natd Network Address Translation Daemon.
natd [-ldsmvu] [-dynamic] [-i <inport>] [-o <outport>] [-p <port>] [-a <address>] [-n <interface>] [-f <configfile>]

natd [-log] [-deny_incoming] [-log_denied] [-use_sockets] [-same_ports] [-verbose] [-log_facility <facility_name>] [-unregistered_only] [-dynamic] [-inport <inport>] [-outport <outport>] [-port <port>] [-alias_address <address>] [-interface <interface>] [-config <configfile>] [-redirect_port <linkspec>] [-redirect_address <localIP> <publicIP>] [-reverse] [-proxy_only] [-proxy_rule <proxyspec>] [-pptpalias <localIP>]


natd provides a Network Address Translation facility for use with divert (4) sockets. It is intended for use only with NICs—if you want to do NAT on a PPP link, use the -alias switch to ppp (8).
natd normally runs in the background as a daemon. It is passed raw IP packets as they travel into and out of the machine, and will possibly change these before reinjecting them into the IP packet stream.
natd changes all packets destined for another host so that their source IP number is that of the current machine. For each packet changed in this way, an internal table entry is created to record this fact. The source port number is also changed to indicate the table entry applying to the packet. Packets that are received with a target IP of the current host are checked against this internal table. If an entry is found, it is used to determine the correct target IP number and port to place in the packet.
-log Logs various aliasing statistics and information to the file /var/log/alias.log. This file is truncated each time natd is started.
-deny_incoming Rejects packets destined for the current IP number that have no entry in the internal translation table.
-use_sockets Allocates a socket (2) to establish an FTP data or IRC DCC send connection. This option uses more system resources, but guarantees successful connections when port numbers conflict.
-same_ports Tries to keep the same port number when allocating outgoing packets. With this option, a protocol such as RPC will have a better chance of working. If it is not possible to maintain the port number, it will be silently changed as usual.
-verbose Doesn't call fork (2) or daemon (3) on startup. Instead, stays attached to the controlling terminal and displays all packet alterations to the standard output. This option should be used only for debugging.
-unregistered_only Alters only outgoing packets with an unregistered source address. According to RFC 1918, unregistered source addresses are the private address ranges that RFC defines.
-log_denied Logs denied incoming packets via syslog (see also -log_facility).
-log_facility <facility_name> Uses specified log facility when logging information via syslog. Facility names are as in syslog.conf (5).
-dynamic If the -n or -interface option is used, natd monitors the routing socket for alterations to the <interface> passed. If the interface's IP number is changed, natd will dynamically alter its concept of the alias address.
-i <inport>, -inport <inport> Reads from and writes to <inport>, treating all packets as packets coming into the machine.
-o <outport>, -outport <outport> Reads from and writes to <outport>, treating all packets as packets going out of the machine.
-p <port>, -port <port> Reads from and writes to <port>, distinguishing packets as incoming or outgoing using the rules specified in divert. If <port> is not numeric, it is searched for in the /etc/services database. If this flag is not specified, the divert port named natd is used as a default.
-a <address>, -alias_address <address> Uses <address> as the alias address. If this option is not specified, the -n or -interface option must be used. The specified address should be the address assigned to the public network interface. All data passing out through this address's interface is rewritten with a source address equal to <address>. All data arriving at the interface from outside is checked to see whether it matches any already-aliased outgoing connection. If it does, the packet is altered accordingly. If not, all -redirect_port and -redirect_address assignments are checked and action is taken. If no other action can be made and if -deny_incoming is not specified, the packet is delivered to the local machine and port as specified in the packet.
-n <interface>, -interface <interface> Uses <interface> to determine the alias address. If there is a possibility that the IP number associated with <interface> might change, the -dynamic flag should also be used. If this option is not specified, the -a or -alias_address flag must be used. The specified <interface> must be the public network interface.
-f <configfile>, -config <configfile> Reads the configuration from <configfile>. <configfile> contains a list of options, one per line, in the same form as the long form of the command-line flags (for example, an alias_address line specifies the alias address). Options that don't take an argument are specified with an option of yes or no in the configuration file. For example, the line

-log yes

is synonymous with -log. Empty lines and lines beginning with # are ignored.
-redirect_port <proto> <targetIP>:<targetPORT> [<aliasIP>:]<aliasPORT> [<remoteIP>[:<remotePORT>]] Redirects incoming connections arriving at the given port to another host and port. <proto> is either tcp or udp; <targetIP> is the desired target IP number; <targetPORT> is the desired target port number; <aliasPORT> is the requested port number and <aliasIP> is the aliasing address. <remoteIP> and <remotePORT> can be used to specify the connection more accurately, if necessary. For example, the argument

tcp inside1:telnet 6666

means that tcp packets destined for port 6666 on this machine will be sent to the telnet port on the inside1 machine.
-redirect_address <localIP> <publicIP> Redirects traffic for a public IP address to a machine on the local network. This function, known as static NAT, is normally useful if your ISP has allocated a small block of IP addresses to you, but it can be used in the case of a single address:

The preceding command would redirect all incoming traffic to machine

If several address aliases specify the same public address, as follows,

redirect_address <public_addr>
redirect_address <public_addr>
redirect_address <public_addr>

the incoming traffic will be directed to the last translated local address, but outgoing traffic to the first two addresses will still be aliased to the specified public address.
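As an added example (not part of the original man page or of natd's own code), a Python parser for the configuration-file format described under -config, the -redirect_port link specification, and the last-wins rule for repeated -redirect_address lines. The function names, the sample configuration and the documentation-range addresses are this example's own assumptions; the linkspec layout follows the parameter descriptions above.

```python
FLAG_OPTIONS = {"log", "deny_incoming", "log_denied", "use_sockets", "same_ports",
                "verbose", "unregistered_only", "dynamic", "reverse", "proxy_only"}

def parse_linkspec(spec):
    """'<proto> <targetIP>:<targetPORT> [<aliasIP>:]<aliasPORT> [<remoteIP>[:<remotePORT>]]'"""
    parts = spec.split()
    if len(parts) not in (3, 4) or parts[0] not in ("tcp", "udp") or ":" not in parts[1]:
        raise ValueError("bad redirect_port spec: %r" % spec)
    target_ip, _, target_port = parts[1].rpartition(":")   # ports may be service names (telnet)
    alias_ip, _, alias_port = parts[2].rpartition(":")     # the <aliasIP>: prefix is optional
    return {"proto": parts[0], "target": (target_ip, target_port),
            "alias": (alias_ip or None, alias_port), "remote": parts[3] if len(parts) == 4 else None}

def parse_natd_config(text):
    cfg = {"flags": set(), "options": {}, "redirect_port": [], "redirect_address": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):               # blank lines and comments are ignored
            continue
        option, value = (line.split(None, 1) + [""])[:2]
        option, value = option.lstrip("-"), value.strip()  # accept '-log yes' as well as 'log yes'
        if option in FLAG_OPTIONS:                         # flag options are written '<option> yes|no'
            if value not in ("yes", "no"):
                raise ValueError("line %d: %s takes yes or no" % (lineno, option))
            if value == "yes":
                cfg["flags"].add(option)
        elif option == "redirect_port":
            cfg["redirect_port"].append(parse_linkspec(value))
        elif option == "redirect_address":
            cfg["redirect_address"].append(tuple(value.split()))   # (<localIP>, <publicIP>)
        elif value:
            cfg["options"][option] = value                 # argument options: interface, alias_address, ...
        else:
            raise ValueError("line %d: %s needs an argument" % (lineno, option))
    return cfg

def incoming_target(cfg, public_ip):
    """Inbound traffic for public_ip is delivered to the LAST local address mapped to it."""
    hits = [local for local, public in cfg["redirect_address"] if public == public_ip]
    return hits[-1] if hits else None

def outgoing_alias(cfg, local_ip):
    """Outbound traffic from every listed local host is still aliased to its public address."""
    return next((pub for loc, pub in cfg["redirect_address"] if loc == local_ip), None)

SAMPLE_CONFIG = """# natd.conf, constructed example (documentation address ranges, not real hosts)
log no
redirect_port tcp inside1:telnet 6666
redirect_address 192.0.2.10 203.0.113.5
redirect_address 192.0.2.11 203.0.113.5
"""
```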
-reverse Reverses operation of natd. This can be useful in some transparent proxying situations in which outgoing traffic is redirected to the local machine and natd is running on the incoming interface (it usually runs on the outgoing interface).
-proxy_only Forces natd to perform transparent proxying only. Normal address translation is not performed.
-proxy_rule [<type> encode_ip_hdr | encode_tcp_stream] port <xxxx> server <a.b.c.d:yyyy> Enables transparent proxying. Packets with the given port going through this host to any other host are redirected to the given server and port. Optionally, the original target address can be encoded into the packet. Use encode_ip_hdr to put this information into the IP option field or encode_tcp_stream to inject the data into the beginning of the TCP stream.
-pptpalias <localIP> Allows PPTP packets to go to the defined localIP address. PPTP is a VPN (secure IP tunneling) technology being developed primarily by Microsoft. For its encrypted traffic, it uses an old IP encapsulation protocol called GRE. This natd option will translate any traffic of this protocol to a single server to be serviced with natd. If you are setting up a server, don't forget to allow the TCP traffic for PPTP setup. For a client or server, you must allow GRE (protocol 47) if you have a firewall list active.