IPnom Home • Manuals • FreeBSD

 FreeBSD Man Pages

Man Sections:Commands (1)System Calls (2)Library Functions (3)Device Drivers (4)File Formats (5)Miscellaneous (7)System Utilities (8)
Keyword Live Search (10 results max):
 Type in part of a command in the search box.
 
Index:
  IPXrouted(8)
  MAKEDEV(8)
  ac(8)
  accton(8)
  acpiconf(8)
  acpidb(8)
  acpidump(8)
  adding_user(8)
  adduser(8)
  adjkerntz(8)
  amd(8)
  amq(8)
  ancontrol(8)
  apm(8)
  apmconf(8)
  apmd(8)
  arlcontrol(8)
  arp(8)
  asf(8)
  atacontrol(8)
  atm(8)
  atmarpd(8)
  atmconfig(8)
  atrun(8)
  authpf(8)
  badsect(8)
  bcmfw(8)
  boot(8)
  boot0cfg(8)
  boot_i386(8)
  bootparamd(8)
  bootpd(8)
  bootpef(8)
  bootpgw(8)
  bootptest(8)
  bsdlabel(8)
  bt3cfw(8)
  btxld(8)
  burncd(8)
  camcontrol(8)
  catman.local(8)
  ccdconfig(8)
  chat(8)
  chkgrp(8)
  chkprintcap(8)
  chown(8)
  chroot(8)
  clri(8)
  comcontrol(8)
  comsat(8)
  config(8)
  conscontrol(8)
  crash(8)
  cron(8)
  cvsbug(8)
  daemon(8)
  dconschat(8)
  devd(8)
  devfs(8)
  devinfo(8)
  dhclient-script(8)
  dhclient(8)
  digictl(8)
  diskinfo(8)
  disklabel(8)
  diskless(8)
  dmesg(8)
  dnssec-keygen(8)
  dnssec-signzone(8)
  dump(8)
  dumpfs(8)
  dumpon(8)
  editmap(8)
  edquota(8)
  extattrctl(8)
  faithd(8)
  fastboot(8)
  fasthalt(8)
  fdcontrol(8)
  fdisk(8)
  ffsinfo(8)
  fingerd(8)
  fixmount(8)
  flowctl(8)
  fore_dnld(8)
  fsck(8)
  fsck_4.2bsd(8)
  fsck_ffs(8)
  fsck_msdosfs(8)
  fsck_ufs(8)
  fsdb(8)
  fsinfo(8)
  fsirand(8)
  ftp-proxy(8)
  ftpd(8)
  fwcontrol(8)
  gbde(8)
  gconcat(8)
  geom(8)
  getextattr(8)
  getfmac(8)
  getpmac(8)
  getty(8)
  ggatec(8)
  ggated(8)
  ggatel(8)
  glabel(8)
  gmirror(8)
  gnop(8)
  gpt(8)
  graid3(8)
  growfs(8)
  gshsec(8)
  gstat(8)
  gstripe(8)
  halt(8)
  hccontrol(8)
  hcsecd(8)
  hcseriald(8)
  hlfsd(8)
  hprop(8)
  hpropd(8)
  iasl(8)
  ifconfig(8)
  ifmcstat(8)
  ilmid(8)
  inetd(8)
  init(8)
  intro(8)
  iostat(8)
  ip6addrctl(8)
  ip6fw(8)
  ipf(8)
  ipfs(8)
  ipfstat(8)
  ipfw(8)
  ipmon(8)
  isdnd(8)
  isdndebug(8)
