mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-24 10:52:36 +01:00
831 lines
21 KiB
Groff
831 lines
21 KiB
Groff
.\" $FreeBSD$
|
|
.Dd June 23, 2008
|
|
.Dt NATD 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm natd
|
|
.Nd Network Address Translation daemon
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Bk -words
|
|
.Op Fl unregistered_only | u
|
|
.Op Fl log | l
|
|
.Op Fl proxy_only
|
|
.Op Fl reverse
|
|
.Op Fl deny_incoming | d
|
|
.Op Fl use_sockets | s
|
|
.Op Fl same_ports | m
|
|
.Op Fl verbose | v
|
|
.Op Fl dynamic
|
|
.Op Fl in_port | i Ar port
|
|
.Op Fl out_port | o Ar port
|
|
.Op Fl port | p Ar port
|
|
.Op Fl alias_address | a Ar address
|
|
.Op Fl target_address | t Ar address
|
|
.Op Fl interface | n Ar interface
|
|
.Op Fl proxy_rule Ar proxyspec
|
|
.Op Fl redirect_port Ar linkspec
|
|
.Op Fl redirect_proto Ar linkspec
|
|
.Op Fl redirect_address Ar linkspec
|
|
.Op Fl config | f Ar configfile
|
|
.Op Fl instance Ar instancename
|
|
.Op Fl globalport Ar port
|
|
.Op Fl log_denied
|
|
.Op Fl log_facility Ar facility_name
|
|
.Op Fl punch_fw Ar firewall_range
|
|
.Op Fl skinny_port Ar port
|
|
.Op Fl log_ipfw_denied
|
|
.Op Fl pid_file | P Ar pidfile
|
|
.Op Fl exit_delay | P Ar ms
|
|
.Ek
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
utility provides a Network Address Translation facility for use
|
|
with
|
|
.Xr divert 4
|
|
sockets under
|
|
.Fx .
|
|
.Pp
|
|
(If you need NAT on a PPP link,
|
|
.Xr ppp 8
|
|
provides the
|
|
.Fl nat
|
|
option that gives most of the
|
|
.Nm
|
|
functionality, and uses the same
|
|
.Xr libalias 3
|
|
library.)
|
|
.Pp
|
|
The
|
|
.Nm
|
|
utility normally runs in the background as a daemon.
|
|
It is passed raw IP packets as they travel into and out of the machine,
|
|
and will possibly change these before re-injecting them back into the
|
|
IP packet stream.
|
|
.Pp
|
|
It changes all packets destined for another host so that their source
|
|
IP address is that of the current machine.
|
|
For each packet changed in this manner, an internal table entry is
|
|
created to record this fact.
|
|
The source port number is also changed to indicate the table entry
|
|
applying to the packet.
|
|
Packets that are received with a target IP of the current host are
|
|
checked against this internal table.
|
|
If an entry is found, it is used to determine the correct target IP
|
|
address and port to place in the packet.
|
|
.Pp
|
|
The following command line options are available:
|
|
.Bl -tag -width Fl
|
|
.It Fl log | l
|
|
Log various aliasing statistics and information to the file
|
|
.Pa /var/log/alias.log .
|
|
This file is truncated each time
|
|
.Nm
|
|
is started.
|
|
.It Fl deny_incoming | d
|
|
Do not pass incoming packets that have no
|
|
entry in the internal translation table.
|
|
.Pp
|
|
If this option is not used, then such a packet will be altered
|
|
using the rules in
|
|
.Fl target_address
|
|
below, and the entry will be made in the internal translation table.
|
|
.It Fl log_denied
|
|
Log denied incoming packets via
|
|
.Xr syslog 3
|
|
(see also
|
|
.Fl log_facility ) .
|
|
.It Fl log_facility Ar facility_name
|
|
Use specified log facility when logging information via
|
|
.Xr syslog 3 .
|
|
Argument
|
|
.Ar facility_name
|
|
is one of the keywords specified in
|
|
.Xr syslog.conf 5 .
|
|
.It Fl use_sockets | s
|
|
Allocate a
|
|
.Xr socket 2
|
|
in order to establish an FTP data or IRC DCC send connection.
|
|
This option uses more system resources, but guarantees successful
|
|
connections when port numbers conflict.
|
|
.It Fl same_ports | m
|
|
Try to keep the same port number when altering outgoing packets.
|
|
With this option, protocols such as RPC will have a better chance
|
|
of working.
