dalami
newbie
Topic Author
Posts: 43
Joined: Mon Dec 12, 2011 9:18 am

Redirect vs Dst-Nat - or port obfuscation

Fri Jun 26, 2020 9:09 pm

I *think* I understand the difference between dst-nat vs redirect: dst-nat forwards incoming requests to an external location while redirect is a special case for the localhost. Assuming that's the case, I again believe that if I want to expose a local service from the router on an alternate port the correct method is via redirect.

Please correct me if the above is false. However, from there - what is the method I should use for specifically exposing the router's ssh service via a non-standard port? The intent is to allow connection via public internet to the non-standard port. My concerns/questions - some of which are probably self-answering:

1. I assume the first step is a NAT rule, "/ip firewall nat add chain=dstnat action=redirect to-ports=22 protocol=tcp dst-port=2220"
2. Now what do I need to open in the filter? Port 2220, port 22, or both?
3. Does this mean the ssh service cannot be IP limited? Sounds stupid as I type it but if nothing else spells out the obvious for the archives...
3a. Is it possible to define a second listener for an internal service - so port 22 has limited IPs while 2220 is open in the service definition?
 
Sob
Forum Guru
Posts: 5590
Joined: Mon Apr 20, 2009 9:11 pm

Re: Redirect vs Dst-Nat - or port obfuscation

Fri Jun 26, 2020 10:11 pm

1) Yes, but you also want to limit destination address. This rule you posted would redirect all connections with destination port 2220 (even outgoing ones). It may not seem like a big deal, because you're probably not connecting to this port very often, but it can happen. The simplest way is to add dst-address-type=local.

2) It's 22 (where the service is listening), because filter happens after dstnat.

3) You can limit source in both dstnat and input rules (src-address, src-address-list).

3a) No, but if you choose to limit source in dstnat rule, you'll have what you need.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
dalami
newbie
Topic Author
Posts: 43
Joined: Mon Dec 12, 2011 9:18 am

Re: Redirect vs Dst-Nat - or port obfuscation

Fri Jun 26, 2020 10:56 pm

That...doesn't make sense. It may be right - but it still doesn't make sense.

1) Isn't redirect by definition for a local destination only?

2) If I open port 22 in the filters - then port 22 is open to the internet which is exactly what I don't want to happen. Hmm...would the better choice be to have the redirect not only specify the port but also either the localhost or internal LAN IP? Then the only opened port to the internet would be the example 2220.

3/3a - I understand the src-address options, and I'll probably implement that at least on a country level. Thanks.
 
Sob
Forum Guru
Posts: 5590
Joined: Mon Apr 20, 2009 9:11 pm

Re: Redirect vs Dst-Nat - or port obfuscation

Fri Jun 26, 2020 11:22 pm

1) There are two things, conditions and action. Redirect is action, I'm talking about conditions. Yours are only protocol=tcp and dst-port=2220. So if some device in LAN tries to connect to <some random internet address>:2220, will this rule match? The answer is yes, and you don't want that. If you add dst-address-type=local as another condition, then this won't match any longer, but connections from internet to <your router>:2220 will.

2) That would be the case if you opened port 22 unconditionally, but you can accept only redirected packets:

/ip firewall filter
add chain=input connection-nat-state=dstnat action=accept

And since you asked about limiting source addresses, I assumed that it would be part of it. If you do:

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=<allowed addresses> action=accept

it will be ok. Or you can combine the previous rule with:

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=2220 src-address-list=<allowed addresses> action=redirect to-ports=22
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
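The order of operations Sob describes (dstnat is applied first, then the input filter chain) as a small model, added here as an example and not taken from the thread or from RouterOS itself; the router address, the "allowed addresses" list and the simplified rule semantics are constructed assumptions.

```python
# Added example, not from the thread: models RouterOS applying dstnat before the input filter.
# Addresses and the "allowed" list are constructed assumptions.
from dataclasses import dataclass
from typing import Optional, Set

ROUTER_WAN = "203.0.113.1"           # assumed public address of the router
ALLOWED = {"198.51.100.7"}           # assumed content of src-address-list=<allowed addresses>

@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    nat_state: str = ""              # becomes "dstnat" once a dstnat rule has fired

def is_local(addr: str) -> bool:
    """dst-address-type=local: the destination is one of the router's own addresses."""
    return addr == ROUTER_WAN

def redirect_2220_to_22(c: Conn, local_only: bool, src_list: Optional[Set[str]] = None) -> Conn:
    """chain=dstnat protocol=tcp dst-port=2220 action=redirect to-ports=22,
    optionally with dst-address-type=local and/or src-address-list=<allowed addresses>."""
    if c.proto != "tcp" or c.dport != 2220:
        return c
    if local_only and not is_local(c.dst):
        return c                     # LAN host -> <internet host>:2220 is left alone
    if src_list is not None and c.src not in src_list:
        return c
    c.dport, c.nat_state = 22, "dstnat"
    return c

def input_chain(c: Conn, mode: str) -> str:
    """Input filter, evaluated after dstnat. Modes mirror the rules in the post:
    'dstnat-only'  accept connection-nat-state=dstnat
    'port22-any'   accept tcp dst-port=22 from anywhere (what the topic author wants to avoid)
    'port22-list'  accept tcp dst-port=22 only from src-address-list=<allowed addresses>."""
    if not is_local(c.dst):
        return "forward"             # not router-destined: handled by chain=forward, not input
    if mode == "dstnat-only":
        return "accept" if c.nat_state == "dstnat" else "drop"
    if c.proto == "tcp" and c.dport == 22:
        return "accept" if mode == "port22-any" or c.src in ALLOWED else "drop"
    return "drop"

def run(c: Conn, local_only: bool, mode: str, src_list: Optional[Set[str]] = None):
    """Return (final destination port, input chain verdict) for one new connection."""
    n = redirect_2220_to_22(c, local_only, src_list)
    return n.dport, input_chain(n, mode)
```

Running a LAN host's connection to an internet address on port 2220 through `run` with `local_only=False` shows it being rewritten to port 22, which is the side effect the dst-address-type=local condition removes.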