  isdndecode(8)
  isdnmonitor(8)
  isdnphone(8)
  isdntel(8)
  isdntelctl(8)
  isdntrace(8)
  ispcvt(8)
  jail(8)
  jexec(8)
  jls(8)
  kadmin(8)
  kadmind(8)
  kdc(8)
  kerberos(8)
  keyserv(8)
  kgmon(8)
  kgzip(8)
  kldconfig(8)
  kldload(8)
  kldstat(8)
  kldunload(8)
  kldxref(8)
  kpasswdd(8)
  kstash(8)
  ktrdump(8)
  ktutil(8)
  l2control(8)
  l2ping(8)
  lastlogin(8)
  ldconfig(8)
  loader.4th(8)
  loader(8)
  locate.updatedb(8)
  lockd(8)
  lpc(8)
  lpd(8)
  lptcontrol(8)
  lsextattr(8)
  lwresd(8)
  mail.local(8)
  mailstats(8)
  mailwrapper(8)
  makekey(8)
  makemap(8)
  makewhatis.local(8)
  manctl(8)
  map-mbone(8)
  mdconfig(8)
  mdmfs(8)
  memcontrol(8)
  mergemaster(8)
  mixer(8)
  mk-amd-map(8)
  mknetid(8)
  mknod(8)
  mksnap_ffs(8)
  mkuzip(8)
  mld6query(8)
  mlxcontrol(8)
  mount(8)
  mount_cd9660(8)
  mount_devfs(8)
  mount_ext2fs(8)
  mount_fdescfs(8)
  mount_linprocfs(8)
  mount_mfs(8)
  mount_msdosfs(8)
  mount_nfs(8)
  mount_nfs4(8)
  mount_ntfs(8)
  mount_nullfs(8)
  mount_nwfs(8)
  mount_portalfs(8)
  mount_procfs(8)
  mount_smbfs(8)
  mount_std(8)
  mount_udf(8)
  mount_umapfs(8)
  mount_unionfs(8)
  mountd(8)
  moused(8)
  mrinfo(8)
  mrouted(8)
  mtest(8)
  mtrace(8)
  mtree(8)
  named-checkconf(8)
  named-checkzone(8)
  named(8)
  named.reconfig(8)
  named.reload(8)
  natd(8)
  ndiscvt(8)
  ndp(8)
  newfs(8)
  newfs_msdos(8)
  newkey(8)
  newsyslog(8)
  nextboot(8)
  nfsd(8)
  nfsiod(8)
  ngctl(8)
  nghook(8)
  nis(8)
  nologin(8)
  nos-tun(8)
  nsupdate(8)
  ntpd(8)
  ntpdate(8)
  ntpdc(8)
  ntpq(8)
  ntptime(8)
  ntptrace(8)
  pac(8)
  pam_chroot(8)
  pam_deny(8)
  pam_echo(8)
  pam_exec(8)
  pam_ftpusers(8)
  pam_group(8)
  pam_guest(8)
  pam_krb5(8)
  pam_ksu(8)
  pam_lastlog(8)
  pam_login_access(8)
  pam_nologin(8)
  pam_opie(8)
  pam_opieaccess(8)
  pam_passwdqc(8)
  pam_permit(8)
  pam_radius(8)
  pam_rhosts(8)
  pam_rootok(8)
  pam_securetty(8)
  pam_self(8)
  pam_ssh(8)
  pam_tacplus(8)
  pam_unix(8)
  pccardc(8)
  pccardd(8)
  pciconf(8)
  periodic(8)
  pfctl(8)
  pflogd(8)
