El Valle del Viento Helado (English): 2008

This evening I have to us the NAT (network address traslation) infrestructres that came with MacOS X. The TCP/IP stack of MacOS X and the network utilities came from FreeBSD. The firewall is ipfw and is actived by default. The command line utility that controlles the firewall is ipfw. Unlike Linux, the nat engine is in user space, implemented in a proccess called natd. There are ipfw rules that select the ip packets and send to natd using the divert mechanism

Sharing your Internet connection

The easy way to share your internet connection is to use the Internet. We excecute de System Preferences application, next click in Sharing and the system show the next configuration pane (in spanish):

internet sharing

Now, we must select the public interface (the one is connected to Internet), in this example the airport and we also must select the private interface (where are the computers you want to access Internet throught NAT). Now, we push the Init button and the NAT is active.

We can see in changes that the GUI have done in the system now. We launch the Terminal Application and execute the ipfw show command. We can see the first rule that divert all traffic to the natd process:

00010  26221  16201955 divert 8668 ip from any to any via en1
02000 264607  23464758 allow ip from any to any via lo*
02010      0         0 deny ip from 127.0.0.0/8 to any in
02020      0         0 deny ip from any to 127.0.0.0/8 in
02030      0         0 deny ip from 224.0.0.0/3 to any in
02040      0         0 deny tcp from any to 224.0.0.0/3 in
02050 209103  38244907 allow tcp from any to any out
02060 333894 376385236 allow tcp from any to any established
02065      0         0 allow tcp from any to any frag
12190      3       192 deny tcp from any to any
65535   7662    912661 allow ip from any to any

We can also check that the natd is executing in the system:

ibookdrizzt:~ terron$ ps aux|grep natd
root 372 0.0 0.0 27332 580 ?? Ss 12:14AM 0:00.43 /usr/sbin/natd -alias_address 192.168.1.33 -interface en1
ibookdrizzt:~ terron$

That natd is done when the packet leave the machine throught the public interface. The return flow of packets, when arrive to the machine providing, are diverted to the natd process. If there is an entry in the translation table, the destination address is rewritten in accordance with the contents of the table.

Setting manual NAT

We want to configure the NAT in the next scenario:

We have a PowerMac G5 connected to a wireless network where there is a wifi router connectd to Internet.The wireless network uses the address range 192.168.1.0/24 and the PowerMac uses the IP address 192.168.1.100 (interface en1, Airport). Also, the PowerMac is connected an ethernet network and uses the IP address 192.168.2.1 (interface en0). We want that the PowerMac uses NAT to translate all the IP address in the 192.168.2.0/24 rango to a IP in the range 192.168.1.x, if possible the same IP assignated to the interface en1.

The NAT is done in MacOS X just before the packet leave the network interface. In the previus scheme, the packets go yo Internet via the interface en1. We must configure natd to intercept packets before leave the interface and traslate the source address and source port in case we need it. We must intercept any packet whose source address is in network 192.168.2.0/24 to any address. We add a rule to the ipfw firewall that select all packet from network 192,.168.2.0/24. In the Terminal application:

ipfw -f flush

ipfw add divert natd all from 192.168.2.0/24 to any via en1

Warning, the first command, delete all the firewall rules. If we want to keep the current ruleset, we must to insert the rule in the firewall and not use the ipfw -f flush command. We can see the actual rule set using the ipfw show command.

Now, we must run the natd command. This program traslate the source address and port from the packet being natted. The address traslated is called alias and usually is the same of the public interface. We also must use the -v parameter to natd if we want to debug the process because it automatically go to background. In theory, the next command will do the work:

/usr/sbin/natd -v -interface en1

But if we test the configuration, it doesn't work, why?. Because this configuration traslate adequately the packets the leave the machine, but the packets that came back from Internet no.This occurs because the implementation of NAT is a user program, and you must configure the firewall, ipfw, to send the packets back to the process natd. However, in Linux, this is done automatically because it maintains the translation tables in the kernel. In this sceneario the solution is easy, because we can use another alias address and another divert rule to send the traffic:

ifconfig en1 192.168.1.101 alias

ipfw -f flush

ipfw add divert natd all from 192.168.2.0/24 to any via en1

ipfw add divert natd all from any to 192.168.1.101 via en1

natd -a 192.168.1.101

Problems

The implementation of NAT using MacOS X isn't very efficient. The need to move packages from the kernel to user mode programs and then again to move to the kernel for transmission makes it slower to complete implementations in the Linux kernel and its NetFilter.

