8

I need to have the Mac take traffic coming into it on one port and send the traffic to a different but still local port.

I.e., traffic comes in on port 1234 and transfers to port 5900 (VNC).

This is because the router won't allow me to set up port forwarding where the origin and destination ports differ, and I need to connect to multiple machines.

So for example in my router I have set up:

  • port 1234 -> 192.168.0.2:1234
  • port 1235 -> 192.168.0.3:1235
  • port 1236 -> 192.168.0.4:1236

Then I need the Mac to take the incoming port and send it to local port 5900.

Dave
  • As an aside: some VNC implementations support repeaters/proxies. Like [UltraVNC Repeater](http://www.uvnc.com/addons/repeater.html). This might help one to forward just the default port to a single computer, which can then forward requests to other computers. However: that would require you to have one Mac running at all times. Also, I don't know if the built-in Screen Sharing server supports this feature. – Arjan Nov 30 '10 at 15:31
  • VNC supports ports less than 5900. Set the display to -4666 (5900 - 1234). VNC will then listen on port 1234. – BillThor Nov 30 '10 at 16:17
  • @BillThor, that might be hard on a Mac: [How to change the default screen sharing / VNC port number on Mac OS X?](http://superuser.com/questions/148095/how-to-change-the-default-screen-sharing-vnc-port-number-on-mac-os-x) – Arjan Nov 30 '10 at 16:24
  • Or: use SSH to connect to the Macs? (The VNC protocol is not secure, though OS X adds an option to encrypt the data. I don't know what it does, but using SSH you can also [use a Windows VNC client to connect](http://superuser.com/questions/53348/) securely.) So, on the client computer: `ssh -L 1234:localhost:5900 -p 22 your-remote-mac` and connect your VNC client to `localhost:1234`. However, using your router, this needs a unique `sshd` port for each Mac. See [How to change sshd port on Mac OS X?](http://serverfault.com/questions/18761/how-to-change-sshd-port-on-mac-os-x/67616#67616) – Arjan Dec 01 '10 at 10:51
  • Anyone who knows how to configure the IP Firewall? I thought `sudo ipfw add fwd 127.0.0.1,1234 tcp from any to me dst-port 5900` might do the trick, but: no cigar. Maybe in 10.6 one needs to [actually enable `ipfw`](http://www.ibiblio.org/macsupport/ipfw/) manually? (The built-in Application Firewall in System Preferences is a different thing altogether.) – Arjan Dec 01 '10 at 10:57
  • Yes, ipfw port forwarding seems broken in Mac 10.7 (and maybe earlier versions) – Claudio Floreani Apr 16 '12 at 22:47

2 Answers

5

I doubt a local SSH tunnel is the easiest solution, but to forward 1234 to 5900:

```
ssh -g -L 1234:localhost:5900 localhost
```

The `-g` is needed to allow remote hosts to connect to the local port 1234.

To run this in the background:

```
ssh -Nfg -L 1234:localhost:5900 localhost
```

You can include the options in your SSH config file, like `LocalForward 1234 localhost:5900`.

To test this when Screen Sharing is not running, run the built-in Python web server: `python -m SimpleHTTPServer 5900`, and then point a browser to `http://localhost:1234`

Arjan
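What the `-g` forward in the answer above does at the socket level, as an added example that is not part of the original answer: a listener reachable from other hosts relays each connection to the local VNC port. This sketch also checks the client's source address against an allow-list before opening the connection to port 5900, which the `ssh -g` command above does not do; the function names and the `192.168.0.0/24` network are assumptions, so list the networks you actually expect clients from.

```python
import contextlib
import ipaddress
import socket
import threading

def pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then half-close dst."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle(client, peer_ip, target, allowed):
    """Relay one client to target only if its source IP is allow-listed."""
    with client:
        if not any(ipaddress.ip_address(peer_ip) in net for net in allowed):
            return  # refused: closed before any byte reaches the VNC port
        try:
            upstream = socket.create_connection(target)
        except OSError:
            return  # nothing listening on the target port
        with upstream:
            back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            back.start()
            pump(client, upstream)
            back.join()

def serve(listen_port, target, allowed_cidrs, bind="0.0.0.0"):
    """Accept on bind:listen_port and forward permitted clients to target."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    srv = socket.create_server((bind, listen_port))
    def loop():
        while True:
            client, (ip, _port) = srv.accept()
            threading.Thread(target=handle, args=(client, ip, target, allowed),
                             daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv  # srv.getsockname()[1] is the port actually bound

if __name__ == "__main__":
    # Assumed values: the question's port 1234 -> local 5900, LAN 192.168.0.0/24.
    serve(1234, ("127.0.0.1", 5900), ["192.168.0.0/24"])
    threading.Event().wait()  # keep the main thread alive
```

The relay adds no encryption, so the VNC traffic is exactly as exposed on the wire as it would be on port 5900.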
3

This article on Port Forwarding on Mac OS X seems to have the answer.

Here is the example they provide at the end:

The following example forwards any inbound 443 traffic to PRO Server running on local host (127.0.0.1) port 4282.

```
sudo ipfw add 1443 forward 127.0.0.1,4282 ip from any to any 443 in
```
slhck
Roozbeh
  • Also, check that both "sysctl -n net.inet.ip.fw.enable" and "sysctl -n net.inet.ip.forwarding" are enabled (set to 1). This should be the way to do it, however it seems broken in Mac OS 10.7 – Claudio Floreani Apr 16 '12 at 22:46
  • The link is broken! – Fusion Sep 22 '21 at 17:17
  • Recent versions of macOS use PF, so you'd need to add something like `rdr pass inet proto tcp from any to 127.0.0.1 port 443 -> 127.0.0.1 port 4282` to `/etc/pf.anchors/sample`, and then configure the new anchor in `/etc/pf.conf` – chronospoon Jun 10 '23 at 19:13