destination rule - src address list

Hello,

I have several address lists that should be ignored by my destination NAT rules.

It would be fine if more than one address list could be specified; it should also be possible to negate some of the address lists.

Or can I dynamically create a new address list that contains the IP addresses of two or three other address lists (but this would be a waste of memory)? It would be better if the rule could check several address lists.

Or can I add two identical destination NAT rules where only the address list is different?

Sure.

No, it's not possible.

example:
address list 1: block_scanner
address list 2: block_permanent_blacklisted

When there are two rules (the first one only allows IP addresses that are not in block_scanner), this rule will be taken without checking the second one, even if the IP is perhaps on the block_permanent_blacklisted address list.

I think the only way is to generate a third address list that includes all the IP addresses from the block_scanner and block_permanent_blacklisted address lists.
Or the feature from my first post gets implemented, which would not waste memory. :wink:

Instead of allowing IP addresses not in the list, just block those in the list.

Yeah, in the meantime I solved it this way, but it would also be nice if a rule (firewall or NAT) could consider more than one address list. :wink:

Or you can do pretty much anything using chains:

/ip firewall nat
# Every packet in srcnat first visits the custom chain "test".
add action=jump chain=srcnat jump-target=test
# Reached only by packets that come back from "test" without having been accepted there.
add action=masquerade chain=srcnat
# accept ends NAT processing: sources in test1 are never masqueraded.
add action=accept chain=test src-address-list=test1
# return goes back to srcnat, to the rule after the jump (the masquerade).
add action=return chain=test src-address-list=test2
# Several lists in one rule: source in test3 and destination not in test4.
add action=accept chain=test dst-address-list=!test4 src-address-list=test3

Cool, thanks. Why not use the same scheme as for the firewall rules? Good idea. :wink:

For NAT rules there is no DROP available.
A RETURN jumps back to where the jump came from.
Why is there no DROP available for NAT rules?

Is a return equivalent to a drop?

NAT is not for filtering packets but for substituting the SRC/DST/PORTS part of a packet.
Use firewall rules to drop them. Why do you want NAT to do this?
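
Putting the two answers above together for the destination NAT case from the first post, as an added example that is not from the original thread: a custom dstnat chain excludes sources on either of two address lists by returning early, and, because NAT has no drop action, the filter table is where those packets are discarded. The address-list entries, the public address 203.0.113.10, the internal server 192.168.88.10 and port 443 are constructed for illustration; 203.0.113.10 is assumed to be an address of the router itself.

```routeros
# Added example (not from the original thread). All addresses, ports and
# list entries below are constructed for illustration.
/ip firewall address-list
add list=block_scanner address=198.51.100.7 comment="constructed example entry"
add list=block_permanent_blacklisted address=198.51.100.200 comment="constructed example entry"

/ip firewall nat
# Send inbound traffic for the published service into its own chain first.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    action=jump jump-target=dnat-web
# A source on either excluded list leaves the chain here. return continues in
# dstnat with the rule after the jump, so no translation is applied to it.
# A third excluded list is one more return rule, not a merged address list.
add chain=dnat-web src-address-list=block_scanner action=return
add chain=dnat-web src-address-list=block_permanent_blacklisted action=return
# Everyone else is translated to the internal server.
add chain=dnat-web action=dst-nat to-addresses=192.168.88.10 to-ports=443

/ip firewall filter
# NAT cannot drop. With dst-nat skipped the packet is still addressed to the
# router's own 203.0.113.10, so it is handled by the input chain; drop it there.
add chain=input src-address-list=block_scanner action=drop
add chain=input src-address-list=block_permanent_blacklisted action=drop
```

Because the jump rule only matches traffic to 203.0.113.10:443, listed sources skip just this translation and any other dstnat rules still apply to them as before. Check the result with `/ip firewall nat print stats` and `/ip firewall filter print stats` after sending a test connection from an address on one of the lists: the counters on the matching return rule and on the input drop rule should increase, and the dst-nat rule's counter should not.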

OK, thanks. I thought that if the NAT rule could drop the packet, the firewall rules would become a little clearer to read, because there would be fewer rules in them. :wink: