How to forward IP/Ports within my net with my iMac and no router

[MatuX]

ey everyone,

I've trying to find an answer for this for quite some time now but I haven't been able to do so...

Basically, my configuration is as follows:
I have an iMac that is connected directly to the Internet via an Ethernet (RJ-45) cable.
Then I have two Windows computers (a Notebook and a Desktop) that connects to the internet through my iMac via WiFi.

It's a typical network but with no routers or access points.

Now... I have an Apache Web Server running on my Windows Notebook computer and I need it to be accessed from the outside world. So, the only thing I need to do is that when someone access:
http://MYIPADDRESS:80/
Force it to go to my Notebook computer in 10.0.2.2:8080.

How can I achieve this on a Mac OS X? (I'm also a new user).

Can I? Do I need an application to do so?

Thanks in advance!

 

[DNSgeek]

You may not be aware of it, but your iMac is the router in your network. To configure it to do port forwarding, use ipfw to create a forwarding rule that will change the route of packets flowing in on the ethernet interface. To find out more, open a terminal and look at the man page for ipfw. The packets will arrive at the specified IP, but with the dest IP of the iMac, so the web server will need a rule to accept those packets.

man ipfw

Look specifically at the "fwd" action.

Additionally, if you wanted to use an application for this, you could look at:

http://www.sustworks.com/site/prod_ipnrx_overview.html

But at that point you could buy a used router that will do the job just fine.

 

[MatuX]

Hey!

Yes! I imagined my iMac is acting as the net's router. But I'm so new at this whole new and amazing environment that I can get quite lost some times

Thanks a lot for all the information, guys!

Hey and thanks a lot for pointing myself out in the right direction.

I don't know if this is the correct place to be asking this, but...

I've come up with the ipfw rule, I believe it is correct:
ipfw add 100 fwd 10.0.2.2,1443 dst-port 1443 via en0

I've added to the ruleset (had to use the root account for this), but nothing happens. My Apache Web Server in 10.0.2.2 doesn't respond, but I can access it directly if I write 10.0.2.2 anywhere.

I've tried changing the ServerName in my Apache to match my IP address (which is the destination IP of the incoming packets, I imagine) but still, nothing.

Any help would be appreciated. Even if it is pointing me to another more appropriate forum.

Thanks!

 

[DNSgeek]

Apache runs on port 80 for http and port 443 if you are using SSL (https) - What is 1443?

 

[MatuX]

1443 is the port where my Apache is running in my Windows computer.

I didn't want to use 80, 8080 or 443 because since I'm learning, my first tries on setting the correct rules in my router computer where messing with my connection.

Am I doing wrong? Do I really need to use the standard ports? Apache is running fine on 1443.

Best regards

 

[DNSgeek]

I was just making sure you didn't have an apache instance listening on 1443, and testing it in a browser on your iMac without specifying:

http://<ip_address>:1443/

FYI, you may not want to use port 1443. I recommend using port 8181 for testing.

Try running the ipfw command with the -n flag set, so you can check your syntax before actually running the command.

 

[MatuX]

My iMac is in 10.0.2.1.

I placed the Apache webserver on port 80, so it is accesable by simply:

http://10.0.2.2/
(thats the IP where my Windows pc is and the Apache is located)

I've tried many different combinations and it simply won't work. Currently I'm doing:
"ipfw add 100 fwd 10.0.2.2 tcp from any to any dst-port 80"

This actually makes the port 80 unavailable somehow so I can't surf the web or anything through port 80, which I don't understand why. But then, 10.0.2.2 *is* accesible.
But if I try to access it from 10.0.2.1 or my external IP, I can't.

This is getting frustrating, I can't believe this can be so hard to achieve!

 

[DNSgeek]

Ok, there a re a few things wrong with that setup.

Try:

sudo ipfw add 100 fwd 10.0.2.2,8181 src-ip any dst-ip 10.0.2.1

This might be a dumb question, but why don't you just use the apache server on your iMac?

My iMac is in 10.0.2.1.

