The solution is:
You're doing two things there.
- Enabling IP forwarding. The OS X equivalent might be:
  sysctl -w net.inet.ip.forwarding=1
  …but since I don't know exactly what you're trying to do, this might be technically correct but unhelpful.
- Adding a largely unnecessary firewall rule. If you haven't changed the default policy for your FORWARD chain (iptables -P FORWARD ...), then this rule does nothing.

OS X uses the pf firewall tools. Try here. Prior to 10.7 Lion, OS X used the ipfw firewall tools, which are well documented all over the net. Try here, or here.
But OS X 10.12 has no iptables, ipfw or pf command; only pfctl is available.
The macOS firewall dropped IPFW in 10.10 and switched to OpenBSD's PF. The PF User's Guide is at https://www.openbsd.org/faq/pf/.
By default macOS starts PF automatically. To stop PF from starting at boot, run:
# rcctl disable pf
and reboot the Mac for the change to take effect.
The following two commands enable and disable PF:
enable
# pfctl -e
disable
# pfctl -d
With OS X 10.7, Apple deprecated use of FreeBSD's ipfw and switched to OpenBSD's pf. The control command for pf is pfctl(8).
You will find a brief discussion as of 10.7 here. This is useful for highlighting a couple ways OS X’s PF differs from the stock BSD version.
Documentation on PF is widely available, including Hansteen’s The Book of PF. The author also wrote a freely available tutorial, and the OpenBSD documentation is also freely available.
Note: If your machine is also running OS X Server under 10.8, you might need to fix a config error that Apple made before PF starts working.
Alternative solution with pfctl, 1:
I was able to get this working using the ifconfig and pfctl commands on Mac 10.10.2. With the following approach I'm successfully mapping 127.0.0.1:3000 to mydomain.com locally on my machine.
In your command line enter the following two commands to forward connections to 127.0.0.1:3000 to 10.0.0.1:
sudo ifconfig lo0 10.0.0.1 alias
echo "rdr pass on lo0 inet proto tcp from any to 10.0.0.1 port 80 -> 127.0.0.1 port 3000" | sudo pfctl -ef -
Then edit your /etc/hosts or /private/etc/hosts file and add the following line to map your domain to 10.0.0.1.
10.0.0.1 mydomain.com
After you save your hosts file flush your local DNS:
sudo discoveryutil udnsflushcaches
Now open mydomain.com in a browser and you'll be seeing the server hosted on your localhost port (i.e. 127.0.0.1:3000). Basically this process maps an <ip>:<port> to a new <ip> so that you can then map a host to that IP.
PF-related commands
http://man.openbsd.org/pfctl
#pfctl -e                  // enable PF
#pfctl -d                  // disable PF
#pfctl -f /etc/pf.conf     // reload the pf.conf rule set
To guard against a mistake in the pf rules: whenever you run pfctl -f, don't forget to append ;sleep 10; pfctl -d, so PF is disabled again after 10 seconds if the new rules lock you out.
#pfctl -nf /etc/pf.conf    // check pf.conf syntax only (nothing is loaded)
#pfctl -Nf /etc/pf.conf    // load only the NAT rules from the file
#pfctl -Rf /etc/pf.conf    // load only the filter rules from the file
#pfctl -Of /etc/pf.conf    // load only the option rules from the file
#pfctl -sn                 // show the current NAT rules = pfctl -s nat
#pfctl -sr                 // show the current filter rules = pfctl -s rules
#pfctl -ss                 // show the current state table = pfctl -s state
#pfctl -si                 // show filter statistics = pfctl -s info
#pfctl -sa                 // show all statistics = pfctl -s all
#pfctl -sm                 // = pfctl -s memory
#pfctl -sq                 // show the current queues = pfctl -s queue
#pfctl -vsr                // show the filter rules with per-rule statistics = pfctl -vs rules
#pfctl -t ssh-bruteforce -Tshow   // show the contents of a table
#pfctl -F nat              // flush the NAT rules
#pfctl -F queue            // flush the queues
#pfctl -F rules            // flush the filter rules
#pfctl -F all              // flush all rules
#pfctl -F info             // clear the counters
#pfctl -F Tables           // flush the tables
Using PF tables:
show the contents of a table
#pfctl -t ssh-bruteforce -Tshow
#pfctl -t table_name -T add spammers.org      // add an entry to the table
#pfctl -t table_name -T delete spammers.org   // delete an entry from the table
#pfctl -t table_name -T flush                 // empty the table
#pfctl -t table_name -T show                  // list the table's entries
#pfctl -t table_name -T zero                  // reset the table's counters
Blocking port scanners by TCP flag combination (pf.conf rules; the leading # prompt is dropped so the lines load as rules rather than comments):
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags SFUP/SFRAU
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
block in quick proto tcp all flags P
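As an added example (not code from the original page or its quoted answers), the script below ties together the rdr rule from the answer above, the scanner-blocking rules in this section, and the "load, sleep 10, pfctl -d" safety habit from the command list: it generates the rule set, syntax-checks it with pfctl -n, and loads it with a watchdog that disables PF again if the new rules lock you out. It assumes a macOS host with pfctl(8); the alias IP, ports and grace period are constructed values.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes macOS with pfctl(8) and a
# loopback alias as set up above; the IP and ports passed in are constructed.

# Emit a pf rule set that (a) redirects TCP port $2 on alias address $1 to a
# local server on 127.0.0.1:$3 and (b) drops TCP packets whose flag
# combinations match common scanner probes (the block rules listed above).
build_pf_rules() {
    alias_ip=$1; pub_port=$2; local_port=$3
    cat <<EOF
# constructed rule set: ${alias_ip}:${pub_port} -> 127.0.0.1:${local_port}
rdr pass on lo0 inet proto tcp from any to ${alias_ip} port ${pub_port} -> 127.0.0.1 port ${local_port}
# drop TCP probes with invalid flag combinations (SYN+FIN, NULL, Xmas, ...)
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags SFUP/SFRAU
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
block in quick proto tcp all flags P
EOF
}

# Count the lines pf would actually load (skips blank and comment lines).
count_active_rules() {
    grep -Ecv '^[[:space:]]*(#|$)'
}

# Load a rule file with the page's safety pattern: syntax-check first with
# -n, then enable pf with the rules and start a watchdog that disables pf
# again after $2 seconds. If the new rules lock you out, access comes back
# on its own; if they work, kill the printed watchdog PID to keep them loaded.
load_with_rollback() {
    rules_file=$1; grace=${2:-10}
    pfctl -nf "$rules_file" || { echo "syntax error, nothing loaded" >&2; return 1; }
    pfctl -ef "$rules_file" || return 1
    ( sleep "$grace"; pfctl -d; echo "pf disabled after ${grace}s" >&2 ) &
    echo $!
}
```

Typical use is `build_pf_rules 10.0.0.1 80 3000 > /tmp/dev.pf.conf` followed by `sudo sh -c '. ./pf-helpers.sh; load_with_rollback /tmp/dev.pf.conf 10'`, then killing the watchdog once you have confirmed the redirect works.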
The solution on Linux:
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080