|
|
If it is not possible to maintain the port number, it will be silently
|
|
changed as per normal.
|
|
.It Fl verbose | v
|
|
Do not call
|
|
.Xr daemon 3
|
|
on startup.
|
|
Instead, stay attached to the controlling terminal and display all packet
|
|
alterations to the standard output.
|
|
This option should only be used for debugging purposes.
|
|
.It Fl unregistered_only | u
|
|
Only alter outgoing packets with an
|
|
.Em unregistered
|
|
source address.
|
|
According to RFC 1918, unregistered source addresses are 10.0.0.0/8,
|
|
172.16.0.0/12 and 192.168.0.0/16.
|
|
.It Fl redirect_port Ar proto Xo
|
|
.Ar targetIP Ns : Ns Xo
|
|
.Ar targetPORT Ns Oo - Ns Ar targetPORT Oc Xc
|
|
.Oo Ar aliasIP Ns : Oc Ns Xo
|
|
.Ar aliasPORT Ns Oo - Ns Ar aliasPORT Oc Xc
|
|
.Oo Ar remoteIP Ns Oo : Ns
|
|
.Ar remotePORT Ns Op - Ns Ar remotePORT
|
|
.Oc Oc
|
|
.Xc
|
|
Redirect incoming connections arriving to given port(s) to another host
|
|
and port(s).
|
|
Argument
|
|
.Ar proto
|
|
is either
|
|
.Ar tcp
|
|
or
|
|
.Ar udp ,
|
|
.Ar targetIP
|
|
is the desired target IP address,
|
|
.Ar targetPORT
|
|
is the desired target port number or range,
|
|
.Ar aliasPORT
|
|
is the requested port number or range, and
|
|
.Ar aliasIP
|
|
is the aliasing address.
|
|
Arguments
|
|
.Ar remoteIP
|
|
and
|
|
.Ar remotePORT
|
|
can be used to specify the connection more accurately if necessary.
|
|
If
|
|
.Ar remotePORT
|
|
is not specified, it is assumed to be all ports.
|
|
.Pp
|
|
Arguments
|
|
.Ar targetIP , aliasIP
|
|
and
|
|
.Ar remoteIP
|
|
can be given as IP addresses or as hostnames.
|
|
The
|
|
.Ar targetPORT , aliasPORT
|
|
and
|
|
.Ar remotePORT
|
|
ranges need not be the same numerically, but must have the same size.
|
|
When
|
|
.Ar targetPORT , aliasPORT
|
|
or
|
|
.Ar remotePORT
|
|
specifies a singular value (not a range), it can be given as a service
|
|
name that is searched for in the
|
|
.Xr services 5
|
|
database.
|
|
.Pp
|
|
For example, the argument
|
|
.Pp
|
|
.Dl Ar tcp inside1:telnet 6666
|
|
.Pp
|
|
means that incoming TCP packets destined for port 6666 on this machine
|
|
will be sent to the telnet port on the inside1 machine.
|
|
.Pp
|
|
.Dl Ar tcp inside2:2300-2399 3300-3399
|
|
.Pp
|
|
will redirect incoming connections on ports 3300-3399 to host
|
|
inside2, ports 2300-2399.
|
|
The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
|
|
.It Fl redirect_proto Ar proto localIP Oo
|
|
.Ar publicIP Op Ar remoteIP
|
|
.Oc
|
|
Redirect incoming IP packets of protocol
|
|
.Ar proto
|
|
(see
|
|
.Xr protocols 5 )
|
|
destined for
|
|
.Ar publicIP
|
|
address to a
|
|
.Ar localIP
|
|
address and vice versa.
|
|
.Pp
|
|
If
|
|
.Ar publicIP
|
|
is not specified, then the default aliasing address is used.
|
|
If
|
|
.Ar remoteIP
|
|
is specified, then only packets coming from/to
|
|
.Ar remoteIP
|
|
will match the rule.
|
|
.It Fl redirect_address Ar localIP publicIP
|
|
Redirect traffic for public IP address to a machine on the local
|
|
network.
|
|
This function is known as
|
|
.Em static NAT .
|
|
Normally static NAT is useful if your ISP has allocated a small block
|
|
of IP addresses to you, but it can even be used in the case of single
|
|
address:
|
|
.Pp
|
|
.Dl Ar redirect_address 10.0.0.8 0.0.0.0
|
|
.Pp
|
|
The above command would redirect all incoming traffic
|
|
to machine 10.0.0.8.
