Corresponding rules in MacOS for this Iptables rules - macos

I need to give Internet access to a VM under Vmware fusion 7 in Host-Only mode. I know how to do it in Linux, with the following IPtables rules:
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
But I cannot find out how to do it in MacOS Sierra. Any help?
Thanks in advance!

You should look into configuring pf (packet filter) in macOS (or OS X); it's been included since Lion.
It is substantially different from what you're used to, so there will be a learning curve.
pf originates on OpenBSD. They have information that includes examples on how to write pf rules.
https://www.openbsd.org/faq/pf/config.html#config
Using it for NAT has its own manual:
https://www.openbsd.org/faq/pf/nat.html
To get started on the mac:
http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/ It's a bit old, but should still get you started.
I've no idea how VMware Fusion does networking on the Mac (Parallels tends to add a ton of interfaces you see on the Mac). I'd start with simple examples and slowly grow to a more complex setup.

I asked the same question in apple.stackexchange.com and here is the solution:
https://apple.stackexchange.com/questions/265237/corresponding-ipfw-rules-in-macos-for-this-iptables-rules/265298#265298
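
The iptables rules from the question, translated to the older pf syntax that macOS ships (`nat on ... -> (if)`, not the `match ... nat-to` form in current OpenBSD docs). This is an added example, not taken from the posts or the linked answer; the interface names en0 (uplink) and vmnet1 (Fusion host-only adapter) are assumptions, so check yours with ifconfig.

```shell
#!/bin/sh
# Added example: emit a pf ruleset mirroring the question's iptables NAT setup.
# macOS counterpart of "sysctl -w net.ipv4.ip_forward=1" is:
#   sudo sysctl -w net.inet.ip.forwarding=1

# pf_nat_rules EXT_IF INT_IF SUBNET -> prints the ruleset on stdout.
# en0 / vmnet1 used in the usage line below are assumed interface names.
pf_nat_rules() {
    ext_if=$1 int_if=$2 subnet=$3
    # Accept only plain interface names, so the generated file cannot
    # pick up stray pf syntax from a mistyped or hostile argument.
    for i in "$ext_if" "$int_if"; do
        case $i in
            ''|*[!A-Za-z0-9]*) echo "bad interface: $i" >&2; return 1 ;;
        esac
    done
    # Accept only something shaped like an IPv4 CIDR (digits, dots, slash).
    case $subnet in
        ''|*[!0-9./]*) echo "bad subnet: $subnet" >&2; return 1 ;;
        *.*.*.*/*) ;;
        *) echo "bad subnet: $subnet" >&2; return 1 ;;
    esac
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
vm_net = "$subnet"
# iptables -t nat -A POSTROUTING -j MASQUERADE
# Narrowed here to the VM subnet; the original rule matched all traffic.
nat on \$ext_if from \$vm_net to any -> (\$ext_if)
# iptables -A FORWARD -i vboxnet0 -o eth0 -s <subnet> --ctstate NEW -j ACCEPT
# "keep state" also covers the ESTABLISHED,RELATED rule.
pass in on \$int_if from \$vm_net to any keep state
EOF
}

# Usage (parse only, loads nothing):
#   pf_nat_rules en0 vmnet1 192.168.56.0/24 > /tmp/fusion-nat.conf
#   sudo pfctl -nf /tmp/fusion-nat.conf
```

Loading the file with `pfctl -f` replaces the main ruleset, which is what the flush warning quoted further down this page refers to.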

Related

automated retrieval of the external ip address of all of my current connections

I am trying to make a program that automatically lists all of the connections to my computer from outside of the router. The end goal of this script is that I would like to be able to have a clean list of the external IP addresses of every server/website I am connecting to. I am also trying to use this as a way to learn more about how networks, websites, and servers work so I am sorry for any mistakes I make with terminology and general knowledge!
My tcpdump bash script:
while :
do
# get myip and assign it to a variable
myip="$(ifconfig wlp2s0 | grep -E -o -m 1 "inet................" | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")"
# tcpdump on my ip for all packets going to or from my ip address. the ipaddress of the packets is placed in IP Address.txt
sudo tcpdump -c 1 -nn host "$myip" | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" >> IPaddress.txt
done
I thought that tcpdump would be the tool for this however I confess that I do not know how tcpdump works. This script is a bash file that I am running through ubuntu. How would I use tcpdump to collect the IP address of every website that I am connecting to? I read the tcpdump documentation and believe it can help me achieve my goal however if there are better tools out there I would love to hear it! Currently, this code only displays internal IP addresses. ;(
I'd lean more towards using ss or netstat.
ss --all --ipv4
Would show all IPv4 connections.
The same works for IPv6 of course; and you could add one of many arguments to get more detailed information if you want, such as --processes, --extended, or --info.
There's also a few more arguments to control the output format, making it more suitable for parsing:
ss --all --ipv4 --processes --no-header --oneline
Suggest to follow the ss command.
Learn about ss command here.
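
One way to turn the ss output suggested above into the clean list of external addresses the question asks for. This is an added example, not code from either answer; it assumes the column layout of `ss --ipv4 --numeric --no-header --oneline` (peer address in column 6), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: print each public IPv4 peer from ss output once, sorted.

# external_peers: reads ss lines on stdin. Assumes the Netid column is present
# (it is when no -t/-u filter is given), so "Peer Address:Port" is field 6.
external_peers() {
    awk '
    {
        peer = $6
        sub(/:[^:]*$/, "", peer)    # drop the trailing :port
        sub(/%.*$/, "", peer)       # drop an interface suffix such as %lo
        if (peer !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        split(peer, o, ".")
        if (o[1] == 0 || o[1] == 10 || o[1] == 127) next   # unspecified, RFC 1918, loopback
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) next  # RFC 1918
        if (o[1] == 192 && o[2] == 168) next               # RFC 1918
        if (o[1] == 169 && o[2] == 254) next               # link-local
        if (o[1] >= 224) next                              # multicast / reserved
        print peer
    }' | LC_ALL=C sort -u
}

# Constructed sample input (documentation-range addresses, not real hosts).
sample_ss() {
    cat <<'EOF'
tcp ESTAB 0 0 192.168.1.23:48212 203.0.113.10:443
tcp ESTAB 0 0 192.168.1.23:48214 203.0.113.10:443
tcp ESTAB 0 0 192.168.1.23:51022 198.51.100.7:22
tcp ESTAB 0 0 192.168.1.23:39000 192.168.1.1:53
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
EOF
}

# Live use: ./script.sh --live
if [ "${1:-}" = "--live" ]; then
    ss --ipv4 --numeric --no-header --oneline | external_peers
fi
```

Listening and unconnected sockets drop out because their peer is 0.0.0.0, so the list contains only established remote endpoints.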

Analogue of "any" pseudo-device in macos

Is there any possibility to capture packets by tcpdump from all devices in MacOS?
In Linux I would use 'sudo tcpdump -i any'. In my MacOS when I execute 'sudo tcpdump -D', I don't see "any" pseudo-device.
Per #ChristopherMaynard:
tcpdump docs specify any as working on linux: On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. However, it is not actually OS-specific.
tcpdump accepts the any interface on macos in my testing, so in answer to your question, the analog of any on linux is any on macos:
bash-5.0 $ sudo tcpdump -i any
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
09:43:57.789302 IP6 dsldevice7.attlocal.net.domain > 2600:1700:a700:7340:6dad:2758:c536:f29f.56483: 4283 1/0/0 SOA (85)
09:43:57.789324 IP6 2600:1700:a700:7341:6dad:2759:c536:f29f > dsldevice7.attlocal.net: ICMP6, destination unreachable, unreachable port, 2600:1700:a700:7340:6ded:2759:c536:f29f udp port 56423, length 141
...
tcpdump should have the same options (manpage) on both macos and linux, apart from those detailed below. If you have an older version of tcpdump (my version is 4.9.3/Apple version 83.200.3), you can update it with brew install tcpdump.
Macos/Linux Tcpdump Differences
You should still look at the manpages when in doubt, but this is a summary of differences:
Linux
-Q direction : Choose send/receive direction (in/out/inout)
Macos
-k : Control display of packet metadata
-Q : Specify a filter expression based on packet metadata
-P : Save to pcapng
Note: Unlike Linux or *BSD, Macos does not support -Q direction.

How to map ip:port to a new ip or a domain in mac

I am using macOS 10.12 and I want to do ip:port mapping,
e.g. 127.0.0.1:32769 to 10.0.0.1.
Then I can add 10.0.0.1 somedomain.com to my /etc/hosts.
I did some searching and found solutions to this question in this post:
https://serverfault.com/questions/102416/iptables-equivalent-for-mac-os-x/673551#673551
But the command in this post works for only the newest one.
Every time I use this command, the system replies:
$ sudo ifconfig lo0 10.0.0.2 alias
$ echo "rdr pass on lo0 inet proto tcp from any to 10.0.0.2 port 80 -> 127.0.0.1 port 32771" | sudo pfctl -ef -
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled
How can I prevent flushing rules?
Or are there any ways to get this to work more easily?
Thanks a lot

What is the best practice for using IPTABLES with an Amazon Linux server?

Amazon has their own port security and IPTABLES is not running by default. Do I need to configure and enable IPTABLES?
Only Whitelists
Amazon effectively only gives you whitelisting ability.
Their documentation points this out directly:
Security group rules are always permissive; you can't create rules that deny access.
If you want fine-grained control over blacklists or you want to set up port forwarding, using iptables is one way to go.
Examples
Perhaps you want to drop packets from a bot scanning your box
$ iptables -I INPUT -s 174.132.223.252 -j DROP
You also might want to run an application as a non-root user on an unprivileged port and forward to port 80.
$ iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Sending arp via shell

Is there a way to send custom (and even undemanded) ARP responses via shell (e.g. by hand or by a shell script) on Mac OS X or any other UNIX?
In addition, is there a way of making the software ask for the MAC representation for all IPs in the current subnet without sending pings to anyone?
Yes, there is. This kind of activity is used in ARP Spoofing and ARP Poisoning attacks and is performed, for example, by arpspoof. If you want to discover a host's MAC when you know its IP and it is located in your broadcast domain (LAN), use arping. ARP is a layer 2 protocol, so its packets are not forwarded by routers, but it's much more reliable than ICMP echo (ping).
Some tools:
arp - standard program (win/unix) used to list host's IP-MAC address association cache, which contains already learnt IPs
arping - unix program which sends ARP Request for a given IP and displays MAC contained in received ARP Response
arpspoof - a program from dsniff package generating bogus ARP Responses
A packet generator might do the trick. The wikipedia page links to some implementations but I don't know if they work on OSX.
There are also arp-scan using libpcap; and arpdropper using libnet.
To passively (or actively) sniff your network for ARP packets and display the IP and MAC address of the machine that generated the packet you may use a Mac OS X application called ArpSpyX.
# arpdropper requires http://sourceforge.net/projects/libnet-dev/ to compile
# (libnet & arpdropper successfully compiled on Mac OS X 10.6.8)
curl -LO http://thebends.googlecode.com/svn/trunk/misc/arpdropper.c
gcc -Wall -Wextra -lnet -o arpdropper arpdropper.c
./arpdropper
# Usage: ./arpdropper -i <device> -s <source ip> -d <dest ip>
# For arp replies:
# ./arpdropper -r -i <device> -s <source ip> -m <source mac> -d <dest ip>
# using nmap
# get a pre-compiled Mac OS X version of nmap at:
# http://nmap.org/download.html#macosx or
# http://www.berndsworld.com/downloads/
nmap -PR -oN nmap-arpscan.txt 192.168.0.0/16
