DST-NAT for tcp/80 on a Mikrotik router


I am trying to redirect incoming traffic arriving on tcp/80 at the public IP interface of a Mikrotik router to an internal server that runs a reverse proxy.

Whatever I do, the NAT rule does not work with tcp/80 as the destination port. If I change it to tcp/8080 or any other port, it starts working.

With tcp/80 as the destination port, it looks like the packets reach the target machine, but the replies never come back.

/ip firewall filter print

Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1 X  ;;; vacuum-logging
      chain=forward action=log src-address=192.168.1.32 log=yes log-prefix="VACUUM"

 2    ;;; Allow OpenVPN
      chain=input action=accept protocol=tcp dst-port=1194

 3    ;;; Allow HTTP
      chain=input action=accept protocol=tcp in-interface=pppoe-out1 dst-port=80 log=yes log-prefix="IN_HTTP_ALLOW"

 4    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 5    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 6    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 7    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 8    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface=pppoe-out1 log=no log-prefix="DROP"

 9    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

10    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

11    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related

12    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

13    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

14    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

/ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

 1    chain=dstnat action=dst-nat to-addresses=192.168.1.110 to-ports=8080 protocol=tcp in-interface=pppoe-out1 dst-port=80 log=yes log-prefix="NAT_HTTP"

The original post on NetworkEngineering redirected me here...

Answer 1

I found the root cause: the ISP blocks traffic on TCP 80 and 443.

The reason I did not spot it immediately is that they do not block it by dropping all incoming packets. I could reach the router, the packets were "dropped" to the destination, the reply packets left the router... but those were dropped by the ISP.
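As an added example (not part of the question or the answer), the Python below parses RouterOS `print` output of the kind quoted above and checks the two things the router itself must get right before anything upstream is blamed: that an enabled dst-nat rule maps tcp/80 to the reverse proxy, and that the forward chain does not drop new dst-natted connections. The sample listings are constructed, trimmed copies of the output in the question.

```python
import re
# Constructed sample: trimmed copies of the question's "/ip firewall nat print" and "/ip firewall filter print".
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

 1    chain=dstnat action=dst-nat to-addresses=192.168.1.110 to-ports=8080 protocol=tcp in-interface=pppoe-out1 dst-port=80 log=yes log-prefix="NAT_HTTP"
"""
FILTER_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 1 X  ;;; vacuum-logging
      chain=forward action=log src-address=192.168.1.32 log=yes log-prefix="VACUUM"

14    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
"""
RULE_HEAD = re.compile(r"^\s*(\d+)\s+((?:[XID]\s+)*)(.*)$")  # "<id> [flags] <;;; comment | key=value ...>"
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')                    # key=value, value possibly quoted

def parse_print(text):
    """Parse RouterOS `print` output into dicts holding id, flags, comment and every key=value."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        head = RULE_HEAD.match(line)
        if head:  # new rule; indented continuation lines start with "key=" and never match
            rules.append({"id": int(head.group(1)), "flags": head.group(2).split(), "comment": None})
            line = head.group(3)
            if line.startswith(";;;"):
                rules[-1]["comment"] = line[3:].strip()
                continue
        rules[-1].update({k: v.strip('"') for k, v in KV.findall(line)})
    return rules

def dstnat_map(nat_rules):
    """Public (protocol, dst-port) -> (to-address, to-port) for every enabled dst-nat rule."""
    return {(r.get("protocol"), r["dst-port"]): (r["to-addresses"], r.get("to-ports", r["dst-port"]))
            for r in nat_rules
            if r.get("chain") == "dstnat" and r.get("action") == "dst-nat" and "X" not in r["flags"]}

def forward_admits_dstnat(filter_rules):
    """True when no enabled forward drop can catch a new dst-natted connection (invalid-only or !dstnat drops are fine)."""
    for r in filter_rules:
        if r.get("chain") != "forward" or r.get("action") != "drop" or "X" in r["flags"]:
            continue
        if r.get("connection-state") != "invalid" and r.get("connection-nat-state") != "!dstnat":
            return False
    return True
```

Input-chain rules such as "Allow HTTP" are ignored on purpose: dst-natted traffic traverses the forward chain, not input, so when both checks pass the remaining suspects are the internal server's return route and the upstream path, which is where the answer found the problem.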
