does port mapping work in reverse?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Lokrado, Aug 11, 2010.

  1. macrumors regular

    Does port mapping work in reverse?
    Say I have an AEBS and I change port 1 from the external to port 2 on the internal network; would my outgoing traffic from my internal network on port 2 be forwarded to port 1 on the external network?

    The same goes for on a Mac: is there a command I can use to do port mapping on the device, in reverse as well?

    Say I wanted to make an L2TP server running on OS X Server run on port 23; I would need to map on the AEBS and on the client.
    Or is there a different way I could do this?
  2. macrumors newbie

    Hope I understood your question correctly. Here goes!

    Normally, yes, port mapping does work both ways.

    If your client is on the internal network, you need to make sure the client knows to connect to the server's internal IP using port 23.

    If your client is on the internet, you need to make sure the client knows to connect to your external IP using whatever port you map to the server's port 23.

    The port mapping on the router only needs to be done if you want to connect to the server from the internet.
  3. macrumors regular

    Right, how do I do port mapping on the Mac?
  4. macrumors 601

    In the application or its configuration files.
  5. macrumors regular

    The application would be System Preferences, and the configuration files are inaccessible. Anything else you want to add while talking about L2TP, which uses UDP 1701 and is not meant to be changed?

    aka, I'm looking for a terminal command/utility.
  6. macrumors 601

    If it's not meant to be changed, then why would you change it? All of OS X's configuration files are accessible.

    Your description above is confusing when you say moving port 1 to port 2. It's not clear what you're trying to do.
  7. macrumors 6502a
    We could probably help you best if you could explain exactly what you're intending to do, and why you can't do it on standard ports. I don't typically suggest running any services on non-standard ports if you can help it.
  8. macrumors regular

    Usually when people want to run something standardized on non-standardized ports, they're either a) behind a firewall they do not control or b) behind a proxy they do not control. Both like those of schools, ISPs or corporations. :D

    Now, to receive the non-standardized connection with standardized software on a network I do not control, I would need an in-machine port mapping app or terminal utility. I do not want to configure the apps, as I use these standardized protocols normally in other places, hence the port mapping, or port changing if you will.

    I found this, but it seems to attempt to modify the router's settings, which I do not have access to.

    And if I can access and read/modify the System Preferences and/or VPN client config file, I'll eat my hat and freak out due to security issues.....
  9. macrumors 65816

    The firewall used by OS X (IPFW) will do port mapping for you. If you google for that plus OS X you will find many examples of how to do it and you can select the method that most suits you.

    If you are the administrator of the box, you can modify anything and everything in it. Anything else would be silly.

  10. macrumors regular

    So something like this?

    25100 allow udp from any 67 to any dst-port 68 in

    Would that forward port 67 to 68 on UDP inbound? What about outbound? What does the DST mean?

    Right, but in a, say, FireWire disk mode scenario?
  11. macrumors newbie

    That only adds a firewall rule. Simply put, it means the firewall will allow UDP traffic from any source IP on port 67 to travel to any destination IP on port 68 through the inbound traffic flow on the firewall.

    It won't do the actual port translation.

    What you want is a static NAT statement. It's been a long time since I have had to mess with the IPFW stuff, so I can't remember the syntax, but look up the natd and divert commands.

    Still not sure why you want to do this on your client computer. You shouldn't need to mess with the firewall and NAT rules just to get your client software to connect to a service on a non-standard port.
  12. macrumors regular

    Well, how would you do it then? I'm specifically wanting to use the built-in VPN client, and I don't see any option to change ports.
  13. macrumors 65816

    Unless you have the firewall turned on, it's already allowing all traffic anyway. All you would need is something like this:

    sudo ipfw add 100 forward,22 ip from any to any 33 in

    The syntax is a bit funny, but this means 'send any inbound traffic for port 33 to localhost port 22'. Note, you do *not* need any natd/divert statements as suggested by the previous poster since you aren't doing any NAT.

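The two rule forms in this thread (the earlier `allow` rule and the `forward` rule just above) look similar but behave differently: only `forward`/`fwd` rewrites where matching packets go. The small parser below is an added example, not code from the thread or from ipfw itself; it accepts the thread's `forward,<port>` shorthand (treated as localhost, as the post explains) and the standard `fwd <addr>,<port>` form, and reports whether a rule does any port translation at all.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample rules, copied from the thread above (ipfw syntax).
RULE_ALLOW = "25100 allow udp from any 67 to any dst-port 68 in"
RULE_FWD = "sudo ipfw add 100 forward,22 ip from any to any 33 in"

@dataclass
class IpfwRule:
    number: int
    action: str                 # "allow", "deny", "forward", "fwd", ...
    fwd_addr: Optional[str]     # None means localhost (thread's forward,<port> form)
    fwd_port: Optional[int]
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    direction: Optional[str]    # "in", "out" or None (both)

    def translates(self) -> bool:
        """Only forward/fwd rules rewrite the destination; allow/deny just filter."""
        return self.action in ("forward", "fwd")

def _expect(toks: list, word: str) -> None:
    if not toks or toks.pop(0) != word:
        raise ValueError(f"expected '{word}' in ipfw rule")

def parse_rule(text: str) -> IpfwRule:
    toks = text.split()
    if toks[:1] == ["sudo"]:          # strip the shell prefix if present
        toks = toks[1:]
    if toks[:2] == ["ipfw", "add"]:
        toks = toks[2:]
    number = int(toks.pop(0))
    action, _, target = toks.pop(0).partition(",")   # "forward,22" -> ("forward", "22")
    fwd_addr = fwd_port = None
    if action in ("forward", "fwd"):
        if not target:                 # standard form: "fwd 127.0.0.1,22"
            target = toks.pop(0)
        if "," in target:
            fwd_addr, port_s = target.split(",", 1)
            fwd_port = int(port_s)
        elif target.isdigit():         # thread's shorthand: port only, host is localhost
            fwd_port = int(target)
        else:
            fwd_addr = target          # address only, port unchanged
    proto = toks.pop(0)
    _expect(toks, "from")
    src = toks.pop(0)
    src_port = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    _expect(toks, "to")
    dst = toks.pop(0)
    dst_port = None
    if toks and toks[0] == "dst-port":  # explicit keyword, as in the allow rule
        toks.pop(0)
        dst_port = int(toks.pop(0))
    elif toks and toks[0].isdigit():    # bare port after the address, as in the fwd rule
        dst_port = int(toks.pop(0))
    direction = toks.pop(0) if toks and toks[0] in ("in", "out") else None
    return IpfwRule(number, action, fwd_addr, fwd_port, proto,
                    src, src_port, dst, dst_port, direction)

def describe(rule: IpfwRule) -> str:
    """Plain-English reading of the rule, stating explicitly if no translation happens."""
    flow = (f"{rule.proto} {rule.src}:{rule.src_port or '*'} -> "
            f"{rule.dst}:{rule.dst_port or '*'} ({rule.direction or 'in/out'})")
    if rule.translates():
        return f"rule {rule.number}: redirect {flow} to {rule.fwd_addr or 'localhost'} port {rule.fwd_port}"
    return f"rule {rule.number}: {rule.action} {flow}; no port translation"
```

Running `describe(parse_rule(RULE_ALLOW))` makes the earlier confusion concrete: the allow rule only filters, while the forward rule redirects port 33 to port 22.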
  14. macrumors regular

    Thank you! Makes sense!
    What would happen to the traffic going out of local port 22? Would it get sent through port 33?
  15. macrumors 65816

    Outbound traffic that is a response to inbound traffic to port 33 would be sent from port 33. If some other machine talks directly to port 22, the return traffic would be sent from port 22.

  16. macrumors 6502a
    This should work, but you'd need the rule on both the server, and then reverse the ports on the client if you plan to not set any app or service to non-standard ports.

    You've stated this is on a network you don't have control over. There may be legal issues involved here, as you're actually granting yourself non-authorized remote access to the network (more serious than you may think). To be safe I'd verify that you have permission to do this. I don't know your particular situation, but this is just to warn you that if it's a work machine you could put your job on the line. Though, if their network operators are competent, your attempt to circumvent may be futile as other ports are likely to be under the same restrictions. Also, many companies have VPNs already that you can use.

    If it's just another restrictive ISP, you're usually pretty safe to run stuff on nonstandard ports, but it may violate your terms of use. But also sometimes just a quick call to them may get your traffic unblocked on the port you are wanting to use. I personally purchase a block of static IPs from my ISP and they allow me to run any service I wish (with the exception of illegal content, spam/malware, and pornography IIRC) for an extra $15 a month.
  17. macrumors regular

    Which is what I plan to do.

    I know which ports I'm able to use.

    Yeah, these have either PPTP or L2TP, which both run on standardized ports, or OpenVPN, which on Mac has no support for the 64-bit kernel, at least not in a properly functioning way; I know the tuntap drivers are updated.