I want to know if I can know which port I’m using (so I will be able to close all others)
Let's say I have this NAT rule:
chain=dstnat action=dst-nat to-addresses=10.0.0.100 to-ports=30-8000 protocol=tcp dst-address=91.139.1.1/0 in-interface=ppp-out1 dst-port=30-8000
is there any way to know which port is listening in the 10.0.0.100 computer ?
that way I could make a more dedicated rule (just port 1234 and not 30-8000)
can it be done?
is there any way to know which port is listening in the 10.0.0.100 computer ?
What servers are you running on the 10.0.0.100 computer?
If you’re talking about inbound connections made in response to outbound requests (say, requesting a web page from a server on port 80), the inbound connection is made on a high-numbered port: those are tracked as related connections by the firewall if you have connection tracking enabled (it is enabled by default), at least that is my understanding.
That is why the default firewall rules include established and related connections, not just pin-hole ports.
The rule you’re posting looks like you’re trying to send a bunch of traffic to an internal host, like a DMZ, why not just pin-hole the ports/protocols via NAT and firewall filter instead of letting the world through to that host?
I don’t understand what you are trying to explain to me
I have opened a range of ports just to be sure, and after it works I will narrow it to the one I need.
but is there a way to know which ports are open in this computer?
something like netstat?
so I will see if the software is listening on port 556 or port 555, for example?
It sounds like you’re trying to forward an unknown thing. Do you know the service you want available behind the NAT? Is it HTTP, SMTP, or something else?
netstat will tell you what is listening but the typical computer these days is listening to a lot of things.
I will explain my problem
sometime I want to use NAT to forward port
I’m opening all the ports in the router, 0-653422, but I still can’t get to the connected computer.
So I thought maybe there is a way to know which ports are open on the computer.
For example, to use a DVR whose port is 12343, so I will know this port is open and forward all the traffic to it.
The total ports are 65536, from 0 to 65535. so your port range is odd and also invalid.
For security reasons it is best to forward only those ports that are really needed. For the DVR the needed ports should be written in some manual or adjustable in the DVR’s settings.
You can use a port scanner (for example : nmap) to find open ports on some device.
If you really need to open all ports in mikrotik you can use ‘netmap’ to the internal ip.
I meant 65536…
Can you show me how to run netmap or nmap, so I can see its result?
Let’s say I have a router with 10.0.0.1 (Ethernet) and a computer connected to it with IP 10.0.0.100.
now what I need to do?
For nmap you need a server with Linux (there is a Windows version too). Here is an example:
root@clients:/# nmap 192.168.8.2
Starting Nmap 5.00 ( http://nmap.org ) at 2014-08-05 09:10 EEST
Interesting ports on 192.168.8.2:
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
2000/tcp open  callbook
8291/tcp open  unknown
MAC Address: D4:CA:6D:F9:C8:DD (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
And here is an example if you really want to redirect all ports:
/ip firewall nat add chain=dstnat dst-address=1.1.1.1 action=netmap to-addresses=2.2.2.2
In this example 1.1.1.1 is your public IP, 2.2.2.2 is the IP of the DVR.
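The nmap run above is a TCP connect scan of the host's most common ports (nmap's default is its top 1000 ports; `nmap -p-` covers all 65535). As an added example that is not part of this thread and not the poster's code, the script below does the same thing in plain Python: it completes a TCP handshake against each port and reports the ones that accept, which is exactly what you want to know before narrowing a `30-8000` forward down to a single port. To keep it runnable offline it also starts its own constructed listeners on 127.0.0.1 and scans those; in practice you would run `scan_ports("10.0.0.100", range(1, 65536))` from another machine on the same LAN. The `dstnat_rule` helper is my own assumption about the shape of the narrowed rule, modelled on the rule quoted at the top of the thread, and the interface/address values in it are placeholders.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Return True if a full TCP three-way handshake to host:port completes.

    This is the idea behind nmap's connect scan (-sT): it needs no raw sockets,
    so it works as an unprivileged user, at the cost of leaving a visible
    connection in the target's logs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ECONNREFUSED, timeout, unreachable, ...
        return False


def scan_ports(host, ports, timeout=0.5, workers=64):
    """Connect-scan `ports` on `host` in parallel; return the sorted open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def dstnat_rule(in_interface, public_ip, internal_ip, port):
    """Build a single-port RouterOS dstnat rule (assumed shape, based on the
    rule quoted in the thread; replace the placeholder values with your own)."""
    return (
        "/ip firewall nat add chain=dstnat action=dst-nat "
        f"protocol=tcp in-interface={in_interface} dst-address={public_ip} "
        f"dst-port={port} to-addresses={internal_ip} to-ports={port}"
    )


def start_listener(host="127.0.0.1"):
    """Constructed fixture: a TCP listener on an OS-chosen port.

    A listening socket completes handshakes into its backlog even if nothing
    calls accept(), which is all a connect scan needs to see it as open.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo():
    """Stand up two listeners plus one port that is deliberately closed,
    scan all three, and return (found_open_ports, expected_open_ports)."""
    srv_a, port_a = start_listener()
    srv_b, port_b = start_listener()
    tmp, closed_port = start_listener()
    tmp.close()  # now nothing listens there -> connect gets ECONNREFUSED
    try:
        found = scan_ports("127.0.0.1", [port_a, port_b, closed_port])
    finally:
        srv_a.close()
        srv_b.close()
    return found, sorted([port_a, port_b])


if __name__ == "__main__":
    found, expected = demo()
    print("open ports:", found, "(expected", expected, ")")
    for p in found:
        # Forward only what is actually listening, one rule per port.
        print(dstnat_rule("ppp-out1", "91.139.1.1", "10.0.0.100", p))
```

Scanning from the LAN side tells you what the host listens on, which is the number to put in a dedicated `dst-port=`/`to-ports=` rule instead of a range; a scan against the public address afterwards confirms the forward itself works.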
OK, thanks.
can I run this on the terminal inside the mikrotik router?