Mikrotik
akelsey, 2015-07-08 21:27:39

How to filter DNAT/forward in MikroTik/iptables?

I have always set up filtering in the NAT table.
I read that it's better not to, and then got stuck.
Tell me how to do it right, or why the following construction is not viable for me:
1. I want to do MASQUERADE for the entire LAN; let's take the usual 192.168.0.24. Right here we do MASQUERADE - everything works fine from the inside out, but we don't need that.
2. We drop all packets from source LAN to all PPP in the FORWARD chain - fine, nothing works, as it should.
3. Add the rules Filter/Forward/Established - accept, Filter/Forward/Related - accept, Filter/Forward/Invalid - drop (put under the previous rule).
4. Create a DNAT rule: src.address=Allowed, dst.port:22 - dnat 192.168.0.100:22 (placed above everything). I think it should work - and oops, bummer.
SYN reaches the router, SYN/ACK does not arrive at the router.
I want to figure it out, I'm trying to figure it out, but so far it's not going very well (somewhere I have a misunderstanding of conntrack states, but when I try to allow NEW packets from the LAN, they get full Internet access). I ask for help from the community and the iptables/MikroTik gurus. Maybe my scheme is not realizable at all? (allow what you need, deny everything else)
Links to useful documentation with examples of best practices for filtering transit requests are welcome. Otherwise it's easier to move everything back to the NAT table...


3 answer(s)
akelsey, 2015-07-08
@akelsey

Thanks; you just have to ask the question. In any case, my task was cunningly formulated :)
I was fighting on port, say, 5505, and it was being DNATed to 22 :-)
I looked in Wireshark and was stunned by my inattention, because the port had already been substituted, and I was trying to allow the connection to the old port in the FORWARD table.
The whole scheme is viable; not 100% sure yet, but it looks like I'm close. Thanks for the link, I'll take a look.
PS
Yes, I confirm that the error was that the DNAT rule changed the port to another one, and in the Filter table (forward chain) an attempt was made to filter by the old port, although it had already been replaced in DNAT (which is logical). Problem solved, thanks everyone.

efkot, 2015-07-08
@efkot

To begin with, here is how MikroTik processes packets:
wiki.mikrotik.com/images/b/bf/Whats_New_in_MikroTi...
In short: first mangle (set marks) --> then filter --> then nat.
In your case, mark all traffic except what you need (using exclamation points, i.e. negation), then drop everything that is marked, and then your useful traffic goes on to nat; or vice versa, mark the necessary traffic, drop everything that is not marked, and pass the rest on to nat.

EvilMan, 2015-08-20
@EvilMan

Use -m conntrack --ctstate DNAT (you can also optionally use additional switches; the complete list is in iptables -m conntrack --help).
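The mistake the asker found (filtering in FORWARD on the pre-DNAT port) and the two ways to fix it (match the translated port, or accept on --ctstate DNAT as suggested above) can be seen in a small model of the netfilter traversal order: nat/PREROUTING rewrites the destination before filter/FORWARD ever sees the packet. The following is an added example written for this page, not code from the thread or from MikroTik/iptables; it models a single chain pass with simple dict matches and does not run real iptables. The addresses (203.0.113.10 as the "Allowed" host, 198.51.100.1 as the router WAN, 192.168.0.100:22 as the SSH target, port 5505 as the published port) are constructed from documentation ranges, and the iptables commands in comments are the real-world equivalents of each modelled rule.

```python
"""Toy model of the iptables path a forwarded packet takes.

Order modelled (matching the kernel): nat/PREROUTING (DNAT) -> routing
decision -> filter/FORWARD. Conntrack states are carried on the packet.
Constructed example, not code from the original thread.
"""
from dataclasses import dataclass, replace

# Constructed sample addresses (RFC 5737 documentation ranges), assumed for the example.
ALLOWED_SRC = "203.0.113.10"   # the "Allowed" remote host from the question
ROUTER_WAN = "198.51.100.1"    # router's public address
SSH_HOST = "192.168.0.100"     # internal SSH server
LAN_PREFIX = "192.168.0."
PUBLISHED_PORT = 5505          # port the remote host connects to (rewritten to 22 by DNAT)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ctstate: frozenset = frozenset({"NEW"})


def rule_matches(match, pkt):
    """All clauses of a rule must hold (AND semantics, like iptables)."""
    if "src" in match and not pkt.src.startswith(match["src"]):
        return False
    if "dst" in match and pkt.dst != match["dst"]:
        return False
    if "dport" in match and pkt.dport != match["dport"]:
        return False
    if "ctstate" in match and match["ctstate"] not in pkt.ctstate:
        return False
    return True


def nat_prerouting(rules, pkt):
    """First matching DNAT rule rewrites dst/dport; conntrack then flags the flow DNAT."""
    for match, target in rules:
        if rule_matches(match, pkt):
            if target.startswith("DNAT:"):
                new_dst, new_port = target[len("DNAT:"):].rsplit(":", 1)
                return replace(pkt, dst=new_dst, dport=int(new_port),
                               ctstate=pkt.ctstate | {"DNAT"})
            return pkt
    return pkt


def filter_forward(rules, pkt, policy="DROP"):
    """First matching rule wins; chain policy applies if nothing matches."""
    for match, target in rules:
        if rule_matches(match, pkt):
            return target
    return policy


def traverse(nat_rules, forward_rules, pkt):
    """Return (verdict, packet as FORWARD saw it)."""
    translated = nat_prerouting(nat_rules, pkt)
    return filter_forward(forward_rules, translated), translated


# iptables -t nat -A PREROUTING -s 203.0.113.10 -d 198.51.100.1 -p tcp --dport 5505 \
#     -j DNAT --to-destination 192.168.0.100:22
NAT_PREROUTING = [
    ({"src": ALLOWED_SRC, "dst": ROUTER_WAN, "dport": PUBLISHED_PORT}, f"DNAT:{SSH_HOST}:22"),
]

# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
STATE_RULES = [
    ({"ctstate": "ESTABLISHED"}, "ACCEPT"),
    ({"ctstate": "RELATED"}, "ACCEPT"),
    ({"ctstate": "INVALID"}, "DROP"),
]

# Broken (what the question did): match the pre-DNAT port in FORWARD.
# By the time FORWARD runs, dport is already 22, so this rule never fires.
FORWARD_BROKEN = STATE_RULES + [({"src": ALLOWED_SRC, "dst": SSH_HOST, "dport": PUBLISHED_PORT}, "ACCEPT")]

# Fix 1: iptables -A FORWARD -s 203.0.113.10 -d 192.168.0.100 -p tcp --dport 22 -j ACCEPT
FORWARD_FIXED = STATE_RULES + [({"src": ALLOWED_SRC, "dst": SSH_HOST, "dport": 22}, "ACCEPT")]

# Fix 2: iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
# (accept whatever nat/PREROUTING already decided to publish)
FORWARD_CTSTATE_DNAT = STATE_RULES + [({"ctstate": "DNAT"}, "ACCEPT")]


def inbound_ssh_syn():
    """The remote host's SYN as it arrives on the WAN interface."""
    return Packet(src=ALLOWED_SRC, dst=ROUTER_WAN, dport=PUBLISHED_PORT)


def lan_new_outbound():
    """A NEW connection from the LAN to the outside (should stay dropped)."""
    return Packet(src=LAN_PREFIX + "50", dst="198.51.100.200", dport=443)


def verdict(forward_rules, pkt):
    return traverse(NAT_PREROUTING, forward_rules, pkt)[0]


if __name__ == "__main__":
    for name, rules in [("broken", FORWARD_BROKEN), ("fixed", FORWARD_FIXED),
                        ("ctstate DNAT", FORWARD_CTSTATE_DNAT)]:
        v, seen = traverse(NAT_PREROUTING, rules, inbound_ssh_syn())
        print(f"{name:12s}: FORWARD saw dst={seen.dst}:{seen.dport} "
              f"ctstate={sorted(seen.ctstate)} -> {v}")
```

With the broken ruleset the SYN is DNATed and then dropped in FORWARD, which is exactly the "SYN arrives, no SYN/ACK" symptom; either fix accepts it, while a NEW outbound LAN connection still falls through to the DROP policy and an ESTABLISHED one is accepted by the state rules.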
