Access servers on a specific port

Hello everyone,
I have a problem that I am not able to solve.
It is about two subnet masks which should communicate with each other on certain ports.


Eth2 - clients 192.168.0.0/24
Eth3 - servers 10.80.50.0/29

 0   chain=input action=accept protocol=tcp src-address=192.168.0.0/24
     in-interface=eth2 dst-port=8291

 1   chain=forward action=accept protocol=tcp src-address=10.80.50.0/29
     dst-address=192.168.0.0/24

 2   chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
     dst-address=10.80.50.0/29

 3   chain=forward action=drop

 4   chain=input action=reject reject-with=icmp-protocol-unreachable
     protocol=icmp

 5   chain=input action=drop

The above rules work OK. But the problem is when I want to specify only which ports they should communicate on.


 0   chain=input action=accept protocol=tcp src-address=192.168.0.0/24
     in-interface=eth2 dst-port=8291

 1   chain=forward action=accept protocol=tcp src-address=10.80.50.0/29
     dst-address=192.168.0.0/24 dst-port=135,136,137

 2   chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
     dst-address=10.80.50.0/29 dst-port=135,136,137

 3   chain=forward action=drop

 4   chain=input action=reject reject-with=icmp-protocol-unreachable
     protocol=icmp

 5   chain=input action=drop

Cannot access at all.

Bump.

Here is another example.

Clients from eth2 192.168.0.0/24 need to access a file server on eth1, 10.80.50.4/29.

 0   chain=input action=accept protocol=tcp src-address=192.168.0.0/24
     in-interface=eth2 dst-port=8291

 1   chain=forward action=accept protocol=tcp src-address=10.80.50.4
     dst-address=192.168.0.0/24 dst-port=135,136,137

 2   chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
     dst-address=10.80.50.4 dst-port=135,136,137

 3   chain=forward action=drop

 4   chain=input action=reject reject-with=icmp-protocol-unreachable
     protocol=icmp

 5   chain=input action=drop

Cannot access.

 0   chain=input action=accept protocol=tcp src-address=192.168.0.0/24
     in-interface=eth2 dst-port=8291

 1   chain=forward action=accept protocol=tcp src-address=10.80.50.0/29
     dst-address=192.168.0.0/24

 2   chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
     dst-address=10.80.50.0/29

 3   chain=forward action=drop

 4   chain=input action=reject reject-with=icmp-protocol-unreachable
     protocol=icmp

 5   chain=input action=drop

But this works.

Maybe you should Torch to see what ports are being used.
Maybe you are blocking some ports.
As far as I've read on the internet, NetBIOS uses broadcast packets; maybe it has something to do with that.

Hmmm... I used the connection filter to check on which ports they communicate, and I read the manual for the ports that need to be open.
It seems that it only works when I check "Any. Port:" in the firewall filter options and add the ports there.

Confusing, I must tell you. By the way, does anyone know what "Any. Port:" means? I read about it somewhere on the internet, but it is a little bit confusing for me; my English is not so good.
Continuing to work under this setting, I tested Windows RDP as an example. I needed to add a rule for the RDP port on both rules in order for it to work, but I only wanted to access from one subnet. I don't understand why I must add this port to both rules and use "Any. Port:"?


Any help would be appreciated for this "anomaly" and for making this correct.

Bump.

I googled half the internet for this and cannot find a solution.
Bump. Sorry guys, I really need help with this. :confused:

Post your full export compact and what you are trying to do. I’ll look at it tonight.

Sent from my SCH-I545 using Tapatalk

You really need to use Torch to see which ports are involved. Also note that while some NetBIOS traffic does indeed use the same port on the client and server many protocols do not do that. If your clients always initiate connections you may want to try allowing NEW connections to a restricted IP/port range on the server subnet but allow all ESTABLISHED & RELATED traffic in the other direction.

Hi efaden, thanks for the help; please read the last couple of posts. It's simple, yet strange... :confused:

Trust me mate, I know which ports they are. The problem is MikroTik (firewall rules), or I am too dumb to configure these rules properly; that's why I need help. :confused:

I am pretty sure, looking at the above ruleset, that his problem is that he has no rules with src-port 135,136,137, and they aren't getting picked up by connection tracking...

Op: What is on these ports? And post your whole config… export compact.

On these ports is the communication for the Windows network. I tried src-port; it doesn't work. It only works with "Any. Port:", and even then I must add the ports I want to open to both rules. Confusing.
There is no more configuration except this and the default rules for IP addresses, mate.

I trust that there is nothing else... but I just find it easier to see your export. If you want me to look through it, post the whole export compact. I have time tonight to figure it out.

Also windows stuff uses 135, 137, 138, 139…

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

  1. The config is in the first and other posts; it's a default configuration with only the rules above, and examples of when it works and when it's not working.
  2. I know, I posted that in the last post.

How are you testing that it is or isn’t working?

I'm pretty sure you need all four of these.

chain=forward action=accept protocol=tcp src-address=10.80.50.4
dst-address=192.168.0.0/24 dst-port=135,136,137

chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
dst-address=10.80.50.4 dst-port=135,136,137

chain=forward action=accept protocol=tcp src-address=10.80.50.4
dst-address=192.168.0.0/24 src-port=135,136,137

chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
dst-address=10.80.50.4 src-port=135,136,137

That will not work.
The problem is that when a client makes a session on that port with the server, the user uses some other port on his side, and when you apply the reverse rule, the server also uses another port on its side besides 135,136,137 etc.
And when the rules above, or mine, are applied, they block the other ports on their side. Got it, mate? :bulb:

Confusing for making rules with minimum access. :confused:

Which is why you use the ESTABLISHED and RELATED connection states to permit the return traffic to the client as I mentioned earlier.

  1. Apply rules to permit the new connections from the client to the server on the known ports.
  2. Apply rules to permit the ESTABLISHED and RELATED traffic between the client and server.

Oh,
quick from the head...
/ip firewall filter add chain=forward connection-state=established action=accept
/ip firewall filter add chain=forward connection-state=related action=accept
Am I correct?

Yes - with whatever other selectors are appropriate given the security requirements - e.g. src/dst addresses/address ranges.
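The following ruleset is an added example for the topology in this thread (eth2 clients 192.168.0.0/24, eth3 servers 10.80.50.0/29, file server 10.80.50.4); it is not from any of the posts above. It puts the two steps efaden describes into RouterOS syntax: new connections are accepted only from clients to the server on known ports, and the replies come back through a single established/related rule instead of mirrored dst-port/src-port rules. The port list is an assumption about what a Windows file server needs (TCP 135 RPC endpoint mapper, TCP 139 NetBIOS session, TCP 445 SMB, UDP 137/138 NetBIOS name and datagram services); replace it with whatever Torch shows for your servers.

```routeros
# Added example, not from the original thread. Assumes eth2 = clients
# 192.168.0.0/24, eth3 = servers 10.80.50.0/29, file server 10.80.50.4.
# Ports are an assumption (Windows file sharing); confirm with Torch.
/ip firewall filter

# 1. Return traffic for connections already accepted, in both directions.
#    This single rule replaces the symmetric dst-port/src-port rules: the
#    client's reply packets carry an ephemeral destination port that a
#    dst-port=135,139,445 rule can never match, but connection tracking
#    still recognises them as part of the accepted session.
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for accepted connections"
add chain=forward connection-state=invalid action=drop \
    comment="packets that belong to no tracked connection"

# 2. New connections only from the client subnet to the file server,
#    only on the known service ports. No server->client rule is needed
#    unless the server must initiate connections to clients.
add chain=forward connection-state=new protocol=tcp in-interface=eth2 \
    src-address=192.168.0.0/24 dst-address=10.80.50.4 \
    dst-port=135,139,445 action=accept \
    comment="clients -> file server (RPC, NetBIOS session, SMB)"
add chain=forward connection-state=new protocol=udp in-interface=eth2 \
    src-address=192.168.0.0/24 dst-address=10.80.50.4 \
    dst-port=137,138 action=accept \
    comment="clients -> file server (NetBIOS name/datagram)"

# 3. Everything else between the subnets is dropped.
add chain=forward action=drop comment="default deny between subnets"

# Router itself (input chain): same idea, Winbox from clients only.
add chain=input connection-state=established,related action=accept
add chain=input protocol=tcp in-interface=eth2 src-address=192.168.0.0/24 \
    dst-port=8291 action=accept comment="Winbox from clients"
add chain=input action=drop
```

Rule order matters: the established/related accept must sit above the forward drop, and the firewall is evaluated top to bottom. Check that the expected counters move with `/ip firewall filter print stats` while a client opens a share. The RDP case from the thread then needs only one extra `connection-state=new` rule with `dst-port=3389` from the client subnet, not a matching rule in the other direction. One caveat for Windows networking: NetBIOS name broadcasts (UDP 137 to the subnet broadcast address) never cross a router regardless of filter rules, so clients must reach the server by IP address, DNS name or WINS rather than by browsing the network neighbourhood.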