| -log -| -l |
| | Log various aliasing statistics and information to the file /var/log/alias.log. This file is truncated each time natd is started. |
| -deny_incoming -| -d |
| | Do not pass incoming packets that have no entry in the internal translation table. If this option is not used, then such a packet will be altered using the rules in -target_address below, and the entry will be made in the internal translation table. |
| -log_denied |
| | Log denied incoming packets via syslog(3) (see also -log_facility ). |
| -log_facility facility_name |
| | Use specified log facility when logging information via syslog(3). Argument facility_name is one of the keywords specified in syslog.conf(5). |
| -use_sockets -| -s |
| | Allocate a socket(2) in order to establish an FTP data or IRC DCC send connection. This option uses more system resources, but guarantees successful connections when port numbers conflict. |
| -same_ports -| -m |
| | Try to keep the same port number when altering outgoing packets. With this option, protocols such as RPC will have a better chance of working. If it is not possible to maintain the port number, it will be silently changed as per normal. |
| -verbose -| -v |
| | Do not call daemon(3) on startup. Instead, stay attached to the controlling terminal and display all packet alterations to the standard output. This option should only be used for debugging purposes. |
| -unregistered_only -| -u |
| | Only alter outgoing packets with an unregistered source address. According to RFC 1918, unregistered source addresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. |
| -redirect_port proto Xo |
| | targetIP: Xo targetPORT [- targetPORT Xc] [aliasIP: Xo] aliasPORT [- aliasPORT Xc] [remoteIP[: remotePORT [- remotePORT] ]] |
| | Redirect incoming connections arriving to given port(s) to another host and port(s). Argument proto is either tcp or udp, targetIP is the desired target IP address, targetPORT is the desired target port number or range, aliasPORT is the requested port number or range, and aliasIP is the aliasing address. Arguments remoteIP and remotePORT can be used to specify the connection more accurately if necessary. If remotePORT is not specified, it is assumed to be all ports. Arguments targetIP, aliasIP and remoteIP can be given as IP addresses or as hostnames. The targetPORT, aliasPORT and remotePORT ranges need not be the same numerically, but must have the same size. When targetPORT, aliasPORT or remotePORT specifies a singular value (not a range), it can be given as a service name that is searched for in the services(5) database. For example, the argument tcp inside1:telnet 6666 means that incoming TCP packets destined for port 6666 on this machine will be sent to the telnet port on the inside1 machine. tcp inside2:2300-2399 3300-3399 will redirect incoming connections on ports 3300-3399 to host inside2, ports 2300-2399. The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc. |
| -redirect_proto proto localIP[ |
| | publicIP [remoteIP] ] Redirect incoming IP packets of protocol proto (see protocols(5)) destined for publicIP address to a localIP address and vice versa. If publicIP is not specified, then the default aliasing address is used. If remoteIP is specified, then only packets coming from/to remoteIP will match the rule. |
| -redirect_address localIP publicIP |
| | Redirect traffic for public IP address to a machine on the local network. This function is known as static NAT. Normally static NAT is useful if your ISP has allocated a small block of IP addresses to you, but it can even be used in the case of single address: redirect_address 10.0.0.8 0.0.0.0 The above command would redirect all incoming traffic to machine 10.0.0.8. If several address aliases specify the same public address as follows
redirect_address 192.168.0.2 public_addr
redirect_address 192.168.0.3 public_addr
redirect_address 192.168.0.4 public_addr
the incoming traffic will be directed to the last translated local address (192.168.0.4), but outgoing traffic from the first two addresses will still be aliased to appear from the specified public_addr. |
| -redirect_port proto Xo |
| | targetIP: Xo targetPORT[, targetIP: Xo targetPORT[, ... ]] |
| | |
| | [aliasIP: Xo] aliasPORT |
| | [remoteIP [:remotePORT] ] |
| | |
| -redirect_address -Xo |
| | localIP[, localIP[, ... ]] publicIP |
| | These forms of -redirect_port and -redirect_address are used to transparently offload network load on a single server and distribute the load across a pool of servers. This function is known as LSNAT (RFC 2391). For example, the argument tcp www1:http,www2:http,www3:http www:http means that incoming HTTP requests for host www will be transparently redirected to one of the www1, www2 or www3, where a host is selected simply on a round-robin basis, without regard to load on the net. |
| -dynamic |
| | If the -n or -interface option is used, natd will monitor the routing socket for alterations to the interface passed. If the interface’s IP address is changed, natd will dynamically alter its concept of the alias address. |
