[ninux-not-wireless] [IuliiNet] port forwarding on mikrotik

Luca Postregna luca.postregna at gmail.com
Thu Jun 5 12:31:21 CEST 2014


It still doesn't work; this is the situation on the MikroTik:

[admin@mikrotik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    ether2-master-local
 1 D 192.168.0.25/24    192.168.0.0     ether1-gateway


[admin@mikrotik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.20 to-ports=81 protocol=tcp
     in-interface=ether1-gateway dst-port=81

[admin@mikrotik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp

 1   ;;; default configuration
     chain=input action=accept connection-state=established

 2   ;;; default configuration
     chain=input action=accept connection-state=related

 3   ;;; default configuration
     chain=forward action=accept connection-state=established

 4   ;;; default configuration
     chain=forward action=accept connection-state=related

 5   chain=forward action=accept connection-state=new

 6   chain=input action=accept protocol=tcp dst-port=81


This is the nmap from 192.168.0.0/24:

> nmap -sT 192.168.0.25

Starting Nmap 6.00 ( http://nmap.org ) at 2014-06-05 12:21 CEST
Nmap scan report for MikroTik (192.168.0.25)
Host is up (0.016s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   open     http
81/tcp   filtered hosts2-ns
2000/tcp open     cisco-sccp
MAC Address: D4:CA:6D:E2:95:B9 (Routerboard.com)

Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds


If I run nmap against the service's IP from 192.168.88.0/24, I get:

> nmap -sT 192.168.88.20

Starting Nmap 6.00 ( http://nmap.org ) at 2014-06-05 12:30 CEST
Nmap scan report for 192.168.88.20
Host is up (0.044s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
81/tcp   open  hosts2-ns
2000/tcp open  cisco-sccp
5000/tcp open  upnp
MAC Address: 00:4A:20:A9:4B:2E (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

Where am I going wrong?



On Wed, Jun 4, 2014 at 12:15 PM, Filippo Madaro <filippo.madaro at gmail.com>
wrote:

>  Destination NAT
>
> If you want to link Public IP 10.5.8.200 address to Local one
> 192.168.0.109, you should use destination address translation feature of
> the MikroTik router. Also if you want allow Local server to talk with
> outside with given Public IP you should use source address translation, too.
>
> Add Public IP to Public interface:
>
> /ip address add address=10.5.8.200/32 interface=Public
>
> Add rule allowing access to the internal server from external networks:
>
> /ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
> 	to-addresses=192.168.0.109
>
> Add rule allowing the internal server to talk to the outer networks having
> its source address translated to 10.5.8.200:
>
> /ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
> 	to-addresses=10.5.8.200
>
> 1:1 mapping
>
> If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24,
> you should use destination address translation and source address
> translation features with action=netmap.
>
> /ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \
> 	action=netmap to-addresses=2.2.2.0/24
>
> /ip firewall nat add chain=srcnat src-address=2.2.2.0/24 \
> 	action=netmap to-addresses=11.11.11.0/24
>
> Same can be written using different address notation, that still have to
> match with the described network
>
> /ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 \
> 	action=netmap to-addresses=2.2.2.0-2.2.2.255
>
> /ip firewall nat add chain=srcnat src-address=2.2.2.0-2.2.2.255 \
> 	action=netmap to-addresses=11.11.11.0-11.11.11.255
>
>
>  Port mapping
>
> If you would like to direct requests for a certain port to an internal
> machine (sometimes called opening a port, port mapping), you can do it like
> this:
>
> /ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp \
> 	to-addresses=192.168.1.1 to-ports=1234
>
>
> This rule translates to:
>
> when an incoming connection requests TCP port 1234, use the DST-NAT
> action and redirect it to local address 192.168.1.1 and the port 1234
>
>
>


-- 
luca.postregna.name
twitter.com/lucapost
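Editor's note: the ruleset pasted above can be checked mechanically. The Python below is an added example (my code, not from the thread, the list, or MikroTik). It parses the text of `/ip firewall nat print` and `/ip firewall filter print` exactly as it arrives in a mail, wrapped continuation lines included, and for every dst-nat rule walks the forward chain in order, the way RouterOS evaluates it, to report which rule decides the fate of a new connection to the translated target (`to-addresses`/`to-ports`). The sample input is constructed from the two prints in the mail, with the repeated `;;;` comment lines trimmed. On this configuration it reports forward rule 5 accepting, no problems in the NAT rule, and input rule 6 as having no effect: once dst-nat has rewritten the destination to 192.168.88.20 the packet is no longer addressed to the router, so it traverses the forward chain, not input. The `filtered` state nmap shows for 81/tcp means no reply at all, while the other probed ports on the router answered `closed` (a RST), which is consistent with the SYN being consumed by the dst-nat rule rather than by the router itself. When the ruleset passes a check like this one, the remaining things to verify are on the target side: that 192.168.88.20 accepts connections to port 81 from addresses outside its own subnet, and that its default gateway is the MikroTik (192.168.88.1), so the SYN-ACK returns through the router's connection tracking and is un-NATed; `/ip firewall connection print` on the router during the scan shows whether the dst-nat'd connection entry is created at all.

```python
"""Added example (not from the thread): check MikroTik dst-nat port forwards against the
filter policy, parsing `/ip firewall nat print` / `filter print` as pasted into a mail."""
import ipaddress
import re

RULE_START = re.compile(r"^\s*(\d+)\s+(?:([XID]+)\s+)?(.*)$")   # " 1 X  key=val ..."
KEY_VALUE = re.compile(r"(\S+?)=(\S+)")

# Constructed sample input: the two prints from the mail, continuation lines left
# wrapped as the mail client delivered them; repeated ';;;' comment lines trimmed.
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0
out-interface=ether1-gateway

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.20 to-ports=81
protocol=tcp in-interface=ether1-gateway dst-port=81
"""
FILTER_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   chain=input action=accept connection-state=established
 2   chain=input action=accept connection-state=related
 3   chain=forward action=accept connection-state=established
 4   chain=forward action=accept connection-state=related
 5   chain=forward action=accept connection-state=new
 6   chain=input action=accept protocol=tcp dst-port=81
"""

def parse_print(text):
    """Return the rules of one `print` as dicts: id, flags, comment, matchers."""
    rules, cur = [], None
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:                  # a new rule; any other non-blank line continues the previous one
            cur = {"id": int(m.group(1)), "flags": m.group(2) or "", "comment": None}
            rules.append(cur)
            line = m.group(3)
        elif cur is None or not line.strip():
            continue           # header ("Flags: ...") or blank separator
        if line.lstrip().startswith(";;;"):
            cur["comment"] = line.split(";;;", 1)[1].strip()
        else:
            cur.update(KEY_VALUE.findall(line))
    return rules

def _matches(rule, proto, dst_addr, dst_port, in_iface):
    """Does this forward rule match the first packet of a connection already rewritten by
    dst-nat?  Only exact/comma-list ports and a CIDR dst-address are evaluated."""
    if rule.get("chain") != "forward" or "X" in rule["flags"]:
        return False
    if rule.get("protocol", proto) != proto or rule.get("in-interface", in_iface) != in_iface:
        return False
    if "dst-port" in rule and dst_port not in rule["dst-port"].split(","):
        return False
    if "new" not in rule.get("connection-state", "new").split(","):
        return False
    if "dst-address" in rule:
        try:
            return ipaddress.ip_address(dst_addr) in ipaddress.ip_network(rule["dst-address"], strict=False)
        except ValueError:     # negated matchers, ranges, address lists: assume no match
            return False
    return True

def forward_verdict(filter_rules, proto, dst_addr, dst_port, in_iface):
    """(action, id) of the first terminating matching forward rule; a built-in chain
    with no matching rule accepts, reported as (accept, None)."""
    for r in filter_rules:
        if _matches(r, proto, dst_addr, dst_port, in_iface) and r.get("action") not in ("log", "passthrough"):
            return r.get("action", "accept"), r["id"]
    return "accept", None

def check_forwards(nat_rules, filter_rules):
    """One report per dst-nat rule: target, deciding forward rule, problems found."""
    reports = []
    for n in nat_rules:
        if n.get("chain") != "dstnat" or n.get("action") != "dst-nat":
            continue
        proto, target = n.get("protocol"), n.get("to-addresses")
        port = n.get("to-ports", n.get("dst-port"))            # no to-ports: port unchanged
        action, fid = forward_verdict(filter_rules, proto, target, port, n.get("in-interface"))
        problems = [msg for cond, msg in (
            ("X" in n["flags"], "dst-nat rule is disabled"),
            ("dst-port" not in n, "no dst-port matcher: every port is forwarded to the target"),
            (action != "accept", f"forward rule {fid} ({action}) blocks new connections to the target"),
        ) if cond]
        # After dst-nat the packet is addressed to the target, not to the router, so
        # input-chain rules opening the public port never see it: report them as inert.
        stray = [f["id"] for f in filter_rules if f.get("chain") == "input"
                 and f.get("protocol") == proto and f.get("dst-port") == n.get("dst-port")]
        reports.append({"nat_rule": n["id"], "target": f"{target}:{port}", "forward_rule": fid,
                        "forward_action": action, "problems": problems,
                        "input_rules_not_applying": stray})
    return reports

if __name__ == "__main__":
    for report in check_forwards(parse_print(NAT_PRINT), parse_print(FILTER_PRINT)):
        print(report)
```

Paste the two prints of your own router into `NAT_PRINT` and `FILTER_PRINT` (or read them from files) and run the script; a `drop`/`reject` verdict names the forward rule that gets in the way, an `accept` with no problems means the rest of the troubleshooting belongs on the target host and its return path. The walker deliberately stops at the first terminating rule, as RouterOS does, so rule order matters in the input exactly as it does on the router.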