|
|
.Pp
|
|
If several address aliases specify the same public address
|
|
as follows
|
|
.Bd -literal -offset indent
|
|
redirect_address 192.168.0.2 public_addr
|
|
redirect_address 192.168.0.3 public_addr
|
|
redirect_address 192.168.0.4 public_addr
|
|
.Ed
|
|
.Pp
|
|
the incoming traffic will be directed to the last
|
|
translated local address (192.168.0.4), but outgoing
|
|
traffic from the first two addresses will still be aliased
|
|
to appear from the specified
|
|
.Ar public_addr .
|
|
.It Fl redirect_port Ar proto Xo
|
|
.Ar targetIP Ns : Ns Xo
|
|
.Ar targetPORT Ns Oo , Ns
|
|
.Ar targetIP Ns : Ns Xo
|
|
.Ar targetPORT Ns Oo , Ns
|
|
.Ar ...\&
|
|
.Oc Xc Oc Xc
|
|
.Oo Ar aliasIP Ns : Oc Ns Xo
|
|
.Ar aliasPORT
|
|
.Xc
|
|
.Oo Ar remoteIP Ns
|
|
.Op : Ns Ar remotePORT
|
|
.Oc
|
|
.Xc
|
|
.It Fl redirect_address Xo
|
|
.Ar localIP Ns Oo , Ns
|
|
.Ar localIP Ns Oo , Ns
|
|
.Ar ...\&
|
|
.Oc Oc
|
|
.Ar publicIP
|
|
.Xc
|
|
These forms of
|
|
.Fl redirect_port
|
|
and
|
|
.Fl redirect_address
|
|
are used to transparently offload network load on a single server and
|
|
distribute the load across a pool of servers.
|
|
This function is known as
|
|
.Em LSNAT
|
|
(RFC 2391).
|
|
For example, the argument
|
|
.Pp
|
|
.Dl Ar tcp www1:http,www2:http,www3:http www:http
|
|
.Pp
|
|
means that incoming HTTP requests for host www will be transparently
|
|
redirected to one of the www1, www2 or www3, where a host is selected
|
|
simply on a round-robin basis, without regard to load on the net.
|
|
.It Fl dynamic
|
|
If the
|
|
.Fl n
|
|
or
|
|
.Fl interface
|
|
option is used,
|
|
.Nm
|
|
will monitor the routing socket for alterations to the
|
|
.Ar interface
|
|
passed.
|
|
If the interface's IP address is changed,
|
|
.Nm
|
|
will dynamically alter its concept of the alias address.
|
|
.It Fl in_port | i Ar port
|
|
Read from and write to
|
|
.Xr divert 4
|
|
port
|
|
.Ar port ,
|
|
treating all packets as
|
|
.Dq incoming .
|
|
.It Fl out_port | o Ar port
|
|
Read from and write to
|
|
.Xr divert 4
|
|
port
|
|
.Ar port ,
|
|
treating all packets as
|
|
.Dq outgoing .
|
|
.It Fl port | p Ar port
|
|
Read from and write to
|
|
.Xr divert 4
|
|
port
|
|
.Ar port ,
|
|
distinguishing packets as
|
|
.Dq incoming
|
|
or
|
|
.Dq outgoing
|
|
using the rules specified in
|
|
.Xr divert 4 .
|
|
If
|
|
.Ar port
|
|
is not numeric, it is searched for in the
|
|
.Xr services 5
|
|
database.
|
|
If this option is not specified, the divert port named
|
|
.Ar natd
|
|
will be used as a default.
|
|
.It Fl alias_address | a Ar address
|
|
Use
|
|
.Ar address
|
|
as the aliasing address.
|
|
Either this or the
|
|
.Fl interface
|
|
option must be used (but not both),
|
|
if the
|
|
.Fl proxy_only
|
|
option is not specified.
|
|
The specified address is usually the address assigned to the
|
|
.Dq public
|
|
network interface.
|
|
.Pp
|
|
All data passing
|
|
.Em out
|
|
will be rewritten with a source address equal to
|
|
.Ar address .
|
|
All data coming
|
|
.Em in
|
|
will be checked to see if it matches any already-aliased outgoing
|
|
connection.
|
|
If it does, the packet is altered accordingly.
|
|
If not, all
|
|
.Fl redirect_port ,
|
|
.Fl redirect_proto
|
|
and
|
|
.Fl redirect_address
|
|
assignments are checked and actioned.
