<h1>NAT 1:1 Mikrotik + firewall</h1>
<p>Published 2016-08-11 20:33:57 at https://diablo.craem.net/?p=1208 (category: mikrotik; tags: mikrotik, nat-11)</p>

<p>Another entry that is really a note to self.<br />
These days I have had to set up 1:1 NAT on Mikrotik routers and protect machines with the router's firewall.... a priori it is simple, but the firewall part got me stuck for a bit.<br />
Imagine we have an internet connection with a <strong>GLOBAL NAT</strong>, a <strong>/29</strong> to share out among our services. To keep it simple, we will apply 1:1 NAT.<br />
Our provider hands us the subnet 1.1.1.0/29 and we have to use 1.1.1.1 as the gateway.... we will assign 1.1.1.2 to our mail server, and it must have <em>ICMP, WWW and HTTPS</em> allowed.<br />
Let's start:</p>
<pre><code>/ip address
# public /29 on the WAN interface
add address=1.1.1.1/29 comment=wan interface=outside network=1.1.1.0
# LAN side; the network value must match the 192.168.1.0/24 range
add address=192.168.1.254/24 interface=inside network=192.168.1.0
# the mail server's public address also lives on the WAN interface
add address=1.1.1.2/29 comment="nat to 192.168.1.2" interface=outside network=1.1.1.0
</code></pre>
<p>We will call the external interface <em>outside</em>, the internal one <em>inside</em>, and the local LAN range is <em>192.168.1.0/24</em>.<br />
We assign the public IP on <em>outside</em>, and the mail server's public IP as well.<br />
Now we add the firewall rules to allow the desired traffic:</p>
<pre><code>/ip firewall filter
# rules with no explicit action accept; they only match connections that mangle has already marked ip_2
add chain=forward comment="ip 2" connection-mark=ip_2 protocol=icmp
# note: port= matches either source or destination port; dst-port= would be the stricter match
add chain=forward comment="ip 2" connection-mark=ip_2 port=25 protocol=tcp
add chain=forward comment="ip 2" connection-mark=ip_2 port=80 protocol=tcp
add chain=forward comment="ip 2" connection-mark=ip_2 port=443 protocol=tcp
add chain=forward comment="ip 2" connection-mark=ip_2 port=53 protocol=udp
# everything else addressed to 1.1.1.2 is dropped
add action=drop chain=forward comment="ip 2" connection-mark=ip_2
</code></pre>
<p>The last line is important... if you leave it out and your server is a Windows box, they will leave it like a sieve xDDDD.<br />
We continue with the mangle rules to identify the IPs:</p>
<pre><code>/ip firewall mangle
# inbound: anything addressed to the public 1.1.1.2 gets the ip_2 connection mark (prerouting mangle runs before dst-nat)
add action=mark-connection chain=prerouting comment="ip 2" dst-address=1.1.1.2 log-prefix=ip_2 new-connection-mark=ip_2 \
    passthrough=no
# outbound: connections started by the server itself get a separate mark, so the drop rule above does not touch them
add action=mark-connection chain=prerouting comment="ip 2" new-connection-mark=publicas passthrough=no src-address=\
    192.168.1.2
</code></pre>
<p>And now the NAT itself:</p>
<pre><code>/ip firewall nat
# inbound: public 1.1.1.2 -> 192.168.1.2
add action=dst-nat chain=dstnat comment="nat to 1.1.1.2" dst-address=1.1.1.2 in-interface=outside to-addresses=\
    192.168.1.2
# outbound: 192.168.1.2 leaves as 1.1.1.2 rather than the router's own WAN address
add action=src-nat chain=srcnat comment="nat to 1.1.1.2" out-interface=outside src-address=192.168.1.2 to-addresses=\
    1.1.1.2
</code></pre>
<p>And with that, everything is done ;).<br />
The process is:<br />
&#8211; Assign the IP to the public interface.<br />
&#8211; Add the firewall rules, marking the packets.<br />
&#8211; Apply the NAT.</p>