3 ## 19.13 Network Address Translation
\r
5 ***Contributed by Chern Lee. ***
\r
7 ### 19.13.1 Overview
\r
9 DragonFly's Network Address Translation daemon, commonly known as [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#natd§ion8) is a daemon that accepts incoming raw IP packets, changes the source to the local machine and re-injects these packets back into the outgoing IP packet stream. [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=natd§ion=8) does this by changing the source IP address and port such that when data is received back, it is able to determine the original location of the data and forward it back to its original requester.
\r
11 The most common use of NAT is to perform what is commonly known as Internet Connection Sharing.
\r
15 Due to the diminishing IP space in IPv4, and the increased number of users on high-speed consumer lines such as cable or DSL, people are increasingly in need of an Internet Connection Sharing solution. The ability to connect several computers online through one connection and IP address makes [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#natd§ion8) a reasonable choice.
\r
17 Most commonly, a user has a machine connected to a cable or DSL line with one IP address and wishes to use this one connected computer to provide Internet access to several more over a LAN.
\r
19 To do this, the DragonFly machine on the Internet must act as a gateway. This gateway machine must have two NICs--one for connecting to the Internet router, the other connecting to a LAN. All the machines on the LAN are connected through a hub or switch.
\r
21 advanced-networking/natd.png
\r
23 A setup like this is commonly used to share an Internet connection. One of the LAN machines is connected to the Internet. The rest of the machines access the Internet through that ***gateway*** machine.
\r
25 ### 19.13.3 Configuration
\r
27 The following options must be in the kernel configuration file:
\r
34 Additionally, at choice, the following may also be suitable:
\r
37 options IPFIREWALL_DEFAULT_TO_ACCEPT
\r
38 options IPFIREWALL_VERBOSE
\r
41 The following must be in `/etc/rc.conf`:
\r
44 gateway_enable="YES"
\r
45 firewall_enable="YES"
\r
46 firewall_type="OPEN"
\r
48 natd_interface="fxp0"
\r
53 | gateway_enable#"YES" | Sets up the machine to act as a gateway. Running `sysctl net.inet.ip.forwarding1` would have the same effect.
54 firewall_enable="YES" | Enables the firewall rules in `/etc/rc.firewall` at boot.
55 firewall_type="OPEN" | This specifies a predefined firewall ruleset that allows anything in. See `/etc/rc.firewall` for additional types.
56 natd_interface="fxp0" | Indicates which interface to forward packets through (the interface connected to the Internet).
57 natd_flags#"" | Any additional configuration options passed to [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?commandnatd§ion=8) on boot. |
\r
59 Having the previous options defined in `/etc/rc.conf` would run `natd -interface fxp0` at boot. This can also be run manually.
\r
61 **Note:** It is also possible to use a configuration file for [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#natd§ion8) when there are too many options to pass. In this case, the configuration file must be defined by adding the following line to `/etc/rc.conf`:
\r
64 natd_flags="-f /etc/natd.conf"
\r
67 The `/etc/natd.conf` file will contain a list of configuration options, one per line. For example the next section case would use the following file:
\r
70 redirect_port tcp 192.168.0.2:6667 6667
\r
71 redirect_port tcp 192.168.0.3:80 80
\r
74 For more information about the configuration file, consult the [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#natd§ion8) manual page about the `-f` option.
\r
76 Each machine and interface behind the LAN should be assigned IP address numbers in the private network space as defined by [RFC 1918](ftp://ftp.isi.edu/in-notes/rfc1918.txt) and have a default gateway of the **natd** machine's internal IP address.
\r
78 For example, client `A` and `B` behind the LAN have IP addresses of `192.168.0.2` and `192.168.0.3`, while the natd machine's LAN interface has an IP address of `192.168.0.1`. Client `A` and `B`'s default gateway must be set to that of the **natd** machine, `192.168.0.1`. The **natd** machine's external, or Internet interface does not require any special modification for [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#natd§ion8) to work.
\r
80 ### 19.13.4 Port Redirection
\r
82 The drawback with [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#natd§ion8) is that the LAN clients are not accessible from the Internet. Clients on the LAN can make outgoing connections to the world but cannot receive incoming ones. This presents a problem if trying to run Internet services on one of the LAN client machines. A simple way around this is to redirect selected Internet ports on the **natd** machine to a LAN client.
\r
84 For example, an IRC server runs on client `A`, and a web server runs on client `B`. For this to work properly, connections received on ports 6667 (IRC) and 80 (web) must be redirected to the respective machines.
\r
86 The `-redirect_port` must be passed to [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#natd§ion8) with the proper options. The syntax is as follows:
\r
89 -redirect_port proto targetIP:targetPORT[-targetPORT]
\r
90 [aliasIP:]aliasPORT[-aliasPORT]
\r
91 [remoteIP[:remotePORT[-remotePORT]]]
\r
94 In the above example, the argument should be:
\r
97 -redirect_port tcp 192.168.0.2:6667 6667
\r
98 -redirect_port tcp 192.168.0.3:80 80
\r
101 This will redirect the proper ***tcp*** ports to the LAN client machines.
\r
103 The `-redirect_port` argument can be used to indicate port ranges over individual ports. For example, `***tcp 192.168.0.2:2000-3000 2000-3000***` would redirect all connections received on ports 2000 to 3000 to ports 2000 to 3000 on client `A`.
\r
105 These options can be used when directly running [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#natd§ion8), placed within the `natd_flags=""` option in `/etc/rc.conf`, or passed via a configuration file.
\r
107 For further configuration options, consult [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#natd§ion8)
\r
109 ### 19.13.5 Address Redirection
\r
111 Address redirection is useful if several IP addresses are available, yet they must be on one machine. With this, [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#natd§ion8) can assign each LAN client its own external IP address. [natd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=natd§ion=8) then rewrites outgoing packets from the LAN clients with the proper external IP address and redirects all traffic incoming on that particular IP address back to the specific LAN client. This is also known as static NAT. For example, the IP addresses `128.1.1.1`, `128.1.1.2`, and `128.1.1.3` belong to the **natd** gateway machine. `128.1.1.1` can be used as the **natd** gateway machine's external IP address, while `128.1.1.2` and `128.1.1.3` are forwarded back to LAN clients `A` and `B`.
\r
113 The `-redirect_address` syntax is as follows:
\r
116 -redirect_address localIP publicIP
\r
120 | localIP | The internal IP address of the LAN client.
121 publicIP | The external IP address corresponding to the LAN client. |
\r
123 In the example, this argument would read:
\r
126 -redirect_address 192.168.0.2 128.1.1.2
\r
127 -redirect_address 192.168.0.3 128.1.1.3
\r
130 Like `-redirect_port`, these arguments are also placed within the `natd_flags=""` option of `/etc/rc.conf`, or passed via a configuration file. With address redirection, there is no need for port redirection since all data received on a particular IP address is redirected.
\r
132 The external IP addresses on the **natd** machine must be active and aliased to the external interface. Look at [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command#rc.conf§ion5) to do so.
\r
137 CategoryHandbook-advancednetworking
\r
projects / ikiwiki.git / blob