|Main index||Section 8||日本語||한국인||Options|
The natd utility normally runs in the background as a daemon. It is passed raw IP packets as they travel into and out of the machine, and will possibly change these before re-injecting them back into the IP packet stream.
It changes all packets destined for another host so that their source IP address is that of the current machine. For each packet changed in this manner, an internal table entry is created to record this fact. The source port number is also changed to indicate the table entry applying to the packet. Packets that are received with a target IP of the current host are checked against this internal table. If an entry is found, it is used to determine the correct target IP address and port to place in the packet.
The following command line options are available:
|Log various aliasing statistics and information to the file /var/log/alias.log. This file is truncated each time natd is started.|
Do not pass incoming packets that have no
entry in the internal translation table.
If this option is not used, then such a packet will be altered
using the rules in
Log denied incoming packets via
|Use specified log facility when logging information via syslog(3). Argument facility_name is one of the keywords specified in syslog.conf(5).|
|Allocate a socket(2) in order to establish an FTP data or IRC DCC send connection. This option uses more system resources, but guarantees successful connections when port numbers conflict.|
|Try to keep the same port number when altering outgoing packets. With this option, protocols such as RPC will have a better chance of working. If it is not possible to maintain the port number, it will be silently changed as per normal.|
|Do not call daemon(3) on startup. Instead, stay attached to the controlling terminal and display all packet alterations to the standard output. This option should only be used for debugging purposes.|
|Only alter outgoing packets with an unregistered source address. According to RFC 1918, unregistered source addresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.|
Redirect incoming connections arriving to given port(s) to another host
is the desired target IP address,
is the desired target port number or range,
is the requested port number or range, and
is the aliasing address.
can be used to specify the connection more accurately if necessary.
is not specified, it is assumed to be all ports.
Arguments targetIP , aliasIP and remoteIP can be given as IP addresses or as hostnames. The targetPORT , aliasPORT and remotePORT ranges need not be the same numerically, but must have the same size. When targetPORT , aliasPORT or remotePORT specifies a singular value (not a range), it can be given as a service name that is searched for in the services(5) database.
For example, the argument
tcp inside1:telnet 6666
means that incoming TCP packets destined for port 6666 on this machine will be sent to the telnet port on the inside1 machine.
tcp inside2:2300-2399 3300-3399
will redirect incoming connections on ports 3300-3399 to host inside2, ports 2300-2399. The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
Redirect incoming IP packets of protocol
address to a
address and vice versa.
If publicIP is not specified, then the default aliasing address is used. If remoteIP is specified, then only packets coming from/to remoteIP will match the rule.
Redirect traffic for public IP address to a machine on the local
This function is known as
Normally static NAT is useful if your ISP has allocated a small block
of IP addresses to you, but it can even be used in the case of single
redirect_address 10.0.0.8 0.0.0.0
The above command would redirect all incoming traffic to machine 10.0.0.8.
If several address aliases specify the same public address as follows
redirect_address 192.168.0.2 public_addr redirect_address 192.168.0.3 public_addr redirect_address 192.168.0.4 public_addr
the incoming traffic will be directed to the last translated local address (192.168.0.4), but outgoing traffic from the first two addresses will still be aliased to appear from the specified public_addr.
|targetIP: targetPORT[, targetIP: targetPORT[, ... ] ] [aliasIP: ] aliasPORT [remoteIP [:remotePORT] ]|
These forms of
tcp www1:http,www2:http,www3:http www:http
means that incoming HTTP requests for host www will be transparently redirected to one of the www1, www2 or www3, where a host is selected simply on a round-robin basis, without regard to load on the net.
|Read from and write to divert(4) port port, treating all packets as "incoming".|
|Read from and write to divert(4) port port, treating all packets as "outgoing".|
|Read from and write to divert(4) port port, distinguishing packets as "incoming" or "outgoing" using the rules specified in divert(4). If port is not numeric, it is searched for in the services(5) database. If this option is not specified, the divert port named natd will be used as a default.|
as the aliasing address.
