我想在 Mikrotik RouterOS 上設定tcpport 8000->的連接埠轉送。192.168.1.16:4200
我做了以下事情:
/ip firewall nat add dstnat chain=dstnat action=dst-nat to-addresses=192.168.1.16 to-ports=4200 protocol=tcp dst-address=<PUBLIC_IP> dst-port=8000
當我嘗試使用來自 Internet 的服務時,以下命令會掛起:
curl <PUBLIC_IP>:8000
我可以看到計數器在 Mikrotik 的 NAT 規則上移動(透過 WebBox)。
在目標機器上,我可以在以下位置看到以下內容netstat -an | grep 4200:
tcp 0 0 0.0.0.0:4200 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.16:4200 <REMOTE_HOST>:37720 SYN_RECV
我確認我可以透過 本地連接到機器curl 192.168.1.16:4200。
我不知道哪裡出了問題:(
更新:防火牆過濾規則:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="fasttrack - except for ipsec" connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN