Simple Firewall Rules
RouterOS Scripting and API

3 posts   •   Page 1 of 1
Member Candidate
Member Candidate
Posts: 273
Joined: Wed Jun 30, 2004 8:18 pm

Simple Firewall Rules

by mperdue » Tue Dec 29, 2009 7:10 pm

I've read several forum posts as well as the mikrotik documentation. I even paid someone to write some firewall rules once but I simply do not understand the syntax.

I'd would like to see a simple firewall rule/script that would block a single port on an incoming ethernet port. Such as blocking incoming telnet, ssh, and sql ports.

Thank You

Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Simple Firewall Rules

by fewi » Tue Dec 29, 2009 7:33 pm

I'm assuming you mean traffic flowing through the firewall, and not traffic destined for the firewall itself. The below blocks all traffic that would flow through the firewall, comes in through the interface named WAN and is destined for port tcp/23:

Code: Select all
/ip firewall filter add chain=forward in-interface=WAN protocol=tcp dst-port=23 action=drop

Of course that rule may not work depending on context. If you have a rule higher above it that accepts all traffic coming in the WAN interface, or in the forward chain etc. then this rule would never be reached.

The basic idea is that in firewall filtering there are three major chains: 'forward' contains all traffic flowing through the firewall (traffic that is not initiated by the firewall, and doesn't terminate on the firewall), 'input' contains all traffic directly aimed at the firewall and 'output' contains all traffic created by the firewall itself. Firewall rules apply actions to packets, the most common ones are 'accept' and 'drop'. To specify to which exact packets an action should be applied, lots of filters are available. Some common ones are 'protocol', 'dst-post', 'in-interface' etc. Since the firewall is stateful, you can also use connection states, such as 'new', 'established' and 'related'.

Firewall mangling marks packets/connections with markers that are not transmitted over the wire (they are internal to the firewall only), but are used by many other RouterOS portions to make decisions. Mangle has two additional major chains: 'prerouting', which contains packets before destination NAT runs and a routing decision is made, and 'postrouting', which contains all packets after all other chains have been traversed and the router knows where to output the packet. Mangling can also change some basic packet properties, such as TTL, DSCP values etc.

NAT changes source and destination IPs and ports. Its two major chains are 'srcnat' and 'dstnat'.

When writing a firewall ruleset it is best to take a whitelist (default deny) approach: 'accept' all packets that you know you want to go through the firewall, and make the last rule a generic 'drop'.

Hope that helps.

User avatar
Member Candidate
Member Candidate
Posts: 230
Joined: Mon Sep 07, 2009 2:21 pm
Location: Latvia

Re: Simple Firewall Rules

by DannyZ » Tue Dec 29, 2009 7:36 pm

3 posts   •   Page 1 of 1

Who is online

Users browsing this forum: No registered users and 4 guests

It is currently Sat Nov 29, 2014 12:18 am