Mac OS X: Set Port Forwarding Nat Router (Internet Sharing)

I‘d like to set my Macbook as a router for my other desktop computer. How do I set NAT and port forwarding under MAC OS X? How do I forward ports using OS X for BitTorrent clients?

Network address translation (NAT) is the process of modifying network address information in IP packet headers while in transit across a traffic routing device for the purpose of remapping a given address space into another. Almost all modern Operating system provides NAT support. In other words, if your Mac book connected to the Internet, you can share its Internet connection with other computers on your LAN.

In this example, your Macbook is connected to the Internet via Airport and you are sharing the Internet via Ethernet which is connected to your desktop. Airport gets a public IP address via ISP connection and Ethernet has the following manual IP settings:

Mac OS X Ethernet Network Settings

WARNING! These examples may stop networking and the Internet on your laptop and desktop computer if not executed with care. You must have basic understanding of TCP/IP networking.

Turn On Internet Sharing

Open System Preferences by visiting Apple menu > System Preferences:

Fig.01: Mac OS X System Preferences

Click Sharing:

Fig.02: Mac OS X Sharing the Internet Connection

Select Internet Sharing:

Fig.03: Mac OS X Sharing Airport Internet Connection With Ethernet Connected Computers

You need to select your Internet connection using Airport. Also use select “Ethernet”. Change these settings as per your requirement.

How Do I Use Shared Internet Connection On Other Computers?

You need to input the following networking settings for desktop computer called desktop1:

  • IP address
  • IP netmask
  • IP gateway
  • IP DNS server

For example, if you are using Ubuntu Linux on desktop update networking configuration as follows in /etc/network/interfaces:

auto eth0
iface eth0 inet static

How Do I Setup Port Forwarding OS X Router?

Macbook OS X has no direct GUI option to configure port forwarding. However, you can create a shell script as follows (open terminal and create a script called

# bit-torrent port forwarding with mac os x
killall -9 natd
sleep 5
# The following will forward 6881 to 6999 port to desktop computer located at
# => airport IP
# => Desktop client ip
#  natd provides a Network Address Translation facility for use with divert(4) sockets under FreeBSD.
# -------------------------------------------------------------------------------------------------
/usr/sbin/natd -alias_address -interface en1 -use_sockets -same_ports -unregistered_only -dynamic -clamp_mss -enable_natportmap -natportmap_interface en0 -redirect_port tcp 6881-6999 -l

Simply run this script whenever you need to forward ports:

chmod +x
sudo ./

Sample ipfw rules

Type the following command to list current rules (these are set by above Internet sharing procedure):

sudo ipfw list

Sample outputs:

00010 divert 8668 ip from any to any via en1
33300 deny log icmp from any to me in icmptypes 8
65535 allow ip from any to any

See ipfw man page to secure your network via firewall. My Ubuntu desktop connected to transmission BT client:

Fig.04: Transmission Ubuntu BT Client Connected To The Internet Via OS X Router


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 17 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf duf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Modern utilitiesbat exa
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg glances gtop jobs killall kill pidof pstree pwdx time vtop
Searchingag grep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
17 comments… add one
  • jaysunn Jan 9, 2010 @ 15:47

    Nice Work VIvek,

    I am really excited about the recent additions in OSX to your infamuos BLOG.

    Keep it up,

    And Thanks,


  • 🐧 nixCraft Jan 10, 2010 @ 6:31

    Thanks Jaysunn!

    I’m getting lots of questions about OS X via email and I think it is a time to address all of them. In short, you will see more OS X here but no Windows 7 soon :) heh

  • Andrew Jan 21, 2010 @ 13:55

    Sorry moderator the above post was mangled here is the correct one please ignore the first in moderating

    This is not really the best way to do it if you already have and existing network as OS X will change your network settings to its own defaults 10.0.0.x/8 on airport and 192.168.2.x/24 on ethernet.

    If your internet connection is pppd based you are better of calling

    /usr/sbin/sysctl -w net.inet.ip.forwarding=1
    /usr/sbin/natd -clamp_mss -dynamic -unregistered_only -interface $1
    /sbin/ipfw add divert natd all from any to any via $1

    from with in your /etc/ppp/ip-up file and

    killall -9 natd
    /usr/sbin/sysctl -w net.inet.ip.forwarding=0
    echo y |/sbin/ipfw flush

    from your /etc/ppp/ip-down file

    If you are using ethernet as your internet connection even better you can start natd at boot as well as ipfw using configuration files.

    This ensures your network remains the way it is, and you are not running unnecessarily services on your OS X machine, as enabling internet sharing via the GUI automatically starts up a named DNS proxy server, a BOOTP service and NATD which you may not really need in an existing network.

    The above examples do not include firewall protection, they are just to show a command line based way of achieving this in a better way.

  • Patrick Dec 20, 2010 @ 20:30

    How can I reset all the changes I’ve made?

  • Cedric Mar 3, 2011 @ 20:07

    Many thanks for this useful article and posts.


    One question.