Either this or the
All data passing
will be rewritten with a source address equal to
All data coming
will be checked to see if it matches any already-aliased outgoing
If it does, the packet is altered accordingly.
If not, all
Set the target address.
When an incoming packet not associated with any pre-existing link
arrives at the host machine, it will be sent to the specified
The target address may be set to
in which case all new incoming packets go to the alias address set by
If this option is not used, or called with the argument 0.0.0.0, then all new incoming packets go to the address specified in the packet. This allows external machines to talk directly to internal machines if they can route packets to the machine in question.
to determine the aliasing address.
If there is a possibility that the IP address associated with
may change, the
The specified interface is usually the "public" (or "external") network interface.
Read configuration from
should contain a list of options, one per line, in the same form
as the long form of the above command line options.
For example, the line
would specify an alias address of 184.108.40.206. Options that do not take an argument are specified with an argument of yes or no in the configuration file. For example, the line
is synonymous with
Options can be divided to several sections. Each section applies to own natd instance. This ability allows the configuration of one natd process for several NAT instances. The first instance that always exists is a "default" instance. Each another instance should begin with
At the next should be placed a configuration option. Example:
# default instance
# second instance
Trailing spaces and empty lines are ignored. A ‘#’ sign will mark the rest of the line as a comment.
This option switches command line options processing to configure instance
(creating it if necessary) till the next
|Read from and write to divert(4) port port, treating all packets as "outgoing". This option is intended to be used with multiple instances: packets received on this port are checked against internal translation tables of every configured instance. If an entry is found, packet is aliased according to that entry. If no entry was found in any of the instances, packet is passed unchanged, and no new entry will be created. See the section MULTIPLE INSTANCES for more details.|
This option makes
reverse the way it handles
packets, allowing it to operate on the
network interface rather than the
This can be useful in some transparent proxying situations when outgoing traffic is redirected to the local machine and natd is running on the internal interface (it usually runs on the external interface).
|Force natd to perform transparent proxying only. Normal address translation is not performed.|
|[type encode_ip_hdr | encode_tcp_stream] port xxxx server a.b.c.d:yyyy Enable transparent proxying. Outgoing TCP packets with the given port going through this host to any other host are redirected to the given server and port. Optionally, the original target address can be encoded into the packet. Use encode_ip_hdr to put this information into the IP option field or encode_tcp_stream to inject the data into the beginning of the TCP stream.|
This option directs
based firewall for FTP/IRC DCC connections.
This is done dynamically by installing temporary firewall rules which
allow a particular connection (and only that connection) to go through
The rules are removed once the corresponding connection terminates.
A maximum of count rules starting from the rule number basenumber will be used for punching firewall holes. The range will be cleared for all rules on startup. This option has no effect when the kernel is in security level 3, see init(8) for more information.
|This option allows you to specify the TCP port used for the Skinny Station protocol. Skinny is used by Cisco IP phones to communicate with Cisco Call Managers to set up voice over IP calls. By default, Skinny aliasing is not performed. The typical port value for Skinny is 2000.|
Log when a packet cannot be re-injected because an
rule blocks it.
This is the default with
|Specify an alternate file in which to store the process ID. The default is /var/run/natd.pid.|
|Specify delay in ms before daemon exit after signal. The default is 10000.|
options IPFIREWALL options IPDIVERT
Refer to the handbook for detailed instructions on building a custom kernel.
in the /etc/rc.conf file or using the command
Running natd is fairly straight forward. The line
natd -interface ed0
should suffice in most cases (substituting the correct interface name). Please check rc.conf(5) on how to configure it to be started automatically during boot. Once natd is running, you must ensure that traffic is diverted to natd:
/sbin/ipfw -f flush /sbin/ipfw add divert natd all from any to any via ed0 /sbin/ipfw add pass all from any to any
The second line depends on your interface (change ‘ed0’ as appropriate).
You should be aware of the fact that, with these firewall settings, everyone on your local network can fake his source-address using your host as gateway. If there are other hosts on your local network, you are strongly encouraged to create firewall rules that only allow traffic to and from trusted hosts.
