185965SbrianCopyright (c) 2001 Charles Mott <cm@linktel.net> 277690SbrianAll rights reserved. 320365Sjkh 477690SbrianRedistribution and use in source and binary forms, with or without 577690Sbrianmodification, are permitted provided that the following conditions 677690Sbrianare met: 777690Sbrian1. Redistributions of source code must retain the above copyright 877690Sbrian notice, this list of conditions and the following disclaimer. 977690Sbrian2. Redistributions in binary form must reproduce the above copyright 1077690Sbrian notice, this list of conditions and the following disclaimer in the 1177690Sbrian documentation and/or other materials provided with the distribution. 1226031Sbrian 1377690SbrianTHIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 1477690SbrianANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 1577690SbrianIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 1677690SbrianARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 1777690SbrianFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 1877690SbrianDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 1977690SbrianOR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2077690SbrianHOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 2177690SbrianLIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 2277690SbrianOUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 2377690SbrianSUCH DAMAGE. 2426031Sbrian 2577690Sbrian$FreeBSD$ 2677690Sbrian 2777690SbrianUser PPP NAT (Packet Aliasing) 2877690Sbrian 2977690Sbrian 3077690Sbrian 3120365Sjkh0. Contents 3220365Sjkh 1. Background 3320365Sjkh 2. Setup 3426031Sbrian 3. New commands in ppp 3526031Sbrian 4. Future Work 3636466Sbrian 5. Authors / Acknowledgements 3726031Sbrian 6. Revision History for Aliasing Code 3820365Sjkh 3920365Sjkh 4026031Sbrian 4120365Sjkh1. Background 4220365Sjkh 4377690SbrianUser mode ppp has embedded NAT (Network Address Translation) code. 4477690SbrianEnabling this, either by the "-nat" command line option or the 4577690Sbrian"nat enable yes" command in a ppp.conf file, makes the ppp host 4677690Sbrianautomatically NAT IP packets forwarded from a local network, making 4726031Sbrianthem appear to come from the ppp host machine. Incoming packets 4877690Sbrianfrom the outside world are then appropriately de-NAT'd. 4920365Sjkh 5077690SbrianThe process of NAT'ing involves both the IP address and the TCP or UDP 5177690Sbrianport numbers. ICMP echo and timestamp packets are natted by their id 5226031Sbriannumbers. ICMP error messages can be properly directed by examining the 5326031Sbrianfragment of the offending packet which is contained in the body of the 5426031Sbrianmessage. 5520365Sjkh 5620365SjkhThis software was specifically meant to support users who have 5726031Sbrianunregistered, private address IP networks (e.g. 192.168.0.x or 10.0.0.x 5826031Sbrianaddresses). The ppp host can act as a gateway for these networks, and 5926031Sbriancomputers on the local area net will have some degree of Internet access 6026031Sbrianwithout the need for a registered IP address. Additionally, there will 6126031Sbrianbe no need for an Internet service provider to maintain routing tables 6226031Sbrianfor the local area network. 6320365Sjkh 6477690SbrianA disadvantage of NAT is that machines on the local network, 6526031Sbrianbehind the ppp host, are not visible from the outside world. They can 6626031Sbrianestablish TCP connections and make UDP inquiries (such as domain name 6726031Sbrianservice requests) but the connections seem to come from the ppp host 6826031Sbrianitself. There is, in effect, a partial firewall. Of course, if this is 6926031Sbrianwhat you want, the disadvantage becomes an advantage. 