  picobsd(8)
  ping(8)
  ping6(8)
  pnpinfo(8)
  ppp(8)
  pppctl(8)
  pppd(8)
  pppoed(8)
  pppstats(8)
  praliases(8)
  procctl(8)
  pstat(8)
  pw(8)
  pwd_mkdb(8)
  pxeboot(8)
  quot(8)
  quotacheck(8)
  quotaoff(8)
  quotaon(8)
  rarpd(8)
  raycontrol(8)
  rbootd(8)
  rc(8)
  rc.atm(8)
  rc.d(8)
  rc.early(8)
  rc.firewall(8)
  rc.local(8)
  rc.network(8)
  rc.pccard(8)
  rc.sendmail(8)
  rc.serial(8)
  rc.shutdown(8)
  rc.subr(8)
  rcorder(8)
  rdump(8)
  reboot(8)
  renice(8)
  repquota(8)
  rescue(8)
  restore(8)
  revnetgroup(8)
  rexecd(8)
  rfcomm_pppd(8)
  rip6query(8)
  rlogind(8)
  rmail(8)
  rmextattr(8)
  rmt(8)
  rmuser(8)
  rndc-confgen(8)
  rndc(8)
  route(8)
  route6d(8)
  routed(8)
  rpc.lockd(8)
  rpc.rquotad(8)
  rpc.rstatd(8)
  rpc.rusersd(8)
  rpc.rwalld(8)
  rpc.sprayd(8)
  rpc.statd(8)
  rpc.umntall(8)
  rpc.yppasswdd(8)
  rpc.ypxfrd(8)
  rpcbind(8)
  rpcinfo(8)
  rrenumd(8)
  rrestore(8)
  rshd(8)
  rtadvd(8)
  rtquery(8)
  rtsol(8)
  rtsold(8)
  rwhod(8)
  sa(8)
  savecore(8)
  sconfig(8)
  scspd(8)
  sdpcontrol(8)
  sdpd(8)
  securelevel(8)
  sendmail(8)
  setextattr(8)
  setfmac(8)
  setfsmac(8)
  setkey(8)
  setpmac(8)
  sftp-server(8)
  showmount(8)
  shutdown(8)
  sicontrol(8)
  slattach(8)
  slip(8)
  sliplogin(8)
  slstat(8)
  smbmsg(8)
  smrsh(8)
  spkrtest(8)
  spppcontrol(8)
  spray(8)
  ssh-keysign(8)
  sshd(8)
  sticky(8)
  strfile(8)
  sunlabel(8)
  swapctl(8)
  swapinfo(8)
  swapoff(8)
  swapon(8)
  sync(8)
  sysctl(8)
  sysinstall(8)
  syslogd(8)
  talkd(8)
  tcpd(8)
  tcpdchk(8)
  tcpdmatch(8)
  tcpdrop(8)
  telnetd(8)
  tftpd(8)
  timed(8)
  timedc(8)
  traceroute(8)
  traceroute6(8)
  trpt(8)
  tunefs(8)
  tzsetup(8)
  ugidfw(8)
  umount(8)
  unstr(8)
  updatedb(8)
  usbd(8)
  usbdevs(8)
  verify_krb5_conf(8)
  vinum(8)
  vipw(8)
  vmstat(8)
  vnconfig(8)
  watch(8)
  watchdog(8)
  watchdogd(8)
  wicontrol(8)
  wire-test(8)
  wlconfig(8)
  yp(8)
  yp_mkdb(8)
  ypbind(8)
  ypinit(8)
  yppoll(8)
  yppush(8)
  ypserv(8)
  ypset(8)
  ypxfr(8)
  zdump(8)
  zic(8)
  zzz(8)

