Mikrotik
Alexander Mikhailov, 2013-10-21 12:13:42

Redirecting traffic on MikroTik

Initial data:
Local network (src-address): 172.16.66.0/24

Task: redirect requests for the URL routerpwn.com/info.html (the site's address is 74.208.139.97) to 172.16.66.200:80.

(1) First I select all packets for which dst-address == 74.208.139.97:

ip firewall mangle add action=jump jump-target=registry chain=prerouting dst-address=74.208.139.97 dst-port=80 protocol=tcp src-address=172.16.66.0/24

(2) Create an L7 rule for the URL routerpwn.com/info.html:

ip firewall layer7-protocol add name=routerpwn regexp="^.*(\/info\.html).*(routerpwn\.com).*$"

(3) Mark the packets by L7:

ip firewall mangle add action=mark-packet chain=registry dst-port=80 layer7-protocol=routerpwn new-packet-mark=registry passthrough=no protocol=tcp src-address=172.16.66.0/24

(4) Redirect in NAT:

ip firewall nat add action=dst-nat chain=dstnat dst-port=80 packet-mark=registry protocol=tcp src-address=172.16.66.0/24 to-addresses=172.16.66.200 to-ports=80

What happens: (1)-(3) work as expected, but (4) does not... I tried redirecting in (4) by dst-address = 74.208.139.97 and it works; it also works if in (1) the packets are marked by dst-address == 74.208.139.97, but after step (3), marking the packet by L7, it does not work.

Please help.

UPD: if L7 is removed at step (3), then everything works. The L7 rule is created correctly; checked via ip filter - packets are dropped.

2 answers
Alexander Mikhailov, 2013-10-25
@chelaxe

As a result, I did the following:
1) Added the IP address the routerpwn.com site is hosted on to the "registry" address list:
/ip firewall address-list add address=74.208.139.97 list=registry
2) If a packet is for an IP address from this list, I redirect it to the web proxy on port 8080:
/ip firewall nat add action=redirect chain=dstnat comment=registry dst-address-list=registry dst-port=80 protocol=tcp src-address=172.16.66.0/24 to-ports=8080
3) Enable the proxy on port 8080:
/ip proxy set enabled=yes
4) Redirect to 172.16.66.200 if the request is for routerpwn.com/info.html:
/ip proxy access add action=deny dst-host=routerpwn.com path=/info.html redirect-to="172.16.66.200\ ?host=routerpwn.com&get=info.html"
Downside: the hostname and the GET request are not passed on. For that reason I pass them as GET parameters to 172.16.66.200 (172.16.66.200?host=routerpwn.com&get=info.html)

alz, 2013-10-21
@alz

I suspect that the first packet (TCP SYN) passed through the nat table, where it was not redirected (because it hasn’t reached L7 yet), and all subsequent packets are already running past the nat table due to connection tracking. Try to disable connection tracking in the raw table for such connections
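The packet-flow explanation in this answer, and the reason the address-list plus web-proxy approach in the answer above sidesteps the problem, can be checked with a small simulation. This is an added example, not code from either poster or from MikroTik: it models a prerouting pipeline with a connection-tracking cache that records the dst-nat decision on the first packet of a connection, feeds it the question's L7 regex, and compares the question's packet-mark-based rule (4) with the accepted answer's address-list rule. The client address 172.16.66.10, the "proxy:8080" label standing in for action=redirect to-ports=8080, and the HTTP request bytes are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Values from the thread; the client address is a constructed LAN host.
LAN_CLIENT = "172.16.66.10"
SITE_IP = "74.208.139.97"          # address routerpwn.com is hosted on, per the thread
REDIRECT_IP = "172.16.66.200"
PROXY = "proxy:8080"               # label for action=redirect to-ports=8080 (router's own web proxy)
# The question's layer7 pattern; re.S lets '.' span the CRLFs of an HTTP request.
L7_REGEX = re.compile(rb"^.*(/info\.html).*(routerpwn\.com).*$", re.S)

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""

@dataclass
class Conn:
    """Connection-tracking entry: accumulated payload for the L7 classifier plus
    the dst-nat decision, which is taken once and then reused for every packet."""
    payload: bytes = b""
    packet_mark: Optional[str] = None
    nat_decided: bool = False
    nat_to: Optional[str] = None     # None after the decision means "no translation"

ConnKey = Tuple[str, str, int]
NatMatch = Callable[[Packet, Conn], bool]   # (packet, conntrack entry) -> rule matches

class Router:
    """Prerouting pipeline: mangle (optional L7 mark) -> nat (dst-nat) -> forward."""

    def __init__(self, nat_rules: List[Tuple[NatMatch, str]], use_l7: bool) -> None:
        self.nat_rules = nat_rules
        self.use_l7 = use_l7
        self.conntrack: Dict[ConnKey, Conn] = {}

    def route(self, pkt: Packet) -> str:
        conn = self.conntrack.setdefault((pkt.src, pkt.dst, pkt.dport), Conn())
        # mangle: the L7 matcher needs payload, so a bare SYN can never earn the mark.
        if self.use_l7:
            conn.payload += pkt.payload
            if conn.packet_mark is None and L7_REGEX.search(conn.payload):
                conn.packet_mark = "registry"
        # nat: consulted only for the first packet; later packets take the cached result.
        if not conn.nat_decided:
            for match, to_addr in self.nat_rules:
                if match(pkt, conn):
                    conn.nat_to = to_addr
                    break
            conn.nat_decided = True
        return conn.nat_to or pkt.dst

def http_flow(router: Router) -> Tuple[List[str], Optional[str]]:
    """Send a SYN and then the GET through the router; return (destinations, final mark)."""
    syn = Packet(LAN_CLIENT, SITE_IP, 80)
    get = Packet(LAN_CLIENT, SITE_IP, 80,
                 b"GET /info.html HTTP/1.1\r\nHost: routerpwn.com\r\n\r\n")  # constructed request
    dests = [router.route(syn), router.route(get)]
    mark = router.conntrack[(LAN_CLIENT, SITE_IP, 80)].packet_mark
    return dests, mark

def l7_marked_nat() -> Tuple[List[str], Optional[str]]:
    """Question's rule (4): dst-nat keyed on the packet-mark that the L7 rule sets."""
    return http_flow(Router([(lambda p, c: c.packet_mark == "registry", REDIRECT_IP)], use_l7=True))

def address_list_nat() -> Tuple[List[str], Optional[str]]:
    """Accepted answer's rule (2): redirect keyed on a destination address-list."""
    registry = {SITE_IP}
    return http_flow(Router([(lambda p, c: p.dst in registry, PROXY)], use_l7=False))

def proxy_access(host: str, path: str) -> Optional[str]:
    """Accepted answer's step (4), done in the web proxy: by now the whole HTTP request
    is available, so Host and path can be matched and a redirect issued."""
    if host == "routerpwn.com" and path == "/info.html":
        return f"http://{REDIRECT_IP}/?host={host}&get={path.lstrip('/')}"
    return None

if __name__ == "__main__":
    print("L7-marked dst-nat     :", l7_marked_nat())
    print("address-list redirect :", address_list_nat())
    print("proxy access rule     :", proxy_access("routerpwn.com", "/info.html"))
```

Running it shows the mark does get set once the GET arrives (which is why steps 1-3 look fine in the question), but the connection keeps the "no translation" decision cached from the SYN, so rule (4) never fires. The address-list rule matches on the SYN itself, and the Host/path check moves into the proxy, which sees the complete request.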
