Block access to the default MT Admin page

ScottReed · November 17, 2009, 3:32pm

I want to prevent access to the default MT Admin page that allows access to Webbox, Graphs, Winbox, Docs, etc…

I changed /ip services so that Winbox, SSH and www are only available from my mgmt interface (ether3 100.0/30). The rest of the services are disabled.

After doing that I could still access the page from the ether2 (1.0/30) and wlan (20.0/27) interfaces (these will become part of a hotspot).

I found an article on here that recommended setting up a firewall filter like this:

/ip firewall filter add chain=forward action=drop src-address=192.168.1.0/30 dst-address=192.168.100.0/30 connection-state=new
/ip firewall filter add chain=forward action=drop src-address=192.168.20.0/27 dst-address=192.168.100.0/30 connection-state=new
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/30 dst-address=192.168.100.0/30 connection-state=new

I understand what that rule is doing and I tried it, and put my laptop on the 20.0 subnet and was still able to hit the page. Funny thing is, I could see the filter processing packets, yet the page still displayed. When I hopped on my 1.0/30 subnet I experienced the same behavior.

Any thoughts?

fewi · November 17, 2009, 4:32pm

Those rules block traffic forwarding from the specified networks to 192.168.100.0/30. That has nothing to do with the administrative ports on the router itself. To block those, you want to drop traffic in the input chain to the service ports from anywhere that is not 192.168.100.0/30. Assuming the default ports (21,22,23,80,443,8291,8728) that would look like this:

/ip firewall filter add chain=input action=drop dst-port=21,22,23,80,443,8291,8728 src-address=!192.168.100.0/30

ScottReed · November 17, 2009, 4:58pm

OK, I removed the other rules and tried adding the new filter rule you provided.

Same thing. It is processing packets but I can still access that page.

Both ether2 (1.0/30) and wlan (20.0/27) are part of a hotspot profile. ether1 (0.0/30) is a HughesNet sat modem, the default gateway and is masqueraded.

The new rule is #11 in the order, below the automatically added hotspot rules.

fewi · November 17, 2009, 5:34pm

How do you masquerade? Depending on how that rule is set up it could change the source IP address seen. Can you post all your firewall rules (filter, mangle and nat)?

ScottReed · November 17, 2009, 5:50pm

I’ll show the rules I added - anything else was added by the HS when I turned it on. I do not have an Mangle rules.

Filter Rules -

/ip firewall filter add chain=input action=drop protocol=tcp src-address=!192.168.100.0/30 dst-port=21,22,23,80,443,8291,8728

NAT Rules - this is the only one I added. The rest are the default HS rules

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

Anything going out ether1 is going to have an IP of 192.168.0.2 attached to it - then will goto the HughesNet sat modem and then out to the internet with the dynamic IP assigned by Hughes. If a client requests 192.168.100.1 (the address of my management lan on ether3) I do not believe the masquerading will take place.

Thanks for your help so far! Appreciated very much.

Scott

fewi · November 17, 2009, 6:12pm

That should work. I’m at a loss as to why it doesn’t.

ScottReed · November 17, 2009, 6:35pm

It has something to do with the Hotspot. I disabled the Hotspot and the rule works as we expected it to.

I am going to keep digging.

fewi · November 17, 2009, 6:42pm

I can’t reproduce that on a 4.2 system.

My firewall ruleset is fairly simple - allow a few services (DNS, DHCP, NTP) from the LAN, allow rate limited ICMP, allow all router access from an address-list populated with IP addresses that get access. Block NetBIOS and a few other ports from being forwarded, and don’t forward traffic between customer networks:

[admin@MikroTik] > /ip fire fil pri det
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 1   ;;; allow established
     chain=input action=accept connection-state=established

 2   ;;; allow related
     chain=input action=accept connection-state=related

 3   ;;; allow local service UDP ports from LAN
     chain=input action=accept protocol=udp in-interface=!outside dst-port=53,67,123

 4   ;;; allow local service TCP ports from LAN
     chain=input action=accept protocol=tcp in-interface=!outside dst-port=53

 5   ;;; allow rate-limited ICMP
     chain=input action=accept protocol=icmp limit=20,20

