Port mapping & NAT are not working under 10.2 Server
This topic has 3 replies, 4 voices, and was last updated 22 years, 2 months ago by legacyb4.
January 5, 2003 at 12:53 am #354952
Anonymous (Participant)
Hi,
I’m having issues setting up the 10.2 server to handle port mapping while running NAT. I currently am using IPNetShareX (after reading the tutorials on setting up NAT under 10.2 manually, I decided to take the 30-sec route and those tutorials do not mention anything about port-mapping).
I read over IPNetShareX’s site and found directions for setting up port mapping ( http://www.sustworks.com/site/prod_gnat_port_mapping.html ) but I continuously get this error: “natd: Unable to bind divert socket.: Address already in use” when I try to do anything with this command: “sudo natd -n en0 -redirect_port tcp 192.168.0.1:80 80”. I have tried different ports, tcp and udp, different IPs, non-existent IPs, closed ports, etc. No luck whatsoever. And all the information is correct in the command as far as I know.
I am not running any firewalls or anything, as far as I know, that should be messing with natd or ipfw. I’ve read over the applicable man files, everything looks OK. This seems like it should work, yet it doesn’t!
Galen P. Zink
blueandwhiteg3 at softhome dot net

January 22, 2003 at 12:57 pm #355061
jaharmi (Participant)
I had to put my forward rule first in my ipfw ruleset in order to make it work while running natd. I ended up throwing away IPNetShareX, but using some of its config file settings, in my own StartupItem. This worked for me under Mac OS X 10.1 and 10.2 (Server for 10.1, client for 10.2).
For example, see the rules below. ($IPFW=/sbin/ipfw, I created a variable so I didn’t have to keep retyping the path. $WANIP is a variable for my outside IP address. $WAN is a variable for my outside Internet interface, which is en0.) These rules are in the order I use them.
    # forward packets from Web port 80 to Web port 8000
    $IPFW add 0001 fwd 127.0.0.1,8000 tcp from any to $WANIP 80 in

    # Allow loopback traffic; deny spoofing
    $IPFW add 1000 allow all from any to any via lo0
    $IPFW add 2000 deny all from any to 127.0.0.0/8 via $WAN

    # enable NAT
    $IPFW delete 10
    $IPFW add 25000 divert natd all from any to any via $WAN

I found that if I didn’t forward port 80 [i]before[/i] I included the natd rule (natd is already running in a previous line in the StartupItem script), I wouldn’t get outside Internet access on my LAN machines, or I couldn’t see the Web server I was forwarding the port to. Or something else would go wrong.
The “delete 10” rule gets rid of the line 10 rule that Apple’s InternetSharing application always inserts into the current ipfw config when it runs. In my firewall script, I also start InternetSharing (I think I was one of the first to find the app responsible for Internet Sharing, if you look in the comments at MacOSXHints.com). That is a line earlier in my script than the firewall rules I’ve listed above, so InternetSharing is already running (and will have inserted its annoying rule 10, which enables natd) when the system executes the rules I printed above.
Note that if you ran IPNetShareX, you could edit its config file to add the rules I have listed above. It should be in /Library/StartupItems/IPNetShareX/. You would need to modify the rules to suit your configuration; you won’t have the variables defined that I have in my rules, for example.
I’m running UserLand Frontier as my Web server. It will not respond on port 80 because it runs in user space (so you even have to run it while a user is logged into the machine, which I don’t like), so I have to use a forwarding rule. I also run Apache on the same system but have it serving on a different port, and that works fine, too.
I don’t understand your “sudo natd -n en0 -redirect_port tcp 192.168.0.1:80 80” command. Are you putting this in natd.conf to configure natd? If so, I would not take that route. I never got forwarding to work in natd under 10.1 or 10.2, so I went the route of telling ipfw (as above) to do the work, and it works fine for me.
Hope this helps …
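The ordering point made in the post above, turned into a small checker. This is an added example, not jaharmi's StartupItem script and not anything shipped by IPNetShareX or Apple: it replays `$IPFW add` / `$IPFW delete` lines, sorts the resulting table the way ipfw evaluates it (ascending rule number, regardless of the order the lines were typed), and flags a port-forwarding `fwd` rule that ends up numbered after the `divert natd` rule, or a leftover rule 10. The two rulesets, the interface name en0 and the outside address 203.0.113.5 are constructed stand-ins for $WAN and $WANIP.

```python
# Added example: validate ipfw rule ordering for NAT plus port forwarding.
# Not from the thread; rule text, "en0" and 203.0.113.5 are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

# Accept the form used in the post ("$IPFW add N ...") as well as bare "N ..." lines
# such as the ones `ipfw list` prints.
ADD_RE = re.compile(
    r"^(?:(?:\$IPFW|/sbin/ipfw|ipfw)\s+add\s+)?"
    r"(?P<num>\d+)\s+(?P<action>fwd|divert|allow|deny)\b(?P<rest>.*)$"
)
DELETE_RE = re.compile(r"^(?:\$IPFW|/sbin/ipfw|ipfw)\s+delete\s+(?P<num>\d+)\s*$")


@dataclass
class Rule:
    number: int
    action: str
    body: str


def parse_ruleset(text: str) -> List[Rule]:
    """Replay add/delete lines and return the table in evaluation order
    (ascending rule number), which is what ipfw actually walks."""
    table: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        d = DELETE_RE.match(line)
        if d:
            table = [r for r in table if r.number != int(d["num"])]
            continue
        m = ADD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        table.append(Rule(int(m["num"]), m["action"], m["rest"].strip()))
    return sorted(table, key=lambda r: r.number)


def interface_of(body: str) -> Optional[str]:
    m = re.search(r"\bvia\s+(\S+)", body)
    return m.group(1) if m else None


def check_nat_ordering(rules: List[Rule], wan: str) -> List[str]:
    """Return findings; an empty list means the ordering described in the post holds."""
    findings: List[str] = []
    diverts = [r for r in rules
               if r.action == "divert" and r.body.startswith("natd")
               and interface_of(r.body) == wan]
    if not diverts:
        return [f"no 'divert natd' rule on {wan}: NAT is not enabled"]
    nat = diverts[0]  # the first divert is the one inbound packets hit
    if any(r.number == 10 for r in rules):
        findings.append("rule 10 (the natd rule InternetSharing inserts) is still present; delete it")
    for r in rules:
        if r.action == "fwd" and "in" in r.body.split() and r.number > nat.number:
            findings.append(
                f"fwd rule {r.number} is numbered after divert natd rule {nat.number}: "
                "natd rewrites inbound packets before the forward can match"
            )
    return findings


# Constructed: the post's rules with $WAN=en0 and $WANIP=203.0.113.5, preceded by
# the rule 10 that InternetSharing is said to leave in the table.
GOOD_RULES = """
$IPFW add 10 divert natd all from any to any via en0
# forward packets from Web port 80 to Web port 8000
$IPFW add 0001 fwd 127.0.0.1,8000 tcp from any to 203.0.113.5 80 in
# Allow loopback traffic; deny spoofing
$IPFW add 1000 allow all from any to any via lo0
$IPFW add 2000 deny all from any to 127.0.0.0/8 via en0
# enable NAT
$IPFW delete 10
$IPFW add 25000 divert natd all from any to any via en0
"""

# Constructed: same table, but rule 10 was never deleted and the forward was
# added last with a high number, so natd sees port-80 packets first.
BAD_RULES = """
$IPFW add 10 divert natd all from any to any via en0
$IPFW add 1000 allow all from any to any via lo0
$IPFW add 2000 deny all from any to 127.0.0.0/8 via en0
$IPFW add 25000 divert natd all from any to any via en0
$IPFW add 30000 fwd 127.0.0.1,8000 tcp from any to 203.0.113.5 80 in
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        result = check_nat_ordering(parse_ruleset(text), "en0")
        print(name, "->", result or "ok")
```

Run it with `python3` to compare the two constructed tables; to check a live host, paste the output of `ipfw list` into a string in place of GOOD_RULES, since the parser also accepts bare numbered lines.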
January 28, 2003 at 5:11 am #355088
legacyb4 (Participant)
Agreed.
I spent the better part of Sunday last weekend setting up a 2-NIC firewall using [url=http://www.mandrakesoft.com/products/mnf]Mandrake Linux’s Multi Network Firewall[/url] which is a pretty decent and [b]free[/b] solution.
It’s a 250MB or so ISO download and an installer almost as simple as OS X but you do have to understand firewalling basics to get it configured beyond the default rules. Out of the box, it’s configured to have a very restricted outgoing rule set (HTTP, SMTP, POP, and some other Internet basics).
It also provides additional functionality like DHCP server, two forms of Intrusion Detection systems (Snort and Prelude), content filtering (great for ad blocking at the firewall), access control based on time and groups (if you want to exert a little control in an office environment), and full IPSec VPN functionality.
It’s not as sexy or fun as OS X, but why waste a Mac on such dreary duties? Scrape up an older PC with a hard drive, throw in some memory and an extra network card, and you can focus on more fun stuff.
Sorry to get off topic…
Cheers.
[quote="MacTroll"]I don’t use natd and ipfw too much on my servers. I prefer a hardware device between my goodies and the world.
Joel[/quote]