natd(8)

NAME

     natd -- Network Address Translation daemon


SYNOPSIS

     natd [-unregistered_only | -u] [-log | -l] [-proxy_only] [-reverse]
	  [-deny_incoming | -d] [-use_sockets | -s] [-same_ports | -m]
	  [-verbose | -v] [-dynamic] [-in_port | -i port]
	  [-out_port | -o port] [-port | -p port]
	  [-alias_address | -a address] [-target_address | -t address]
	  [-interface | -n interface] [-proxy_rule proxyspec]
	  [-redirect_port linkspec] [-redirect_proto linkspec]
	  [-redirect_address linkspec] [-config | -f configfile] [-log_denied]
	  [-log_facility facility_name] [-punch_fw firewall_range]
	  [-skinny_port port] [-log_ipfw_denied] [-pid_file | -P pidfile]


DESCRIPTION

     The natd utility provides a Network Address Translation facility for use
     with divert(4) sockets under FreeBSD.

     (If you need NAT on a PPP link, ppp(8) provides the -nat option that
     gives most of the natd functionality, and uses the same libalias(3)
     library.)

     The natd utility normally runs in the background as a daemon.  It is
     passed raw IP packets as they travel into and out of the machine, and
     will possibly change these before re-injecting them back into the IP
     packet stream.

     It changes all packets destined for another host so that their source IP
     address is that of the current machine.  For each packet changed in this
     manner, an internal table entry is created to record this fact.  The
     source port number is also changed to indicate the table entry applying
     to the packet.  Packets that are received with a target IP of the current
     host are checked against this internal table.  If an entry is found, it
     is used to determine the correct target IP address and port to place in
     the packet.

     The following command line options are available:

     -log | -l	 Log various aliasing statistics and information to the file
		 /var/log/alias.log.  This file is truncated each time natd is
		 started.

     -deny_incoming | -d
		 Do not pass incoming packets that have no entry in the inter-
		 nal translation table.

		 If this option is not used, then such a packet will be
		 altered using the rules in -target_address below, and the
		 entry will be made in the internal translation table.

     -log_denied
		 Log denied incoming packets via syslog(3) (see also
		 -log_facility).

     -log_facility facility_name
		 Use specified log facility when logging information via

     -same_ports | -m
		 Try to keep the same port number when altering outgoing pack-
		 ets.  With this option, protocols such as RPC will have a
		 better chance of working.  If it is not possible to maintain
		 the port number, it will be silently changed as per normal.

     -verbose | -v
		 Do not call daemon(3) on startup.  Instead, stay attached to
		 the controlling terminal and display all packet alterations
		 to the standard output.  This option should only be used for
		 debugging purposes.

     -unregistered_only | -u
		 Only alter outgoing packets with an unregistered source
		 address.  According to RFC 1918, unregistered source
		 addresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

     -redirect_port proto targetIP:targetPORT[-targetPORT]
		 [aliasIP:]aliasPORT[-aliasPORT]
		 [remoteIP[:remotePORT[-remotePORT]]]
		 Redirect incoming connections arriving to given port(s) to
		 another host and port(s).  Argument proto is either tcp or
		 udp, targetIP is the desired target IP address, targetPORT is
		 the desired target port number or range, aliasPORT is the
		 requested port number or range, and aliasIP is the aliasing
		 address.  Arguments remoteIP and remotePORT can be used to
		 specify the connection more accurately if necessary.  If
		 remotePORT is not specified, it is assumed to be all ports.

		 Arguments targetIP, aliasIP and remoteIP can be given as IP
		 addresses or as hostnames.  The targetPORT, aliasPORT and
		 remotePORT ranges need not be the same numerically, but must
		 have the same size.  When targetPORT, aliasPORT or remotePORT
		 specifies a singular value (not a range), it can be given as
		 a service name that is searched for in the services(5) data-
		 base.

		 For example, the argument

		       tcp inside1:telnet 6666

		 means that incoming TCP packets destined for port 6666 on
		 this machine will be sent to the telnet port on the inside1
		 machine.

		       tcp inside2:2300-2399 3300-3399

		 will redirect incoming connections on ports 3300-3399 to host
		 inside2, ports 2300-2399.  The mapping is 1:1 meaning port
		 3300 maps to 2300, 3301 maps to 2301, etc.

     -redirect_proto proto localIP [publicIP [remoteIP]]
		 Redirect incoming IP packets of protocol proto (see
		 protocols(5)) destined for publicIP address to a localIP
		 address and vice versa.

		 If publicIP is not specified, then the default aliasing
		 case of single address:

		       redirect_address 10.0.0.8 0.0.0.0

		 The above command would redirect all incoming traffic to
		 machine 10.0.0.8.

		 If several address aliases specify the same public address as
		 follows

		       redirect_address 192.168.0.2 public_addr
		       redirect_address 192.168.0.3 public_addr
		       redirect_address 192.168.0.4 public_addr

		 the incoming traffic will be directed to the last translated
		 local address (192.168.0.4), but outgoing traffic from the
		 first two addresses will still be aliased to appear from the
		 specified public_addr.

