I have the following filter but it doesn't seem to work? What did I do wrong? I am trying to block the one IP from the internet
chain=input action=drop src-address=10.215.81.105 log=yes log-prefix=""
What else have you got in your firewall?
All you are doing is blocking that IP to the router and not the internet, and without the context of the other rules it is actually almost meaningless.
Since this is a basic fact you are not aware of, I have to 100% agree with the previous poster in that we need to see your config (and most likely a mess of firewall rules LOL).
/export hide-sensitive file=yourconfigmar14
Yes I just left the automated filters in there when I started it.
Here is the list. Sorry I am new at this!
[mark@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
5 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
6 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
7 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
8 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
9 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
11 chain=input action=drop src-address=10.215.81.105 log=yes log-prefix=""
Address in your FW rule (10.215.81.105) is not a proper internet address. And even if it was, you’re blocking communication between that particular host and router (chain=input … and that particular direction of connection establishment - src-address) … which might be already blocked by rule number 4 (if that’s indeed internet host). If you mean to block communication between LAN hosts and the incriminated host, you should have a similar rule, but with chain=forward and dst-address set to the particular IP (the other direction is already covered by rule #10).
slightly unrelated question: I’ve placed a log on car’s roof … why doesn’t it make car rolling uphill?
I am trying to block the one IP from accessing the internet. 10.215.81.105 is the internal workstation I want to block
So only change the chain from input to forward. To fine-tune the rule you might want to add out-interface-list=WAN …
Unrelated: it was actually a wheel on the car roof failing to make car rolling uphill …
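Why the posted rule never fired, as an added example that is not part of any post in this thread: a small Python model of first-match evaluation over the rules from the printout that can decide traffic from the workstation. The router address 10.215.81.1, the destination 203.0.113.10 and all function names are assumptions made for the sketch.

```python
from ipaddress import ip_address

ROUTER = ip_address("10.215.81.1")  # assumed router LAN address, not given in the thread

def rules(block_chain, out_list=None):
    """Thread's ruleset reduced to the rules that can decide LAN-originated traffic.
    Rules 1 and 8 are modelled as 'established' only; rule 10's dstnat test is
    omitted because no sample packet here is dst-natted."""
    block = {"n": 11, "chain": block_chain, "action": "drop", "src": "10.215.81.105"}
    if out_list:
        block["out_list"] = out_list
    return [
        {"n": 1, "chain": "input", "action": "accept", "state": "established"},
        {"n": 3, "chain": "input", "action": "accept", "protocol": "icmp"},
        {"n": 4, "chain": "input", "action": "drop", "not_in_list": "LAN"},
        {"n": 8, "chain": "forward", "action": "accept", "state": "established"},
        {"n": 10, "chain": "forward", "action": "drop", "state": "new", "in_list": "WAN"},
        block,
    ]

def matches(rule, pkt):
    """True when every condition present on the rule holds for the packet."""
    if "src" in rule and ip_address(rule["src"]) != pkt["src"]:
        return False
    if "not_in_list" in rule and pkt["in_list"] == rule["not_in_list"]:
        return False
    for key in ("state", "protocol", "in_list", "out_list"):
        if key in rule and pkt.get(key) != rule[key]:
            return False
    return True

def decide(ruleset, pkt):
    """Pick the chain from the destination, then return the first matching rule."""
    chain = "input" if pkt["dst"] == ROUTER else "forward"
    for rule in ruleset:
        if rule["chain"] == chain and matches(rule, pkt):
            return chain, rule["action"], rule["n"]
    return chain, "accept", None  # nothing matched: the packet is accepted

def packet(dst, state="new", protocol="tcp"):
    """Constructed sample packet sent by the workstation 10.215.81.105."""
    dst = ip_address(dst)
    return {"src": ip_address("10.215.81.105"), "dst": dst, "state": state,
            "protocol": protocol, "in_list": "LAN",
            "out_list": None if dst == ROUTER else "WAN"}
```

In this model a connection that is already established is accepted by rule 8 before the drop at position 11 is reached, so the block applies to new connections.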
Thank you, the forward was all that was needed.
I appreciate everyone's help!
How does the wheel on a roof gain traction in air, unless the car was upside down LOL.