How do I forward a port accessible to the world on my Mac?


I realize that there's a lot of info out there about port forwarding, but here's my specific situation.

I need to remote in (via VNC) to my Mac. By default, the Mac Remote Sharing server listens on port 5900. That would be all well and good except my company is blocking port 5900 incoming connections!

However, it is allowing port 3389. So what I'm trying to do is set it up so that I can listen for connections on port 3389 and forward them to 5900.

Here's what I tried: ssh 127.0.0.1 -L3389:127.0.0.1:5900

This doesn't quite do what I want because then only connections from 127.0.0.1 will be accepted on port 3389.

 netstat -an | egrep 'Proto|LISTEN'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.3389         *.*                    LISTEN

I need to listen from the world, * on port 3389. How can I accomplish this?

Shamoon

Posted 2014-04-25T21:31:17.160

Reputation: 267

Usually VNC software lets you tell it which port to listen on in the settings. Is there no option for that? – Colyn1337 – 2014-04-29T10:29:42.033

You wrote that your company's firewall will block 5900. Outgoing or incoming? And from where to where will you connect? Where is your Mac? And could you connect to any service on your Mac? From where will you establish the connection to your Mac? And which kind of ports could you use outgoing? – UsersUser – 2014-05-01T12:16:25.700

Answers

1

Your question is a bit short on specific details; it is a bit hard to give direct answers without knowing some things:

  1. Can you connect on the default VNC port from outside - say from a friend’s house, where your work is not blocking you? If so you can change the port that VNC listens on to 3389 and test that. How to change the default screen sharing / VNC port number on Mac OS X?

  2. The ssh command you mention would need to be run from the CONNECTING machine not the "server". So you would run:

    ssh address.of.your.mac -L9999:127.0.0.1:5900
    

    and then connect VNC to localhost:9999 on your client machine. I use 9999 as an example since it is probably not in use and 5900 might be if your client is a Mac and 3389 might be if your client is Windows.

To be clear: you will need to be able to ssh into your Mac from work, the number after -L is the port you connect to on your connecting machine (localhost), 127.0.0.1:5900 is where VNC is already listening on your (remote) Mac.

  3. I would also think about a VPN to get around work restrictions (and for safety). OpenVPN can easily run on port 443 (HTTPS) which is probably allowed out, and will even work over a proxy server if your work restricts web access that way. Setting that up is not too hard but out of scope for this question.

heurist

Posted 2014-04-25T21:31:17.160

Reputation: 51
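The following is an added example, not part of the question or of heurist's answer. It shows the one flag the question's command was missing (ssh binds a -L forward to 127.0.0.1 unless -g, or an explicit bind address, is given), the client-side -L variant from the answer above, and a small netstat check that tells the two cases apart. It assumes Remote Login (sshd) is enabled on the Mac; the hostname mac.example.com, the port numbers and the sample netstat output are constructed.

```shell
#!/bin/sh
# Added example, not from the original question or answers.
# ssh -L binds the listening side to 127.0.0.1 unless told otherwise; the -g
# flag (or a bind_address of '*' / 0.0.0.0 in front of the port) makes it
# listen on all interfaces. Both forwards assume Remote Login (sshd) is
# enabled on the Mac; "mac.example.com" is a placeholder for its address.
#
#   On the Mac itself, what the question's command needed (3389 on all interfaces):
#       ssh -f -N -g -L 3389:127.0.0.1:5900 127.0.0.1
#   From the connecting machine instead (heurist's variant, loopback-only is fine):
#       ssh -f -N -L 9999:127.0.0.1:5900 mac.example.com
#       then point the VNC client at localhost:9999
#
# Either way, confirm where the forward is bound before relying on it.

# Print the local bind address of every TCP listener on port $1, reading
# `netstat -an` output on stdin. macOS prints addresses as "127.0.0.1.3389",
# "*.3389" or "::1.3389": the port is the text after the last dot.
bind_addr_for_port() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, f, ".")
            if (f[n] == p)
                print substr($4, 1, length($4) - length(p) - 1)
        }'
}

# Succeed if port $1 is bound to a wildcard address ("*" or 0.0.0.0), i.e.
# reachable from other hosts; fail if it is loopback-only or not listening.
port_is_world_reachable() {
    bind_addr_for_port "$1" | grep -qx -e '\*' -e '0\.0\.0\.0'
}

# Constructed sample: the netstat output from the question, 5900 on the
# wildcard address, 3389 on loopback only.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.3389         *.*                    LISTEN'

# Live check on the Mac after starting the forward:
#   netstat -an | port_is_world_reachable 3389 && echo "3389 listens on all interfaces"
```

With -g the forwarded port is open to every host that can reach the Mac, so the company firewall is the only thing in front of screen sharing; the client-side variant keeps the VNC port on loopback and relies on the SSH login instead.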

1

Instead of port forwarding, you could change the port that launchd listens for VNC connections on. (launchd listens on behalf of screensharingd, and launches screensharingd when a connection attempt comes in).

screensharingd is the default VNC server in OS X. If you're using Apple Remote Desktop (a.k.a. ARD, "Remote Management") instead, these instructions would probably need to be modified somewhat.

Edit /System/Library/LaunchDaemons/com.apple.screensharing.plist

Find this key/value pair:

<key>SockServiceName</key>
<string>vnc-server</string>

And change it to this:

<key>SockServiceName</key>
<string>3389</string>

Then you'll probably need to reboot or use launchctl to force launchd to reload that plist.

Then, in your VNC client, specify the 3389 port. For example, OS X's built-in VNC client uses URLs, so you can hand it vnc://username:password@host.example.com:3389/. Or leave off the username:password so you get prompted.

Caveat lector: I haven't tried this myself, so try at your own risk. Consider making a backup copy of that plist file before editing it, so it's easy to put it back how it was.

Spiff

Posted 2014-04-25T21:31:17.160

Reputation: 84 656
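Added example, not from Spiff's answer or from Apple: the same plist edit done from the shell, with the backup the answer recommends and a launchctl unload/load so no reboot is needed. The plist path is the one from the answer; the port 3389 and the abridged sample plist are constructed. One caveat the answer predates: from OS X 10.11 onward System Integrity Protection makes /System read-only, so this edit only works on earlier releases.

```shell
#!/bin/sh
# Added example, not from Spiff's answer or from Apple. The plist path is real;
# the port and the sample plist below are constructed for illustration.
PLIST=/System/Library/LaunchDaemons/com.apple.screensharing.plist

# Rewrite the <string> that follows <key>SockServiceName</key> in plist XML
# read from stdin, leaving every other key untouched. launchd accepts either
# a service name from /etc/services ("vnc-server" = 5900) or a port number.
set_sock_service_name() {
    awk -v newval="$1" '
        prev_was_key && /<string>[^<]*<\/string>/ {
            sub(/<string>[^<]*<\/string>/, "<string>" newval "</string>")
        }
        { print; prev_was_key = ($0 ~ /<key>SockServiceName<\/key>/) }'
}

# Full procedure on the Mac (needs root; on OS X 10.11 and later System
# Integrity Protection makes /System read-only, so this only works before that):
change_screen_sharing_port() {
    port=$1
    sudo cp "$PLIST" "$PLIST.bak"                  # keep a copy, as the answer advises
    sudo launchctl unload -w "$PLIST"              # stop launchd listening on 5900
    set_sock_service_name "$port" < "$PLIST.bak" | sudo tee "$PLIST" > /dev/null
    sudo launchctl load -w "$PLIST"                # listen on the new port
    netstat -an | grep -q "\.$port .*LISTEN"       # verify before disconnecting
}

# Constructed, abridged copy of the plist's Sockets section.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.apple.screensharing</string>
  <key>Sockets</key>
  <dict>
    <key>Listener</key>
    <dict>
      <key>SockServiceName</key>
      <string>vnc-server</string>
    </dict>
  </dict>
</dict>
</plist>'

# Dry run against the sample instead of the live file:
#   printf '%s\n' "$SAMPLE_PLIST" | set_sock_service_name 3389
```

The unload/load pair is what the answer's "use launchctl to force launchd to reload" amounts to; the netstat line at the end is the same check you would run by hand, and is worth doing before closing the session you are editing from.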

0

You could try the -D option with ssh which is dynamic port forwarding. So this may look like: ssh -D 3389 yourAccount@yourDomain.com

I did this yesterday and am recalling this from memory, but these are the basics of it. Once this command works, you just enter your password and configure your application to listen on the port specified - 3389 in your case with 127.0.0.1 as the IP address.

I think this creates a sort of SOCKS proxy using ssh.

:D

user_loser

Posted 2014-04-25T21:31:17.160

Reputation: 141

0

I think you're looking for something like this, the Mac equivalent of iptables.

I don't have a Mac, so I can't test this myself, but I would suggest trying out

sudo ipfw add fwd 127.0.0.1,5900 tcp from any to me dst-port 3389

Note that there seem to be various different syntaxes that ipfw can process (127.0.0.1,3389 and 127.0.0.1 3389 seem like they'll also work from what I can find). I would link you to the FreeBSD page, but as a new user I don't have enough rep for that yet :whistle:.

Alternatively since ipfw has been deprecated, you may want to try pfctl as described here.

Pockets

Posted 2014-04-25T21:31:17.160

Reputation: 270
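Added example, not from Pockets' answer: the pf version of the same redirect, which is the route to take on OS X 10.7 and later where ipfw is gone. The interface name en0 is an assumption (check `ifconfig`); the ports are the question's. Unlike the ssh approaches above, this redirects at the packet level, so screensharingd keeps listening on 5900 and simply sees connections that arrived on 3389.

```shell
#!/bin/sh
# Added example, not from Pockets' answer. Assumes the Mac's interface is en0.

# Emit a pf rdr rule: TCP connections arriving on interface $3 for port $1 are
# redirected to port $2 on loopback, where screensharingd already listens (*.5900).
# Refuses non-numeric or out-of-range ports rather than emitting a broken rule.
pf_rdr_rule() {
    for p in "$1" "$2"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    printf 'rdr pass on %s inet proto tcp from any to any port %s -> 127.0.0.1 port %s\n' \
        "$3" "$1" "$2"
}

# Load the rule and enable pf. Note that `pfctl -f -` replaces the whole
# ruleset, including the stock /etc/pf.conf, and that rules loaded this way
# do not survive a reboot. Packets redirected to 127.0.0.1 that came in on
# en0 are only delivered when IP forwarding is on, hence the sysctl.
apply_pf_redirect() {
    rule=$(pf_rdr_rule "$1" "$2" "$3") || return 1
    sudo sysctl -w net.inet.ip.forwarding=1
    printf '%s\n' "$rule" | sudo pfctl -f -
    sudo pfctl -e 2>/dev/null || true        # -e fails harmlessly if pf is already on
    sudo pfctl -s nat | grep -q "port = $1"  # verify the rdr rule is loaded
}

# Undo: reload the stock ruleset.
remove_pf_redirect() {
    sudo pfctl -f /etc/pf.conf
}

# e.g. apply_pf_redirect 3389 5900 en0
#      netstat -an still shows only *.5900; test from another host with a
#      VNC client pointed at port 3389.
```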