Hi,
Example: I’d like to block all internet traffic to port 22654 of my router, except if the traffic comes from 177.228.59.101.
Is this how we do it?:
add action=drop chain=forward comment=\
"Block all internet traffic to my port, except for specified IP address" dst-port=22654 protocol=\
udp src-address=!177.228.59.101
I guess that’s one way to do it. I’d personally put it in two steps but that’s me coming from the C world. Remember there is no implicit deny at the end like there is with C so you’ll want to add a “drop everything” at the end.
add action=allow chain=forward comment="Allow specified IP address" dst-port=22654 protocol=udp src-address=177.228.59.101
***Followed By this somewhere below in the rules —
add action=drop chain=forward comment="Block all other internet traffic to my port" dst-port=22654 protocol=udp
Hi Michael,
Looks like your method would work for sure. I wonder if the way I did it would also do the job. Looks like it would, but I’d appreciate if someone with some experience with RouterOS could confirm this.
There are two things at play here.
A firewall rule that allows port forwarding in general ( allow WAN to LAN traffic).
Create the specific destination or port forward rule in NAT (destination nat).
Not directly connected but one should also have the standard source nat rule in place (depending upon source of users an additional source nat rule may be required - not the case here though).
FORWARD FILTER FIREWALL RULE.
This is included automatically in the default rule set.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
However, I much prefer separating out functionality, and in the above case, allowing port forwarding and also stopping all unsolicited WAN connectivity by doing it in the following manner: (which allows one to make the port forwarding rule optional)
add action=allow chain=forward comment=“allow port forwarding”
connection-nat-state=dstnat connection-state=new in-interface-list=WAN (an optional rule)
add action=drop chain=forward comment=“drop all else”
example dst-nat rule:
add action=dst-nat chain=dstnat comment=“External Authorized Users” dst-address-type=local
dst-port=5000,5550,32332 in-interface-list=WAN log=yes
protocol=tcp src-address-list=Technicians_access to-addresses=192.168.88.200
Your way would do the job, although anav’s way would be considered the correct way.
Not 100% sure, but the general rule to allow port forwarded traffic the way Ive stated it, means 1 firewall rule to be matched. Simple, efficient.
In your situation/config method you would end up making multiple firewall rules which are really not required.
In any case a destination nat rule is also required for each port forwarding (unless same server IP for many ports - as one can combine ports in a rule).
The security is already provided in the DST nat Rule if you have a known source address limit one can add.
No point in doing it also on the firewall rule as its covered in the dst nat rule.
IE one firewall rule + required dst-nat rules VICE multiple firewall rules and multiple dst-nat rules
I hope you see the logic !!
Hi anav, Van9018,
Thanks for the answers.
Here’s more of my config below. So what you say is that only the one NAT rule (and the “defconf: drop all from WAN not DSTNATed”) is sufficient to attain the goal of allowing the ip address, on the internet, to communicate with our equipment on our network, while blocking all other internet IPs? The additional filter (“Block all internet traffic to my port, except for specified IP address”) which specifies to block all other internet IPs would be superfluous?
/ip firewall filter
add action=drop chain=forward comment=\
"Block all internet traffic to my port, except for specified IP address" dst-port=22654 protocol=\
udp src-address=!177.228.59.101
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="SIP Trunk" dst-port=22654 protocol=\
udp src-address=177.228.59.101 to-addresses=192.168.2.250 to-ports=22654
Yes - that line is superfluous.
On an unrelate note, I try to reduce the double-negative rules, I find it easier to wrap my head around it. So instead of dropping all packets from not , I would allow packets from . The last drop rule would take care of all other IPs.
Concur with previous poster.
As I clearly outlined, the allow port forwarding but block all other wan traffic (GOOD STARTING DEFAULT RULE), I normally recommend ditching once one is comfortable in understanding how the rules work. The reason being it forces one to have port forwarding allowed and separating it out, means its then only optional and can be used only if the admin wants it (Disabled till then).
As noted one needs to cover off the incoming wan block by putting in place at the end of the forward chain “drop all else”, which casts a far wider net.
It allows the admin to basically for all admin entered rules, focus solely on what is allowed and not worry at all other traffic. IF not, then the admin has to worry because then all traffic is allowed and one has to ensure that all unwanted traffic is stopped, and frankly i have no idea what that may be LOL.
Side note: The to-ports can be left blank (not entered) if it is the same as dst-port!
/ip firewall nat
add action=dst-nat chain=dstnat comment=“SIP Trunk” dst-port=22654 protocol=
udp src-address=177.228.59.101 to-addresses=192.168.2.250
Suggestion:
add action=dst-nat chain=dstnat comment=“SIP Trunk” dst-port=22654 protocol=
udp src-address-list=allowed_server_users to-addresses=192.168.2.250
In this way you can add users, change the IP address without touching the firewall rule.
More of an object oriented design approach. One does have to create the firewall address list, easy peasy.
Thanks anav and Van9018,
Very useful information.
See you next time.