Mac OS X: Set Port Forwarding Nat Router (Internet Sharing)

by on January 6, 2010 · 14 comments· LAST UPDATED January 6, 2010

in , ,

I'd like to set my Macbook as a router for my other desktop computer. How do I set NAT and port forwarding under MAC OS X? How do I forward ports using OS X for BitTorrent clients?

Network address translation (NAT) is the process of modifying network address information in IP packet headers while in transit across a traffic routing device for the purpose of remapping a given address space into another. Almost all modern Operating system provides NAT support. In other words, if your Mac book connected to the Internet, you can share its Internet connection with other computers on your LAN.

In this example, your Macbook is connected to the Internet via Airport and you are sharing the Internet via Ethernet which is connected to your desktop. Airport gets a public IP address via ISP connection and Ethernet has the following manual IP settings:

Mac OS X Ethernet Network Settings

Mac OS X Ethernet Network Settings

WARNING! These examples may stop networking and the Internet on your laptop and desktop computer if not executed with care. You must have basic understanding of TCP/IP networking.

Turn On Internet Sharing

Open System Preferences by visiting Apple menu > System Preferences:

Mac OS X System Preferences

Fig.01: Mac OS X System Preferences

Click Sharing:

Mac OS X Sharing the Internet Connection And Remote Management Services

Fig.02: Mac OS X Sharing the Internet Connection

Select Internet Sharing:

Mac OS X Sharing Airport Internet Connection With Ethernet Connected Computers

Fig.03: Mac OS X Sharing Airport Internet Connection With Ethernet Connected Computers

You need to select your Internet connection using Airport. Also use select "Ethernet". Change these settings as per your requirement.

How Do I Use Shared Internet Connection On Other Computers?

You need to input the following networking settings for desktop computer called desktop1:

  • IP address 192.168.2.2
  • IP netmask 255.255.255.0
  • IP gateway 192.168.2.1
  • IP DNS server 192.168.2.1

For example, if you are using Ubuntu Linux on desktop update networking configuration as follows in /etc/network/interfaces:

auto eth0
iface eth0 inet static
address 192.168.2.2
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.1

How Do I Setup Port Forwarding OS X Router?

Macbook OS X has no direct GUI option to configure port forwarding. However, you can create a shell script as follows (open terminal and create a script called osx_fw.sh):

#!/bin/bash
# bit-torrent port forwarding with mac os x
killall -9 natd
sleep 5
# The following will forward 6881 to 6999 port to desktop computer located at 192.168.2.2
# 192.168.1.100 => airport IP
# 192.168.2.2 => Desktop client ip
#  natd provides a Network Address Translation facility for use with divert(4) sockets under FreeBSD.
# -------------------------------------------------------------------------------------------------
/usr/sbin/natd -alias_address 192.168.1.100 -interface en1 -use_sockets -same_ports -unregistered_only -dynamic -clamp_mss -enable_natportmap -natportmap_interface en0 -redirect_port tcp 192.168.2.2:6881-6999 6881-6999 -l

Simply run this script whenever you need to forward ports:

chmod +x osx_fw.sh
sudo ./osx_fw.sh

Sample ipfw rules

Type the following command to list current rules (these are set by above Internet sharing procedure):

sudo ipfw list

Sample outputs:

00010 divert 8668 ip from any to any via en1
33300 deny log icmp from any to me in icmptypes 8
65535 allow ip from any to any

See ipfw man page to secure your network via firewall. My Ubuntu desktop connected to transmission BT client:

Transmission Ubuntu BT Client

Fig.04: Transmission Ubuntu BT Client Connected To The Internet Via OS X Router

References:

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 14 comments… read them below or add one }

1 jaysunn January 9, 2010 at 3:47 pm

Nice Work VIvek,

I am really excited about the recent additions in OSX to your infamuos BLOG.

Keep it up,

And Thanks,

Jaysunn

Reply

2 nixCraft January 10, 2010 at 6:31 am

Thanks Jaysunn!

I’m getting lots of questions about OS X via email and I think it is a time to address all of them. In short, you will see more OS X here but no Windows 7 soon :) heh

Reply

3 Andrew January 21, 2010 at 1:55 pm

Sorry moderator the above post was mangled here is the correct one please ignore the first in moderating

This is not really the best way to do it if you already have and existing network as OS X will change your network settings to its own defaults 10.0.0.x/8 on airport and 192.168.2.x/24 on ethernet.

If your internet connection is pppd based you are better of calling

/usr/sbin/sysctl -w net.inet.ip.forwarding=1
/usr/sbin/natd -clamp_mss -dynamic -unregistered_only -interface $1
/sbin/ipfw add divert natd all from any to any via $1

from with in your /etc/ppp/ip-up file and

killall -9 natd
/usr/sbin/sysctl -w net.inet.ip.forwarding=0
echo y |/sbin/ipfw flush

from your /etc/ppp/ip-down file

If you are using ethernet as your internet connection even better you can start natd at boot as well as ipfw using configuration files.

