I have a MikroTik. Our Exchange mail server IP is 192.168.200.3. I wanted to block all inbound and outbound traffic by blocking all ports except the mail ports on this IP.
I wrote these filters in the firewall:
/ip firewall filter
add chain=forward src-address=192.168.200.3 protocol=tcp src-port=!25,443,465,587,2525 out-interface=<pppoe internet interface> action=drop
add chain=forward dst-address=192.168.200.3 protocol=tcp dst-port=!25,443,465,587,2525,717 in-interface=<pppoe internet interface> action=drop
After applying these filters, I can receive mail from outside the network but I couldn't send any mail. When I look at the Exchange server toolbox queue there is a Winsock error 10051 on port 25.
What should I do to fix this?
Kindis
August 10, 2017, 10:33pm
Can you telnet to a mailserver on internet from the exchange server? Wondering if this is Exchange or rules related.
Sob
August 11, 2017, 1:41am
When sending mail to outside, source port is some random number. If you drop everything except your few selected ports, it can’t work. You need to allow traffic from 192.168.200.3: to :25.
Thanks. I think you are right, so I changed:
add chain=forward src-address=192.168.200.3 protocol=tcp src-port=!25,443,465,587,2525 out-interface=<pppoe internet interface> action=drop
To
add chain=forward dst-address=192.168.200.3 protocol=tcp src-port=25,443,465,587,2525 in-interface=<pppoe internet interface> action=accept
And it works.
Sob
August 14, 2017, 1:01am
I don’t know what other rules you have, but if you (I guess) allow everything by default, then your new rule is useless.
Try a different approach. First make sure that you have a standard rule to allow established and related connections (ideally at the beginning):
/ip firewall filter
add action=accept chain=forward connection-state=established,related
Then allow new connections to selected ports and block the rest:
/ip firewall filter
add action=accept chain=forward connection-state=new dst-address=192.168.200.3 \
dst-port=25,443,465,587,2525,717 in-interface=<WAN> protocol=tcp
add action=drop chain=forward dst-address=192.168.200.3 in-interface=<WAN>
add action=accept chain=forward connection-state=new dst-port=25 out-interface=<WAN> \
protocol=tcp src-address=192.168.200.3
add action=drop chain=forward out-interface=<WAN> src-address=192.168.200.3
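To make the difference between the two rule sets concrete, here is an added example (not from the thread or from RouterOS) that models a first-match forward chain in Python and runs constructed sample packets through both the original source-port rules and the stateful rules above. The WAN interface name pppoe-out1, the LAN interface name bridge, the remote host 203.0.113.10 and the ephemeral source port 51234 are assumptions.

```python
from dataclasses import dataclass

MAIL = "192.168.200.3"
WAN = "pppoe-out1"      # assumed name of the PPPoE internet interface
MAIL_PORTS = {25, 443, 465, 587, 2525}
INBOUND_PORTS = MAIL_PORTS | {717}

@dataclass
class Packet:
    src: str; dst: str; sport: int; dport: int
    in_if: str; out_if: str; state: str   # state as connection tracking labels it
    proto: str = "tcp"

def evaluate(rules, pkt, default="accept"):
    """First-match evaluation of a forward chain; the default action is accept."""
    for action, pred in rules:
        if pred(pkt):
            return action
    return default

# Original poster's first attempt: outbound filtered by SOURCE port.
OP_RULES = [
    ("drop", lambda p: p.src == MAIL and p.proto == "tcp" and p.out_if == WAN
                       and p.sport not in MAIL_PORTS),
    ("drop", lambda p: p.dst == MAIL and p.proto == "tcp" and p.in_if == WAN
                       and p.dport not in INBOUND_PORTS),
]

# Stateful rules: established/related first, new connections to selected ports, drop the rest.
STATEFUL_RULES = [
    ("accept", lambda p: p.state in ("established", "related")),
    ("accept", lambda p: p.state == "new" and p.dst == MAIL and p.proto == "tcp"
                         and p.in_if == WAN and p.dport in INBOUND_PORTS),
    ("drop",   lambda p: p.dst == MAIL and p.in_if == WAN),
    ("accept", lambda p: p.state == "new" and p.src == MAIL and p.proto == "tcp"
                         and p.out_if == WAN and p.dport == 25),
    ("drop",   lambda p: p.src == MAIL and p.out_if == WAN),
]

REMOTE = "203.0.113.10"   # constructed remote mail host (documentation address)
SAMPLES = {   # constructed sample traffic; outbound SMTP uses a random source port
    "outbound smtp syn":   Packet(MAIL, REMOTE, 51234, 25, "bridge", WAN, "new"),
    "smtp reply to us":    Packet(REMOTE, MAIL, 25, 51234, WAN, "bridge", "established"),
    "inbound smtp syn":    Packet(REMOTE, MAIL, 40000, 25, WAN, "bridge", "new"),
    "inbound rdp attempt": Packet(REMOTE, MAIL, 40001, 3389, WAN, "bridge", "new"),
}

def compare(name):
    """Return (verdict under OP's rules, verdict under the stateful rules)."""
    p = SAMPLES[name]
    return evaluate(OP_RULES, p), evaluate(STATEFUL_RULES, p)

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:22s} OP: {compare(name)[0]:7s} stateful: {compare(name)[1]}")
```

The outbound SMTP SYN and its reply are dropped by the source-port rules but accepted by the stateful rules, while an unsolicited connection to a non-listed port is dropped by both.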
Sob:
I don’t know what other rules you have, but if you (I guess) allow everything by default, then your new rule is useless.
Try a different approach. First make sure that you have a standard rule to allow established and related connections (ideally at the beginning):
/ip firewall filter
add action=accept chain=forward connection-state=established,related
Then allow new connections to selected ports and block the rest:
/ip firewall filter
add action=accept chain=forward connection-state=new dst-address=192.168.200.3 \
dst-port=25,443,465,587,2525,717 in-interface=<WAN> protocol=tcp
add action=drop chain=forward dst-address=192.168.200.3 in-interface=<WAN>
add action=accept chain=forward connection-state=new dst-port=25 out-interface=<WAN> \
protocol=tcp src-address=192.168.200.3
add action=drop chain=forward out-interface=<WAN> src-address=192.168.200.3
Yes, you are right. I used your suggestion and, with a few changes, it worked.
I changed
add action=drop chain=forward dst-address=192.168.200.3 in-interface=<WAN>
to
add action=drop chain=forward connection-state=new dst-address=192.168.200.3 in-interface=<WAN>