Relatively Easy NAT for Parallels
At the time of writing, Parallels for Mac, unlike VMware, does not offer NAT networking for guest operating systems. There is a relatively easy way around this, although the way I’ve implemented it requires use of the command line…
First, set the DHCP options for the host-only (private) network as you like. I use the default of 10.37.129.0/24:

Then set the virtual machine’s networking to Host Only Networking:

Finally, boot the VM and configure it to use a static network configuration:
ip: 10.37.129.x
netmask: 255.255.255.0
default router: 10.37.129.1
dns: whatever it’s set to in your Mac’s /etc/resolv.conf
For dns, I run a copy of dnscache on my Mac with options that allow for it to serve requests on 10.37.129.0/24, and specify 10.37.129.1 as the dns server to my VMs.
Create a directory /Library/StartupItems/Firewall and create a file in it called StartupParameters.plist with the following contents:
{
Description = "Firewall";
Provides = ("Firewall");
Requires = ("NetworkExtensions","Resolver");
OrderPreference = "Late";
Messages =
{
start = "Starting firewall";
stop = "Stopping firewall";
};
}
Create a file in the same directory called FirewallManual:
#!/bin/sh
##
# Firewall
##
. /etc/rc.common
StartService ()
{
ConsoleMessage "Starting Firewall"
sh /etc/rc.firewall > /dev/null
}
StopService ()
{
ConsoleMessage "Stopping Firewall"
/sbin/ipfw -f -q flush
/usr/bin/killall natd >/dev/null 2>&1
/usr/sbin/sysctl -w net.inet.ip.forwarding=0
}
RestartService ()
{
StopService
StartService
}
RunService "$1"
Finally, create /etc/rc.firewall with the following contents:
#!/bin/sh
# Interface carrying the default route (6th column of the "default" line in
# netstat -rn output on Mac OS X); this is the interface NAT happens on.
DEFROUTE_IF=`/usr/sbin/netstat -rn | /usr/bin/awk '/^default/ {print $6;}'`
NATD=/usr/sbin/natd
# -interface: use that interface's address as the aliasing address (add -dynamic
# if the address may change); -log/-log_denied: report activity and dropped
# packets via syslog
NATD_OPTIONS="-log -log_denied -use_sockets -same_ports -interface $DEFROUTE_IF"
IPFW=/sbin/ipfw
LOOPBACK="lo*"
PUBLIC_IF="$DEFROUTE_IF"
# the Parallels host-only adapter; check `ifconfig -a` if yours is not en2
PARALLELS_IF=en2
PARALLELS_NET="10.37.129.0/24"
# start natd
$NATD $NATD_OPTIONS
# divert traffic before anything else: guest packets leaving the public
# interface are rewritten on the way out, and everything arriving on it is
# handed to natd so replies are mapped back before the filter rules see them
$IPFW add 01000 divert natd all from $PARALLELS_NET to any out via $PUBLIC_IF
$IPFW add 01010 divert natd all from any to any in via $PUBLIC_IF
# standard mac os x firewall stuff ("$LOOPBACK" is quoted so the shell does not
# expand the * against files in the current directory)
$IPFW add 02000 allow ip from any to any via "$LOOPBACK"
$IPFW add 02010 deny ip from 127.0.0.0/8 to any in
$IPFW add 02020 deny ip from any to 127.0.0.0/8 in
$IPFW add 02030 deny ip from 224.0.0.0/3 to any in
$IPFW add 02040 deny tcp from any to 224.0.0.0/3 in
$IPFW add 02050 allow tcp from any to any out
$IPFW add 02060 allow tcp from any to any established
# inbound services opened on every interface, the public one included;
# prune this list to what you actually want reachable from outside
$IPFW add 02070 allow tcp from any to any dst-port 22 in
# DNS for the guests (this also answers anyone else who can reach the Mac)
$IPFW add 02070 allow ip from any to any dst-port 53 in
$IPFW add 02080 allow tcp from any to any dst-port 80 in
$IPFW add 02090 allow tcp from any to any dst-port 427 in
$IPFW add 02100 allow tcp from any to any dst-port 443 in
$IPFW add 02110 allow tcp from any to any dst-port 5297 in
$IPFW add 02120 allow tcp from any to any dst-port 5298 in
# explicit pass rules for guest traffic on the Parallels interface; normally
# unnecessary because anything not denied above reaches the final allow, but
# uncomment them if guest TCP arriving in via $PARALLELS_IF is being caught
# by the deny at 12190
#$IPFW add 03000 allow all from $PARALLELS_NET to any via $PARALLELS_IF in
#$IPFW add 03010 allow all from any to $PARALLELS_NET via $PARALLELS_IF out
$IPFW add 12190 deny tcp from any to any
$IPFW add 65535 allow all from any to any
# let the Mac forward packets from the guest network out the public interface
sysctl -w net.inet.ip.forwarding=1
Make both /Library/StartupItems/Firewall/FirewallManual and /etc/rc.firewall mode 755.
Now all the pieces are in place…
In order to use this, start Parallels and bring up the VM you’ve set up above. Once that is done, open System Preferences, Sharing, Firewall and stop the firewall (Apple’s firewall and this script both manage the same ipfw rule set, so only one of them should be loaded at a time). Then from the command line, run:
sudo /Library/StartupItems/Firewall/FirewallManual start
Your guest VM should now have NAT’d internet access via the default route in place on your Mac.
To tear things down, run
sudo /Library/StartupItems/Firewall/FirewallManual stop
Then start the firewall in the Sharing pane of System Preferences, and all is normal.
Please note that several of the rules above open specific inbound ports (22, 53, 80, 427, 443, 5297 and 5298) on every interface, the public one included. Make sure those are ports you actually want reachable before using this script.
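The open-port caveat above, and the requirement in the script that the divert rules come before anything else, can both be checked mechanically. The following is an added example, not code from the original post: a POSIX shell audit that reads an ipfw listing and reports the inbound ports the allow rules expose, any rule number used twice, and whether both divert rules sort ahead of every allow/deny rule. The embedded SAMPLE_RULES is a constructed approximation of what `ipfw list` prints after running the rc.firewall above (assuming en0 is the public interface); it was not captured from a real machine.

```shell
#!/bin/sh
# Offline audit of an ipfw rule set shaped like the rc.firewall above.
# SAMPLE_RULES is a constructed approximation of `ipfw list` output for that
# script ("divert natd" resolves to port 8668, "all" is shown as "ip", and the
# public interface is assumed to be en0); it was not captured from a live Mac.

SAMPLE_RULES='01000 divert 8668 ip from 10.37.129.0/24 to any out via en0
01010 divert 8668 ip from any to any in via en0
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any dst-port 22 in
02070 allow ip from any to any dst-port 53 in
02080 allow tcp from any to any dst-port 80 in
02090 allow tcp from any to any dst-port 427 in
02100 allow tcp from any to any dst-port 443 in
02110 allow tcp from any to any dst-port 5297 in
02120 allow tcp from any to any dst-port 5298 in
12190 deny tcp from any to any
65535 allow ip from any to any'

# Ports that inbound "allow ... dst-port N in" rules expose on every
# interface, the public one included, printed space-separated on one line.
inbound_open_ports() {
    printf '%s\n' "$1" | awk '
        $2 == "allow" && $NF == "in" {
            for (i = 3; i < NF; i++)
                if ($i == "dst-port")
                    ports = ports (ports == "" ? "" : " ") $(i + 1)
        }
        END { print ports }'
}

# Rule numbers used more than once. ipfw accepts this and keeps both rules,
# but "ipfw delete N" then removes more than you expect.
duplicate_rule_numbers() {
    printf '%s\n' "$1" | awk '
        { seen[$1]++ }
        END { for (n in seen) if (seen[n] > 1) print n }' | sort
}

# ipfw evaluates rules in ascending number order, so both divert rules must
# carry lower numbers than every allow/deny rule; otherwise the filter sees
# untranslated addresses (or natd never sees the packet at all).
divert_before_filter() {
    printf '%s\n' "$1" | awk '
        BEGIN { min_filter = 65536; max_divert = -1 }
        $2 == "divert" && / in via /  { have_in = 1 }
        $2 == "divert" && / out via / { have_out = 1 }
        $2 == "divert" && $1 + 0 > max_divert { max_divert = $1 + 0 }
        ($2 == "allow" || $2 == "deny") && $1 + 0 < min_filter { min_filter = $1 + 0 }
        END {
            if (have_in && have_out && max_divert < min_filter) print "ok"
            else print "FAIL"
        }'
}

# Run the three checks against a listing; on a live Mac OS X box pass
# "$(/sbin/ipfw list)" instead of "$SAMPLE_RULES".
audit_rules() {
    echo "inbound ports opened:   $(inbound_open_ports "$1")"
    echo "duplicate rule numbers: $(duplicate_rule_numbers "$1")"
    echo "divert precedes filter: $(divert_before_filter "$1")"
}

audit_rules "$SAMPLE_RULES"
```

The duplicate-number check fires on the sample because the rc.firewall above numbers both the SSH rule and the DNS rule 02070; ipfw tolerates that, but it is worth knowing before you ever delete by number. The ordering check fails if either divert rule is renumbered above 02000, which is the mistake that silently breaks NAT while leaving every other rule looking correct.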
Use this however you like, at your own risk; no warranty is provided. If you’d like to use this as source material to make a nice GUI on top of it, please let me know so I can grab it and use it. For now this works very efficiently for me, though an on/off button that automates most of this, plus an installer, would be cool. If I were doing it I would:
- Collect the set of firewall rules in place after starting the Mac OS X default firewall via AppleScript.
- Wrap those rules with the rules necessary to allow Guest VM <-> Mac communication, NAT diversion and packet flow.
- Perform a similar start process to above when a button was pressed.
- Perform a similar stop process to above when a button was pressed (including restart of Mac OS X default firewall via AppleScript).
I have not researched to see how much of this is possible, but my guess is most of it is, or the information to implement the same thing can be gleaned by reading plist files that contain the firewall settings.
December 7th, 2006 at 3:52 pm
The latest build (1970) does include NAT translation - finally works on my Airport!
December 7th, 2006 at 4:21 pm
Thanks for the update!