The support of inspection protocols is very limited, only supports FTP and IRC, with the rest of protocols that send information with embebbed ip addresses and ports not supported.

References

Sharing your Internet connection

man page of ipfw (FreeBSD)

man page of divert(FreeBSD)

Project Netfilter

man page of natd (MacOS X)

Mac OS X Server 10.2 as a NAT router

Technorati Tags: firewall, macosx, nat

Three weeks ago, my wife and I went to the Jerte's Valley (Valle del Jerte in spanish), in Caceres, during the cherry flowering. The flowering lasts just ten days and the valley is covered in the distinctive white color of the cherry blossoms.

We took the A-5 motorway till Navalmoral de la mata, then we took the EX-1 heading Plasencia, but the GPS guided us throught a local road parallel to the river Tietar till the EX-392 road that took us to Jaraíz de la Vega. It would have been easier to take the EX-392 in Navalmoral de la Mata heading Jaraíz de la Vega or arrive to Plasencia and enter into the valley jerte through the N-110.

From Jaraiz de la Vega we took a road that led us throught the mountains through the villages of Pasarón de la Vega, Arroyomolinos de la Vera, Barrada, Carrera reaching Valdastillas. In this area we began to see the first cherry trees and the side of the mountais were white of cherry blossoms.

Slopes covered with cherry blossoms

One of the villages on the slope of the valley.

As we descend from the side of the mountain, across the road which passes through Valdastillas, to the N-110. We took some pictures of the cherry blossoms

Cherry blossoms

The road descends among the cherry trees

We arrived to the N-110 road and we followed it till Navaconcejo where we tool lunch in a little restaurant. This town is divided by the river Jerte and has a beautiful bridge over it.

Bridge over Jerte in Navaconcejo

Cherry blossoms from Navaconcejo

We took again the car and drive throught the N-110 road till we arrived to Cabezuela del Valle. We left the car and walked down a path that runs parallel to the river Jerte.

The Jerte river, in Cabezuela del Valle.
The town was full of suvenir stores where you can buy the tipical cherry trees and products of the zone.

A small waterfall

After the walk, we took the car again, and following the N-110 we arrived to Tornavacas and we began to drive throught the pass of Tornavacas. We took some pictures of the cherry blossoms before we arrived to the highest part of the pass.

cherry blossoms

cherry trees

From there you can enjoy a beautiful lanscape. Mountais around were snowier than the last time (in spanish) we where in Tornavacas. Two more pictures from out trip. First one you can see the town of Tornavacas and Cabezuela del Valle and the second one you can see all the Valley of Jerte. The pictures are a bit dark because the day was cloudy and you couldn't see all the cherry blossoms.

El Valle del Jerte, desde lo alto de Tornavacas

El Valle del Jerte

We decided to return to Madrid throught Avila. The idea was to follow the N-110 from the Pass of Tornavacas which runs through the towns of Barco de Ávila and Piedrahita, then arrive to Avila and take the A-6 motorway to Madrid. But when we arrived to Barco de Avila, it started to snow abundantly:

The old bridge in the middle of the snowstorm

We arrived to Piedrahita without problems, but the snowstorm was stronger. When we leaved Piedrahita, there was a lot of snow in the road and people drove slowly. We couldn't arrive to the Pass of Villatoro, and the policy shorted the road to people that didn't have tire chains. We returned to Piedrahita, then we toolk the road to Alba the Tormes, from there to Peñaranda de Bracamonte, then to Arevalo where we took the A-6 motorway to Madrid. The snowstorm was heavy, and we took some beautiful pictures when the night arrived.

The road covered with snow