I placed the Apache webserver on port 80, so it is accesable by simply:

http://10.0.2.2/
(thats the IP where my Windows pc is and the Apache is located)

I've tried many different combinations and it simply won't work. Currently I'm doing:
"ipfw add 100 fwd 10.0.2.2 tcp from any to any dst-port 80"

This actually makes the port 80 unavailable somehow so I can't surf the web or anything through port 80, which I don't understand why. But then, 10.0.2.2 *is* accesible.
But if I try to access it from 10.0.2.1 or my external IP, I can't.

This is getting frustrating, I can't believe this can be so hard to achieve!

 

[MatuX]

Nothing... I can't even access 10.0.2.2:8181 (Apache) from 10.0.2.1 (my iMac) with that ipfw rule.

Also tried:

ipfw fwd 10.0.2.2,8181 ip from any to any dst-ip 10.0.2.1 dst-port 8181
ipfw fwd 10.0.2.2,8181 ip from any to any dst-ip 200.XXX.XXX.XXX dst-port 8181 (200.xxx etc. is my external ip address).
ipfw fwd 10.0.2.2,8181 ip from any to any dst-ip 200.XXX.XXX.XXX

Absolutely nothing...

I have a big server infrastructure I created for a job that I will be moving to a Windows Server in the near future. I don't want to put it on a Mac/Unix environment since that would mean a lot of wasted work for the final requirement of the job.
That's why I don't really want to move the Apache to my iMac but instead, forward all the packets there.

Thanks for your help

EDIT:
Perhaps I also need to forward the packets Apache sends? I really don't understand why is this failing.
ipfw man on forward also says:

The fwd action does not change the contents of the packet at all. In particular, the destination address remains unmodified, so packets forwarded to another system will usually be rejected by that system unless there is a matching rule on that system to capture them. For packets forwarded locally, the local address of the socket will be set to the original destinationtion address of the packet. This makes the netstat(1) entry look rather weird but is intended for use with transparent proxy servers.

And, ashamedly, I don't really know how to make such rule on Apache or even Windows.

Why is this so difficult?

 

[DNSgeek]

Try one more thing. I forgot to edit this for your setup there. Do an ifconfig -a and get the IP of your iMac's Ethernet connection. This will be the public facing address of your setup. If this is an RFC1918 address, this will never work. When you said you were connected to the Internet with an Ethernet cable, I need to ask you what is on the other end. If it is a broadband router (Cable modem, FIOS, etc.), then you more than likely have a DHCP lease for an RFC1918 address on your iMac's Ethernet interface. The other alternative is that you are plugged into a switch on a University or Corporate network. In this scenario, you may or may not have a publicly route-able IP address, which is the key to this whole thing not working.

sudo ipfw add 100 fwd 10.0.2.2,8181 src-ip any dst-ip <ip_address_of_ethernet_interface>

At this point, I'd say if you have a big server infrastruture you've created, it's worth spending the $30 on a used Linksys that will do what you want and give you a WebGUI to play with.

 

[ElectricSheep]

From the ipfw man page:

The fwd action does not change the contents of the packet at all. In particular, the destination address remains unmodified, so packets forwarded to another system will usually be rejected by that system unless there is a matching rule on that system to capture them.

The correct solution for the kind of port-forwarding behavior your are seeking is to use an ipfw rule to divert traffic to natd, which will then perform the necessary forwarding along with header rewriting.

ipfw add 100 divert natd ip from any to any via en0 (you can tailor this to specific traffic if you please)

Then you need to run natd with this parameter to forward the port you desire:

-redirect-port tcp 10.0.2.2:8181 8181

 

[MatuX]

From the ipfw man page:

The correct solution for the kind of port-forwarding behavior your are seeking is to use an ipfw rule to divert traffic to natd, which will then perform the necessary forwarding along with header rewriting.

ipfw add 100 divert natd ip from any to any via en0 (you can tailor this to specific traffic if you please)

Then you need to run natd with this parameter to forward the port you desire:

-redirect-port tcp 10.0.2.2:8181 8181

Thanks for your help,

That divert is already being done (divert 8668 ip from any to any via en0) without me writing any rule.
I added divert 8668 ip from any to any dst-ip 200.122.xxx.xxx dst-port 8181 as well just in case.

