NATD(8) BSD System Manager's Manual NATD(8)NAMEnatd — Network Address Translation daemon
SYNOPSISnatd [-unregistered_only | -u] [-log | -l] [-proxy_only] [-reverse]
[-deny_incoming | -d] [-use_sockets | -s] [-same_ports | -m]
[-verbose | -v] [-dynamic] [-in_port | -i port]
[-out_port | -o port] [-port | -p port]
[-alias_address | -a address] [-target_address | -t address]
[-interface | -n interface] [-proxy_rule proxyspec]
[-redirect_port linkspec] [-redirect_proto linkspec]
[-redirect_address linkspec] [-config | -f configfile] [-log_denied]
[-log_facility facility_name] [-punch_fw firewall_range]
This program provides a Network Address Translation facility for use with
divert(4) sockets under FreeBSD. It is intended for use with NICs - if
you want to do NAT on a PPP link, use the -nat switch to ppp(8).
The natd normally runs in the background as a daemon. It is passed raw
IP packets as they travel into and out of the machine, and will possibly
change these before re-injecting them back into the IP packet stream.
It changes all packets destined for another host so that their source IP
number is that of the current machine. For each packet changed in this
manner, an internal table entry is created to record this fact. The
source port number is also changed to indicate the table entry applying
to the packet. Packets that are received with a target IP of the current
host are checked against this internal table. If an entry is found, it
is used to determine the correct target IP number and port to place in
The following command line options are available:
-log | -l Log various aliasing statistics and information to the file
/var/log/alias.log. This file is truncated each time natd is
-deny_incoming | -d
Do not pass incoming packets that have no entry in the inter‐
nal translation table.
If this option is not used, then such a packet will be
altered using the rules in -target_address below, and the
entry will be made in the internal translation table.
Log denied incoming packets via syslog(3) (see also
Use specified log facility when logging information via
syslog(3). Argument facility_name is one of the keywords
specified in syslog.conf(5).
-use_sockets | -s
Allocate a socket(2) in order to establish an FTP data or IRC
DCC send connection. This option uses more system resources,
but guarantees successful connections when port numbers con‐
-same_ports | -m
Try to keep the same port number when altering outgoing pack‐
ets. With this option, protocols such as RPC will have a
better chance of working. If it is not possible to maintain
the port number, it will be silently changed as per normal.
-verbose | -v
Do not call daemon(3) on startup. Instead, stay attached to
the controlling terminal and display all packet alterations
to the standard output. This option should only be used for
-unregistered_only | -u
Only alter outgoing packets with an unregistered source
address. According to RFC 1918, unregistered source
addresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
-redirect_port proto targetIP:targetPORT[-targetPORT]
Redirect incoming connections arriving to given port(s) to
another host and port(s). Argument proto is either tcp or
udp, targetIP is the desired target IP number, targetPORT is
the desired target port number or range, aliasPORT is the
requested port number or range, and aliasIP is the aliasing
address. Arguments remoteIP and remotePORT can be used to
specify the connection more accurately if necessary. The
targetPORT range and aliasPORT range need not be the same
numerically, but must have the same size. If remotePORT is
not specified, it is assumed to be all ports. If remotePORT
is specified, it must match the size of targetPORT, or be 0
(all ports). For example, the argument
tcp inside1:telnet 6666
means that incoming TCP packets destined for port 6666 on
this machine will be sent to the telnet port on the inside1
tcp inside2:2300-2399 3300-3399
will redirect incoming connections on ports 3300-3399 to host
inside2, ports 2300-2399. The mapping is 1:1 meaning port
3300 maps to 2300, 3301 maps to 2301, etc.
-redirect_proto proto localIP [publicIP [remoteIP]]
Redirect incoming IP packets of protocol proto (see
protocols(5)) destined for publicIP address to a localIP
address and vice versa.
If publicIP is not specified, then the default aliasing
address is used. If remoteIP is specified, then only packets
coming from/to remoteIP will match the rule.
-redirect_address localIP publicIP
Redirect traffic for public IP address to a machine on the
local network. This function is known as static NAT. Nor‐
mally static NAT is useful if your ISP has allocated a small
block of IP addresses to you, but it can even be used in the
case of single address:
redirect_address 10.0.0.8 0.0.0.0
The above command would redirect all incoming traffic to
If several address aliases specify the same public address as
redirect_address 192.168.0.2 public_addr
redirect_address 192.168.0.3 public_addr
redirect_address 192.168.0.4 public_addr
the incoming traffic will be directed to the last translated
local address (192.168.0.4), but outgoing traffic from the
first two addresses will still be aliased to appear from the
-redirect_port proto targetIP:targetPORT[,targetIP:targetPORT[,...]]
-redirect_address localIP[,localIP[,...]] publicIP
These forms of -redirect_port and -redirect_address are used
to transparently offload network load on a single server and
distribute the load across a pool of servers. This function
is known as LSNAT (RFC 2391). For example, the argument
tcp www1:http,www2:http,www3:http www:http
means that incoming HTTP requests for host www will be trans‐
parently redirected to one of the www1, www2 or www3, where a
host is selected simply on a round-robin basis, without
regard to load on the net.
-dynamic If the -n or -interface option is used, natd will monitor the
routing socket for alterations to the interface passed. If
the interface's IP number is changed, natd will dynamically
alter its concept of the alias address.
-in_port | -i port
Read from and write to divert(4) port port, treating all
packets as “incoming”.
-out_port | -o port
Read from and write to divert(4) port port, treating all
packets as “outgoing”.
-port | -p port
Read from and write to divert(4) port port, distinguishing
packets as “incoming” or “outgoing” using the rules specified
in divert(4). If port is not numeric, it is searched for in
the services(5) database. If this option is not specified,
the divert port named natd will be used as a default.