7020365Sjkh 7126031SbrianA second disadvantage is that "IP encoding" protocols, which send IP 7226031Sbrianaddress or port information within the data stream, are not supported 7326031Sbrianfor the cases where exception code exists. This implementation has 7426031Sbrianworkarounds for FTP and IRC DCC, the most well known of the IP encoding 7526031Sbrianprotocols. This frees users from depending on using the ftp passive 7626031Sbrianmode and avoiding IRC DCC sends, as is sometimes the case with other 7726031Sbrianmasquerading solutions. 7820365Sjkh 7926031SbrianThe implementation supports all standard, non-encoding TCP and UDP protocols. 8026031SbrianExamples of these protocols are http, gopher and telnet. The standard UDP 8136466Sbrianmode of Real-Audio is not presently supported, but the TCP mode does work 8226031Sbriancorrectly. 8320365Sjkh 8477690SbrianThe NAT code also handles many ICMP messages. In particular, 8526031Sbrianping and traceroute are supported. 8620365Sjkh 8720365Sjkh 8820365Sjkh 8920365Sjkh2. Packet Aliasing Setup 9020365Sjkh 9126031SbrianIt is recommended that users first verify correct ppp operation without 9277690SbrianNAT enabled. This will confirm that the ppp.conf file is 9326031Sbrianproperly set up and that there are no ppp problems. Then start ppp with 9477690Sbrianthe "-nat" option on the command line. The user should verify that 9577690Sbrianthe ppp host can correctly connect to the Internet in NAT 9626031Sbrianmode. Finally, check that machines on the private network can access 9726031Sbrianthe Internet. 9820365Sjkh 9977690SbrianThe NAT software handles all packets, whether they come from 10026031Sbrianthe host or another computer on the local area network. Thus, a correctly 10126031Sbrianoperating ppp host indicates that the software should work properly for 10226031Sbrianother computers on the private network. 10320365Sjkh 10426031SbrianIf the ppp host can access the Internet, but other computers on the local 10526031Sbriannetwork cannot, check that IP forwarding is enabled on the ppp host. Also, 10626031Sbrianverify that the other computers use this machine as a gateway. Of course, 10726031Sbrianyou should also verify that machines within the local area network 10826031Sbriancommunicate properly. A common error is inconsistent subnet addresses 10926031Sbrianand masks. 11020365Sjkh 11120365Sjkh 11220365Sjkh 11326031Sbrian3. New commands in ppp 11420365Sjkh 11577690SbrianIn order to control NAT behaviour in a simple manner (no need for 11677690Sbrianrecompilation), a new command has been added to ppp: nat. This 11777690Sbrianis in addition to the -nat command line option. System managers and 11836466Sbrianmore experienced users may prefer to use the ppp command syntax 11977690Sbrianwithin the ppp.conf file. The nat command also allows NAT 12036466Sbrianbehaviour to be more precisely specified. 12120365Sjkh 12226031SbrianThe decision to add a command instead of extending 'set' or 'option' was 12377690Sbrianto make obvious that these options only work when NAT is enabled. 12420365Sjkh 12577690SbrianThe syntax for 'nat' is 12620365Sjkh 12777690Sbrian ppp> nat option [yes|no] 12820365Sjkh 12926031Sbrianwhere option is given by one of the following templates. 13020365Sjkh 13126031Sbrian 13277690Sbrian - nat enable [yes|no] (default no) 13326031Sbrian 13477690SbrianEnable NAT functionality. If disabled, no other NAT 13577690Sbrianoptions will have any effect. You should usually enable NAT 13626031Sbrianbefore routing any packets over the link; good points are in the 13726031Sbrianinitial script or right before adding a route. If you do not always 13877690Sbrianwant NAT, consider using the -nat option to ppp instead of this 13926031Sbriancommand. 