When I try to execute the natd line, it says:
natd: aliasing address not given

If I try to write -alias_address various_combinations_of_seemingly_valid_ips
It says:
natd: Unable to bind divert socket.: Address already in use

I checked this on the internet and it says I need to kill my natd service, change the natd.conf file and re-execute natd using this conf file.
But there is no natd.conf file in my system and I don't want to kill my natd service since I'm afraid that might end up doing more harm than good since I've no idea what the current natd configuration is.

Any ideas?

EDIT:
Well, I killed my natd and couldn't get it to start again. Much less run the redirect_port param.

From what I've seen, I really think doing this natd config may be the way to go to solve this. But I can't solve this.

 

[ElectricSheep]

The aliasing address error is because you must always specify either an IP address to bind to with the -a <ip address> parameter, or an interface to bind to with the -interface <if> parameter. If you already have a natd.conf file, this should already be specified.

The line you'll add to the natd.conf file is of the form:

[b]redirect_port tcp inside_address:port [outside_address:]port[/b]

Where

[b]inside_address:port[/b]

is the host and port you want to forward traffic to, and

[b]outside_address:port[/b]

is the address and port that people on the outside are going to use to access your web server. Note that the outside_address portion is optional, and you may omit it.

If you need to forward udp traffic as well, copy and paste that line but replace tcp with udp.

 

[ElectricSheep]

Okay, I have to post this followup after I had an epiphany of sorts.

You are running Mac OS X Client. You do not have a natd.conf file. You also do not have an ipfw configuration file.

When you check the box in System Preferences to enable Internet Sharing, Mac OS X automatically adds the correct divert rule to the ipfw rules list, and it automatically kicks off an instance of natd with the correct parameters passed in for basic internet sharing.

Mac OS X Server provides some very nice GUI facilities to fine tune how natd operates, such as setting up port forwarding. Unfortunately, you do not have this luxury in Mac OS X client. That isn't to say that this goal is unattainable. Far from it. You will just have to do things differently.

I don't have the time at the moment, but I will followup with instructions on how to create a Launch Agent that will set up ipfw and natd for you at boot time. You will disable Internet Sharing in System Preferences, and use this Agent to set it up for you. If at any time you want to stop this form of internet sharing, just disable to the Launch Agent and run a script I will provide that will remove the divert firewall rule and kill the natd daemon.

 

[MatuX]

DNSgeek and ElectricSheep,

Thanks a lot for the effort both of you are putting into this.

I wouldn't imagine anyone would spend this much time into helping a complete stranger to solve such an issue.

I really appreciate it!

 

[notjustjay]

Wow, I hope the OP gets this worked out, but I have to say, after reading halfway through the thread, *I* was ready to buy a used router and send it to him!

But then, I never like going through complex solutions when an easy one exists... (hence why I switched to OS X )

Good luck!

 

[MatuX]

Well, that's the downside of living in a third world country.
An Airport Express costs $600 and an Airport Extreme, $800 (all local currency).

If we take in account our salary average is proportionally the same as yours (meaning: you get, dunno, 2000 USD a month average, we get $ 2000 a month average (which is about 550 usd a month)). Buying something that expensive is a clear PAIN

And don't get me started with Macbooks and iMacs costs

Such is life!

 

[DNSgeek]

Don't sell yourself short. Argentina is hardly a third world country....

 

[MatuX]

Don't sell yourself short. Argentina is hardly a third world country....

Haha, well that's encouraging in some way

Did you get my PM, DNSgeek? I sent you my IM info...

 

[coloradotechie]

Has this been solved yet?

I was wondering if this has been solved yet. Any updates?

 

[astrorider]

I was wondering if this has been solved yet. Any updates?

Following this seems to work for me under Snow Leopard:
http://www.cyberciti.biz/faq/howto-configure-macosx-as-nat-router/