|
|
If no other action can be made and if
|
|
.Fl deny_incoming
|
|
is not specified, the packet is delivered to the local machine
|
|
using the rules specified in
|
|
.Fl target_address
|
|
option below.
|
|
.It Fl t | target_address Ar address
|
|
Set the target address.
|
|
When an incoming packet not associated with any pre-existing link
|
|
arrives at the host machine, it will be sent to the specified
|
|
.Ar address .
|
|
.Pp
|
|
The target address may be set to
|
|
.Ar 255.255.255.255 ,
|
|
in which case all new incoming packets go to the alias address set by
|
|
.Fl alias_address
|
|
or
|
|
.Fl interface .
|
|
.Pp
|
|
If this option is not used, or called with the argument
|
|
.Ar 0.0.0.0 ,
|
|
then all new incoming packets go to the address specified in
|
|
the packet.
|
|
This allows external machines to talk directly to internal machines if
|
|
they can route packets to the machine in question.
|
|
.It Fl interface | n Ar interface
|
|
Use
|
|
.Ar interface
|
|
to determine the aliasing address.
|
|
If there is a possibility that the IP address associated with
|
|
.Ar interface
|
|
may change, the
|
|
.Fl dynamic
|
|
option should also be used.
|
|
If this option is not specified, the
|
|
.Fl alias_address
|
|
option must be used.
|
|
.Pp
|
|
The specified
|
|
.Ar interface
|
|
is usually the
|
|
.Dq public
|
|
(or
|
|
.Dq external )
|
|
network interface.
|
|
.It Fl config | f Ar file
|
|
Read configuration from
|
|
.Ar file .
|
|
A
|
|
.Ar file
|
|
should contain a list of options, one per line, in the same form
|
|
as the long form of the above command line options.
|
|
For example, the line
|
|
.Pp
|
|
.Dl alias_address 158.152.17.1
|
|
.Pp
|
|
would specify an alias address of 158.152.17.1.
|
|
Options that do not take an argument are specified with an argument of
|
|
.Ar yes
|
|
or
|
|
.Ar no
|
|
in the configuration file.
|
|
For example, the line
|
|
.Pp
|
|
.Dl log yes
|
|
.Pp
|
|
is synonymous with
|
|
.Fl log .
|
|
.Pp
|
|
Options can be divided to several sections.
|
|
Each section applies to own
|
|
.Nm
|
|
instance.
|
|
This ability allows to configure one
|
|
.Nm
|
|
process for several NAT instances.
|
|
The first instance that always exists is a "default" instance.
|
|
Each another instance should begin with
|
|
.Pp
|
|
.Dl instance Ar instance_name
|
|
.Pp
|
|
At the next should be placed a configuration option.
|
|
Example:
|
|
.Pp
|
|
.Dl \&# default instance
|
|
.Dl port 8668
|
|
.Dl alias_address 158.152.17.1
|
|
.Pp
|
|
.Dl \&# second instance
|
|
.Dl instance dsl1
|
|
.Dl port 8888
|
|
.Dl alias_address 192.168.0.1
|
|
.Pp
|
|
Trailing spaces and empty lines are ignored.
|
|
A
|
|
.Ql \&#
|
|
sign will mark the rest of the line as a comment.
|
|
.It Fl instance Ar instancename
|
|
This option switches command line options processing to configure instance
|
|
.Ar instancename
|
|
(creating it if necessary) till the next
|
|
.Fl instance
|
|
option or end of command line.
|
|
It is easier to set up multiple instances in the configuration file
|
|
specified with the
|
|
.Fl config
|
|
option rather than on a command line.
|
|
.It Fl globalport Ar port
|
|
Read from and write to
|
|
.Xr divert 4
|
|
port
|
|
.Ar port ,
|
|
treating all packets as
|
|
.Dq outgoing .
|
|
This option is intended to be used with multiple instances:
|
|
packets received on this port are checked against
|
|
internal translation tables of every configured instance.
|
|
If an entry is found, packet is aliased according to that entry.
|
|
If no entry was found in any of the instances, packet is passed
|
|
unchanged, and no new entry will be created.
|
|
See the section
|
|
.Sx MULTIPLE INSTANCES
|
|
for more details.
