macOS – Corresponding ipfw Rules for Iptables Rules

ipfwmacosvmware

I need to give Internet access to a VM under Vmware fusion 7 in Host-Only mode. I know how to do it in Linux, with the following IPtables rules:

sysctl -w net.ipv4.ip_forward=1

iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

But I can not find out how to do it in MacOS Sierra. Any help?

Thanks in advance!

Best Answer

To enable NAT for a host-only network in VMware Fusion do the following:

Enable forwarding by adding a file /etc/sysctl.conf with the content:
```
net.inet.ip.forwarding=1
```
and reboot
Connect the Mac to the host-only network and make a note of the network/netmask of the host.only network:

Enter ifconfig to get the vmnet IP of the Mac

...
vmnet3: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:50:56:c0:00:03 
        inet 192.168.9.1 netmask 0xffffff00 broadcast 192.168.9.255

In the IP setting of the guest VM enter an IP/netmask according to the host-only network settings (with the example above that's in the range 192.168.9.2-254/255.255.255.0), a gateway (the vmnet3 IP of the hosting Mac from step 3 - here: 192.168.9.1) and a DNS server.
Open the pf.conf file with:
```
sudo nano /etc/pf.conf
```
and add the lines:
```
nat on {en0, en1} proto {tcp, udp, icmp} from 192.168.9.0/24 to any -> {en0, en1}
pass from {lo0, 192.168.9.0/24} to any keep state
```
after the line rdr-anchor "com.apple/*".

Depending on your Mac and your network configuration only one interface is sufficient (either en0 or en1). Also use the proper network/netmask (your vmnet config instead of 192.168.9.0/24)!.

Save the file and exit nano.
Check your pf.conf with:
```
sudo pfctl -vnf /etc/pf.conf
```
If no error occurs enable pf with:
```
sudo pfctl -ef /etc/pf.conf
```

After a reboot you have to relaunch pf because it's not started automatically while booting. To launch pf while booting check step 4 in this answer: What is the modern way to do port-forwarding on El Capitan? (forward port 80 to 8080)

Related Solutions

MacOS – all these ipfw rules coming from

I cleared them out with:

$ sudo ipfw -f flush

But this is only a temporary fix, and I have no idea where these rules are coming from.

I've discovered that disabling the ruleset they belong to lasts longer:

$ sudo ipfw set disable 0

But they still get re-enabled after a reboot.

MacOS – sshdfilter and ipfw – why are the rules flushed so often

Change /etc/sshdfilterrc to add the rules to /etc/ipfilter/ipfw.conf. This file is imported when the flush is executed. Disadvantage is that this file has to be maintained....

This prevents the blocks staying in bit heaven when the flush comes along because this file is read after the flush is executed.

edit: on request added changes I made in /etc/sshdfilterrc

firewalladd='/sbin/ipfw add $idx deny all from $ip to any in; echo add $idx deny all from $ip to any in >> /etc/ipfilter/ipfw.conf;echo +`date` $ip >>/etc/ipfilter/sshdfilter_block.log'
firewalldel='/sbin/ipfw del $idx deny all from $ip to any in;grep -v " $ip ">/tmp/ipfw.conf;mv /tmp/ipfw.conf /etc/ipfilter/ipfw.conf;echo -`date` $ip >>/etc/ipfilter/sshdfilter_block.log'

this takes care of the block and the block Cancel actions, including some block.log to see when and how long an ip has been blocked.

Best Answer

Related Solutions

MacOS – all these ipfw rules coming from

MacOS – sshdfilter and ipfw – why are the rules flushed so often

Related Question