destination rule - src address list
Posted: Sat Jan 14, 2017 9:03 pm
by onlineuser
Hello,
I have several address lists which should be ignored for my destination NAT rules.
It would be fine if more than one address list could be specified - it should also be possible to negate some of the address lists.
Or can I dynamically create a new address list which contains the IP addresses of two or three other address lists (but this would be a waste of memory)? It would be better if the rule checked more address lists.
Or can I add two identical destination NAT rules where only the address list is different?
Re: destination rule - src address list
Posted: Sun Jan 15, 2017 12:52 am
by teamer
Or can I add two identical destination NAT rules where only the address list is different?
Sure.
Re: destination rule - src address list
Posted: Sun Jan 15, 2017 10:48 am
by onlineuser
No, it's not possible.
example:
address list 1: block_scanner
address list 2: block_permanent_blacklisted
When there are two rules (the first one only allows IP addresses which are not in block_scanner), this rule will be taken without checking the second one, even if the IP is on the block_permanent_blacklisted address list.
I think the only way is to generate a third address list which includes all the IP addresses from the block_scanner and block_permanent_blacklisted address lists.
Or the feature from my first post gets implemented, which would not waste memory.
Re: destination rule - src address list
Posted: Sun Jan 15, 2017 2:54 pm
by teamer
No, it's not possible.
example:
address list 1: block_scanner
address list 2: block_permanent_blacklisted
When there are two rules (the first one only allows IP addresses which are not in block_scanner), this rule will be taken without checking the second one, even if the IP is on the block_permanent_blacklisted address list.
Instead of allowing IP addresses not in the list, just block those in the list.
Re: destination rule - src address list
Posted: Sun Jan 15, 2017 9:42 pm
by onlineuser
Yeah, in the meantime I solved it this way - but it would also be nice if a rule (firewall or NAT) could consider more than one address list.
Re: destination rule - src address list
Posted: Mon Jan 16, 2017 12:04 am
by Sob
Or you can do pretty much anything using chains:
/ip firewall nat
# every srcnat packet first passes through the "test" chain; if that chain
# returns or falls through, processing continues here and masquerade applies
add action=jump chain=srcnat jump-target=test
add action=masquerade chain=srcnat
# accept ends NAT processing for the packet, so test1 sources are not masqueraded
add action=accept chain=test src-address-list=test1
# return goes back to srcnat, so test2 sources are masqueraded
add action=return chain=test src-address-list=test2
# two lists in one rule, one of them negated
add action=accept chain=test dst-address-list=!test4 src-address-list=test3
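To make the two points above concrete (teamer's "drop those in the list instead of accepting those not in it", and Sob's jump/return chain), here is an added toy model of first-match rule evaluation with address lists. It is illustration code written for this thread, not RouterOS code and not any poster's configuration; the address list contents are constructed sample values from documentation and private ranges, and the accept/drop/jump/return semantics follow what the thread describes (first matching verdict wins; a return, or falling off the end of a jumped-to chain, resumes after the jump rule).

```python
# Added illustration: a toy model of first-match chain evaluation with address
# lists. NOT RouterOS code and NOT a poster's config; list contents are
# constructed sample values (RFC 5737 / RFC 1918 ranges) chosen for the demo.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address lists (assumption: contents exist only for this example).
ADDRESS_LISTS = {
    "block_scanner": ["203.0.113.0/24"],
    "block_permanent_blacklisted": ["198.51.100.7"],
    "test1": ["10.0.1.0/24"],
    "test2": ["10.0.2.0/24"],
    "test3": ["10.0.3.0/24"],
    "test4": ["192.0.2.0/24"],
}


def in_list(addr: str, name: str) -> bool:
    """True if addr falls inside any prefix of the named address list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in ADDRESS_LISTS.get(name, []))


@dataclass
class Rule:
    action: str                       # accept, drop, masquerade, jump, return
    src_list: Optional[str] = None    # "name" or "!name" (negated), like src-address-list
    dst_list: Optional[str] = None    # same for dst-address-list
    jump_target: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        for spec, addr in ((self.src_list, src), (self.dst_list, dst)):
            if spec is None:
                continue
            negated = spec.startswith("!")
            # A negated matcher fails exactly when the address IS in the list.
            if in_list(addr, spec.lstrip("!")) == negated:
                return False
        return True


def evaluate(chains: dict, chain: str, src: str, dst: str) -> Optional[str]:
    """First matching terminating rule wins. A jump evaluates the target chain;
    'return' or falling off its end resumes after the jump rule. None means the
    chain fell through without a verdict."""
    for rule in chains[chain]:
        if not rule.matches(src, dst):
            continue
        if rule.action == "jump":
            verdict = evaluate(chains, rule.jump_target, src, dst)
            if verdict is not None:
                return verdict
            continue
        if rule.action == "return":
            return None
        return rule.action
    return None


def broken_filter() -> dict:
    """The first attempt from the thread: 'accept if NOT in list', twice.
    Rule 1 already accepts a blacklisted host that is not a scanner."""
    return {"forward": [
        Rule("accept", src_list="!block_scanner"),
        Rule("accept", src_list="!block_permanent_blacklisted"),
        Rule("drop"),
    ]}


def fixed_filter() -> dict:
    """teamer's fix: one drop rule per list, then accept the rest."""
    return {"forward": [
        Rule("drop", src_list="block_scanner"),
        Rule("drop", src_list="block_permanent_blacklisted"),
        Rule("accept"),
    ]}


def chained_nat() -> dict:
    """Sob's jump/return layout, modelled with the same rule objects."""
    return {
        "srcnat": [Rule("jump", jump_target="test"), Rule("masquerade")],
        "test": [
            Rule("accept", src_list="test1"),
            Rule("return", src_list="test2"),
            Rule("accept", src_list="test3", dst_list="!test4"),
        ],
    }


if __name__ == "__main__":
    blacklisted, clean = "198.51.100.7", "192.0.2.50"
    print("broken:", evaluate(broken_filter(), "forward", blacklisted, clean))  # accept (wrong)
    print("fixed :", evaluate(fixed_filter(), "forward", blacklisted, clean))   # drop
    for s in ("10.0.1.5", "10.0.2.5", "10.0.3.5", "10.0.9.9"):
        print("nat   :", s, "->", evaluate(chained_nat(), "srcnat", s, "192.0.2.1"))
```

Running it shows why the "accept if not in list" pair never reaches the second list: the blacklisted host is accepted by the first rule. The drop-per-list version blocks it, and in the chain layout a source in test2 is returned to srcnat and masqueraded, while a test3 source whose destination is in test4 falls off the end of the test chain and is also masqueraded.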
Re: destination rule - src address list
Posted: Mon Jan 16, 2017 8:32 am
by onlineuser
Cool, thanks - why not use the same scheme as for firewall rules - good idea.
Re: destination rule - src address list
Posted: Mon Jan 16, 2017 5:25 pm
by onlineuser
For NAT rules there is no DROP available.
A RETURN jumps back to where the jump came from.
Why is there no DROP available for NAT rules?
Is a return equivalent to a drop?
Re: destination rule - src address list
Posted: Mon Jan 16, 2017 5:29 pm
by BartoszP
NAT is not for filtering packets but for substituting the SRC/DST/PORTS part of a packet.
Use firewall rules to drop them. Why do you want NAT to do this?
Re: destination rule - src address list
Posted: Mon Jan 16, 2017 6:18 pm
by onlineuser
Ok, thanks. I thought that if the NAT rule could drop the packet, the firewall rules would be a little easier to read because there would be fewer rules in them.