blob: 20bd43282f65a82e90a6af9043608bbc1195e859 (
plain) (
tree)
|
|
#!/bin/sh
#
# Adds TCP/UDP port forwarding rules to the pf firewall (MacOS/BSD).
#
# Adds rules for both TCP and UDP in addition to those from /etc/pf.conf.
# Requires an existing rdr-anchor entry in /etc/pf.conf.
# Only adds rules temporarily, without changing any files.
#
# Usage: ./forward-ports.sh [[nic:]port=[ip:]port [...]]
#
# If no network interface is given, forwards from all interfaces.
# If no IP is given, forwards to 127.0.0.1.
# If no port forwarding rule is given, resets to the rules from /etc/pf.conf.
#
# e.g. forwarding ports 80 and 443 on network interface en0 to ports 8080 and
# 8443 on localhost respectively:
# ./forward-ports.sh en0:80=8080 en0:443=8443
#
# Copyright 2019, Sebastian Tschan
# https://blueimp.net
#
# Licensed under the MIT license:
# https://opensource.org/licenses/MIT
#
set -e
RULES=
NEWLINE='
'
print_usage_exit() {
if [ -n "$RULES" ]; then
printf '\nError in custom rules:\n%s\n' "$RULES" >&2
fi
echo "Usage: $0 [[nic:]port=[ip:]port [...]]" >&2
exit 1
}
print_nat_rules() {
echo
echo 'Loaded NAT rules:'
sudo pfctl -s nat 2>/dev/null
echo
}
# Print usage and exit if option arguments like "-h" are used:
if [ "${1#-}" != "$1" ]; then print_usage_exit; fi
while test $# -gt 0; do
# Separate the from=to parts:
from=${1%=*}
to=${1#*=}
# If from part has a nic defined, extract it, else forward from all:
case "$from" in
*:*) nic="on ${from%:*}";;
*) nic=;;
esac
# Extract the port to forward from:
from_port=${from##*:}
# If to part has an IP defined, extract it, else forward to 127.0.0.1:
case "$to" in
*:*) to_ip=${to%:*};;
*) to_ip=127.0.0.1;;
esac
# Extract the port to forward to:
to_port=${to##*:}
# Create the packet filter (pf) forwarding rule for both TCP and UDP:
rule=$(
printf \
'rdr pass %s inet proto %s from any to any port %s -> %s port %s' \
"$nic" '{tcp udp}' "$from_port" "$to_ip" "$to_port"
)
# Add it to the list of rules:
RULES="$RULES$rule$NEWLINE"
shift
done
# Add the rules after the line matching "rdr-anchor" in /etc/pf.conf, print the
# combined rules to STDOUT and load the rules into pf from STDIN.
# Finally, display the loaded NAT rules or print the script usage on failure:
# shellcheck disable=SC2015
printf %s "$RULES" | sed -e '/rdr-anchor/r /dev/stdin' /etc/pf.conf |
sudo pfctl -Ef - 2>/dev/null && print_nat_rules || print_usage_exit
|