bobr
just joined
Topic Author
Posts: 14
Joined: Fri Feb 13, 2015 4:27 pm

Help with IP-> Filter needed

Tue Jul 09, 2019 7:05 pm

Hello!
I'm running RouterOS 6.43.8 on x86. Now I'll try to explain my problem:
Let's say we have an IP address 10.10.10.1 in an address-list NO_ACCESS, and for this address-list we have a blocking rule and a NAT rule which tries to redirect blocked users to a personal page, like this:
chain=forward action=drop src-address-list=NO_ACCESS out-interface=ether-OUT log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.20.240 to-ports=80 protocol=tcp src-address-list=NO_ACCESS dst-port=80,443 log=no log-prefix=""
As you may have already understood, there is a web server with IP 192.168.20.240 which hosts the personal page. And on that personal page the user can go to the payment page, which lies at another IP and port, like 192.168.20.245:8080. And on that payment page there is a link which leads to www.some.paymentsystem.com with a public IP, let's say, 2.2.2.2.
And here is what I need: I need the user behind 10.10.10.1 to be able to go to www.some.paymentsystem.com, but not to the rest of the Internet.

I thought that adding a filter rule which would temporarily add 10.10.10.1 to an address-list, say, PAY_NO_ACCESS when that user tries to reach 192.168.20.245:8080, creating an accept filter rule for dst-address 2.2.2.2 and the PAY_NO_ACCESS address-list, and a masquerade NAT rule for that PAY_NO_ACCESS address-list, and placing those rules above the appropriate rejecting rules would solve the problem. But it didn't. It seems that an IP cannot be in 2 address-lists for which opposite filter and NAT rules are specified, and despite the fact that the rules for PAY_NO_ACCESS were placed almost at the top of the filter and NAT lists, that didn't help at all. Although I thought the packet would never reach those prohibitive rules.

Any thoughts and suggestions will be greatly appreciated.
 
2frogs
Long time Member
Posts: 501
Joined: Fri Dec 03, 2010 1:38 am

Re: Help with IP-> Filter needed

Wed Jul 10, 2019 5:38 am

Create an address-list name=payment_gateway and add www.some.paymentsystem.com and the DNS IP to it.
Now add dst-address-list!=payment_gateway to both of your rules. The "!" means "not".

This should work for http, but I don't think it will for https...
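The configuration 2frogs describes, written out in RouterOS CLI syntax as an added example (this is not config posted by either participant). It reuses the names from the thread (NO_ACCESS, ether-OUT, the two web servers) and the list name payment_gateway suggested above; the DNS resolver address is a constructed placeholder. Note that on the command line the negation is written as dst-address-list=!payment_gateway, and a hostname entry in an address-list is resolved by the router itself, which then keeps the resolved addresses as dynamic entries.

```routeros
# Added example, not the posters' own configuration.
/ip firewall address-list
# Hostname entry: the router resolves it and adds the resulting addresses as
# dynamic entries, refreshing them as the DNS record changes.
add list=payment_gateway address=www.some.paymentsystem.com comment="payment system (resolved by router)"
# The DNS server the blocked clients use must also be reachable, otherwise the
# name cannot be resolved at all. 8.8.8.8 is a constructed placeholder value.
add list=payment_gateway address=8.8.8.8 comment="DNS resolver used by clients (placeholder)"

/ip firewall filter
# Drop everything from blocked users EXCEPT traffic whose destination is in
# payment_gateway. This replaces the original unconditional drop rule.
add chain=forward action=drop src-address-list=NO_ACCESS \
    dst-address-list=!payment_gateway out-interface=ether-OUT \
    comment="blocked users: drop all but payment gateway"

/ip firewall nat
# Redirect blocked users' web traffic to the personal page, again skipping
# the payment gateway so that link from the payment page still works.
add chain=dstnat action=dst-nat to-addresses=192.168.20.240 to-ports=80 \
    protocol=tcp src-address-list=NO_ACCESS dst-address-list=!payment_gateway \
    dst-port=80,443 comment="blocked users: redirect to personal page"
```

After adding the hostname entry, run /ip firewall address-list print and confirm that dynamic entries with the resolved addresses appear under payment_gateway; if the payment site is served from a CDN with many or rotating addresses, the list may not cover all of them, so check it against what the clients actually resolve. The HTTPS reservation above applies to the redirect itself: a browser that asked for some other site over port 443 and is sent to 192.168.20.240 will get a certificate error, because that server cannot present a valid certificate for the name the browser requested. The exemption for the payment gateway, by contrast, works for both ports, since those packets are never redirected or dropped.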
 
bobr
just joined
Topic Author
Posts: 14
Joined: Fri Feb 13, 2015 4:27 pm

Re: Help with IP-> Filter needed

Wed Jul 10, 2019 8:43 am

Hmmm - that's quite an option to check if the traffic is not going to www.some.paymentsystem.com in prohibitive rules...
Thanks a lot for the advice!
