Hi there,
I have these NAT rules set up:
2 ;;; KB
chain=dstnat in-interface=Publica protocol=tcp dst-port=9000 action=dst-nat to-addresses=10.0.2.2 to-ports=9000
3 ;;; Kb from inside
chain=dstnat in-interface=Local protocol=tcp dst-port=9000 dst-address-list=IP-locales action=dst-nat to-addresses=10.0.2.2
to-ports=9000
4 chain=srcnat out-interface=Local protocol=tcp dst-port=9000 action=src-nat to-addresses=10.0.2.209 to-ports=0-65535
#2 forwards port 9000 to a local server, and #3 and 4 allow users in the internal network to write dynhost.mydomain:9000 and get to the same place as writing 10.0.2.2:9000 in their browsers. (They otherwise cannot resolve my own hostname from inside this network.)
But the catch is that the Apache running in that box asks for authentication when the connection comes from outside my local network, but with these #3-4 rules active authentication is not required, even when accessing from outside the office, let's say from my home for example.
And when I disable those 2 rules, authentication is enforced again.
Any ideas about how to keep the rules active and the security policies enforced when coming from outside my network?
Thanks a lot – Sergio
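To see why enabling the hairpin rules removes Apache's password prompt for outside users, here is a small Python model of how RouterOS walks the dstnat and srcnat chains for the first packet of a connection. It is an added example written for this page, not code from the thread or from MikroTik. It assumes the LAN is 10.0.2.0/24 behind the `Local` interface, the router's LAN address is 10.0.2.209 (the `to-addresses` of rule 4), the public address is 200.235.6.240 (given later in the thread), that the `IP-locales` address list holds that public address, and that Apache decides whether to ask for a password from the client source address it sees; the two client addresses are made up. The rule set labelled "fixed" is my suggestion, not something proposed in the thread: it adds a `src-address=10.0.2.0/24` matcher to the srcnat rule so it only rewrites connections that actually originated inside.

```python
"""Model of how RouterOS evaluates the NAT rules posted in this thread.

Added illustration, not code from the thread or from MikroTik.
Assumptions: LAN 10.0.2.0/24 on "Local", router LAN address 10.0.2.209,
WAN interface "Publica" with address 200.235.6.240, Apache on 10.0.2.2
skips the password only for LAN source addresses. Clients are made up.
"""
import ipaddress

LAN = ipaddress.ip_network("10.0.2.0/24")        # assumed LAN prefix
ROUTER_LAN_IP = "10.0.2.209"                      # to-addresses of rule 4 on the page
PUBLIC_IP = "200.235.6.240"                       # public address given in the thread
ADDRESS_LISTS = {"IP-locales": [PUBLIC_IP]}       # assumed content of the DDNS-maintained list

# Rules as posted: masquerade, KB from outside (#2), KB from inside (#3), hairpin src-nat (#4).
RULES_AS_POSTED = [
    {"chain": "srcnat", "out-interface": "Publica", "action": "masquerade"},
    {"chain": "dstnat", "in-interface": "Publica", "protocol": "tcp", "dst-port": 9000,
     "action": "dst-nat", "to-addresses": "10.0.2.2", "to-ports": 9000},
    {"chain": "dstnat", "in-interface": "Local", "protocol": "tcp", "dst-port": 9000,
     "dst-address-list": "IP-locales", "action": "dst-nat", "to-addresses": "10.0.2.2",
     "to-ports": 9000},
    {"chain": "srcnat", "out-interface": "Local", "protocol": "tcp", "dst-port": 9000,
     "action": "src-nat", "to-addresses": ROUTER_LAN_IP},
]

# Suggested fix (mine, not from the thread): the hairpin src-nat only matches
# connections whose source is on the LAN, so outside clients keep their real address.
RULES_FIXED = RULES_AS_POSTED[:3] + [{**RULES_AS_POSTED[3], "src-address": str(LAN)}]


def out_interface(dst: str) -> str:
    """Routing decision: LAN destinations leave on Local, everything else on Publica."""
    return "Local" if ipaddress.ip_address(dst) in LAN else "Publica"


def matches(rule: dict, pkt: dict) -> bool:
    """Apply the RouterOS matchers used on the page; an absent matcher matches anything."""
    for key in ("in-interface", "out-interface", "protocol", "dst-port"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "dst-address" in rule and pkt["dst"] != rule["dst-address"]:
        return False
    if "dst-address-list" in rule and pkt["dst"] not in ADDRESS_LISTS[rule["dst-address-list"]]:
        return False
    if "src-address" in rule:
        allowed = ipaddress.ip_network(rule["src-address"], strict=False)
        if ipaddress.ip_address(pkt["src"]) not in allowed:
            return False
    return True


def apply_nat(rules: list, pkt: dict) -> dict:
    """First packet of a connection: dstnat chain before routing, srcnat chain after.
    In each chain the first rule whose matchers fit is applied, as in RouterOS."""
    pkt = dict(pkt)
    for r in rules:
        if r["chain"] == "dstnat" and matches(r, pkt):
            pkt["dst"] = r["to-addresses"]
            pkt["dst-port"] = r.get("to-ports", pkt["dst-port"])
            break
    pkt["out-interface"] = out_interface(pkt["dst"])
    for r in rules:
        if r["chain"] == "srcnat" and matches(r, pkt):
            if r["action"] == "masquerade":
                # masquerade uses the address of the interface the packet leaves on
                pkt["src"] = PUBLIC_IP if pkt["out-interface"] == "Publica" else ROUTER_LAN_IP
            else:
                pkt["src"] = r["to-addresses"]
            break
    return pkt


def apache_asks_for_password(pkt: dict) -> bool:
    """Apache policy described in the thread: no password for LAN clients, password otherwise."""
    return ipaddress.ip_address(pkt["src"]) not in LAN


# Constructed sample connections, both aimed at dynhost.mydomain:9000 (the public address).
EXTERNAL_CLIENT = {"src": "190.0.0.10", "dst": PUBLIC_IP, "dst-port": 9000,
                   "protocol": "tcp", "in-interface": "Publica"}
INTERNAL_CLIENT = {"src": "10.0.2.50", "dst": PUBLIC_IP, "dst-port": 9000,
                   "protocol": "tcp", "in-interface": "Local"}

if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        for name, client in (("external", EXTERNAL_CLIENT), ("internal", INTERNAL_CLIENT)):
            out = apply_nat(rules, client)
            print(f"{label:9} {name}: server sees {out['src']} -> {out['dst']}:{out['dst-port']},"
                  f" password required: {apache_asks_for_password(out)}")
```

With the rules as posted, the srcnat rule has no `src-address` matcher, so it fires for every connection leaving on `Local` towards port 9000, including the ones rule #2 just dst-nat'd from `Publica`; Apache then sees 10.0.2.209 for everybody and never asks for a password. With the `src-address` matcher added, the internal hairpin still works (the server still sees the router's address, so its reply comes back through the router) while external clients reach the server with their real source address and get the password prompt.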
sergiom99 -
First thing that comes to mind is - why don’t you have a static public IP if you are running services for users??
Aside from that…
Since your users appear to be using 'dynhost.mydomain' as their DNS name…you could simply remove the in-interface in rule #2 and that should do it…the other two rules would not be needed.
The reason there is no ‘internal’ authentication is because you have the src-addr of the client being src-nat’d to that of the router (rule #4), once someone authenticates once then the MAC /IP of the router is authenticated - every other user that uses your internal network will then be authenticated because the MAC and IP are still the same as the router MAC /IP…
R/
Thanks galaxynet for your reply!
Those rules (#3 and 4) came from this thread: http://forum.mikrotik.com/t/how-to-nat-from-a-hostname/15922/1
I tried removing the in-interface in #2 but it didn't work. I am not sure I explained this clearly enough since I'm not an English speaker:
I need rule #2 to access this server from outside. And based on suggestions given in the aforementioned thread, I set up rules #3-4, to write "xxx.domain:9000" inside my network (as opposed to "10.0.2.2:9000" as I should do without those rules) as I do from outside it.
Now, the authentication is not supposed to be enforced by the ROS box, but by the 10.0.2.202 server's Apache. When a request comes from outside the network, it asks for user/pass. When it comes from inside, no password is required.
But with rules #3-4 enabled, this does not happen and no one is required to authenticate (neither from inside nor from outside).
I don't have a static IP, b/c this is only an internal tool, not a service we provide for customers or anything. We just need to check these pages from inside or outside, and we used to do it by using this URL "xxx.domain.com:9000" when iptables was set up before Mikrotik. Once we switched to ROS, this setup stopped working.
Thanks a lot for reading this and replying in the first place!!
sergiom99 -
Ok - I see where you are going - let me think on this a little… I see you got ChangeIP’s script for dynamically updating your IP - that’s good!
I’ll get back to you.
R/
Sergiom99
This is what I use and I can see my servers inside and out by the public name or IP.
12 XServer NAME comment
chain=srcnat action=src-nat to-addresses=xxx.xxx.xxx.xxx.xxx to-ports=0-65535 src-address=192.168.1.2
13 chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=0-65535 dst-address=xxx.xxx.xxx.xxx
So, using ChangeIP’s script, you should be able to use the above and make it work as expected…
I am not using any authentication on the web server - I do use SSH quite frequently and it does make me authenticate from each and every machine…
There is of course always the alternative - you could add a static entry in your /ip DNS that points to the webserver on its internal IP by its name - http://www.mydomain.com = 10.15.1.2 - that way 'mydomain.com' would have the correct IP from inside. As to outside and NAT'ing - that should be fine via ChangeIP's script and NAT will take care of the rest… It will be interesting to see how the script for DDNS and a static entry will work together…
R/
Thanks Thom for all your help! much appreciated.
With these rules you posted, I have all ports forwarded to one server. The thing is I have several different ports for different machines (i.e.: 3000 for webmail, 8330 for VMware, 400x for VNC(s), and so on).
How would this work then?
sergiom99 -
You would just use the dst-port portion of the nat rules;
chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=0-65535 dst-address=xxx.xxx.xxx.xxx
should look similar to this;
chain=dstnat protocol=tcp dst-port=9000 action=dst-nat to-addresses=192.168.1.2 to-ports=9000 dst-address=xxx.xxx.xxx.xxx
As you can see from the above example - the dst-address AND the dst-port are going to ‘trigger’ where the packet is going to end up at. Different port numbers with the same dst-IP address can go to different places. Same goes for a different dst-IP with the same port number - it can go to a different server as well.
Hope this helps.
R/
Hi Thom, I've set up these rules (one version at a time) but neither succeeded in letting me write kb.domain.com:9000 from inside my network and have it be the same as writing 10.0.2.2:9000.
5 ;;; the KB from inside?
chain=dstnat dst-address=200.235.6.240 protocol=tcp dst-port=9000
action=dst-nat to-addresses=10.0.2.2 to-ports=9000
where 200.xxxx is my Public IP.
or
5 ;;; the KB from inside?
chain=dstnat protocol=tcp dst-port=9000 dst-address-list=IP-locales
action=dst-nat to-addresses=10.0.2.2 to-ports=9000
Where IP-locales is an IP list updated by a DynDNS script with my Public IP.
The other relevant Rule for this port is
5 ;;; KB from outside
chain=dstnat protocol=tcp dst-port=9000 action=dst-nat
to-addresses=10.0.2.2 to-ports=9000
to NAT the external requests.
Thanks a lot for all your patience and for guiding me.
Cheers- Sergio
Update: If I write "http://200.235.6.240:9000" I also get nowhere from inside my network.
I tried with /ip dns static print:
3 kb.domain.com.ar 200.235.6.240 14w1d
or
3 kb.domain.com.ar 10.0.2.2 14w1d
to no avail
sergiom99 -
I see your rules above - question - when you added these rules - what about the other rules before them? Rule order is critical in achieving your goal - so how about posting your rules (nat rules) from 0 to say 10, and let’s see what you have and we’ll figure out how to get your rules in the right order with the right info in them.
Hey Thom here are my NAT Rules:
1 ;;; NAT the internal network for outbound access
chain=srcnat out-interface=Publica action=masquerade
2 X ;;; Oracle a Indy
chain=dstnat in-interface=Publica protocol=tcp dst-port=1528
action=dst-nat to-addresses=10.0.2.2 to-ports=1528
3 ;;; VMWare Web
chain=dstnat in-interface=Publica protocol=tcp dst-port=8323
action=dst-nat to-addresses=10.0.2.202 to-ports=8323
4 ;;; VMWare Consola
chain=dstnat in-interface=Publica protocol=tcp dst-port=9002
action=dst-nat to-addresses=10.0.2.202 to-ports=9002
5 ;;; KB from outside
chain=dstnat protocol=tcp dst-port=9000 action=dst-nat
to-addresses=10.0.2.2 to-ports=9000
6 X ;;; Kb from inside (?1)
chain=dstnat dst-address=200.235.6.240 protocol=tcp dst-port=9000
action=dst-nat to-addresses=10.0.2.2 to-ports=9000
7 X ;;; Kb from inside (?2)
chain=dstnat in-interface=Local protocol=tcp dst-port=9000
dst-address-list=IP-locales action=dst-nat to-addresses=10.0.2.2
to-ports=9000
8 X chain=srcnat out-interface=Local protocol=tcp dst-port=9000 action=src-nat
to-addresses=10.0.2.209 to-ports=0-65535
9 ;;; Webmail from inside
chain=dstnat in-interface=Local protocol=tcp dst-port=2000
dst-address-list=IP-locales action=dst-nat to-addresses=10.0.2.200
to-ports=2000
10 chain=srcnat out-interface=Local protocol=tcp dst-port=2000 action=src-nat
to-addresses=10.0.2.209 to-ports=0-65535
11 ;;; Webmail
chain=dstnat in-interface=Publica protocol=tcp dst-port=2000
Remember that with rules #7 & 8 enabled, Apache's authentication from outside my network is not enforced.
Thanks for all your help dude.
sergiom99 -
Well I can see what the issue is - your src-nat rule - masquerade.
While using masq does save you a lot of trouble in keeping track of your ‘public’ IP it is not helping you with your current issue…
Perhaps we could use the script that ChangeIP gave you and set the IP and use src-nat , to-addresses= ‘script output IP address’
So basically it would look like this;
chain=srcnat action=src-nat to-addresses=xxx.xxx.xxx.xxx.xxx to-ports=0-65535 src-address=10.0.2.2
Where xxx.xxx.xxx.xxx would be the address provided by ChangeIP’s script for detecting your current public IP address. This would create an entry in the routing / nat’ing table to correctly nat the connection for that IP - your public IP on port 9000 only to 10.0.2.2 port 9000. We are not concerned with the ’ to-port= ’ parameter as the dst-nat rule makes sure only port 9000 gets dst-nat’d to 10.0.2.2 - the reply port is set to whatever the requesting CPU came in on (port number greater than 1024).
Then place rule #1, your src / masq rule after this ‘new’ src-nat rule.
As a point, src-nat and dst-nat are two different tables - so the rules just have to be in the correct order in their group - src or dst nat - just thought I’d throw that in as a reminder…
R/
With these rules
0 chain=srcnat action=src-nat to-addresses=200.235.6.240 to-ports=0-65535 src-address=10.0.2.2
1 ;;; NAT the internal network for outbound access
chain=srcnat out-interface=Publica action=masquerade
2 X ;;; Oracle a Indy
chain=dstnat in-interface=Publica protocol=tcp dst-port=1528
action=dst-nat to-addresses=10.0.2.2 to-ports=1528
3 ;;; VMWare Web
chain=dstnat in-interface=Publica protocol=tcp dst-port=8323
action=dst-nat to-addresses=10.0.2.202 to-ports=8323
4 ;;; VMWare Consola
chain=dstnat in-interface=Publica protocol=tcp dst-port=9002
action=dst-nat to-addresses=10.0.2.202 to-ports=9002
5 ;;; KB from outside
chain=dstnat protocol=tcp dst-port=9000 action=dst-nat
to-addresses=10.0.2.2 to-ports=9000
6 X ;;; Kb from inside (?1)
chain=dstnat dst-address=200.235.6.240 protocol=tcp dst-port=9000
action=dst-nat to-addresses=10.0.2.2 to-ports=9000
7 X ;;; Kb from inside (?2)
chain=dstnat in-interface=Local protocol=tcp dst-port=9000
dst-address-list=IP-locales action=dst-nat to-addresses=10.0.2.2
to-ports=9000
8 X chain=srcnat out-interface=Local protocol=tcp dst-port=9000 action=src-nat
to-addresses=10.0.2.209 to-ports=0-65535
9 ;;; Webmail from inside
chain=dstnat in-interface=Local protocol=tcp dst-port=2000
dst-address-list=IP-locales action=dst-nat to-addresses=10.0.2.200
to-ports=2000
10 chain=srcnat out-interface=Local protocol=tcp dst-port=2000 action=src-nat
to-addresses=10.0.2.209 to-ports=0-65535
11 ;;; Webmail
chain=dstnat in-interface=Publica protocol=tcp dst-port=2000
and then trying to enable rules 7 & 8 I am not getting there. I also tried without enabling 7-8.
Thanks Thom.
Regards- Sergio
sergiom99 -
Are your servers and CPUs using this device (the router) as their gateway?
Thom
Yes, it's the only gateway in the net.
I have a W2k domain/DHCP/DNS server though, but I guess it's not involved in this issue.