How to forward traffic from one machine to another with `pfctl`

internet-sharingNetworkpfctl

I am trying to forward traffic like this:

Internal Network Computer (192.168.1.*) → Server (192.168.186:1234) → Internal Network Computer (192.168.1.198:80)

  • Server is plugged into the router via ethernet on interface en0

  • Internal Computer is connected to router via wifi

  • Server can access 192.168.1.198:80 with no problems

According to various other related questions, I have gotten the following rules

nat on en0 from any to en0 -> (en0)
rdr pass inet proto tcp from any to any port 1234 -> 192.168.1.198 port 80

However I get the following when telneting:

$ telnet 192.168.1.186 1234
Trying 192.168.1.186...
telnet: connect to address 192.168.1.186: Operation timed out
telnet: Unable to connect to remote host

Using Wireshark on the 192.168.1.198 I have confirmed that the telenet connection is received however it doesn't seem to connect.

Some more info:

  • rdr's from 127.0.0.1 to 127.0.0.1 work fine, for example:

    rdr pass inet proto tcp from any to any port 1234 -> 127.0.0.1 port 80

  • I have confirmed that port 80 is open on 192.168.1.198, and that it is accessible from the server

  • Firewall (in System Preferences) is disabled on both computers

  • I have enabled cross interface traffic forwarding with

    sudo sysctl -w net.inet.ip.forwarding=1

  • I think it may be something with NAT (see the below posts) but I am not sure

The same issue is discussed on GitHub. @ctgreybeard, @dandriana, @snimavat, and @sergeyzwezdin have all reported the same issue. Does anyone have a solution?

Please Note: I would like to use pfctl and not SSH or another service.

Here are some other related posts:

https://serverfault.com/questions/791181/redirecting-traffic-to-a-specific-address-and-port-using-pf-on-macos

How can I setup my mac (OS X Yosemite) as an internet gateway

Best Answer

This is how I got it to work.

My example uses three hosts on my network (10.10.0.0/16):

10.10.10.10 = Linux client
10.10.6.237 = Mac "real server" providing a service on port 3000
10.10.1.200 = Mac "server" performing pf redirection, listening on port 2004, interface vlan0

natrdr.pf

rdr on vlan0 inet proto tcp from 10.10.0.0/16 to 10.10.1.200 port 2004 -> 10.10.6.237 port 3000
nat on vlan0 inet proto tcp from 10.10.0.0/16 to 10.10.6.237 port 3000 -> 10.10.1.200

The specificity ensures your server isn't NATting traffic that it shouldn't.

For those doing this from scratch, after creating your natrdr.pf file above, run the following commands from the command line or a shell script, sudo or as root. Integrating the pf rules with Apple's pf.conf files is an exercise left to the reader.

# Enable packet forwarding

sysctl -w net.inet.ip.forwarding=1

# Unless you have any rules you want to keep, let's flush existing NAT rules
pfctl -F nat

# Enable packet filtering
pfctl -e

# Load rules from our file
pfctl -f natrdr.pf

# Confirm rules are loaded
pfctl -s nat

# Check to see connections 
pfctl -s states

I then used telnet 10.10.1.200 2004 and was immediately forwarded to the Node/express server running on port 3000 on 10.10.6.237.

Example output of pfctl -s states to verify it's working:

ALL tcp 10.10.6.237:3000 <- 10.10.1.200:2004 <- 10.10.10.10:40744       ESTABLISHED:ESTABLISHED
ALL tcp 10.10.10.10:40744 -> 10.10.1.200:35947 -> 10.10.6.237:3000       ESTABLISHED:ESTABLISHED

So, to make it match your setup:

rdr on en0 inet proto tcp from 192.168.1.0/24 to 192.168.1.186 port 1234 -> 192.168.1.198 port 80
nat on en0 inet proto tcp from 192.168.1.0/24 to 192.168.1.198 port 80 -> 192.168.1.186

The order of rules is important.

The redirect rule does what's expected: it forwards all traffic coming into the server to the real server.

The NAT rule changes the (now redirected) packets to have a source IP address of the redirecting server instead of the original client.

The combination of these rules ensures that a reverse path for the return packets to follow is automatically created.

Related Question