osx - How do I forward a port accessible to the world on my Mac?
2014-07
I realize that there's a lot of info out there about port forwarding, but here's my specific situation.
I need to use Remote in (via VNC) to my Mac. By default, the Mac Remote Sharing server listens on port 5900. That would be all well and good except my company is blocking port 5900 incoming connections!
However, it is allowing port 3389. So what I'm trying to do is set it up so that I can listen for connections on port 3389 and forward them to 5900.
Here's what I tried:
ssh 127.0.0.1 -L3389:127.0.0.1:5900
This doesn't quite do what I want because then only connections from 127.0.0.1 will be accepted on port 3389.
netstat -an | egrep 'Proto|LISTEN'
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 0 0 *.5900 *.* LISTEN
tcp4 0 0 *.5900 *.* LISTEN
tcp4 0 0 127.0.0.1.3389 *.* LISTEN
I need to listen from the world (*) on port 3389. How can I accomplish this?
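The netstat output above is the check that tells you whether a forward is reachable from outside: a Local Address of `*.PORT` is bound on every interface, `127.0.0.1.PORT` is loopback only. The shell below is an added example, not part of the original question or any answer; it classifies LISTEN sockets from `netstat -an` output by bind address so the same check can be scripted. The `SAMPLE_NETSTAT` lines are constructed to mirror the poster's output, and the function names (`classify_listeners`, `port_scope`, `world_ports`) are mine. The commented `ssh` line at the end uses OpenSSH's documented `-L [bind_address:]port:host:hostport` form, where a bind address of `*` (or the `-g` option) makes the forwarded port listen on all interfaces; that is also what exposes the VNC service to every network the Mac is on, so re-run the audit after starting it.

```shell
# Added example, not from the original question or answers: audit which
# listening TCP sockets are reachable from the network versus loopback only,
# using the same `netstat -an` columns shown in the question.

# Constructed sample mirroring the poster's output (macOS netstat format).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 0 0 *.5900 *.* LISTEN
tcp4 0 0 *.5900 *.* LISTEN
tcp4 0 0 127.0.0.1.3389 *.* LISTEN'

# Read netstat output on stdin; print "<scope> <port>" per LISTEN socket.
# Scope is "world" for a wildcard bind (*), "loopback" for 127.0.0.1/::1,
# and "address" for a bind to one specific interface address.
classify_listeners() {
  awk '$NF == "LISTEN" {
    addr = $4
    n = split(addr, parts, ".")          # macOS joins host and port with "."
    port = parts[n]
    host = substr(addr, 1, length(addr) - length(port) - 1)
    if (host == "*") scope = "world"
    else if (host == "127.0.0.1" || host == "::1") scope = "loopback"
    else scope = "address"
    print scope, port
  }'
}

# port_scope <netstat-output> <port>: print the scope of one port.
port_scope() {
  printf '%s\n' "$1" | classify_listeners | awk -v p="$2" '$2 == p { print $1; exit }'
}

# world_ports <netstat-output>: space-separated ports bound on all interfaces.
world_ports() {
  printf '%s\n' "$1" | classify_listeners | awk '$1 == "world" { print $2 }' | sort -u | xargs
}

# Run against the live system; on the poster's Mac this shows 3389 as
# loopback-only, which is why outside clients cannot reach it.
netstat -an 2>/dev/null | classify_listeners

# To make the forward reachable from the network, give -L an explicit
# wildcard bind address (or add -g), then re-run the audit above:
#   ssh -N -L '*:3389:127.0.0.1:5900' 127.0.0.1
```

`classify_listeners` only understands the macOS `host.port` column format; Linux netstat prints `host:port` and would need a different split.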
Your question is a bit short on specific details; it is a bit hard to give direct answers without knowing some things:
Can you connect on the default VNC port from outside - say from a friend’s house, where your work is not blocking you? If so you can change the port that VNC listens on to 3389 and test that. How to change the default screen sharing / VNC port number on Mac OS X?
The ssh command you mention would need to be run from the CONNECTING machine not the "server". So you would run:
ssh address.of.your.mac -L9999:127.0.0.1:5900
and then connect VNC to localhost:9999 on your client machine. I use 9999 as an example since it is probably not in use and 5900 might be if your client is a Mac and 3389 might be if your client is Windows.
To be clear: you will need to be able to ssh into your Mac from work, the number after -L is the port you connect to on your connecting machine (localhost), 127.0.0.1:5900 is where VNC is already listening on your (remote) Mac.
- I would also think about a VPN to get around work restrictions (and for safety). OpenVPN can easily run on port 443 (HTTPS) which is probably allowed out, and will even work over a proxy server if your work restricts web access that way. Setting that up is not too hard but out of scope for this question.
Instead of port forwarding, you could change the port that launchd listens for VNC connections on. (launchd listens on behalf of screensharingd, and launches screensharingd when a connection attempt comes in.)
screensharingd is the default VNC server in OS X. If you're using Apple Remote Desktop (a.k.a. ARD, "Remote Management") instead, these instructions would probably need to be modified somewhat.
Edit /System/Library/LaunchDaemons/com.apple.screensharing.plist
Find this key/value pair:
<key>SockServiceName</key>
<string>vnc-server</string>
And change it to this:
<key>SockServiceName</key>
<string>3389</string>
Then you'll probably need to reboot or use launchctl to force launchd to reload that plist.
Then, in your VNC client, specify the 3389 port. For example, OS X's built-in VNC client uses URLs, so you can hand it vnc://username:password@<address-of-your-mac>:3389/. Or leave off the username:password so you get prompted.
Caveat lector: I haven't tried this myself, so try at your own risk. Consider making a backup copy of that plist file before editing it, so it's easy to put it back how it was.
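The answer above edits a launchd plist by hand and suggests keeping a backup. The shell below is an added example, not the answer author's code: it makes the same SockServiceName change on a file with a backup copy and a read-back check, so you can confirm the value before reloading the job. It runs on a scratch copy built from a constructed minimal plist (`SAMPLE_PLIST`, which mimics the key/value pair the answer shows, not the real file's full contents); the function names are mine. One caveat the answer predates: on macOS 10.11 and later, System Integrity Protection makes /System read-only, so this edit only applies to the 2014-era systems the answer targets.

```shell
# Added example, not from the original answer: change SockServiceName in a
# launchd plist with a backup and a read-back check. It edits a temporary
# copy built from a constructed minimal plist; point it at the real file
# (/System/Library/LaunchDaemons/com.apple.screensharing.plist) yourself.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.apple.screensharing</string>
  <key>Sockets</key>
  <dict>
    <key>Listener</key>
    <dict>
      <key>SockServiceName</key>
      <string>vnc-server</string>
    </dict>
  </dict>
</dict>
</plist>'

# get_sock_service_name <plist>: print the <string> that follows the key.
get_sock_service_name() {
  awk '/<key>SockServiceName<\/key>/ { found = 1; next }
       found && /<string>/ {
         sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
       }' "$1"
}

# set_sock_service_name <plist> <value>: back the file up, rewrite only the
# <string> after the SockServiceName key, and leave every other line as is.
set_sock_service_name() {
  file=$1
  value=$2
  cp "$file" "$file.bak" || return 1           # copy to restore from
  awk -v v="$value" '
    /<key>SockServiceName<\/key>/ { found = 1; print; next }
    found && /<string>/ {
      sub(/<string>.*<\/string>/, "<string>" v "</string>"); found = 0
    }
    { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# After editing the real file, ask launchd to reload it (requires root):
#   sudo launchctl unload /System/Library/LaunchDaemons/com.apple.screensharing.plist
#   sudo launchctl load   /System/Library/LaunchDaemons/com.apple.screensharing.plist

# Demo on a scratch copy so nothing under /System is touched.
demo_plist=$(mktemp)
printf '%s\n' "$SAMPLE_PLIST" > "$demo_plist"
echo "before: $(get_sock_service_name "$demo_plist")"
set_sock_service_name "$demo_plist" 3389
echo "after:  $(get_sock_service_name "$demo_plist")"
rm -f "$demo_plist" "$demo_plist.bak"
```

The read-back is the important part: if `get_sock_service_name` does not print `3389` after the edit, restore from the `.bak` copy rather than reloading a plist you cannot verify.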
You could try the -D option with ssh, which is dynamic port forwarding. So this may look like: ssh -D 3389 yourAccount@yourDomain
I did this yesterday and am recalling this from memory, but this is the basics of it. Once this command works you just enter your password and configure your application to listen on the port specified - 3389 in your case with 127.0.0.1 as the IP address.
I think this creates a sort of SOCKS proxy using ssh.
:D
I think you're looking for something like this, the Mac equivalent of iptables.
I don't have a Mac, so I can't test this myself, but I would suggest trying out
sudo ipfw add fwd 127.0.0.1,5900 tcp from any to 127.0.0.1 dst-port 3389
Note that there seem to be various different syntaxes that ipfw can process (127.0.0.1,3389 and 127.0.0.1 3389 seem like they'll also work from what I can find). I would link you to the FreeBSD page, but as a new user I don't have enough rep for that yet :whistle:.
Alternatively, since ipfw has been deprecated, you may want to try pfctl as described here.
I'd like to make all incoming connections to port 1000 of my host (IP: 200.234.XXX.XXX) be forwarded to port 80 on host 10.211.55.5.
How can I do it on my host? It is running Mac OS X 10.5.8
Quite simple to do. Firstly, you will need to enable the Remote Login service on your Mac. This starts your ssh server.
Then run the following command in your OS X Terminal:
ssh -L 200.234.XXX.XXX:10000:10.211.55.5:80 -N 127.0.0.1
You may need to accept the server fingerprint initially as well as type in your local password for ssh login. (You can also set up a local-to-local ssh public/private key to make it not prompt for a password, but that is a different exercise.)
The format is thus basically:
ssh -L [<local addr>:]<local port>:<remote addr>:<remote port> -N 127.0.0.1
Assuming you have a UPnP router, it's easy to configure ports by using PortMap. It has a very simple UI.
Well, I can tell you how I do that sort of thing on my Mac OS X 10.5.8 system.
I started on an answer about NAT, but I think you actually want a TCP forwarder program instead (you mention 'proxy' and port forwarding.)
There are a few ways of doing this, depending upon your needs; even 'SSH' can be pressed into action, though my favourite short and sweet way is a Perl script, tcpforward.
If you need some HTTP manipulation (you might need to tweak HTTP redirects, so that when a request comes for a URL without a trailing '/' you don't get redirected to the real, inaccessible, server), then Apache can do the job of a reverse proxy. You'll want to look at mod_proxy and specifically ProxyPass and ProxyPassReverse. Do not enable ProxyRequests, that's for forward proxying. It should be possible to use Mac OS's own Apache to do this, if you've got it running. It does come with mod_proxy and /etc/httpd/httpd.conf is the config file to update.
Even with Apache, you need to make sure that all the links in the real server's content are relative, if they reference the real server then you could try the mod_proxy_html module (I have no experience of how well that works.)
Is your machine connected directly to the internet (i.e. without a router)? Normally you do the port forwarding on the router, but if you do use a modem to connect directly, iptables is probably the best way.
Here is a good article: http://www.cyberhq.nl/2005/06/30/port-forwarding-in-macos-x.html
But since you are forwarding to 80 I'm assuming you want it to go to a web server so I would just change the web server config to set up a reverse proxy or something like that.