If you specify real firewall rules, it is best to specify line 2 at the start of the script so that natd sees all packets before they are dropped by the firewall.
After translation by natd, packets re-enter the firewall at the rule number following the rule number that caused the diversion (not the next rule if there are several at the same number).
in /etc/rc.conf. This tells the system startup scripts to run the /etc/rc.firewall script. If you do not wish to reboot now, just run this by hand from the console. NEVER run this from a remote session unless you put it into the background. If you do, you will lock yourself out after the flush takes place, and execution of /etc/rc.firewall will stop at this point - blocking all accesses permanently. Running the script in the background should be enough to prevent this disaster.
net 220.127.116.11/24 18.104.22.168 ------------------ sis0 (router) (22.214.171.124) net 10.0.0.0/24 sis1 ------------------- 10.0.0.2 (10.0.0.1) net 126.96.36.199/24 188.8.131.52 ------------------ sis2 (router) (184.108.40.206)
Default route is out via ‘sis0’.
Interior machine (10.0.0.2) is accessible on TCP port 122 through both exterior IPs, and outgoing connections choose a path randomly between ‘sis0’ and ‘sis2’.
The way this works is that natd.conf builds two instances of the aliasing engine.
In addition to these instances' private divert(4) sockets, a third socket called the "globalport" is created; packets sent to natd via this one will be matched against all instances and translated if an existing entry is found, and unchanged if no entry is found. The following lines are placed into /etc/natd.conf:
log deny_incoming verbose
instance default interface sis0 port 1000 redirect_port tcp 10.0.0.2:122 122
instance sis2 interface sis2 port 2000 redirect_port tcp 10.0.0.2:122 122
And the following ipfw(8) rules are used:
ipfw -f flush
ipfw add allow ip from any to any via sis1
ipfw add skipto 1000 ip from any to any in via sis0 ipfw add skipto 2000 ip from any to any out via sis0 ipfw add skipto 3000 ip from any to any in via sis2 ipfw add skipto 4000 ip from any to any out via sis2
ipfw add 1000 count ip from any to any
ipfw add divert 1000 ip from any to any ipfw add allow ip from any to any
ipfw add 2000 count ip from any to any
ipfw add divert 3000 ip from any to any
ipfw add allow ip from 220.127.116.11 to any ipfw add skipto 5000 ip from 18.104.22.168 to any
ipfw add prob .5 skipto 4000 ip from any to any
ipfw add divert 1000 ip from any to any ipfw add allow ip from any to any
ipfw add 3000 count ip from any to any
ipfw add divert 2000 ip from any to any ipfw add allow ip from any to any
ipfw add 4000 count ip from any to any
ipfw add divert 2000 ip from any to any
ipfw add 5000 fwd 22.214.171.124 ip from 126.96.36.199 to not 188.8.131.52/24 ipfw add allow ip from any to any
Here the packet from internal network to Internet goes out via ‘sis0’ (rule number 2000) and gets caught by the globalport socket (3000). After that, either a match is found in a translation table of one of the two instances, or the packet is passed to one of the two other divert(4) ports (1000 or 2000), with equal probability. This ensures that load balancing is done on a per-flow basis (i.e., packets from a single TCP connection always flow through the same interface). Translated packets with source IP of a non-default interface (‘sis2’) are forwarded to the appropriate router on that interface.
Archie Cobbs <Mt archie@FreeBSD.org> (divert sockets) Charles Mott <Mt firstname.lastname@example.org> (packet aliasing) Eivind Eklund <Mt email@example.com> (IRC support & misc additions) Ari Suutari <Mt firstname.lastname@example.org> (natd) Dru Nelson <Mt email@example.com> (early PPTP support) Brian Somers <Mt firstname.lastname@example.org> (glue) Ruslan Ermilov <Mt ru@FreeBSD.org> (natd, packet aliasing, glue) Poul-Henning Kamp <Mt phk@FreeBSD.org> (multiple instances)
|NATD (8)||October 5, 2016|
|Main index||Section 8||日本語||한국인||Options|
|“||To err is human...to really foul up requires the root password.||”|