-alias_address | -a address
Use address as the aliasing address. If this option is not
specified, the -interface option must be used. The specified
address is usually the address assigned to the “public” net‐
All data passing out will be rewritten with a source address
equal to address. All data coming in will be checked to see
if it matches any already-aliased outgoing connection. If it
does, the packet is altered accordingly. If not, all
-redirect_port, -redirect_proto and -redirect_address assign‐
ments are checked and actioned. If no other action can be
made and if -deny_incoming is not specified, the packet is
delivered to the local machine using the rules specified in
-target_address option below.
-t | -target_address address
Set the target address. When an incoming packet not associ‐
ated with any pre-existing link arrives at the host machine,
it will be sent to the specified address.
The target address may be set to 255.255.255.255, in which
case all new incoming packets go to the alias address set by
-alias_address or -interface.
If this option is not used, or called with the argument
0.0.0.0, then all new incoming packets go to the address
specified in the packet. This allows external machines to
talk directly to internal machines if they can route packets
to the machine in question.
-interface | -n interface
Use interface to determine the aliasing address. If there is
a possibility that the IP number associated with interface
may change, the -dynamic option should also be used. If this
option is not specified, the -alias_address option must be
The specified interface is usually the “public” (or
“external”) network interface.
-config | -f file
Read configuration from file. A file should contain a list
of options, one per line, in the same form as the long form
of the above command line options. For example, the line
would specify an alias address of 126.96.36.199. Options that
do not take an argument are specified with an argument of yes
or no in the configuration file. For example, the line
log yes is synonymous with -log.
Trailing spaces and empty lines are ignored. A ‘#’ sign will
mark the rest of the line as a comment.
-reverse This option makes natd reverse the way it handles “incoming”
and “outgoing” packets, allowing it to operate on the
“internal” network interface rather than the “external” one.
This can be useful in some transparent proxying situations
when outgoing traffic is redirected to the local machine and
natd is running on the internal interface (it usually runs on
the external interface).
Force natd to perform transparent proxying only. Normal
address translation is not performed.
-proxy_rule [type encode_ip_hdr | encode_tcp_stream] port xxxx server
Enable transparent proxying. Outgoing TCP packets with the
given port going through this host to any other host are
redirected to the given server and port. Optionally, the
original target address can be encoded into the packet. Use
encode_ip_hdr to put this information into the IP option
field or encode_tcp_stream to inject the data into the begin‐
ning of the TCP stream.
This option directs natd to “punch holes” in an ipfirewall(4)
based firewall for FTP/IRC DCC connections. This is done
dynamically by installing temporary firewall rules which
allow a particular connection (and only that connection) to
go through the firewall. The rules are removed once the cor‐
responding connection terminates.
A maximum of count rules starting from the rule number
basenumber will be used for punching firewall holes. The
range will be cleared for all rules on startup.
This option enables MSS clamping. The MSS value is derived
from the MTU of the interface specified in the -interface
The following steps are necessary before attempting to run natd:
1. Build a custom kernel with the following options:
Refer to the handbook for detailed instructions on building a custom
2. Ensure that your machine is acting as a gateway. This can be done
by specifying the line
in the /etc/rc.conf file or using the command
sysctl -w net.inet.ip.forwarding=1
3. If you use the -interface option, make sure that your interface is
already configured. If, for example, you wish to specify ‘tun0’ as
your interface, and you are using ppp(8) on that interface, you must
make sure that you start ppp prior to starting natd.
Running natd is fairly straight forward. The line
should suffice in most cases (substituting the correct interface name).
Please check rc.conf(5) on how to configure it to be started automati‐
cally during boot. Once natd is running, you must ensure that traffic is
diverted to natd:
1. You will need to adjust the /etc/rc.firewall script to taste. If
you are not interested in having a firewall, the following lines
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
The second line depends on your interface (change ‘en0’ as appropri‐
You should be aware of the fact that, with these firewall settings,
everyone on your local network can fake his source-address using
your host as gateway. If there are other hosts on your local net‐
work, you are strongly encouraged to create firewall rules that only
allow traffic to and from trusted hosts.
If you specify real firewall rules, it is best to specify line 2 at
the start of the script so that natd sees all packets before they
are dropped by the firewall.
After translation by natd, packets re-enter the firewall at the rule
number following the rule number that caused the diversion (not the
next rule if there are several at the same number).
2. Enable your firewall by setting
in /etc/rc.conf. This tells the system startup scripts to run the
/etc/rc.firewall script. If you do not wish to reboot now, just run
this by hand from the console. NEVER run this from a remote session
unless you put it into the background. If you do, you will lock
yourself out after the flush takes place, and execution of
/etc/rc.firewall will stop at this point - blocking all accesses
permanently. Running the script in the background should be enough
to prevent this disaster.
SEE ALSOdivert(4), protocols(5), rc.conf(5), services(5), syslog.conf(5),
This program is the result of the efforts of many people at different
Archie Cobbs ⟨email@example.com⟩ (divert sockets)
Charles Mott ⟨firstname.lastname@example.org⟩ (packet aliasing)
Eivind Eklund ⟨email@example.com⟩ (IRC support & misc additions)
Ari Suutari ⟨firstname.lastname@example.org⟩ (natd)
Dru Nelson ⟨email@example.com⟩ (early PPTP support)
Brian Somers ⟨firstname.lastname@example.org⟩ (glue)
Ruslan Ermilov ⟨ru@FreeBSD.org⟩ (natd, packet aliasing, glue)
Darwin June 27, 2000 Darwin