IP Firewall

Hello, I have made a web server, and in the NAT firewall I have redirected the client IP to this web server's IP. But what is the difference between the protocols? For example, what happens when I choose
1 (icmp), 2 (igmp), 6 (tcp), 17 (udp), etc.? Don't forget something: I want to redirect this client and stop the internet from working. No MSN, no web browser, nothing.

Thank YOU

Greetings from Miramar Beach, Florida!

Port 80 tcp is the port/protocol to stop/redirect for internet access. And port 25 tcp if you want to stop outbound email (spammers).

OK man, I understand you, but I mean in IP firewall I have selected Protocol 6 (tcp), and in Action the port is 0-65535.

So what is the difference between tcp, icmp, udp?

I don’t understand what you are wanting to do. If you want to redirect a customer’s web requests to another host, you can do (for example):

/ip firewall nat
add chain=dstnat src-address=x.x.x.x protocol=tcp dst-port=80 action=dst-nat to-addresses=y.y.y.y to-ports=80

In this example, any web requests from x.x.x.x will be sent to y.y.y.y.

If you are looking for a tutorial on how to do firewall, then I’d recommend attending a training class that covers firewalling (such as mine for example). Perhaps you can look at something like http://www.learntcpip.com/ for further understanding of what tcp vs udp vs icmp and so forth are all about. Perhaps I’m just not understanding your question.

It helped me. Thank you very much.

/ip firewall nat
add chain=dstnat src-address=x.x.x.x protocol=tcp dst-port=80 action=dst-nat to-addresses=y.y.y.y to-ports=80

I tested your advice, but why doesn’t it work:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat src-address=172.16.100.199 protocol=tcp dst-port=80 action=dst-nat
to-addresses=172.16.100.202 to-ports=80

I can open the website from the PC with IP address 172.16.100.199, but when I open Google, I just get “The connection has timed out”, so it is not redirected to 172.16.100.202.

Ok, this is a different reason and setup. Mikrotik (and any linux router for that matter) cannot do a dst-nat where a packet enters and leaves on the same interface. You will need to set up a web server that exists on another interface on the router.

Something like

add chain=srcnat action=src-nat src-address=172.16.100.0/24 dst-address=172.16.100.202 protocol=tcp to-addresses=gateway.ip to-ports=0-65535

should help.
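
An added illustration, not part of any post in this thread: a small Python model of the packet path for the dst-nat rule printed above, showing what the suggested srcnat rule changes when the client and the redirect target both sit in 172.16.100.0/24. The router address 172.16.100.1, the remote address 203.0.113.10, the client source port and all class and function names are assumptions made for the example.

```python
from dataclasses import dataclass, replace

# CLIENT and SERVER are from the thread; ROUTER and REMOTE are constructed.
CLIENT, SERVER = "172.16.100.199", "172.16.100.202"
ROUTER, REMOTE = "172.16.100.1", "203.0.113.10"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    def __init__(self, hairpin_srcnat):
        self.hairpin_srcnat = hairpin_srcnat
        self.conntrack = {}  # translated reply tuple -> original request

    def forward(self, pkt):
        out = pkt
        # dstnat rule: tcp/80 from CLIENT is sent to SERVER:80
        if pkt.src == CLIENT and pkt.dport == 80:
            out = replace(out, dst=SERVER, dport=80)
        # srcnat rule: traffic towards SERVER leaves with the router's address
        if self.hairpin_srcnat and out.dst == SERVER:
            out = replace(out, src=ROUTER)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reverse(self, reply):
        # Undo both translations for a reply matching a tracked connection
        orig = self.conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def client_sees(hairpin_srcnat):
    router = Router(hairpin_srcnat)
    request = Packet(CLIENT, 40000, REMOTE, 80)  # browser opens a remote site
    at_server = router.forward(request)
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    # CLIENT and SERVER share one subnet, so a reply addressed to CLIENT is
    # delivered on the LAN directly and never passes back through the router.
    if reply.dst == ROUTER:
        reply = router.reverse(reply)
    # The client's TCP stack only accepts a reply from the peer it connected to.
    accepted = (reply.src, reply.sport) == (request.dst, request.dport)
    return reply.src, accepted

if __name__ == "__main__":
    for mode in (False, True):
        print("srcnat rule present:", mode, "->", client_sees(mode))
```

Without the srcnat rule the reply reaches the client with the web server's own source address and is discarded, so the connection times out; with the rule the reply returns through the router, which restores the address the client originally connected to.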

My friend, I have set up a Linux web server, and I have a real IP address, and I have redirected to me; it works well…