Squeezing NAT Out of Panther Serverby Glenn Fleishman
What I wanted was very simple and very routine—so routine and simple that it's enabled with a single checkbox in Mac OS X 10.2 and 10.3.
But I wasn't working with the client versions of Mac OS X. No, I was in server land. And I wanted Panther Server (Mac OS X Server 10.3) to hand out private Network Address Translation (NAT) managed addresses over DHCP (Dynamic Host Configuration Protocol).
Instead of simply checking a box in the client-side version of Panther,
I spent hours pouring over Apple's obtuse documentation and reading
detailed configuration information about
dhcpd. I finally
mastered it with a little persistence.
But Why? (You May Be Thinking)
Part of my motivation in setting up private addresses is that even though this feature is built into the AirPort Extreme Base Station as the Distribute Addresses option, I've been unable to get it to create private addresses correctly because I use the base station on my LAN, and not as the gateway between my DSL modem and the rest of our shared office LAN. Recently, it even stopped feeding out wired DHCP addresses, for reasons that are unclear.
The motivation for feeding out private addresses that are non-routable from the rest of the Internet has two components:
- First, they offer firewall by obscurity. While NAT doesn't entirely prevent outside cracking, it does offer obscurity. Unless you specifically punch a port from a NAT-addressed computer through to a public, routable IP address, that computer is entirely unreachable until it initiates a connection.
- Second, if you have a small pool or just a single static IP address, or receive a dynamically assigned private or public IP address, NAT allows you to create a pool of addresses to share a connection.
In plain old Panther, you bring up the Sharing preference pane in System Preferences, click the Internet tab, and choose the interface you want to share the connection from, such as Ethernet or AirPort (see Figure 1). Apple requires you have at least one active network connection.
You then check boxes corresponding to the interfaces to which you want to serve NAT via DHCP. In a small network that has both AirPort and Ethernet users, you could send NAT back to both networks and disable Distribute Addresses in an AirPort or AirPort Extreme Base Station or disable DHCP in another wireless gateway.
Click Start and you're done. Couldn't be more straightforward.
Panther Server Set Up Is Another Animal
So, you'd think that Panther Server would have more sophisticated options, but be relatively as easy? No, no, how could that be the case.
Instead, you must configure and enable three separate services, add a duplicate network interface, and edit a configuration file manually to get what you want. Let's walk through this.
In the rest of the FreeBSD and Linux world,
ipfw (or its
iptables equivalents) work together to assign
ifconfig to create a fake address on a new network, like the
address 192.168.3.1 on the network 192.168.3.0/24. (The /24 means the
first 24 bits are significant, equivalent to a network mask of 255.255.255.0.)
natd is configured to rewrite addresses for the 192.168.3.0 network;
ipfw diverts traffic to
natd for it to rewrite. Finally,
dhcpd is set
up to manage a range of addresses in that network, such as 192.168.3.10
through 192.168.3.250 and hand out nice items like a router address
and DNS server addresses.
Panther Server packages all
natd as NAT;
dhcpd as DHCP; and
ipfw as Firewall
within its nifty new Server Admin program, a portmanteau program that
replaces the horrible interface found in the previous server release with
a coherent, consistent graphical approach.
From hard experience, here's the set of steps to carry out our complicated command-line configuration, mostly through Server Admin.
1. Add a private address to a duplicate network configuration in the Network preference pane. Open System Preferences, click Network, and from the Show menu choose Network Port Configurations (see Figure 2). Select Built-in Ethernet and click Duplicate. Name the duplicate interface Private Network.
From the Show menu now choose Private Network. In the TCP/IP tab, select Manually from the Configure IPv4 menu. Enter 192.168.3.1 as the IP address and 255.255.255.0 as the subnet mask. You can enter DNS values for DNS, but leave other settings blank.
2. Open /etc/hostconfig in
vi. Find the line
Change NO to YES, leaving everything else the same. Save that file and exit the text editor.
3. Run Server Admin. Click the DHCP service. Click the Settings tab. You may already see an IP network for 192.168.3.0/24. If not, click the + sign (see Figure 3). Give the Subnet Name as 192.168.3.0/24 (it's just text, but it's a good identifier). In Starting IP Address, enter 192.168.3.2; in Ending IP Address, enter 192.168.3.254. Set the subnet mask to 255.255.255.0 and the router to your private interface address: 192.168.3.1. You can choose any lease time you wish. Click Save. Click Start Service.
4. Click the Firewall service. You should see a listing under Address Group for 192.168-net. This is the superset of 192.168.0.0/16, or the full private address range reserved for uses like these (see Figure 4). I haven't yet figured out how to bypass this tedious next step. For each service you want accessible to machines on the private network, you need to check a box to allow it. If none of these machines are working as servers, you might need to check relatively few boxes. But if you need to use Timbuktu, Retrospect, and other offerings, make sure and check those pages.
You could also add an advanced rule. Click the Advanced tab. Click the + sign (see Figure 5). Under the Source area, choose Any from the Address pop-up menu (see Figure 6). From the Destination area, choose 192.168-net from the Address menu. Click OK. Drag this rule to the top of the list so it's invoked first. This is a dangerous option because it allows all traffic through, but because these are private addresses, this is probably an issue only for locally discoverable services that use Rendezvous.
Click Save and wait a while. A long while. For some reason, on the 450 MHz G4 Cube that I have Panther Server installed on, the firewall settings can take minutes to save. They often fail, requiring me to check the boxes again (the settings aren't saved when it fails) and clicking Save again, and waiting... again.
When it's finally saved, click Start.
5. Click the NAT service. NAT has, fortunately, very few options (see Figure 7). In the Settings tab, make sure Built-in Ethernet is selected. Click Start.
You should now be able to serve DHCP-fed private addresses over the LAN. I've found that when this doesn't work, if I restart NAT, DHCP, and Firewall, the trouble goes away.
It's quite amazing to me that such a common task isn't streamlined in the server as it is in the plain Panther system. But now that you have the secrets, you should be able to set this up with none of the hassle I faced.
Glenn Fleishman is a freelance technology journalist contributing regularly to The New York Times, The Seattle Times, Macworld magazine, and InfoWorld. He maintains a wireless weblog at wifinetnews.com.
Return to the Wireless DevCenter