How to forward traffic from one machine to another with `pfctl`?
I am trying to forward traffic like this:
Internal Network Computer (192.168.1.*) → Server (192.168.186:1234) → Internal Network Computer (192.168.1.198:80)
Server is plugged into the router via ethernet on interface en0
Internal Computer is connected to router via wifi
Server can access 192.168.1.198:80 with no problems
According to various other related questions, I have gotten the following rules
nat on en0 from any to en0 -> (en0)
rdr pass inet proto tcp from any to any port 1234 -> 192.168.1.198 port 80
However I get the following when telnet
ing:
$ telnet 192.168.1.186 1234
Trying 192.168.1.186...
telnet: connect to address 192.168.1.186: Operation timed out
telnet: Unable to connect to remote host
Using Wireshark on the 192.168.1.198 I have confirmed that the telenet connection is received however it doesn't seem to connect.
Some more info:
-
rdr
's from127.0.0.1
to127.0.0.1
work fine, for example:rdr pass inet proto tcp from any to any port 1234 -> 127.0.0.1 port 80
I have confirmed that port 80 is open on 192.168.1.198, and that it is accessible from the server
Firewall (in System Preferences) is disabled on both computers
-
I have enabled cross interface traffic forwarding with
sudo sysctl -w net.inet.ip.forwarding=1
I think it may be something with NAT (see the below posts) but I am not sure
The same issue is discussed on GitHub. @ctgreybeard, @dandriana, @snimavat, and @sergeyzwezdin have all reported the same issue. Does anyone have a solution?
Please Note: I would like to use pfctl and not SSH or another service.
Here are some other related posts:
https://serverfault.com/questions/791181/redirecting-traffic-to-a-specific-address-and-port-using-pf-on-macos
How can I setup my mac (OS X Yosemite) as an internet gateway
This is how I got it to work.
My example uses three hosts on my network (10.10.0.0/16):
10.10.10.10 = Linux client
10.10.6.237 = Mac "real server" providing a service on port 3000
10.10.1.200 = Mac "server" performing pf redirection, listening on port 2004, interface vlan0
natrdr.pf
rdr on vlan0 inet proto tcp from 10.10.0.0/16 to 10.10.1.200 port 2004 -> 10.10.6.237 port 3000
nat on vlan0 inet proto tcp from 10.10.0.0/16 to 10.10.6.237 port 3000 -> 10.10.1.200
The specificity ensures your server isn't NATting traffic that it shouldn't.
For those doing this from scratch, after creating your natrdr.pf
file above, run the following commands from the command line or a shell script, sudo or as root. Integrating the pf
rules with Apple's pf.conf
files is an exercise left to the reader.
# Enable packet forwarding
sysctl -w net.inet.ip.forwarding=1
# Unless you have any rules you want to keep, let's flush existing NAT rules
pfctl -F nat
# Enable packet filtering
pfctl -e
# Load rules from our file
pfctl -f natrdr.pf
# Confirm rules are loaded
pfctl -s nat
# Check to see connections
pfctl -s states
I then used telnet 10.10.1.200 2004
and was immediately forwarded to the Node/express server running on port 3000 on 10.10.6.237.
Example output of pfctl -s states
to verify it's working:
ALL tcp 10.10.6.237:3000 <- 10.10.1.200:2004 <- 10.10.10.10:40744 ESTABLISHED:ESTABLISHED
ALL tcp 10.10.10.10:40744 -> 10.10.1.200:35947 -> 10.10.6.237:3000 ESTABLISHED:ESTABLISHED
So, to make it match your setup:
rdr on en0 inet proto tcp from 192.168.1.0/24 to 192.168.1.186 port 1234 -> 192.168.1.198 port 80
nat on en0 inet proto tcp from 192.168.1.0/24 to 192.168.1.198 port 80 -> 192.168.1.186
The order of rules is important.
The redirect rule does what's expected: it forwards all traffic coming into the server to the real server.
The NAT rule changes the (now redirected) packets to have a source IP address of the redirecting server instead of the original client.
The combination of these rules ensures that a reverse path for the return packets to follow is automatically created.