I am trying to redirect incoming traffic on tcp/80 of the public IP interface of a Mikrotik router to an internal server that runs a reverse proxy.
No matter what I do, the NAT rule does not work with tcp/80 as the destination port. If I change it to tcp/8080 or any other port, it starts working.
With tcp/80 as the destination port, the packets appear to reach the target machine, but the replies never come back.
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 X ;;; vacuum-logging
chain=forward action=log src-address=192.168.1.32 log=yes log-prefix="VACUUM"
2 ;;; Allow OpenVPN
chain=input action=accept protocol=tcp dst-port=1194
3 ;;; Allow HTTP
chain=input action=accept protocol=tcp in-interface=pppoe-out1 dst-port=80 log=yes log-prefix="IN_HTTP_ALLOW"
4 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
5 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
6 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
7 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
8 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface=pppoe-out1 log=no log-prefix="DROP"
9 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
10 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
11 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
12 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
13 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
14 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
1 chain=dstnat action=dst-nat to-addresses=192.168.1.110 to-ports=8080 protocol=tcp in-interface=pppoe-out1 dst-port=80 log=yes log-prefix="NAT_HTTP"
The original post on NetworkEngineering redirected me here...
Answer 1
I found the root cause: the ISP is blocking traffic on TCP 80 and 443.
The reason I did not spot it right away is that they do not block it by discarding all incoming packets. I could reach the router, the packets got "dropped off" at the destination, and the reply packets left the router... but those were dropped by the ISP.
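To show why the posted rule set itself is not the problem, here is an added example (not code from the original question or answer): a small Python model of the posted dst-nat rule and the input/forward filter chains, walked with constructed packets. It assumes a public address of 203.0.113.10 on pppoe-out1, that pppoe-out1 is a member of interface-list WAN, a LAN bridge named "bridge", and an outside client at 198.51.100.7:40123; the ipsec rules (9 and 10) are left out because no packet here carries an ipsec policy. The model applies dst-nat in prerouting, before the input/forward routing decision, which is how RouterOS orders these chains.

```python
"""Walk the posted RouterOS rule set with constructed packets (added example).

Assumptions, not from the original post: public address 203.0.113.10 on
pppoe-out1, pppoe-out1 in interface-list WAN, LAN bridge named "bridge",
outside client 198.51.100.7:40123.
"""
from dataclasses import dataclass, replace

ROUTER_PUBLIC_IP = "203.0.113.10"      # assumption: address on pppoe-out1
WAN_LIST = {"pppoe-out1"}              # assumption: interface-list WAN membership
SERVER = "192.168.1.110"               # from the posted dst-nat rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str
    syn_only: bool = True              # a bare SYN opens a new connection

    def five_tuple(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class Result:
    verdict: str
    chain: str
    rule: str
    state: str
    packet: Packet                     # the packet as it leaves the router


def conn_state(pkt, conntrack):
    """connection-state as conntrack would report it; returns (state, entry)."""
    for entry in conntrack:
        if pkt.five_tuple() in (entry["orig"], entry["reply"]):
            return "established", entry
    return ("new", None) if pkt.syn_only else ("invalid", None)


def dstnat_chain(pkt, nat_dport):
    """NAT rule 1: dst-nat tcp/<nat_dport> arriving on pppoe-out1 to 192.168.1.110:8080."""
    if pkt.proto == "tcp" and pkt.in_iface == "pppoe-out1" and pkt.dport == nat_dport:
        return replace(pkt, dst=SERVER, dport=8080), True
    return pkt, False


def input_chain(pkt, state):
    """Filter rules 2-8 (input), first match wins, default accept."""
    if pkt.proto == "tcp" and pkt.dport == 1194:
        return "accept", "Allow OpenVPN"
    if pkt.proto == "tcp" and pkt.in_iface == "pppoe-out1" and pkt.dport == 80:
        return "accept", "Allow HTTP"
    if state in ("established", "related", "untracked"):
        return "accept", "defconf: accept established,related,untracked"
    if state == "invalid":
        return "drop", "defconf: drop invalid"
    if pkt.proto == "icmp":
        return "accept", "defconf: accept ICMP"
    if pkt.dst == "127.0.0.1":
        return "accept", "defconf: accept to local loopback (for CAPsMAN)"
    if pkt.in_iface == "pppoe-out1":
        return "drop", "defconf: drop all not coming from LAN"
    return "accept", "chain default (accept)"


def forward_chain(pkt, state, nat_state):
    """Filter rules 11-14 (forward), first match wins, default accept."""
    if state in ("established", "related"):
        return "accept", "defconf: fasttrack"
    if state == "untracked":
        return "accept", "defconf: accept established,related, untracked"
    if state == "invalid":
        return "drop", "defconf: drop invalid"
    if state == "new" and nat_state != "dstnat" and pkt.in_iface in WAN_LIST:
        return "drop", "defconf: drop all from WAN not DSTNATed"
    return "accept", "chain default (accept)"


def process(pkt, conntrack, nat_dport=80):
    """One packet through prerouting dst-nat, the routing decision and the filter chains."""
    state, entry = conn_state(pkt, conntrack)
    nat_state, out = "none", pkt
    if state == "new":                                   # only the first packet hits NAT rules
        out, did_nat = dstnat_chain(pkt, nat_dport)
        nat_state = "dstnat" if did_nat else "none"
    elif entry is not None:
        nat_state = "dstnat" if entry["dstnat"] else "none"
        if pkt.five_tuple() == entry["reply"]:            # reply direction: undo the dst-nat
            _, _, _, orig_dst, orig_dport = entry["orig"]
            out = replace(pkt, src=orig_dst, sport=orig_dport)
    if out.dst in (ROUTER_PUBLIC_IP, "127.0.0.1"):        # router's own address -> input
        chain, (verdict, rule) = "input", input_chain(out, state)
    else:
        chain, (verdict, rule) = "forward", forward_chain(out, state, nat_state)
    if verdict == "accept" and state == "new":            # accepted new flow -> conntrack entry
        conntrack.append({"orig": pkt.five_tuple(),
                          "reply": (out.proto, out.dst, out.dport, out.src, out.sport),
                          "dstnat": nat_state == "dstnat"})
    return Result(verdict, chain, rule, state, out)


def run_scenario(client_dport=80, nat_dport=80):
    """Client SYN to the public IP, then the server's SYN-ACK coming back over the bridge."""
    conntrack = []
    syn = Packet("tcp", "198.51.100.7", 40123, ROUTER_PUBLIC_IP, client_dport, "pppoe-out1")
    inbound = process(syn, conntrack, nat_dport)
    synack = Packet("tcp", SERVER, 8080, "198.51.100.7", 40123, "bridge", syn_only=False)
    return inbound, process(synack, conntrack, nat_dport)


if __name__ == "__main__":
    for r in run_scenario():
        print(r.chain, r.state, r.verdict, r.rule, r.packet.src, r.packet.sport, r.packet.dst, r.packet.dport)
```

With the rules as posted, the SYN to tcp/80 is rewritten to 192.168.1.110:8080, passes the forward chain because it is dst-natted, and the server's SYN-ACK comes back as established and leaves as 203.0.113.10:80. Two side observations the model makes visible: the "Allow HTTP" input rule (rule 3) never sees that traffic, since dst-nat happens before the input/forward decision, and a SYN to a port the NAT rule does not cover lands in the input chain and is dropped by rule 8. Nothing in the rule set explains a lost reply, so the next check belongs outside the router: capture on the server and on the WAN interface to confirm the SYN-ACK leaves, then compare reachability of tcp/80 against another port from an external host, which is what pointed the poster at the ISP.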