prerouting & forwarding rule

Hi,

I want to establish a listening TCP port on my Mikrotik that will be forwarded to another target.

iptables -t nat -A PREROUTING -p tcp -i lan --dport 8001 -j DNAT --to-destination 1.2.3.4:8080
iptables -A FORWARD -p tcp -d 1.2.3.4 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I created a mangle rule with prerouting but there I can’t find the DNAT option.

Is there any example how it works on Mikrotik?

Thanks very much.

On Mikrotik, the PREROUTING and POSTROUTING chains in table nat have been renamed to dstnat and srcnat, respectively. So using the Mikrotik syntax, your iptables commands look as follows:
/ip firewall nat add chain=dstnat in-interface=lan protocol=tcp dst-port=8001 action=dst-nat to-addresses=1.2.3.4 to-ports=8080
/ip firewall filter add chain=forward protocol=tcp dst-address=1.2.3.4 dst-port=8080 connection-state=new,established,related action=accept

However, since both the dst-nat rule and the accept rule match on just destination address and port, you can simplify the filter rule:
/ip firewall filter add chain=forward connection-nat-state=dstnat action=accept
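The mapping described in the answer above, written out as an added example that is not part of the original thread: a small Python translator for this subset of iptables options. The function name `iptables_to_routeros` and the set of supported options are assumptions of the example; anything outside that set is rejected rather than guessed.

```python
import shlex

# nat PREROUTING/POSTROUTING are called dstnat/srcnat on RouterOS.
CHAINS = {"PREROUTING": "dstnat", "POSTROUTING": "srcnat",
          "FORWARD": "forward", "INPUT": "input", "OUTPUT": "output"}
# iptables options that map one-to-one onto a RouterOS rule property.
OPTIONS = {"-p": "protocol", "-i": "in-interface", "-o": "out-interface",
           "-s": "src-address", "-d": "dst-address",
           "--dport": "dst-port", "--sport": "src-port"}
ACTIONS = {"ACCEPT": "accept", "DROP": "drop", "DNAT": "dst-nat"}


def iptables_to_routeros(rule):
    """Translate one 'iptables -A ...' line; raise ValueError if unsupported."""
    tokens = shlex.split(rule)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    table, props = "filter", []
    it = iter(tokens)
    try:
        for tok in it:
            if tok == "-t":
                table = next(it)
            elif tok == "-A":
                props.append("chain=" + CHAINS[next(it)])
            elif tok in OPTIONS:
                # iptables writes port ranges as 8000:8010, RouterOS as 8000-8010
                value = next(it).replace(":", "-") if "port" in tok else next(it)
                props.append(f"{OPTIONS[tok]}={value}")
            elif tok == "-m":
                next(it)  # module name; the properties themselves carry the match
            elif tok == "--state":
                props.append("connection-state=" + next(it).lower())
            elif tok == "-j":
                props.append("action=" + ACTIONS[next(it)])
            elif tok == "--to-destination":
                addr, _, port = next(it).partition(":")
                props.append("to-addresses=" + addr)
                if port:
                    props.append("to-ports=" + port)
            else:
                raise ValueError(f"unsupported option: {tok}")
    except (KeyError, StopIteration) as exc:
        raise ValueError(f"cannot translate rule: {rule!r}") from exc
    if table not in ("nat", "filter"):
        raise ValueError(f"unsupported table: {table}")
    return f"/ip firewall {table} add " + " ".join(props)


if __name__ == "__main__":
    print(iptables_to_routeros("iptables -t nat -A PREROUTING -p tcp -i lan "
                               "--dport 8001 -j DNAT --to-destination 1.2.3.4:8080"))
```

Rejecting unknown options matters here: silently dropping a matcher would produce a broader rule than the iptables original.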

Thanks, it works :)

But it is strange that I can see an established connection only from 192.168.1.10 to 192.168.1.1:8001 but not the TCP connection to the target 1.2.3.4:8080.
Update: OK, but the log of the firewall filter shows the correct source-destination IP addresses.