Iptables -> Mikrotik

Hello,

I’ve recently been tasked with changing some systems we were handling with Linux over to Mikrotik. I have broken my head around this for two days now, but this is our iptables save:

# Generated by iptables-save v1.8.7 on Mon Apr 4 19:26:03 2022

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:TUNINP - [0:0]
:TUNOUT - [0:0]
:TUNPRE - [0:0]
-A PREROUTING -j TUNPRE
-A INPUT -i gre+ -j TUNINP
-A FORWARD -j TUNOUT
-A OUTPUT -j TUNOUT
-A TUNINP -i gre1 -j CONNMARK --set-xmark 0x1000000/0xff000000
-A TUNINP -i gre2 -j CONNMARK --set-xmark 0x2000000/0xff000000
-A TUNINP -i gre3 -j CONNMARK --set-xmark 0x3000000/0xff000000
-A TUNINP -i gre4 -j CONNMARK --set-xmark 0x4000000/0xff000000
-A TUNINP -i gre5 -j CONNMARK --set-xmark 0x5000000/0xff000000
-A TUNINP -i gre6 -j CONNMARK --set-xmark 0x6000000/0xff000000
-A TUNINP -i gre7 -j CONNMARK --set-xmark 0x7000000/0xff000000
-A TUNOUT -s 10.16.1.224/30 -j CONNMARK --restore-mark --nfmask 0xffffff --ctmask 0xff000000
-A TUNOUT -s 103.259.71.74/32 -j CONNMARK --restore-mark --nfmask 0xffffff --ctmask 0xff000000
-A TUNPRE -i gre+ -j TUNINP
-A TUNPRE -i gre+ -j TUNOUT
-A TUNPRE -m conntrack --ctorigdst 10.16.1.226/30 --ctdir REPLY -j CONNMARK --restore-mark --nfmask 0xffffff --ctmask 0xff000000
-A TUNPRE -m conntrack --ctorigdst 103.259.71.74 --ctdir REPLY -j CONNMARK --restore-mark --nfmask 0xffffff --ctmask 0xff000000
COMMIT

# Completed on Mon Apr 4 19:26:03 2022


What would the equivalent be in Mikrotik rules? Also, is stuff like “gre+” (which refers to all interfaces named gre followed by a number) supported in some way?

Any help is greatly appreciated

Sorry, I deal in English, could care less about Linux speak. Others with Linux experience will hopefully chime in.

State the requirements and a config will pop out naturally.
Identify users/devices or groups of
Identify what traffic they can and cannot conduct.
etc…

We have several GRE tunnels from which we receive traffic. We mark those packets on arrival and route them off, to another server for example; then when they return we route the traffic to the same GRE tunnel we originally received them on, since that's the shortest route back to the user.

I’m not familiar with all these iptables parameters, and RouterOS doesn’t have all of them (too bad they look useful), but you probably want something like (for RouterOS v6):

/ip route
add dst-address=0.0.0.0/0 gateway=gre1 routing-mark=gre1gw
add dst-address=0.0.0.0/0 gateway=gre2 routing-mark=gre2gw
...
/ip firewall address-list
add list=somename address=10.16.1.226/30
add list=somename address=103.259.71.74/32
/ip firewall mangle
add chain=prerouting in-interface=gre1 connection-state=new action=mark-connection new-connection-mark=gre1conn
add chain=prerouting in-interface=gre2 connection-state=new action=mark-connection new-connection-mark=gre2conn
...
add chain=prerouting src-address-list=somename connection-mark=gre1conn action=mark-routing new-routing-mark=gre1gw
add chain=prerouting src-address-list=somename connection-mark=gre2conn action=mark-routing new-routing-mark=gre2gw
...
add chain=output connection-mark=gre1conn action=mark-routing new-routing-mark=gre1gw
add chain=output connection-mark=gre2conn action=mark-routing new-routing-mark=gre2gw
...
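The iptables rules in the first post and the RouterOS sketch in the last reply do the same job: remember which tunnel a connection came in on, and put the reply back out through it. The masks in the iptables version are the part that is hard to read, so here is an added example (not code from either post, and not MikroTik's or netfilter's code) that models the CONNMARK arithmetic in Python and walks one request/reply pair through the TUNINP and TUNPRE chains. The user and server addresses, the second --ctorigdst network (the post's public address is obfuscated and not a valid IPv4 address) and the fwmark-to-table policy routing are assumptions.

```python
"""Offline model of the CONNMARK logic in the iptables rules posted above.

Added example, not code from the original post: it reproduces the netfilter
arithmetic behind CONNMARK --set-xmark and --restore-mark, then walks one
request/reply pair through the TUNINP and TUNPRE chains to show which tunnel
the reply leaves on.  The ip-rule mapping and the sample addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MARK_BITS = 0xFFFFFFFF
TUNNEL_MASK = 0xFF000000                 # set-xmark mask: tunnel number lives in the top byte
NF_MASK = 0x00FFFFFF                     # --nfmask 0xffffff from the post
CT_MASK = 0xFF000000                     # --ctmask 0xff000000 from the post
TUNNELS = {f"gre{n}": n << 24 for n in range(1, 8)}   # gre1..gre7 as in the post

# --ctorigdst networks from the TUNPRE chain.  10.16.1.226/30 is the /30 in the
# post; the second entry is a constructed placeholder (the post's public
# address is obfuscated and not a valid IPv4 address).
CTORIGDST = [ipaddress.ip_network("10.16.1.226/30", strict=False),
             ipaddress.ip_network("192.0.2.10/32")]


def set_xmark(ctmark: int, value: int, mask: int) -> int:
    """CONNMARK --set-xmark value/mask: clear the bits in mask, then XOR value in."""
    return ((ctmark & ~mask) ^ value) & MARK_BITS


def restore_mark(nfmark: int, ctmark: int, nfmask: int, ctmask: int) -> int:
    """CONNMARK --restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MARK_BITS


@dataclass
class Conn:
    """Minimal conntrack entry: original-direction tuple plus its ctmark."""
    orig_src: str
    orig_dst: str
    ctmark: int = 0


class Conntrack:
    """Just enough state for a reply to find the entry its request created."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, str], Conn] = {}

    def find(self, src: str, dst: str) -> Tuple[Conn, bool]:
        """Return (entry, is_reply); an unknown tuple creates an ORIGINAL-direction entry."""
        if (src, dst) in self.table:
            return self.table[(src, dst)], False
        if (dst, src) in self.table:
            return self.table[(dst, src)], True
        conn = self.table[(src, dst)] = Conn(src, dst)
        return conn, False


def tuninp(conn: Conn, in_iface: str) -> None:
    """TUNINP chain: a packet entering on greN stamps N into the top byte of the ctmark."""
    if in_iface in TUNNELS:
        conn.ctmark = set_xmark(conn.ctmark, TUNNELS[in_iface], TUNNEL_MASK)


def tunpre(conn: Conn, is_reply: bool, nfmark: int = 0) -> int:
    """TUNPRE chain: --ctdir REPLY with --ctorigdst in the list restores the tunnel byte."""
    orig_dst = ipaddress.ip_address(conn.orig_dst)
    if is_reply and any(orig_dst in net for net in CTORIGDST):
        return restore_mark(nfmark, conn.ctmark, NF_MASK, CT_MASK)
    return nfmark


def route_by_fwmark(nfmark: int) -> Optional[str]:
    """Assumed policy routing (not shown in the post): fwmark N<<24/0xff000000 -> table greN."""
    iface = f"gre{(nfmark & TUNNEL_MASK) >> 24}"
    return iface if iface in TUNNELS else None


def return_path(in_iface: str, user: str, server: str) -> Optional[str]:
    """Run a request from `user` (arriving on in_iface) and the server's reply through
    the rules; return the tunnel the reply is routed to, or None for normal routing."""
    ct = Conntrack()
    conn, _ = ct.find(user, server)           # request: -i gre+ -> TUNINP
    tuninp(conn, in_iface)
    conn, is_reply = ct.find(server, user)    # reply from the server, ctdir REPLY
    return route_by_fwmark(tunpre(conn, is_reply))


if __name__ == "__main__":
    # Constructed sample flows: the user addresses behind the tunnels are made up.
    print(return_path("gre3", "10.0.3.5", "10.16.1.226"))     # gre3
    print(return_path("gre7", "10.0.7.9", "192.0.2.10"))      # gre7
    print(return_path("gre3", "10.0.3.5", "198.51.100.7"))    # None: dst not in --ctorigdst
```

Two things the model makes visible. First, restore-mark with --nfmask 0xffffff clears the low 24 bits of the packet mark and XORs the top byte of the ctmark in, so any earlier packet mark in the top byte would combine with the tunnel number rather than be replaced; the post's rules rely on the packet mark being zero at that point. Second, RouterOS connection marks are names rather than bit fields, which is why the reply's config needs no masks at all: one mark-connection rule per tunnel (gre1conn, gre2conn, ...) plays the role of the top byte, and mark-routing on that connection mark replaces the restore-mark plus ip-rule step. For the "gre+" question, RouterOS has no interface wildcard, but an `/interface list` containing the GRE interfaces can be matched with `in-interface-list=` in the same mangle rules.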