How to forward ports to a Windows running in shared networking mode

Discussion in 'Installation and Configuration of Parallels Desktop' started by jwiegley, Jul 16, 2007.

  1. jwiegley

    jwiegley Junior Member

    Ok, this may sound strange, but here's what I want to do:

    I have Windows running in shared networking mode. This is so that 1) no one on my network can see it, and 2) it can share the VPN connection my Mac is using.

    However, I want people from within the VPN to access certain ports on the Windows machine, such as VNC.

    My question is, can I set up TCP port forwarding so that users within my VNC network (interface tap0) can connect to my Mac using my VNC IP address, yet the service gets forwarded to my Windows using shared networking (on interface en3)?

    Here's the picture:

    VNC machine -> VNC -> Mac -> Windows guest

    This way, somebody inside my VNC network could operate my guest Windows remotely over VNC (so I can show them something I've cooked up, for example) and yet I get all the other security and ease of use benefits that come with shared networking.

    Without shared networking, the only way VPN users could see my Windows guest machine would be if I used bridged networking and then installed the VPN client and established a second, independent connection to the VPN from within Windows. But that seems like a waste if all I need to forward is a single port or two.

    John
     
  2. jwiegley

    I've been trying a ton of things, but here's what I have now:

    First, I turn off my firewall, to avoid complications. Then I run a natd process to redirect packets inbound from tap0 to port 8080, to port 8080 on my Windows box in shared networking mode. That command looks like this:

    natd -m -n tap0 -redirect_port tcp 10.211.55.9:8080 8080

    Then, I add the following divert rule to my firewall so that natd has a chance to rewrite the packets:

    ipfw add 100 divert natd ip from any to any via tap0

    Lastly, I turn on IP forwarding:

    sysctl -w net.inet.ip.forwarding=1

    Sure enough, when a VPN machine tries to connect to my machine at port 8080, natd shows the redirection to the Windows box:

    In [TCP] [TCP] 10.9.19.145:4138 -> 10.9.19.82:8080 aliased to
    [TCP] 10.9.19.145:4138 -> 10.211.55.9:8080

    And lastly, I have the firewall on my virtual Windows XP configured to allow connections from anywhere to port 8080.

    It seems at this point that it's the shared networking driver for Parallels itself which is dropping the packets because they don't originate from localhost (10.211.55.10 in this case, via en3). I cannot find any way to get Parallels to "accept" the inbound packet, even though I've rewritten the IP destination address and done everything else that "normal" TCP/IP would require of me.

    So does the Parallels networking driver for en3 have special rules that allow connections only from the other side of the network interface?

    What I'm going to try now is a double-redirect: redirect port 8080 traffic to 10.211.55.10:8080 (my side of en3), and then redirect from there to 10.211.55.9:8080. But who knows.

    Any ideas?

    John
     
  3. jwiegley

    SOLVED!

    Well, unless I'm missing something, it can't be done with natd and ipfw. However, it CAN be done with tcpserver and netcat.

    What tcpserver does is listen for connections on a port on my Mac. It then uses netcat to redirect layer 5 traffic (e.g., HTTP) back and forth between the client who initiated the connection and my virtual Windows XP box, which is serving the connection.

    The reason this works is that, to Windows XP, it looks like the traffic is coming locally from my Mac. And to the VPN client, it looks like they are talking to my Mac. Netcat is silently shuttling the HTTP data back and forth between the two, which takes all of the TCP/IP addressing issues out of the loop.

    Here's how I'm redirecting VPN connections to 10.9.19.82:8080 into my virtual machine at 10.211.55.9:8080:

    tcpserver 10.9.19.82 8080 nc 10.211.55.9 8080

    If you have MacPorts, you'll need to install ucspi-tcp (for tcpserver) and netcat (for nc).

    John
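The tcpserver/nc pairing above is a plain user-space TCP relay, and the reason it gets past the guest firewall and the shared-networking driver is that every connection the guest sees originates from the Mac itself. The following Python relay is an added illustration, not code from this thread: it runs entirely on loopback, uses a constructed echo server in place of the service inside the VM, and records the peer address the "guest" observed (the real deployment would listen on the VPN address and forward to the guest's shared-networking address instead).

```python
import socket
import threading

def _pump(src, dst):
    # Copy src -> dst until src closes, then half-close dst so it sees EOF.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass
def _relay_one(client, target):
    # Fresh connection to the guest: it only ever sees this host as the peer.
    with client, socket.create_connection(target) as upstream:
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
def start_relay(listen, target):
    """Accept on `listen`, relay every connection to `target`; return bound addr."""
    srv = socket.socket()
    srv.bind(listen)
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_relay_one, args=(conn, target), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()
def start_echo_guest(seen):
    """Constructed stand-in for the VM service: echo once, append the peer IP to `seen`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, peer = srv.accept()
        seen.append(peer[0])
        with conn:
            conn.sendall(conn.recv(4096))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
def roundtrip(payload=b"GET / HTTP/1.0\r\n\r\n"):
    # Client -> relay -> guest on loopback; return (reply, peer IP the guest saw).
    seen = []
    relay_addr = start_relay(("127.0.0.1", 0), start_echo_guest(seen))
    with socket.create_connection(relay_addr) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    return reply, seen[0]
```

Because the relay terminates the client's TCP session and opens its own, nothing about the original client address reaches the guest; if that address matters for logging or access control, it has to be checked on the relay host before forwarding.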
     
