Connection sharing with Mac OS X via NAT

[Valerio-click]

Hi all,

In addition to what illustrated in https://github.com/inversepath/usbarmory/wiki/Host-communication is it also possible, using PF firewall, to share Internet connection on Mac OS X without modifying the internal configuration of USBArmory.

It is sufficient to add the following rule (using pfctl)

nat on $ext_if from $int_if:network to any -> ($ext_if)

where $ext_if is the interface that has direct access to Internet and $int_if is the USB Armory interface on the host machine. 

Valerio

[Andrea Barisani]

Thanks! I will add this on the wiki.

> --
> You received this message because you are subscribed to the Google Groups "USB armory" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to usbarmory+...@googlegroups.com.
> To post to this group, send email to usba...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/usbarmory/b8cd27b2-b528-4226-8941-b856e0ee3dff%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Andrea Barisani]

Can you provide the exact command and/or steps that someone would need to perform in order to enable this? I'd like to put easy to use instructions on the wiki.

It is not clear to me if a configuration file must be edited or if one command via sudo can be executed.

Thanks!

[valerio-click]

Sure!!

Suppose that the external interface is en0 (that one that routes to Internet) and the USBarmory is active on en5 then it is sufficient to do the following steps:

STEP 1 (enable ipforwarding):

sudo sysctl -w net.inet.ip.forwarding=1

STEP 2: (enable pf firewall):

sudo pfctl -e

STEP 3: (add NAT rule)

(echo "nat on en0 int from en5:network to any -> (en0) | sudo pftcl -f -

STEP 3 command will work only if en5 is already up, if you want to apply the rule before the USBArmory is plugged into the host you will have to specify the netwok with 

(echo "nat on en0 int from 10.0.0.0/8 to any -> (en0) | sudo pftcl -f -

assuming the standard configuration (with 10.0.0.1 the usbarmory and 10.0.0.2 the network interface).

hope this helps!!

Valerio

[Andrea Barisani]

On Saturday, April 18, 2015 at 11:08:28 PM UTC+2, valerio-click wrote:

Sure!!

Suppose that the external interface is en0 (that one that routes to Internet) and the USBarmory is active on en5 then it is sufficient to do the following steps:

STEP 1 (enable ipforwarding):

sudo sysctl -w net.inet.ip.forwarding=1

STEP 2: (enable pf firewall):

sudo pfctl -e

STEP 3: (add NAT rule)

(echo "nat on en0 int from en5:network to any -> (en0) | sudo pftcl -f -

STEP 3 command will work only if en5 is already up, if you want to apply the rule before the USBArmory is plugged into the host you will have to specify the netwok with 

(echo "nat on en0 int from 10.0.0.0/8 to any -> (en0) | sudo pftcl -f -

assuming the standard configuration (with 10.0.0.1 the usbarmory and 10.0.0.2 the network interface).

hope this helps!!

I just updated the wiki with this information.

Thanks!

[mr.ei...@gmail.com]

I'm adding "nat on $en int from 192.168.2.0/24 to any -> (en5)" to my pf.conf, but on enabling the rules, pf returns a syntax error. Macro's are correctly mapped. I'm on OSX.

Any clue what is going wrong?

Op zaterdag 18 april 2015 23:08:28 UTC+2 schreef valerio-click:

[Andrea Barisani]

On Monday, April 27, 2015 at 10:40:59 AM UTC+2, mr.ei...@gmail.com wrote:

I'm adding "nat on $en int from 192.168.2.0/24 to any -> (en5)" to my pf.conf, but on enabling the rules, pf returns a syntax error. Macro's are correctly mapped. I'm on OSX.

Any clue what is going wrong?

I am not an expert on PF configuration on OSX, however this is the contributed syntax:

nat on en0 from 10.0.0.0/8 to any -> (en0)

Which doesn't match the fact that you have "$en int", where $en I presumed is a variable that holds your relevant enX interface, however the "int" seems spurious maybe?

[j...@qibixx.com]

there is 2 typos in the string in the original post.

#1 it's missing the closing "

#2 the "int" should read inet

so the correct full statement is something like

echo "nat on en0 inet from en5:network to any -> (en0)" | sudo pfctl -f -