|
|
.It Fl reverse
|
|
This option makes
|
|
.Nm
|
|
reverse the way it handles
|
|
.Dq incoming
|
|
and
|
|
.Dq outgoing
|
|
packets, allowing it to operate on the
|
|
.Dq internal
|
|
network interface rather than the
|
|
.Dq external
|
|
one.
|
|
.Pp
|
|
This can be useful in some transparent proxying situations
|
|
when outgoing traffic is redirected to the local machine
|
|
and
|
|
.Nm
|
|
is running on the internal interface (it usually runs on the
|
|
external interface).
|
|
.It Fl proxy_only
|
|
Force
|
|
.Nm
|
|
to perform transparent proxying only.
|
|
Normal address translation is not performed.
|
|
.It Fl proxy_rule Xo
|
|
.Op Ar type encode_ip_hdr | encode_tcp_stream
|
|
.Ar port xxxx
|
|
.Ar server a.b.c.d:yyyy
|
|
.Xc
|
|
Enable transparent proxying.
|
|
Outgoing TCP packets with the given port going through this
|
|
host to any other host are redirected to the given server and port.
|
|
Optionally, the original target address can be encoded into the packet.
|
|
Use
|
|
.Ar encode_ip_hdr
|
|
to put this information into the IP option field or
|
|
.Ar encode_tcp_stream
|
|
to inject the data into the beginning of the TCP stream.
|
|
.It Fl punch_fw Xo
|
|
.Ar basenumber Ns : Ns Ar count
|
|
.Xc
|
|
This option directs
|
|
.Nm
|
|
to
|
|
.Dq punch holes
|
|
in an
|
|
.Xr ipfirewall 4
|
|
based firewall for FTP/IRC DCC connections.
|
|
This is done dynamically by installing temporary firewall rules which
|
|
allow a particular connection (and only that connection) to go through
|
|
the firewall.
|
|
The rules are removed once the corresponding connection terminates.
|
|
.Pp
|
|
A maximum of
|
|
.Ar count
|
|
rules starting from the rule number
|
|
.Ar basenumber
|
|
will be used for punching firewall holes.
|
|
The range will be cleared for all rules on startup.
|
|
This option has no effect when the kernel is in security
|
|
level 3, see
|
|
.Xr init 8
|
|
for more information.
|
|
.It Fl skinny_port Ar port
|
|
This option allows you to specify the TCP port used for
|
|
the Skinny Station protocol.
|
|
Skinny is used by Cisco IP phones to communicate with
|
|
Cisco Call Managers to set up voice over IP calls.
|
|
By default, Skinny aliasing is not performed.
|
|
The typical port value for Skinny is 2000.
|
|
.It Fl log_ipfw_denied
|
|
Log when a packet cannot be re-injected because an
|
|
.Xr ipfw 8
|
|
rule blocks it.
|
|
This is the default with
|
|
.Fl verbose .
|
|
.It Fl pid_file | P Ar file
|
|
Specify an alternate file in which to store the process ID.
|
|
The default is
|
|
.Pa /var/run/natd.pid .
|
|
.It Fl exit_delay Ar ms
|
|
Specify delay in ms before daemon exit after signal.
|
|
The default is
|
|
.Pa 10000 .
|
|
.El
|
|
.Sh RUNNING NATD
|
|
The following steps are necessary before attempting to run
|
|
.Nm :
|
|
.Bl -enum
|
|
.It
|
|
Build a custom kernel with the following options:
|
|
.Bd -literal -offset indent
|
|
options IPFIREWALL
|
|
options IPDIVERT
|
|
.Ed
|
|
.Pp
|
|
Refer to the handbook for detailed instructions on building a custom
|
|
kernel.
|
|
.It
|
|
Ensure that your machine is acting as a gateway.
|
|
This can be done by specifying the line
|
|
.Pp
|
|
.Dl gateway_enable=YES
|
|
.Pp
|
|
in the
|
|
.Pa /etc/rc.conf
|
|
file or using the command
|
|
.Pp
|
|
.Dl "sysctl net.inet.ip.forwarding=1"
|
|
.It
|
|
If you use the
|
|
.Fl interface
|
|
option, make sure that your interface is already configured.
|
|
If, for example, you wish to specify
|
|
.Ql tun0
|
|
as your
|
|
.Ar interface ,
|
|
and you are using
|
|
.Xr ppp 8
|
|
on that interface, you must make sure that you start
|
|
.Nm ppp
|
|
prior to starting
|
|
.Nm .
|
|
.El
|
|
.Pp
|
|
Running
|
|
.Nm
|
|
is fairly straight forward.
