Redirect Local Port through bridge to Internet Shared static IP

firewall high-sierra internet-sharing pfctl

I have my cable modem (10.0.0.1) to my iMac (10.0.0.36), and my iMac (10.0.0.36) with a (bridge100 192.168.2.1) Internet Shared IP to my debian machine (192.168.2.34), and all of that is working perfectly. I would now like to forward port 80 from the internet through the bridge on my iMac to my debian machine...

10.0.0.1:80 <-> 10.0.0.36:8080 <-> 192.168.2.1:8080 <-> 192.168.2.34:80

I found the following link, which lead me to

rdr on bridge100 inet proto tcp from any to 10.0.0.36 port = 8080 -> 192.168.2.34 port 80

However, it's not working... Now in the link they are going to localhost, and I found this link which says i may need something like

pass out route-to (bridge100 192.168.2.1) from any to 10.0.0.36

But I have not been able to get pfctl to parse the above line correctly

Any ideas on how I can forward from 10.0.0.36:80 <-> 192.168.2.1 <-> 192.168.2.34:80 ?

Edit: The cable modem/router is a TG852G from Xfinity...

Edit: pfdump

                                        r     scrub-anchor "com.apple/*" all fragment reassemble
                                        r     anchor "com.apple/*" all
                                        r     anchor "usr.home/*" all
                                        n     nat-anchor "com.apple/*" all
                                        n     rdr-anchor "com.apple/*" all
                                        A       com.apple
                                        A       com.apple.internet-sharing
                                        A       usr.home
com.apple                               r     anchor "200.AirDrop/*" all
com.apple                               r     anchor "250.ApplicationFirewall/*" all
com.apple                               A       com.apple/200.AirDrop
com.apple                               A       com.apple/250.ApplicationFirewall
com.apple/200.AirDrop                   A       com.apple/200.AirDrop/Bonjour
com.apple/200.AirDrop/Bonjour           r     pass in on p2p0 inet6 proto udp from any to any port = 5353 keep state
com.apple/200.AirDrop/Bonjour           r     pass out on p2p0 proto tcp all flags any keep state
com.apple.internet-sharing              r     scrub-anchor "base_v4" all fragment reassemble
com.apple.internet-sharing              r     anchor "base_v4" all
com.apple.internet-sharing              n     nat-anchor "base_v4" all
com.apple.internet-sharing              n     rdr-anchor "base_v4" all
com.apple.internet-sharing              A       com.apple.internet-sharing/base_v4
com.apple.internet-sharing/base_v4      r     scrub on en1 all no-df fragment reassemble
com.apple.internet-sharing/base_v4      r     scrub on bridge100 all no-df max-mss 1460 fragment reassemble
com.apple.internet-sharing/base_v4      r     scrub on bridge100 proto esp all no-df fragment reassemble
com.apple.internet-sharing/base_v4      r     pass on en1 all flags any keep state
com.apple.internet-sharing/base_v4      r     pass on en1 proto esp all no state
com.apple.internet-sharing/base_v4      r     pass on bridge100 all flags any keep state rtable 7
com.apple.internet-sharing/base_v4      n     nat on en1 inet from 192.168.2.0/24 to any -> (en1:0) extfilter ei
com.apple.internet-sharing/base_v4      n     no nat on bridge100 inet from 192.168.2.1 to 192.168.2.0/24
com.apple.internet-sharing/base_v4      n     rdr on bridge100 inet proto tcp from 192.168.2.0/24 to any port = 21 -> 127.0.0.1 port 8021
usr.home                                r     anchor "SSH" all
usr.home                                A       usr.home/SSH
usr.home/SSH                            n     rdr on en1 inet proto tcp from any to 10.0.0.36 port = 8080 -> 192.168.2.34 port 80

Solution 1:

The proper command to redirect http traffic in your case is:

echo "rdr on $ext inet proto tcp from any to 10.0.0.36 port = 80 -> 192.168.2.34 port 80" | sudo pfctl -a com.apple/HTTP -f -

With $ext: the interface of the iMac connected to the router/modem (probably either en0 or en1). A redirect is done on the incoming interface and traffic! Therefore rdr on bridge100 ... doesn't make any sense here: you don't expect HTTP traffic with the destination 192.168.2.34 from the bridge100 to the network behind the very same bridge100.

The above command uses the temporary sub-anchor com.apple/HTTP and after a reboot it will be gone.

If you want to enable it permanently, create a separate anchor as outlined in this answer: pfctl - howto add an anchor and make it active / load it or here: Port Forwarding on Mac Pro with macOS Sierra.

A pass out route-to ... is only required if you want to redirect outgoing traffic from the iMac.

In theory an additional static route is required on the (TG852G) router/modem:

route to 192.168.2.0/24 via 10.0.0.36

Here (different router though) it worked without it.

Double-NAT solutions are generally not recommended in SOHO environments and I suggest to attach the Debian Linux server directly to one of the Ethernet ports of the router/modem or an interconnected switch.

Related

Force an SVN checkout command to overwrite current files
macOS Calendar adding its own alerts
Workaround for connecting two 2017 iMacs and using one as a second display
airpods flashing orange and sound is gone in left
Is there a way to write with FTP using the Finder [duplicate]
Blutooth stopped connecting to car automatically
Do iPhones use active scanning to find Wi-Fi networks when Ask to Join Networks is off?
iOS Face ID validation invoked when browsing in Safari
What is an abstract data type in object oriented programming?
Connecting two monitors to MacBook Pro 2017 while charging it
Is it possible to screencast from an iOS device to a Chromecast?
How to retrieve notification once I cleared them?