在网络内部,我连接到路由器,一切正常。
user@himik:~$ ssh -p 12345 -i ~/.ssh/id_rsa_mikro abcdef@192.168.0.1
[abcdef@MikroG] >
而从屋子里连接时则毫无响应:
alex@linux-5y4f:~> ssh -p 12345 -i ~/.ssh/id_rsa_mikro abcdef@195.18.18.18
路由器位于私有地址上,ssh 连接落到了网络内的一台服务器上,而不是路由器本身。有些地方需要修改,但不知道该怎么改。
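# Section path restored: the pasted header "/ip 防火墙 nat" is a machine
# translation of "/ip firewall nat" and is not a valid RouterOS path.
/ip firewall nat
# Outbound source NAT: traffic leaving bridge1WAN is rewritten to the public address.
add action=src-nat chain=srcnat comment=Internet out-interface=bridge1WAN \
    to-addresses=195.18.18.18
# WAN port forwards to the server 192.168.1.2 (HTTP, HTTPS and an SSH port).
add action=dst-nat chain=dstnat comment=\
    "80=HTML,443=HTMLS,58259=SSH trans to 1.2" dst-port=80,443,58259 \
    in-interface=bridge1WAN protocol=tcp to-addresses=192.168.1.2
# Replies from 192.168.1.2 to non-local clients are sourced from 192.168.1.1.
add action=src-nat chain=srcnat comment="HTMLS Server answer to 1.1" \
    dst-address=192.168.1.2 dst-port=80,443,58259 protocol=tcp src-address=\
    !192.168.0.0/16 to-addresses=192.168.1.1
# WAN TCP/23801 is forwarded to MySQL (TCP/3306) on 192.168.1.2.
# NOTE(review): there is no src-address match on this rule, so the database port
# is reachable from any Internet host; restricting src-address to the peers that
# actually need it would reduce the exposure of the MySQL service.
add action=dst-nat chain=dstnat comment="MySql to server second net" \
    dst-port=23801 in-interface=bridge1WAN protocol=tcp to-addresses=\
    192.168.1.2 to-ports=3306
add action=src-nat chain=srcnat dst-address=192.168.1.2 dst-port=3306 \
    protocol=tcp to-addresses=192.168.1.1
# Hairpin-style NAT: local clients (192.168.0.0/16) that connect to the public
# IP on 80/443 are redirected to 192.168.1.2, and the matching src-nat below
# makes the server's replies return through the router.
add action=dst-nat chain=dstnat comment=\
    "HTTPS From Local Net to Public IP -> masque to 1.2" dst-address=\
    195.18.18.18 dst-port=80,443 protocol=tcp src-address=192.168.0.0/16 \
    to-addresses=192.168.1.2
add action=src-nat chain=srcnat dst-address=192.168.1.2 dst-port=80,443 \
    protocol=tcp src-address=192.168.0.0/16 to-addresses=192.168.1.1
# Per-host SSH forwards from the WAN into the 192.168.0.0/24 segment.
add action=dst-nat chain=dstnat comment="alex ssh" dst-port=14396 \
    in-interface=bridge1WAN protocol=tcp to-addresses=192.168.0.10
# Masquerade between the two LAN subnets in both directions.
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=\
    192.168.1.0/24
add action=dst-nat chain=dstnat comment="silent wifi ssh" dst-port=51491 \
    in-interface=bridge1WAN protocol=tcp to-addresses=192.168.0.8
add action=dst-nat chain=dstnat comment="tan wifi ssh" dst-port=11357 \
    in-interface=bridge1WAN protocol=tcp to-addresses=192.168.0.9
# SSH to the router itself from the WAN, forwarded to 192.168.1.1 (judging by the
# src-nat rules above, that is the router's own address on 192.168.1.0/24).
# Because the target is the router, this connection is processed by the input
# chain of /ip firewall filter rather than the forward chain, as the post notes;
# an input-chain accept for this port is required for it to work.
add action=dst-nat chain=dstnat comment="Mikrotik from internet outside" \
    dst-port=12345 in-interface=bridge1WAN protocol=tcp to-addresses=192.168.1.1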
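# Section path restored: "/ip 防火墙过滤器" is a machine translation of
# "/ip firewall filter" and would not be accepted on import.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="Good connections" connection-state=established,related
add action=drop chain=input comment="Kill bad" connection-state=invalid
add action=accept chain=input comment="Ping me" protocol=icmp
# Drops every remaining input packet that did not arrive from an interface in the
# LAN list; log=yes makes these drops visible in the router log.
# NOTE(review): a dst-nat whose target is one of the router's own addresses
# (e.g. the WAN TCP/12345 forward to 192.168.1.1 in /ip firewall nat) still
# arrives in this chain with in-interface=bridge1WAN, so it is dropped here
# unless an explicit accept for that dst-port is placed before this rule.
add action=drop chain=input comment="Kill all inputs" in-interface-list=!LAN log=yes
# --- forward chain: traffic passing through the router ---
add action=accept chain=forward comment="Good transit" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Bad transit" connection-state=invalid
# New connections from the WAN may only enter if they were dst-natted.
add action=drop chain=forward comment="drop all from WAN to LAN" \
    connection-nat-state=!dstnat connection-state=new in-interface=bridge1WAN
# Accepts the dst-natted MySQL traffic (dst-port is already rewritten to 3306
# at this point). The forward chain as listed ends without a catch-all drop,
# so this rule is mostly documentary.
add action=accept chain=forward comment="to MySQL pass from WAN" \
    dst-port=3306 in-interface=bridge1WAN protocol=tcp
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
# NOTE(review): this fasttrack rule sits after the "Good transit" accept for
# established,related, which already terminates processing for those packets,
# so it is unlikely to ever match; it is normally placed before that accept.
add action=fasttrack-connection chain=forward connection-state=established,related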
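# Section path restored: "/ip 服务" is a machine translation of "/ip service".
/ip service
# Web UI (plain and TLS) is restricted to 192.168.0.0/16 and IPv6 link-local.
set www address=192.168.0.0/16,fe80::/64 port=18671
# NOTE(review): unlike www/www-ssl, the ssh service has no address= restriction.
# Together with the WAN TCP/12345 dst-nat in /ip firewall nat this is the
# service reachable from the Internet; an address= list of trusted sources
# would limit who can even reach the login prompt.
set ssh port=12345
# Line continuation restored: in the pasted text "disabled=no port=16190" had
# lost the trailing backslash and would have been parsed as a separate command.
set www-ssl address=192.168.0.0/16,fe80::/64 certificate=Webfig \
    disabled=no port=16190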
根据 Alexey Ten 的评论,事实证明:即使在 /ip firewall nat 的 chain=dstnat 中把流量重定向到某个 IP 地址,只要这个地址是 Mikrotik 本身,/ip firewall 对这些流量的处理就会落在 chain=input 中,而不是 chain=forward 中。因此我添加了
代替