Firewall on Mikrotik box outbound connection?

Hi, is it possible to apply a firewall rule to Mikrotik’s own outbound connections?

My goal is to redirect the DNS port to another port; DNS will be set in IP/DNS to use Mikrotik’s DNS proxy/cache.

So

Mikrotik IP/DNS -> DNS:53 -> some rule -> DNS:5353

Thank you for your help.

Hey, yes it’s possible: you can do it in the NAT table, chain=dst-nat, where you can rewrite the IP AND port.

Indeed, I was a bit too fast. Thanks for the correction @Sob

Not for the router’s own connections, unfortunately:

Dstnat in output chain?

I mean using any sane way; what you can see in that thread doesn’t qualify.

That has a perfectly good reason: DST-NAT is a prerouting feature, which is located on the ingress path of the router (because the redirected packets need to be properly routed to the correct destinations). It is impossible to apply it in the output, postrouting or forward chains, whose routing destinations are already defined.
A mangle rewrite rule would be needed, but rewriting a destination is not an available option in ROS. And even if that were possible, no routing would be performed on those IP packets since they are already on their outgoing interface, and there is no turning back.

Works in Linux, example:

Default route is via eth0 and route to another network is via eth1:

# ip route
10.0.0.0/24 via 10.0.1.1 dev eth1
default via x.y.z.129 dev eth0
...

Initial test with ping:

# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=3.64 ms

In other window on eth0:

# tcpdump -n -i eth0 icmp
...
01:39:36.319944 IP x.y.z.131 > 8.8.8.8: ICMP echo request, id 28722, seq 1, length 64
01:39:36.323559 IP 8.8.8.8 > x.y.z.131: ICMP echo reply, id 28722, seq 1, length 64

Now little magic (RouterOS only wishes it could do this):

# iptables -t nat -A OUTPUT --dst 8.8.8.8 -j DNAT --to-destination 10.0.0.1
# iptables -t nat -A POSTROUTING --src x.y.z.131 --dst 10.0.0.1 -j MASQUERADE

Same ping as before:

# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=3.74 ms

And tcpdump in other window again, but this time on eth1:

# tcpdump -i eth1 icmp
...
01:42:52.129374 IP 10.0.1.10 > 10.0.0.1: ICMP echo request, id 1586, seq 1, length 64
01:42:52.135399 IP 10.0.0.1 > 10.0.1.10: ICMP echo reply, id 1586, seq 1, length 64
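As an added example (not part of the thread, and not Sob’s ruleset above): the Linux equivalent of what the original poster actually wanted, a nat OUTPUT rule that rewrites only the destination port of the router’s own DNS queries, so the stub resolver keeps talking to UPSTREAM:53 while the packets leave for UPSTREAM:5353. The upstream address 203.0.113.53, the chain name HOST_DNS_DNAT and the port 5353 are assumptions. With no argument the script just prints the rules; `apply` installs them (root required) and `remove` takes them out again.

```shell
#!/bin/sh
# Added example, not code from the thread. Linux version of the original
# poster's goal: DNAT in nat/OUTPUT rewrites the port of this host's OWN
# outbound DNS queries (UPSTREAM:53 -> UPSTREAM:5353).
# Assumptions (hypothetical): upstream resolver 203.0.113.53 listens on
# UDP/TCP 5353; HOST_DNS_DNAT is a chain name of our choosing.
set -eu

UPSTREAM="${UPSTREAM:-203.0.113.53}"
FROM_PORT="${FROM_PORT:-53}"
TO_PORT="${TO_PORT:-5353}"
CHAIN="HOST_DNS_DNAT"

# One DNAT rule per protocol. nat/OUTPUT only sees the first packet of a
# flow; conntrack then reverse-maps replies from UPSTREAM:5353 back to
# UPSTREAM:53, so the resolver never notices the rewritten port.
rules_for() {
    proto="$1"
    printf 'iptables -t nat -A %s -p %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$CHAIN" "$proto" "$UPSTREAM" "$FROM_PORT" "$UPSTREAM" "$TO_PORT"
}

# Full rule set: a dedicated chain hooked into nat/OUTPUT (easy to remove),
# UDP and TCP (TCP carries large or truncated answers), matched on the
# upstream address only so other port-53 traffic from the box is untouched.
dns_dnat_rules() {
    printf 'iptables -t nat -N %s\n' "$CHAIN"
    rules_for udp
    rules_for tcp
    printf 'iptables -t nat -A OUTPUT -j %s\n' "$CHAIN"
}

# Undo in reverse order: unhook, flush, delete the chain.
dns_dnat_teardown() {
    printf 'iptables -t nat -D OUTPUT -j %s\n' "$CHAIN"
    printf 'iptables -t nat -F %s\n' "$CHAIN"
    printf 'iptables -t nat -X %s\n' "$CHAIN"
}

# Number of DNAT rules in the generated set (quick self-check).
dns_dnat_rule_count() {
    dns_dnat_rules | grep -c -- '-j DNAT'
}

case "${1:-print}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        dns_dnat_rules | sh -e
        # New NAT rules do not touch flows conntrack already knows about:
        # drop existing DNS entries to the upstream so the next query is
        # re-evaluated (needs conntrack-tools; skipped if absent).
        if command -v conntrack >/dev/null 2>&1; then
            for p in udp tcp; do
                conntrack -D -p "$p" -d "$UPSTREAM" --dport "$FROM_PORT" >/dev/null 2>&1 || true
            done
        fi
        # Verify: per-rule hit counters, then watch the wire for the new port.
        iptables -t nat -L "$CHAIN" -nv
        echo "check with: tcpdump -ni any \"host $UPSTREAM and port $TO_PORT\""
        ;;
    remove)
        dns_dnat_teardown | sh -e
        ;;
    *)
        dns_dnat_rules
        ;;
esac
```

Because the rule only changes the port, no MASQUERADE is needed here, unlike Sob’s ping example where the DNAT moved the destination to another network and the source address chosen before NAT no longer fit the new egress interface.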

I see... so the whole magic is that iptables allows the DST-NAT/REDIRECT action in the OUTPUT chain, which is apparently missing in RouterOS.
I must admit that it sounds useful. Unfortunately, according to RouterOS’ packet-flow diagram, the OUTPUT chain happens straight before POSTROUTING, therefore after the routing decision, while iptables’ packet flow shows that the routing decision occurs within the OUTPUT chain, after NAT and before FILTER.

So who is gonna start the +1 spam which will lead nowhere? :laughing:

RouterOS is (or at least started as) Linux with standard netfilter. So my guess is that it’s probably still in there, just not exposed to us. Because usually it’s not needed, leaving it out didn’t seem like a big deal.

And actually, when you check this image:

The “routing adjustment” is there, which is used for policy routing, where you can route output packets somewhere else than they were supposed to go. So only the NAT part is missing.

I checked it (hey, I practically memorized the whole thing) but dismissed it because it says “This is a workaround that allows to set-up policy routing in mangle chain output”.
If it is just a workaround, I guess it won’t do a proper routing decision. I mean, why would they run the same code twice, right? That would be a waste of CPU cycles.

Maybe they will fix this in ROS 7? That would be pretty sweet :slight_smile:

Rerouting on output works just fine, either by a mangle rule or a routing rule. But dst-nat isn’t available.