Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
NATD(8)			  BSD System Manager's Manual		       NATD(8)

     natd -- Network Address Translation Daemon

     natd [-ldsmvu] [-permanent_link] [-dynamic] [-i inport] [-o outport]
	  [-p port] [-a	address] [-n interface]	[-f configfile]

     natd [-log] [-deny_incoming] [-use_sockets] [-same_ports] [-verbose]
	  [-unregistered_only] [-permanent_link] [-dynamic] [-inport inport]
	  [-outport outport] [-port port] [-alias_address address]
	  [-interface interface] [-config configfile]
	  [-redirect_port linkspec] [-redirect_address localIP publicIP]

     This program provides a Network Address Translation facility for use with
     divert(4) sockets under FreeBSD.  Most of the command line	options	are
     available in a single character short form	or in a	long form.  Use	of the
     long form is encouraged as	it makes things	clearer	to the casual ob-

     Natd normally runs	in the background as a daemon.	It is passed raw IP
     packets as	they travel into and out of the	machine, and will possibly
     change these before re-injecting them back	into the IP packet stream.

     Natd changes all packets destined for another host	so that	their source
     IP	number is that of the current machine.	For each packet	changed	in
     this manner, an internal table entry is created to	record this fact.  The
     source port number	is also	changed	to indicate the	table entry applying
     to	the packet.  Packets that are received with a target IP	of the current
     host are checked against this internal table.  If an entry	is found, it
     is	used to	determine the correct target IP	number and port	to place in
     the packet.

     The following command line	options	are available.

     -log | -l	 Log various aliasing statistics and information to the	file
		 /var/log/alias.log.  This file	is truncated each time natd is

     -deny_incoming | -d
		 Reject	packets	destined for the current IP number that	have
		 no entry in the internal translation table.

     -use_sockets | -s
		 Allocate a socket(2) in order to establish an FTP data	or IRC
		 DCC send connection.  This option uses	more system resources,
		 but guarantees	successful connections when port numbers con-

     -same_ports | -m
		 Try to	keep the same port number when altering	outgoing pack-
		 ets.  With this option, protocols such	as RPC will have a
		 better	chance of working.  If it is not possible to maintain
		 the port number, it will be silently changed as per normal.

     -verbose |	-v
		 Don't call fork(2) or daemon(3) on startup.  Instead, stay
		 attached to the controling terminal and display all packet
		 alterations to	the standard output.  This option should only
		 be used for debugging purposes.

     -unregistered_only	| -u
		 Only alter outgoing packets with an unregistered source ad-
		 dress.	 According to rfc 1918,	unregistered source addresses
		 are, and

     -redirect_port linkspec
		 Redirect incoming connections arriving	to given port to an-
		 other host and	port.  Linkspec	is of the form

		   proto targetIP:targetPORT [aliasIP:]aliasPORT [re-

		 where proto is	either tcp or udp, targetIP is the desired
		 target	IP number, targetPORT is the desired target PORT num-
		 ber, aliasPORT	is the requested PORT number and aliasIP is
		 the aliasing address.	RemoteIP and remotePORT	can be used to
		 specify the connection	more accurately	if necessary.  For ex-
		 ample,	the argument

		 tcp inside1:telnet 6666

		 means that tcp	packets	destined for port 6666 on this machine
		 will be sent to the telnet port on the	inside1	machine.

     -redirect_address localIP publicIP
		 Redirect traffic for public IP	address	to a machine on	the
		 local network.	This function is known as "static NAT".	Nor-
		 mally static NAT is useful if your ISP	has allocated a	small
		 block of IP addresses to you, but it can even be used in the
		 case of single	address:


		 The above command would redirect all incoming traffic to ma-

		 If several address aliases specify the	same public address as

		   redirect_address	public_addr
		   redirect_address	public_addr
		   redirect_address	public_addr

		 the incoming traffic will be directed to the last translated
		 local address (, but outgoing traffic to the
		 first two addresses will still	be aliased to specified	public

     -permanent_link linkspec
		 Create	a permanent entry in the internal alias	table.
		 Linkspec is of	the form

		   proto targetIP:targetPORT sourceIP:sourcePORT aliasPORT

		 where proto is	either tcp or udp, targetIP is the desired
		 target	IP number, targetPORT is the desired target PORT num-
		 ber, sourceIP and sourcePORT match the	incoming packet, and
		 aliasPORT is the requested PORT number.  Values of zero are
		 considered as wildcards.  For example,	the argument

		 tcp inside1:telnet outside1:0 6666

		 means that tcp	packets	destined for port 6666 on this machine
		 from the outside1 machine (any	port) will be sent to the tel-
		 net port on the inside1 machine.

		 New installations are encouraged to use redirect_port in-

     -dynamic	 If the	-n or -interface option	is used, natd will monitor the
		 routing socket	for alterations	to the interface passed.  If
		 the interfaces	IP number is changed, natd will	dynamically
		 alter its concept of the alias	address.