     -redirect_port proto targetIP:targetPORT[,targetIP:targetPORT[,...]]
		 [aliasIP:]aliasPORT [remoteIP[:remotePORT]]

     -redirect_address localIP[,localIP[,...]] publicIP
		 These forms of -redirect_port and -redirect_address are used
		 to transparently offload network load on a single server and
		 distribute the load across a pool of servers.	This function
		 is known as LSNAT (RFC 2391).	For example, the argument

		       tcp www1:http,www2:http,www3:http www:http

		 means that incoming HTTP requests for host www will be trans-
		 parently redirected to one of the www1, www2 or www3, where a
		 host is selected simply on a round-robin basis, without
		 regard to load on the net.

     -dynamic	 If the -n or -interface option is used, natd will monitor the
		 routing socket for alterations to the interface passed.  If
		 the interface's IP address is changed, natd will dynamically
		 alter its concept of the alias address.

     -in_port | -i port
		 Read from and write to divert(4) port port, treating all
		 packets as ``incoming''.

     -out_port | -o port
		 Read from and write to divert(4) port port, treating all
		 packets as ``outgoing''.

     -port | -p port
		 Read from and write to divert(4) port port, distinguishing
		 packets as ``incoming'' or ``outgoing'' using the rules spec-
		 ified in divert(4).  If port is not numeric, it is searched
		 for in the services(5) database.  If this option is not spec-
		 ified, the divert port named natd will be used as a default.

     -alias_address | -a address
		 Use address as the aliasing address.  Either this or the
		 -interface option must be used (but not both), if the
		 -redirect_port, -redirect_proto and -redirect_address assign-
		 ments are checked and actioned.  If no other action can be
		 made and if -deny_incoming is not specified, the packet is
		 delivered to the local machine using the rules specified in
		 -target_address option below.

     -t | -target_address address
		 Set the target address.  When an incoming packet not associ-
		 ated with any pre-existing link arrives at the host machine,
		 it will be sent to the specified address.

		 The target address may be set to 255.255.255.255, in which
		 case all new incoming packets go to the alias address set by
		 -alias_address or -interface.

		 If this option is not used, or called with the argument
		 0.0.0.0, then all new incoming packets go to the address
		 specified in the packet.  This allows external machines to
		 talk directly to internal machines if they can route packets
		 to the machine in question.

     -interface | -n interface
		 Use interface to determine the aliasing address.  If there is
		 a possibility that the IP address associated with interface
		 may change, the -dynamic option should also be used.  If this
		 option is not specified, the -alias_address option must be
		 used.

		 The specified interface is usually the ``public'' (or
		 ``external'') network interface.

     -config | -f file
		 Read configuration from file.	A file should contain a list
		 of options, one per line, in the same form as the long form
		 of the above command line options.  For example, the line

		       alias_address 158.152.17.1

		 would specify an alias address of 158.152.17.1.  Options that
		 do not take an argument are specified with an argument of yes
		 or no in the configuration file.  For example, the line

		       log yes

		 is synonymous with -log.

		 Trailing spaces and empty lines are ignored.  A `#' sign will
		 mark the rest of the line as a comment.

     -reverse	 This option makes natd reverse the way it handles
		 ``incoming'' and ``outgoing'' packets, allowing it to operate
		 on the ``internal'' network interface rather than the
		 ``external'' one.

		 This can be useful in some transparent proxying situations
		 when outgoing traffic is redirected to the local machine and
		 natd is running on the internal interface (it usually runs on
		 the external interface).
		 given port going through this host to any other host are
		 redirected to the given server and port.  Optionally, the
		 original target address can be encoded into the packet.  Use
		 encode_ip_hdr to put this information into the IP option
		 field or encode_tcp_stream to inject the data into the begin-
		 ning of the TCP stream.