|
|
The line
|
|
.Pp
|
|
.Dl natd -interface ed0
|
|
.Pp
|
|
should suffice in most cases (substituting the correct interface name).
|
|
Please check
|
|
.Xr rc.conf 5
|
|
on how to configure it to be started automatically during boot.
|
|
Once
|
|
.Nm
|
|
is running, you must ensure that traffic is diverted to
|
|
.Nm :
|
|
.Bl -enum
|
|
.It
|
|
You will need to adjust the
|
|
.Pa /etc/rc.firewall
|
|
script to taste.
|
|
If you are not interested in having a firewall, the
|
|
following lines will do:
|
|
.Bd -literal -offset indent
|
|
/sbin/ipfw -f flush
|
|
/sbin/ipfw add divert natd all from any to any via ed0
|
|
/sbin/ipfw add pass all from any to any
|
|
.Ed
|
|
.Pp
|
|
The second line depends on your interface (change
|
|
.Ql ed0
|
|
as appropriate).
|
|
.Pp
|
|
You should be aware of the fact that, with these firewall settings,
|
|
everyone on your local network can fake his source-address using your
|
|
host as gateway.
|
|
If there are other hosts on your local network, you are strongly
|
|
encouraged to create firewall rules that only allow traffic to and
|
|
from trusted hosts.
|
|
.Pp
|
|
If you specify real firewall rules, it is best to specify line 2 at
|
|
the start of the script so that
|
|
.Nm
|
|
sees all packets before they are dropped by the firewall.
|
|
.Pp
|
|
After translation by
|
|
.Nm ,
|
|
packets re-enter the firewall at the rule number following the rule number
|
|
that caused the diversion (not the next rule if there are several at the
|
|
same number).
|
|
.It
|
|
Enable your firewall by setting
|
|
.Pp
|
|
.Dl firewall_enable=YES
|
|
.Pp
|
|
in
|
|
.Pa /etc/rc.conf .
|
|
This tells the system startup scripts to run the
|
|
.Pa /etc/rc.firewall
|
|
script.
|
|
If you do not wish to reboot now, just run this by hand from the console.
|
|
NEVER run this from a remote session unless you put it into the background.
|
|
If you do, you will lock yourself out after the flush takes place, and
|
|
execution of
|
|
.Pa /etc/rc.firewall
|
|
will stop at this point - blocking all accesses permanently.
|
|
Running the script in the background should be enough to prevent this
|
|
disaster.
|
|
.El
|
|
.Sh MULTIPLE INSTANCES
|
|
It is not so uncommon to have a need of aliasing to several external IP
|
|
addresses.
|
|
While this traditionally was achieved by running several
|
|
.Nm
|
|
processes with independent configurations,
|
|
.Nm
|
|
can have multiple aliasing instances in a single process,
|
|
also allowing them to be not so independent of each other.
|
|
For example, let us see a common task of load balancing two
|
|
channels to different providers on a machine with two external
|
|
interfaces
|
|
.Ql sis0
|
|
(with IP 1.2.3.4) and
|
|
.Ql sis2
|
|
(with IP 2.3.4.5):
|
|
.Bd -literal -offset indent
|
|
net 1.2.3.0/24
|
|
1.2.3.1 ------------------ sis0
|
|
(router) (1.2.3.4)
|
|
net 10.0.0.0/24
|
|
sis1 ------------------- 10.0.0.2
|
|
(10.0.0.1)
|
|
net 2.3.4.0/24
|
|
2.3.4.1 ------------------ sis2
|
|
(router) (2.3.4.5)
|
|
.Ed
|
|
.Pp
|
|
Default route is out via
|
|
.Ql sis0 .
|
|
.Pp
|
|
Interior machine (10.0.0.2) is accessible on TCP port 122 through
|
|
both exterior IPs, and outgoing connections choose a path randomly
|
|
between
|
|
.Ql sis0
|
|
and
|
|
.Ql sis2 .
|
|
.Pp
|
|
The way this works is that
|
|
.Pa natd.conf
|
|
builds two instances of the aliasing engine.
|
|
.Pp
|
|
In addition to these instances' private
|
|
.Xr divert 4
|
|
sockets, a third socket called the
|
|
.Dq globalport
|
|
is created; packets sent to
|
|
.Nm
|
|
via this one will be matched against all instances and translated
|
|
if an existing entry is found, and unchanged if no entry is found.
