ADC Home > Reference Library > Reference > Mac OS X > Mac OS X Man Pages

 

This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

For more information about the manual page format, see the manual page for manpages(5).



NATD(8)                   BSD System Manager's Manual                  NATD(8)

NAME
     natd -- Network Address Translation daemon

SYNOPSIS
     natd [-unregistered_only | -u] [-log | -l] [-proxy_only] [-reverse] [-deny_incoming | -d]
          [-use_sockets | -s] [-same_ports | -m] [-verbose | -v] [-dynamic] [-in_port | -i port]
          [-out_port | -o port] [-port | -p port] [-alias_address | -a address]
          [-target_address | -t address] [-interface | -n interface] [-proxy_rule proxyspec]
          [-redirect_port linkspec] [-redirect_proto linkspec] [-redirect_address linkspec]
          [-config | -f configfile] [-log_denied] [-log_facility facility_name] [-punch_fw firewall_range]
          [-clamp_mss]

DESCRIPTION
     This program provides a Network Address Translation facility for use with divert(4) sockets under
     FreeBSD.

     The natd normally runs in the background as a daemon.  It is passed raw IP packets as they travel into
     and out of the machine, and will possibly change these before re-injecting them back into the IP packet
     stream.

     It changes all packets destined for another host so that their source IP number is that of the current
     machine.  For each packet changed in this manner, an internal table entry is created to record this
     fact.  The source port number is also changed to indicate the table entry applying to the packet.
     Packets that are received with a target IP of the current host are checked against this internal table.
     If an entry is found, it is used to determine the correct target IP number and port to place in the
     packet.

     The following command line options are available:

     -log | -l   Log various aliasing statistics and information to the file /var/log/alias.log.  This file
                 is truncated each time natd is started.

     -deny_incoming | -d
                 Do not pass incoming packets that have no entry in the internal translation table.

                 If this option is not used, then such a packet will be altered using the rules in
                 -target_address below, and the entry will be made in the internal translation table.

     -log_denied
                 Log denied incoming packets via syslog(3) (see also -log_facility).

     -log_facility facility_name
                 Use specified log facility when logging information via syslog(3).  Argument facility_name
                 is one of the keywords specified in syslog.conf(5).

     -use_sockets | -s
                 Allocate a socket(2) in order to establish an FTP data or IRC DCC send connection.  This
                 option uses more system resources, but guarantees successful connections when port numbers
                 conflict.

     -same_ports | -m
                 Try to keep the same port number when altering outgoing packets.  With this option, proto-cols protocols
                 cols such as RPC will have a better chance of working.  If it is not possible to maintain
                 the port number, it will be silently changed as per normal.

     -verbose | -v
                 Do not call daemon(3) on startup.  Instead, stay attached to the controlling terminal and
                 display all packet alterations to the standard output.  This option should only be used for
                 debugging purposes.

     -unregistered_only | -u
                 Only alter outgoing packets with an unregistered source address.  According to RFC 1918,
                 unregistered source addresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

     -redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT]
                 [remoteIP[:remotePORT[-remotePORT]]]
                 Redirect incoming connections arriving to given port(s) to another host and port(s).  Argu-ment Argument
                 ment proto is either tcp or udp, targetIP is the desired target IP number, targetPORT is
                 the desired target port number or range, aliasPORT is the requested port number or range,
                 and aliasIP is the aliasing address.  Arguments remoteIP and remotePORT can be used to
                 specify the connection more accurately if necessary.  The targetPORT range and aliasPORT
                 range need not be the same numerically, but must have the same size.  If remotePORT is not
                 specified, it is assumed to be all ports.  If remotePORT is specified, it must match the
                 size of targetPORT, or be 0 (all ports).  For example, the argument

                       tcp inside1:telnet 6666

                 means that incoming TCP packets destined for port 6666 on this machine will be sent to the
                 telnet port on the inside1 machine.

                       tcp inside2:2300-2399 3300-3399

                 will redirect incoming connections on ports 3300-3399 to host inside2, ports 2300-2399.
                 The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc.

     -redirect_proto proto localIP [publicIP [remoteIP]]
                 Redirect incoming IP packets of protocol proto (see protocols(5)) destined for publicIP
                 address to a localIP address and vice versa.

                 If publicIP is not specified, then the default aliasing address is used.  If remoteIP is
                 specified, then only packets coming from/to remoteIP will match the rule.

