ipfw and NAT - how to do so per user?
Oct 16, 2004, 10:03 PM
 
Hello all, we know that:

ipfw add divert natd ip from any to any via en0

enables NAT for all clients. However, I need to enable NAT per IP address. I guessed that:

ipfw add divert natd ip from 192.168.0.2 to any via en0

would have done the trick but it doesn't.

What else is needed, what am I missing?

thanks in advance!

djava
Oct 19, 2004, 10:06 PM
 
What are you trying to do exactly? I can't determine it from your question.

You want to NAT what to what in what direction?

For instance:

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via ep0
add 01001 check-state
djava  (op)
Oct 20, 2004, 12:25 PM
 
en0 is connected to the internet via a router (192.168.1.x subnet)
en1 is connected to a local subnet (e.g. wifi AP 192.168.0.x subnet)

I want to NAT users on an individual basis:

This works for all users:

natd -s -m -a 192.168.1.1 -n en0 (where 192.168.1.1 is the en0 IP address)
ipfw add divert natd ip from any to any via en0

Now, instead of any to any (allowing all on 192.168.0.x to access the internet),
I'd like to only allow 192.168.0.4 access, with all other security issues aside (I just want to get it working initially):

ipfw add divert natd ip from 192.168.0.4 to any via en0
or
ipfw add divert natd ip from any to 192.168.0.4 via en0

doesn't seem to give 192.168.0.4 NAT access to the Internet.

The idea is to programmatically do this in a script, with 192.168.0.4 replaced by a variable and with as few rules as possible, to give a 192.168.0.x client NAT access after logging into a local web server on the same machine.

thanks
djava
djava  (op)
Oct 24, 2004, 10:46 AM
 
Currently, a solution that works (albeit not consistently, as sometimes the host box will lose internet access due to these NAT rules feeding the packets back into the rules) is to use the following rules together:

ipfw add divert natd ip from any to [client ip] via en0
ipfw add divert natd ip from [client ip] to any via en0

When it does work, it allows one to selectively give a client IP access to the Internet, ideal for captive portal applications. However, it seems to be inconsistent, leading me to believe there are bugs in Mac OS X's natd and/or ipfw implementation.

thanks,
djava
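The per-client grant the original poster describes, written out as an added example (this is not the poster's script and not part of the thread). It installs the same two divert rules the post found to work, but under a rule number derived from the client's last octet so the pair can be removed again with one ipfw delete when the captive-portal session ends, and it validates the client address before it reaches a root-run ipfw invocation, since in the described design that address arrives from a web login. Assumed, not stated on the page: the uplink is en0, clients live in 192.168.0.0/24, rule numbers start at 2000, the function names grant_nat/revoke_nat/valid_client_ip/rule_num, and the IPFW_DRY_RUN variable that makes the script print the ipfw commands instead of running them.

```shell
#!/bin/sh
# Added example, not the original poster's code. Per-client NAT grant/revoke
# for the ipfw + natd setup from the thread. Assumptions (not from the page):
# uplink is en0, clients are 192.168.0.0/24, rule numbers start at RULE_BASE,
# and IPFW_DRY_RUN=1 prints the ipfw command lines instead of executing them
# (so the script can be exercised without root and without ipfw installed).

EXT_IF="${EXT_IF:-en0}"
RULE_BASE="${RULE_BASE:-2000}"
IPFW="${IPFW:-/sbin/ipfw}"

# Run an ipfw command, or echo it in dry-run mode.
ipfw_cmd() {
    if [ "${IPFW_DRY_RUN:-0}" = "1" ]; then
        echo "$IPFW $*"
    else
        "$IPFW" "$@"
    fi
}

# Accept only 192.168.0.1 through 192.168.0.254 as a plain dotted quad.
# The address comes from an untrusted web login, so anything that is not
# exactly a host in the client subnet (shell metacharacters, other subnets,
# empty or zero-padded octets) is rejected before it is passed to ipfw.
valid_client_ip() {
    case "$1" in
        192.168.0.*) ;;
        *) return 1 ;;
    esac
    last="${1##192.168.0.}"
    case "$last" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# One rule number per client: RULE_BASE + last octet. Both divert rules for a
# client share this number; ipfw delete <number> removes every rule carrying it.
rule_num() {
    echo $(( RULE_BASE + ${1##192.168.0.} ))
}

# Give one client NAT access: the rule pair the poster found to work,
# now numbered so it can be found and removed later.
grant_nat() {
    ip="$1"
    valid_client_ip "$ip" || { echo "refusing bad client address: $ip" >&2; return 1; }
    n=$(rule_num "$ip")
    ipfw_cmd add "$n" divert natd ip from "$ip" to any via "$EXT_IF"
    ipfw_cmd add "$n" divert natd ip from any to "$ip" via "$EXT_IF"
}

# Take NAT access away again (session end / logout).
revoke_nat() {
    ip="$1"
    valid_client_ip "$ip" || { echo "refusing bad client address: $ip" >&2; return 1; }
    ipfw_cmd delete "$(rule_num "$ip")"
}

# Usage: sh nat-client.sh grant 192.168.0.4   |   sh nat-client.sh revoke 192.168.0.4
case "${1:-}" in
    grant)  grant_nat "$2" ;;
    revoke) revoke_nat "$2" ;;
esac
```

Run it with IPFW_DRY_RUN=1 first to see the exact rule lines it would install. The script reproduces the poster's working rule pair only; it does not address the feedback-loop symptom the poster reports, which depends on how the rest of the ipfw rule set is ordered around these per-client rules.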
