2.2.6 natd: Network Address Translation Daemon
The manual pages provided with natd are very good. We hope you will get what you want from
them at first glance, although manual pages tend to be so detailed that they need a careful
read and some thought about how the different options combine. Anyhow, let's start with the
manual page of natd(8):
NATD(8) FreeBSD System Manager's Manual NATD(8)
NAME
natd - Network Address Translation Daemon
------------ omitted here ------
RUNNING NATD
The following steps are necessary before attempting to run natd:
1. Get FreeBSD version 2.2 or higher. Versions before this do not support divert(4) sockets.
2. Build a custom kernel with the following options:
options IPFIREWALL
options IPDIVERT
Refer to the handbook for detailed instructions on building a custom kernel.
3. Ensure that your machine is acting as a gateway. This can be done by specifying the line
gateway_enable=YES
in /etc/rc.conf, or using the command
sysctl -w net.inet.ip.forwarding=1
4. If you wish to use the -n or -interface flags, make sure that your interface is already
configured. If, for example, you wish to specify tun0 as your interface, and you're using
ppp(8) on that interface, you must make sure that you start ppp prior to starting natd.
--------- Comment from us ----------------
maple# ifconfig -a
From the above output you will be able to judge which interface is working for you and
which one is not. So, make the required interface work before running natd.
--------- End of comment ----------------
5. Create an entry in /etc/services:
natd 8668/divert # Network Address Translation socket
This gives a default for the -p or -port flag.
Running natd is fairly straightforward. The line
natd -interface ed0
should suffice in most cases (substituting the correct interface name). Once natd is
running, you must ensure that traffic is diverted to natd:
1. You will need to adjust the /etc/rc.firewall script to taste. If you're not interested
in having a firewall, the following lines will do:
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
The second line depends on your interface (change ed0 as appropriate) and assumes that
you've updated /etc/services with the natd entry as above. If you specify real firewall
rules, it's best to specify line 2 at the start of the script so that natd sees all packets
before they are dropped by the firewall. The firewall rules will be run again on each packet
after translation by natd, minus any divert rules.
2. Enable your firewall by setting
firewall_enable=YES
in /etc/rc.conf. This tells the system startup scripts to run the /etc/rc.firewall script.
If you don't wish to reboot now, just run this by hand from the console. NEVER run this from
a virtual session unless you put it into the background. If you do, you'll lock yourself out
after the flush takes place, and execution of /etc/rc.firewall will stop at this point -
blocking all accesses permanently. Running the script in the background should be enough to
prevent this disaster.
Now your natd should be running; at least mine was running on maple. Maybe you want to check
what happens when you try to access other hosts, using login or telnet, after running natd but
before configuring rc.firewall (I mean, before building the firewall). It should reject your
access request, as you might have thought: obviously, by default a kernel built with
options IPFIREWALL
# options IPFIREWALL_DEFAULT_TO_ACCEPT
(that is, with IPFIREWALL but without IPFIREWALL_DEFAULT_TO_ACCEPT) will deny everything.
Now here are a few options that you might find very cute for your purpose:
natd -interface ed0 -redirect_port tcp 192.168.0.16:23 6023
This will redirect all the tcp packets destined for port 6023 (of the host that is running
natd) to the local machine 192.168.0.16, port 23, the default telnet port. So, outside users
trying to telnet to the inside machine (192.168.0.16) can simply telnet to the server (maple,
in this case) on port 6023 and their connection will be redirected to the inside machine
192.168.0.16; that's real nice!
natd -interface ed0 -permanent_link tcp 192.168.0.16:23 202.251.34.161:0 6000
This is more or less the same as above, but it will create a permanent entry in the internal
alias table. It means that all the tcp packets from any port of the host 202.251.34.161 will
be sent to the inner machine 192.168.0.16, port 23, that's the telnet port. Now let's try
with the new cute tool we got:
mapletown# ftp ftp.freebsd.org
mapletown@junan:/home/junan{612}% ftp ftp.freebsd.org
Connected to wcarchive.cdrom.com.
220 wcarchive.cdrom.com FTP server (Version DG-3.1.27 Wed Dec 2 01:29:08 PST 1998) ready.
Name (ftp.freebsd.org:junan): anonymous
331 Guest login ok, send your email address as password.
Password: # put your e-mail address here (or an e-mail-like line)
230-This machine is a P6/200 with 1GB of memory & 1/2 terabyte of RAID 5.
230-The operating system is FreeBSD. Should you wish to get your own copy of
230-FreeBSD, see the pub/FreeBSD directory or visit http://www.freebsd.org
230-for more information. FreeBSD on CDROM can be ordered using the WEB at
230-http://www.cdrom.com/titles/os/freebsd.htm or by sending email to
230-orders@cdrom.com.
230-
230-Slow downloads? Please see ftp://ftp.cdrom.com/archive-info/slow.txt
230-for more information.
230-
230-100Mbps colocation services provided by CRL Network Services. For more
230-information, please visit http://www.crl.com.
230-
230-Please send mail to ftp-bugs@ftp.cdrom.com if you experience any problems.
230-Please also let us know if there is something we don't have that you think
230-we should!
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
So, you are connected directly (forwarded by natd) to ftp.freebsd.org.
momo@junan:/home/junan{61}% telnet mercury-gw.st.yatsushiro-nct.ac.jp
Trying 202.251.34.161...
Connected to mercury-gw.st.yatsushiro-nct.ac.jp.
Escape character is '^]'.
SunOS UNIX (mercury-gw)
login: s96281
Password: # your password
And you will be logged in. If you get a host lookup failure, try using the real address
instead of the domain name, like telnet 202.251.39.129, or similar.
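To make the packet path concrete, here is an added example in Python that is not part of this tutorial and not FreeBSD's natd or ipfw code. It models what the text above describes: the ipfw rule walk with a divert rule, the re-run of the rules on the translated packet with divert rules skipped, the deny-by-default kernel, the dynamic alias entries that carry the ftp and telnet sessions shown above, and the -redirect_port and -permanent_link entries from the two natd command lines. The gateway's public address 203.0.113.1, the alias port range starting at 40000, the outside host 198.51.100.7 and the rule sets are constructed placeholders. The same traffic is run with the divert rule first and with it last, which shows why the man page wants the divert at the top of rc.firewall.

```python
"""Toy model of the ipfw + natd packet path; constructed teaching example, not FreeBSD code."""
from dataclasses import dataclass, replace
from typing import Callable

EXT_IF = "ed0"              # external interface, as in the text's examples
ALIAS_IP = "203.0.113.1"    # assumed public address of the natd gateway (placeholder)
INSIDE_NET = "192.168.0."   # inside network prefix used by the text

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    via: str     # interface the packet crosses

class Natd:
    """Alias table: dynamic outbound entries plus static redirects."""
    def __init__(self, alias_ip, first_port=40000):
        self.alias_ip, self.next_port = alias_ip, first_port
        self.out = {}        # (proto, inside_ip, inside_port) -> alias_port
        self.back = {}       # (proto, alias_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.redirects = {}  # (proto, alias_port) -> (inside_ip, inside_port, remote_ip or None)

    def redirect_port(self, proto, target, alias_port, remote_ip=None):
        """-redirect_port proto inside_ip:port alias_port"""
        ip, port = target.split(":")
        self.redirects[(proto, alias_port)] = (ip, int(port), remote_ip)

    def permanent_link(self, proto, target, remote, alias_port):
        """-permanent_link proto inside_ip:port remote_ip:0 alias_port: a redirect only that remote host may use."""
        self.redirect_port(proto, target, alias_port, remote.split(":")[0])

    def translate(self, pkt):
        if pkt.src.startswith(INSIDE_NET):
            # Outbound: hide the inside source behind alias_ip:alias_port and
            # record the remote endpoint so that only its replies map back.
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.out:
                self.out[key], self.next_port = self.next_port, self.next_port + 1
            aport = self.out[key]
            self.back[(pkt.proto, aport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.alias_ip, sport=aport)
        if pkt.dst == self.alias_ip:
            # Inbound: a reply to a dynamic entry wins, then the static redirects.
            hit = self.back.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
            rd = self.redirects.get((pkt.proto, pkt.dport))
            if hit is None and rd and rd[2] in (None, pkt.src):
                hit = (rd[0], rd[1])
            if hit:
                return replace(pkt, dst=hit[0], dport=hit[1])
        return pkt  # no mapping: the packet stays addressed to the gateway itself

@dataclass(frozen=True)
class Rule:
    action: str                      # "divert", "pass" or "deny"
    match: Callable[[Packet], bool]

def ipfw(rules, natd, pkt, default_accept=False):
    """Walk the rules; a matching divert translates the packet and restarts the walk with
    divert rules skipped. A packet matching no rule is denied unless IPFIREWALL_DEFAULT_TO_ACCEPT."""
    translated, i = False, 0
    while i < len(rules):
        rule = rules[i]
        if rule.action == "divert":
            if not translated and rule.match(pkt):
                pkt, translated, i = natd.translate(pkt), True, 0
                continue
        elif rule.match(pkt):
            return rule.action, pkt
        i += 1
    return ("pass" if default_accept else "deny"), pkt

def build_natd():
    """The two natd command lines quoted in the text, as alias-table entries."""
    natd = Natd(ALIAS_IP)
    natd.redirect_port("tcp", "192.168.0.16:23", 6023)
    natd.permanent_link("tcp", "192.168.0.16:23", "202.251.34.161:0", 6000)
    return natd

DIVERT = Rule("divert", lambda p: p.via == EXT_IF)
REAL_RULES = [Rule("pass", lambda p: p.dst.startswith(INSIDE_NET)),  # translated inbound
              Rule("pass", lambda p: p.src == ALIAS_IP),             # translated outbound
              Rule("deny", lambda p: True)]
GOOD_RULES = [DIVERT] + REAL_RULES   # divert first, as the man page advises
BAD_RULES = REAL_RULES + [DIVERT]    # divert after the real rules: natd never sees them

def scenario(rules):
    """Run one traffic mix through a rule order; returns (verdict, packet) per case."""
    natd = build_natd()
    out = ipfw(rules, natd, Packet("tcp", "192.168.0.16", 1025, "202.251.34.161", 21, EXT_IF))
    reply = ipfw(rules, natd, Packet("tcp", "202.251.34.161", 21, out[1].src, out[1].sport, EXT_IF))
    return {"ftp_out": out, "ftp_reply": reply,
            "telnet_6023": ipfw(rules, natd, Packet("tcp", "198.51.100.7", 3000, ALIAS_IP, 6023, EXT_IF)),
            "link_6000_mercury": ipfw(rules, natd, Packet("tcp", "202.251.34.161", 5000, ALIAS_IP, 6000, EXT_IF)),
            "link_6000_stranger": ipfw(rules, natd, Packet("tcp", "198.51.100.7", 5000, ALIAS_IP, 6000, EXT_IF))}

if __name__ == "__main__":
    for name, rules in (("divert first", GOOD_RULES), ("divert last", BAD_RULES)):
        for case, (verdict, p) in scenario(rules).items():
            print(f"{name:13s} {case:19s} {verdict:4s} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

With the divert first, the outbound ftp connection leaves with the alias source, its reply maps back to 192.168.0.16:1025, port 6023 reaches the inside telnet port from anywhere, and port 6000 reaches it only from 202.251.34.161; a stranger on port 6000 is left addressed to the gateway and falls through to deny. With the divert last, the same inbound packets hit the deny rule before natd ever sees them, and the outbound packet is dropped untranslated, which is the lock-out the man page warns about in a different form.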