
Routing localhost traffic to external IP address

I have a host with Mac OS and another machine (192.168.100.50) in the same LAN. I would like to configure Mac OS in such a way that if I access localhost:443 it will redirect to 192.168.100.50:443.

I'm able to redirect ports inside Mac OS, so if I access localhost:444 it redirects to localhost:443 this way:


1. sudo sysctl net.inet.ip.forwarding=1


2. /etc/pf.anchors/dev:

rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port 443 -> 127.0.0.1 port 444


3. /etc/pf.conf:

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr-anchor "dev"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
load anchor "dev" from "/etc/pf.anchors/dev"


4. sudo pfctl -ef /etc/pf.conf


But if I change "from any to 127.0.0.1 port 443 -> 127.0.0.1 port 444" to "from any to 127.0.0.1 port 443 -> 192.168.100.50 port 443", it doesn't work.


I guess I should set up NAT somehow, but I'm not sure how to do that with PF. So any help will be very much appreciated.


MacBook Pro 15", macOS 10.14

Posted on May 1, 2019 6:45 AM

Question marked as Top-ranking reply

Posted on May 1, 2019 8:59 PM

If you just want to route a single port, then establish an ssh tunnel


ssh -N -n -L 443:localhost:443 192.168.100.50


You can set up ssh-keygen keys so you do not need to use a password.


Now you can use localhost:443 as long as the ssh tunnel is established.


ssh tunnels are secure. ssh tunnels can even tunnel across the internet as long as you can address the remote system. I actually use an ssh tunnel to VNC with my Mom's iMac 300 miles away. I tunnel port 5900 (the VNC port).


You also do not need to do 443 to 443; you can do any local port you like and have it sent to port 443 on the remote.


ssh -N -n -L 12345:localhost:443 192.168.100.50


So localhost:12345 will be delivered to port 443 on host 192.168.100.50


25 replies

May 2, 2019 2:47 AM in response to BobHarris

Finally, I managed to set it up via SSH.


Just for the sake of convenience I installed the Core Tunnel app: https://itunes.apple.com/ru/app/core-tunnel-ssh-tunnel-2/id1354318707?mt=12


On Windows machine I've installed OpenSSH: https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse


The single drawback of Core Tunnel is that it's unable to bind to local port 443. So I used another one and a PF rule to redirect 443 to this port.


Thank you very much!
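The arrangement this reply ends up with (an ssh tunnel listening on an unprivileged loopback port, plus a PF rdr rule sending localhost:443 to that port), combined with the pf anchor layout from the original question, as an added shell example. This is not code from the thread, from Core Tunnel or from Apple. It assumes the anchor name "dev" and anchor file /etc/pf.anchors/dev from the question, an assumed tunnel port of 8443, key-based ssh access to the remote OpenSSH server, and that nc is available for the listener check.

```shell
#!/bin/sh
# Added example (not from the thread): build and apply the ssh tunnel plus
# the pf loopback redirect. Apps connect to localhost:443, pf redirects
# that to 127.0.0.1:8443, and ssh carries it to the remote host's port 443.
# Assumed values: TUNNEL_PORT 8443, anchor "dev", /etc/pf.anchors/dev.

REMOTE_HOST="${REMOTE_HOST:-192.168.100.50}"   # address from the question
REMOTE_PORT="${REMOTE_PORT:-443}"
LOCAL_PORT="${LOCAL_PORT:-443}"                # port applications will use
TUNNEL_PORT="${TUNNEL_PORT:-8443}"             # assumed unprivileged port
ANCHOR_FILE="${ANCHOR_FILE:-/etc/pf.anchors/dev}"

# Return 0 only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command. The bind address 127.0.0.1 is written out so the
# forwarded port stays off the LAN even if GatewayPorts is set in ssh_config;
# BatchMode refuses password prompts (key auth only) and ExitOnForwardFailure
# makes ssh exit instead of running without the forward when the local
# port is already taken.
ssh_tunnel_cmd() {
    # $1 tunnel_port  $2 remote_host  $3 remote_port
    valid_port "$1" && valid_port "$3" || return 1
    printf 'ssh -N -n -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:localhost:%s %s\n' "$1" "$3" "$2"
}

# Print the pf rdr rule that sends localhost:<local_port> to the tunnel port
# (same shape as the rule in the question, with the tunnel port as target).
pf_rdr_rule() {
    # $1 local_port  $2 tunnel_port
    valid_port "$1" && valid_port "$2" || return 1
    printf 'rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port %s -> 127.0.0.1 port %s\n' "$1" "$2"
}

# 0 if something is listening on the given loopback TCP port (uses nc -z).
port_listening() {
    nc -z 127.0.0.1 "$1" >/dev/null 2>&1
}

# Write the anchor file, load it into the "dev" anchor, start the tunnel and
# confirm the tunnel port is listening. Needs sudo; macOS only.
apply_config() {
    pf_rdr_rule "$LOCAL_PORT" "$TUNNEL_PORT" | sudo tee "$ANCHOR_FILE" >/dev/null
    sudo pfctl -a dev -f "$ANCHOR_FILE"      # load only this anchor
    sudo pfctl -e 2>/dev/null || true         # enable pf if not already on
    sudo pfctl -a dev -s nat                  # show the loaded rdr rule
    cmd=$(ssh_tunnel_cmd "$TUNNEL_PORT" "$REMOTE_HOST" "$REMOTE_PORT") || return 1
    $cmd &                                    # no quoting needed: plain words
    sleep 2
    if port_listening "$TUNNEL_PORT"; then
        echo "tunnel up: localhost:$LOCAL_PORT -> 127.0.0.1:$TUNNEL_PORT -> $REMOTE_HOST:$REMOTE_PORT"
    else
        echo "tunnel did not come up on 127.0.0.1:$TUNNEL_PORT" >&2
        return 1
    fi
}

# Only touch the system when asked to; sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    apply_config
fi
```

Run it as "sh tunnel.sh --apply" on the Mac after the rdr-anchor "dev" and load anchor "dev" lines from the question are in /etc/pf.conf; otherwise the anchor is loaded but never evaluated. Because pf only rewrites the destination port and ssh only listens on 127.0.0.1, nothing on the LAN can reach either port, which is the property the thread's own advice (no changes to localhost, tunnel instead of raw routing) relies on.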

May 1, 2019 5:43 PM in response to sergeyzwezdin

DO NOT CHANGE localhost. Ever! You will just break your Mac's ability to do networking.


If the other machine is a Mac, then give it a simple name via System Preferences -> Sharing -> Computer Name. For example: "other". Then you can access that system using "other.local".


If the other system is not a Mac, then see if it has a way to give it a simple name, and then it should be available via "simplename.local". For example, I've done this with my Synology NAS.


If you cannot give the other system a simple name that works with .local, you can add a simple name to your /etc/hosts file (just DO NOT associate it with localhost):

192.168.100.50 simplename

And you can access that host via "simplename".


But as MrHoffman said, if you change localhost, you are going to screw up your Mac.

May 2, 2019 1:56 PM in response to sergeyzwezdin

I'd look to use Parallels networking here, as that includes different configuration options for remapping the internal (emulated) network. Selecting bridged mode should put the Parallels guest onto the same network as the Mac, for instance. Alternate-clicking on the Parallels icon in the Dock should also bring up a networking selection where the port-forwarding can be configured.

May 3, 2019 6:13 AM in response to sergeyzwezdin

I did some googling, _AND_ I have not tested this, but it might do what you want.


This webpage seems to explain what the curl --resolve option is doing

https://curl.haxx.se/libcurl/c/CURLOPT_RESOLVE.html


And this page skirts on the edge of explaining

https://support.acquia.com/hc/en-us/articles/360005257154-Use-cURL-s-resolve-option-to-pin-a-request-to-an-IP-address


The first URL says the DNS cache is populated with the host:port association you want, and then any app using DNS to look up the address will get the curl --resolve DNS entry.


Or at least that is how I am interpreting those 2 webpages.

May 3, 2019 7:04 AM in response to BobHarris

I just tried this at work, and it did not seem to do what I was thinking.


All it seemed to do was re-vector curl to the specified destination via localhost and fetch the webpage. Not what I was thinking, but totally in keeping with what curl does for a living.


If you just wanted to fetch a webpage from the other system via localhost, I guess it could work.


Maybe BDaqua can clarify if my experience is what he expected, or if he expects something else?


The ssh tunnel will intercept any app going to localhost:443

May 3, 2019 7:14 AM in response to sergeyzwezdin

You showed Parallels. That’s commonly used on macOS, and folks do try to network from guests within.


Okay.


Backing up... Rather than a proposed and unworkable solution—the wholesale remapping localhost to else-host—can we back up a step here and learn more about the problem you are working to resolve here and what you are trying to do—that’s what, and not how you are trying to do it—and what software is involved? Some background and requirements? Again, I’m not looking for any proposed solutions here, but rather some more on the background and requirements here.

May 3, 2019 6:36 PM in response to MrHoffman

Well, I have a Windows machine in the LAN where I run server-side code for some web application. I couldn't run it on Mac because of .NET Framework - that's why I need the Windows machine.


I understand that I could give that host some short name and map to it, but it's another story — things will be easier if I can access it by localhost:443. That's why I was trying to find a solution to do that.


And actually, idea with SSH tunnel works like a charm. So problem solved :-)