     -punch_fw basenumber:count
		 This option directs natd to ``punch holes'' in an
		 ipfirewall(4) based firewall for FTP/IRC DCC connections.
		 This is done dynamically by installing temporary firewall
		 rules which allow a particular connection (and only that con-
		 nection) to go through the firewall.  The rules are removed
		 once the corresponding connection terminates.

		 A maximum of count rules starting from the rule number
		 basenumber will be used for punching firewall holes.  The
		 range will be cleared for all rules on startup.

     -skinny_port port
		 This option allows you to specify the TCP port used for the
		 Skinny Station protocol.  Skinny is used by Cisco IP phones
		 to communicate with Cisco Call Managers to set up voice over
		 IP calls.  By default, Skinny aliasing is not performed.  The
		 typical port value for Skinny is 2000.

     -log_ipfw_denied
		 Log when a packet cannot be re-injected because an ipfw(8)
		 rule blocks it.  This is the default with -verbose.

     -pid_file | -P file
		 Specify an alternate file in which to store the process ID.
		 The default is /var/run/natd.pid.


RUNNING NATD

     The following steps are necessary before attempting to run natd:

     1.   Build a custom kernel with the following options:

		options IPFIREWALL
		options IPDIVERT

	  Refer to the handbook for detailed instructions on building a custom
	  kernel.

     2.   Ensure that your machine is acting as a gateway.  This can be done
	  by specifying the line

		gateway_enable=YES

	  in the /etc/rc.conf file or using the command

		sysctl net.inet.ip.forwarding=1

     3.   If you use the -interface option, make sure that your interface is
	  already configured.  If, for example, you wish to specify `tun0' as
	  your interface, and you are using ppp(8) on that interface, you must
	  make sure that you start ppp prior to starting natd.
     diverted to natd:

     1.   You will need to adjust the /etc/rc.firewall script to taste.  If
	  you are not interested in having a firewall, the following lines
	  will do:

		/sbin/ipfw -f flush
		/sbin/ipfw add divert natd all from any to any via ed0
		/sbin/ipfw add pass all from any to any

	  The second line depends on your interface (change `ed0' as appropri-
	  ate).

	  You should be aware of the fact that, with these firewall settings,
	  everyone on your local network can fake his source-address using
	  your host as gateway.  If there are other hosts on your local net-
	  work, you are strongly encouraged to create firewall rules that only
	  allow traffic to and from trusted hosts.

	  If you specify real firewall rules, it is best to specify line 2 at
	  the start of the script so that natd sees all packets before they
	  are dropped by the firewall.

	  After translation by natd, packets re-enter the firewall at the rule
	  number following the rule number that caused the diversion (not the
	  next rule if there are several at the same number).

     2.   Enable your firewall by setting

		firewall_enable=YES

	  in /etc/rc.conf.  This tells the system startup scripts to run the
	  /etc/rc.firewall script.  If you do not wish to reboot now, just run
	  this by hand from the console.  NEVER run this from a remote session
	  unless you put it into the background.  If you do, you will lock
	  yourself out after the flush takes place, and execution of
	  /etc/rc.firewall will stop at this point - blocking all accesses
	  permanently.	Running the script in the background should be enough
	  to prevent this disaster.


SEE ALSO

     libalias(3), divert(4), protocols(5), rc.conf(5), services(5),
     syslog.conf(5), ipfw(8), ppp(8)


AUTHORS

     This program is the result of the efforts of many people at different
     times:

     Archie Cobbs <archie@FreeBSD.org> (divert sockets)
     Charles Mott <cm@linktel.net> (packet aliasing)
     Eivind Eklund <perhaps@yes.no> (IRC support & misc additions)
     Ari Suutari <suutari@iki.fi> (natd)
     Dru Nelson <dnelson@redwoodsoft.com> (early PPTP support)
     Brian Somers <brian@awfulhak.org> (glue)
     Ruslan Ermilov <ru@FreeBSD.org> (natd, packet aliasing, glue)

FreeBSD 5.4		       February 28, 2003		   FreeBSD 5.4

SPONSORED LINKS




Man(1) output converted with man2html , sed , awk