     -redirect_address localIP publicIP
                 Redirect traffic for public IP address to a machine on the local network.  This function is
                 known as static NAT.  Normally static NAT is useful if your ISP has allocated a small block
                 of IP addresses to you, but it can even be used in the case of single address:

                       redirect_address 10.0.0.8 0.0.0.0

                 The above command would redirect all incoming traffic to machine 10.0.0.8.

                 If several address aliases specify the same public address as follows

                       redirect_address 192.168.0.2 public_addr
                       redirect_address 192.168.0.3 public_addr
                       redirect_address 192.168.0.4 public_addr

                 the incoming traffic will be directed to the last translated local address (192.168.0.4),
                 but outgoing traffic from the first two addresses will still be aliased to appear from the
                 specified public_addr.

     -redirect_port proto targetIP:targetPORT[,targetIP:targetPORT[,...]] [aliasIP:]aliasPORT
                 [remoteIP[:remotePORT]]

     -redirect_address localIP[,localIP[,...]] publicIP
                 These forms of -redirect_port and -redirect_address are used to transparently offload net-work network
                 work load on a single server and distribute the load across a pool of servers.  This func-tion function
                 tion is known as LSNAT (RFC 2391).  For example, the argument

                       tcp www1:http,www2:http,www3:http www:http

                 means that incoming HTTP requests for host www will be transparently redirected to one of
                 the www1, www2 or www3, where a host is selected simply on a round-robin basis, without
                 regard to load on the net.

     -dynamic    If the -n or -interface option is used, natd will monitor the routing socket for alter-ations alterations
                 ations to the interface passed.  If the interface's IP number is changed, natd will dynami-cally dynamically
                 cally alter its concept of the alias address.

     -in_port | -i port
                 Read from and write to divert(4) port port, treating all packets as ``incoming''.

     -out_port | -o port
                 Read from and write to divert(4) port port, treating all packets as ``outgoing''.

     -port | -p port
                 Read from and write to divert(4) port port, distinguishing packets as ``incoming'' or
                 ``outgoing'' using the rules specified in divert(4).  If port is not numeric, it is
                 searched for in the services(5) database.  If this option is not specified, the divert port
                 named natd will be used as a default.

     -alias_address | -a address
                 Use address as the aliasing address.  If this option is not specified, the -interface
                 option must be used.  The specified address is usually the address assigned to the
                 ``public'' network interface.

                 All data passing out will be rewritten with a source address equal to address.  All data
                 coming in will be checked to see if it matches any already-aliased outgoing connection.  If
                 it does, the packet is altered accordingly.  If not, all -redirect_port, -redirect_proto
                 and -redirect_address assignments are checked and actioned.  If no other action can be made
                 and if -deny_incoming is not specified, the packet is delivered to the local machine using
                 the rules specified in -target_address option below.

     -t | -target_address address
                 Set the target address.  When an incoming packet not associated with any pre-existing link
                 arrives at the host machine, it will be sent to the specified address.

                 The target address may be set to 255.255.255.255, in which case all new incoming packets go
                 to the alias address set by -alias_address or -interface.

                 If this option is not used, or called with the argument 0.0.0.0, then all new incoming
                 packets go to the address specified in the packet.  This allows external machines to talk
                 directly to internal machines if they can route packets to the machine in question.

     -interface | -n interface
                 Use interface to determine the aliasing address.  If there is a possibility that the IP
                 number associated with interface may change, the -dynamic option should also be used.  If
                 this option is not specified, the -alias_address option must be used.

                 The specified interface is usually the ``public'' (or ``external'') network interface.

     -config | -f file
                 Read configuration from file.  A file should contain a list of options, one per line, in
                 the same form as the long form of the above command line options.  For example, the line

                       alias_address 158.152.17.1

                 would specify an alias address of 158.152.17.1.  Options that do not take an argument are
                 specified with an argument of yes or no in the configuration file.  For example, the line
                   log yes is synonymous with -log.

                 Trailing spaces and empty lines are ignored.  A `#' sign will mark the rest of the line as
                 a comment.

     -reverse    This option makes natd reverse the way it handles ``incoming'' and ``outgoing'' packets,
                 allowing it to operate on the ``internal'' network interface rather than the ``external''
                 one.

                 This can be useful in some transparent proxying situations when outgoing traffic is redi-rected redirected
                 rected to the local machine and natd is running on the internal interface (it usually runs
                 on the external interface).

