You need a rule to accept connection-state=established,related and place it before all of these rules.
Your reply packets are being dropped by your rules.
----[webserver:80]---> accepted because the destination port is 80
<---[client:24768]----- dropped because the destination port is not in your list (the source port is 80, but your rules specify the DEST. port)
The connection-state=established,related rule will match these replies, and it will also improve performance, since your firewall then only has to check the 100 ports when a new connection attempt comes in.
Thanks for your reply. I would like to explain that all my IPs are public and valid, and I use MikroTik as a software router between the VPSes.
I have defined two interfaces (ether1 and ether2). The /27 IP block is assigned to ether2, and ether1 is connected to the internet. I have set the first usable IP of this block as the gateway of the VPSes.
ether1 has only one IP address, and it belongs to a different range.
The mentioned /27 IPs have been routed by the datacenter to the IP which is set on ether1.
I have added the following rules before all of my rules, but new connections to each of my /27 IPs are still blocked.
Be sure to add “related” to the “allow established connections” rule (this is for things like FTP and SIP that negotiate some other port or IP address to use alongside the original connection, ICMP error messages, etc.).
Your rules are using the wrong interface if you want to block incoming connections to the /27 network. Use in-interface=ether1 on all of those rules, because a new connection from the Internet will arrive on ether1. The replies will come into the router on ether2, and by that point the connection state will be “established”, so the established rule will allow replies for anything that was allowed to reach the servers.
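The two points made in this thread (accept established,related before any port rule, and match new inbound connections on in-interface=ether1 rather than on the /27 side) combined into one forward chain, as an added RouterOS example that is not part of any post above. It assumes ether1 faces the Internet and ether2 carries the routed /27, and uses ports 80 and 443 as stand-ins for the poster's own list of allowed ports; the rule comments are likewise illustrative.

```routeros
# Added example (not from the thread): a minimal stateful forward chain for
# a router whose ether1 is the Internet uplink and whose ether2 carries the
# routed /27. Ports 80,443 are assumed stand-ins for the real allowed list.
/ip firewall filter
# 1. Accept replies and related traffic first, so no later rule ever has to
#    evaluate a packet whose SOURCE port is 80. "related" also covers FTP data
#    channels, SIP media streams and ICMP error messages tied to a connection.
add chain=forward connection-state=established,related action=accept comment="accept replies and related traffic"
# 2. Drop packets conntrack cannot tie to any connection (e.g. stray ACKs after
#    a timeout) instead of letting them fall through to the port rules.
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# 3. Only NEW connections arriving from the Internet are matched by destination
#    port. in-interface=ether1 is the important part: the servers' own reply
#    packets enter on ether2 and were already accepted by rule 1.
add chain=forward connection-state=new in-interface=ether1 protocol=tcp dst-port=80,443 action=accept comment="new inbound to allowed ports"
# 4. Every other new connection from the Internet toward the /27 is dropped.
add chain=forward connection-state=new in-interface=ether1 action=drop comment="drop other new inbound"
```

If a filter already exists, add the established,related rule with `place-before=0` so it lands at the top instead of being appended after the existing drops. To confirm the chain behaves as intended, watch the per-rule counters with `/ip firewall filter print stats` while opening a connection from outside: the first rule's counter should grow with the reply traffic and the port rule's counter only once per new connection; `/ip firewall connection print` shows the tracked entries and their states.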