14026031Sbrian 14126031Sbrian 14277690Sbrian - nat deny_incoming [yes|no] (default yes) 14326031Sbrian 14426031SbrianSet to "yes" to disable all incoming connections. This just drops 14577690Sbrianconnections to, for example, ftp, telnet or web servers. The NAT 14626031Sbrianmechanism prevents these connections. Technically, this option denies 14777690Sbrianall incoming TCP and UDP requests, making the NAT software a 14836466Sbrianfairly efficient one-way firewall. The default is no, which will allow 14926031Sbrianall incoming connections to telnetd, ftpd, etc. 15026031Sbrian 15126031Sbrian 15277690Sbrian - nat log [yes|no] 15326031Sbrian 15477690SbrianControls logging of NAT link creation to "/var/log/alias.log" - this 15526031Sbrianis usually only useful if debugging a setup, to see if the bug is in 15677690Sbrianthe PPP NATing. The debugging information is fairly limited, listing 15777690Sbrianthe number of NAT links open for different protocols. 15826031Sbrian 15926031Sbrian 16077690Sbrian - nat same_ports [yes|no] (default yes) 16126031Sbrian 16277690SbrianWhen a connection is being established going through the NAT 16326031Sbrianroutines, it will normally have its port number changed to allow the 16477690SbrianNAT code to track it. If same_ports is enabled, the NAT 16526031Sbriansoftware attempts to keep the connection's source port unchanged. 16636466SbrianThis will allow rsh, RPC and other specialised protocols to work 16726031Sbrian_most of the time_, at least on the host machine. Please, do not 16826031Sbrianreport this being unstable as a bug - it is a result of the way 16977690SbrianNAT has to work. TCP/IP was intended to have one IP address 17026031Sbrianper machine. 17126031Sbrian 17226031Sbrian 17377690Sbrian - nat use_sockets [yes|no] (default yes) 17426031Sbrian 17577690SbrianThis is a fairly obscure option. For the most part, the NAT 17677690Sbriansoftware does not have to allocate system sockets when it chooses a 17777690SbrianNAT port number. Under very specific circumstances, FTP data 17836466Sbrianconnections (which don't know the remote port number, though it is 17926031Sbrianusually 20) and IRC DCC send (which doesn't know either the address or 18026031Sbrianthe port from which the connection will come), there can potentially be 18126031Sbriansome interference with an open server socket having the same port number 18236466Sbrianon the ppp host machine. This possibility for interference only exists 18326031Sbrianuntil the TCP connection has been acknowledged on both sides. The safe 18426031Sbrianoption is yes, though fewer system resources are consumed by specifying 18526031Sbrianno. 18626031Sbrian 18726031Sbrian 18877690Sbrian - nat unregistered_only [yes|no] (default no) 18926031Sbrian 19077690SbrianNAT normally remaps all packets coming from the local area 19126031Sbriannetwork to the ppp host machine address. Set this option to only map 19226031Sbrianaddresses from the following standard ranges for private, unregistered 19326031Sbrianaddresses: 19426031Sbrian 19526031Sbrian 10.0.0.0 -> 10.255.255.255 19626031Sbrian 172.16.0.0 -> 172.31.255.255 19726031Sbrian 192.168.0.0 -> 192.168.255.255 */ 19826031Sbrian 19926031SbrianIn the instance that there is a subnet of public addresses and another 20026031Sbriansubnet of private addresses being routed by the ppp host, then only the 20177690Sbrianpackets on the private subnet will be NAT'd. 20226031Sbrian 20326031Sbrian 20477690Sbrian- nat port <proto> <local addr>:<port> <nat port> 20526031Sbrian 20698243SbrianThis command allows incoming traffic to <nat port> on the host 20726031Sbrianmachine to be redirected to a specific machine and port on the 20826031Sbrianlocal area network. One example of this would be: 20926031Sbrian 21077690Sbrian nat port tcp 192.168.0.4:telnet 8066 21126031Sbrian 21236466SbrianAll traffic to port 8066 of the ppp host would then be sent to 21326031Sbrianthe telnet port (23) of machine 192.168.0.4. Port numbers 21426031Sbriancan either be designated numerically or by symbolic names 21526031Sbrianlisted in /etc/services. Similarly, addresses can be either 21626031Sbrianin dotted quad notation or in /etc/hosts. 