I need some assistance translating a firewall script from my Tomato (DD-WRT) based router to my new MikroTik setup.
I have 6 additional addresses on my cable modem. The script maps them to private IP addresses and enables incoming/outgoing traffic to pass through the firewall.
Also, is there a RouterOS command equivalent to iptables --list on Linux? It would be helpful to compare the rules on my MikroTik with how they look on the equivalent Tomato router.
Public ip addresses:
xx.xx.xx.121/29
xx.xx.xx.122/29
xx.xx.xx.123/29
xx.xx.xx.124/29
xx.xx.xx.126/29
Private internal ip addresses:
192.168.8.121/24
192.168.8.122/24
192.168.8.123/24
192.168.8.124/24
192.168.8.125/24
192.168.8.126/24
The script
#Define the IP Address
/usr/sbin/ip addr add xx.xx.xx.121/29 dev vlan1
...
/usr/sbin/ip addr add xx.xx.xx.126/29 dev vlan1
#Routing
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 192.168.1.161 -j SNAT --to xx.xx.xx.121/29
...
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 192.168.1.161 -j SNAT --to xx.xx.xx.126/29
#Forward all TCP on xx.xx.xx.121
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.121 -j DNAT --to-destination 192.168.1.164
/usr/sbin/iptables -I FORWARD -p tcp -j ACCEPT
#Forward all UDP on xx.xx.xx.121
/usr/sbin/iptables -t nat -A PREROUTING -p udp -d xx.xx.xx.121 -j DNAT --to-destination 192.168.1.164
/usr/sbin/iptables -I FORWARD -p udp -j ACCEPT
...
#Forward all TCP on xx.xx.xx.126
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.126 -j DNAT --to-destination 192.168.1.164
/usr/sbin/iptables -I FORWARD -p tcp -j ACCEPT
#Forward all UDP on xx.xx.xx.126
/usr/sbin/iptables -t nat -A PREROUTING -p udp -d xx.xx.xx.126 -j DNAT --to-destination 192.168.1.164
/usr/sbin/iptables -I FORWARD -p udp -j ACCEPT
I was able to add the ip address using
WinBox → IP → Addresses
Address: xx.xx.xx.121/29
Network: xx.xx.xx.120
Interface: ether1-gateway
I'm pretty sure these rules go under IP -> Firewall -> NAT, but I'm not sure about translating the PREROUTING, POSTROUTING, DNAT and SNAT rules to the appropriate RouterOS commands.
Any assistance is appreciated.
Thanks
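
The iptables-to-RouterOS mapping the post asks about, shown for one public/private pair as an added example that is not part of the original post. It assumes xx.xx.xx.121 pairs with 192.168.8.121 (taken from the two address lists; the xx octets are the post's own redaction) and that the WAN interface is ether1-gateway; the forward filter rules are deliberately narrower than the script's blanket `-I FORWARD -p tcp -j ACCEPT`.

```routeros
# Added example. Assumed pairing: xx.xx.xx.121 <-> 192.168.8.121.
# Repeat the address and NAT rules for each remaining public/private pair.

# Equivalent of "ip addr add xx.xx.xx.121/29 dev vlan1"
/ip address add address=xx.xx.xx.121/29 interface=ether1-gateway

# iptables "-t nat POSTROUTING ... -j SNAT" maps to chain=srcnat action=src-nat.
# to-addresses takes a plain address, not a /29 prefix.
# This rule must sit above any general masquerade rule in the srcnat chain,
# otherwise the masquerade rule matches first and the host leaves via the
# router's primary address.
/ip firewall nat add chain=srcnat src-address=192.168.8.121 \
    out-interface=ether1-gateway action=src-nat to-addresses=xx.xx.xx.121 \
    comment="1:1 outbound .121"

# iptables "-t nat PREROUTING ... -j DNAT" maps to chain=dstnat action=dst-nat.
# One rule per protocol, matching the script's TCP and UDP forwards.
/ip firewall nat add chain=dstnat dst-address=xx.xx.xx.121 protocol=tcp \
    action=dst-nat to-addresses=192.168.8.121 comment="1:1 inbound tcp .121"
/ip firewall nat add chain=dstnat dst-address=xx.xx.xx.121 protocol=udp \
    action=dst-nat to-addresses=192.168.8.121 comment="1:1 inbound udp .121"

# Forward chain. The script accepts every forwarded TCP and UDP packet;
# here only replies and connections that actually matched a dst-nat rule
# are accepted from the WAN side, and everything else from WAN is dropped.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="allow replies"
/ip firewall filter add chain=forward in-interface=ether1-gateway \
    connection-nat-state=dstnat action=accept comment="allow dst-natted"
/ip firewall filter add chain=forward in-interface=ether1-gateway \
    action=drop comment="drop other WAN-initiated traffic"

# Closest equivalents of "iptables --list" / "iptables -t nat --list"
/ip firewall filter print
/ip firewall nat print
# Full firewall configuration as re-importable commands
/ip firewall export
```

Rule order matters in every chain: check the output of the print commands to confirm the src-nat rules are listed before any masquerade rule and the drop rule is last in forward.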