sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

how to NAT from a hostname

Fri Sep 14, 2007 5:27 am

Hi there.
I am trying to write a firewall rule like the one I have on an old Linux box with iptables, which handles requests sent to a specific hostname. I didn't find a way to write names in RouterOS; it asks me for IPs.
How can I create something like this?

$IPTABLES -t nat -A PREROUTING -i $INTIF \
-p tcp -d host.domain.com.ar --dport 8333 -j DNAT --to 10.0.2.202:8333

Thanks for your help!!
Regards- Sergio
 
ashish
Long time Member
Posts: 546
Joined: Mon Feb 12, 2007 5:50 am
Location: Virginia, USA.

Re: how to NAT from a hostname

Fri Sep 14, 2007 9:51 am

Apply,

/ip firewall nat
# dst-address: host.domain.com.ar, or the IP address of the site
add chain=dstnat dst-address=<IP address of the site> protocol=tcp dst-port=8333 \
    action=dst-nat to-addresses=10.0.2.202 to-ports=8333

ASHISH
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Fri Sep 14, 2007 4:43 pm

Thanks, ashish, for your reply,
but when I tried to do this from Winbox, it won't let me add a "non-IP" dst-address.
I will try this.

Regards!
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Fri Sep 14, 2007 6:31 pm

When I type the command, I get this error message.
Thanks for your help!
[admin@MikroTik] > /ip firewall nat add chain=dst-nat dst-address=name.me.com.ar dst-port=8333 action=dst-nat to-address=10.0.2.202:8333
value of range expects range of ip addresses
[admin@MikroTik] >
What I am trying to do is forward the VMware console port, so that when I access http://host.me.com.ar:8333 I get to 10.0.2.202:8333.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: how to NAT from a hostname

Mon Sep 17, 2007 10:12 am

You can use scripting to achieve what you want (if your IP address changes from time to time): run a script that resolves your hostname, deletes the old rule (if the address has changed) and adds a new one.

See the scripting section of the forum and read the manual about scripting:
http://www.mikrotik.com/testdocs/ros/2. ... ipting.php
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Mon Sep 17, 2007 3:43 pm

I see.
I will try to make something out of scripting.

Thanks!
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Mon Sep 17, 2007 9:21 pm

I cannot make any sense of it.
This is what I have made so far with this test script:
:global pub-ip [/ip address get [/ip address find interface=Publica] address]
:global tuero "me.host.com.ar"

:global tuero-ip [:resolve $tuero]

:if ($pub-ip = $tuero-ip) do={
    :put "son iguales"
} else={
    :put "son diferentes"
}
I always get these values:
tuero-ip=221.231.113.178
pub-ip=221.231.113.178/24
so they're always different because of the trailing "/24".
How can I trim that? And how do I continue the script to update a certain filter rule?

What I need to do is (perhaps there's no need to use a script?):
Now, inside my network, when I want to go to http://me.host.com.ar:9000 I get a "no response" page. If I put http://10.0.2.2:9000 I get the page.
And if from outside this network (i.e. home) I write http://me.host.com.ar:9000 I get the right page.
me.host.com.ar = host.change-ip.net, because of my dynamic cable IP.

Thanks a lot for your help!
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Re: how to NAT from a hostname

Tue Sep 18, 2007 9:23 am

Sounds like you have a DSL uplink with a dynamic name?
If yes, you could just scrap that scripting and use the in-interface value in the dst-nat rule instead. Then you would be independent of the IP address you currently have...

Best regards,
Christian Meis
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Tue Sep 18, 2007 5:16 pm

Yes, I have a cable modem with a non-static IP.
I made a rule like this one, but it's not working:
;;; Transparent D-nat?
     chain=dstnat in-interface=Local protocol=tcp dst-port=2000 action=dst-nat to-addresses=10.0.2.200 to-ports=2000
On the old Linux box I am trying to replace, we had a rule like this one:
# Transparent Proxy / NAT
# LocalNet to me.host.com.ar
  echo tuero 2000
  $IPTABLES -t nat -A PREROUTING -i $INTIF \
            -p tcp -d me.host.com.ar --dport 2000 -j DNAT --to 10.0.2.200:2000
So every time we tried to access http://me.host.com.ar:2000 I got to where I meant to go.
Now I can't.
But it works just fine from outside my network.

Thanks y'all for your help to this noob! :D
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Mon Sep 24, 2007 8:57 pm

I'd be glad to hear your suggestions.
Thanks y'all. :D
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Tue Oct 09, 2007 11:28 pm

Does anyone have any ideas?

I've tried a hundred different combinations of firewall and NAT rules, much to my despair, but none have worked.
I still can't resolve my own hostname inside my network.

And old-time users are getting pissed! :shock:
What I need to do is (perhaps there's no need to use a script?):
Now, inside my network, when I want to go to http://me.host.com.ar:9000 I get a "no response" page. If I put http://10.0.2.2:9000 I get the page.
And if from outside this network (i.e. home) I write http://me.host.com.ar:9000 I get the right page.
me.host.com.ar = host.change-ip.net, because of my dynamic cable IP.
Thanks for your help! Sergio
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Tue May 06, 2008 5:06 pm

please any tips?
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: how to NAT from a hostname

Tue May 06, 2008 6:54 pm

Hello,

I believe this is called NAT-on-a-stick. You are trying to access your public address from inside, which probably half-way works, but the server is sending the traffic back to you directly and not back through the router, i.e.:

1 - client sends traffic to the public IP.

2 - router dst-nats it to the internal IP.

3 - server receives the traffic and sends a response.

4 - server just sent the response to the original src address. Since this original source is on its local subnet, the router never gets the return traffic.

5 - client gets the reply packet but DROPS it because it's not coming from the originally requested IP.

To fix this you have to dst-nat and src-nat; this way, when the server sees the request, it is coming from the router, not the client.

Post your rules and we'll fix it up.

Sam
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Tue May 06, 2008 7:28 pm

Thanks Sam!
Here are the rules for filter and nat.
[admin@LunaTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Drop invalid connections
     chain=input connection-state=invalid action=drop
 1   ;;; Allow established connections
     chain=input connection-state=established action=accept
 2   ;;; Allow related connections
     chain=input connection-state=related action=accept
 3   ;;; drop ssh brute forcers
     chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop
 4   ;;; ssh-brute to blacklist
     chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list
     address-list=black_list address-list-timeout=2w1d
 5   ;;; ssh-brute -stage 3
     chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list
     address-list=ssh_stage3 address-list-timeout=2m
 6   ;;; ssh-brute -stage 2
     chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list
     address-list=ssh_stage2 address-list-timeout=2m
 7   ;;; ssh-brute - stage 1
     chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1
     address-list-timeout=1m
 8   ;;; Allow UDP
     chain=input protocol=udp action=accept
 9   ;;; Allow ICMP Ping
     chain=input protocol=icmp action=accept
10   ;;; Allow access from our local network
     chain=input src-address=10.0.2.0/24 action=accept
11   ;;; Mikrotik Winbox
     chain=input in-interface=Publica dst-port=8291 action=accept
12   ;;; Mikrotik SSH
     chain=input in-interface=Publica dst-address=0.0.0.0/0 dst-port=22 action=accept
13   ;;; Indy SSH
     chain=input in-interface=Publica dst-address=0.0.0.0/0 dst-port=2222 action=accept
14   ;;; Uvnc
     chain=input in-interface=Publica protocol=tcp dst-port=4000-4001 action=accept
15   ;;; Uvnc a SERVER-MX
     chain=input in-interface=Publica protocol=tcp dst-port=4003-4004 action=accept
16   ;;; Terminal Server a SERVER-MX
     chain=input in-interface=Publica protocol=tcp dst-port=4005 action=accept
17   ;;; KB 9000
     chain=input in-interface=Publica dst-address=0.0.0.0/0 protocol=tcp dst-port=9000 action=accept
18   ;;; ? Copiada de Indy
     chain=input in-interface=Publica dst-address=0.0.0.0/0 protocol=tcp dst-port=8000 action=accept
19   ;;; VMWare Web
     chain=input in-interface=Publica dst-address=0.0.0.0/0 protocol=tcp dst-port=8333 action=accept
20   ;;; VMWare Consola
     chain=input in-interface=Publica dst-address=0.0.0.0/0 protocol=tcp dst-port=902 action=accept
21 X ;;; MSN Messenger
     chain=forward protocol=tcp dst-port=1863 action=drop
22 X ;;; MSN Messenger
     chain=forward dst-address=207.46.110.0/24 protocol=tcp action=drop
23 X ;;; MSN Messenger
     chain=forward protocol=tcp dst-port=5190 action=drop
24 X ;;; MSN Messenger
     chain=forward protocol=tcp dst-port=6901 action=drop
25 X ;;; MSN Messenger
     chain=forward protocol=tcp dst-port=6891-6900 action=drop
26   ;;; jump to chain ICMP
     chain=input protocol=icmp action=jump jump-target=ICMP
27   ;;; jump to chain services
     chain=input action=jump jump-target=services
28   ;;; Allow Broadcast Traffic
     chain=input dst-address-type=broadcast action=accept
29   ;;; Log and drop everything else
     chain=input action=log log-prefix="Filter:"
30   chain=input action=drop
31   ;;; 0:0 and limit for 5pac/s
     chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
32   ;;; 3:3 and limit for 5pac/s
     chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept
33   ;;; 3:4 and limit for 5pac/s
     chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept
34   ;;; 8:0 and limit for 5pac/s
     chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
35   ;;; 11:0 and limit for 5pac/s
     chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
36   ;;; Drop everything else
     chain=ICMP protocol=icmp action=drop
[admin@LunaTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 1   ;;; NAT internal network to go out
     chain=srcnat out-interface=Publica action=masquerade
 4   ;;; KB
     chain=dstnat in-interface=Publica protocol=tcp dst-port=9000 action=dst-nat to-addresses=10.0.2.2 to-ports=9000
 5   ;;; Webmail
     chain=dstnat in-interface=Publica protocol=tcp dst-port=2000 action=dst-nat to-addresses=10.0.2.200 to-ports=2000
I have other NAT rules for eMule, VNC, etc., forwarding certain ports.

However, as I said in my previous posts, these are the two relevant ones.
I need to be able to access "me.host.com:9000" and have it be the same as writing "10.0.2.2:9000";
with my local IP it works, but not with the hostname.

Thanks for your help!
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: how to NAT from a hostname

Tue May 06, 2008 8:40 pm

You need a dst-nat rule that matches traffic to your public IP coming from your internal interface, and dst-nat that back to your private address.

You also need a src-nat rule that matches traffic to that server's private IP coming from your internal interface, and src-nat it to your router's internal IP; don't use masquerade.

Essentially this will change the src and destination of the packets, and everything communicating locally will go through the router. You will no longer be connecting directly to the server. This is mainly okay if it's just web traffic, etc.

An even better solution is to put your servers on a different subnet / interface (DMZ?). This way return traffic automatically comes back to you, since it needs to be routed to you.

Sam
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

[Solved]how to NAT from a hostname

Tue May 06, 2008 9:30 pm

A BIG THANKS, SAM!

That was what I was needing!
I added rules like:
;;; Webmail desde adentro
8    chain=dstnat in-interface=Local dst-address=201.200.3.21 protocol=tcp dst-port=2000 action=dst-nat to-addresses=10.0.2.200 to-ports=2000

 7   chain=srcnat out-interface=Local protocol=tcp dst-port=2000 action=src-nat to-addresses=10.0.2.209 to-ports=0-65535
and now I can type http://host.me.com:2000/ and get to my internal server.

Just to make it perfect: how can I script a change to the value in dst-address so it gets updated when my public IP changes?

Glad you stopped by and solved it with a few replies.

PS: How do I change the title to [Solved]?
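As an added example, not taken from any post in this thread: the complete hairpin setup Sam describes, with the public address kept in an address list (as the thread ends up doing) so the NAT rules themselves never change, and with the src-nat limited to LAN-to-server traffic on that one port. Interface names Publica and Local, the LAN 10.0.2.0/24, the server 10.0.2.200:2000 and the router's LAN address 10.0.2.209 come from the thread; the list name wan-ip and the script name update-wan-ip are assumed.

```routeros
# 1) Address list holding the current public IP; the NAT rules refer to the list,
#    so they never need editing when the address changes.
/ip firewall address-list
add list=wan-ip address=0.0.0.0 comment="current public IP (placeholder until the script runs)"

/ip firewall nat
# Normal port forward for requests arriving from the Internet
add chain=dstnat in-interface=Publica protocol=tcp dst-port=2000 \
    action=dst-nat to-addresses=10.0.2.200 to-ports=2000 comment="Webmail from outside"
# Hairpin dst-nat: LAN clients that connect to the public IP get the same forward
add chain=dstnat in-interface=Local dst-address-list=wan-ip protocol=tcp dst-port=2000 \
    action=dst-nat to-addresses=10.0.2.200 to-ports=2000 comment="Webmail from inside"
# Hairpin src-nat, limited to LAN -> server on this port only: the server then replies
# to the router, which un-NATs the reply, instead of answering the client directly
# (the client would drop that packet because it did not come from the IP it asked for).
add chain=srcnat src-address=10.0.2.0/24 dst-address=10.0.2.200 protocol=tcp dst-port=2000 \
    action=src-nat to-addresses=10.0.2.209 comment="Hairpin src-nat"

# 2) Script "update-wan-ip": copies the address of the Publica interface into the list,
#    dropping the "/prefix" part that makes a plain comparison fail. Add it under
#    /system script and run it periodically, e.g.:
#    /system scheduler add name=update-wan-ip interval=1m on-event=update-wan-ip
#    Assumes Publica carries one address (always printed as a.b.c.d/nn) and that
#    the wan-ip list holds at most one entry.
:local addr [:tostr [/ip address get [/ip address find interface=Publica] address]]
:if ([:len $addr] = 0) do={
    :log error "update-wan-ip: no address found on Publica"
} else={
    :local ip [:pick $addr 0 [:find $addr "/"]]
    :local id [/ip firewall address-list find list=wan-ip]
    :if ([:len $id] = 0) do={
        /ip firewall address-list add list=wan-ip address=$ip
        :log info ("wan-ip list created with " . $ip)
    } else={
        :if ([:tostr [/ip firewall address-list get $id address]] != $ip) do={
            /ip firewall address-list set $id address=$ip
            :log info ("wan-ip list updated to " . $ip)
        }
    }
}
```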
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: how to NAT from a hostname

Mon Jun 02, 2008 11:21 pm

Here is my script to just add the dynamically assigned IP address to a specific address list. Any reference to that address list in any firewall / NAT rule can always stay the same. Each time the IP changes it will update the address list entry.

Hope this helps; please critique and let me know how this works. Tested and works for me; handles reboots and non-existent list entries too.

Thanks
---------------------------------------



:local WAN-INTERFACE-NAME ether4
:local WAN-LIST-NAME list2

# Temporaries, declared up front so the :set assignments below have a variable to write to
:local tmpDDNSCURWANIP ""
:local LENGTH 0
:local x 0
:local tmpChar ""
:local CURITEM
:local NEWITEM

# Set variable to current WAN IP
:local DDNSCURWANIP [/ip dhcp-client get $WAN-INTERFACE-NAME address]

# Modify the IP retrieved to strip off the trailing netmask value.
# The loop is bounded by the string length so an empty address (no lease yet)
# falls through to the error below instead of looping forever.
:set tmpDDNSCURWANIP ""
:set LENGTH [:len $DDNSCURWANIP]
:set x 0
:while (($x >= 0) && ($x < $LENGTH)) do={
    :set tmpChar [:pick $DDNSCURWANIP $x]
    :if ($tmpChar = "/") do={
        :set x -1
    } else={
        :set tmpDDNSCURWANIP ($tmpDDNSCURWANIP . $tmpChar)
        :set x ($x + 1)
    }
}

# Check if we got back something. If not, output an error only
:if ([:len $tmpDDNSCURWANIP] = 0) do={
    :log error "No IP returned. Cannot add IP to list Aborting"
} else={

    :local DDNSCURWANIP $tmpDDNSCURWANIP

    # Check whether the global variable is set. If it's not, set it to 0.0.0.0
    # Unset local var (only the global var should be checked)
    :local DDNSWANIP
    :if ([:len $DDNSWANIP] = 0) do={
        :global DDNSWANIP 0.0.0.0
    }

    # Check if there's an entry in the address list. If not, create one with the old IP
    :set CURITEM [/ip firewall address-list find list=$WAN-LIST-NAME address=$DDNSWANIP]
    :if ([:len $CURITEM] = 0) do={
        :if ($DDNSWANIP = 0.0.0.0) do={
            /ip firewall address-list add list=$WAN-LIST-NAME address=$DDNSWANIP disabled=yes
        } else={
            /ip firewall address-list add list=$WAN-LIST-NAME address=$DDNSWANIP disabled=no
        }
        :log warning ($WAN-LIST-NAME . " list created")
    }

    # -- If WAN IP changes, here's where changes occur. --
    # -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

    # Check if past WAN IP matches current WAN IP. If they don't,
    # do any other action necessary if WAN IP has changed,
    # then set past IP to current IP

    :if ($DDNSCURWANIP != $DDNSWANIP) do={
        :log warning ($WAN-INTERFACE-NAME . " IP changed from " . $DDNSWANIP . " to " . $DDNSCURWANIP)

        :set NEWITEM [/ip firewall address-list find list=$WAN-LIST-NAME address=$DDNSCURWANIP]
        :set CURITEM [/ip firewall address-list find list=$WAN-LIST-NAME address=$DDNSWANIP]

        :if ([:len $NEWITEM] > 0) do={
            :log warning ($WAN-LIST-NAME . " already contains " . $DDNSCURWANIP)
        }

        :if (([:len $CURITEM] = 1) && ([:len $NEWITEM] = 0)) do={
            :log warning "Found old WAN IP in list"
            /ip firewall address-list set $CURITEM address=$DDNSCURWANIP disabled=no
        }

        :if (([:len $CURITEM] = 0) && ([:len $NEWITEM] = 0)) do={
            :log warning "Not found old WAN IP in list"
            /ip firewall address-list add list=$WAN-LIST-NAME address=$DDNSCURWANIP disabled=no
        }

        :if (([:len $CURITEM] > 0) && ([:len $NEWITEM] > 0)) do={
            :log warning ("Removing old entry " . $DDNSWANIP)
            /ip firewall address-list remove $CURITEM
        }

        :log warning ($WAN-LIST-NAME . " list updated")
        :global DDNSWANIP $DDNSCURWANIP
    }
}

# Unset all unneeded variables
:set CURITEM
:set NEWITEM
:set DDNSCURWANIP
:set LENGTH
:set tmpChar
:set tmpDDNSCURWANIP
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Tue Jun 03, 2008 3:59 pm

Great, dssmiktik!
Thanks for your script.

How do you create filter rules to be updated by this script?
Could you please post an example?
 
sergiom99
newbie
Topic Author
Posts: 37
Joined: Fri Sep 14, 2007 5:13 am
Location: Buenos Aires

Re: how to NAT from a hostname

Tue Jun 03, 2008 5:12 pm

Thanks, I already figured it out. I used dst-address-list.

Great script, glad you posted it.