21726031Sbrian 21826031Sbrian 21977690Sbrian- nat addr <local addr> <public addr> 22026031Sbrian 22126031SbrianThis command allows traffic for a public IP address to be 22226031Sbrianredirected to a machine on the local network. This function 22326031Sbrianis known as "static NAT". An address assignment of 0 refers 22426031Sbrianto the default address of the ppp host. Normally static 22526031SbrianNAT is useful if your ISP has allocated a small block of 22626031SbrianIP addresses to the user, but it can even be used in the 22726031Sbriancase of a single, dynamically allocated IP address: 22826031Sbrian 22977690Sbrian nat addr 10.0.0.8 0 23026031Sbrian 23126031SbrianThe above command would redirect all incoming traffic to 23298243Sbrianmachine 10.0.0.8. 23326031Sbrian 23477690SbrianIf several address NATs specify the same public address 23526031Sbrianas follows 23626031Sbrian 23777690Sbrian nat addr 192.168.0.2 public_addr 23877690Sbrian nat addr 192.168.0.3 public_addr 23977690Sbrian nat addr 192.168.0.4 public_addr 24026031Sbrian 24136466Sbrianthen incoming traffic will be directed to the last 24226031Sbriantranslated local address (192.168.0.4), but outgoing 24377690Sbriantraffic to the first two addresses will still be NAT'd 24426031Sbrianto the specified public address. 24526031Sbrian 24626031Sbrian 24726031Sbrian 24826031Sbrian4. Future Work 24926031Sbrian 25077690SbrianWhat is called NAT here has been variously called masquerading, packet 25177690Sbrianaliasing and transparent proxying by others. It is an extremely useful 25277690Sbrianfunction to many users, but it is also necessarily imperfect. The 25377690Sbrianoccasional IP-encoding protocols always need workarounds (hacks). 25477690SbrianUsers who are interested in supporting new IP-encoding protocols 25526031Sbriancan follow the examples of alias_ftp.c and alias_irc.c. 25626031Sbrian 25726031SbrianICMP error messages are currently handled only in the incoming direction. 25877690SbrianA handler needs to be added to correctly NAT outgoing error messages. 25926031Sbrian 26026031SbrianIRC and FTP exception handling make reasonable, though not strictly correct 26126031Sbrianassumptions, about how IP encoded messages will appear in the control 26226031Sbrianstream. Programmers may wish to consider how to make this process more 26326031Sbrianrobust. 26426031Sbrian 26577690SbrianThe NAT engine (alias.c, alias_db.c, alias_ftp.c, alias_irc.c 26626031Sbrianand alias_util.c) runs in user space, and is intended to be both portable 26726031Sbrianand reusable for interfaces other than ppp. To access the basic engine 26836466Sbrianonly requires four simple function calls (initialisation, communication of 26977690Sbrianhost address, outgoing NAT and incoming de-NATing). 27026031Sbrian 27126031Sbrian 27226031Sbrian 27336466Sbrian5. Authors / Acknowledgements 27426031Sbrian 27586806SbrianCharles Mott (cm@linktel.net) <versions 1.0 - 1.8, 2.0, 2.1> 27626031SbrianEivind Eklund (perhaps@yes.no) <versions 1.8b - 1.9, new ppp commands> 27726031Sbrian 27826031SbrianListed below, in chronological order, are individuals who have provided 27926031Sbrianvaluable comments and/or debugging assistance. 28026031Sbrian 28126031Sbrian Gary Roberts 28226031Sbrian Tom Torrance 28326031Sbrian Reto Burkhalter 28426031Sbrian Martin Renters 28526031Sbrian Brian Somers 28626031Sbrian Paul Traina 28726031Sbrian Ari Suutari 28826031Sbrian J. Fortes 28926031Sbrian Andrzej Bialeki 29026031Sbrian 29126031Sbrian 29226031Sbrian 29326031Sbrian6. Revision History for Aliasing Code 29426031Sbrian 29526031SbrianVersion 1.0: August 11, 1996 (cjm) 29626031Sbrian 29726031SbrianVersion 1.1: August 20, 1996 (cjm) 29826031Sbrian PPP host accepts incoming connections for ports 0 to 1023. 29926031Sbrian 30026031SbrianVersion 1.2: September 7, 1996 (cjm) 30126031Sbrian Fragment handling error in alias_db.c corrected. 30226031Sbrian 30326031SbrianVersion 1.3: September 15, 1996 (cjm) 30436466Sbrian - Generalised mechanism for handling incoming connections 30526031Sbrian (no more 0 to 1023 restriction). 30626031Sbrian - Increased ICMP support (will handle traceroute now). 