     -proxy_only
                 Force natd to perform transparent proxying only.  Normal address translation is not per-formed. performed.
                 formed.

     -proxy_rule [type encode_ip_hdr | encode_tcp_stream] port xxxx server a.b.c.d:yyyy
                 Enable transparent proxying.  Outgoing TCP packets with the given port going through this
                 host to any other host are redirected to the given server and port.  Optionally, the origi-nal original
                 nal target address can be encoded into the packet.  Use encode_ip_hdr to put this informa-tion information
                 tion into the IP option field or encode_tcp_stream to inject the data into the beginning of
                 the TCP stream.

     -punch_fw basenumber:count
                 This option directs natd to ``punch holes'' in an ipfirewall(4) based firewall for FTP/IRC
                 DCC connections.  This is done dynamically by installing temporary firewall rules which
                 allow a particular connection (and only that connection) to go through the firewall.  The
                 rules are removed once the corresponding connection terminates.

                 A maximum of count rules starting from the rule number basenumber will be used for punching
                 firewall holes.  The range will be cleared for all rules on startup.

     -clamp_mss
                 This option enables MSS clamping.  The MSS value is derived from the MTU of the interface
                 specified in the -interface option.

RUNNING NATD
     The following steps are necessary before attempting to run natd:

     1.   Build a custom kernel with the following options:

                options IPFIREWALL
                options IPDIVERT

          Refer to the handbook for detailed instructions on building a custom kernel.

     2.   Ensure that your machine is acting as a gateway.  This can be done by specifying the line

                gateway_enable=YES

          in the /etc/rc.conf file or using the command

                sysctl -w net.inet.ip.forwarding=1

     3.   If you use the -interface option, make sure that your interface is already configured.  If, for
          example, you wish to specify `tun0' as your interface, and you are using ppp(8) on that interface,
          you must make sure that you start ppp prior to starting natd.

     Running natd is fairly straight forward.  The line

           natd -interface en0

     should suffice in most cases (substituting the correct interface name).  Please check rc.conf(5) on how
     to configure it to be started automatically during boot.  Once natd is running, you must ensure that
     traffic is diverted to natd:

     1.   You will need to adjust the /etc/rc.firewall script to taste.  If you are not interested in having
          a firewall, the following lines will do:

                /sbin/ipfw -f flush
                /sbin/ipfw add divert natd all from any to any via ed0
                /sbin/ipfw add pass all from any to any

          The second line depends on your interface (change `en0' as appropriate).

          You should be aware of the fact that, with these firewall settings, everyone on your local network
          can fake his source-address using your host as gateway.  If there are other hosts on your local
          network, you are strongly encouraged to create firewall rules that only allow traffic to and from
          trusted hosts.

          If you specify real firewall rules, it is best to specify line 2 at the start of the script so
          that natd sees all packets before they are dropped by the firewall.

          After translation by natd, packets re-enter the firewall at the rule number following the rule
          number that caused the diversion (not the next rule if there are several at the same number).

     2.   Enable your firewall by setting

                firewall_enable=YES

          in /etc/rc.conf.  This tells the system startup scripts to run the /etc/rc.firewall script.  If
          you do not wish to reboot now, just run this by hand from the console.  NEVER run this from a
          remote session unless you put it into the background.  If you do, you will lock yourself out after
          the flush takes place, and execution of /etc/rc.firewall will stop at this point - blocking all
          accesses permanently.  Running the script in the background should be enough to prevent this dis-aster. disaster.
          aster.

SEE ALSO
     divert(4), protocols(5), rc.conf(5), services(5), syslog.conf(5), ipfw(8), ppp(8)

AUTHORS
     This program is the result of the efforts of many people at different times:

     Archie Cobbs <archie@whistle.com> (divert sockets)
     Charles Mott <cmott@scientech.com> (packet aliasing)
     Eivind Eklund <perhaps@yes.no> (IRC support & misc additions)
     Ari Suutari <suutari@iki.fi> (natd)
     Dru Nelson <dnelson@redwoodsoft.com> (early PPTP support)
     Brian Somers <brian@awfulhak.org> (glue)
     Ruslan Ermilov <ru@FreeBSD.org> (natd, packet aliasing, glue)

Darwin                           June 27, 2000                          Darwin

Did this document help you?
Yes: Tell us what works for you.
It’s good, but: Report typos, inaccuracies, and so forth.
It wasn’t helpful: Tell us what would have helped.