network-natd.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Network Address Translation</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Advanced Networking" href="advanced-networking.html" />
<link rel="PREVIOUS" title="ISDN" href="network-isdn.html" />
<link rel="NEXT" title="Parallel Line IP (PLIP)" href="network-plip.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="network-isdn.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 24 Advanced Networking</td>
<td width="10%" align="right" valign="bottom"><a href="network-plip.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="NETWORK-NATD" name="NETWORK-NATD">24.8 Network Address
Translation</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Contributed by</span> Chern Lee.</i> 

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-NATOVERVIEW" name="NETWORK-NATOVERVIEW">24.8.1
Overview</a></h2>

<p>FreeBSD's Network Address Translation daemon, commonly known as <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> is a daemon
that accepts incoming raw IP packets, changes the source to the local machine and
re-injects these packets back into the outgoing IP packet stream. <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> does this by
changing the source IP address and port such that when data is received back, it is able
to determine the original location of the data and forward it back to its original
requester.</p>

<p>The most common use of NAT is to perform what is commonly known as Internet Connection
Sharing.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-NATSETUP" name="NETWORK-NATSETUP">24.8.2 Setup</a></h2>

<p>Due to the diminishing IP space in IPv4, and the increased number of users on
high-speed consumer lines such as cable or DSL, people are increasingly in need of an
Internet Connection Sharing solution. The ability to connect several computers online
through one connection and IP address makes <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> a reasonable
choice.</p>

<p>Most commonly, a user has a machine connected to a cable or DSL line with one IP
address and wishes to use this one connected computer to provide Internet access to
several more over a LAN.</p>

<p>To do this, the FreeBSD machine on the Internet must act as a gateway. This gateway
machine must have two NICs--one for connecting to the Internet router, the other
connecting to a LAN. All the machines on the LAN are connected through a hub or
switch.</p>

<p><img src="advanced-networking/natd.png" /></p>

<p>A setup like this is commonly used to share an Internet connection. One of the
<acronym class="ACRONYM">LAN</acronym> machines is connected to the Internet. The rest of
the machines access the Internet through that ``gateway'' machine.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-NATDKERNCONFIGURATION"
name="NETWORK-NATDKERNCONFIGURATION">24.8.3 Configuration</a></h2>

<p>The following options must be in the kernel configuration file:</p>

<pre class="PROGRAMLISTING">
options IPFIREWALL
options IPDIVERT
</pre>

<p>Additionally, at choice, the following may also be suitable:</p>

<pre class="PROGRAMLISTING">
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
</pre>

<p>The following must be in <tt class="FILENAME">/etc/rc.conf</tt>:</p>

<pre class="PROGRAMLISTING">
gateway_enable="YES" <a id="CO-NATD-GATEWAY-ENABLE" name="CO-NATD-GATEWAY-ENABLE"><img
src="./imagelib/callouts/1.png" hspace="0" vspace="0" border="0" alt="(1)" /></a>
firewall_enable="YES" <a id="CO-NATD-FIREWALL-ENABLE" name="CO-NATD-FIREWALL-ENABLE"><img
src="./imagelib/callouts/2.png" hspace="0" vspace="0" border="0" alt="(2)" /></a>
firewall_type="OPEN" <a id="CO-NATD-FIREWALL-TYPE" name="CO-NATD-FIREWALL-TYPE"><img
src="./imagelib/callouts/3.png" hspace="0" vspace="0" border="0" alt="(3)" /></a>
natd_enable="YES"
natd_interface="<var class="REPLACEABLE">fxp0</var>" <a id="CO-NATD-NATD-INTERFACE"
name="CO-NATD-NATD-INTERFACE"><img src="./imagelib/callouts/4.png" hspace="0" vspace="0"
border="0" alt="(4)" /></a>
natd_flags="" <a id="CO-NATD-NATD-FLAGS" name="CO-NATD-NATD-FLAGS"><img
src="./imagelib/callouts/5.png" hspace="0" vspace="0" border="0" alt="(5)" /></a>
</pre>

<div class="CALLOUTLIST">
<dl compact="COMPACT">
<dt><a href="network-natd.html#CO-NATD-GATEWAY-ENABLE"><img
src="./imagelib/callouts/1.png" hspace="0" vspace="0" border="0" alt="(1)" /></a></dt>

<dd>Sets up the machine to act as a gateway. Running <tt class="COMMAND">sysctl
net.inet.ip.forwarding=1</tt> would have the same effect.</dd>

<dt><a href="network-natd.html#CO-NATD-FIREWALL-ENABLE"><img
src="./imagelib/callouts/2.png" hspace="0" vspace="0" border="0" alt="(2)" /></a></dt>

<dd>Enables the firewall rules in <tt class="FILENAME">/etc/rc.firewall</tt> at
boot.</dd>

<dt><a href="network-natd.html#CO-NATD-FIREWALL-TYPE"><img
src="./imagelib/callouts/3.png" hspace="0" vspace="0" border="0" alt="(3)" /></a></dt>

<dd>This specifies a predefined firewall ruleset that allows anything in. See <tt
class="FILENAME">/etc/rc.firewall</tt> for additional types.</dd>

<dt><a href="network-natd.html#CO-NATD-NATD-INTERFACE"><img
src="./imagelib/callouts/4.png" hspace="0" vspace="0" border="0" alt="(4)" /></a></dt>

<dd>Indicates which interface to forward packets through (the interface connected to the
Internet).</dd>

<dt><a href="network-natd.html#CO-NATD-NATD-FLAGS"><img src="./imagelib/callouts/5.png"
hspace="0" vspace="0" border="0" alt="(5)" /></a></dt>

<dd>Any additional configuration options passed to <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> on boot.</dd>
</dl>
</div>

<p>Having the previous options defined in <tt class="FILENAME">/etc/rc.conf</tt> would
run <tt class="COMMAND">natd -interface fxp0</tt> at boot. This can also be run
manually.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> It is also possible to use a configuration file for <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> when there are
too many options to pass. In this case, the configuration file must be defined by adding
the following line to <tt class="FILENAME">/etc/rc.conf</tt>:</p>

<pre class="PROGRAMLISTING">
natd_flags="-f /etc/natd.conf"
</pre>

<p>The <tt class="FILENAME">/etc/natd.conf</tt> file will contain a list of configuration
options, one per line. For example the next section case would use the following
file:</p>

<pre class="PROGRAMLISTING">
redirect_port tcp 192.168.0.2:6667 6667
redirect_port tcp 192.168.0.3:80 80
</pre>