30726031Sbrian - Improved TCP close connection logic. 30826031Sbrian 30926031SbrianVersion 1.4: September 16, 1996 31026031Sbrian Can't remember (this version only lasted a day -- cjm). 31126031Sbrian 31226031SbrianVersion 1.5: September 17, 1996 (cjm) 31326031Sbrian Corrected error in handling incoming UDP packets 31426031Sbrian with zero checksum. 31526031Sbrian 31626031SbrianVersion 1.6: September 18, 1996 31726031Sbrian Simplified ICMP data storage. Will now handle 31826031Sbrian tracert from Win95 as well as FreeBSD traceroute. 31926031Sbrian 32036466SbrianVersion 1.7: January 9, 1997 (cjm) 32198243Sbrian - Reduced malloc() activity for ICMP echo and 32226031Sbrian timestamp requests. 32326031Sbrian - Added handling for out-of-order IP fragments. 32426031Sbrian - Switched to differential checksum computation 32526031Sbrian for IP headers (TCP, UDP and ICMP checksums 32626031Sbrian were already differential). 32726031Sbrian - Accepts FTP data connections from other than 32826031Sbrian port 20. This allows one ftp connections 32926031Sbrian from two hosts which are both running packet 33026031Sbrian aliasing. 33126031Sbrian 33236466SbrianVersion 1.8: January 14, 1997 (cjm) 33326031Sbrian - Fixed data type error in function StartPoint() 33426031Sbrian in alias_db.c (this bug did not exist before v1.7) 33526031Sbrian 33626031SbrianVersion 1.8b: January 16, 1997 (Eivind Eklund <perhaps@yes.no>) 33736466Sbrian - Upgraded base PPP version to be the source code from 33826031Sbrian FreeBSD 2.1.6, with additional security patches. This 33926031Sbrian version should still be possible to run on 2.1.5, though - 34026031Sbrian I've run it with a 2.1.5 kernel without problems. 34126031Sbrian (Update done with the permission of cjm) 34226031Sbrian 34326031SbrianVersion 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>) 34426031Sbrian - Added support for IRC DCC (ee) 34526031Sbrian - Changed the aliasing routines to use ANSI style throughout - 34626031Sbrian minor API changes for integration with other programs than PPP (ee) 34726031Sbrian - Changed the build process, making all options switchable 34826031Sbrian from the Makefile (ee) 34926031Sbrian - Fixed minor security hole in alias_ftp.c for other applications 35026031Sbrian of the aliasing software. Hole could _not_ manifest in 35126031Sbrian PPP+pktAlias, but could potentially manifest in other 35226031Sbrian applications of the aliasing. (ee) 35326031Sbrian - Connections initiated from packet aliasing host machine will 35426031Sbrian not have their port number aliased unless it conflicts with 35526031Sbrian an aliasing port already being used. (There is an option to 35626031Sbrian disable this for debugging) (cjm) 35726031Sbrian - Sockets will be allocated in cases where there might be 35826031Sbrian port interference with the host machine. This can be disabled 35998243Sbrian in cases where the ppp host will be acting purely as a 36026031Sbrian masquerading router and not generate any traffic of its own. 36126031Sbrian (cjm) 36226031Sbrian 36326031SbrianVersion 2.0: March, 1997 (cjm) 36436466Sbrian - Incoming packets which are not recognised by the packet 36526031Sbrian aliasing engine are now completely dropped in ip.c. 36626031Sbrian - Aliasing links are cleared when a host interface address 36736466Sbrian changes (due to re-dial and dynamic address allocation). 36826031Sbrian - PacketAliasPermanentLink() API added. 36926031Sbrian - Option for only aliasing private, unregistered IP addresses 37026031Sbrian added. 37126031Sbrian - Substantial rework to the aliasing lookup engine. 37226031Sbrian 37326031SbrianVersion 2.1: May, 1997 (cjm) 37426031Sbrian - Continuing rework to the aliasing lookup engine to support 37526031Sbrian multiple incoming addresses and static NAT. 37636466Sbrian - Now supports outgoing as well as incoming ICMP error messages/ 37726031Sbrian - PPP commands to support address and port redirection. 37826031Sbrian 379