| -in_port -| -i port |
| | Read from and write to divert(4) port port, treating all packets as "incoming". |
| -out_port -| -o port |
| | Read from and write to divert(4) port port, treating all packets as "outgoing". |
| -port -| -p port |
| | Read from and write to divert(4) port port, distinguishing packets as "incoming" or "outgoing" using the rules specified in divert(4). If port is not numeric, it is searched for in the services(5) database. If this option is not specified, the divert port named natd will be used as a default. |
| -alias_address -| -a address |
| | Use address as the aliasing address. Either this or the -interface option must be used (but not both), if the -proxy_only option is not specified. The specified address is usually the address assigned to the "public" network interface. All data passing out will be rewritten with a source address equal to address. All data coming in will be checked to see if it matches any already-aliased outgoing connection. If it does, the packet is altered accordingly. If not, all -redirect_port , -redirect_proto and -redirect_address assignments are checked and actioned. If no other action can be made and if -deny_incoming is not specified, the packet is delivered to the local machine using the rules specified in -target_address option below. |
| -t -| -target_address address |
| | Set the target address. When an incoming packet not associated with any pre-existing link arrives at the host machine, it will be sent to the specified address. The target address may be set to 255.255.255.255, in which case all new incoming packets go to the alias address set by -alias_address or -interface . If this option is not used, or called with the argument 0.0.0.0, then all new incoming packets go to the address specified in the packet. This allows external machines to talk directly to internal machines if they can route packets to the machine in question. |
| -interface -| -n interface |
| | Use interface to determine the aliasing address. If there is a possibility that the IP address associated with interface may change, the -dynamic option should also be used. If this option is not specified, the -alias_address option must be used. The specified interface is usually the "public" (or "external") network interface. |
| -config -| -f file |
| | Read configuration from file. A file should contain a list of options, one per line, in the same form as the long form of the above command line options. For example, the line alias_address 158.152.17.1 would specify an alias address of 158.152.17.1. Options that do not take an argument are specified with an argument of yes or no in the configuration file. For example, the line log yes is synonymous with -log . Trailing spaces and empty lines are ignored. A ‘#’ sign will mark the rest of the line as a comment. |
| -reverse |
| | This option makes natd reverse the way it handles "incoming" and "outgoing" packets, allowing it to operate on the "internal" network interface rather than the "external" one. This can be useful in some transparent proxying situations when outgoing traffic is redirected to the local machine and natd is running on the internal interface (it usually runs on the external interface). |
| -proxy_only |
| | Force natd to perform transparent proxying only. Normal address translation is not performed. |
| -proxy_rule -Xo |
| | [type encode_ip_hdr | encode_tcp_stream] port xxxx server a.b.c.d:yyyy |
| | Enable transparent proxying. Outgoing TCP packets with the given port going through this host to any other host are redirected to the given server and port. Optionally, the original target address can be encoded into the packet. Use encode_ip_hdr to put this information into the IP option field or encode_tcp_stream to inject the data into the beginning of the TCP stream. |
| -punch_fw -Xo |
| | basenumber: count |
| | This option directs natd to "punch holes" in an ipfirewall(4) based firewall for FTP/IRC DCC connections. This is done dynamically by installing temporary firewall rules which allow a particular connection (and only that connection) to go through the firewall. The rules are removed once the corresponding connection terminates. A maximum of count rules starting from the rule number basenumber will be used for punching firewall holes. The range will be cleared for all rules on startup. |
| -skinny_port port |
| | This option allows you to specify the TCP port used for the Skinny Station protocol. Skinny is used by Cisco IP phones to communicate with Cisco Call Managers to set up voice over IP calls. By default, Skinny aliasing is not performed. The typical port value for Skinny is 2000. |
| -log_ipfw_denied |
| | Log when a packet cannot be re-injected because an ipfw(8) rule blocks it. This is the default with -verbose . |
| -pid_file -| -P file |
| | Specify an alternate file in which to store the process ID. The default is /var/run/natd.pid. |
|