|
|
The following lines are placed into
|
|
.Pa /etc/natd.conf :
|
|
.Bd -literal -offset indent
|
|
log
|
|
deny_incoming
|
|
verbose
|
|
|
|
instance default
|
|
interface sis0
|
|
port 1000
|
|
redirect_port tcp 10.0.0.2:122 122
|
|
|
|
instance sis2
|
|
interface sis2
|
|
port 2000
|
|
redirect_port tcp 10.0.0.2:122 122
|
|
|
|
globalport 3000
|
|
.Ed
|
|
.Pp
|
|
And the following
|
|
.Xr ipfw 8
|
|
rules are used:
|
|
.Bd -literal -offset indent
|
|
ipfw -f flush
|
|
|
|
ipfw add allow ip from any to any via sis1
|
|
|
|
ipfw add skipto 1000 ip from any to any in via sis0
|
|
ipfw add skipto 2000 ip from any to any out via sis0
|
|
ipfw add skipto 3000 ip from any to any in via sis2
|
|
ipfw add skipto 4000 ip from any to any out via sis2
|
|
|
|
ipfw add 1000 count ip from any to any
|
|
|
|
ipfw add divert 1000 ip from any to any
|
|
ipfw add allow ip from any to any
|
|
|
|
ipfw add 2000 count ip from any to any
|
|
|
|
ipfw add divert 3000 ip from any to any
|
|
|
|
ipfw add allow ip from 1.2.3.4 to any
|
|
ipfw add skipto 5000 ip from 2.3.4.5 to any
|
|
|
|
ipfw add prob .5 skipto 4000 ip from any to any
|
|
|
|
ipfw add divert 1000 ip from any to any
|
|
ipfw add allow ip from any to any
|
|
|
|
ipfw add 3000 count ip from any to any
|
|
|
|
ipfw add divert 2000 ip from any to any
|
|
ipfw add allow ip from any to any
|
|
|
|
ipfw add 4000 count ip from any to any
|
|
|
|
ipfw add divert 2000 ip from any to any
|
|
|
|
ipfw add 5000 fwd 2.3.4.1 ip from 2.3.4.5 to not 2.3.4.0/24
|
|
ipfw add allow ip from any to any
|
|
.Ed
|
|
.Pp
|
|
Here the packet from internal network to Internet goes out via
|
|
.Ql sis0
|
|
(rule number 2000) and gets caught by the
|
|
.Ic globalport
|
|
socket (3000).
|
|
After that, either a match is found in a translation table
|
|
of one of the two instances, or the packet is passed to one
|
|
of the two other
|
|
.Xr divert 4
|
|
ports (1000 or 2000), with equal probability.
|
|
This ensures that load balancing is done on a per-flow basis
|
|
(i.e., packets from a single TCP connection always flow through the
|
|
same interface).
|
|
Translated packets with source IP of a non-default interface
|
|
.Pq Ql sis2
|
|
are forwarded to the appropriate router on that interface.
|
|
.Sh SEE ALSO
|
|
.Xr libalias 3 ,
|
|
.Xr divert 4 ,
|
|
.Xr protocols 5 ,
|
|
.Xr rc.conf 5 ,
|
|
.Xr services 5 ,
|
|
.Xr syslog.conf 5 ,
|
|
.Xr init 8 ,
|
|
.Xr ipfw 8 ,
|
|
.Xr ppp 8
|
|
.Sh AUTHORS
|
|
This program is the result of the efforts of many people at different
|
|
times:
|
|
.Pp
|
|
.An Archie Cobbs Aq Mt archie@FreeBSD.org
|
|
(divert sockets)
|
|
.An Charles Mott Aq Mt cm@linktel.net
|
|
(packet aliasing)
|
|
.An Eivind Eklund Aq Mt perhaps@yes.no
|
|
(IRC support & misc additions)
|
|
.An Ari Suutari Aq Mt suutari@iki.fi
|
|
(natd)
|
|
.An Dru Nelson Aq Mt dnelson@redwoodsoft.com
|
|
(early PPTP support)
|
|
.An Brian Somers Aq Mt brian@awfulhak.org
|
|
(glue)
|
|
.An Ruslan Ermilov Aq Mt ru@FreeBSD.org
|
|
(natd, packet aliasing, glue)
|
|
.An Poul-Henning Kamp Aq Mt phk@FreeBSD.org
|
|
(multiple instances)
|