VPN
@antoo, 2018-08-08 21:52:39

Mikrotik + VPN/iptables: how to forward a port to an external IP?

My provider uses gray addresses + NAT, which does not make it possible to forward the port to the external Internet, so I want to forward the port through the VPN with a white external IP.
Port forwarding is configured on Mikrotik as follows:

/ip firewall nat add action=masquerade chain=srcnat out-interface=my-vpn
/ip firewall nat add action=dst-nat chain=dstnat in-interface=my-vpn protocol=tcp dst-port=5000 log=yes to-addresses=169.254.1.251 to-ports=5000
where 169.254.1.251:5000 is the address of my local server that needs to be forwarded.
The VPN server is configured with a static IP (10.201.0.6) for the router, and running curl http://10.201.0.6:5000 in the VPN server's console shows the content I need.
It remains to add a rule for redirecting traffic on the VPN server; I'm trying to do this:
iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 5000 -j DNAT --to-destination 10.201.0.6:5000
where x.x.x.x is the external IP of the VPN server, but the site does not open via the external IP, although I see that a request is coming to the router and the dst-nat rule is triggered. What am I doing wrong? Thanks in advance.
UPD: I managed to do it through nginx-based proxying, but can it be done directly without it?
server {
  listen 5000;
  location / {
    proxy_pass http://10.201.0.6:5000;
  }
}

2 answer(s)
TyzhSysAdmin, 2018-08-08

1. The 169.254.0.0/16 subnet is not for that.
2. Use 172.16.0.0/12, 192.168.0.0/16 or 10.0.0.0/8.
3. Nginx is a good solution.
4.

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.2:8080
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 8080 -j ACCEPT

and do not forget that you need to enable forwarding in sysctl.
Next.
You receive a packet from the "external" server in which the client's address is indicated, and as a result Mikrotik kicks it off to the "default route", that is, not back into the VPN connection but to the WAN port of the router (well, if it is configured this way; you did not give the routing table).
In order for the replies to go where you need, you need to mark the routes on Mikrotik: mangle them and indicate in the route table where to send it all. For example:
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!169.254.1.0/24 \
    new-routing-mark=WEB-SERVER passthrough=yes protocol=tcp src-address=169.254.1.251 \
    src-port=80

and all external connections will go strictly through the VPN interface.
But!
1. Set the network addressing in accordance with points 1 and 2.
2. Remove all the NATs entirely.
3. Add a route on the VPN server to your network (a /32 is possible).
4. Leave nginx on the VPN server.

Zzzz9, 2018-08-08

A normal DHCP server will not hand out a 169.254.x.x IP; you need a proper address.
About iptables: is routing of transit IP packets actually enabled on the router?
After the packet has been matched in PREROUTING (where, by the way, you need to specify the address of the computer with the listening service), it then needs to be routed from one interface to another, for example:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
(eth0 being the interface that faces the Internet, eth1 the one facing the local network);
if you need to access the service from the local network or from the router, you need a couple more rules.
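The two answers together describe one procedure: use RFC 1918 addressing on the LAN, put a DNAT plus FORWARD rules and ip_forward on the VPN server, route to the LAN instead of NATing a second time, and mark-route the server's replies on the Mikrotik so they go back into the tunnel rather than out the WAN. The script below is an added example written for this thread, not code posted by either answerer: it validates the LAN address the way answer 1 advises (rejecting 169.254.0.0/16) and generates a mutually consistent ruleset for both boxes. The interface names (eth0, tun0), the public address 203.0.113.10, the 192.168.1.0/24 LAN and the use of RouterOS v6 syntax are assumptions; 10.201.0.6, my-vpn and port 5000 come from the question.

```python
# Added example (not from the thread): generate a matching port-forward ruleset for
# Internet -> VPN server (Linux, public IP) -> tunnel -> Mikrotik -> LAN server.
# Interface names, the routing mark and the sample addresses are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def check_lan_address(addr: str) -> str:
    """Refuse link-local (169.254/16) and non-RFC 1918 LAN addresses, as answer 1 advises."""
    ip = ipaddress.ip_address(addr)
    if ip in LINK_LOCAL:
        raise ValueError(f"{addr} is link-local (169.254.0.0/16); use RFC 1918 space instead")
    if not any(ip in net for net in RFC1918):
        raise ValueError(f"{addr} is not in 10/8, 172.16/12 or 192.168/16")
    return str(ip)


@dataclass(frozen=True)
class Forward:
    public_ip: str       # VPN server's public address (x.x.x.x in the question)
    wan_if: str          # VPN server's Internet-facing interface (assumed eth0)
    tun_if: str          # VPN server's tunnel interface (assumed tun0)
    router_vpn_ip: str   # Mikrotik's address inside the tunnel (10.201.0.6 in the question)
    router_vpn_if: str   # tunnel interface name on the Mikrotik (my-vpn in the question)
    lan_net: str         # LAN behind the Mikrotik
    lan_ip: str          # LAN server being published
    port: int
    mark: str = "WEB-SERVER"


def vpn_server_rules(f: Forward) -> List[str]:
    """Linux side: DNAT straight to the LAN host and route the LAN via the tunnel.
    No SNAT is needed: conntrack reverses the DNAT on the reply when it comes
    back through tun0, as long as the reply really does come back that way."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"ip route add {f.lan_net} via {f.router_vpn_ip} dev {f.tun_if}",
        (f"iptables -t nat -A PREROUTING -i {f.wan_if} -d {f.public_ip} -p tcp --dport {f.port} "
         f"-j DNAT --to-destination {f.lan_ip}:{f.port}"),
        (f"iptables -A FORWARD -i {f.wan_if} -o {f.tun_if} -p tcp -d {f.lan_ip} --dport {f.port} "
         f"-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"),
        (f"iptables -A FORWARD -i {f.tun_if} -o {f.wan_if} "
         f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"),
    ]


def mikrotik_rules(f: Forward) -> List[str]:
    """RouterOS (v6 syntax) side: accept the forwarded connection, then send the
    server's replies back through the tunnel instead of the default WAN route.
    No srcnat/masquerade on the tunnel: it would rewrite the reply's source and
    break the conntrack match on the VPN server."""
    return [
        (f"/ip firewall filter add chain=forward in-interface={f.router_vpn_if} protocol=tcp "
         f"dst-address={f.lan_ip} dst-port={f.port} action=accept place-before=0"),
        (f"/ip firewall mangle add chain=prerouting protocol=tcp src-address={f.lan_ip} "
         f"src-port={f.port} dst-address=!{f.lan_net} action=mark-routing "
         f"new-routing-mark={f.mark} passthrough=yes"),
        f"/ip route add dst-address=0.0.0.0/0 gateway={f.router_vpn_if} routing-mark={f.mark}",
    ]


def build(f: Forward) -> Dict[str, List[str]]:
    """Validate the addressing, then emit both sides of the configuration."""
    lan_net = ipaddress.ip_network(f.lan_net)
    lan_ip = ipaddress.ip_address(check_lan_address(f.lan_ip))
    if lan_ip not in lan_net:
        raise ValueError(f"{f.lan_ip} is not inside {f.lan_net}")
    return {"vpn_server": vpn_server_rules(f), "mikrotik": mikrotik_rules(f)}


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.10 is documentation space standing in for x.x.x.x.
    fwd = Forward(public_ip="203.0.113.10", wan_if="eth0", tun_if="tun0",
                  router_vpn_ip="10.201.0.6", router_vpn_if="my-vpn",
                  lan_net="192.168.1.0/24", lan_ip="192.168.1.2", port=5000)
    for side, lines in build(fwd).items():
        print(f"# {side}")
        print("\n".join(lines))
```

The ordering in the output matters on the Mikrotik: the filter rule is placed at the top so it sits above any drop rule, and the mangle mark must exist before the marked route is useful. Running it with lan_ip="169.254.1.251" reproduces answer 1's objection as a ValueError instead of a silently broken forward.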
