nop
just joined
Topic Author
Posts: 4
Joined: Wed Feb 06, 2019 10:36 am

how can i do iptables command in routeros?

Wed Feb 06, 2019 10:40 am

I found a Linux command line:

iptables -A PREROUTING -p tcp -m tcp -j DNAT -s 10.0.0.0/8 -d 211.65.64.43 --match multiport --dports 80,443,44449 --to-destination 219.230.144.123:80 -t nat

Now, how can I do it in RouterOS, to change dst IP 211.61.64.43 to 219.230.144.123?
 
sebastia
Forum Guru
Posts: 1373
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: how can i do iptables command in routeros?

Wed Feb 06, 2019 12:09 pm

# iptables -A PREROUTING -p tcp -m tcp -j DNAT -s 10.0.0.0/8 -d 211.65.64.43 --match multiport --dports 80,443,44449 --to-destination 219.230.144.123:80 -t nat

/ip firewall nat add chain=dstnat protocol=tcp action=dst-nat src-address=10.0.0.0/8 dst-address=211.65.64.43 dst-port=80,443,44449 to-addresses=219.230.144.123 to-ports=80
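
The translation in the reply above, generalized into a small converter. This is an added example, not code from the thread or from MikroTik; the name `dnat_to_routeros` is hypothetical, and it handles only the options that appear in the thread plus `--dport`, refusing anything else.

```python
import shlex

# iptables option -> RouterOS NAT property (pairings taken from the reply above;
# --dport is the single-port form of --dports)
OPTS = {"-p": "protocol", "-s": "src-address", "-d": "dst-address",
        "--dports": "dst-port", "--dport": "dst-port"}
# Property order used in the reply above
ORDER = ["chain", "protocol", "action", "src-address", "dst-address",
         "dst-port", "to-addresses", "to-ports"]


def dnat_to_routeros(rule: str) -> str:
    """Translate one `iptables -t nat -A PREROUTING ... -j DNAT` rule."""
    tokens = shlex.split(rule)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    if len(tokens) % 2:
        raise ValueError("expected option/value pairs")
    seen, props = {}, {"chain": "dstnat", "action": "dst-nat"}
    for opt, val in zip(tokens[::2], tokens[1::2]):
        if opt in ("-m", "--match"):
            continue  # tcp/multiport modules have no RouterOS counterpart
        if opt in ("-t", "-A", "-j"):
            seen[opt] = val
        elif opt == "--to-destination":
            addr, _, port = val.partition(":")
            props["to-addresses"] = addr
            if port:
                props["to-ports"] = port
        elif opt in OPTS:
            props[OPTS[opt]] = val
        else:
            # Fail closed: dropping an unknown matcher (e.g. "!") would
            # silently widen what the NAT rule catches.
            raise ValueError(f"unsupported option: {opt}")
    if seen != {"-t": "nat", "-A": "PREROUTING", "-j": "DNAT"}:
        raise ValueError("only -t nat -A PREROUTING -j DNAT is handled")
    if "to-addresses" not in props:
        raise ValueError("DNAT rule needs --to-destination")
    return "/ip firewall nat add " + " ".join(
        f"{k}={props[k]}" for k in ORDER if k in props)


# The rule from the first post
RULE = ("iptables -A PREROUTING -p tcp -m tcp -j DNAT -s 10.0.0.0/8 "
        "-d 211.65.64.43 --match multiport --dports 80,443,44449 "
        "--to-destination 219.230.144.123:80 -t nat")

if __name__ == "__main__":
    print(dnat_to_routeros(RULE))
```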
 
nop
just joined
Topic Author
Posts: 4
Joined: Wed Feb 06, 2019 10:36 am

Re: how can i do iptables command in routeros?

Sun Feb 10, 2019 7:59 am

# iptables -A PREROUTING -p tcp -m tcp -j DNAT -s 10.0.0.0/8 -d 211.65.64.43 --match multiport --dports 80,443,44449 --to-destination 219.230.144.123:80 -t nat

/ip firewall nat add chain=dstnat protocol=tcp action=dst-nat src-address=10.0.0.0/8 dst-address=211.65.64.43 dst-port=80,443,44449 to-addresses=219.230.144.123 to-ports=80

I do this:

/ip firewall nat add chain=dstnat protocol=tcp action=dst-nat src-address=192.168.0.0/24 dst-port=80,443 to-addresses=123.125.115.110 to-ports=80

but I can't access 123.125.115.110. 123.125.115.110 is Baidu's IP.
 
mkx
Forum Guru
Posts: 1949
Joined: Thu Mar 03, 2016 10:23 pm

Re: how can i do iptables command in routeros?

Sun Feb 10, 2019 11:24 am

If Baidu is on the internet side of the RouterBOARD, then you need a src-nat rule, not dst-nat. An appropriate (for most users) rule is there by default (on most RouterBOARD units), so if it's not working, you're messing up the config. To help you find the way out, you'll have to explain your topology, what you want to achieve and your current settings ... until then this would be a conversation of the deaf ...
BR,
Metod
 
nop
just joined
Topic Author
Posts: 4
Joined: Wed Feb 06, 2019 10:36 am

Re: how can i do iptables command in routeros?

Mon Feb 11, 2019 4:27 am

# iptables -A PREROUTING -p tcp -m tcp -j DNAT -s 10.0.0.0/8 -d 211.65.64.43 --match multiport --dports 80,443,44449 --to-destination 219.230.144.123:80 -t nat

/ip firewall nat add chain=dstnat protocol=tcp action=dst-nat src-address=10.0.0.0/8 dst-address=211.65.64.43 dst-port=80,443,44449 to-addresses=219.230.144.123 to-ports=80

I do this:

/ip firewall nat add chain=dstnat protocol=tcp action=dst-nat src-address=192.168.0.0/24 dst-port=80,443 to-addresses=123.125.115.110 to-ports=80

but I can't access 123.125.115.110. 123.125.115.110 is Baidu's IP.

My router LAN IP: 192.168.0.111
My router WAN: PPPoE
My computer IP: 192.168.0.33, gateway 192.168.0.111

These are the router NAT settings:
/ip firewall nat> pri
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=dstnat action=dst-nat to-addresses=123.125.115.110 to-ports=80
protocol=tcp src-address=192.168.0.0/24 dst-port=80,443 log=no
log-prefix=""

1 chain=srcnat action=masquerade src-address=192.168.0.0/24
out-interface=!bridge log=no log-prefix=""

123.125.115.110 is an internet site.

I need that when my computer accesses port 80 or 443 anywhere on the internet, it jumps to 123.125.115.110.

For example, when my computer accesses Google on 443, the result I want is to access 123.125.115.110.

This means that when I access port 80 or 443 of any IP on the Internet, the IP of the site I actually visit is 123.125.115.110.
 
Jotne
Forum Veteran
Posts: 940
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: how can i do iptables command in routeros?

Mon Feb 11, 2019 8:27 am

So you want a proxy?

When your inside computer tries to reach anything on the public internet on port tcp/80 and tcp/443, it should be redirected to public IP 123.125.115.110 and not the IP it gets from the DNS server?

PS: this may give you problems with HTTPS, since it does not work with proxy servers (not in any simple way at least).
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk