How to forward IP/Ports within my net with my iMac and no router

Discussion in 'Mac OS X Server, Xserve, and Networking' started by MatuX, Feb 16, 2009.

  1. MatuX macrumors newbie

    Joined:
    Feb 16, 2009
    #1
    Hey everyone,

    I've been trying to find an answer for this for quite some time now but I haven't been able to do so...

    Basically, my configuration is as follows:
    I have an iMac that is connected directly to the Internet via an Ethernet (RJ-45) cable.
    Then I have two Windows computers (a Notebook and a Desktop) that connect to the internet through my iMac via WiFi.

    It's a typical network but with no routers or access points.

    Now... I have an Apache Web Server running on my Windows Notebook computer and I need it to be accessed from the outside world. So, the only thing I need to do is that when someone accesses:
    http://MYIPADDRESS:80/
    Force it to go to my Notebook computer in 10.0.2.2:8080.

    How can I achieve this on a Mac OS X? (I'm also a new user).

    Can I? Do I need an application to do so?

    Thanks in advance!
     
  2. DNSgeek macrumors newbie

    Joined:
    Feb 11, 2009
    Location:
    USA
    #2
    You may not be aware of it, but your iMac is the router in your network. To configure it to do port forwarding, use ipfw to create a forwarding rule that will change the route of packets flowing in on the ethernet interface. To find out more, open a terminal and look at the man page for ipfw. The packets will arrive at the specified IP, but with the dest IP of the iMac, so the web server will need a rule to accept those packets.

    Code:
    man ipfw
    Look specifically at the "fwd" action.

    Additionally, if you wanted to use an application for this, you could look at:

    http://www.sustworks.com/site/prod_ipnrx_overview.html

    But at that point you could buy a used router that will do the job just fine.

    :D
     
  3. MatuX thread starter macrumors newbie

    Joined:
    Feb 16, 2009
    #3
    Hey!

    Yes! I imagined my iMac is acting as the net's router. But I'm so new at this whole new and amazing environment that I can get quite lost sometimes :)

    Thanks a lot for all the information, guys!

    Hey and thanks a lot for pointing me in the right direction.

    I don't know if this is the correct place to be asking this, but...

    I've come up with the ipfw rule, I believe it is correct:
    ipfw add 100 fwd 10.0.2.2,1443 dst-port 1443 via en0

    I've added to the ruleset (had to use the root account for this), but nothing happens. My Apache Web Server in 10.0.2.2 doesn't respond, but I can access it directly if I write 10.0.2.2 anywhere.

    I've tried changing the ServerName in my Apache to match my IP address (which is the destination IP of the incoming packets, I imagine) but still, nothing.

    Any help would be appreciated. Even if it is pointing me to another more appropriate forum.

    Thanks!
     
  4. DNSgeek macrumors newbie

    Joined:
    Feb 11, 2009
    Location:
    USA
    #4
    Apache runs on port 80 for http and port 443 if you are using SSL (https) - What is 1443?
     
  5. MatuX thread starter macrumors newbie

    Joined:
    Feb 16, 2009
    #5
    1443 is the port where my Apache is running in my Windows computer.

    I didn't want to use 80, 8080 or 443 because since I'm learning, my first tries on setting the correct rules in my router computer were messing with my connection.

    Am I doing wrong? Do I really need to use the standard ports? Apache is running fine on 1443.

    Best regards
     
  6. DNSgeek macrumors newbie

    Joined:
    Feb 11, 2009
    Location:
    USA
    #6
    I was just making sure you didn't have an apache instance listening on 1443, and testing it in a browser on your iMac without specifying:

    http://<ip_address>:1443/

    FYI, you may not want to use port 1443. I recommend using port 8181 for testing.

    Try running the ipfw command with the -n flag set, so you can check your syntax before actually running the command.
     
  7. MatuX thread starter macrumors newbie

    Joined:
    Feb 16, 2009
    #7
    My iMac is in 10.0.2.1.

    I placed the Apache webserver on port 80, so it is accessible by simply:

    http://10.0.2.2/
    (that's the IP where my Windows pc is and the Apache is located)

    I've tried many different combinations and it simply won't work. Currently I'm doing:
    "ipfw add 100 fwd 10.0.2.2 tcp from any to any dst-port 80"

    This actually makes the port 80 unavailable somehow so I can't surf the web or anything through port 80, which I don't understand why. But then, 10.0.2.2 *is* accessible.
    But if I try to access it from 10.0.2.1 or my external IP, I can't.

    This is getting frustrating, I can't believe this can be so hard to achieve!
     
  8. DNSgeek macrumors newbie

    Joined:
    Feb 11, 2009
    Location:
    USA
    #8
    Ok, there are a few things wrong with that setup.

    Try:
    Code:
    sudo ipfw add 100 fwd 10.0.2.2,8181 src-ip any dst-ip 10.0.2.1
    This might be a dumb question, but why don't you just use the apache server on your iMac?

     
  9. MatuX thread starter macrumors newbie

    Joined:
    Feb 16, 2009
    #9
    Nothing... I can't even access 10.0.2.2:8181 (Apache) from 10.0.2.1 (my iMac) with that ipfw rule.

    Also tried:
    Code:
    ipfw fwd 10.0.2.2,8181 ip from any to any dst-ip 10.0.2.1 dst-port 8181
    ipfw fwd 10.0.2.2,8181 ip from any to any dst-ip 200.XXX.XXX.XXX dst-port 8181 (200.xxx etc. is my external ip address).
    ipfw fwd 10.0.2.2,8181 ip from any to any dst-ip 200.XXX.XXX.XXX
    
    Absolutely nothing...

    I have a big server infrastructure I created for a job that I will be moving to a Windows Server in the near future. I don't want to put it on a Mac/Unix environment since that would mean a lot of wasted work for the final requirement of the job.
    That's why I don't really want to move the Apache to my iMac but instead, forward all the packets there.

    Thanks for your help :)

    EDIT:
    Perhaps I also need to forward the packets Apache sends? I really don't understand why is this failing.
    ipfw man on forward also says:
    And, ashamedly, I don't really know how to make such rule on Apache or even Windows.

    Why is this so difficult? :(
     
  10. DNSgeek macrumors newbie

    Joined:
    Feb 11, 2009
    Location:
    USA
    #10
    Try one more thing. I forgot to edit this for your setup there. Do an ifconfig -a and get the IP of your iMac's Ethernet connection. This will be the public facing address of your setup. If this is an RFC1918 address, this will never work. When you said you were connected to the Internet with an Ethernet cable, I need to ask you what is on the other end. If it is a broadband router (Cable modem, FIOS, etc.), then you more than likely have a DHCP lease for an RFC1918 address on your iMac's Ethernet interface. The other alternative is that you are plugged into a switch on a University or Corporate network. In this scenario, you may or may not have a publicly route-able IP address, which is the key to this whole thing not working.

    Code:
    sudo ipfw add 100 fwd 10.0.2.2,8181 src-ip any dst-ip <ip_address_of_ethernet_interface>
    At this point, I'd say if you have a big server infrastructure you've created, it's worth spending the $30 on a used Linksys that will do what you want and give you a WebGUI to play with.
     
  11. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #11
    From the ipfw man page:

    The correct solution for the kind of port-forwarding behavior you are seeking is to use an ipfw rule to divert traffic to natd, which will then perform the necessary forwarding along with header rewriting.

    ipfw add 100 divert natd ip from any to any via en0 (you can tailor this to specific traffic if you please)

    Then you need to run natd with this parameter to forward the port you desire:

    -redirect_port tcp 10.0.2.2:8181 8181
     
  12. MatuX thread starter macrumors newbie

    Joined:
    Feb 16, 2009
    #12
    Thanks for your help,

    That divert is already being done (divert 8668 ip from any to any via en0) without me writing any rule.
    I added divert 8668 ip from any to any dst-ip 200.122.xxx.xxx dst-port 8181 as well just in case.

    When I try to execute the natd line, it says:
    natd: aliasing address not given

    If I try to write -alias_address various_combinations_of_seemingly_valid_ips
    It says:
    natd: Unable to bind divert socket.: Address already in use

    I checked this on the internet and it says I need to kill my natd service, change the natd.conf file and re-execute natd using this conf file.
    But there is no natd.conf file in my system and I don't want to kill my natd service since I'm afraid that might end up doing more harm than good since I've no idea what the current natd configuration is.

    Any ideas?

    EDIT:
    Well, I killed my natd and couldn't get it to start again. Much less run the redirect_port param.

    From what I've seen, I really think doing this natd config may be the way to go to solve this. But I can't solve this.
     
  13. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #13
    The aliasing address error is because you must always specify either an IP address to bind to with the -a <ip address> parameter, or an interface to bind to with the -interface <if> parameter. If you already have a natd.conf file, this should already be specified.

    The line you'll add to the natd.conf file is of the form:

    Code:
    redirect_port tcp inside_address:port [outside_address:]port
    Where
    Code:
    inside_address:port
    is the host and port you want to forward traffic to, and
    Code:
    outside_address:port
    is the address and port that people on the outside are going to use to access your web server. Note that the outside_address portion is optional, and you may omit it.

    If you need to forward udp traffic as well, copy and paste that line but replace tcp with udp.
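
As an added example (not part of any post in this thread, and not code from the natd project), the script below builds the natd.conf lines in the form described in post #13 and applies the RFC1918 check from post #10 first. The function names, the interface `en0` as the outside interface, and the outside address 203.0.113.10 are assumptions made for illustration; the resulting file would be loaded with natd's `-f` option.

```shell
#!/bin/sh
# Added example (not from the thread): emit a natd.conf for one TCP port forward.
# All argument values used below are constructed sample values.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_port PORT: succeed only for an integer in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_rfc1918 ADDR: succeed if ADDR is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# natd_forward_conf IFACE OUTSIDE_IP INSIDE_IP INSIDE_PORT OUTSIDE_PORT
# Prints the config on stdout; returns 2 on bad input, 3 on a private outside IP.
natd_forward_conf() {
    iface=$1; outside=$2; inside=$3; in_port=$4; out_port=$5
    case "$iface" in ''|*[!a-z0-9]*) echo "bad interface name" >&2; return 2 ;; esac
    valid_ipv4 "$outside" && valid_ipv4 "$inside" || { echo "bad address" >&2; return 2; }
    valid_port "$in_port" && valid_port "$out_port" || { echo "bad port" >&2; return 2; }
    if is_rfc1918 "$outside"; then
        # Post #10's check: a private address here means another NAT sits upstream.
        echo "$outside is RFC1918; forward on the upstream router instead" >&2
        return 3
    fi
    echo "interface $iface"
    # Pin the outside address so only traffic to that IP and port is redirected.
    echo "redirect_port tcp $inside:$in_port $outside:$out_port"
}

natd_forward_conf en0 203.0.113.10 10.0.2.2 8181 8181
```

Forwarding only the one port the web server needs, to one inside host, keeps the rest of the 10.0.2.x machines unreachable from the outside interface.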
     
  14. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #14
    Okay, I have to post this followup after I had an epiphany of sorts.

    You are running Mac OS X Client. You do not have a natd.conf file. You also do not have an ipfw configuration file.

    When you check the box in System Preferences to enable Internet Sharing, Mac OS X automatically adds the correct divert rule to the ipfw rules list, and it automatically kicks off an instance of natd with the correct parameters passed in for basic internet sharing.

    Mac OS X Server provides some very nice GUI facilities to fine tune how natd operates, such as setting up port forwarding. Unfortunately, you do not have this luxury in Mac OS X client. That isn't to say that this goal is unattainable. Far from it. You will just have to do things differently.

    I don't have the time at the moment, but I will follow up with instructions on how to create a Launch Agent that will set up ipfw and natd for you at boot time. You will disable Internet Sharing in System Preferences, and use this Agent to set it up for you. If at any time you want to stop this form of internet sharing, just disable the Launch Agent and run a script I will provide that will remove the divert firewall rule and kill the natd daemon.
     
  15. MatuX thread starter macrumors newbie

    Joined:
    Feb 16, 2009
    #15
    DNSgeek and ElectricSheep,

    Thanks a lot for the effort both of you are putting into this.

    I wouldn't imagine anyone would spend this much time into helping a complete stranger to solve such an issue.

    I really appreciate it!
     
  16. notjustjay macrumors 603

    notjustjay

    Joined:
    Sep 19, 2003
    Location:
    Canada, eh?
    #16
    Wow, I hope the OP gets this worked out, but I have to say, after reading halfway through the thread, *I* was ready to buy a used router and send it to him!

    But then, I never like going through complex solutions when an easy one exists... (hence why I switched to OS X ;) )

    Good luck!
     
  17. MatuX thread starter macrumors newbie

    Joined:
    Feb 16, 2009
    #17
    Well, that's the downside of living in a third world country.
    An Airport Express costs $600 and an Airport Extreme, $800 (all local currency).

    If we take into account our salary average is proportionally the same as yours (meaning: you get, dunno, 2000 USD a month average, we get $ 2000 a month average (which is about 550 usd a month)). Buying something that expensive is a clear PAIN :D

    And don't get me started with Macbooks and iMacs costs :rolleyes:

    Such is life!
     
  18. DNSgeek macrumors newbie

    Joined:
    Feb 11, 2009
    Location:
    USA
    #18
    Don't sell yourself short. Argentina is hardly a third world country.... :)
     
  19. MatuX thread starter macrumors newbie

    Joined:
    Feb 16, 2009
    #19
    Haha, well that's encouraging in some way :)

    Did you get my PM, DNSgeek? I sent you my IM info...
     
  20. coloradotechie macrumors newbie

    Joined:
    Sep 3, 2009
    #20
    Has this been solved yet?

    I was wondering if this has been solved yet. Any updates?

    :)
     
  21. astrorider macrumors 6502

    Joined:
    Sep 25, 2008
    #21
