Mac OS X Server 10.2 as a NAT router

—by Aaron Schurman

16 October 2002

Note: This article is an update to Aaron’s earlier article. Please read it before proceeding with the directions below. —Ed.

Note: Due to spam attacks, we have removed Aaron’s e-mail address from this article. If you need to reach him, please contact us through the Feedback form and we’ll forward the mail along.

Well, here I am again, looking to update the info for Mac OS X Server 10.2. NAT still works great in this OS update, but a problem seemed to pop up. For some reason, the priority and sequence of the startup items were changed, so 'ipfw' would always be flushed after NAT had been configured, leaving your divert rule nowhere to be found. So, I have borrowed some new scripts and made a collage of some files. The combination of files will not only restore your NAT system in 10.2, but will also add some 'ipfw' manual configuration options right in the startup scripts. Enjoy, good luck, and send me an email if you have any problems.

1. Configure your server just as the article says, until you get to the first mention of the NAT.tar files. That pack of files is replaced by a new pack that I have created and configured.

2. Download the “IPFW.sit” from this Web site and uncompress it.

3. Create a new directory in /System/Library/StartupItems/ called ‘IPFW’. So the path will look like this: /System/Library/StartupItems/IPFW/

cd /System/Library/StartupItems
mkdir IPFW
cd IPFW

4. In the folder that you uncompressed “IPFW.sit” into, you should see two files: “IPFW” and “StartupParameters.plist”. Copy both of these files into your /System/Library/StartupItems/IPFW/ directory. (You can do this either as the superuser in the Terminal with the 'mv' or 'cp' commands, or you can log in to the Finder as root and drag and drop.)

5. Make sure you change permissions and ownership on both of these files as follows:

chmod 755 IPFW
chmod 644 StartupParameters.plist
chown root:wheel IPFW StartupParameters.plist

By doing this, you are ensuring that the files are owned by the proper user, and have the proper read, write and execute permissions. If you do an 'ls -l' command to get a detailed list it should look like this:

-rwxr-xr-x 1 root wheel 1431 Oct 5 12:04 IPFW
-rw-r--r-- 1 root wheel 523 Oct 5 12:05 StartupParameters.plist

(Don’t be concerned with the numbers after 'wheel' or the date; they are just examples. What matters is the permission string at the beginning of each line and the owner of the file.)

6. After the IPFW files are in place you need to create another file and make some changes to system files. First we will edit the hostconfig file. This file is located in /etc/ (type 'cd /etc'). When you are in /etc/ type 'pico hostconfig' (again, you need to be superuser to do the editing, otherwise you can use sudo before commands: 'sudo pico hostconfig'). In the hostconfig file look for the line that says IPFORWARDING=-NO- and change it to read IPFORWARDING=-YES-.

7. Next we will create a new file. In the /etc directory type: 'pico rc.natd'. Pico will bring up a new document, and you can paste in this information:

# Config File used by natd startup script in /System/Library/StartupItems/IPFW

# Logging parameters
log yes
log_denied yes

# Networking parameters
use_sockets yes
same_ports yes
interface en0

Save the file and exit pico.

8. Now you should be able to run NAT on startup.

The startup files included were written to go along with the article on configuring Mac OS X Server as a NAT router using two NICs. So, as far as that article goes, your internal network will use the IP addresses 10.0.0.x with the subnet mask 255.255.255.0. If you want to hand out a different range of IP addresses on your internal network, you will have to change the various files accordingly and also reconfigure your DHCP settings in the “Server Settings” application on your machine.
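Once the startup item is in place, a quick way to confirm the result, and to spot the exact symptom described above (natd running but its divert rule flushed away), is to compare the interface in rc.natd with the live 'ipfw list' output. The check script below is an added example, not part of the article or the IPFW.sit package; it assumes the /etc/rc.natd format shown on this page and the usual 'sysctl' and 'ipfw list' output formats, and the sample data in it is constructed.

```sh
#!/bin/sh
# Added example, not part of the original article: check the state the IPFW
# startup item should leave behind. Each check takes command output as a
# string, so it works on captured samples as well as on the live server.

# forwarding_enabled SYSCTL_OUTPUT: 0 when net.inet.ip.forwarding is 1
forwarding_enabled() {
    case "$1" in *"net.inet.ip.forwarding: 1"*) return 0 ;; esac
    return 1
}

# natd_interface RC_NATD_TEXT: print the interface natd was configured with
natd_interface() {
    printf '%s\n' "$1" | awk '$1 == "interface" { print $2; exit }'
}

# divert_interfaces IPFW_LIST_TEXT: print the "via" interface of every natd
# divert rule (ipfw lists the divert port numerically; 8668 is natd's default)
divert_interfaces() {
    printf '%s\n' "$1" | awk '$2 == "divert" && ($3 == "natd" || $3 == "8668") {
        for (i = 4; i <= NF; i++) if ($i == "via") print $(i + 1) }'
}

# nat_consistent RC_NATD_TEXT IPFW_LIST_TEXT: 0 when the interface natd uses
# also carries a divert rule, i.e. the ruleset was not flushed after natd started
nat_consistent() {
    iface=$(natd_interface "$1")
    [ -n "$iface" ] && divert_interfaces "$2" | grep -qx "$iface"
}

# Constructed samples: the article's rc.natd, a healthy ruleset, and the ruleset
# left behind when ipfw is flushed after natd has been set up (the 10.2 problem).
SAMPLE_RC_NATD='log yes
interface en0'
GOOD_RULES='01000 allow ip from any to any via lo0
08000 divert 8668 ip from any to any via en0
65535 allow ip from any to any'
FLUSHED_RULES='65535 allow ip from any to any'

# report SYSCTL_OUTPUT RC_NATD_TEXT IPFW_LIST_TEXT: print one line per check
report() {
    forwarding_enabled "$1" && echo "ok: IP forwarding on" || echo "FAIL: IP forwarding off"
    nat_consistent "$2" "$3" && echo "ok: divert rule present for $(natd_interface "$2")" \
        || echo "FAIL: no divert rule for natd interface (ruleset flushed after NAT?)"
}

report "net.inet.ip.forwarding: 1" "$SAMPLE_RC_NATD" "$FLUSHED_RULES"
# On the server itself (as root):
# report "$(sysctl net.inet.ip.forwarding)" "$(cat /etc/rc.natd)" "$(ipfw list)"
```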

Here are the two files included for startup scripts:

#!/bin/sh
# IPFW script

. /etc/rc.common

IPFW=/sbin/ipfw

# Variables for network interfaces
ETHERNET=en0      # external (Internet) interface
ETHERNET2=en1     # internal interface
#AIRPORT=en2

StartService ()
{
   if [ "${FIREWALL:=-YES-}" = "-YES-" ]; then

      CheckForNetwork

      # check for network
      if [ "${NETWORKUP}" = "-NO-" ]; then exit; fi

      ConsoleMessage "Configuring IPFW"

      # Enabling IP Forwarding
      sysctl -w net.inet.ip.forwarding=1

      # Setting up Secondary NIC
      ifconfig ${ETHERNET2} 10.0.0.1 netmask 255.255.255.0

      # Starting NAT (options come from /etc/rc.natd)
      natd -config /etc/rc.natd

      # clear all rules
      ConsoleMessage "Flushing IPFW Ruleset"
      ${IPFW} -f flush

      ConsoleMessage "Starting IPFW"

      # Allow loopback traffic; deny spoofing
      ${IPFW} add 1000 allow all from any to any via lo0
      ${IPFW} add 1100 deny all from any to 127.0.0.0/8 via ${ETHERNET}

      # Block the internal network from reaching a certain web site by dropping
      # its traffic on the external interface (192.0.2.122 is a placeholder
      # address; substitute the real one)
      ${IPFW} add 2000 deny tcp from 192.0.2.122 to any in via ${ETHERNET}

      ConsoleMessage "Starting NAT"

      # Start NAT diverting: every packet crossing the external interface goes through natd
      ${IPFW} add 8000 divert natd all from any to any via ${ETHERNET}

      # Allow outgoing traffic
      #${IPFW} add 65535 allow all from any to any

   fi
} #end of StartService ()

StopService ()
{
   ConsoleMessage "Stopping IPFW"
   # Nothing is torn down here: the ruleset and natd stay in place until reboot.
}

RestartService () { StopService; StartService; }

RunService "$1"

StartupParameters.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM
"file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="1.0">
<dict>
   <key>Description</key>
   <string>IPFW</string>
   <key>Messages</key>
   <dict>
      <key>start</key>
      <string>Starting IPFW</string>
      <key>stop</key>
      <string>Stopping IPFW</string>
   </dict>
   <key>OrderPreference</key>
   <string>Last</string>
   <key>Provides</key>
   <array>
      <string>Firewall</string>
   </array>
   <key>Requires</key>
   <array>
      <string>Network</string>
   </array>
</dict>
</plist>

These files were posted just to show you the content of the two files that are already included in the IPFW.sit. By looking at the IPFW startup file, you can see that there is A LOT of flexibility with commands that can be included for 'ipfw' rulesets. So if you are familiar with how to write [allow/deny] rules within the 'ipfw' firewall, then you can add them directly to this document.

Good luck, and I hope your server setup goes well. Please feel free to email me with questions.

Thanks to Ben Lachman, and Legionare from the MacNN forums for the files and info on how to program NAT, IPFW, and StartupItems.