    You propose calling the following processes from the init files:
    /usr/sbin/natd -clamp_mss -dynamic -unregistered_only -interface $1
    /sbin/ipfw add divert natd all from any to any via $1

    I don’t understand why it is necessary to provide the “via $1” argument and I’m also wondering whether this is correct. I understand from the man page of ipwf that the via argument causes the interface to always be checked. I understand that we may want to masquerade before sending out packets coming from our internal LAN. So the interface is always checked, packets will be sent to natd for masquerading when coming in.

    To make it clearer, if WAN is on en0 and LAN is on en1, then the script should probably rather call:
    /usr/sbin/natd -clamp_mss -dynamic -unregistered_only -interface en0
    /sbin/ipfw add divert natd all from any to any via en1 # i.e.

    Do you agree?


    • 🐧 nixCraft Mar 3, 2011 @ 21:35

      $1 indicates that those commands are stored in a shell script. In this case it is stored in /etc/ppp/ip-up to use $1, $2 etc. The /etc/ppp/up-up is executed with the parameters as follows:

      interface-name tty-device speed local-IP-address remote-IP-address ipparam
       $1                  $2            $3        $4                    $5                         $6

      See pppd man page.

  • Perrie Mar 17, 2011 @ 13:22

    Hi I use Command and Conquer Zero Hour on my MAC computer but have problems with the game There is a warning which comes up :
    Port Restricted Cone Nat Router
    Your internet connection is behind a port restricted cone nat router that may prevent you from connecting to some players in peer group games.

    I have been supplied with a wireless router Huawei Echolife HG521, and I need to enable port forwarding for UDP port 16000.

    How does this need to be set up?

  • Rick Apr 29, 2011 @ 7:43

    I am writing from my friend’s account who is a tech but out of town. th
    I am trying to share my internet connection on this intel powerbook osx 10.6.7
    I get internet just fine via ethernet modem (eztether) and want to create a wireless network for my other computers to share so I guess i want this computer to be router too. So I have enabled airport, selected create computer to computer network, set up name, password, etc. It can be see by other air computers but it only selbf assigns a faux IP. When I go to DCHP manual using a subnet that the orig ethernet input is giving me, it still will not translate to usable addys. This should be automatic on a mac no? Even when I use all manual and insert the same subnet settings as the EZ share are showing (all internal – sans the DNS ) I still get no love. I want to share this connection with my other powerbooks by air so HELP. Thanks in advance. Mike (using Rick’s computer with permission.)

  • Nick Aug 28, 2011 @ 11:57

    Hi all,

    I’ve been trying to get this to work because I’m in Afghanistan and our ISP only allows 1 device to connect to the network at a time. Since I have a MBP and an iPad, I wanted to connect both at the same time. I’ve tried using the directions above to share my internet connect (on en0) across my AirPort to my iPad, but it does not appear that NAT is working, because my ISP blocks my iPad from the internet. Am I missing something!?


  • Andy Jan 28, 2012 @ 19:24

    This doesn’t work for 10.7 anymore. How can I do port forwarding with pfctl?
    In 10.7. ipfw is obsolete: ” Note that use of this utility is DEPRECATED. Please use pfctl(8) instead.”

  • Andy Jan 29, 2012 @ 7:09

    I want to reach my internal web server from the internet. I have 2 network cards. The external is en2 and the internal is en0. The external ip is I edit the pf.conf file like this:
    # anchor point
    nat-anchor “*”
    rdr-anchor “*”
    anchor “*”
    load anchor “” from “/etc/pf.anchors/”
    web_serv_int = “”
    web_serv_ext = “”

    pass on en2 from $web_serv_int to any binat-to $web_serv_ext

    I get an error at the last line. Whats wrong. Internet- and web-sharing is turned on says my ip is should I use this ip for external web_serv?

  • Sanjay Jan 31, 2012 @ 13:09

    Please could you show how to NAT a L2TP VPN connection with natd and pf. I have never got this to work with ipfw.

  • Andy Feb 2, 2012 @ 7:38

    My problem is fixed. I use a UMTS connection. All incoming traffic to specific ports is blocked from the provider. So it is impossible to reach the internal web server from outside.

  • gowtham May 18, 2014 @ 21:22

    no luck. I want to share mac’s internet connection with BeagleBoneBlack(BBB). I’ve enabled internet sharing. I set BBB’s default gw to I tried to ping It didn’t ping. subnet of mac n BBB is subnet of mac n lan is what could be the reason. I think we got to setup NAT. Help me out please.

    • gowtham May 18, 2014 @ 21:29

      $ sudo ipfw list
      65535 allow ip from any to any

      above is the result whether I turn internet sharing off or on!

  • John Oct 1, 2016 @ 6:48

    sudo ./
    Binding to NATPM port failed!

    I get that when i run the script.

    The script w/ changes:
    /usr/sbin/natd -alias_address -interface en1 -use_sockets -same_ports -unregistered_only -dynamic -clamp_mss -enable_natportmap -natportmap_interface en0 -redirect_port tcp 21 -l
    I have my mac connected to a ppp vpn on centos, I’m sharing that connection with a ethernet to my pc. The pc has ftp setup, i can connect to it on the mac by using the internal ip address of the pc. I’m not for sure if the vpn would cause that binding to NATPM port failed. Can anyone help?

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum