有些人为我们提供 Mikrotik 光纤连接,但后来合同转移到了另一家供应商,他们不想帮助我配置设备。我迫切需要帮助,我力不从心。
我们有几个公共 IP:154.117.185.242 —— 所有正常流量、浏览、访客 wifi 都走这个 IP;154.117.185.243 —— 我们的 Web 服务器,:80 映射到内网 192.168.10.157:80;154.117.185.244;154.117.185.245 —— 另一台 Web 服务器,:80 映射到内网 192.168.10.9:80;154.117.185.246。
由于某种原因,154.117.185.243 已被列入黑名单,我认为有人感染了病毒。因此,我想将传出 SMTP(端口 25)从 154.117.185.242 移至 154.117.185.244,以便人们可以可靠地接收他们的交易邮件。
我尝试创建了这样一条规则:chain=srcnat,src-address=192.168.10.157,协议 tcp,端口 25 → action=src-nat,转换到地址 154.117.185.244,端口 25(可惜这里没法附上截图)。
但那并没有什么作用。
说实话,我甚至不知道从哪里开始制定这条规则。我真的需要帮助。
我猜想,从互联网返回的响应流量也需要一条把它送回 192.168.10.157:25 的规则——不过如果真有必要,我想我可以复制一条 Web 服务器的规则并改一下端口号。真正让我困惑的是针对传出流量的那条规则。
谢谢
史蒂夫
编辑-添加导出:
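# dec/20/2016 21:15:40 by RouterOS 6.30.4
# software id = UUL8-1EL2
#
/ip firewall filter
add action=drop chain=forward src-address=192.168.10.54
/ip firewall nat
# Outgoing SMTP from the web server (192.168.10.157) must leave with source
# address 154.117.185.244. Three things differ from the earlier attempt:
# - dst-port=25 instead of src-port=25: an outgoing mail connection has the
#   remote server's port 25 as DESTINATION; its own source port is ephemeral,
#   so a src-port=25 match never hits
# - no to-ports: src-nat only needs to rewrite the address; forcing every
#   connection's source port to 25 is neither needed nor wanted
# - placed ABOVE the unconditional masquerade: the srcnat chain is first-match,
#   so a catch-all masquerade listed first consumes the packet before any
#   later src-nat rule is evaluated
# Replies are un-NATed by connection tracking; no separate dst-nat rule is
# needed for the return traffic.
add action=src-nat chain=srcnat comment="web server SMTP out via .244" \
dst-port=25 protocol=tcp src-address=192.168.10.157 to-addresses=154.117.185.244
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=154.117.185.243 dst-port=80 protocol=tcp \
to-addresses=192.168.10.157 to-ports=80
add action=dst-nat chain=dstnat dst-address=154.117.185.243 dst-port=81 protocol=tcp \
to-addresses=192.168.10.241 to-ports=81
add action=dst-nat chain=dstnat dst-address=154.117.185.243 dst-port=82 protocol=tcp \
to-addresses=192.168.10.242 to-ports=82
# review: dst-port=21-80 also exposes FTP (21) and every port in between;
# narrow it to the ports actually served on 192.168.10.9 — confirm which are needed
add action=dst-nat chain=dstnat dst-address=154.117.185.245 dst-port=21-80 protocol=tcp \
to-addresses=192.168.10.9 to-ports=21-80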
以及整个配置:
# dec/22/2016 12:53:00 by RouterOS 6.30.4
# software id = UUL8-1EL2
#
# Full export of the router. Lines starting with "#" are comments and are
# ignored on import; those marked "review:" are observations on this config.
/interface ethernet
set [ find default-name=ether1 ] comment="Bitco Fibre"
set [ find default-name=ether2 ] comment=Internal
set [ find default-name=ether3 ] comment=unused
set [ find default-name=ether5 ] comment="Guests Wifi"
set [ find default-name=ether6 ] comment=unused
/ip neighbor discovery
set ether1 comment="Bitco Fibre"
set ether2 comment=Internal
set ether3 comment=unused
set ether5 comment="Guests Wifi"
set ether6 comment=unused
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.22.100-192.168.22.254
/ip dhcp-server
# DHCP for the guest wifi segment on ether5 (192.168.22.0/24, see /ip address)
add address-pool=dhcp_pool1 disabled=no interface=ether5 lease-time=1d10m \
name=dhcp1
/snmp community
# review: this edits the default community (its name is not shown here) and
# limits it to 154.66.208.0/24 — confirm that range is the intended monitoring
# network, since SNMP is enabled below (/snmp set enabled=yes)
set [ find default=yes ] addresses=154.66.208.0/24
/ip address
# review: all four public addresses sit on ether1; 154.117.185.243 is listed
# first, which presumably is what the unconditional masquerade below uses as
# source when no route supplies a pref-src — verify with a test connection
add address=154.117.185.243/22 interface=ether1 network=154.117.184.0
add address=192.168.22.2/24 interface=ether5 network=192.168.22.0
add address=192.168.10.1/24 interface=ether2 network=192.168.10.0
add address=154.117.185.245/22 interface=ether1 network=154.117.184.0
add address=154.117.185.242/22 interface=ether1 network=154.117.184.0
add address=154.117.185.244/22 interface=ether1 network=154.117.184.0
/ip dhcp-server network
add address=192.168.22.0/24 dns-server=41.79.80.34,8.8.8.8 gateway=\
192.168.22.2
/ip dns
# review: allow-remote-requests=yes, and /ip firewall filter below has no
# input-chain rule, so this resolver also answers queries arriving on ether1
# from the internet (open-resolver / amplification risk). An input rule
# dropping udp/tcp 53 with in-interface=ether1 closes that — confirm no such
# rule exists outside this export
set allow-remote-requests=yes servers=41.79.80.34,8.8.8.8
/ip firewall filter
# per-host blocks; three are disabled, only 192.168.10.54 is active
add action=drop chain=forward disabled=yes src-address=192.168.10.109
add action=drop chain=forward disabled=yes src-address=192.168.10.28
add action=drop chain=forward src-address=192.168.10.54
add action=drop chain=forward disabled=yes src-address=192.168.22.116
# hosts already on the SPAMMER list are blocked from tcp/25 for the list
# timeout (just under 24h, set by the next rule)
add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" \
dst-port=25 protocol=tcp src-address-list=SPAMMER
# review: this matches every source, so 192.168.10.157 (the web server that
# must send transactional mail) is also listed if it exceeds 10 concurrent
# tcp/25 connections or the 10/5 rate — an exception for it above this rule
# is presumably wanted; confirm
add action=add-src-to-address-list address-list=SPAMMER address-list-timeout=\
23h59m59s chain=forward comment=\
"Detect and add-list SMTP virus or spammers" connection-limit=10,32 \
dst-port=25 limit=10,5 protocol=tcp
/ip firewall mangle
# only the web server's outgoing tcp/25 gets the routing mark used by the
# policy route in /ip route below
add action=mark-routing chain=prerouting dst-port=25 new-routing-mark=\
"Webserver SMTP" passthrough=no protocol=tcp src-address=192.168.10.157
/ip firewall nat
# review: the catch-all masquerade is first; the srcnat chain is first-match,
# so any src-nat rule placed after it for the web server's SMTP is never
# reached — a specific src-nat rule must sit above this line
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="webserver port 80" dst-address=\
154.117.185.243 dst-port=80 protocol=tcp to-addresses=192.168.10.157 \
to-ports=80
add action=dst-nat chain=dstnat comment=CCTV dst-address=154.117.185.243 \
dst-port=81 protocol=tcp to-addresses=192.168.10.241 to-ports=81
add action=dst-nat chain=dstnat comment="unused CCTV" dst-address=\
154.117.185.243 dst-port=82 protocol=tcp to-addresses=192.168.10.242 \
to-ports=82
# review: dst-port=80 but to-ports=21-80 — the earlier export had
# dst-port=21-80; mapping a single port onto a range looks unintended, and
# FTP (21) should not be reachable unless required — confirm which was meant
add action=dst-nat chain=dstnat comment=xmpie dst-address=154.117.185.245 \
dst-port=80 protocol=tcp to-addresses=192.168.10.9 to-ports=21-80
/ip route
# review: gateway=154.117.185.244 is one of this router's own addresses
# (see /ip address), not a next hop; the marked traffic presumably needs
# gateway=154.117.185.217 (the default route's gateway) with
# pref-src=154.117.185.244 so the masquerade picks .244 as source — check
# the route's flags with /ip route print
add comment="send web SMTP through 244" distance=1 gateway=154.117.185.244 \
routing-mark="Webserver SMTP" scope=255
add distance=1 gateway=154.117.185.217
/ip service
# management services are bound to the LAN (192.168.10.0/24); ftp is
# disabled. telnet, www and api are plaintext and still enabled on the LAN.
set telnet address=192.168.10.0/24
set ftp address=192.168.10.0/24 disabled=yes
set www address=192.168.10.0/24
set ssh address=192.168.10.0/24
set www-ssl address=192.168.10.0/24
set api address=192.168.10.0/24
set winbox address=192.168.10.0/24
set api-ssl address=192.168.10.0/24
/lcd
set time-interval=hour
/snmp
set enabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Bowens
/system routerboard settings
set protected-routerboot=disabled
/system script
# Logs the addresses found in address list "spammer" and the hotspot user
# behind each. review: the filter rules above use SPAMMER while this script
# searches list=spammer — confirm both refer to the same list; also no
# /ip hotspot section appears in this export, so the hotspot lookup
# presumably finds nothing here
add name=SPAMMERS owner=admin source=":log error \\\"----------Users detected \
like \\\
\n SPAMMERS -------------\\\";\
\n\\n:foreach i in \\[/ip firewall address-list find \\\
\n list=spammer\\] do={:set usser \\[/ip firewall address-list get \\\$\
i \\\
\n address\\];\
\n\\n:foreach j in=\\[/ip hotspot active find address=\\\$usser\\] \\\
\n do={:set ip \\[/ip hotspot active get \\\$j user\\];\
\n\\n:log error \\\$ip;\
\n\\n:log \\\
\n error \\\$usser} };\" policy=ftp,read,write,policy,test,winbox "
/tool graphing interface
add allow-address=192.168.10.0/24
/tool romon port
# RoMON port entry with default settings
add
答案1
如果你已经有邮件服务器,那么就应该已经有针对该 IP 的规则。这里(见链接)的情况表明你的路由器感染了病毒。你能发布路由器配置吗?可以用 /ip firewall export file=fwexport.txt 导出。
更改 IP 无法解决您的问题。您必须找到受感染的计算机。
编辑
您必须设置数据包标记,并把带有该标记的 SMTP 流量路由到指定的网关。请参阅这里和这里。注意只标记来自 Web 服务器的流量。目前我手头没有多余的路由器可以测试,但希望对您有所帮助。同时,请阻止访客 wifi 中的 SMTP 流量,参考:如何自动检测受感染或垃圾邮件发送者的用户并暂时阻止 SMTP 输出。
# review: no wlan1 interface appears in the posted export (guest wifi is on
# ether5 per /interface ethernet), so in-interface=ether5 is presumably the
# intended match — confirm before enabling
/ip firewall filter add action=drop chain=forward disabled=yes dst-port=25 in-interface=wlan1 log=yes protocol=tcp
此规则将阻止从 wlan1 接口发往 25 端口的所有 SMTP 流量。等你把规则改好之后,去掉 disabled=yes,或者在 GUI 中把它启用。