How do I enable IP-forwarding in MacOS X?

解法是:

You’re doing two things there.

  1. Enabling IP forwarding. The OS X equivalent might be:
    sysctl -w net.inet.ip.forwarding=1
    

    …but since I don’t know exactly what you’re trying to do, this might be technically correct but unhelpful.

  2. Adding a largely unnecessary firewall rule. If you haven’t changed the default policy for your FORWARD chain (iptables -P FORWARD ...), then this rule does nothing.OS X uses the pf firewall tools. Try herePrior to 10.7 Lion, OS X used the ipfw firewall tools, which are well documented all over the net. Try here, or here

 

但是 OS X 10.12上沒有 iptables, ipfw, pf 指令,只有 pfctl指令。

Mac OS 的防火牆軟體在10.10已經將IPFW取消,改用OpenBSD的PF,有關PF的User guide 可參考:https://www.openbsd.org/faq/pf/。

預設Mac OS X都會自動啟動PF,如果不讓PF於開機時啟動,可以執行下面的指令:

# rcctl disable pf

重啟Mac即可生效。

下面二個指令可啟動與關閉PF功能:

enable
# pfctl -e

disable
# pfctl -d

 

With OS X 10.7, Apple deprecated use of FreeBSD’s ipfw and switched to OpenBSD’s pf.

The control command for pf is pfctl(8).

You will find a brief discussion as of 10.7 here. This is useful for highlighting a couple ways OS X’s PF differs from the stock BSD version.

Documentation on PF is widely available, including Hansteen’s The Book of PF. The author also wrote a freely available tutorial, and the OpenBSD documentation is also freely available.

Note: If your machine is also running OS X Server under 10.8, you might need to fix a config errorthat Apple made before PF starts working.


pfctl替代解法1:

 was able to get this working using the ifconfig and pfctl commands on Mac 10.10.2. With the following approach I’m successfully mapping 127.0.0.1:3000 to mydomain.com locally on my machine.

In your command line enter the following two commands to forward connections to 127.0.0.1:3000 to 10.0.0.1:

sudo ifconfig lo0 10.0.0.1 alias
echo "rdr pass on lo0 inet proto tcp from any to 10.0.0.1 port 80 -> 127.0.0.1 port 3000" | sudo pfctl -ef -

Then edit your /etc/hosts or /private/etc/hosts file and add the following line to map your domain to 10.0.0.1.

10.0.0.1 mydomain.com

After you save your hosts file flush your local DNS:

sudo discoveryutil udnsflushcaches

Now open mydomain.com in a browser and you’ll be seeing the server hosted on your localhost port (i.e. 127.0.0.1:3000). Basically this process maps an <ip>:<port> to a new <ip> so that you can then map a host that IP.

 


PF相關指令
http://man.openbsd.org/pfctl

#pfctl -e //啟動 PF
#pfctl -d //停用 PF
#pfctl -f /etc/pf.conf //重新載入 pf.conf 設定檔

為了防止 pf 規則寫錯:
pfctl -f 的時候不忘加上 ;sleep 10; pfctl -d
#pfctl -nf /etc/pf.conf //檢查 PF 語法是否正確 (未載入)
#pfctl -Nf /etc/pf.conf //僅載入 NAT 的設定檔
#pfctl -Rf /etc/pf.conf //僅載入防火牆的過濾設定檔
#pfctl -Of /etc/pf.conf //僅載入選項規則(optiion)的設定檔
#pfctl -sn //顯示現階段 NAT 的規則 = pfctl -s nat
#pfctl -sr //顯示現階段過濾的規則 = pfctl -s rules
#pfctl -ss //顯示現階段封包運作狀態 = pfctl -s state
#pfctl -si //顯示現階段過濾封包的統計資料 = pfctl -s info
#pfctl -sa //顯示現階段所有統計的資料 = pfctl -s all
#pfctl -sm = pfctl -s memory
#pfctl -sq //檢視目前佇列 = pfctl -s queue
#pfctl -vsr //顯示現階段過濾封包的統計資料 = pfctl -vs rules
#pfctl -t ssh-bruteforce -Tshow //顯示 table 內資料
#pfctl -F nat //清空 NAT 規則
#pfctl -F queue //清空佇列
#pfctl -F rules //清空封包過濾規則
#pfctl -F all //清空所有的規則清空計數器
#pfctl -F info
#pfctl -F Tables

PF Tables 的使用:

顯示 table 內資料
#pfctl -t ssh-bruteforce -Tshow
#pfctl -t table_name -T add spammers.org
#pfctl -t table_name -T delete spammers.org
#pfctl -t table_name -T flush
#pfctl -t table_name -T show
#pfctl -t table_name -T zero

過濾掃瞄偵測軟體
#block in quick proto tcp all flags SF/SFRA
#block in quick proto tcp all flags SFUP/SFRAU
#block in quick proto tcp all flags FPU/SFRAUP
#block in quick proto tcp all flags /SFRA
#block in quick proto tcp all flags F/SFRA
#block in quick proto tcp all flags U/SFRAU
#block in quick proto tcp all flags P

 


在Linux 上的解法:

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp –dport 80 -j REDIRECT –to-ports 8080

相關文章

寫留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *