Diffstat (limited to 'sbin')
-rw-r--r--  sbin/natd/natd.8  368
1 files changed, 168 insertions, 200 deletions
diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8
index eafa573..12cb27f 100644
--- a/sbin/natd/natd.8
+++ b/sbin/natd/natd.8
@@ -47,117 +47,97 @@ Network Address Translation Daemon
This program provides a Network Address Translation facility for use
with
.Xr divert 4
-sockets under FreeBSD.
-It is intended for use with NICs -
-if you want to do NAT on a PPP link,
-use the -nat switch to
+sockets under FreeBSD. It is intended for use with NICs - if you want
+to do NAT on a PPP link, use the -nat switch to
.Xr ppp 8 .
.Pp
.Nm Natd
-normally runs in the background as a daemon.
-It is passed raw IP packets as they travel into and out of the machine,
-and will possibly change these before re-injecting them back
-into the IP packet stream.
+normally runs in the background as a daemon. It is passed raw IP packets
+as they travel into and out of the machine, and will possibly change these
+before re-injecting them back into the IP packet stream.
.Pp
.Nm Natd
-changes all packets destined for another host
-so that their source IP number is that of the current machine.
-For each packet changed in this manner,
-an internal table entry is created to record this fact.
-The source port number is also changed
-to indicate the table entry applying to the packet.
-Packets that are received with a target IP of the current host
-are checked against this internal table.
-If an entry is found,
-it is used to determine the correct target IP number and port
-to place in the packet.
+changes all packets destined for another host so that their source
+IP number is that of the current machine. For each packet changed
+in this manner, an internal table entry is created to record this
+fact. The source port number is also changed to indicate the
+table entry applying to the packet. Packets that are received with
+a target IP of the current host are checked against this internal
+table. If an entry is found, it is used to determine the correct
+target IP number and port to place in the packet.
+
.Pp
The following command line options are available.
.Bl -tag -width Fl
+
.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time natd is started.
+
.It Fl deny_incoming | d
-Reject packets destined for the current IP number
-that have no entry in the internal translation table.
+Reject packets destined for the current IP number that have no entry
+in the internal translation table.
+
.It Fl log_denied
Log denied incoming packets via syslog (see also log_facility)
+
.It Fl log_facility Ar facility_name
Use specified log facility when logging information via syslog.
Facility names are as in
.Xr syslog.conf 5
+
.It Fl use_sockets | s
Allocate a
.Xr socket 2
-in order to establish an FTP data or IRC DCC send connection.
-This option uses more system resources,
-but guarantees successful connections when port numbers conflict.
+in order to establish an FTP data or IRC DCC send connection. This
+option uses more system resources, but guarantees successful connections
+when port numbers conflict.
+
.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
-With this option,
-protocols such as RPC will have a better chance of working.
-If it is not possible to maintain the port number,
-it will be silently changed as per normal.
+With this option, protocols such as RPC will have a better chance
+of working. If it is not possible to maintain the port number, it
+will be silently changed as per normal.
+
.It Fl verbose | v
Don't call
.Xr fork 2
or
.Xr daemon 3
-on startup.
-Instead, stay attached to the controling terminal and
-display all packet alterations to the standard output.
-This option should only be used for debugging purposes.
+on startup. Instead, stay attached to the controling terminal and
+display all packet alterations to the standard output. This option
+should only be used for debugging purposes.
+
.It Fl unregistered_only | u
Only alter outgoing packets with an unregistered source address.
-According to rfc 1918,
-unregistered source addresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
+According to rfc 1918, unregistered source addresses are 10.0.0.0/8,
+172.16.0.0/12 and 192.168.0.0/16.
+
.It Fl redirect_port Ar proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]]
Redirect incoming connections arriving to given port(s) to another host
and port(s).
-.Ar Proto
-is either tcp or udp,
-.Ar targetIP
-is the desired target IP number,
-.Ar targetPORT
-is the desired target PORT number or range,
-.Ar aliasPORT
-is the requested PORT number or range,
-and
-.Ar aliasIP
-is the aliasing address.
-.Ar RemoteIP
-and
-.Ar remotePORT
-can be used to specify the connection more accurately if necessary.
-The
-.Ar targetPORT
-range and
-.Ar aliasPORT
-range need not be the same numerically,
+Proto is either tcp or udp, targetIP is the desired target IP
+number, targetPORT is the desired target PORT number or range, aliasPORT
+is the requested PORT number or range, and aliasIP is the aliasing address.
+RemoteIP and remotePORT can be used to specify the connection
+more accurately if necessary.
+The targetPORT range and aliasPORT range need not be the same numerically,
but must have the same size.
-If
-.Ar remotePORT
-is not specified,
-it is assumed to be all ports.
-If
-.Ar remotePORT
-is specified,
-it must match the size of targetPORT,
-or be 0
+If remotePORT is not specified, it is assumed to be all ports.
+If remotePORT is specified, it must match the size of targetPORT, or be 0
(all ports).
-For example,
-the argument
-.Pp
+For example, the argument
+
.Dl Ar tcp inside1:telnet 6666
-.Pp
+
means that incoming tcp packets destined for port 6666 on this machine will
be sent to the telnet port on the inside1 machine.
-.Pp
+
.Dl Ar tcp inside2:2300-2399 3300-3399
-.Pp
+
will redirect incoming connections on ports 3300-3399 to host
inside2, ports 2300-2399.
The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
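Review bot: the `+` lines that replace the `.Ar Proto` … `.Ar remotePORT` block under `.It Fl redirect_port` drop the `.Ar` macros and spell the argument names as plain text, so the rendered page no longer distinguishes `targetIP`, `aliasPORT` and friends from ordinary prose; keep the `.Ar` markup (e.g. `.Ar targetIP` / `is the desired target IP number,`). The same hunk also joins sentences onto shared lines, which departs from the one-sentence-per-line convention the rest of the mdoc tree follows and makes future diffs noisier, and it inserts bare blank lines after `.Bl -tag -width Fl` and between the `.It` entries in place of `.Pp`; blank lines in non-literal context are flagged by mandoc's lint and are not the mdoc way to separate paragraphs. While the `-verbose` text is being touched, `controling` should read `controlling`, and `rfc 1918` should be `RFC 1918`.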
@@ -175,34 +155,34 @@ address and vice versa.
.Pp
If
.Ar publicIP
-is not specified,
-then the default aliasing address is used.
+is not specified, then the default aliasing address is used.
If
.Ar remoteIP
-is specified,
-then only packets coming from/to
+is specified, then only packets coming from/to
.Ar remoteIP
will match the rule.
.It Fl redirect_address Ar localIP publicIP
-Redirect traffic for public IP address to a machine on the local network.
-This function is known as "static NAT".
-Normally static NAT is useful
-if your ISP has allocated a small block of IP addresses to you,
+Redirect traffic for public IP address to a machine on the local
+network.
+This function is known as "static NAT". Normally static NAT
+is useful if your ISP has allocated a small block of IP addresses to you,
but it can even be used in the case of single address:
-.Pp
-.Dl Ar redirect_address 10.0.0.8 0.0.0.0
-.Pp
-The above command would redirect all incoming traffic to machine 10.0.0.8.
-.Pp
-If several address aliases specify the same public address as follows
-.Pp
-.Dl Ar redirect_address 192.168.0.2 public_addr
-.Dl Ar redirect_address 192.168.0.3 public_addr
-.Dl Ar redirect_address 192.168.0.4 public_addr
-.Pp
+
+ redirect_address 10.0.0.8 0.0.0.0
+
+The above command would redirect all incoming traffic
+to machine 10.0.0.8.
+
+If several address aliases specify the same public address
+as follows
+
+ redirect_address 192.168.0.2 public_addr
+ redirect_address 192.168.0.3 public_addr
+ redirect_address 192.168.0.4 public_addr
+
the incoming traffic will be directed to the last
-translated local address (192.168.0.4),
-but outgoing traffic to the first two addresses will still be aliased
+translated local address (192.168.0.4), but outgoing
+traffic to the first two addresses will still be aliased
to specified public address.
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
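Review bot: replacing `.Dl Ar redirect_address 10.0.0.8 0.0.0.0` and the three `public_addr` examples with lines that begin with a literal space (` redirect_address 192.168.0.2 public_addr`) is a regression: in roff a leading space only forces a line break and preserves that one space, it does not produce an indented literal display, and the `.Pp` macros around the block are lost too. Keep the `.Dl` lines (or wrap the three-line example in `.Bd -literal` / `.Ed`). On the unchanged context, `in the case of single address` should read `in the case of a single address` and `aliased to specified public address` should read `aliased to the specified public address`.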
@@ -236,15 +216,13 @@ distribute the load across a pool of servers.
This function is known as
.Em LSNAT
(RFC 2391).
-For example,
-the argument
+For example, the argument
.Pp
.Dl Ar tcp www1:http,www2:http,www3:http www:http
.Pp
means that incoming HTTP requests for host www will be transparently
-redirected to one of the www1, www2 or www3,
-where a host is selected simply on a round-robin basis,
-without regard to load on the net.
+redirected to one of the www1, www2 or www3, where a host is selected
+simply on a round-robin basis, without regard to load on the net.
.It Fl dynamic
If the
.Fl n
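Review bot: this hunk only reflows the `For example, the argument` and `redirected to one of the www1 …` sentences onto shared lines, which gains nothing over the one-sentence-per-line original and is inconsistent with the `.Pp` still kept around the `.Dl` example. If the wording is being revisited, `redirected to one of the www1, www2 or www3` should read `redirected to one of www1, www2 or www3`.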
@@ -254,18 +232,20 @@ option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
-passed.
-If the interfaces IP number is changed,
+passed. If the interfaces IP number is changed,
.Nm
will dynamically alter its concept of the alias address.
+
.It Fl i | inport Ar inport
Read from and write to
.Ar inport ,
treating all packets as packets coming into the machine.
+
.It Fl o | outport Ar outport
Read from and write to
.Ar outport ,
treating all packets as packets going out of the machine.
+
.It Fl p | port Ar port
Read from and write to
.Ar port ,
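Review bot: the rewritten `passed. If the interfaces IP number is changed,` line keeps the missing possessive; it should read `If the interface's IP address is changed,`. The blank lines added between `.It Fl dynamic`, `.It Fl i | inport` and `.It Fl o | outport` sit inside the open `.Bl -tag` list, where they are flagged by mandoc lint and add vertical space in the rendered page that `.It` already provides; drop them.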
@@ -277,54 +257,45 @@ is not numeric, it is searched for in the
.Pa /etc/services
database using the
.Xr getservbyname 3
-function.
-If this flag is not specified,
-the divert port named natd will be used as a default.
-An example entry in the
+function. If this flag is not specified, the divert port named natd will
+be used as a default. An example entry in the
.Pa /etc/services
database would be:
-.Pp
-natd 8668/divert # Network Address Translation socket
-.Pp
+
+ natd 8668/divert # Network Address Translation socket
+
Refer to
.Xr services 5
for further details.
+
.It Fl a | alias_address Ar address
Use
.Ar address
-as the alias address.
-If this option is not specified, the
+as the alias address. If this option is not specified, the
.Fl n
or
.Fl interface
-option must be used.
-The specified address should be the address assigned
+option must be used. The specified address should be the address assigned
to the public network interface.
.Pp
All data passing out through this addresses interface will be rewritten
with a source address equal to
.Ar address .
All data arriving at the interface from outside will be checked to
-see if it matches any already-aliased outgoing connection.
-If it does,
-the packet is altered accordingly.
-If not,
-all
+see if it matches any already-aliased outgoing connection. If it does,
+the packet is altered accordingly. If not, all
.Fl redirect_port
and
.Fl redirect_address
-assignments are checked and actioned.
-If no other action can be made,
+assignments are checked and actioned. If no other action can be made,
and if
.Fl deny_incoming
-is not specified,
-the packet is delivered to the local machine and port
+is not specified, the packet is delivered to the local machine and port
as specified in the packet.
.It Fl t | target_address Ar address
Set the target address.
When an incoming packet not associated with any pre-existing link
-arrives at the host machine,
-it will be sent to the specified
+arrives at the host machine, it will be sent to the specified
.Ar address .
.Pp
The target address may be set to
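Review bot: the `natd 8668/divert # Network Address Translation socket` example is moved from a plain text line between `.Pp` macros to a line beginning with a literal space, which in roff is a forced break rather than an indented display; use `.Dl natd 8668/divert # Network Address Translation socket` (or `.Bd -literal`). On the unchanged context in the same hunk, `All data passing out through this addresses interface` should read `this address's interface`, and `checked and actioned` would read better as `checked and applied`.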
@@ -334,22 +305,21 @@ in which case all new incoming packets go to the alias address set by
or
.Fl interface .
.Pp
-If this option is not used,
-or called with the argument
+If this option is not used, or called with the argument
.Dq 0.0.0.0 ,
-then all new incoming packets go to the address specified in the packet.
+then all new incoming packets go to the address specified in
+the packet.
This allows external machines to talk directly to internal machines if
they can route packets to the machine in question.
.It Fl n | interface Ar interface
Use
.Ar interface
-to determine the alias address.
-If there is a possibility that the IP number associated with
+to determine the alias address. If there is a possibility that the
+IP number associated with
.Ar interface
may change, the
.Fl dynamic
-flag should also be used.
-If this option is not specified, the
+flag should also be used. If this option is not specified, the
.Fl a
or
.Fl alias_address
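Review bot: the reflow in this hunk introduces a break in the middle of a phrase (`go to the address specified in` / `the packet.`) where the original kept the whole sentence on one line; since the hunk makes no wording change, it is better dropped so the one-sentence-per-line layout and the resulting clean history are preserved.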
@@ -362,22 +332,20 @@ must be the public network interface.
Read configuration from
.Ar configfile .
.Ar Configfile
-contains a list of options,
-one per line in the same form as the long form of the above command line flags.
-For example, the line
-.Pp
-alias_address 158.152.17.1
-.Pp
-would specify an alias address of 158.152.17.1.
-Options that don't take an argument are specified with an option of
+contains a list of options, one per line in the same form as the
+long form of the above command line flags. For example, the line
+
+ alias_address 158.152.17.1
+
+would specify an alias address of 158.152.17.1. Options that don't
+take an argument are specified with an option of
.Ar yes
or
.Ar no
-in the configuration file.
-For example, the line
-.Pp
-log yes
-.Pp
+in the configuration file. For example, the line
+
+ log yes
+
is synonomous with
.Fl log .
.Pp
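Review bot: `synonomous` on the unchanged line before `.Fl log .` should be corrected to `synonymous` while this paragraph is being edited. The `alias_address 158.152.17.1` and `log yes` configuration examples are changed from plain lines between `.Pp` macros to space-prefixed lines; a leading space is not a literal display in roff, so these should become `.Dl alias_address 158.152.17.1` and `.Dl log yes`.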
@@ -385,21 +353,23 @@ Trailing spaces and empty lines are ignored.
A
.Ql \&#
sign will mark the rest of the line as a comment.
+
.It Fl reverse
Reverse operation of natd.
-This can be useful in some transparent proxying situations,
-when outgoing traffic is redirected to the local machine
-and natd is running on the incoming interface
-(it usually runs on the outgoing interface).
+This can be useful in some
+transparent proxying situations when outgoing traffic
+is redirected to the local machine and natd is running on the
+incoming interface (it usually runs on the outgoing interface).
.It Fl proxy_only
Force natd to perform transparent proxying
only.
Normal address translation is not performed.
+
.It Fl proxy_rule Ar [type encode_ip_hdr|encode_tcp_stream] port xxxx server a.b.c.d:yyyy
Enable transparent proxying.
-Packets with the given port going through this host to any other host
-are redirected to the given server and port.
+Packets with the given port going through this
+host to any other host are redirected to the given server and port.
Optionally, the original target address can be encoded into the packet.
Use
.Dq encode_ip_hdr
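Review bot: the blank-line spacing added in this hunk is inconsistent: a blank line precedes `.It Fl reverse` and `.It Fl proxy_rule`, but not `.It Fl proxy_only`. Since `.It` already separates entries in a `.Bl -tag` list, the simplest fix is to add none of them. The reflow of the `-reverse` and `-proxy_rule` descriptions again splits sentences across lines for no wording gain.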
@@ -407,134 +377,132 @@ to put this information into the IP option field or
.Dq encode_tcp_stream
to inject the data into the beginning of the TCP stream.
.El
+
.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm natd :
+
.Bl -enum
.It
Get FreeBSD version 2.2 or higher. Versions before this do not support
.Xr divert 4
sockets.
+
.It
Build a custom kernel with the following options:
-.Pp
-options IPFIREWALL
-options IPDIVERT
-.Pp
+
+ options IPFIREWALL
+ options IPDIVERT
+
Refer to the handbook for detailed instructions on building a custom
kernel.
+
.It
-Ensure that your machine is acting as a gateway.
-This can be done by specifying the line
-.Pp
-gateway_enable=YES
-.Pp
+Ensure that your machine is acting as a gateway. This can be done by
+specifying the line
+
+ gateway_enable=YES
+
in
.Pa /etc/rc.conf ,
or using the command
-.Pp
-.Nm sysctl Fl w Ar net.inet.ip.forwarding=1
+
+ sysctl -w net.inet.ip.forwarding=1
+
.It
If you wish to use the
.Fl n
or
.Fl interface
-flags,
-make sure that your interface is already configured.
-If, for example, you wish to specify tun0 as your
+flags, make sure that your interface is already configured. If, for
+example, you wish to specify tun0 as your
.Ar interface ,
and you're using
.Xr ppp 8
-on that interface,
-you must make sure that you start
+on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm natd .
+
.It
Create an entry in
.Pa /etc/services :
-.Pp
-natd 8668/divert # Network Address Translation socket
-.Pp
+
+ natd 8668/divert # Network Address Translation socket
+
This gives a default for the
.Fl p
or
.Fl port
flag.
+
.El
.Pp
Running
.Nm
is fairly straight forward. The line
-.Pp
-.Nm natd Fl interface Ar ed0
-.Pp
-should suffice in most cases
-(substituting the correct interface name).
-Once
+
+ natd -interface ed0
+
+should suffice in most cases (substituting the correct interface name). Once
.Nm
-is running,
-you must ensure that traffic is diverted to natd:
+is running, you must ensure that traffic is diverted to natd:
+
.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste. If you're not interested in having a firewall, the
following lines will do:
-.Pp
-/sbin/ipfw -f flush
-/sbin/ipfw add divert natd all from any to any via ed0
-/sbin/ipfw add pass all from any to any
-.Pp
+
+ /sbin/ipfw -f flush
+ /sbin/ipfw add divert natd all from any to any via ed0
+ /sbin/ipfw add pass all from any to any
+
The second line depends on your interface (change ed0 as appropriate)
and assumes that you've updated
.Pa /etc/services
-with the natd entry as above.
-.Pp
-You should be aware of the fact,
-that with these firewall settings everyone on your local network
-can fake his source-address using your box as gateway.
-If there are other machines on your local network,
-it is highly recommended to create firewall-rules that only allow traffic
-from and to your own machines.
-.Pp
-If you specify real firewall rules,
-it's best to specify line 2 at the start of the script so that
+with the natd entry as above. If you specify real firewall rules, it's
+best to specify line 2 at the start of the script so that
.Nm
sees all packets before they are dropped by the firewall.
.Pp
After translation by
.Nm natd ,
packets re-enter the firewall at the rule number following the rule number
-that caused the diversion
-(not the next rule if there are several at the same number).
+that caused the diversion (not the next rule if there are several at the
+same number).
+
.It
Enable your firewall by setting
-.Pp
-firewall_enable=YES
-.Pp
+
+ firewall_enable=YES
+
in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
-script.
-If you don't wish to reboot now, just run this by hand from the console.
-NEVER run this from a virtual session unless you put it into the background.
-If you do, you'll lock yourself out after the flush takes place,
-and execution of
+script. If you don't wish to reboot now, just run this by hand from the
+console. NEVER run this from a virtual session unless you put it into
+the background. If you do, you'll lock yourself out after the flush
+takes place, and execution of
.Pa /etc/rc.firewall
-will stop at this point - blocking all accesses permanently.
-Running the script in the background should be enough to prevent this disaster.
+will stop at this point - blocking all accesses permanently. Running
+the script in the background should be enough to prevent this disaster.
+
.El
+
.Sh SEE ALSO
.Xr socket 2 ,
.Xr getservbyname 3 ,
.Xr divert 4 ,
.Xr services 5 ,
.Xr ipfw 8
+
.Sh AUTHORS
This program is the result of the efforts of many people at different
times:
+
.An Archie Cobbs Aq archie@whistle.com
(divert sockets)
.An Charles Mott Aq cmott@scientech.com
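Review bot: the removed paragraph beginning `You should be aware of the fact, that with these firewall settings everyone on your local network can fake his source-address using your box as gateway` is the only warning in the page about the consequences of the `/sbin/ipfw add pass all from any to any` rule set shown just above it, and the hunk deletes it without replacement; it should be restored (lightly reworded, e.g. `Be aware that with these firewall settings anyone on your local network can forge source addresses using this host as a gateway; if other machines share the network, add rules that only pass traffic from and to your own addresses.`) and kept next to the example it qualifies. The same hunk also degrades markup: `.Nm sysctl Fl w Ar net.inet.ip.forwarding=1` becomes plain `sysctl -w net.inet.ip.forwarding=1`, and the kernel `options`, `gateway_enable=YES`, `firewall_enable=YES`, `natd 8668/divert`, `natd -interface ed0` and the three `/sbin/ipfw` lines are all turned into space-prefixed text lines instead of `.Dl` or `.Bd -literal` displays, so they will not render as indented examples. The blank lines inside the two `.Bl -enum` lists should go for the same reason as in the earlier hunks.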