your interface is already configured.
If, for example, you wish to specify
.Ql tun0
as your
.Ar interface ,
and you are using
.Xr ppp 8
on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm .
.El
.Pp
Running
.Nm
is fairly straightforward.
The line
.Pp
.Dl natd -interface ed0
.Pp
should suffice in most cases (substituting the correct interface name).
Please check
.Xr rc.conf 5
on how to configure it to be started automatically during boot.
Once
.Nm
is running, you must ensure that traffic is diverted to
.Nm :
.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste.
If you are not interested in having a firewall, the
following lines will do:
.Bd -literal -offset indent
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
.Ed
.Pp
The second line depends on your interface (change
.Ql ed0
as appropriate).
.Pp
You should be aware of the fact that, with these firewall settings,
everyone on your local network can fake their source address using your
host as gateway.
If there are other hosts on your local network, you are strongly
encouraged to create firewall rules that only allow traffic to and
from trusted hosts.
.Pp
If you specify real firewall rules, it is best to specify line 2 at
the start of the script so that
.Nm
sees all packets before they are dropped by the firewall.
.Pp
After translation by
.Nm ,
packets re-enter the firewall at the rule number following the rule number
that caused the diversion (not the next rule if there are several at the
same number).
.It
Enable your firewall by setting
.Pp
.Dl firewall_enable=YES
.Pp
in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
script.
If you do not wish to reboot now, just run this by hand from the console.
NEVER run this from a remote session unless you put it into the background.
If you do, you will lock yourself out after the flush takes place, and
execution of
.Pa /etc/rc.firewall
will stop at this point - blocking all access permanently.
Running the script in the background should be enough to prevent this
disaster.
.El
.Sh SEE ALSO
.Xr divert 4 ,
.Xr protocols 5 ,
.Xr rc.conf 5 ,
.Xr services 5 ,
.Xr syslog.conf 5 ,
.Xr ipfw 8 ,
.Xr ppp 8
.Sh AUTHORS
This program is the result of the efforts of many people at different
times:
.Pp
.An Archie Cobbs Aq archie@FreeBSD.org
(divert sockets)
.An Charles Mott Aq cmott@scientech.com
(packet aliasing)
.An Eivind Eklund Aq perhaps@yes.no
(IRC support & misc additions)
.An Ari Suutari Aq suutari@iki.fi
(natd)
.An Dru Nelson Aq dnelson@redwoodsoft.com
(early PPTP support)
.An Brian Somers Aq brian@awfulhak.org
(glue)
.An Ruslan Ermilov Aq ru@FreeBSD.org
(natd, packet aliasing, glue)
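As an added example, not part of this manual page or of natd itself, the following Python script parses a configuration file in the format described under the config option, checks each redirect_port linkspec against the range-size rules given for that option, and reports a file that leaves unsolicited inbound packets reaching the address named in the packet (no deny_incoming, target_address unset or 0.0.0.0). Port fields are assumed numeric (no services(5) names), and the host names and sample file are constructed.

```python
# Added example, not natd's own code; port fields are assumed numeric.

def parse_natd_conf(text):
    """(option, argument) pairs; '#' starts a comment, blank lines are skipped."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment and trailing spaces
        if line:
            name, _, arg = line.partition(" ")
            opts.append((name, arg.strip()))
    return opts

def port_range(field):
    # 'host:2300-2399' -> (2300, 2399); '6666' -> (6666, 6666)
    lo, _, hi = field.rsplit(":", 1)[-1].partition("-")
    return int(lo), int(hi or lo)

def check_redirect_port(linkspec):
    """Range-size rules from the option description; None means the spec is valid."""
    f = linkspec.split()
    if len(f) < 3 or f[0] not in ("tcp", "udp"):
        return "expected: proto targetIP:port[-port] [aliasIP:]port[-port]"
    (t_lo, t_hi), (a_lo, a_hi) = port_range(f[1]), port_range(f[2])
    if t_hi - t_lo != a_hi - a_lo:
        return "targetPORT and aliasPORT ranges differ in size"
    if len(f) > 3 and ":" in f[3]:  # remoteIP:remotePORT[-remotePORT]
        r_lo, r_hi = port_range(f[3])
        if r_lo != 0 and r_hi - r_lo != t_hi - t_lo:
            return "remotePORT range must match targetPORT size or be 0"
    return None

def audit(text):
    opts = parse_natd_conf(text)
    conf, findings = dict(opts), []
    if "alias_address" not in conf and "interface" not in conf:
        findings.append("either alias_address or interface is required")
    # Without deny_incoming, unknown inbound packets go to target_address (unset/0.0.0.0: the address in the packet).
    if conf.get("deny_incoming") != "yes" and conf.get("target_address", "0.0.0.0") == "0.0.0.0":
        findings.append("unsolicited inbound packets reach the address in the packet (set deny_incoming yes)")
    for name, arg in opts:
        err = check_redirect_port(arg) if name == "redirect_port" else None
        if err:
            findings.append("redirect_port %s: %s" % (arg, err))
    return findings

SAMPLE_CONF = """\
interface ed0                                   # constructed sample
redirect_port tcp inside2:2300-2399 3300-3399
redirect_port tcp inside1:23 6666-6667          # sizes differ
"""
```

Running `audit(SAMPLE_CONF)` yields two findings: the missing deny_incoming and the mismatched port ranges on the second redirect_port line.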