Port Forwarding Problem

I'm trying to forward requests from one port to another and running into problems.

I have a Mac Server (10.5) and a number of Mac clients. I want requests going to one of my clients for port 80 (192.168.1.20:80), to go instead to port 8080 (192.168.1.20:8080).

I've tried everything I can but I can't seem to get this to work. Here's what I've done:

I've added this to my ipfw.conf file:
add 100 fwd 192.168.1.20,80 ip from any to 192.168.1.20 dst-port 10080

But that didn't seem to work.


I also tried to add the correct info to my natd.conf.apple file.

natd.conf.apple:
interface en0
natportmap_interface en1
dynamic yes
log yes
log_denied no
deny_incoming no
use_sockets yes
same_ports yes
unregistered_only yes
reverse no
proxy_only no
clamp_mss yes
redirect_port tcp 192.168.1.20:80 192.168.1.20:10080


I stop and restart both NAT and Firewall from the Server Admin.

Only other thing I can figure is that I've got two NICs in the server (en1 & en0): en1 is where all the clients are and the 192.168.1.xxx IP addresses, but en0 is the direct connection to the internet. So is it possible that my port forwarding is working, but on the wrong interface?


Is there something I'm doing wrong here?

Any help would be greatly appreciated. Thanks in advance.

Posted on Mar 3, 2011 5:52 PM

3 replies

Mar 5, 2011 8:03 PM in response to Chris Armstrong4

Hi,
From my reading of Liu and Albitz, DNS and BIND, assigning separate ports to the same query stream doesn't work. Pages 270-272 state that zone transfers can accommodate separate ports for nameserver messages. query-source requests can specify separate ports for UDP-based queries only. For both IPv4 and IPv6, only SOA and forwarded dynamic updates can be sent on such a transfer of source by specifying a source port. This does not include http traffic.

Essentially, splitting the port occurs at the tcp layer and can only be used for control statements. Port 80 and 1080 normally handle http traffic which occurs at the ip layer.

HTH,
Harry

Mar 5, 2011 11:30 PM in response to Chris Armstrong4

Is this supposed to work from WAN or from LAN and WAN?

If from WAN you first need to allow tcp port 80 in (ipfw) on the public IP, and then forward it (natd.conf). In ipfw turn on logging of denied packets while testing.

(And if you only have one public IP and you forward port 80 to a LAN machine the server can't serve tcp port 80 on the public IP.)



natd.conf.apple should look something like this:

interface en0
natportmap_interface en1
dynamic yes
log yes
log_denied no
deny_incoming no
use_sockets yes
same_ports yes
unregistered_only yes
reverse no
proxy_only no
clamp_mss yes
redirect_port tcp 192.168.1.20:8080 <public IP>:80



You could also do it in two steps:

Let tcp port 80 in and then through to the LAN machine.

Forward from tcp port 80 to tcp port 8080 (or was it 10080?) on the LAN machine.


I don't know if NAT loopback works in the server but if it does it should be possible to use the public ip from a LAN machine to get to the other LAN machine via the server.


I think an ipfw fwd rule would look something like: fwd 192.168.1.20,8080 tcp from any to 192.168.1.20 dst-port 80 (on the client machine).



There are some tools available (use with caution):

The Natural (old) http://www.jamiegriffin.com/gdog/thenatural/

WaterRoof: http://hanynet.com
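Both directives in this thread name two endpoints, and the order matters: in an ipfw `fwd` rule the address and port written right after `fwd` is where the packet is delivered, while the `dst-port` option at the end is what the rule matches; in natd's `redirect_port` the first `ip:port` is the target on the LAN and the last is the alias (public) port being listened on. The script below is an added example, not code from the thread or from Apple; it normalises both syntaxes into one "matched -> delivered to" view and checks each line against the goal stated in the question (clients connect to port 80, the service listens on 192.168.1.20:8080). The public address 203.0.113.10 and the names `Mapping`, `parse_ipfw_fwd`, `parse_natd_redirect` and `check_intent` are constructed for this example.

```python
"""Sanity-check ipfw 'fwd' rules and natd 'redirect_port' lines against an intent.

Syntax being parsed (from ipfw(8) and natd(8)):
  ipfw:  fwd <deliver-ip>[,<deliver-port>] <proto> from <src> to <dst> dst-port <matched-port>
  natd:  redirect_port <proto> <target-ip>:<target-port> [<alias-ip>:]<alias-port>
Example code, not the project's or the thread's own; all helper names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    """Normalised view of one forwarding directive."""
    proto: str
    match_ip: str    # address the packet was originally sent to
    match_port: int  # port the packet was originally sent to
    to_ip: str       # host that actually receives it
    to_port: int     # port that actually receives it


IPFW_FWD = re.compile(
    r"^(?:add\s+(?:\d+\s+)?)?fwd\s+(?P<to_ip>[\d.]+)(?:,(?P<to_port>\d+))?\s+"
    r"(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+dst-port\s+(?P<dport>\d+))?"
)


def parse_ipfw_fwd(rule: str) -> Mapping:
    m = IPFW_FWD.match(rule.strip())
    if not m:
        raise ValueError(f"not an ipfw fwd rule: {rule!r}")
    if m.group("dport") is None:
        raise ValueError("fwd rule without dst-port would redirect every packet to that host")
    dport = int(m.group("dport"))
    # Without ",port" after the address, ipfw keeps the original destination port.
    to_port = int(m.group("to_port")) if m.group("to_port") else dport
    return Mapping(m.group("proto").lower(), m.group("dst"), dport, m.group("to_ip"), to_port)


def parse_natd_redirect(line: str, alias_default: str = "<interface address>") -> Mapping:
    parts = line.split()
    if len(parts) < 4 or parts[0] != "redirect_port":
        raise ValueError(f"not a natd redirect_port line: {line!r}")
    proto, target, alias = parts[1], parts[2], parts[3]
    t_ip, t_port = target.rsplit(":", 1)
    # The alias address is optional; natd then uses the address of its interface.
    a_ip, a_port = alias.rsplit(":", 1) if ":" in alias else (alias_default, alias)
    return Mapping(proto.lower(), a_ip, int(a_port), t_ip, int(t_port))


def describe(m: Mapping) -> str:
    return f"{m.proto} to {m.match_ip}:{m.match_port} is delivered to {m.to_ip}:{m.to_port}"


def check_intent(m: Mapping, public_port: int, service_ip: str, service_port: int) -> list:
    """Return the problems stopping `m` from sending *:public_port to service_ip:service_port."""
    problems = []
    if m.match_port != public_port:
        problems.append(f"matches port {m.match_port}, but clients connect to port {public_port}")
    if (m.to_ip, m.to_port) != (service_ip, service_port):
        problems.append(f"delivers to {m.to_ip}:{m.to_port}, not the service on {service_ip}:{service_port}")
    if m.match_port == service_port and m.to_port == public_port:
        problems.append("the two ports are written in reverse order")
    if m.proto not in ("tcp", "ip"):
        problems.append(f"protocol {m.proto} will not match HTTP (tcp)")
    return problems


# Lines quoted from the thread plus one constructed public address (203.0.113.10).
SAMPLES = {
    "question, ipfw": "add 100 fwd 192.168.1.20,80 ip from any to 192.168.1.20 dst-port 10080",
    "question, natd": "redirect_port tcp 192.168.1.20:80 192.168.1.20:10080",
    "reply, ipfw": "fwd 192.168.1.20,8080 tcp from any to 192.168.1.20 dst-port 80",
    "reply, natd": "redirect_port tcp 192.168.1.20:8080 203.0.113.10:80",
}


def main() -> None:
    for label, line in SAMPLES.items():
        m = parse_ipfw_fwd(line) if "fwd" in line else parse_natd_redirect(line)
        print(f"{label}: {describe(m)}")
        for p in check_intent(m, 80, "192.168.1.20", 8080):
            print(f"    problem: {p}")


if __name__ == "__main__":
    main()
```

Run it and the two lines from the question report problems (each matches port 10080 and delivers to port 80, the opposite of what was wanted), while the two from the reply come back clean. The same check applied before restarting NAT and Firewall from Server Admin would have caught the reversal without a packet trace.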

