how to limit VPN user access to one server?

8 posts   •   Page 1 of 1
toedwyday
just joined
 
Posts: 4
Joined: Wed May 18, 2011 1:22 pm

how to limit VPN user access to one server?

by toedwyday » Wed May 18, 2011 8:55 pm

Hi all, I would like to create a VPN account under "PPP". For this VPN account, I name it "user1"; this account is only allowed to access one server (IP: 1.1.1.1, FTP port 21) in my internal network. user1 will be dialing in to the VPN from the internet.

My idea is to do 2 firewall rules. The first will allow user1 to access my server 1.1.1.1 FTP port 21; the second firewall rule will drop any other connection to other servers or protocols.

I created a "profile" under "PPP" and named it "profile1", then I changed the remote address at profile1 to 9.9.9.9. Then at "Secrets" under "PPP", I created an account named "user1" and changed the profile to "profile1".

At "Firewall" >> "Address Lists" I created a list named "ftp_list" with address=9.9.9.9.

At "Firewall" under "Filter Rules", I added rule1: chain=input, dst address=1.1.1.1, protocol=tcp, dst port=21; under the "Advanced" tab, I put Src. address list=ftp_list, Action=accept.
(Assume user1 dials in; he/she will be assigned IP 9.9.9.9 (ftp_list), so he/she is allowed to FTP to 1.1.1.1 port 21.)

At the same place, I added rule2: chain=input, protocol=tcp, action=drop (supposedly it will drop everything after rule1).

But I tested it, and it won't work. When user1 dialed into the MK router, it could ping/telnet/ftp to any server.

The reason I want to limit user1 to access only 1.1.1.1 from the internet is because of a security concern.

Can anyone give me some advice?

Thanks!

fewi
Forum Guru
 
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: how to limit VPN user access to one server?

by fewi » Wed May 18, 2011 9:04 pm

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
There are three predefined chains, which cannot be deleted:

input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain


The 'input' chain is for traffic directly TO the router. You're trying to firewall traffic between a VPN client and a server, which is traffic THROUGH the router. Use the 'forward' chain for your rules.
You also want to change your drop rule to not drop everything, as that would drop all traffic through the router. Drop traffic to/from that address list after permitting FTP traffic. It would also make sense to go stateful to easily allow return traffic from the FTP server to the client.

Code:
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward dst-address=1.1.1.1 protocol=tcp dst-port=21 src-address-list=ftp_list action=accept
add chain=forward dst-address-list=ftp_list action=drop
add chain=forward src-address-list=ftp_list action=drop


Generally speaking the above should work. The connection-state rules should be above any other rules you have. If you need more specific help with fitting things into existing rule sets you'll have to post them here.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.

blake
Member
 
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: how to limit VPN user access to one server?

by blake » Wed May 18, 2011 10:17 pm

You could use dynamic PPP filters to achieve this.
Code:
/ip firewall filter
add chain=pptp-filter-in action=accept dst-address=1.1.1.1 protocol=tcp dst-port=21
add chain=pptp-filter-in action=drop
add chain=pptp-filter-out action=drop

add chain=forward action=jump jump-target=ppp

/ppp profile
add name=filtered-users copy-from=default-encryption incoming-filter=pptp-filter-in outgoing-filter=pptp-filter-out

/ppp secret
set user1 profile=filtered-users

Connect to the VPN, and then you'll have dynamic rules added to the PPP chain which direct traffic from user1 into the specified chains.
Code:
[blake@test] /ip firewall filter> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=ppp action=jump jump-target=pptp-filter-in in-interface=<pptp-user1>

 1 D chain=ppp action=jump jump-target=pptp-filter-out out-interface=<pptp-user1>
[blake@test] /ip firewall filter>

I edited this post to add the jump into the ppp chain as I forgot it in the original post. I also removed the connection-state rules because they're not needed in the 'pptp-filter*' chains if they're already in the main forward chain.
Last edited by blake on Wed May 18, 2011 10:28 pm, edited 2 times in total.
IT consultant. Network manager. Packet junkie.
1-928-328-1509

fewi
Forum Guru
 
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: how to limit VPN user access to one server?

by fewi » Wed May 18, 2011 10:24 pm

That's considerably nicer.

toedwyday
just joined
 
Posts: 4
Joined: Wed May 18, 2011 1:22 pm

Re: how to limit VPN user access to one server?

by toedwyday » Thu May 19, 2011 5:45 am

fewi wrote:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
There are three predefined chains, which cannot be deleted:

input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain


The 'input' chain is for traffic directly TO the router. You're trying to firewall traffic between a VPN client and a server, which is traffic THROUGH the router. Use the 'forward' chain for your rules.
You also want to change your drop rule to not drop everything, as that would drop all traffic through the router. Drop traffic to/from that address list after permitting FTP traffic. It would also make sense to go stateful to easily allow return traffic from the FTP server to the client.

Code:
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward dst-address=1.1.1.1 protocol=tcp dst-port=21 src-address-list=ftp_list action=accept
add chain=forward dst-address-list=ftp_list action=drop
add chain=forward src-address-list=ftp_list action=drop


Generally speaking the above should work. The connection-state rules should be above any other rules you have. If you need more specific help with fitting things into existing rule sets you'll have to post them here.


Hi, thanks for the reply. For your 3rd rule "add chain=forward connection-state=invalid action=drop", will this drop other packets? Because this MK serves as our main router and it has many other firewall rules.

I don't dare to try it out just in case it drops other connections.

Usually I use the GUI to do the config, so I'm not used to the CLI. So for the above commands, I will go to the terminal and go into /ip firewall, then type in line by line followed by "enter" at each line, right?

Thanks for the help!

fewi
Forum Guru
 
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: how to limit VPN user access to one server?

by fewi » Thu May 19, 2011 7:16 am

You should go with what blake posted.

toedwyday
just joined
 
Posts: 4
Joined: Wed May 18, 2011 1:22 pm

Re: how to limit VPN user access to one server?

by toedwyday » Thu May 19, 2011 10:14 am

blake wrote:
You could use dynamic PPP filters to achieve this.
Code:
/ip firewall filter
add chain=pptp-filter-in action=accept dst-address=1.1.1.1 protocol=tcp dst-port=21
add chain=pptp-filter-in action=drop
add chain=pptp-filter-out action=drop

add chain=forward action=jump jump-target=ppp

/ppp profile
add name=filtered-users copy-from=default-encryption incoming-filter=pptp-filter-in outgoing-filter=pptp-filter-out

/ppp secret
set user1 profile=filtered-users

Connect to the VPN, and then you'll have dynamic rules added to the PPP chain which direct traffic from user1 into the specified chains.
Code:
[blake@test] /ip firewall filter> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=ppp action=jump jump-target=pptp-filter-in in-interface=<pptp-user1>

 1 D chain=ppp action=jump jump-target=pptp-filter-out out-interface=<pptp-user1>
[blake@test] /ip firewall filter>

I edited this post to add the jump into the ppp chain as I forgot it in the original post. I also removed the connection-state rules because they're not needed in the 'pptp-filter*' chains if they're already in the main forward chain.


Hi blake, thanks for the reply.
For this "add chain=pptp-filter-in action=accept dst-address=1.1.1.1 protocol=tcp dst-port=21", how do I add chain=pptp-filter-in? Because I can only find "forward, input, output".

For your second and third rules, "add chain=pptp-filter-in action=drop
add chain=pptp-filter-out action=drop"

will these drop all other traffic?

Thanks!

blake
Member
 
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: how to limit VPN user access to one server?

by blake » Thu May 19, 2011 10:59 am

toedwyday wrote:
Hi blake, thanks for the reply.
For this "add chain=pptp-filter-in action=accept dst-address=1.1.1.1 protocol=tcp dst-port=21", how do I add chain=pptp-filter-in? Because I can only find "forward, input, output".

When you run that command it will create the chain 'pptp-filter-in' since it does not already exist.

toedwyday wrote:
For your second and third rules, "add chain=pptp-filter-in action=drop
add chain=pptp-filter-out action=drop"

will these drop all other traffic?

Yes. The first 'drop' will drop all inbound (client to network) traffic not permitted by the FTP rule. The second drop will effectively stop anything on the network from initiating a connection to the client. It will not drop the FTP server's reply data to the client as that will be permitted by the 'established' and 'related' rules in the FORWARD chain, assuming you already have those in place.
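As an added example (not code from the thread, from either poster, or from RouterOS itself), the following Python models first-match evaluation of RouterOS filter chains in just enough detail to show the three points the thread turns on: why the original 'input'-chain rules never see VPN-to-server traffic, what fewi's stateful 'forward' rules decide per packet, and how blake's dynamic 'ppp' jumps reach the 'pptp-filter-in' / 'pptp-filter-out' chains, including the two drops blake explains above. The Packet and Rule classes, the constructed addresses 1.1.1.2, 10.0.0.5 and 203.0.113.10, the interface name ether1 and the sample traffic are assumptions of the model; the first-match, jump-return and default-accept behaviour is a simplification of what the RouterOS manual describes, not RouterOS code.

```python
# Added example, not code from the thread or from RouterOS: a first-match
# model of /ip firewall filter chains. Simplified semantics: the first
# matching rule wins, 'jump' enters a chain and returns to the caller if
# nothing there matched, and a chain that runs out of rules means 'accept'.
from dataclasses import dataclass
from typing import Optional

FTP_SERVER, VPN_CLIENT = "1.1.1.1", "9.9.9.9"   # addresses from the thread
OTHER_SERVER, LAN_HOST = "1.1.1.2", "10.0.0.5"  # constructed internal hosts
PPP_IFACE = "<pptp-user1>"    # dynamic interface name from blake's output
ADDRESS_LISTS = {"ftp_list": {VPN_CLIENT}}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "new"          # new / established / related / invalid
    in_iface: str = "ether1"    # constructed interface names
    out_iface: str = "ether1"


class Rule:
    """chain and action plus matchers named after Packet fields; src_list and
    dst_list instead check the address against a named address list."""

    def __init__(self, chain, action, jump_target=None, **match):
        self.chain, self.action = chain, action
        self.jump_target, self.match = jump_target, match

    def matches(self, p: Packet) -> bool:
        for key, want in self.match.items():   # no matchers: match-all rule
            if key.endswith("_list"):
                if getattr(p, key[:-5]) not in ADDRESS_LISTS[want]:
                    return False
            elif getattr(p, key) != want:
                return False
        return True


def run_chain(rules, chain: str, p: Packet) -> Optional[str]:
    """First terminal verdict in the chain, or None if it ends unmatched."""
    for r in rules:
        if r.chain != chain or not r.matches(p):
            continue
        if r.action == "jump":
            v = run_chain(rules, r.jump_target, p)
            if v is not None:
                return v
            continue            # target chain ended: carry on in this chain
        return r.action
    return None


def verdict(rules, p: Packet) -> str:
    """All sample traffic passes through the router, so evaluation starts in
    'forward'; rules placed in 'input' are never consulted for it."""
    return run_chain(rules, "forward", p) or "accept"


# The original poster's two rules, placed in the 'input' chain.
OP_RULES = [
    Rule("input", "accept", dst=FTP_SERVER, proto="tcp", dport=21, src_list="ftp_list"),
    Rule("input", "drop", proto="tcp"),
]
# fewi's stateful 'forward' rules.
FEWI_RULES = [
    Rule("forward", "accept", state="established"),
    Rule("forward", "accept", state="related"),
    Rule("forward", "drop", state="invalid"),
    Rule("forward", "accept", dst=FTP_SERVER, proto="tcp", dport=21, src_list="ftp_list"),
    Rule("forward", "drop", dst_list="ftp_list"),
    Rule("forward", "drop", src_list="ftp_list"),
]
# blake's rules plus the two dynamic 'ppp' entries RouterOS adds while user1
# is connected; connection-state rules are assumed already in 'forward'.
BLAKE_RULES = [
    Rule("forward", "accept", state="established"),
    Rule("forward", "accept", state="related"),
    Rule("forward", "jump", jump_target="ppp"),
    Rule("ppp", "jump", jump_target="pptp-filter-in", in_iface=PPP_IFACE),
    Rule("ppp", "jump", jump_target="pptp-filter-out", out_iface=PPP_IFACE),
    Rule("pptp-filter-in", "accept", dst=FTP_SERVER, proto="tcp", dport=21),
    Rule("pptp-filter-in", "drop"),
    Rule("pptp-filter-out", "drop"),
]
# Constructed sample traffic.
PACKETS = {
    "client_to_ftp": Packet(VPN_CLIENT, FTP_SERVER, dport=21, in_iface=PPP_IFACE),
    "client_to_telnet": Packet(VPN_CLIENT, OTHER_SERVER, dport=23, in_iface=PPP_IFACE),
    "ftp_reply": Packet(FTP_SERVER, VPN_CLIENT, state="established", out_iface=PPP_IFACE),
    "lan_to_client": Packet(LAN_HOST, VPN_CLIENT, dport=445, out_iface=PPP_IFACE),
    "lan_to_internet": Packet(LAN_HOST, "203.0.113.10", dport=443),
}


def evaluate(rules) -> dict:
    """Verdict for every sample packet under one rule set."""
    return {name: verdict(rules, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("OP", OP_RULES), ("fewi", FEWI_RULES), ("blake", BLAKE_RULES)):
        print(label, evaluate(rules))
```

Running it shows the original rule set accepting every sample packet (nothing in 'forward' matches, so the router's default applies), while both answers accept the client's FTP session and its replies, drop the client's telnet attempt and the LAN host's connection to the client, and leave LAN-to-internet traffic alone. The last case is where the jump-return behaviour matters: traffic that is not on the PPP interface matches neither dynamic 'ppp' rule, so evaluation continues in 'forward' after the jump instead of being dropped.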
