forward in Mikrotik: why does it work like this?

The billing documentation recommends configuring it like this:

[admin@MikroTik] > ip firewall filter add chain=forward action=accept dst-address-list=ACCESS_LIST
[admin@MikroTik] > ip firewall filter add chain=forward action=accept src-address-list=ACCESS_LIST   
[admin@MikroTik] > ip firewall filter add chain=forward action=drop

 

I decided to check (enabled log instead of drop):

4   chain=forward action=accept src-address-list=ACCESS_LIST 

5   chain=forward action=accept dst-address-list=ACCESS_LIST 

6   ;;; for NO_MONEY page
    chain=forward action=accept protocol=tcp src-address-list=NO_MONEY 
    dst-port=80 

7   ;;; Block ANY
    chain=forward action=log src-address-list=!ACCESS_LIST log-prefix="" 

In the log I got a bunch of lines from addresses that are in ACCESS_LIST. Why is that? Does the packet not leave the chain at rules 5 and 6, but go on further?


Put a rule blocking address-list=ACCESS_LIST between 5 and 6, and it won't go any further. Everything that is not forbidden is allowed.

Edited by saaremaa


I did this:

4   chain=forward action=accept src-address-list=ACCESS_LIST 

5   chain=forward action=accept dst-address-list=ACCESS_LIST 

6   ;;; for NO_MONEY page
    chain=forward action=accept protocol=tcp src-address-list=NO_MONEY dst-port=80 

7   chain=forward action=drop src-address-list=ACCESS_LIST 

8   chain=forward action=drop dst-address-list=ACCESS_LIST 

Rules 7 and 8: no traffic

Edited by mash55
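
An added example, not part of the thread and not RouterOS code: a small Python model of the two forward-chain rule sets posted above, assuming RouterOS's top-down evaluation in which accept and drop end processing, log passes the packet on to the next rule, and a packet that matches no terminating rule is accepted. The address-list members and the packets are constructed sample values.

```python
# Added example: a model of ordered first-match filtering, not RouterOS code.
# Address-list members and packets are constructed sample values.
LISTS = {"ACCESS_LIST": {"10.0.0.10"}, "NO_MONEY": {"10.0.0.50"}}

# Rules 4-6 appear in both posted rule sets.
COMMON = [
    (4, "accept", {"src-address-list": "ACCESS_LIST"}),
    (5, "accept", {"dst-address-list": "ACCESS_LIST"}),
    (6, "accept", {"protocol": "tcp", "src-address-list": "NO_MONEY", "dst-port": 80}),
]
# First post: rule 7 logs instead of dropping.
LOG_RULES = COMMON + [(7, "log", {"src-address-list": "!ACCESS_LIST"})]
# Last post: rules 7 and 8 drop ACCESS_LIST traffic.
DROP_RULES = COMMON + [
    (7, "drop", {"src-address-list": "ACCESS_LIST"}),
    (8, "drop", {"dst-address-list": "ACCESS_LIST"}),
]

PACKETS = [  # constructed: subscriber out, reply in, NO_MONEY http, NO_MONEY https
    {"src": "10.0.0.10", "dst": "198.51.100.7", "protocol": "udp", "dst-port": 53},
    {"src": "198.51.100.7", "dst": "10.0.0.10", "protocol": "udp", "dst-port": 40000},
    {"src": "10.0.0.50", "dst": "192.0.2.80", "protocol": "tcp", "dst-port": 80},
    {"src": "10.0.0.50", "dst": "192.0.2.80", "protocol": "tcp", "dst-port": 443},
]

def in_list(addr, spec):
    """Test list membership; a leading '!' negates the result."""
    return (addr in LISTS[spec.lstrip("!")]) != spec.startswith("!")

def matches(pkt, m):
    """A rule matches only when every matcher it carries matches."""
    return (all(pkt.get(k) == m[k] for k in ("protocol", "dst-port") if k in m)
            and ("src-address-list" not in m or in_list(pkt["src"], m["src-address-list"]))
            and ("dst-address-list" not in m or in_list(pkt["dst"], m["dst-address-list"])))

def run(rules):
    """Return (verdict per packet, hit counter per rule number)."""
    verdicts, hits = [], {}
    for pkt in PACKETS:
        verdict = "accept"  # nothing terminating matched: built-in chain accepts
        for num, action, m in rules:
            if matches(pkt, m):
                hits[num] = hits.get(num, 0) + 1
                if action in ("accept", "drop"):  # terminating actions
                    verdict = action
                    break  # "log" falls through to the next rule
        verdicts.append(verdict)
    return verdicts, hits

if __name__ == "__main__":
    print("log variant :", run(LOG_RULES))
    print("drop variant:", run(DROP_RULES))
```

In this model the drop variant records no hits on rules 7 and 8, and the log variant records a hit on rule 7 only for the packet whose source and destination are both outside ACCESS_LIST.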
