Forward source port to another port number

Hello,

Actually I have a router which has a pool of public IP addresses, and we have Linux servers where port 22 is open and a fixed public IP address is directly configured on the servers.

My requirement is that I want to connect to the server from the outside using port 10222, which will then be forwarded to port 22. And I'll close port 22 on the MikroTik and open 10222 instead.

I tried the below, but it's not working.

chain=dstnat action=dst-nat to-addresses=11.22.33.44 to-ports=6922 protocol=tcp 
      dst-address=11.22.33.44 src-port=22 log=yes log-prefix=""

Any idea how this can be implemented on MikroTik?

Thanks

add action=dst-nat chain=dstnat dst-address=[public IP address] dst-port=10222 protocol=tcp to-addresses=[private IP address] to-ports=22 log=yes

Be aware that this is security through obscurity, which is not secure. Is it absolutely necessary to make this service publicly available?

Hi Erlinden,

Yes, I agree, but the requirement is like this and I have to follow it. In fact, I'm not an expert in security, but it was always a debate whether servers should be NATed or assigned a public IP address directly in DMZ environments.

By the way, there is no internal IP address configured on the server. Will it work like this, or can I put the public IP address again like below?

add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=10222 protocol=tcp to-addresses=11.22.33.44 to-ports=22 log=yes

Sorry, then I misunderstood your requirement. You only want to "translate" the port, correct?
Then I think you have to add a source NAT rule together with masquerade. But no clue if there can be some sort of port translation.

Yes, I already tried that but with no solution, and I have not come across any such setup on the MikroTik forum.

But I did try it on a Sophos FW, but the devices were behind NAT. We had a requirement where RDP had to be open, and I had to use PAT.

However, I can connect via 10222 using below.

chain=dstnat action=dst-nat to-ports=22 protocol=tcp dst-address=11.22.33.44 dst-port=10022 log=yes log-prefix=""

But with this configuration, port 22 still has to be open on the IP address, which makes no difference. I think the best option will be to change the SSH port on the server and try some scripts to block attacks.

There’s no problem, this works:

/ip firewall nat
add chain=dstnat dst-address=11.22.33.44 protocol=tcp dst-port=10022 action=dst-nat to-ports=22

But direct access to port 22 will work too, you’ll need to block that, e.g. using this (in case everything is allowed by default):

/ip firewall filter
add chain=forward dst-address=11.22.33.44 protocol=tcp dst-port=22 connection-nat-state=!dstnat action=drop
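As an added illustration (not from the thread and not MikroTik code), this Python model mimics how the router evaluates those two rules: the dstnat chain rewrites the destination port before the forward filter chain ever sees the packet, which is why the drop rule needs connection-nat-state=!dstnat, and why the drop rule must sit above any broad accept rule. The packet dictionaries and rule tables are constructed for the example.

```python
# Constructed model of RouterOS packet processing for the two rules above:
# the dstnat chain runs first and may rewrite dst-port, then the forward filter
# chain evaluates its rules top to bottom and the first match decides.

SERVER = "11.22.33.44"  # public address used in the thread


def dstnat_chain(pkt):
    """Mirrors: add chain=dstnat dst-address=SERVER protocol=tcp
    dst-port=10022 action=dst-nat to-ports=22"""
    if pkt["proto"] == "tcp" and pkt["dst"] == SERVER and pkt["dport"] == 10022:
        return {**pkt, "dport": 22, "nat_state": "dstnat"}  # translated flow
    return {**pkt, "nat_state": None}  # untouched flow


def forward_chain(pkt, rules):
    """First matching rule wins; with no match the chain accepts by default."""
    for match, action in rules:
        if match(pkt):
            return action
    return "accept"


# Sob's drop rule: port 22 traffic that was NOT created by dst-nat
DROP_DIRECT_22 = (
    lambda p: p["proto"] == "tcp" and p["dst"] == SERVER
    and p["dport"] == 22 and p["nat_state"] != "dstnat",
    "drop",
)
# Same rule without connection-nat-state=!dstnat: also kills the translated flow
DROP_ALL_22 = (
    lambda p: p["proto"] == "tcp" and p["dst"] == SERVER and p["dport"] == 22,
    "drop",
)
# A broad accept rule, as often found near the top of a permissive forward chain
ACCEPT_ALL = (lambda p: True, "accept")


def verdict(dport, rules):
    """Verdict for a TCP packet from the internet to SERVER:dport."""
    pkt = {"proto": "tcp", "dst": SERVER, "dport": dport}
    return forward_chain(dstnat_chain(pkt), rules)


if __name__ == "__main__":
    print("10022 ->", verdict(10022, [DROP_DIRECT_22]))                      # accept
    print("22 ->", verdict(22, [DROP_DIRECT_22]))                            # drop
    print("no !dstnat, 10022 ->", verdict(10022, [DROP_ALL_22]))             # drop
    print("drop below accept, 22 ->", verdict(22, [ACCEPT_ALL, DROP_DIRECT_22]))  # accept
```

The last line reproduces the ordering problem: a drop rule placed after a catch-all accept never fires, so it has to be moved to the top of the forward chain.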

Hi Sob,

Yes, this one works, but I had to place the drop rule on top.

Thanks for the help.