     -i	| -inport inport
		 Read from and write to	inport,	treating all packets as	pack-
		 ets coming into the machine.

     -o	| -outport outport
		 Read from and write to	outport, treating all packets as pack-
		 ets going out of the machine.

     -p	| -port	port
		 Read from and write to	port, distinguishing packets as	incom-
		 ing our outgoing using	the rules specified in divert(4).  If
		 port is not numeric, it is searched for in the	/etc/services
		 database using	the getservbyname(3) function.	If this	flag
		 is not	specified, the divert port named natd will be used as
		 a default.  An	example	entry in the /etc/services database
		 would be:

		   natd	  8668/divert  # Network Address Translation socket

		 Refer to services(5) for further details.

     -a	| -alias_address address
		 Use address as	the alias address.  If this option is not
		 specified, the	-n or -interface option	must be	used.  The
		 specified address should be the address assigned to the pub-
		 lic network interface.

		 All data passing out through this addresses interface will be
		 rewritten with	a source address equal to address.  All	data
		 arriving at the interface from	outside	will be	checked	to see
		 if it matches any already-aliased outgoing connection.	 If it
		 does, the packet is altered accordingly.  If not, all
		 -redirect_port	and -redirect_address assignments are checked
		 and actioned.	If no other action can be made,	and if
		 -deny_incoming	is not specified, the packet is	delivered to
		 the local machine and port as specified in the	packet.

     -n	| -interface interface
		 Use interface to determine the	alias address.	If there is a
		 possibility that the IP number	associated with	interface may
		 change, the -dynamic flag should also be used.	 If this op-
		 tion is not specified,	the -a or -alias_address flag must be

		 The specified interface must be the public network interface.

     -f	| -config configfile
		 Read configuration from configfile.  Configfile contains a
		 list of options, one per line in the same form	as the long
		 form of the above command line	flags.	For example, the line


		 would specify an alias	address	of  Options that
		 don't take an argument	are specified with an option of	yes or
		 no in the configuration file.	For example, the line

		   log yes

		 is synonomous with -log.  Empty lines and lines beginning
		 with '#' are ignored.

     The following steps are necessary before attempting to run	natd:

     1.	  Get FreeBSD version 2.2 or higher.  Versions before this do not sup-
	  port divert(4) sockets.

     2.	  Build	a custom kernel	with the following options:

	    options IPFIREWALL
	    options IPDIVERT

	  Refer	to the handbook	for detailed instructions on building a	custom

     3.	  Ensure that your machine is acting as	a gateway.  This can be	done
	  by specifying	the line


	  in /etc/rc.conf, or using the	command

	    sysctl -w net.inet.ip.forwarding=1

     4.	  If you wish to use the -n or -interface flags, make sure that	your
	  interface is already configured.  If,	for example, you wish to spec-
	  ify tun0 as your interface, and you're using ppp(8) on that inter-
	  face,	you must make sure that	you start ppp prior to starting	natd.

     5.	  Create an entry in /etc/services:

	    natd	  8668/divert  # Network Address Translation socket

	  This gives a default for the -p or -port flag.

     Running natd is fairly straight forward.  The line

       natd -interface ed0

     should suffice in most cases (substituting	the correct interface name).
     Once natd is running, you must ensure that	traffic	is diverted to natd:

     1.	  You will need	to adjust the /etc/rc.firewall script to taste.	 If
	  you're not interested	in having a firewall, the following lines will

	    /sbin/ipfw -f flush
	    /sbin/ipfw add divert natd all from	any to any via ed0
	    /sbin/ipfw add pass	all from any to	any

	  The second line depends on your interface (change ed0	as appropri-
	  ate) and assumes that	you've updated /etc/services with the natd en-
	  try as above.	 If you	specify	real firewall rules, it's best to
	  specify line 2 at the	start of the script so that natd sees all
	  packets before they are dropped by the firewall.  The	firewall rules
	  will be run again on each packet after translation by	natd, minus
	  any divert rules.

     2.	  Enable your firewall by setting


	  in /etc/rc.conf.  This tells the system startup scripts to run the
	  /etc/rc.firewall script.  If you don't wish to reboot	now, just run
	  this by hand from the	console.  NEVER	run this from a	virtual	ses-
	  sion unless you put it into the background.  If you do, you'll lock
	  yourself out after the flush takes place, and	execution of
	  /etc/rc.firewall will	stop at	this point - blocking all accesses
	  permanently.	Running	the script in the background should be enough
	  to prevent this disaster.

     getservbyname(2), socket(2), divert(4), services(5), ipfw(8)

     This program is the result	of the efforts of many people at different

     Archie Cobbs <> (divert sockets)
     Charles Mott <> (packet aliasing)
     Eivind Eklund <> (IRC support & misc	additions)
     Ari Suutari <> (natd)
     Brian Somers <> (glue)

FreeBSD				 15 April 1997			       FreeBSD


Want to link to this manual page? Use this URL:

home | help