Block all ports from outside and allow specific only

Hello,

Actually I have 3 interfaces configured on my MikroTik.
ether1 - Internet
ether2 - LAN
ether3 - block of public IP addresses, e.g. 92.92.92.92/28.

On my virtual machine, I assigned a fixed public IP address and by default all ports are open.
What I'm trying to achieve is that I want to block all ports and allow only specific port numbers per IP address.

For example, I added it like below.

top: chain=forward action=accept protocol=tcp dst-address=92.92.92.93 dst-port=22 log=no log-prefix=""
bottom: chain=forward action=drop dst-address=92.92.92.92/28 in-interface=ether1 log=yes log-prefix=""

But for some reason, we have a feature on a server which connects to O365 which stops working; we get an error "Connection could not be established with host smtp.office365.com".
From my server, I telnet to smtp.office365.com 587, and it fails.

To solve it, I have to either disable the "drop" rule or leave the top rule with no dst-port number, which means I'm allowing all port numbers to be open.

Am I doing it the right way, or are there any other alternatives?

I tried to allow only office365.com using the rules below, but in vain.
chain=forward action=accept protocol=tcp dst-address=92.92.92.93 dst-port=22 log=no log-prefix=""
chain=forward action=accept protocol=tcp dst-address=92.92.92.93 src-address-list=SMTP_0365 in-interface=ether1 log=no log-prefix=""
chain=forward action=drop dst-address=92.92.92.92/28 in-interface=ether1 log=yes log-prefix=""

Any help? Thanks.

The general rule of thumb is to allow what you want to work and then drop everything with a rule similar to this at the very end of the chain:

add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"

Do this for both the forward and input chain (and any others that you create).

A firewall works as a whole; showing just a few rules is not very useful. Wild guess, perhaps you didn't yet discover the stateful firewall (connection-state option) and you're doing this in a stateless way (which can't work like this)?

Sob = guess master.
Rest of us = Don't be rude, post your config.
k6ccc = correct, but always remind the newbie that doing this in the input chain has a huge caution/caveat: ensure one has an allow rule at least for admin access, above the block-all rule, in place before putting in the block-all rule at the end.

Config please. Diagrams are also helpful.
/export file=anynameyouwish (minus serial number and any public WAN IP info)

This is my configuration

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add list=LAN
/ip address
add address=91.18.16.201/26 interface=ether1 network=91.18.16.192
add address=172.29.20.1/24 interface=ether2 network=172.29.20.0
add address=92.92.92.92/28 interface=ether3 network=92.92.92.91
/ip cloud
set update-time=no
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=smtp.office365.com list=SMTP_0365
add address=2.2.2.2/24 list=CountryIPBlocks
add address=3.3.3.3/24 list=Monitoring
/ip firewall filter
add action=accept chain=input comment="Mikrotik Access rule" src-address-list=CountryIPBlocks
add action=accept chain=input src-address-list="Monitoring"
add action=accept chain=Private20.x comment="Network 192.168.20.0 rules" src-address=172.29.20.0/24
add action=accept chain=input dst-address=172.29.20.1 log=yes src-address=172.29.20.0/24 src-address-list=""
add action=jump chain=forward dst-address=172.29.20.0/24 jump-target=Private10.x
add action=accept chain=forward comment=ALLOWED_INCOMING_PORTS dst-address=92.92.92.94 dst-port=443,80,587,10000,20000 in-interface=ether1 log=yes protocol=tcp
add action=accept chain=forward disabled=yes dst-address=92.92.92.94 in-interface=ether1 protocol=tcp src-address-list=SMTP_0365
add action=drop chain=forward comment=Block-All-TCP-PORTS dst-address=92.92.92.92/28 in-interface=ether1 log=yes protocol=tcp
add action=reject chain=input comment="Deny ALL rule" log=yes reject-with=icmp-host-prohibited
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=172.29.20.0/24
/ip route
add distance=1 gateway=91.18.16.193

What if you add this as first rule in forward chain?

/ip firewall filter
add action=accept chain=forward connection-state=\
    established,related,untracked

Hi Karlis,

Yes it worked using that line.

I'm a newbie on MikroTik, what does it mean?

This rule blocks all traffic to the 92.92.92.92/28 subnet, including replies to TCP requests originating from this subnet:

add action=drop chain=forward comment=Block-All-TCP-PORTS dst-address=92.92.92.92/28 \
in-interface=ether1 log=yes protocol=tcp

You should allow replies to outgoing requests to establish connections; that rule does it.
More about connection states here https://help.mikrotik.com/docs/display/ROS/Basic+Concepts#BasicConcepts-Connectionstates
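To make the connection-state point concrete, here is a small added simulation (not from this thread or from MikroTik) of how the forward chain treats the question's two rules with and without the established/related/untracked rule in front of them; the addresses 203.0.113.25 (standing in for smtp.office365.com) and 198.51.100.7 are placeholders.

```python
import ipaddress
from collections import namedtuple

# (src, sport, dst, dport, in_iface, proto) of one packet; proto defaults to tcp.
Packet = namedtuple("Packet", "src sport dst dport in_iface proto", defaults=("tcp",))

def matches(rule, pkt, state):
    """True if every matcher present in the rule fits the packet."""
    if "connection_state" in rule and state not in rule["connection_state"]:
        return False
    if rule.get("proto", pkt.proto) != pkt.proto or rule.get("in_iface", pkt.in_iface) != pkt.in_iface:
        return False
    if "dst" in rule and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["dst"], strict=False):
        return False
    return "dport" not in rule or pkt.dport in rule["dport"]

def run_forward_chain(rules, packets):
    """Evaluate packets in order: first matching rule wins, default accept.
    Toy connection tracking: once a flow is accepted, later packets in either
    direction count as 'established' (related/untracked are not modelled)."""
    flows, verdicts = set(), []
    for p in packets:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        state = "established" if fwd in flows or rev in flows else "new"
        verdict = next((r["action"] for r in rules if matches(r, p, state)), "accept")
        if verdict == "accept":
            flows.add(fwd)
        verdicts.append(verdict)
    return verdicts

# The two rules from the question: accept tcp/22 to .93, then drop the whole /28 from ether1.
OP_RULES = [
    {"action": "accept", "proto": "tcp", "dst": "92.92.92.93", "dport": {22}},
    {"action": "drop", "dst": "92.92.92.92/28", "in_iface": "ether1"},
]
# The suggested fix: accept established/related/untracked before anything else.
FIXED_RULES = [{"action": "accept",
                "connection_state": {"established", "related", "untracked"}}] + OP_RULES
# Constructed traffic; 203.0.113.25 is a placeholder standing in for smtp.office365.com.
TRAFFIC = [
    Packet("92.92.92.93", 51000, "203.0.113.25", 587, "ether3"),  # server opens SMTP submission
    Packet("203.0.113.25", 587, "92.92.92.93", 51000, "ether1"),  # the reply coming back in
    Packet("198.51.100.7", 40000, "92.92.92.93", 22, "ether1"),   # unsolicited SSH: allowed
    Packet("198.51.100.7", 40001, "92.92.92.93", 80, "ether1"),   # unsolicited HTTP: blocked
]

if __name__ == "__main__":
    print("stateless:", run_forward_chain(OP_RULES, TRAFFIC))     # reply to port 587 is dropped
    print("stateful: ", run_forward_chain(FIXED_RULES, TRAFFIC))  # reply is accepted
```

The second packet is the SMTP reply that the question's drop rule kills: it arrives on ether1 for an address inside 92.92.92.92/28 on a port other than 22, so only a connection-state match in front of the drop rule lets it through.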