OSX: Mimic Ubuntu IP Masquerading via iptables with ipfw

2

Good day,

I am attempting to replicate a setup I have between a router and an Ubuntu PC, and have the same setup working on my MacBook (10.6, Snow Leopard).

First, I have a router that has a USB port. When I plug it into my Ubuntu PC, it creates an RNDIS connection, allowing me to connect to the router over the USB cable via an IP connection. When I plug it into my computer via USB, it gets assigned an IP address of 172.16.84.1, and a new adapter appears when I type ifconfig. I can then SSH into the device via ssh admin@172.16.84.1.

When I log in to the device, I flush the routes, then create the default route:

admin@localhost> route -f
admin@localhost> route add default 172.16.84.2

Now, in my Ubuntu machine, I use iptables to enable IP masquerading:

root@Valhalla> sudo iptables -t nat -A POSTROUTING -s 172.16.84.2 -j MASQUERADE

Once this is all done, the router has internet access over the USB connection to my PC.

I am trying to replicate this exact setup on my MacBook now (Snow Leopard), but iptables does not exist for OSX, not even a Macports version exists. I have scoured through other questions on StackOverflow that cover the usage of the ipfw command, which apparently works as a drop-in replacement for iptables. However, the syntax is significantly different, and I'm pretty much lost.

Does anyone with some experience with ipfw have some suggestions on how I could accomplish this and create a NAT connection via IP masquerading like I could with my Ubuntu PC?

Thank you for your assistance.

Cloud

Posted 2012-12-10T22:19:28.807

Reputation: 521
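For reference, here is the Ubuntu side of the setup described in the question as a repeatable script. This is an added example, not the questioner's commands; it assumes the RNDIS link appears as usb0, the uplink is eth0, and the USB link uses the subnet 172.16.84.0/24 (constructed around the 172.16.84.1 and 172.16.84.2 addresses above). Beyond the single MASQUERADE rule in the question it also turns on forwarding and restricts the FORWARD chain so that only the USB subnet can go out and only replies can come back in.

```shell
#!/bin/sh
# Added example (not from the question): Ubuntu-side NAT for the USB-attached
# router, restricted to the USB link. Interface names and the /24 are assumptions.

USB_IF="${USB_IF:-usb0}"              # RNDIS interface the router appears on (assumed)
WAN_IF="${WAN_IF:-eth0}"              # uplink with Internet access (assumed)
USB_NET="${USB_NET:-172.16.84.0/24}"  # subnet on the USB link (constructed)

# Accept only plain interface names (letters, digits, dot, underscore, hyphen)
# so a value taken from the environment cannot inject extra shell words.
valid_ifname() {
  case "$1" in
    "" | *[!a-zA-Z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Print the commands that bring NAT up, in order: enable forwarding, masquerade
# traffic from the USB subnet leaving the uplink, permit forwarding from USB to
# uplink and established/related replies back, and drop anything else inbound.
masq_up_rules() {
  usb=$1; wan=$2; net=$3
  printf '%s\n' \
    "sysctl -w net.ipv4.ip_forward=1" \
    "iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE" \
    "iptables -A FORWARD -i $usb -o $wan -s $net -j ACCEPT" \
    "iptables -A FORWARD -i $wan -o $usb -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -A FORWARD -i $wan -o $usb -j DROP"
}

# Print the matching teardown (same rules with -D, forwarding off last).
masq_down_rules() {
  usb=$1; wan=$2; net=$3
  printf '%s\n' \
    "iptables -D FORWARD -i $wan -o $usb -j DROP" \
    "iptables -D FORWARD -i $wan -o $usb -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -D FORWARD -i $usb -o $wan -s $net -j ACCEPT" \
    "iptables -t nat -D POSTROUTING -s $net -o $wan -j MASQUERADE" \
    "sysctl -w net.ipv4.ip_forward=0"
}

# Execute each printed line as a command (needs root on the Ubuntu box).
apply_rules() {
  while read -r line; do
    echo "+ $line"
    $line || return 1
  done
}

for ifc in "$USB_IF" "$WAN_IF"; do
  valid_ifname "$ifc" || { echo "bad interface name: $ifc" >&2; exit 2; }
done
[ "$USB_IF" != "$WAN_IF" ] || { echo "USB and uplink interface must differ" >&2; exit 2; }

case "${1:-}" in
  --apply) masq_up_rules "$USB_IF" "$WAN_IF" "$USB_NET" | apply_rules ;;
  --undo)  masq_down_rules "$USB_IF" "$WAN_IF" "$USB_NET" | apply_rules ;;
  *)       echo "# dry run; rerun with --apply or --undo as root"
           masq_up_rules "$USB_IF" "$WAN_IF" "$USB_NET" ;;
esac
```

Run it without arguments to see the exact commands it would issue, then `sudo ./usb-nat.sh --apply`; `--undo` removes the same rules again so the host is not left forwarding after the router is unplugged.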

Answers

1

Well, the easiest way to do it using OSX is simply by using System Preferences -> Sharing -> Internet Sharing. You check Internet Sharing, and configure it so it states "Share your connection from Ethernet 2" (as I suppose your USB network device appears as), "To computers using Ethernet" (as I suppose you want your local network to be on Ethernet; otherwise choose AirPort or anything relevant).

The bearded way to do it is to indeed use ipfw and route. A simple google search gives a good tutorial on both methods at the following URL:

http://www.ibiblio.org/macsupport/ipfw/ (the commandline way is after the GUI way)

HTH

zmo

Posted 2012-12-10T22:19:28.807

Reputation: 255

I'm not familiar with the term "bearded way". What does that mean? I'm looking for a programmatic non-GUI approach. – Cloud – 2012-12-14T15:05:46.480

"bearded" is a joke to say "for real men that have a beard" :-) For the non-GUI approach, you can use the link I gave you. In that link, they even show you how you can set things up using the UI, and then print the rules to be able to replay them later on. – zmo – 2012-12-14T15:51:31.043

1

Why don't you just use simple Internet Sharing on your Mac OS X? System Preferences > Sharing > Internet Sharing

For ipfw, the NAT rules are (let's say that your Internet interface is en0 and your local interface is en1):

  1. sysctl -w net.inet.ip.fw.one_pass=1 (you need to be root)
  2. sysctl -w net.inet.ip.forwarding=1
  3. /sbin/ipfw add 1040 allow ip from any to any via en1 (allow everything that will pass via local interface)
  4. /sbin/ipfw add divert natd all from any to any via en0
  5. /sbin/ipfw add pass all from any to any natd -interface en0 (where en0 your outgoing interface)
  6. /usr/sbin/natd -interface en0 (nat itself)
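The steps above, collected into a script that prints or applies them in the right order. This is an added example and not NauT's own commands: it keeps the sysctl, the "allow via en1" rule, the "divert natd" rule and the natd invocation that the thread confirmed as valid syntax, and splits the divert into an outbound rule limited to the USB subnet and an inbound rule on the uplink. It assumes en0 is the Internet-facing interface, en1 is the USB/RNDIS link, and 172.16.84.0/30 is the subnet on that link (constructed from the question's 172.16.84.1 and 172.16.84.2); rule numbers 1040 and 1050 are arbitrary. natd is started before the divert rules are added, because a packet diverted to a port nobody listens on is dropped, and with one_pass=1 packets coming back from natd are accepted without further rule processing.

```shell
#!/bin/sh
# Added example (not from the thread): script the ipfw/natd setup for Snow Leopard.
# Assumed names: en0 = uplink, en1 = USB/RNDIS link to the router,
# 172.16.84.0/30 = subnet on that link (constructed). Rule numbers are arbitrary.

WAN_IF="${WAN_IF:-en0}"
LAN_IF="${LAN_IF:-en1}"
LAN_NET="${LAN_NET:-172.16.84.0/30}"

# Accept only BSD-style interface names (letters followed by digits) so that a
# value taken from the environment can never inject extra shell words.
valid_ifname() {
  case "$1" in
    "" | [!a-z]* | *[!a-z0-9]*) return 1 ;;
  esac
  return 0
}

# Print the commands that bring NAT up, one per line, in the order they must run.
# Outbound traffic from the USB subnet and all inbound traffic on the uplink are
# handed to natd; one_pass=1 means the packet is accepted when natd returns it.
nat_up_rules() {
  wan=$1; lan=$2; net=$3
  printf '%s\n' \
    "sysctl -w net.inet.ip.fw.one_pass=1" \
    "sysctl -w net.inet.ip.forwarding=1" \
    "/usr/sbin/natd -interface $wan" \
    "/sbin/ipfw add 1040 allow ip from any to any via $lan" \
    "/sbin/ipfw add 1050 divert natd ip from $net to any out via $wan" \
    "/sbin/ipfw add 1050 divert natd ip from any to any in via $wan"
}

# Print the commands that undo the change: rules first, then forwarding, then natd.
# "ipfw delete 1050" removes both rules that share that number.
nat_down_rules() {
  printf '%s\n' \
    "/sbin/ipfw delete 1050" \
    "/sbin/ipfw delete 1040" \
    "sysctl -w net.inet.ip.forwarding=0" \
    "pkill -x natd"
}

# Execute each printed line as a command (needs root on the Mac).
apply_rules() {
  while read -r line; do
    echo "+ $line"
    $line || return 1
  done
}

for ifc in "$WAN_IF" "$LAN_IF"; do
  valid_ifname "$ifc" || { echo "bad interface name: $ifc" >&2; exit 2; }
done
[ "$WAN_IF" != "$LAN_IF" ] || { echo "uplink and local interface must differ" >&2; exit 2; }

case "${1:-}" in
  --apply) nat_up_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | apply_rules ;;
  --undo)  nat_down_rules | apply_rules ;;
  *)       echo "# dry run; rerun with --apply or --undo as root"
           nat_up_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
esac
```

Run it with no arguments first to review the commands, then `sudo ./osx-nat.sh --apply`. `sudo ipfw list` afterwards should show the 1040 and 1050 rules, and `--undo` removes them again so the Mac stops forwarding once the router is disconnected.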

NauT

Posted 2012-12-10T22:19:28.807

Reputation: 325

Would it be possible for you guys to post the final solution here? Thanks – sukhvir – 2014-07-20T16:37:08.920

This is close to what I'm trying to do, but steps 3 and 4 generated "bad command/file not found" errors. Are these sysctl or ipfw commands? – Cloud – 2012-12-13T19:51:56.977

Those are ipfw commands – NauT – 2012-12-13T19:59:45.233

The first three commands work, but the fourth has issues: local$> ipfw nat 1 config log if en1 reset same_ports deny_in

ipfw: bad command `nat' – Cloud – 2012-12-13T21:55:47.570

OK, looks like I made a mistake by trying to use the same rule set as on BSD on OSX. Here we go with valid commands: /sbin/ipfw add divert natd all from any to any via en0 /sbin/ipfw add pass all from any to any natd -interface en0 (where en0 is your outgoing interface) – NauT – 2012-12-13T23:00:09.160

All but step 5 worked: > sudo /sbin/ipfw add pass all from any to any natd -interface en0

ipfw: unrecognised option [-1] -interface\n – Cloud – 2012-12-14T15:21:56.367

Without step 5 but with step 6, NAT probably should work? Did it work out? – NauT – 2012-12-14T16:18:28.580

No luck. The router could neither ping specific IP addresses nor host names. – Cloud – 2012-12-14T16:34:45.997

let us continue this discussion in chat

– NauT – 2012-12-14T16:37:15.280