mirror of https://git.FreeBSD.org/src.git (synced 2024-12-24 11:29:10 +00:00)
src/usr.sbin/natd -> src/sbin/natd (after a repo-copy by jdp)
parent cad59f82df
commit 2f9a9cb08c
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=44690
@ -1,5 +1,5 @@
|
|||||||
# @(#)Makefile 8.5 (Berkeley) 3/31/94
|
# @(#)Makefile 8.5 (Berkeley) 3/31/94
|
||||||
# $Id: Makefile,v 1.65 1999/02/27 02:25:06 jkh Exp $
|
# $Id: Makefile,v 1.66 1999/02/27 10:54:06 jkh Exp $
|
||||||
|
|
||||||
# XXX MISSING: icheck ncheck
|
# XXX MISSING: icheck ncheck
|
||||||
|
|
||||||
@ -41,6 +41,7 @@ SUBDIR= adjkerntz \
|
|||||||
mount_umap \
|
mount_umap \
|
||||||
mount_union \
|
mount_union \
|
||||||
mountd \
|
mountd \
|
||||||
|
natd \
|
||||||
newfs \
|
newfs \
|
||||||
newfs_msdos \
|
newfs_msdos \
|
||||||
nfsd \
|
nfsd \
|
||||||
|
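Review bot: the new `natd \` entry between `mountd \` and `newfs \` keeps the SUBDIR list alphabetical, but it makes `make` in sbin descend into sbin/natd, a directory that exists only because of the repo-copy named in the commit title; that copy is not part of this diff, so anyone bisecting or applying this change on its own gets a build failure in sbin until the copied directory is present. The commit message should say that the repo-copy has to precede this commit.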
@ -1,5 +1,5 @@
|
|||||||
# From: @(#)Makefile 5.20 (Berkeley) 6/12/93
|
# From: @(#)Makefile 5.20 (Berkeley) 6/12/93
|
||||||
# $Id: Makefile,v 1.147 1999/01/11 18:03:54 msmith Exp $
|
# $Id: Makefile,v 1.148 1999/02/21 21:30:13 rnordier Exp $
|
||||||
|
|
||||||
# XXX MISSING: mkproto
|
# XXX MISSING: mkproto
|
||||||
SUBDIR= IPXrouted \
|
SUBDIR= IPXrouted \
|
||||||
@ -46,7 +46,6 @@ SUBDIR= IPXrouted \
|
|||||||
named \
|
named \
|
||||||
named.reload \
|
named.reload \
|
||||||
named.restart \
|
named.restart \
|
||||||
natd \
|
|
||||||
ndc \
|
ndc \
|
||||||
newsyslog \
|
newsyslog \
|
||||||
nslookup \
|
nslookup \
|
||||||
|
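Review bot: removing `natd \` here is the counterpart of the addition to the sbin SUBDIR list, and both edits have to land together (as they do in this commit); otherwise natd is either built twice, into /usr/sbin and /sbin, or not at all. Nothing in this diff removes an already installed /usr/sbin/natd or its manual page, so an upgraded system keeps a stale copy next to /sbin/natd until it is deleted by hand; worth a line in the commit message or UPDATING.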
@ -1,146 +0,0 @@
|
|||||||
* Version 0.1
|
|
||||||
|
|
||||||
Initial version of natd.
|
|
||||||
|
|
||||||
* Version 0.2
|
|
||||||
|
|
||||||
- Alias address can now be set by giving interface name with
|
|
||||||
new (-n) command-line option.
|
|
||||||
|
|
||||||
- New Makefile based on bsd.prog.mk.
|
|
||||||
|
|
||||||
- Error messages are written to syslog
|
|
||||||
after natd has become a daemon.
|
|
||||||
|
|
||||||
* Version 1.0
|
|
||||||
|
|
||||||
- Support for using only single socket (-p option)
|
|
||||||
|
|
||||||
* Version 1.1
|
|
||||||
|
|
||||||
- -a option now understands a hostname also.
|
|
||||||
- -a option no longer dumps core.
|
|
||||||
- Packet aliasing software upgraded to v. 1.9
|
|
||||||
- added long option names (like -address)
|
|
||||||
|
|
||||||
* Version 1.2
|
|
||||||
|
|
||||||
- Fixed core dump with -port option.
|
|
||||||
- Added -Wall to CFLAGS and some headers added to natd.c
|
|
||||||
to get clean compile by Brian Somers [brian@awfulhak.org].
|
|
||||||
|
|
||||||
* Version 1.3
|
|
||||||
|
|
||||||
- Aliasing address initialization is delayed until first
|
|
||||||
packet arrives. This allows natd to start up before
|
|
||||||
interface address is set.
|
|
||||||
- SIGTERM is now catched to allow kernel to close
|
|
||||||
existing connections when system is shutting down.
|
|
||||||
- SIGHUP is now catched to allow natd to refresh aliasing
|
|
||||||
address from interface, which might be useful to tun devices.
|
|
||||||
|
|
||||||
* Version 1.4
|
|
||||||
|
|
||||||
- Changed command line options to be compatible with
|
|
||||||
command names used in ppp+packetAlias package (which is the
|
|
||||||
original application using aliasing routines).
|
|
||||||
|
|
||||||
The options which map directly to packet aliasing options are:
|
|
||||||
|
|
||||||
-unregistered_only [yes|no]
|
|
||||||
-log [yes|no]
|
|
||||||
-deny_incoming [yes|no]
|
|
||||||
-use_sockets [yes|no]
|
|
||||||
-same_ports [yes|no]
|
|
||||||
|
|
||||||
The short option names are the same as in previous
|
|
||||||
releases.
|
|
||||||
|
|
||||||
- Command line parser rewritten to provide more flexible
|
|
||||||
way to support new packet aliasing options.
|
|
||||||
|
|
||||||
- Support for natd.cf configuration file has been added.
|
|
||||||
|
|
||||||
- SIGHUP no longer causes problems when running without
|
|
||||||
interface name option.
|
|
||||||
|
|
||||||
- When using -interface command line option, routing socket
|
|
||||||
is optionally listened for interface address changes. This
|
|
||||||
mode is activated by -dynamic option.
|
|
||||||
|
|
||||||
- Directory tree reorganized, alias package is now a library.
|
|
||||||
|
|
||||||
- Manual page written by Brian Somers <brian@awfulhak.org> added.
|
|
||||||
- README file updated.
|
|
||||||
|
|
||||||
* Version 1.5
|
|
||||||
|
|
||||||
- Support for sending ICMP 'need fragmentation' messages
|
|
||||||
when packet size exceeds mtu size of outgoing network interface.
|
|
||||||
|
|
||||||
- ipfw rule example in manual page fixed.
|
|
||||||
|
|
||||||
* Version 1.6
|
|
||||||
|
|
||||||
- Upgrade to new packet aliasing engine (2.1)
|
|
||||||
- redirect_port and redirect_address configuration
|
|
||||||
parameters added.
|
|
||||||
- It is no longer necessary to quote complex parameter values
|
|
||||||
in command line.
|
|
||||||
- Manual page fixed (same_port -> same_ports).
|
|
||||||
|
|
||||||
* Version 1.7
|
|
||||||
|
|
||||||
- A bug in command-line parsing fixed (it appeared due
|
|
||||||
to changes made in 1.6).
|
|
||||||
|
|
||||||
* Version 1.8
|
|
||||||
|
|
||||||
- Fixed problems with -dynamic option.
|
|
||||||
- Added /var/run/natd.pid
|
|
||||||
|
|
||||||
* Version 1.9
|
|
||||||
|
|
||||||
- Changes to manual page by
|
|
||||||
Brian Somers <brian@awfulhak.org> integrated.
|
|
||||||
- Checksum for incoming packets is always recalculated
|
|
||||||
for FreeBSD 2.2 and never recalculated for newer
|
|
||||||
versions. This should fix the problem with wrong
|
|
||||||
checksum of fragmented packets.
|
|
||||||
- Buffer space problem found by Sergio Lenzi <lenzi@bsi.com.br>
|
|
||||||
fixed. Natd now waits with select(2) for buffer space
|
|
||||||
to become available if write fails.
|
|
||||||
- Packet aliasing library upgraded to 2.2.
|
|
||||||
|
|
||||||
* Version 1.10
|
|
||||||
|
|
||||||
- Ignored incoming packets are now dropped when
|
|
||||||
deny_incoming option is set to yes.
|
|
||||||
- Packet aliasing library upgraded to 2.4.
|
|
||||||
|
|
||||||
* Version 1.11
|
|
||||||
|
|
||||||
- Code cleanup work done in FreeBSD-current development merged.
|
|
||||||
- Port numbers are now unsigned as they should always have been.
|
|
||||||
|
|
||||||
* Version 1.12
|
|
||||||
|
|
||||||
- Typos in comment fixed. Copyright message added to
|
|
||||||
source & header files that were missing it.
|
|
||||||
- A small patch to libalias to make static NAT work correctly.
|
|
||||||
|
|
||||||
* Version 2.0
|
|
||||||
|
|
||||||
- Upgrade to libalias 3.0 which gives:
|
|
||||||
- Transparent proxy support.
|
|
||||||
- permanent_link is now obsolete, use redirect_port instead.
|
|
||||||
- Drop support for early FreeBSD 2.2 versions
|
|
||||||
- If separate input & output sockets are being used
|
|
||||||
use them to find out packet direction instead of
|
|
||||||
normal mechanism. This can be handy in complex environments
|
|
||||||
with multiple interfaces.
|
|
||||||
- libalias is no longer part of this distribution.
|
|
||||||
- New sample configuration file
|
|
||||||
from Ted Mittelstaedt <tedm@portsoft.com>.
|
|
||||||
- PPTP redirect support by Dru Nelson <dnelson@redwoodsoft.com> added.
|
|
||||||
- Logging enhancements from Martin Machacek <mm@i.cz> added.
|
|
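Review bot: the ChangeLog deleted here is the only record that `permanent_link is now obsolete, use redirect_port instead` (version 2.0) and that incoming checksums are recalculated only on FreeBSD 2.2 (version 1.9); the copy under sbin/natd is not visible in this diff, so please confirm the file was carried over rather than dropped in the repo-copy. While the copied file is being touched, `SIGTERM is now catched` and `SIGHUP is now catched` (version 1.3) should read `caught`.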
@ -1,8 +0,0 @@
|
|||||||
PROG = natd
|
|
||||||
SRCS = natd.c icmp.c
|
|
||||||
CFLAGS += -Wall
|
|
||||||
LDADD = -lalias
|
|
||||||
DPADD = ${LIBALIAS}
|
|
||||||
MAN8 = natd.8
|
|
||||||
|
|
||||||
.include <bsd.prog.mk>
|
|
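Review bot: `LDADD = -lalias` with `DPADD = ${LIBALIAS}` links natd against a library that lives under /usr/lib, and that matters now that the binary moves to /sbin: a dynamically linked /sbin/natd fails to start while /usr is a separate, not-yet-mounted file system, which is exactly when rc brings up the firewall and NAT. Unless sbin/Makefile.inc already forces static linking for everything in /sbin (not visible in this diff), the copied Makefile should request it explicitly so the move does not introduce a boot-time dependency on /usr.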
@ -1,53 +0,0 @@
|
|||||||
|
|
||||||
A Network Address Translation Daemon for FreeBSD
|
|
||||||
|
|
||||||
|
|
||||||
1. WHAT IS NATD ?
|
|
||||||
|
|
||||||
This is a simple daemon based on FreeBSD divert sockets
|
|
||||||
which performs network address translation (or masquerading)
|
|
||||||
for IP packets (see related RFCs 1631 and 1918).
|
|
||||||
It is based on packet aliasing package (see README.alias)
|
|
||||||
written by Charles Mott (cmott@srv.net).
|
|
||||||
|
|
||||||
This package works with any network interface (doesn't have
|
|
||||||
to be ppp). I run it on a computer having two ethernet cards,
|
|
||||||
one connected to internet and the other one to local network.
|
|
||||||
|
|
||||||
2. GETTING IT RUNNING
|
|
||||||
|
|
||||||
1) Get FreeBSD 2.2 - I think the divert sockets are
|
|
||||||
not available on earlier versions,
|
|
||||||
|
|
||||||
2) Compile this software by executing "make".
|
|
||||||
|
|
||||||
3) Install the software by executing "make install".
|
|
||||||
|
|
||||||
4) See man natd for further instructions.
|
|
||||||
|
|
||||||
3. FTP SITES FOR NATD
|
|
||||||
|
|
||||||
This package is available at ftp://ftp.suutari.iki.fi/pub/natd.
|
|
||||||
|
|
||||||
4. AUTHORS
|
|
||||||
|
|
||||||
This program is the result of the efforts of many people
|
|
||||||
at different times:
|
|
||||||
|
|
||||||
Archie Cobbs <archie@whistle.com> Divert sockets
|
|
||||||
Charles Mott <cmott@srv.net> Packet aliasing engine
|
|
||||||
Eivind Eklund <eivind@dimaga.com> Packet aliasing engine
|
|
||||||
Ari Suutari <suutari@iki.fi> Natd
|
|
||||||
Brian Somers <brian@awfulhak.org> Manual page, glue and
|
|
||||||
bunch of good ideas.
|
|
||||||
|
|
||||||
The original package written by Charles Mott
|
|
||||||
is available at http://www.srv.net/~cmott.
|
|
||||||
It is described in README.alias.
|
|
||||||
|
|
||||||
Happy Networking - comments and fixes are welcome!
|
|
||||||
|
|
||||||
Ari S. (suutari@iki.fi)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
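Review bot: the README deleted here still describes natd as a stand-alone package: step 2 of `GETTING IT RUNNING` says to compile by executing `make`, section 3 points at `ftp://ftp.suutari.iki.fi/pub/natd`, and section 1 refers the reader to `README.alias`, which is not in this directory and, per the version 2.0 ChangeLog entry, libalias is no longer shipped with natd at all. If the copy under sbin/natd keeps this README it should be trimmed to the in-tree situation (built with the base system, documented by natd(8)) or dropped in favour of the manual page.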
@ -1,127 +0,0 @@
|
|||||||
/*
|
|
||||||
* natd - Network Address Translation Daemon for FreeBSD.
|
|
||||||
*
|
|
||||||
* This software is provided free of charge, with no
|
|
||||||
* warranty of any kind, either expressed or implied.
|
|
||||||
* Use at your own risk.
|
|
||||||
*
|
|
||||||
* You may copy, modify and distribute this software (icmp.c) freely.
|
|
||||||
*
|
|
||||||
* Ari Suutari <suutari@iki.fi>
|
|
||||||
*
|
|
||||||
* $Id:$
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include <ctype.h>
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/socket.h>
|
|
||||||
#include <sys/time.h>
|
|
||||||
#include <errno.h>
|
|
||||||
#include <signal.h>
|
|
||||||
|
|
||||||
#include <netdb.h>
|
|
||||||
|
|
||||||
#include <netinet/in.h>
|
|
||||||
#include <netinet/in_systm.h>
|
|
||||||
#include <netinet/ip.h>
|
|
||||||
#include <netinet/ip_icmp.h>
|
|
||||||
#include <machine/in_cksum.h>
|
|
||||||
|
|
||||||
#include <alias.h>
|
|
||||||
|
|
||||||
#include "natd.h"
|
|
||||||
|
|
||||||
int SendNeedFragIcmp (int sock, struct ip* failedDgram, int mtu)
|
|
||||||
{
|
|
||||||
char icmpBuf[IP_MAXPACKET];
|
|
||||||
struct ip* ip;
|
|
||||||
struct icmp* icmp;
|
|
||||||
int icmpLen;
|
|
||||||
int failBytes;
|
|
||||||
int failHdrLen;
|
|
||||||
struct sockaddr_in addr;
|
|
||||||
int wrote;
|
|
||||||
struct in_addr swap;
|
|
||||||
/*
|
|
||||||
* Don't send error if packet is
|
|
||||||
* not the first fragment.
|
|
||||||
*/
|
|
||||||
if (ntohs (failedDgram->ip_off) & ~(IP_MF | IP_DF))
|
|
||||||
return 0;
|
|
||||||
/*
|
|
||||||
* Dont respond if failed datagram is ICMP.
|
|
||||||
*/
|
|
||||||
if (failedDgram->ip_p == IPPROTO_ICMP)
|
|
||||||
return 0;
|
|
||||||
/*
|
|
||||||
* Start building the message.
|
|
||||||
*/
|
|
||||||
ip = (struct ip*) icmpBuf;
|
|
||||||
icmp = (struct icmp*) (icmpBuf + sizeof (struct ip));
|
|
||||||
/*
|
|
||||||
* Complete ICMP part.
|
|
||||||
*/
|
|
||||||
icmp->icmp_type = ICMP_UNREACH;
|
|
||||||
icmp->icmp_code = ICMP_UNREACH_NEEDFRAG;
|
|
||||||
icmp->icmp_cksum = 0;
|
|
||||||
icmp->icmp_void = 0;
|
|
||||||
icmp->icmp_nextmtu = htons (mtu);
|
|
||||||
/*
|
|
||||||
* Copy header + 64 bits of original datagram.
|
|
||||||
*/
|
|
||||||
failHdrLen = (failedDgram->ip_hl << 2);
|
|
||||||
failBytes = failedDgram->ip_len - failHdrLen;
|
|
||||||
if (failBytes > 8)
|
|
||||||
failBytes = 8;
|
|
||||||
|
|
||||||
failBytes += failHdrLen;
|
|
||||||
icmpLen = ICMP_MINLEN + failBytes;
|
|
||||||
|
|
||||||
memcpy (&icmp->icmp_ip, failedDgram, failBytes);
|
|
||||||
/*
|
|
||||||
* Calculate checksum.
|
|
||||||
*/
|
|
||||||
icmp->icmp_cksum = PacketAliasInternetChecksum ((u_short*) icmp,
|
|
||||||
icmpLen);
|
|
||||||
/*
|
|
||||||
* Add IP header using old IP header as template.
|
|
||||||
*/
|
|
||||||
memcpy (ip, failedDgram, sizeof (struct ip));
|
|
||||||
|
|
||||||
ip->ip_v = 4;
|
|
||||||
ip->ip_hl = 5;
|
|
||||||
ip->ip_len = htons (sizeof (struct ip) + icmpLen);
|
|
||||||
ip->ip_p = IPPROTO_ICMP;
|
|
||||||
ip->ip_tos = 0;
|
|
||||||
|
|
||||||
swap = ip->ip_dst;
|
|
||||||
ip->ip_dst = ip->ip_src;
|
|
||||||
ip->ip_src = swap;
|
|
||||||
|
|
||||||
PacketAliasIn ((char*) ip, IP_MAXPACKET);
|
|
||||||
|
|
||||||
addr.sin_family = AF_INET;
|
|
||||||
addr.sin_addr = ip->ip_dst;
|
|
||||||
addr.sin_port = 0;
|
|
||||||
/*
|
|
||||||
* Put packet into processing queue.
|
|
||||||
*/
|
|
||||||
wrote = sendto (sock,
|
|
||||||
icmp,
|
|
||||||
icmpLen,
|
|
||||||
0,
|
|
||||||
(struct sockaddr*) &addr,
|
|
||||||
sizeof addr);
|
|
||||||
|
|
||||||
if (wrote != icmpLen)
|
|
||||||
Warn ("Cannot send ICMP message.");
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
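Review bot: `failBytes = failedDgram->ip_len - failHdrLen;` reads `ip_len` in whatever byte order the caller delivered it, while the same function passes `ip_off` through `ntohs` just above and writes the new header's length with `htons`; settle on one convention and state which order the divert socket hands the datagram over in, otherwise this subtraction runs on a byte-swapped length (masked by the `> 8` clamp on most packets, wrong for runt datagrams). The length fields are also trusted outright: nothing checks `ip_hl >= 5` or that the datagram actually holds `failHdrLen + 8` bytes before `memcpy (&icmp->icmp_ip, failedDgram, failBytes);` copies up to 68 bytes out of it, and since the caller's buffer is not visible in this diff the bounds check belongs in this function. Lastly, the IP header rebuilt from the old one is never sent (`sendto` writes `icmp` for `icmpLen` bytes, not `ip`); it exists only so that `PacketAliasIn` can translate the destination back to the inside host, and that call's return value is ignored. A comment saying so, plus acting on the `PacketAliasIn` result before sending, would keep a later reader from turning this into an untranslated message.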
@ -1,426 +0,0 @@
|
|||||||
.\" manual page [] for natd 1.4
|
|
||||||
.\" $Id:$
|
|
||||||
.Dd 15 April 1997
|
|
||||||
.Os FreeBSD
|
|
||||||
.Dt NATD 8
|
|
||||||
.Sh NAME
|
|
||||||
.Nm natd
|
|
||||||
.Nd
|
|
||||||
Network Address Translation Daemon
|
|
||||||
.Sh SYNOPSIS
|
|
||||||
.Nm
|
|
||||||
.Op Fl ldsmvu
|
|
||||||
.Op Fl dynamic
|
|
||||||
.Op Fl i Ar inport
|
|
||||||
.Op Fl o Ar outport
|
|
||||||
.Op Fl p Ar port
|
|
||||||
.Op Fl a Ar address
|
|
||||||
.Op Fl n Ar interface
|
|
||||||
.Op Fl f Ar configfile
|
|
||||||
|
|
||||||
.Nm
|
|
||||||
.Op Fl log
|
|
||||||
.Op Fl deny_incoming
|
|
||||||
.Op Fl log_denied
|
|
||||||
.Op Fl use_sockets
|
|
||||||
.Op Fl same_ports
|
|
||||||
.Op Fl verbose
|
|
||||||
.Op Fl log_facility Ar facility_name
|
|
||||||
.Op Fl unregistered_only
|
|
||||||
.Op Fl dynamic
|
|
||||||
.Op Fl inport Ar inport
|
|
||||||
.Op Fl outport Ar outport
|
|
||||||
.Op Fl port Ar port
|
|
||||||
.Op Fl alias_address Ar address
|
|
||||||
.Op Fl interface Ar interface
|
|
||||||
.Op Fl config Ar configfile
|
|
||||||
.Op Fl redirect_port Ar linkspec
|
|
||||||
.Op Fl redirect_address Ar localIP publicIP
|
|
||||||
.Op Fl reverse
|
|
||||||
.Op Fl proxy_only
|
|
||||||
.Op Fl proxy_rule Ar proxyspec
|
|
||||||
.Op Fl pptpalias Ar localIP
|
|
||||||
|
|
||||||
.Sh DESCRIPTION
|
|
||||||
This program provides a Network Address Translation facility for use
|
|
||||||
with
|
|
||||||
.Xr divert 4
|
|
||||||
sockets under FreeBSD. Most of the command line options are available
|
|
||||||
in a single character short form or in a long form. Use of the long
|
|
||||||
form is encouraged as it makes things clearer to the casual observer.
|
|
||||||
|
|
||||||
.Pp
|
|
||||||
.Nm Natd
|
|
||||||
normally runs in the background as a daemon. It is passed raw IP packets
|
|
||||||
as they travel into and out of the machine, and will possibly change these
|
|
||||||
before re-injecting them back into the IP packet stream.
|
|
||||||
|
|
||||||
.Pp
|
|
||||||
.Nm Natd
|
|
||||||
changes all packets destined for another host so that their source
|
|
||||||
IP number is that of the current machine. For each packet changed
|
|
||||||
in this manner, an internal table entry is created to record this
|
|
||||||
fact. The source port number is also changed to indicate the
|
|
||||||
table entry applying to the packet. Packets that are received with
|
|
||||||
a target IP of the current host are checked against this internal
|
|
||||||
table. If an entry is found, it is used to determine the correct
|
|
||||||
target IP number and port to place in the packet.
|
|
||||||
|
|
||||||
.Pp
|
|
||||||
The following command line options are available.
|
|
||||||
.Bl -tag -width Fl
|
|
||||||
|
|
||||||
.It Fl log | l
|
|
||||||
Log various aliasing statistics and information to the file
|
|
||||||
.Pa /var/log/alias.log .
|
|
||||||
This file is truncated each time natd is started.
|
|
||||||
|
|
||||||
.It Fl deny_incoming | d
|
|
||||||
Reject packets destined for the current IP number that have no entry
|
|
||||||
in the internal translation table.
|
|
||||||
|
|
||||||
.It Fl log_denied
|
|
||||||
Log denied incoming packets via syslog (see also log_facility)
|
|
||||||
|
|
||||||
.It Fl log_facility Ar facility_name
|
|
||||||
Use specified log facility when logging information via syslog.
|
|
||||||
Facility names are as in
|
|
||||||
.Xr syslog.conf 5
|
|
||||||
|
|
||||||
.It Fl use_sockets | s
|
|
||||||
Allocate a
|
|
||||||
.Xr socket 2
|
|
||||||
in order to establish an FTP data or IRC DCC send connection. This
|
|
||||||
option uses more system resources, but guarantees successful connections
|
|
||||||
when port numbers conflict.
|
|
||||||
|
|
||||||
.It Fl same_ports | m
|
|
||||||
Try to keep the same port number when altering outgoing packets.
|
|
||||||
With this option, protocols such as RPC will have a better chance
|
|
||||||
of working. If it is not possible to maintain the port number, it
|
|
||||||
will be silently changed as per normal.
|
|
||||||
|
|
||||||
.It Fl verbose | v
|
|
||||||
Don't call
|
|
||||||
.Xr fork 2
|
|
||||||
or
|
|
||||||
.Xr daemon 3
|
|
||||||
on startup. Instead, stay attached to the controling terminal and
|
|
||||||
display all packet alterations to the standard output. This option
|
|
||||||
should only be used for debugging purposes.
|
|
||||||
|
|
||||||
.It Fl unregistered_only | u
|
|
||||||
Only alter outgoing packets with an unregistered source address.
|
|
||||||
According to rfc 1918, unregistered source addresses are 10.0.0.0/8,
|
|
||||||
172.16.0.0/12 and 192.168.0.0/16.
|
|
||||||
|
|
||||||
.It Fl redirect_port Ar proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]
|
|
||||||
Redirect incoming connections arriving to given port to another host and port.
|
|
||||||
Proto is either tcp or udp, targetIP is the desired target IP
|
|
||||||
number, targetPORT is the desired target PORT number, aliasPORT
|
|
||||||
is the requested PORT number and aliasIP is the aliasing address.
|
|
||||||
RemoteIP and remotePORT can be used to specify the connection
|
|
||||||
more accurately if necessary.
|
|
||||||
For example, the argument
|
|
||||||
|
|
||||||
.Ar tcp inside1:telnet 6666
|
|
||||||
|
|
||||||
means that tcp packets destined for port 6666 on this machine will
|
|
||||||
be sent to the telnet port on the inside1 machine.
|
|
||||||
|
|
||||||
.It Fl redirect_address Ar localIP publicIP
|
|
||||||
Redirect traffic for public IP address to a machine on the local
|
|
||||||
network. This function is known as "static NAT". Normally static NAT
|
|
||||||
is useful if your ISP has allocated a small block of IP addresses to you,
|
|
||||||
but it can even be used in the case of single address:
|
|
||||||
|
|
||||||
redirect_address 10.0.0.8 0.0.0.0
|
|
||||||
|
|
||||||
The above command would redirect all incoming traffic
|
|
||||||
to machine 10.0.0.8.
|
|
||||||
|
|
||||||
If several address aliases specify the same public address
|
|
||||||
as follows
|
|
||||||
|
|
||||||
redirect_address 192.168.0.2 public_addr
|
|
||||||
redirect_address 192.168.0.3 public_addr
|
|
||||||
redirect_address 192.168.0.4 public_addr
|
|
||||||
|
|
||||||
the incoming traffic will be directed to the last
|
|
||||||
translated local address (192.168.0.4), but outgoing
|
|
||||||
traffic to the first two addresses will still be aliased
|
|
||||||
to specified public address.
|
|
||||||
|
|
||||||
.It Fl dynamic
|
|
||||||
If the
|
|
||||||
.Fl n
|
|
||||||
or
|
|
||||||
.Fl interface
|
|
||||||
option is used,
|
|
||||||
.Nm
|
|
||||||
will monitor the routing socket for alterations to the
|
|
||||||
.Ar interface
|
|
||||||
passed. If the interfaces IP number is changed,
|
|
||||||
.Nm
|
|
||||||
will dynamically alter its concept of the alias address.
|
|
||||||
|
|
||||||
.It Fl i | inport Ar inport
|
|
||||||
Read from and write to
|
|
||||||
.Ar inport ,
|
|
||||||
treating all packets as packets coming into the machine.
|
|
||||||
|
|
||||||
.It Fl o | outport Ar outport
|
|
||||||
Read from and write to
|
|
||||||
.Ar outport ,
|
|
||||||
treating all packets as packets going out of the machine.
|
|
||||||
|
|
||||||
.It Fl p | port Ar port
|
|
||||||
Read from and write to
|
|
||||||
.Ar port ,
|
|
||||||
distinguishing packets as incoming our outgoing using the rules specified in
|
|
||||||
.Xr divert 4 .
|
|
||||||
If
|
|
||||||
.Ar port
|
|
||||||
is not numeric, it is searched for in the
|
|
||||||
.Pa /etc/services
|
|
||||||
database using the
|
|
||||||
.Xr getservbyname 3
|
|
||||||
function. If this flag is not specified, the divert port named natd will
|
|
||||||
be used as a default. An example entry in the
|
|
||||||
.Pa /etc/services
|
|
||||||
database would be:
|
|
||||||
|
|
||||||
natd 8668/divert # Network Address Translation socket
|
|
||||||
|
|
||||||
Refer to
|
|
||||||
.Xr services 5
|
|
||||||
for further details.
|
|
||||||
|
|
||||||
.It Fl a | alias_address Ar address
|
|
||||||
Use
|
|
||||||
.Ar address
|
|
||||||
as the alias address. If this option is not specified, the
|
|
||||||
.Fl n
|
|
||||||
or
|
|
||||||
.Fl interface
|
|
||||||
option must be used. The specified address should be the address assigned
|
|
||||||
to the public network interface.
|
|
||||||
.Pp
|
|
||||||
All data passing out through this addresses interface will be rewritten
|
|
||||||
with a source address equal to
|
|
||||||
.Ar address .
|
|
||||||
All data arriving at the interface from outside will be checked to
|
|
||||||
see if it matches any already-aliased outgoing connection. If it does,
|
|
||||||
the packet is altered accordingly. If not, all
|
|
||||||
.Fl redirect_port
|
|
||||||
and
|
|
||||||
.Fl redirect_address
|
|
||||||
assignments are checked and actioned. If no other action can be made,
|
|
||||||
and if
|
|
||||||
.Fl deny_incoming
|
|
||||||
is not specified, the packet is delivered to the local machine and port
|
|
||||||
as specified in the packet.
|
|
||||||
|
|
||||||
.It Fl n | interface Ar interface
|
|
||||||
Use
|
|
||||||
.Ar interface
|
|
||||||
to determine the alias address. If there is a possibility that the
|
|
||||||
IP number associated with
|
|
||||||
.Ar interface
|
|
||||||
may change, the
|
|
||||||
.Fl dynamic
|
|
||||||
flag should also be used. If this option is not specified, the
|
|
||||||
.Fl a
|
|
||||||
or
|
|
||||||
.Fl alias_address
|
|
||||||
flag must be used.
|
|
||||||
.Pp
|
|
||||||
The specified
|
|
||||||
.Ar interface
|
|
||||||
must be the public network interface.
|
|
||||||
.It Fl f | config Ar configfile
|
|
||||||
Read configuration from
|
|
||||||
.Ar configfile .
|
|
||||||
.Ar Configfile
|
|
||||||
contains a list of options, one per line in the same form as the
|
|
||||||
long form of the above command line flags. For example, the line
|
|
||||||
|
|
||||||
alias_address 158.152.17.1
|
|
||||||
|
|
||||||
would specify an alias address of 158.152.17.1. Options that don't
|
|
||||||
take an argument are specified with an option of
|
|
||||||
.Ar yes
|
|
||||||
or
|
|
||||||
.Ar no
|
|
||||||
in the configuration file. For example, the line
|
|
||||||
|
|
||||||
log yes
|
|
||||||
|
|
||||||
is synonomous with
|
|
||||||
.Fl log .
|
|
||||||
Empty lines and lines beginning with '#' are ignored.
|
|
||||||
|
|
||||||
.It Fl reverse
|
|
||||||
Reverse operation of natd. This can be useful in some
|
|
||||||
transparent proxying situations when outgoing traffic
|
|
||||||
is redirected to the local machine and natd is running on the
|
|
||||||
incoming interface (it usually runs on the outgoing interface).
|
|
||||||
|
|
||||||
.It Fl proxy_only
|
|
||||||
Force natd to perform transparent proxying
|
|
||||||
only. Normal address translation is not performed.
|
|
||||||
|
|
||||||
.It Fl proxy_rule Ar [type encode_ip_hdr|encode_tcp_stream] port xxxx server a.b.c.d:yyyy
|
|
||||||
Enable transparent proxying. Packets with the given port going through this
|
|
||||||
host to any other host are redirected to the given server and port.
|
|
||||||
Optionally, the original target address can be encoded into the packet. Use
|
|
||||||
.Dq encode_ip_hdr
|
|
||||||
to put this information into the IP option field or
|
|
||||||
.Dq encode_tcp_stream
|
|
||||||
to inject the data into the beginning of the TCP stream.
|
|
||||||
|
|
||||||
.It Fl pptpalias Ar localIP
|
|
||||||
Allow PPTP packets to go to the defined localIP address. PPTP is a VPN or secure
|
|
||||||
IP tunneling technology being developed primarily by Microsoft. For its encrypted traffic,
|
|
||||||
it uses an old IP encapsulation protocol called GRE (47). This
|
|
||||||
natd option will translate any traffic of this protocol to a
|
|
||||||
single, specified IP address. This would allow either one client or one server
|
|
||||||
to be serviced with natd. If you are setting up a server, don't forget to allow the TCP traffic
|
|
||||||
for the PPTP setup. For a client or server, you must allow GRE (protocol 47) if you have firewall lists active.
|
|
||||||
|
|
||||||
.El
|
|
||||||
|
|
||||||
.Sh RUNNING NATD
|
|
||||||
The following steps are necessary before attempting to run
|
|
||||||
.Nm natd :
|
|
||||||
|
|
||||||
.Bl -enum
|
|
||||||
.It
|
|
||||||
Get FreeBSD version 2.2 or higher. Versions before this do not support
|
|
||||||
.Xr divert 4
|
|
||||||
sockets.
|
|
||||||
|
|
||||||
.It
|
|
||||||
Build a custom kernel with the following options:
|
|
||||||
|
|
||||||
options IPFIREWALL
|
|
||||||
options IPDIVERT
|
|
||||||
|
|
||||||
Refer to the handbook for detailed instructions on building a custom
|
|
||||||
kernel.
|
|
||||||
|
|
||||||
.It
|
|
||||||
Ensure that your machine is acting as a gateway. This can be done by
|
|
||||||
specifying the line
|
|
||||||
|
|
||||||
gateway_enable=YES
|
|
||||||
|
|
||||||
in
|
|
||||||
.Pa /etc/rc.conf ,
|
|
||||||
or using the command
|
|
||||||
|
|
||||||
sysctl -w net.inet.ip.forwarding=1
|
|
||||||
|
|
||||||
.It
|
|
||||||
If you wish to use the
|
|
||||||
.Fl n
|
|
||||||
or
|
|
||||||
.Fl interface
|
|
||||||
flags, make sure that your interface is already configured. If, for
|
|
||||||
example, you wish to specify tun0 as your
|
|
||||||
.Ar interface ,
|
|
||||||
and you're using
|
|
||||||
.Xr ppp 8
|
|
||||||
on that interface, you must make sure that you start
|
|
||||||
.Nm ppp
|
|
||||||
prior to starting
|
|
||||||
.Nm natd .
|
|
||||||
|
|
||||||
.It
|
|
||||||
Create an entry in
|
|
||||||
.Pa /etc/services :
|
|
||||||
|
|
||||||
natd 8668/divert # Network Address Translation socket
|
|
||||||
|
|
||||||
This gives a default for the
|
|
||||||
.Fl p
|
|
||||||
or
|
|
||||||
.Fl port
|
|
||||||
flag.
|
|
||||||
|
|
||||||
.El
|
|
||||||
.Pp
|
|
||||||
Running
|
|
||||||
.Nm
|
|
||||||
is fairly straight forward. The line
|
|
||||||
|
|
||||||
natd -interface ed0
|
|
||||||
|
|
||||||
should suffice in most cases (substituting the correct interface name). Once
|
|
||||||
.Nm
|
|
||||||
is running, you must ensure that traffic is diverted to natd:
|
|
||||||
|
|
||||||
.Bl -enum
|
|
||||||
.It
|
|
||||||
You will need to adjust the
|
|
||||||
.Pa /etc/rc.firewall
|
|
||||||
script to taste. If you're not interested in having a firewall, the
|
|
||||||
following lines will do:
|
|
||||||
|
|
||||||
/sbin/ipfw -f flush
|
|
||||||
/sbin/ipfw add divert natd all from any to any via ed0
|
|
||||||
/sbin/ipfw add pass all from any to any
|
|
||||||
|
|
||||||
The second line depends on your interface (change ed0 as appropriate)
|
|
||||||
and assumes that you've updated
|
|
||||||
.Pa /etc/services
|
|
||||||
with the natd entry as above. If you specify real firewall rules, it's
|
|
||||||
best to specify line 2 at the start of the script so that
|
|
||||||
.Nm
|
|
||||||
sees all packets before they are dropped by the firewall. The firewall
|
|
||||||
rules will be run again on each packet after translation by
|
|
||||||
.Nm natd ,
|
|
||||||
minus any divert rules.
|
|
||||||
|
|
||||||
.It
|
|
||||||
Enable your firewall by setting
|
|
||||||
|
|
||||||
firewall_enable=YES
|
|
||||||
|
|
||||||
in
|
|
||||||
.Pa /etc/rc.conf .
|
|
||||||
This tells the system startup scripts to run the
|
|
||||||
.Pa /etc/rc.firewall
|
|
||||||
script. If you don't wish to reboot now, just run this by hand from the
|
|
||||||
console. NEVER run this from a virtual session unless you put it into
|
|
||||||
the background. If you do, you'll lock yourself out after the flush
|
|
||||||
takes place, and execution of
|
|
||||||
.Pa /etc/rc.firewall
|
|
||||||
will stop at this point - blocking all accesses permanently. Running
|
|
||||||
the script in the background should be enough to prevent this disaster.
|
|
||||||
|
|
||||||
.El
|
|
||||||
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr getservbyname 2 ,
|
|
||||||
.Xr socket 2 ,
|
|
||||||
.Xr divert 4 ,
|
|
||||||
.Xr services 5 ,
|
|
||||||
.Xr ipfw 8
|
|
||||||
|
|
||||||
.Sh AUTHORS
|
|
||||||
This program is the result of the efforts of many people at different
|
|
||||||
times:
|
|
||||||
|
|
||||||
.An Archie Cobbs Aq archie@whistle.com
|
|
||||||
(divert sockets)
|
|
||||||
.An Charles Mott Aq cmott@srv.net
|
|
||||||
(packet aliasing)
|
|
||||||
.An Eivind Eklund Aq perhaps@yes.no
|
|
||||||
(IRC support & misc additions)
|
|
||||||
.An Ari Suutari Aq suutari@iki.fi
|
|
||||||
(natd)
|
|
||||||
.An Dru Nelson Aq dnelson@redwoodsoft.com
|
|
||||||
(PPTP support)
|
|
||||||
.An Brian Somers Aq brian@awfulhak.org
|
|
||||||
(glue)
|
|
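Review bot: `.Xr getservbyname 2 ,` in SEE ALSO disagrees with `.Xr getservbyname 3` used under the `-p | port` option; the library function is in section 3. The preamble has `.Os FreeBSD` before `.Dt NATD 8`, whereas mdoc expects `.Dd`, `.Dt`, `.Os` in that order, and the `manual page [] for natd 1.4` comment with `.Dd 15 April 1997` is stale for a page that already documents the 2.0 options (`-reverse`, `-proxy_only`, `-proxy_rule`, `-pptpalias`). Typos to fix in the copied page: `controling`, `synonomous`, `incoming our outgoing`. On content, the RUNNING NATD example `/sbin/ipfw add pass all from any to any` is given as the no-firewall case; since the sample configuration in this same change ships `deny_incoming no`, it would help to restate next to that example what the `-a | alias_address` paragraph already says, namely that an incoming packet with no translation entry is delivered to the local host unless `-deny_incoming` is set.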
usr.sbin/natd/natd.c (1477 lines): file diff suppressed because it is too large
@ -1,24 +0,0 @@
|
|||||||
/*
|
|
||||||
* natd - Network Address Translation Daemon for FreeBSD.
|
|
||||||
*
|
|
||||||
* This software is provided free of charge, with no
|
|
||||||
* warranty of any kind, either expressed or implied.
|
|
||||||
* Use at your own risk.
|
|
||||||
*
|
|
||||||
* You may copy, modify and distribute this software (natd.h) freely.
|
|
||||||
*
|
|
||||||
* Ari Suutari <suutari@iki.fi>
|
|
||||||
*
|
|
||||||
* $Id:$
|
|
||||||
*/
|
|
||||||
|
|
||||||
#define PIDFILE "/var/run/natd.pid"
|
|
||||||
#define INPUT 1
|
|
||||||
#define OUTPUT 2
|
|
||||||
#define DONT_KNOW 3
|
|
||||||
|
|
||||||
extern void Quit (char* msg);
|
|
||||||
extern void Warn (char* msg);
|
|
||||||
extern int SendNeedFragIcmp (int sock, struct ip* failedDgram, int mtu);
|
|
||||||
|
|
||||||
|
|
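Review bot: `extern int SendNeedFragIcmp (int sock, struct ip* failedDgram, int mtu);` names `struct ip` without a forward declaration, so natd.h only compiles in files that have already included <netinet/ip.h> ahead of it (icmp.c happens to); a `struct ip;` line above the prototypes makes the header self-contained. The `Quit` and `Warn` prototypes take `char* msg` for a message that is only read; `const char*` documents that and lets callers pass literals without a cast.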
@ -1,94 +0,0 @@
|
|||||||
#
|
|
||||||
# $Id:$
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# Configuration file for natd.
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# Enable logging to file /var/log/alias.log
|
|
||||||
#
|
|
||||||
log no
|
|
||||||
#
|
|
||||||
# Incoming connections. Should NEVER be set to "yes" if redirect_port,
|
|
||||||
# redirect_address, or permanent_link statements are activated in this file!
|
|
||||||
#
|
|
||||||
# Setting to yes provides additional anti-crack protection
|
|
||||||
#
|
|
||||||
deny_incoming no
|
|
||||||
#
|
|
||||||
# Use sockets to avoid port clashes. Uses additional system resources, but
|
|
||||||
# guarantees successful connections when port numbers conflict
|
|
||||||
#
|
|
||||||
use_sockets no
|
|
||||||
#
|
|
||||||
# Avoid port changes if possible when altering outbound packets. Makes rlogin
|
|
||||||
# work in most cases.
|
|
||||||
#
|
|
||||||
same_port yes
|
|
||||||
#
|
|
||||||
# Verbose mode. Enables dumping of packets and disables
|
|
||||||
# forking to background. Only set to yes for debugging.
|
|
||||||
#
|
|
||||||
verbose no
|
|
||||||
#
|
|
||||||
# Divert port. Can be a name in /etc/services or numeric value.
|
|
||||||
#
|
|
||||||
port 32000
|
|
||||||
#
|
|
||||||
# Interface name or address being aliased. Either one,
|
|
||||||
# not both is required.
|
|
||||||
#
|
|
||||||
# Obtain interface name from the command output of "ifconfig -a"
|
|
||||||
#
|
|
||||||
# alias_address 192.168.0.1
|
|
||||||
interface ep0
|
|
||||||
#
|
|
||||||
# Alias unregistered addresses or all addresses. Set this to yes if
|
|
||||||
# the inside network is all RFC1918 addresses.
|
|
||||||
#
|
|
||||||
unregistered_only no
|
|
||||||
#
|
|
||||||
# Configure permanent links. If you use host names instead
|
|
||||||
# of addresses here, be sure that name server works BEFORE
|
|
||||||
# natd is up - this is usually not the case. So either use
|
|
||||||
# numeric addresses or hosts that are in /etc/hosts.
|
|
||||||
#
|
|
||||||
# Note: Current versions of FreeBSD all call /etc/rc.firewall
|
|
||||||
# BEFORE running named, so if the DNS server and NAT are on the same
|
|
||||||
# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
|
|
||||||
#
|
|
||||||
# Map connections coming to port 30000 to telnet in my_private_host.
|
|
||||||
# Remember to allow the connection /etc/rc.firewall also.
|
|
||||||
#
|
|
||||||
# The following permanent_link and redirect_port statements are equivalent
|
|
||||||
#permanent_link tcp my_private_host:telnet 0.0.0.0:0 30000
|
|
||||||
#redirect_port tcp my_private_host:telnet 30000
|
|
||||||
#
|
|
||||||
# Map connections coming from host.xyz.com to port 30001 to
|
|
||||||
# telnet in another_host.
|
|
||||||
#permanent_link tcp another_host:telnet host.xyz.com:0 30001
|
|
||||||
#
|
|
||||||
# Static NAT address mapping:
|
|
||||||
#
|
|
||||||
# ipconfig must apply any legal IP numbers that inside hosts
|
|
||||||
# will be known by to the outside interface. These are sometimes known as
|
|
||||||
# virtual IP numbers. It's suggested to use the "interface" directive
|
|
||||||
# instead of the "alias_address" directive to make it more clear what is
|
|
||||||
# going on. (although both will work)
|
|
||||||
#
|
|
||||||
# DNS in this situation can get hairy. For example, an inside host
|
|
||||||
# named aweb.company.com is located at 192.168.1.56, and needs to be
|
|
||||||
# accessible through a legal IP number like 198.105.232.1. If both
|
|
||||||
# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
|
|
||||||
# for aweb.company.com, then external hosts attempting to access
|
|
||||||
# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
|
|
||||||
#
|
|
||||||
# The obvious solution is to use only a single address for the name, the
|
|
||||||
# outside address. However, this creates needless traffic through the
|
|
||||||
# NAT, because inside hosts will go through the NAT to get to the legal
|
|
||||||
# number, even when the inside number is on the same subnet as they are!
|
|
||||||
#
|
|
||||||
# It's probably not a good idea to use DNS names in redirect_address statements
|
|
||||||
#
|
|
||||||
#The following mapping points outside address 198.105.232.1 to 192.168.1.56
|
|
||||||
#redirect_address 192.168.1.56 198.105.232.1
|
|
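Review bot: `same_port yes` uses a keyword the manual page in this same change does not know: natd(8) documents `-same_ports`, and the version 1.6 ChangeLog entry records the manual being corrected from `same_port` to `same_ports`, so this sample line was never updated to match and will not do what its comment promises (how natd treats an unknown option is not visible here; a rejected config and a silently ignored line are both bad for a shipped sample). The `deny_incoming` comment, that it should never be `yes` when redirect_port, redirect_address or permanent_link statements are active, contradicts the `-a | alias_address` paragraph of natd(8), which says redirect assignments are checked and actioned before `-deny_incoming` is consulted; one of the two is wrong, and if the manual is right the sample should recommend `deny_incoming yes` as the safer default instead of warning against it. `permanent_link` is obsolete per the 2.0 ChangeLog entry, so the commented examples should show only the `redirect_port` form. Also `ipconfig must apply any legal IP numbers` presumably means `ifconfig`.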
@ -1,14 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
if [ $# != 1 ]
|
|
||||||
then
|
|
||||||
echo "usage: natd.test ifname"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
ipfw flush
|
|
||||||
ipfw add divert 32000 ip from any to any via $1
|
|
||||||
ipfw add pass ip from any to any
|
|
||||||
|
|
||||||
./natd -port 32000 -interface $1 -verbose
|
|
||||||
|
|
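Review bot: `ipfw flush` without `-f` asks for confirmation when run from a terminal, so this test script stalls at its first command before it ever installs the divert rule; the manual page in this same change uses `/sbin/ipfw -f flush`, and the script should do the same. `$1` is used unquoted in `via $1` and `-interface $1`, and `./natd` is a relative path that only works from the build directory. The script also ends with `pass ip from any to any` behind the divert rule, which matches the manual's no-firewall example, but as it is meant to run on a live interface a comment that it leaves the host with no filtering at all would be appropriate, as would the manual's warning that a flush run from anything but the console (or not backgrounded) locks the operator out.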