 6   ;;; allow everything from admin networks
     chain=input action=accept src-address-list=Administrative_Networks

 7   ;;; drop everything else
     chain=input action=drop

 8   ;;; forward established traffic
     chain=forward action=accept connection-state=established

 9   ;;; forward related traffic
     chain=forward action=accept connection-state=related

10   ;;; drop undesired TCP
     chain=forward action=drop protocol=tcp dst-port=135-139,445,1434,4444

11   ;;; drop undesired UDP
     chain=forward action=drop protocol=udp dst-port=135-139,445,1434,4444

12   ;;; forward traffic from customer interfaces to WAN (all other networks cannot talk to one another)
     chain=forward action=accept out-interface=outside

13   ;;; drop everything else
     chain=forward action=drop

That system also runs Hotspots. Using those rules, trying to access the router webpage from a client on the Hotspot network that isn’t authenticated redirects me to the Hotspot login page. Once authenticated, I cannot access the router webpage. Once I add the client network to the Administrative_Networks address list, I can load the router webpage. Once I remove the network from the address list again, I cannot access the router anymore.

ScottReed · November 17, 2009, 6:43pm

Got it! You need to use hs-input for the chain!

/ip firewall filter chain=hs-input action=drop protocol=tcp src-address=!192.168.100.0/30 dst-port=21,22,23,80,443,8291,8728

fewi · November 17, 2009, 6:58pm

What version RouterOS are you using? Can you post the output of “/ip firewall filter print all”? I’m curious what the differences are.

ScottReed · November 17, 2009, 8:11pm

What version RouterOS are you using?

4.2

Can you post the output of “/ip firewall filter print all”? I’m curious what the differences are.

Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth 

 1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth 

 2 D chain=input action=jump jump-target=hs-input hotspot=from-client 

 3 I chain=hs-input action=jump jump-target=pre-hs-input 

 4 D chain=hs-input action=accept protocol=udp dst-port=64872 

 5 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 

 6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth 

 7 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp 

 8 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited 

 9 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited 

10 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

11   chain=hs-input action=drop protocol=tcp src-address=!192.168.100.0/30 dst-port=21,22,23,80,443,8291,8728

This is it. I am in the early stages of prepping a standard config to push to seven other RB433’s

fewi · November 17, 2009, 8:50pm

Huh. Same for me. Strange.

ScottReed · November 17, 2009, 9:47pm

Did some more messing around and found that if you create the rule as you initially stated and put it before the hotspot rules then it works as we expected and the subsequent hs-input rule is no longer even processing packets.

Actually, the subsequent rule isn’t even processing packets after the client authenticates with the hotspot.

fewi · November 17, 2009, 10:05pm

More idle curiosity: can you post the output of “/ip hotspot export” (just mask the passwords, I guess)? Maybe address pools or transparent proxy settings change packet flow in a way that makes hs-input irrelevant on my system.

ScottReed · November 17, 2009, 10:13pm

/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-proxy=0.0.0.0:0 login-by=http-chap name=default rate-limit="" smtp-server=\
    0.0.0.0 split-user-domain=no use-radius=no
add dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-proxy=0.0.0.0:0 login-by=http-chap name=YGS_HSProfile rate-limit="" smtp-server=\
    0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot
add address-pool=HotspotUsers disabled=no idle-timeout=none interface=YGSWIFI keepalive-timeout=none name=YGSHotspot profile=YGS_HSProfile
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
add advertise=no idle-timeout=15m keepalive-timeout=2m name=YGS_HSUsers open-status-page=always rate-limit=25k/10k shared-users=1 status-autorefresh=1m \
    transparent-proxy=yes
add advertise=no idle-timeout=15m keepalive-timeout=2m name=YGS_HSCrippled open-status-page=always rate-limit=10k/5k shared-users=1 status-autorefresh=\
    1m transparent-proxy=yes
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add comment="" disabled=no name=xxxx password=xxxx profile=default server=YGSHotspot

My next step is to enable Web Proxy for filtering by DNS names, and I know from the past on another RB433 in a different environment that firewall rules are affected by that too.