network-natd.html

FreeBSD操作系统的详细使用手册

<p>For more information about the configuration file, consult the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> manual page
about the <var class="OPTION">-f</var> option.</p>
</blockquote>
</div>

<p>Each machine and interface behind the LAN should be assigned IP address numbers in the
private network space as defined by <a href="ftp://ftp.isi.edu/in-notes/rfc1918.txt"
target="_top">RFC 1918</a> and have a default gateway of the <b
class="APPLICATION">natd</b> machine's internal IP address.</p>

<p>For example, client <tt class="HOSTID">A</tt> and <tt class="HOSTID">B</tt> behind the
LAN have IP addresses of <tt class="HOSTID">192.168.0.2</tt> and <tt
class="HOSTID">192.168.0.3</tt>, while the natd machine's LAN interface has an IP address
of <tt class="HOSTID">192.168.0.1</tt>. Client <tt class="HOSTID">A</tt> and <tt
class="HOSTID">B</tt>'s default gateway must be set to that of the <b
class="APPLICATION">natd</b> machine, <tt class="HOSTID">192.168.0.1</tt>. The <b
class="APPLICATION">natd</b> machine's external, or Internet interface does not require
any special modification for <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> to work.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-NATDPORT-REDIRECTION"
name="NETWORK-NATDPORT-REDIRECTION">24.8.4 Port Redirection</a></h2>

<p>The drawback with <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> is that the
LAN clients are not accessible from the Internet. Clients on the LAN can make outgoing
connections to the world but cannot receive incoming ones. This presents a problem if
trying to run Internet services on one of the LAN client machines. A simple way around
this is to redirect selected Internet ports on the <b class="APPLICATION">natd</b>
machine to a LAN client.</p>

<p>For example, an IRC server runs on client <tt class="HOSTID">A</tt>, and a web server
runs on client <tt class="HOSTID">B</tt>. For this to work properly, connections received
on ports 6667 (IRC) and 80 (web) must be redirected to the respective machines.</p>

<p>The <var class="OPTION">-redirect_port</var> must be passed to <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> with the
proper options. The syntax is as follows:</p>

<pre class="PROGRAMLISTING">
     -redirect_port proto targetIP:targetPORT[-targetPORT]
                 [aliasIP:]aliasPORT[-aliasPORT]
                 [remoteIP[:remotePORT[-remotePORT]]]
</pre>

<p>In the above example, the argument should be:</p>

<pre class="PROGRAMLISTING">
    -redirect_port tcp 192.168.0.2:6667 6667
    -redirect_port tcp 192.168.0.3:80 80
</pre>

<p>This will redirect the proper <span class="emphasis"><i
class="EMPHASIS">tcp</i></span> ports to the LAN client machines.</p>

<p>The <var class="OPTION">-redirect_port</var> argument can be used to indicate port
ranges over individual ports. For example, <var class="REPLACEABLE">tcp
192.168.0.2:2000-3000 2000-3000</var> would redirect all connections received on ports
2000 to 3000 to ports 2000 to 3000 on client <tt class="HOSTID">A</tt>.</p>

<p>These options can be used when directly running <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a>, placed within
the <var class="LITERAL">natd_flags=""</var> option in <tt
class="FILENAME">/etc/rc.conf</tt>, or passed via a configuration file.</p>

<p>For further configuration options, consult <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a></p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-NATDADDRESS-REDIRECTION"
name="NETWORK-NATDADDRESS-REDIRECTION">24.8.5 Address Redirection</a></h2>

<p>Address redirection is useful if several IP addresses are available, yet they must be
on one machine. With this, <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> can assign
each LAN client its own external IP address. <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=natd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">natd</span>(8)</span></a> then rewrites
outgoing packets from the LAN clients with the proper external IP address and redirects
all traffic incoming on that particular IP address back to the specific LAN client. This
is also known as static NAT. For example, the IP addresses <tt
class="HOSTID">128.1.1.1</tt>, <tt class="HOSTID">128.1.1.2</tt>, and <tt
class="HOSTID">128.1.1.3</tt> belong to the <b class="APPLICATION">natd</b> gateway
machine. <tt class="HOSTID">128.1.1.1</tt> can be used as the <b
class="APPLICATION">natd</b> gateway machine's external IP address, while <tt
class="HOSTID">128.1.1.2</tt> and <tt class="HOSTID">128.1.1.3</tt> are forwarded back to
LAN clients <tt class="HOSTID">A</tt> and <tt class="HOSTID">B</tt>.</p>

<p>The <var class="OPTION">-redirect_address</var> syntax is as follows:</p>

<pre class="PROGRAMLISTING">
-redirect_address localIP publicIP
</pre>

<div class="INFORMALTABLE"><a id="AEN37819" name="AEN37819"></a>
<table border="0" frame="void" class="CALSTABLE">
<col />
<col />
<tbody>
<tr>
<td>localIP</td>
<td>The internal IP address of the LAN client.</td>
</tr>

<tr>
<td>publicIP</td>
<td>The external IP address corresponding to the LAN client.</td>
</tr>
</tbody>
</table>
</div>

<p>In the example, this argument would read:</p>

<pre class="PROGRAMLISTING">
-redirect_address 192.168.0.2 128.1.1.2
-redirect_address 192.168.0.3 128.1.1.3
</pre>

<p>Like <var class="OPTION">-redirect_port</var>, these arguments are also placed within
the <var class="LITERAL">natd_flags=""</var> option of <tt
class="FILENAME">/etc/rc.conf</tt>, or passed via a configuration file. With address
redirection, there is no need for port redirection since all data received on a
particular IP address is redirected.</p>

<p>The external IP addresses on the <b class="APPLICATION">natd</b> machine must be
active and aliased to the external interface. Look at <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=rc.conf&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">rc.conf</span>(5)</span></a> to do
so.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="network-isdn.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="network-plip.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">ISDN</td>
<td width="34%" align="center" valign="top"><a href="advanced-networking.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Parallel Line IP (PLIP)</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>