Murus firewall - redirect an ip to localhost web server

firewall

IMHO your web server environment is flawed because you may simply replace 35.166.133.11 by 192.168.1.2 in the sources instead of routing packets from 192.168.1.2 to lo0 (35.166.133.11 keep state) and later redirecting them from lo0 to the source en0(192.168.1.2) again.

But in other setups it may be useful. E.g. if you run a second web server mimicking the Amazon Linux AMI Test Page at localhost or 192.168.1.3/4/5.

rdr only accepts incoming packets. Thus, you have to first route those packets to lo0, then add an rdr rule there (which will catch them as they will be routed in from "somewhere") to send them to your local web server at 192.168.1.2.

The order in the config file is necessarily rdr incomming packets, then filter packets (like pass), but chronologically the 2nd rule will hit first (on en0), which will then activate the first rule (on lo0).

# Step "2". redirect those same packets that were routed to lo0 below
rdr pass log on lo0 proto tcp from en0 to 35.166.133.11 port 80 -> 192.168.1.2 port 80
# Step "1". Route new IPv4 TCP connections leaving en0 to lo0
pass out on en0 route-to lo0 proto tcp from en0 to 35.166.133.11 port 80 keep state

in pf.conf this would look like this:

...
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr pass log on lo0 proto tcp from en0 to 35.166.133.11 port 80 -> 192.168.1.2 port 80
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
pass out on en0 route-to lo0 proto tcp from en0 to 35.166.133.11 port 80 keep state

In the above example you would have to change the interface en0 to e.g. en1 if en0 doesn't have the IP 192.168.1.2 but en1 does.

Unload your current pf.conf and stop pf: sudo pfctl -d. Then add the two additional lines above. After modifying pf.conf check the syntax of the file with sudo pfctl -vnf /etc/pf.conf which should result in the following output:

pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

scrub-anchor "/*" all fragment reassemble
nat-anchor "/*" all
rdr-anchor "/*" all
rdr pass log on lo0 inet proto tcp from 192.168.1.2 to 35.166.133.11 port = 80 -> 192.168.1.2 port 80
anchor "/*" all
pass out on en0 route-to lo0 inet proto tcp from 192.168.1.2 to 35.166.133.11 port = 80 flags S/SA keep state
dummynet-anchor "/*" all

and if successful load it with sudo pfctl -e -f /etc/pf.conf.

After shutting down the web server on port 80 you can test this with netcat:

In a terminal window enter sudo nc -l 80. In a second terminal window enter sudo nc 35.166.133.11 80. Now enter some text in the second nc session and hit the enter key. The text should appear in the first, "listening" nc session. You can also enter text in the listening session which should appear in the second window. To end the session enter ctrlD in either of the two nc sessions.

Related

Installing Windows on MBP 2015 (Mojave) Using Boot Camp, Error: Not enough space!
activating screen sharing remotely
Apple Watch contact names missing after watchOS 3 update
Time Machine + FileVault on Lion or Mountain
Macbook Air failing to reconnect to network after sleep
My Internal SSD is Not Showing Up in Diskutil
How to create an accurate byte-level copy of an SSD to another drive?
Using iCloud Photo Library and Google Photos Simultaneously
How to delete pre-installed apps in Catalina?
2013 MacBookPro with Nvidia GPU and recent macOS
Restore Mavericks from Time Machine
How to create a bootable disk for an older Mac? [duplicate]