There is a cool utility out there called sshuttle. It has depended on ipfw to forward packets in the past. It appears that ipfw is mostly broken in Mavericks and the advice is to use PacketFilter for this now.

I've spent most of the day looking at PacketFilter and it appears ipfw has a feature that PacketFilter does not support (hope I'm wrong about this).

The following rule:

ipfw -q add 12300 fwd 127.0.0.1,12300 tcp from any to any not ipttl 42 keep-state setup

will forward all traffic to 127.0.0.1 (localhost) port 12300. It does not, however, change the destination IP or port in the TCP packet. This is important to sshuttle as it uses the information about the original destination to forward the packet on to another network.

The closest rule I can find in the PacketFilter world is:

rdr pass proto tcp from any to any -> 127.0.0.1 port 12300

This rule does send the traffic to 127.0.0.1 (localhost) port 12300 but it also rewrites the destination address to be 127.0.0.1.

Any ideas on how to get the behavior sshuttle needs in OS X?

timiTao
Matt Smith
  • Have you set the forwarding flags in the kernel (IE: `sudo sysctl -w net.inet.ip.forwarding=1`)? What are the IP addresses in question IE: Client's, Router/Computer's external and internal, and Destination IP? Without any redirection rules have you tried to configure your client to use your Maverick machine as a gateway (IE: on the client `route add -net netmask 255.255.255.255 gw `)? – Liam Kelly Oct 27 '17 at 12:50
  • Did you figure this out? Would you mind answering your question if you did? Thanks! – Chéyo Nov 27 '17 at 04:51
  • maybe tag the packet before the rdr and then route based on the tag? – ramrunner Dec 06 '17 at 18:14

1 Answer

Why not try a Loopback Alias:

  1. Create a custom alias for the loopback interface 127.0.0.2.
  2. Then, redirect the traffic to 127.0.0.2:12300.

This way even if pf rewrites the destination IP to 127.0.0.2, it would be different from 127.0.0.1. This could perhaps make it possible for you to differentiate traffic between the IP Addresses.

ifconfig lo0 alias 127.0.0.2

Then for your pf rule, you could do something like this:

rdr pass proto tcp from any to any -> 127.0.0.2 port 12300

If this doesn't work, would it be possible to use a third-party package like redsocks? Keep in mind this won't be a drop-in replacement for the exact ipfw functionality, however, with some configuration and potentially some scripting, perhaps this could be used to serve a similar purpose.

If your primary objective is to work with sshuttle specifically, I recommend looking into any updates or forks of the project that might have arisen to address macOS's changes, as mentioned previously.

0xe1λ7r
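Whichever loopback alias the rdr rule targets, the listener still only sees the rewritten destination on its accepted socket; the pre-rewrite address survives in pf's state table, though. The following is an added example (not code from the question, the answer or sshuttle) that parses constructed `pfctl -ss` lines, assumed to follow pf's "proto local (original) <- remote" layout for rdr states, and looks up the original destination for a connection by its source and rewritten destination:

```python
import re
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]

# Constructed sample of `pfctl -ss` output (assumed layout, not captured
# from a real host): the address in parentheses is the destination the
# client actually dialled before the rdr rule rewrote it to 127.0.0.2:12300.
SAMPLE_PFCTL_SS = """\
ALL tcp 127.0.0.2:12300 (93.184.216.34:80) <- 192.168.1.5:54321       ESTABLISHED:ESTABLISHED
ALL tcp 127.0.0.2:12300 (198.51.100.7:443) <- 192.168.1.5:54322       ESTABLISHED:ESTABLISHED
ALL udp 192.168.1.5:53412 -> 192.168.1.1:53       MULTIPLE:SINGLE
"""

# Only rdr states carry the "(original) <-" part; plain outbound states
# (the udp line above) use "->" and no parentheses, so they are skipped.
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<lhost>[0-9.]+):(?P<lport>\d+)\s+"
    r"\((?P<ohost>[0-9.]+):(?P<oport>\d+)\)\s+<-\s+"
    r"(?P<rhost>[0-9.]+):(?P<rport>\d+)"
)


def parse_rdr_states(text: str) -> List[Dict[str, object]]:
    """Return one dict per rdr state: proto, local, original, remote."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        states.append({
            "proto": m.group("proto"),
            "local": (m.group("lhost"), int(m.group("lport"))),
            "original": (m.group("ohost"), int(m.group("oport"))),
            "remote": (m.group("rhost"), int(m.group("rport"))),
        })
    return states


def original_destination(text: str, peer: Addr, local: Addr) -> Optional[Addr]:
    """Map an accepted connection (getpeername, getsockname) back to the
    destination the client originally asked for, or None if pf has no
    matching state (e.g. a client that connected to the listener directly)."""
    for st in parse_rdr_states(text):
        if st["remote"] == peer and st["local"] == local:
            return st["original"]  # type: ignore[return-value]
    return None
```

On a live host the text would come from `subprocess.run(["pfctl", "-ss"], capture_output=True, text=True).stdout`, and `peer`/`local` from the accepted socket's `getpeername()`/`getsockname()`.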