Answer the question
In order to leave comments, you need to log in
Redirecting traffic to MikroTik
Initial data:
Local network ( src-address ) : 172.16.66.0/24
Task: Redirect
from
url
: routerpwn.com/info.html to 172.16.66.200:80 74.208.139.97,
I first select all packets for which dst-address == 74.208.139.97
(2) create a rule in L7 for url: routerpwn.com/info.html
(3) mark packets by L7
(4) and redirect to NAT :
What happens: 1-3 passes as expected, but (4) does not work ... I tried to redirect in (4) when
ip firewall mangle add action=jump jump-target=registry chain=prerouting dst-address=74.208.139.97 dst-port=80 protocol=tcp src-address=172.16.66.0/24
ip firewall layer7-protocol add name=routerpwn regexp="^.*(\/info\.html).*(routerpwn\.com).*$"
ip firewall mangle add action=mark-packet chain=registry dst-port=80 layer7-protocol=routerpwn new-packet-mark=registry passthrough=no protocol=tcp src-address=172.16.66.0/24
ip firewall nat add action=dst-nat chain=dstnat dst-port=80 packet-mark=registry protocol=tcp src-address=172.16.66.0/24 to-addresses=172.16.66.200 to-ports=80
dst-address = 74.208.139.97 turns out, it also turns out if in (1) marking packets with dst-address == 74.208.139.97 also happened, but after (3) point and marking the packet by L7 it doesn’t work.
Please help.
UDP: if you remove L7
at step (3) , then everything works out. L7 rule created correctly, checked through ip filter - packets are dropped
Answer the question
In order to leave comments, you need to log in
As a result, I did the following:
1) Added the ip address to the registry list on which the routerpwn.com site is located
/ip firewall address-list add address=74.208.139.97 list=registry
2) If the packet for the ip address is from this list, then I redirect to port 8080 in the Web proxy
/ip firewall nat add action=redirect chain=dstnat comment=registry dst-address-list=registry dst-port=80 protocol=tcp src-address=172.16.66.0/24 to-ports=8080
3) I turn on the proxy on port 8080
/ip proxy set enabled =yes
4) Redirect if the call goes to routerpwn.com/info.html to 172.16.66.200
/ip proxy access add action=deny dst-host=routerpwn.com path=/info.html redirect-to="172.16.66.200\ ?host=routerpwn.com&get=info.html"
Minus: hostname and get request are not passed. For this reason, I pass them in the get parameters for 172.16.66.200 (172.16.66.200?host=routerpwn.com&get=info.html)
I suspect that the first packet (TCP SYN) passed through the nat table, where it was not redirected (because it hasn’t reached L7 yet), and all subsequent packets are already running past the nat table due to connection tracking. Try to disable connection tracking in the raw table for such connections
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question