Block DST-NAT RDS Users

zuku · June 13, 2017, 11:13am

Hi,
I have redirected RDS users to connect to non-default 3345 port to my mikrotik and then forwarded to standard port 3389 on internal RDS server.
Now my question is how to block users connecting to standard 3389 and allow these connecting to changed 3345 port, because every of them finally going to 3389 port?
If I do something like:

 chain=forward action=drop protocol=tcp dst-port=3389 log=no log-prefix=""

then every users will be blocked.

karlisi · June 13, 2017, 11:54am

There is something wrong with configuration. Post your configuration /ip firewall filter export and /ip firewall nat export here.

BartoszP · June 13, 2017, 11:58am

If they are connectiong to WAN IP on WAN interfsace then you should use input chain, not forward to block 3389

Sob · June 13, 2017, 2:23pm

Input chain would be if the connection was to router itself. But since there’s no RDP server in RouterOS, it’s not going to be the case. If there’s dstnat, forward chain is the right one.

About the original question, I don’t understand the problem. If a non-standard port is forwarded and used by clients, then simply don’t forward standard one and that’s it. But I guess I’m missing some detail, so post exact config as suggested by karlisi and it should become clear.

k6ccc · June 13, 2017, 2:57pm

I agree that you are missing telling us something. Assuming users are connecting to the WAN IP on port 3345 and are forwarded to the standard port 3389 to an internal RDS server. If you don’t want people connecting from the internet via the standard port, then don’t NAT forward it, and they wont get there.
I’m wondering if you are trying to block users on your local LAN from connecting to the RDS server directly on port 3389. If that’s the case, there is not much you can do since traffic from a local LAN user to the RDS server on the same LAN won’t go through the router.
Otherwise, you need to better explain what you are trying to do.

zuku · June 13, 2017, 5:43pm

I have RDS server my customers connecting to it on standard port, but I have so many scans on it and brute force attacks, so I added add to src-list and then block too many login attemps:

add action=drop chain=forward disabled=yes \
     dst-port=3389 log-prefix=RDP protocol=tcp src-address-list=rdp_ssh_blacklist
add action=add-src-to-address-list address-list=rdp_ssh_blacklist address-list-timeout=0s chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp \
    src-address-list=rdp_ssh_stage5
add action=add-src-to-address-list address-list=rdp_ssh_stage5 address-list-timeout=5m chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp \
    src-address-list=rdp_ssh_stage4
add action=add-src-to-address-list address-list=rdp_ssh_stage4 address-list-timeout=5m chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp \
    src-address-list=rdp_ssh_stage3
add action=add-src-to-address-list address-list=rdp_ssh_stage3 address-list-timeout=5m chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp \
    src-address-list=rdp_ssh_stage2
add action=add-src-to-address-list address-list=rdp_ssh_stage2 address-list-timeout=5m chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp \
    src-address-list=rdp_ssh_stage1
add action=add-src-to-address-list address-list=rdp_ssh_stage1 address-list-timeout=5m chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp

but to this list very often are added my known customers they call me “I can’t connect” and I have to remove it’s from rdp_ssh_blacklist - I don’t want to do this everyday.
So I think to configure this RDS serve on non standard port, I don’t have any IPNUT rules regarding RDS connection and this worked with no problems only FORWARD rules.
So shoud I only on my DST-NAT rule remove 3389 and enter 3345 port and this will be enough?

add action=dst-nat chain=dstnat comment=RDP dst-address=WAN_IP dst-port=3345 log=yes log-prefix=RDP protocol=tcp to-addresses=10.1.0.204 to-ports=3389

My firewall forward rule for DST-NAT is standard one:

add action=accept chain=forward comment="allow DST-NAT " connection-nat-state=dstnat log-prefix=DST-NAT src-address-list=!rdp_ssh_blacklist

boldsuck · June 13, 2017, 6:44pm

Another way or complementary:
Customers only IP src-address-list whitelist in your dst_nat rule.

Only the IP’s from 2 German ISP are allowed for ssh connect. No scans from China more.

Sob · June 13, 2017, 8:24pm

It seems to me that if you don’t have anything on publicly available port 3389 anymore, you no longer need to create blacklist from connection attempts to this port.

You might be thinking about “if they tried to connect to 3389 first, don’t allow them to connect to 3345 later”, which might help in theory, but I doubt that it will help much in practice. But if you want it, it’s possible, just don’t check blacklist in forward filter and do it in dst-nat:

/ip firewall nat
add action=dst-nat chain=dstnat comment=RDP dst-address=WAN_IP dst-port=3345 log=yes log-prefix=RDP \
    protocol=tcp to-addresses=10.1.0.204 to-ports=3389 src-address-list=!rdp_ssh_blacklist

zuku · June 14, 2017, 7:03am

@boldsuck
it’s small problem that not all my customers have public IP so I don’t know every IP they have, and I have also staff members connecting to SSH services.
At the beginning I had whitelist firewall rule with all safe known IP and this rule was before my firewall DST-NAT rule that allowing anything except !rdp_ssh_blacklist.
But no matter of that my src-to-address-list rules added these IP to blacklist too if customers tried to login too many times.

@Sob
I can’t understand what difference will be in moving blacklist (!rdp_ssh_blacklist) from firewall forward rule to NAT DST-NAT rule how this will impact to these connections?
I rather remove these src-to-address-list rules because I have additional work every day because of them.
I wonder if something like this could be possible: let say I need to open standard port 3389 to RDS for my customers that can’t change this connection port, and non-standard 3345 port for others, every connection will be DST-NAT to internal RDS:3389, now how to do this:
-if client connecting to (destination) to mikrotik 3389 then forwarded to RDS:3389 - then src-to-address-list should filter him and add to list
-if client connecting to (destination) to mikrotik 3345 then forwarded to RDS:3389 - then they should’t be added to blacklist
because now this src-to-address-list rules filter every of them.

Sob · June 14, 2017, 1:23pm

There’s a big difference. Forward filter comes after dstnat. So:

If you dstnat packets from public port 3389 to internal 3389, you see 3389 in dstnat and 3389 in forward filter.
If you dstnat packets from public port 3345 to internal 3389, you see 3345 in dstnat and 3389 in forward filter.

In dstnat rule, you can easily tell one from the other. But if you let go through dstnat and want to block it later by forward filter, you can’t, because you only see same internal port. And anyway, it doesn’t make much sense to first let it pass, just to block it a moment later. If you don’t want it, get rid of it as soon as possible, i.e. skip dstnat for it.

To do what you want, you can move adding to blacklist from forward chain to prerouting, there you can also see original port.

k6ccc · June 14, 2017, 1:33pm

I guess we’re trying to figure out what you’re trying to accomplish. If you want people to use the non-standard port, then DST-NAT that port, and don’t DST-NAT the standard port. Without a DST-NAT, incoming traffic to 3389 is not going anywhere without you doing anything. I don’t see why you think you still need to leave 3389 DST-NATed. If you are allowing RDP traffic to 3389, what is the point of trying to get most people to use a non-standard port? Or are you saying that you have users that are too stupid to use a non-standard port (I have NEVER seen an RDP client that does not allow connections to non-standard ports)?

Sent from my phone using Tapatalk, so blame any typos on Android!