mirror of https://git.FreeBSD.org/src.git (synced 2024-12-23 11:18:54 +00:00)
src/usr.sbin/natd -> src/sbin/natd (after a repo-copy by jdp)
parent cad59f82df
commit 2f9a9cb08c
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=44690
@ -1,5 +1,5 @@
|
||||
# @(#)Makefile 8.5 (Berkeley) 3/31/94
|
||||
# $Id: Makefile,v 1.65 1999/02/27 02:25:06 jkh Exp $
|
||||
# $Id: Makefile,v 1.66 1999/02/27 10:54:06 jkh Exp $
|
||||
|
||||
# XXX MISSING: icheck ncheck
|
||||
|
||||
@ -41,6 +41,7 @@ SUBDIR= adjkerntz \
|
||||
mount_umap \
|
||||
mount_union \
|
||||
mountd \
|
||||
natd \
|
||||
newfs \
|
||||
newfs_msdos \
|
||||
nfsd \
|
||||
|
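Review bot: adding natd to the sbin SUBDIR list changes where the binary is installed, and the sample configuration deleted later in this same commit says natd is started from /etc/rc.firewall; any script that invokes the daemon by its old absolute path under usr.sbin needs a matching change, which is not part of this diff. The commit message could state the new install location explicitly.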
@ -1,5 +1,5 @@
|
||||
# From: @(#)Makefile 5.20 (Berkeley) 6/12/93
|
||||
# $Id: Makefile,v 1.147 1999/01/11 18:03:54 msmith Exp $
|
||||
# $Id: Makefile,v 1.148 1999/02/21 21:30:13 rnordier Exp $
|
||||
|
||||
# XXX MISSING: mkproto
|
||||
SUBDIR= IPXrouted \
|
||||
@ -46,7 +46,6 @@ SUBDIR= IPXrouted \
|
||||
named \
|
||||
named.reload \
|
||||
named.restart \
|
||||
natd \
|
||||
ndc \
|
||||
newsyslog \
|
||||
nslookup \
|
||||
|
@ -1,146 +0,0 @@
|
||||
* Version 0.1
|
||||
|
||||
Initial version of natd.
|
||||
|
||||
* Version 0.2
|
||||
|
||||
- Alias address can now be set by giving interface name with
|
||||
new (-n) command-line option.
|
||||
|
||||
- New Makefile based on bsd.prog.mk.
|
||||
|
||||
- Error messages are written to syslog
|
||||
after natd has become a daemon.
|
||||
|
||||
* Version 1.0
|
||||
|
||||
- Support for using only single socket (-p option)
|
||||
|
||||
* Version 1.1
|
||||
|
||||
- -a option now understands a hostname also.
|
||||
- -a option no longer dumps core.
|
||||
- Packet aliasing software upgraded to v. 1.9
|
||||
- added long option names (like -address)
|
||||
|
||||
* Version 1.2
|
||||
|
||||
- Fixed core dump with -port option.
|
||||
- Added -Wall to CFLAGS and some headers added to natd.c
|
||||
to get clean compile by Brian Somers [brian@awfulhak.org].
|
||||
|
||||
* Version 1.3
|
||||
|
||||
- Aliasing address initialization is delayed until first
|
||||
packet arrives. This allows natd to start up before
|
||||
interface address is set.
|
||||
- SIGTERM is now catched to allow kernel to close
|
||||
existing connections when system is shutting down.
|
||||
- SIGHUP is now catched to allow natd to refresh aliasing
|
||||
address from interface, which might be useful to tun devices.
|
||||
|
||||
* Version 1.4
|
||||
|
||||
- Changed command line options to be compatible with
|
||||
command names used in ppp+packetAlias package (which is the
|
||||
original application using aliasing routines).
|
||||
|
||||
The options which map directly to packet aliasing options are:
|
||||
|
||||
-unregistered_only [yes|no]
|
||||
-log [yes|no]
|
||||
-deny_incoming [yes|no]
|
||||
-use_sockets [yes|no]
|
||||
-same_ports [yes|no]
|
||||
|
||||
The short option names are the same as in previous
|
||||
releases.
|
||||
|
||||
- Command line parser rewritten to provide more flexible
|
||||
way to support new packet aliasing options.
|
||||
|
||||
- Support for natd.cf configuration file has been added.
|
||||
|
||||
- SIGHUP no longer causes problems when running without
|
||||
interface name option.
|
||||
|
||||
- When using -interface command line option, routing socket
|
||||
is optionally listened for interface address changes. This
|
||||
mode is activated by -dynamic option.
|
||||
|
||||
- Directory tree reorganized, alias package is now a library.
|
||||
|
||||
- Manual page written by Brian Somers <brian@awfulhak.org> added.
|
||||
- README file updated.
|
||||
|
||||
* Version 1.5
|
||||
|
||||
- Support for sending ICMP 'need fragmentation' messages
|
||||
when packet size exceeds mtu size of outgoing network interface.
|
||||
|
||||
- ipfw rule example in manual page fixed.
|
||||
|
||||
* Version 1.6
|
||||
|
||||
- Upgrade to new packet aliasing engine (2.1)
|
||||
- redirect_port and redirect_address configuration
|
||||
parameters added.
|
||||
- It is no longer necessary to quote complex parameter values
|
||||
in command line.
|
||||
- Manual page fixed (same_port -> same_ports).
|
||||
|
||||
* Version 1.7
|
||||
|
||||
- A bug in command-line parsing fixed (it appeared due
|
||||
to changes made in 1.6).
|
||||
|
||||
* Version 1.8
|
||||
|
||||
- Fixed problems with -dynamic option.
|
||||
- Added /var/run/natd.pid
|
||||
|
||||
* Version 1.9
|
||||
|
||||
- Changes to manual page by
|
||||
Brian Somers <brian@awfulhak.org> integrated.
|
||||
- Checksum for incoming packets is always recalculated
|
||||
for FreeBSD 2.2 and never recalculated for newer
|
||||
versions. This should fix the problem with wrong
|
||||
checksum of fragmented packets.
|
||||
- Buffer space problem found by Sergio Lenzi <lenzi@bsi.com.br>
|
||||
fixed. Natd now waits with select(2) for buffer space
|
||||
to become available if write fails.
|
||||
- Packet aliasing library upgraded to 2.2.
|
||||
|
||||
* Version 1.10
|
||||
|
||||
- Ignored incoming packets are now dropped when
|
||||
deny_incoming option is set to yes.
|
||||
- Packet aliasing library upgraded to 2.4.
|
||||
|
||||
* Version 1.11
|
||||
|
||||
- Code cleanup work done in FreeBSD-current development merged.
|
||||
- Port numbers are now unsigned as they should always have been.
|
||||
|
||||
* Version 1.12
|
||||
|
||||
- Typos in comment fixed. Copyright message added to
|
||||
source & header files that were missing it.
|
||||
- A small patch to libalias to make static NAT work correctly.
|
||||
|
||||
* Version 2.0
|
||||
|
||||
- Upgrade to libalias 3.0 which gives:
|
||||
- Transparent proxy support.
|
||||
- permanent_link is now obsolete, use redirect_port instead.
|
||||
- Drop support for early FreeBSD 2.2 versions
|
||||
- If separate input & output sockets are being used
|
||||
use them to find out packet direction instead of
|
||||
normal mechanism. This can be handy in complex environments
|
||||
with multiple interfaces.
|
||||
- libalias is no longer part of this distribution.
|
||||
- New sample configuration file
|
||||
from Ted Mittelstaedt <tedm@portsoft.com>.
|
||||
- PPTP redirect support by Dru Nelson <dnelson@redwoodsoft.com> added.
|
||||
- Logging enhancements from Martin Machacek <mm@i.cz> added.
|
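Review bot: the log stops at Version 2.0 and says nothing about this relocation from usr.sbin to sbin, although earlier entries do track packaging changes (the /var/run/natd.pid addition in 1.8, the manual page in 1.4); a one-line entry noting the new install path would spare users of the old location a surprise. The 2.0 entry also declares permanent_link obsolete, which the sample configuration in this commit has not caught up with.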
@ -1,8 +0,0 @@
|
||||
PROG = natd
|
||||
SRCS = natd.c icmp.c
|
||||
CFLAGS += -Wall
|
||||
LDADD = -lalias
|
||||
DPADD = ${LIBALIAS}
|
||||
MAN8 = natd.8
|
||||
|
||||
.include <bsd.prog.mk>
|
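Review bot: since this Makefile is being carried into the sbin tree, check that `LDADD = -lalias` and `DPADD = ${LIBALIAS}` still resolve under the sbin build rules, which may link programs differently from usr.sbin; the alias library must be available wherever the sbin build picks it up. `MAN8 = natd.8` and `CFLAGS += -Wall` are fine as they stand.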
@ -1,53 +0,0 @@
|
||||
|
||||
A Network Address Translation Daemon for FreeBSD
|
||||
|
||||
|
||||
1. WHAT IS NATD ?
|
||||
|
||||
This is a simple daemon based on FreeBSD divert sockets
|
||||
which performs network address translation (or masquerading)
|
||||
for IP packets (see related RFCs 1631 and 1918).
|
||||
It is based on packet aliasing package (see README.alias)
|
||||
written by Charles Mott (cmott@srv.net).
|
||||
|
||||
This package works with any network interface (doesn't have
|
||||
to be ppp). I run it on a computer having two ethernet cards,
|
||||
one connected to internet and the other one to local network.
|
||||
|
||||
2. GETTING IT RUNNING
|
||||
|
||||
1) Get FreeBSD 2.2 - I think the divert sockets are
|
||||
not available on earlier versions,
|
||||
|
||||
2) Compile this software by executing "make".
|
||||
|
||||
3) Install the software by executing "make install".
|
||||
|
||||
4) See man natd for further instructions.
|
||||
|
||||
3. FTP SITES FOR NATD
|
||||
|
||||
This package is available at ftp://ftp.suutari.iki.fi/pub/natd.
|
||||
|
||||
4. AUTHORS
|
||||
|
||||
This program is the result of the efforts of many people
|
||||
at different times:
|
||||
|
||||
Archie Cobbs <archie@whistle.com> Divert sockets
|
||||
Charles Mott <cmott@srv.net> Packet aliasing engine
|
||||
Eivind Eklund <eivind@dimaga.com> Packet aliasing engine
|
||||
Ari Suutari <suutari@iki.fi> Natd
|
||||
Brian Somers <brian@awfulhak.org> Manual page, glue and
|
||||
bunch of good ideas.
|
||||
|
||||
The original package written by Charles Mott
|
||||
is available at http://www.srv.net/~cmott.
|
||||
It is described in README.alias.
|
||||
|
||||
Happy Networking - comments and fixes are welcome!
|
||||
|
||||
Ari S. (suutari@iki.fi)
|
||||
|
||||
|
||||
|
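Review bot: step 1 under GETTING IT RUNNING tells the reader to get FreeBSD 2.2 and steps 2 and 3 to run make and make install by hand, while the Changes file in the same commit (Version 2.0) drops support for early 2.2 releases and the program is now built as part of the source tree; as the file is being carried over, the build steps and the third-party FTP location should be updated or the README trimmed to the description and AUTHORS sections.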
@ -1,127 +0,0 @@
|
||||
/*
|
||||
* natd - Network Address Translation Daemon for FreeBSD.
|
||||
*
|
||||
* This software is provided free of charge, with no
|
||||
* warranty of any kind, either expressed or implied.
|
||||
* Use at your own risk.
|
||||
*
|
||||
* You may copy, modify and distribute this software (icmp.c) freely.
|
||||
*
|
||||
* Ari Suutari <suutari@iki.fi>
|
||||
*
|
||||
* $Id:$
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <ctype.h>
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/time.h>
|
||||
#include <errno.h>
|
||||
#include <signal.h>
|
||||
|
||||
#include <netdb.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include <machine/in_cksum.h>
|
||||
|
||||
#include <alias.h>
|
||||
|
||||
#include "natd.h"
|
||||
|
||||
int SendNeedFragIcmp (int sock, struct ip* failedDgram, int mtu)
|
||||
{
|
||||
char icmpBuf[IP_MAXPACKET];
|
||||
struct ip* ip;
|
||||
struct icmp* icmp;
|
||||
int icmpLen;
|
||||
int failBytes;
|
||||
int failHdrLen;
|
||||
struct sockaddr_in addr;
|
||||
int wrote;
|
||||
struct in_addr swap;
|
||||
/*
|
||||
* Don't send error if packet is
|
||||
* not the first fragment.
|
||||
*/
|
||||
if (ntohs (failedDgram->ip_off) & ~(IP_MF | IP_DF))
|
||||
return 0;
|
||||
/*
|
||||
* Dont respond if failed datagram is ICMP.
|
||||
*/
|
||||
if (failedDgram->ip_p == IPPROTO_ICMP)
|
||||
return 0;
|
||||
/*
|
||||
* Start building the message.
|
||||
*/
|
||||
ip = (struct ip*) icmpBuf;
|
||||
icmp = (struct icmp*) (icmpBuf + sizeof (struct ip));
|
||||
/*
|
||||
* Complete ICMP part.
|
||||
*/
|
||||
icmp->icmp_type = ICMP_UNREACH;
|
||||
icmp->icmp_code = ICMP_UNREACH_NEEDFRAG;
|
||||
icmp->icmp_cksum = 0;
|
||||
icmp->icmp_void = 0;
|
||||
icmp->icmp_nextmtu = htons (mtu);
|
||||
/*
|
||||
* Copy header + 64 bits of original datagram.
|
||||
*/
|
||||
failHdrLen = (failedDgram->ip_hl << 2);
|
||||
failBytes = failedDgram->ip_len - failHdrLen;
|
||||
if (failBytes > 8)
|
||||
failBytes = 8;
|
||||
|
||||
failBytes += failHdrLen;
|
||||
icmpLen = ICMP_MINLEN + failBytes;
|
||||
|
||||
memcpy (&icmp->icmp_ip, failedDgram, failBytes);
|
||||
/*
|
||||
* Calculate checksum.
|
||||
*/
|
||||
icmp->icmp_cksum = PacketAliasInternetChecksum ((u_short*) icmp,
|
||||
icmpLen);
|
||||
/*
|
||||
* Add IP header using old IP header as template.
|
||||
*/
|
||||
memcpy (ip, failedDgram, sizeof (struct ip));
|
||||
|
||||
ip->ip_v = 4;
|
||||
ip->ip_hl = 5;
|
||||
ip->ip_len = htons (sizeof (struct ip) + icmpLen);
|
||||
ip->ip_p = IPPROTO_ICMP;
|
||||
ip->ip_tos = 0;
|
||||
|
||||
swap = ip->ip_dst;
|
||||
ip->ip_dst = ip->ip_src;
|
||||
ip->ip_src = swap;
|
||||
|
||||
PacketAliasIn ((char*) ip, IP_MAXPACKET);
|
||||
|
||||
addr.sin_family = AF_INET;
|
||||
addr.sin_addr = ip->ip_dst;
|
||||
addr.sin_port = 0;
|
||||
/*
|
||||
* Put packet into processing queue.
|
||||
*/
|
||||
wrote = sendto (sock,
|
||||
icmp,
|
||||
icmpLen,
|
||||
0,
|
||||
(struct sockaddr*) &addr,
|
||||
sizeof addr);
|
||||
|
||||
if (wrote != icmpLen)
|
||||
Warn ("Cannot send ICMP message.");
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
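Review bot: `failBytes = failedDgram->ip_len - failHdrLen` reads ip_len without ntohs(), while the fragment check a few lines earlier converts ip_off with ntohs() and the header built further down stores `ip->ip_len = htons (...)`; whichever byte order the divert socket delivers, these three uses cannot all be right, and if the length is in network order the subtraction on a little-endian host yields a wrong count that is masked only by the `> 8` clamp for most lengths and copies too little of the offending datagram for others. Use `ntohs (failedDgram->ip_len)` and return 0 when the result is smaller than `failHdrLen`. Secondary points: the return value of `PacketAliasIn ()` is discarded, so an error for which no alias entry exists is still sent to whatever `ip->ip_dst` holds after the address swap; `addr` is used without a memset, leaving `sin_len` and `sin_zero` uninitialized; and the function returns 1 even when `sendto` did not write `icmpLen` bytes, so the caller cannot tell that the error was not delivered.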
@ -1,426 +0,0 @@
|
||||
.\" manual page [] for natd 1.4
|
||||
.\" $Id:$
|
||||
.Dd 15 April 1997
|
||||
.Os FreeBSD
|
||||
.Dt NATD 8
|
||||
.Sh NAME
|
||||
.Nm natd
|
||||
.Nd
|
||||
Network Address Translation Daemon
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
.Op Fl ldsmvu
|
||||
.Op Fl dynamic
|
||||
.Op Fl i Ar inport
|
||||
.Op Fl o Ar outport
|
||||
.Op Fl p Ar port
|
||||
.Op Fl a Ar address
|
||||
.Op Fl n Ar interface
|
||||
.Op Fl f Ar configfile
|
||||
|
||||
.Nm
|
||||
.Op Fl log
|
||||
.Op Fl deny_incoming
|
||||
.Op Fl log_denied
|
||||
.Op Fl use_sockets
|
||||
.Op Fl same_ports
|
||||
.Op Fl verbose
|
||||
.Op Fl log_facility Ar facility_name
|
||||
.Op Fl unregistered_only
|
||||
.Op Fl dynamic
|
||||
.Op Fl inport Ar inport
|
||||
.Op Fl outport Ar outport
|
||||
.Op Fl port Ar port
|
||||
.Op Fl alias_address Ar address
|
||||
.Op Fl interface Ar interface
|
||||
.Op Fl config Ar configfile
|
||||
.Op Fl redirect_port Ar linkspec
|
||||
.Op Fl redirect_address Ar localIP publicIP
|
||||
.Op Fl reverse
|
||||
.Op Fl proxy_only
|
||||
.Op Fl proxy_rule Ar proxyspec
|
||||
.Op Fl pptpalias Ar localIP
|
||||
|
||||
.Sh DESCRIPTION
|
||||
This program provides a Network Address Translation facility for use
|
||||
with
|
||||
.Xr divert 4
|
||||
sockets under FreeBSD. Most of the command line options are available
|
||||
in a single character short form or in a long form. Use of the long
|
||||
form is encouraged as it makes things clearer to the casual observer.
|
||||
|
||||
.Pp
|
||||
.Nm Natd
|
||||
normally runs in the background as a daemon. It is passed raw IP packets
|
||||
as they travel into and out of the machine, and will possibly change these
|
||||
before re-injecting them back into the IP packet stream.
|
||||
|
||||
.Pp
|
||||
.Nm Natd
|
||||
changes all packets destined for another host so that their source
|
||||
IP number is that of the current machine. For each packet changed
|
||||
in this manner, an internal table entry is created to record this
|
||||
fact. The source port number is also changed to indicate the
|
||||
table entry applying to the packet. Packets that are received with
|
||||
a target IP of the current host are checked against this internal
|
||||
table. If an entry is found, it is used to determine the correct
|
||||
target IP number and port to place in the packet.
|
||||
|
||||
.Pp
|
||||
The following command line options are available.
|
||||
.Bl -tag -width Fl
|
||||
|
||||
.It Fl log | l
|
||||
Log various aliasing statistics and information to the file
|
||||
.Pa /var/log/alias.log .
|
||||
This file is truncated each time natd is started.
|
||||
|
||||
.It Fl deny_incoming | d
|
||||
Reject packets destined for the current IP number that have no entry
|
||||
in the internal translation table.
|
||||
|
||||
.It Fl log_denied
|
||||
Log denied incoming packets via syslog (see also log_facility)
|
||||
|
||||
.It Fl log_facility Ar facility_name
|
||||
Use specified log facility when logging information via syslog.
|
||||
Facility names are as in
|
||||
.Xr syslog.conf 5
|
||||
|
||||
.It Fl use_sockets | s
|
||||
Allocate a
|
||||
.Xr socket 2
|
||||
in order to establish an FTP data or IRC DCC send connection. This
|
||||
option uses more system resources, but guarantees successful connections
|
||||
when port numbers conflict.
|
||||
|
||||
.It Fl same_ports | m
|
||||
Try to keep the same port number when altering outgoing packets.
|
||||
With this option, protocols such as RPC will have a better chance
|
||||
of working. If it is not possible to maintain the port number, it
|
||||
will be silently changed as per normal.
|
||||
|
||||
.It Fl verbose | v
|
||||
Don't call
|
||||
.Xr fork 2
|
||||
or
|
||||
.Xr daemon 3
|
||||
on startup. Instead, stay attached to the controling terminal and
|
||||
display all packet alterations to the standard output. This option
|
||||
should only be used for debugging purposes.
|
||||
|
||||
.It Fl unregistered_only | u
|
||||
Only alter outgoing packets with an unregistered source address.
|
||||
According to rfc 1918, unregistered source addresses are 10.0.0.0/8,
|
||||
172.16.0.0/12 and 192.168.0.0/16.
|
||||
|
||||
.It Fl redirect_port Ar proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]
|
||||
Redirect incoming connections arriving to given port to another host and port.
|
||||
Proto is either tcp or udp, targetIP is the desired target IP
|
||||
number, targetPORT is the desired target PORT number, aliasPORT
|
||||
is the requested PORT number and aliasIP is the aliasing address.
|
||||
RemoteIP and remotePORT can be used to specify the connection
|
||||
more accurately if necessary.
|
||||
For example, the argument
|
||||
|
||||
.Ar tcp inside1:telnet 6666
|
||||
|
||||
means that tcp packets destined for port 6666 on this machine will
|
||||
be sent to the telnet port on the inside1 machine.
|
||||
|
||||
.It Fl redirect_address Ar localIP publicIP
|
||||
Redirect traffic for public IP address to a machine on the local
|
||||
network. This function is known as "static NAT". Normally static NAT
|
||||
is useful if your ISP has allocated a small block of IP addresses to you,
|
||||
but it can even be used in the case of single address:
|
||||
|
||||
redirect_address 10.0.0.8 0.0.0.0
|
||||
|
||||
The above command would redirect all incoming traffic
|
||||
to machine 10.0.0.8.
|
||||
|
||||
If several address aliases specify the same public address
|
||||
as follows
|
||||
|
||||
redirect_address 192.168.0.2 public_addr
|
||||
redirect_address 192.168.0.3 public_addr
|
||||
redirect_address 192.168.0.4 public_addr
|
||||
|
||||
the incoming traffic will be directed to the last
|
||||
translated local address (192.168.0.4), but outgoing
|
||||
traffic to the first two addresses will still be aliased
|
||||
to specified public address.
|
||||
|
||||
.It Fl dynamic
|
||||
If the
|
||||
.Fl n
|
||||
or
|
||||
.Fl interface
|
||||
option is used,
|
||||
.Nm
|
||||
will monitor the routing socket for alterations to the
|
||||
.Ar interface
|
||||
passed. If the interfaces IP number is changed,
|
||||
.Nm
|
||||
will dynamically alter its concept of the alias address.
|
||||
|
||||
.It Fl i | inport Ar inport
|
||||
Read from and write to
|
||||
.Ar inport ,
|
||||
treating all packets as packets coming into the machine.
|
||||
|
||||
.It Fl o | outport Ar outport
|
||||
Read from and write to
|
||||
.Ar outport ,
|
||||
treating all packets as packets going out of the machine.
|
||||
|
||||
.It Fl p | port Ar port
|
||||
Read from and write to
|
||||
.Ar port ,
|
||||
distinguishing packets as incoming our outgoing using the rules specified in
|
||||
.Xr divert 4 .
|
||||
If
|
||||
.Ar port
|
||||
is not numeric, it is searched for in the
|
||||
.Pa /etc/services
|
||||
database using the
|
||||
.Xr getservbyname 3
|
||||
function. If this flag is not specified, the divert port named natd will
|
||||
be used as a default. An example entry in the
|
||||
.Pa /etc/services
|
||||
database would be:
|
||||
|
||||
natd 8668/divert # Network Address Translation socket
|
||||
|
||||
Refer to
|
||||
.Xr services 5
|
||||
for further details.
|
||||
|
||||
.It Fl a | alias_address Ar address
|
||||
Use
|
||||
.Ar address
|
||||
as the alias address. If this option is not specified, the
|
||||
.Fl n
|
||||
or
|
||||
.Fl interface
|
||||
option must be used. The specified address should be the address assigned
|
||||
to the public network interface.
|
||||
.Pp
|
||||
All data passing out through this addresses interface will be rewritten
|
||||
with a source address equal to
|
||||
.Ar address .
|
||||
All data arriving at the interface from outside will be checked to
|
||||
see if it matches any already-aliased outgoing connection. If it does,
|
||||
the packet is altered accordingly. If not, all
|
||||
.Fl redirect_port
|
||||
and
|
||||
.Fl redirect_address
|
||||
assignments are checked and actioned. If no other action can be made,
|
||||
and if
|
||||
.Fl deny_incoming
|
||||
is not specified, the packet is delivered to the local machine and port
|
||||
as specified in the packet.
|
||||
|
||||
.It Fl n | interface Ar interface
|
||||
Use
|
||||
.Ar interface
|
||||
to determine the alias address. If there is a possibility that the
|
||||
IP number associated with
|
||||
.Ar interface
|
||||
may change, the
|
||||
.Fl dynamic
|
||||
flag should also be used. If this option is not specified, the
|
||||
.Fl a
|
||||
or
|
||||
.Fl alias_address
|
||||
flag must be used.
|
||||
.Pp
|
||||
The specified
|
||||
.Ar interface
|
||||
must be the public network interface.
|
||||
.It Fl f | config Ar configfile
|
||||
Read configuration from
|
||||
.Ar configfile .
|
||||
.Ar Configfile
|
||||
contains a list of options, one per line in the same form as the
|
||||
long form of the above command line flags. For example, the line
|
||||
|
||||
alias_address 158.152.17.1
|
||||
|
||||
would specify an alias address of 158.152.17.1. Options that don't
|
||||
take an argument are specified with an option of
|
||||
.Ar yes
|
||||
or
|
||||
.Ar no
|
||||
in the configuration file. For example, the line
|
||||
|
||||
log yes
|
||||
|
||||
is synonomous with
|
||||
.Fl log .
|
||||
Empty lines and lines beginning with '#' are ignored.
|
||||
|
||||
.It Fl reverse
|
||||
Reverse operation of natd. This can be useful in some
|
||||
transparent proxying situations when outgoing traffic
|
||||
is redirected to the local machine and natd is running on the
|
||||
incoming interface (it usually runs on the outgoing interface).
|
||||
|
||||
.It Fl proxy_only
|
||||
Force natd to perform transparent proxying
|
||||
only. Normal address translation is not performed.
|
||||
|
||||
.It Fl proxy_rule Ar [type encode_ip_hdr|encode_tcp_stream] port xxxx server a.b.c.d:yyyy
|
||||
Enable transparent proxying. Packets with the given port going through this
|
||||
host to any other host are redirected to the given server and port.
|
||||
Optionally, the original target address can be encoded into the packet. Use
|
||||
.Dq encode_ip_hdr
|
||||
to put this information into the IP option field or
|
||||
.Dq encode_tcp_stream
|
||||
to inject the data into the beginning of the TCP stream.
|
||||
|
||||
.It Fl pptpalias Ar localIP
|
||||
Allow PPTP packets to go to the defined localIP address. PPTP is a VPN or secure
|
||||
IP tunneling technology being developed primarily by Microsoft. For its encrypted traffic,
|
||||
it uses an old IP encapsulation protocol called GRE (47). This
|
||||
natd option will translate any traffic of this protocol to a
|
||||
single, specified IP address. This would allow either one client or one server
|
||||
to be serviced with natd. If you are setting up a server, don't forget to allow the TCP traffic
|
||||
for the PPTP setup. For a client or server, you must allow GRE (protocol 47) if you have firewall lists active.
|
||||
|
||||
.El
|
||||
|
||||
.Sh RUNNING NATD
|
||||
The following steps are necessary before attempting to run
|
||||
.Nm natd :
|
||||
|
||||
.Bl -enum
|
||||
.It
|
||||
Get FreeBSD version 2.2 or higher. Versions before this do not support
|
||||
.Xr divert 4
|
||||
sockets.
|
||||
|
||||
.It
|
||||
Build a custom kernel with the following options:
|
||||
|
||||
options IPFIREWALL
|
||||
options IPDIVERT
|
||||
|
||||
Refer to the handbook for detailed instructions on building a custom
|
||||
kernel.
|
||||
|
||||
.It
|
||||
Ensure that your machine is acting as a gateway. This can be done by
|
||||
specifying the line
|
||||
|
||||
gateway_enable=YES
|
||||
|
||||
in
|
||||
.Pa /etc/rc.conf ,
|
||||
or using the command
|
||||
|
||||
sysctl -w net.inet.ip.forwarding=1
|
||||
|
||||
.It
|
||||
If you wish to use the
|
||||
.Fl n
|
||||
or
|
||||
.Fl interface
|
||||
flags, make sure that your interface is already configured. If, for
|
||||
example, you wish to specify tun0 as your
|
||||
.Ar interface ,
|
||||
and you're using
|
||||
.Xr ppp 8
|
||||
on that interface, you must make sure that you start
|
||||
.Nm ppp
|
||||
prior to starting
|
||||
.Nm natd .
|
||||
|
||||
.It
|
||||
Create an entry in
|
||||
.Pa /etc/services :
|
||||
|
||||
natd 8668/divert # Network Address Translation socket
|
||||
|
||||
This gives a default for the
|
||||
.Fl p
|
||||
or
|
||||
.Fl port
|
||||
flag.
|
||||
|
||||
.El
|
||||
.Pp
|
||||
Running
|
||||
.Nm
|
||||
is fairly straight forward. The line
|
||||
|
||||
natd -interface ed0
|
||||
|
||||
should suffice in most cases (substituting the correct interface name). Once
|
||||
.Nm
|
||||
is running, you must ensure that traffic is diverted to natd:
|
||||
|
||||
.Bl -enum
|
||||
.It
|
||||
You will need to adjust the
|
||||
.Pa /etc/rc.firewall
|
||||
script to taste. If you're not interested in having a firewall, the
|
||||
following lines will do:
|
||||
|
||||
/sbin/ipfw -f flush
|
||||
/sbin/ipfw add divert natd all from any to any via ed0
|
||||
/sbin/ipfw add pass all from any to any
|
||||
|
||||
The second line depends on your interface (change ed0 as appropriate)
|
||||
and assumes that you've updated
|
||||
.Pa /etc/services
|
||||
with the natd entry as above. If you specify real firewall rules, it's
|
||||
best to specify line 2 at the start of the script so that
|
||||
.Nm
|
||||
sees all packets before they are dropped by the firewall. The firewall
|
||||
rules will be run again on each packet after translation by
|
||||
.Nm natd ,
|
||||
minus any divert rules.
|
||||
|
||||
.It
|
||||
Enable your firewall by setting
|
||||
|
||||
firewall_enable=YES
|
||||
|
||||
in
|
||||
.Pa /etc/rc.conf .
|
||||
This tells the system startup scripts to run the
|
||||
.Pa /etc/rc.firewall
|
||||
script. If you don't wish to reboot now, just run this by hand from the
|
||||
console. NEVER run this from a virtual session unless you put it into
|
||||
the background. If you do, you'll lock yourself out after the flush
|
||||
takes place, and execution of
|
||||
.Pa /etc/rc.firewall
|
||||
will stop at this point - blocking all accesses permanently. Running
|
||||
the script in the background should be enough to prevent this disaster.
|
||||
|
||||
.El
|
||||
|
||||
.Sh SEE ALSO
|
||||
.Xr getservbyname 2 ,
|
||||
.Xr socket 2 ,
|
||||
.Xr divert 4 ,
|
||||
.Xr services 5 ,
|
||||
.Xr ipfw 8
|
||||
|
||||
.Sh AUTHORS
|
||||
This program is the result of the efforts of many people at different
|
||||
times:
|
||||
|
||||
.An Archie Cobbs Aq archie@whistle.com
|
||||
(divert sockets)
|
||||
.An Charles Mott Aq cmott@srv.net
|
||||
(packet aliasing)
|
||||
.An Eivind Eklund Aq perhaps@yes.no
|
||||
(IRC support & misc additions)
|
||||
.An Ari Suutari Aq suutari@iki.fi
|
||||
(natd)
|
||||
.An Dru Nelson Aq dnelson@redwoodsoft.com
|
||||
(PPTP support)
|
||||
.An Brian Somers Aq brian@awfulhak.org
|
||||
(glue)
|
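Review bot: SEE ALSO cites `.Xr getservbyname 2` while the `-p` description cross-references `.Xr getservbyname 3`; the library function is in section 3, so the SEE ALSO entry should be corrected. The header comment still reads "manual page [] for natd 1.4" with `.Dd 15 April 1997`, yet the page documents the 2.0-era options (`-reverse`, `-proxy_only`, `-proxy_rule`, `-pptpalias`); bump the date and drop the version from the comment. Spelling and grammar to fix while the file is moved: "controling", "synonomous", "incoming our outgoing" (should be "or"), "interfaces IP number" and "this addresses interface" (possessives), "straight forward", and "rfc 1918" should match the "RFC" form used elsewhere.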
1477 usr.sbin/natd/natd.c
File diff suppressed because it is too large
@ -1,24 +0,0 @@
|
||||
/*
|
||||
* natd - Network Address Translation Daemon for FreeBSD.
|
||||
*
|
||||
* This software is provided free of charge, with no
|
||||
* warranty of any kind, either expressed or implied.
|
||||
* Use at your own risk.
|
||||
*
|
||||
* You may copy, modify and distribute this software (natd.h) freely.
|
||||
*
|
||||
* Ari Suutari <suutari@iki.fi>
|
||||
*
|
||||
* $Id:$
|
||||
*/
|
||||
|
||||
#define PIDFILE "/var/run/natd.pid"
|
||||
#define INPUT 1
|
||||
#define OUTPUT 2
|
||||
#define DONT_KNOW 3
|
||||
|
||||
extern void Quit (char* msg);
|
||||
extern void Warn (char* msg);
|
||||
extern int SendNeedFragIcmp (int sock, struct ip* failedDgram, int mtu);
|
||||
|
||||
|
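Review bot: `struct ip` appears in the SendNeedFragIcmp prototype without a prior declaration, so a translation unit that includes natd.h before <netinet/ip.h> gets a prototype-scoped, incompatible struct tag and a compiler warning; add `struct ip;` before the prototypes. The header also has no include guard, and `Quit` and `Warn` take `char*` although they only receive string literals (`Warn ("Cannot send ICMP message.")` in icmp.c), so `const char*` is the right parameter type.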
@ -1,94 +0,0 @@
|
||||
#
|
||||
# $Id:$
|
||||
#
|
||||
#
|
||||
# Configuration file for natd.
|
||||
#
|
||||
#
|
||||
# Enable logging to file /var/log/alias.log
|
||||
#
|
||||
log no
|
||||
#
|
||||
# Incoming connections. Should NEVER be set to "yes" if redirect_port,
|
||||
# redirect_address, or permanent_link statements are activated in this file!
|
||||
#
|
||||
# Setting to yes provides additional anti-crack protection
|
||||
#
|
||||
deny_incoming no
|
||||
#
|
||||
# Use sockets to avoid port clashes. Uses additional system resources, but
|
||||
# guarantees successful connections when port numbers conflict
|
||||
#
|
||||
use_sockets no
|
||||
#
|
||||
# Avoid port changes if possible when altering outbound packets. Makes rlogin
|
||||
# work in most cases.
|
||||
#
|
||||
same_port yes
|
||||
#
|
||||
# Verbose mode. Enables dumping of packets and disables
|
||||
# forking to background. Only set to yes for debugging.
|
||||
#
|
||||
verbose no
|
||||
#
|
||||
# Divert port. Can be a name in /etc/services or numeric value.
|
||||
#
|
||||
port 32000
|
||||
#
|
||||
# Interface name or address being aliased. Either one,
|
||||
# not both is required.
|
||||
#
|
||||
# Obtain interface name from the command output of "ifconfig -a"
|
||||
#
|
||||
# alias_address 192.168.0.1
|
||||
interface ep0
|
||||
#
|
||||
# Alias unregistered addresses or all addresses. Set this to yes if
|
||||
# the inside network is all RFC1918 addresses.
|
||||
#
|
||||
unregistered_only no
|
||||
#
|
||||
# Configure permanent links. If you use host names instead
|
||||
# of addresses here, be sure that name server works BEFORE
|
||||
# natd is up - this is usually not the case. So either use
|
||||
# numeric addresses or hosts that are in /etc/hosts.
|
||||
#
|
||||
# Note: Current versions of FreeBSD all call /etc/rc.firewall
|
||||
# BEFORE running named, so if the DNS server and NAT are on the same
|
||||
# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
|
||||
#
|
||||
# Map connections coming to port 30000 to telnet in my_private_host.
|
||||
# Remember to allow the connection /etc/rc.firewall also.
|
||||
#
|
||||
# The following permanent_link and redirect_port statements are equivalent
|
||||
#permanent_link tcp my_private_host:telnet 0.0.0.0:0 30000
|
||||
#redirect_port tcp my_private_host:telnet 30000
|
||||
#
|
||||
# Map connections coming from host.xyz.com to port 30001 to
|
||||
# telnet in another_host.
|
||||
#permanent_link tcp another_host:telnet host.xyz.com:0 30001
|
||||
#
|
||||
# Static NAT address mapping:
|
||||
#
|
||||
# ipconfig must apply any legal IP numbers that inside hosts
|
||||
# will be known by to the outside interface. These are sometimes known as
|
||||
# virtual IP numbers. It's suggested to use the "interface" directive
|
||||
# instead of the "alias_address" directive to make it more clear what is
|
||||
# going on. (although both will work)
|
||||
#
|
||||
# DNS in this situation can get hairy. For example, an inside host
|
||||
# named aweb.company.com is located at 192.168.1.56, and needs to be
|
||||
# accessible through a legal IP number like 198.105.232.1. If both
|
||||
# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
|
||||
# for aweb.company.com, then external hosts attempting to access
|
||||
# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
|
||||
#
|
||||
# The obvious solution is to use only a single address for the name, the
|
||||
# outside address. However, this creates needless traffic through the
|
||||
# NAT, because inside hosts will go through the NAT to get to the legal
|
||||
# number, even when the inside number is on the same subnet as they are!
|
||||
#
|
||||
# It's probably not a good idea to use DNS names in redirect_address statements
|
||||
#
|
||||
#The following mapping points outside address 198.105.232.1 to 192.168.1.56
|
||||
#redirect_address 192.168.1.56 198.105.232.1
|
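Review bot: `same_port yes` uses the keyword that the Changes entry for Version 1.6 says was corrected to `same_ports` and that the manual page documents as `-same_ports`, so this line does not match the documented option; change it to `same_ports yes`. The file also still documents `permanent_link`, which Version 2.0 declares obsolete in favour of `redirect_port`, and its header warns that `deny_incoming` must NEVER be yes together with redirect statements, whereas the manual page states that redirect_port and redirect_address assignments are checked and actioned before the deny_incoming decision is applied; reconcile the two, since `deny_incoming yes` is the conservative setting for a gateway and the comment steers users away from it. Typo: "ipconfig must apply" should read "ifconfig".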
@ -1,14 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ $# != 1 ]
|
||||
then
|
||||
echo "usage: natd.test ifname"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
ipfw flush
|
||||
ipfw add divert 32000 ip from any to any via $1
|
||||
ipfw add pass ip from any to any
|
||||
|
||||
./natd -port 32000 -interface $1 -verbose
|
||||
|
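Review bot: `ipfw flush` removes every rule on the host before the divert and pass-all rules are added, and natd then runs in the foreground with `-verbose`, so the machine is left with no packet filtering for the duration of the test and afterwards; a comment stating this, or saving the existing rule set first, would help anyone running it on a machine that already has rules. Minor: `$1` is unquoted in the `ipfw` and `./natd` lines and `$#` in the test; quote them. The hard-coded divert port 32000 matches the `port 32000` line in the sample natd.cf, which is worth a comment so the two stay in step.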