This ensures your network remains the way it is, and you are not running unnecessarily services on your OS X machine, as enabling internet sharing via the GUI automatically starts up a named DNS proxy server, a BOOTP service and NATD which you may not really need in an existing network.

DISCLAIMER,
The above examples do not include firewall protection, they are just to show a command line based way of achieving this in a better way.

Reply

4 Patrick December 20, 2010 at 8:30 pm

How can I reset all the changes I’ve made?

Reply

5 Cedric March 3, 2011 at 8:07 pm

Many thanks for this useful article and posts.

Andrew,

One question.

You propose calling the following processes from the init files:
/usr/sbin/natd -clamp_mss -dynamic -unregistered_only -interface $1
/sbin/ipfw add divert natd all from any to any via $1

I don’t understand why it is necessary to provide the “via $1″ argument and I’m also wondering whether this is correct. I understand from the man page of ipwf that the via argument causes the interface to always be checked. I understand that we may want to masquerade before sending out packets coming from our internal LAN. So the interface is always checked, packets will be sent to natd for masquerading when coming in.

To make it clearer, if WAN is on en0 and LAN is on en1, then the script should probably rather call:
/usr/sbin/natd -clamp_mss -dynamic -unregistered_only -interface en0
/sbin/ipfw add divert natd all from any to any via en1 # i.e.

Do you agree?

Thanks.

Reply

6 nixCraft March 3, 2011 at 9:35 pm

$1 indicates that those commands are stored in a shell script. In this case it is stored in /etc/ppp/ip-up to use $1, $2 etc. The /etc/ppp/up-up is executed with the parameters as follows:

interface-name tty-device speed local-IP-address remote-IP-address ipparam
 $1                  $2            $3        $4                    $5                         $6

See pppd man page.

Reply

7 Perrie March 17, 2011 at 1:22 pm

Hi I use Command and Conquer Zero Hour on my MAC computer but have problems with the game There is a warning which comes up :
Port Restricted Cone Nat Router
Your internet connection is behind a port restricted cone nat router that may prevent you from connecting to some players in peer group games.

I have been supplied with a wireless router Huawei Echolife HG521, and I need to enable port forwarding for UDP port 16000.

How does this need to be set up?

Reply

8 Rick April 29, 2011 at 7:43 am

I am writing from my friend’s account who is a tech but out of town. th
I am trying to share my internet connection on this intel powerbook osx 10.6.7
I get internet just fine via ethernet modem (eztether) and want to create a wireless network for my other computers to share so I guess i want this computer to be router too. So I have enabled airport, selected create computer to computer network, set up name, password, etc. It can be see by other air computers but it only selbf assigns a faux IP. When I go to DCHP manual using a subnet that the orig ethernet input is giving me, it still will not translate to usable addys. This should be automatic on a mac no? Even when I use all manual and insert the same subnet settings as the EZ share are showing (all internal – sans the DNS ) I still get no love. I want to share this connection with my other powerbooks by air so HELP. Thanks in advance. Mike (using Rick’s computer with permission.)

Reply

9 Nick August 28, 2011 at 11:57 am

Hi all,

I’ve been trying to get this to work because I’m in Afghanistan and our ISP only allows 1 device to connect to the network at a time. Since I have a MBP and an iPad, I wanted to connect both at the same time. I’ve tried using the directions above to share my internet connect (on en0) across my AirPort to my iPad, but it does not appear that NAT is working, because my ISP blocks my iPad from the internet. Am I missing something!?

Thanks!

Reply

10 Andy January 28, 2012 at 7:24 pm

This doesn’t work for 10.7 anymore. How can I do port forwarding with pfctl?
In 10.7. ipfw is obsolete: ” Note that use of this utility is DEPRECATED. Please use pfctl(8) instead.”

Reply

11 nixCraft January 28, 2012 at 9:25 pm

Take a look at pf tutorial. I will write a new one soon for 10.7.

Reply

12 Andy January 29, 2012 at 7:09 am

I want to reach my internal web server from the internet. I have 2 network cards. The external is en2 and the internal is en0. The external ip is 10.222.10.165. I edit the pf.conf file like this:
#
# com.apple anchor point
#
nat-anchor “com.apple/*”
rdr-anchor “com.apple/*”
anchor “com.apple/*”
load anchor “com.apple” from “/etc/pf.anchors/com.apple”
web_serv_int = “192.168.2.1″
web_serv_ext = “10.222.10.165″

pass on en2 from $web_serv_int to any binat-to $web_serv_ext

I get an error at the last line. Whats wrong. Internet- and web-sharing is turned on
http://whatismyipaddress.com/ says my ip is 80.226.1.7 should I use this ip for external web_serv?

Reply

13 Sanjay January 31, 2012 at 1:09 pm

Please could you show how to NAT a L2TP VPN connection with natd and pf. I have never got this to work with ipfw.

Reply

14 Andy February 2, 2012 at 7:38 am

My problem is fixed. I use a UMTS connection. All incoming traffic to specific ports is blocked from the provider. So it is impossible to reach the internal web server from outside.

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , , , ,

Previous Faq:

Next Faq: