Enable NAT routing
From Mac OS X Server FAQ
Apple's Network Services PDF is actually pretty slim on this topic, so we'll give it some play. There is also an article on afp548 that frames this a bit with a more traditional approach, written for 10.2 Server. In 10.3 Server, Apple has included GUI tools for this, but there is still a bit of room to discuss it in context.
Caveats
Think long and hard before you configure Mac OS X Server to act as a critical piece of your network infrastructure. Even the most well managed OS X Servers are prone to at least a little down time for things like system updates. Given that this function is easily passed off to dedicated hardware that is quite cheap and very reliable, it's hard to recommend doing it this way as more than an interim solution.
Ingredients
- A Mac OS X Server with at least two network interfaces (ethernet ports, firewire ports, etc)
- Network connection to share, say an internet connection via DSL
- At least one computer or network ("the LAN") to which you will provide upstream access ("the Internet")
- Whatever is physically required to make the network operational (e.g. cables)
Instructions
- Start by getting your server's primary port up and running. Make sure it can access the upstream network properly. As on Mac OS X Client, the order of the network services in the Network Port Configurations section of the Network preference pane determines the server's default route and DNS servers, so drag the primary port to the top of the list.
- Determine how the other machines on the LAN will get their IP addresses. Popular options include Mac OS X Server's own DHCP service, another DHCP server on the LAN, or static address assignment. Whichever method you choose, configure your server's LAN interface with a static IP address, and configure the other clients to point to you as their gateway / router.
- In the Settings pane of the NAT service, select your primary connection, and start the NAT service.
- Finally, enabling the firewall is required. This would be a good time to review the firewall settings to make sure you allow all necessary traffic. Firewall buzzkills are the worst ;) Note especially that what you choose here will affect the network access of your soon-to-be-clients in ways wholly unforeseen by Apple's documentation. Once you are satisfied, start the Firewall service. This allows the <code>divert</code> rule to function, which is what feeds the <code>natd</code> program that actually does all the rewriting of the packet headers.
Forensics
<b>Display the routing table</b>. The default route is the one marked... er... default ;)
netstat -rn
<b>List the Firewall rules</b>; make sure the divert rule is in there if you want to do NAT:
sudo ipfw show
<b>Query the state of IP forwarding</b>. This should get enabled when the NAT service is turned on, but just in case... 0 means off and 1 means on.
sysctl net.inet.ip.forwarding
If necessary, you can <b>flip ip forwarding on and off</b> as follows:
sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.forwarding=0
The same can be done for ipfw ("The Firewall Service"); this setting is twiddled when you stop or start the Firewall service with Server Admin; it is what causes the rules loaded into ipfw to take effect or not.
sudo sysctl -w net.inet.ip.fw.enable=1
sudo sysctl -w net.inet.ip.fw.enable=0
<code>/etc/hostconfig</code> needs to be modified in order to allow the <code>IPFilter</code> and <code>Network</code> startup items to <b>enable the firewall and ip forwarding at startup</b>. Server Admin seems to successfully twiddle <code>IPFILTER</code> when enabling or disabling the Firewall service, but <code>IPFORWARDING</code> seems more stubborn, so this may require hand editing.
IPFORWARDING=-YES-
IPFILTER=-YES-
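The three Forensics checks above (divert rule loaded, forwarding on, forwarding persisted in <code>/etc/hostconfig</code>) can be scripted. The following is an added example, not part of this FAQ or Apple's tooling; the ipfw, sysctl and hostconfig samples in it are constructed, and the <code>en0</code> interface and rule number 10 are assumptions.

```sh
# Each check reads the output of the relevant command on stdin, so on the server
# it can be fed live output (sudo ipfw show | has_divert_rule); here it is fed
# the constructed samples at the bottom.

# Succeeds when an `ipfw show` listing contains the divert rule that feeds natd.
has_divert_rule() {
    grep -q '[[:space:]]divert[[:space:]]'
}

# Succeeds when a `sysctl net.inet.ip.forwarding` line reports 1
# (accepts both the "key: value" and "key = value" output styles).
forwarding_enabled() {
    grep -q '^net\.inet\.ip\.forwarding[ :=]*1[[:space:]]*$'
}

# Prints the value of one /etc/hostconfig key (-YES- / -NO-), e.g.
# hostconfig_value IPFORWARDING < /etc/hostconfig
hostconfig_value() {
    sed -n "s/^$1=//p"
}

# Runs all three checks on captured output and prints how many failed,
# naming each failed check on stderr so the operator knows what to fix.
nat_check() {
    ipfw_out=$1; sysctl_out=$2; hostconfig=$3; failures=0
    printf '%s\n' "$ipfw_out" | has_divert_rule ||
        { echo "no divert rule loaded: NAT/Firewall service not started?" >&2; failures=$((failures + 1)); }
    printf '%s\n' "$sysctl_out" | forwarding_enabled ||
        { echo "net.inet.ip.forwarding is 0: LAN traffic will not be routed" >&2; failures=$((failures + 1)); }
    [ "$(printf '%s\n' "$hostconfig" | hostconfig_value IPFORWARDING)" = "-YES-" ] ||
        { echo "IPFORWARDING not -YES- in /etc/hostconfig: forwarding is lost at reboot" >&2; failures=$((failures + 1)); }
    printf '%s\n' "$failures"
}

# Constructed samples (not captured from a real server); en0 is the assumed primary port.
SAMPLE_IPFW_OK='00010      0         0 divert 8668 ip from any to any via en0
00020    120     14400 allow ip from any to any via lo0
65535     45      6200 allow ip from any to any'
SAMPLE_IPFW_NO_NAT='00020    120     14400 allow ip from any to any via lo0
65535     45      6200 allow ip from any to any'
SAMPLE_HOSTCONFIG_OK='IPFORWARDING=-YES-
IPFILTER=-YES-'
SAMPLE_HOSTCONFIG_BAD='IPFORWARDING=-NO-
IPFILTER=-YES-'

# On the server itself, run the live checks with:
# nat_check "$(sudo ipfw show)" "$(sysctl net.inet.ip.forwarding)" "$(cat /etc/hostconfig)"
```

A result of 0 means the NAT plumbing is in place; anything else names the piece that is missing on stderr.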
