Can someone tell me why my firewall and nat rules are not...

elementalwindx · July 29, 2011, 11:06pm

I want to know why the firewall rules I have setup to drop brute forcers is not working. It’s not adding the source addresses to any of the lists I specify. I’m betting its something having to do with the way I have nat setup for the port. Here is an export (all public ip’s were renamed to protect the innocent ) :

ewall> export

/ip firewall address-list
add address=mbffj.lawl.wtf.omg! disabled=no list=rdp_blacklist
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment=“drop ftp brute forcers” disabled=no
dst-port=333 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content=“530 Login” disabled=no dst-limit=
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist
address-list-timeout=3h chain=output content=“530 Login” disabled=no
protocol=tcp
add action=drop chain=input comment=“drop ssh brute forcers” disabled=no
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=input connection-state=new disabled=no
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=1m chain=input connection-state=new disabled=no
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=1m chain=input connection-state=new disabled=no
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m chain=input connection-state=new disabled=no
dst-port=22 protocol=tcp
add action=drop chain=virus comment=“Drop Spammer” disabled=no dst-port=25
protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=
1d chain=virus comment=“add to spammer list” connection-limit=30,32
disabled=no dst-port=25 limit=50,5 protocol=tcp
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment="Port scanners to list "
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“NMAP FIN Stealth scan”
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“SYN/FIN scan” disabled=no
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“SYN/RST scan” disabled=no
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“FIN/PSH/URG scan” disabled=
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“ALL/ALL scan” disabled=no
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“NMAP NULL scan” disabled=no
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment=“dropping port scanners” disabled=no
src-address-list=“port scanners”
add action=drop chain=input comment=“Drop brute force rdpers” disabled=no
dst-port=3389 protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_stage1
address-list-timeout=10m chain=input disabled=no dst-port=3389 protocol=
tcp
add action=add-src-to-address-list address-list=rdp_stage2
address-list-timeout=10m chain=input connection-state=new disabled=no
dst-port=3389 protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage3
address-list-timeout=10m chain=input connection-state=new disabled=no
dst-port=3389 protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_blacklist
address-list-timeout=1w3d chain=input connection-state=new disabled=no
dst-port=3389 protocol=tcp src-address-list=rdp_stage3
/ip firewall nat
add action=masquerade chain=srcnat comment=“masquerade hotspot network”
disabled=no src-address=192.168.16.0/24
add action=dst-nat chain=dstnat disabled=no dst-address=bs.bs.bs.bs
dst-port=21 protocol=tcp to-addresses=192.168.16.2
add action=dst-nat chain=dstnat disabled=no dst-address=bs.bs.bs.bs
dst-port=443 protocol=tcp to-addresses=192.168.16.2
add action=dst-nat chain=dstnat disabled=no dst-address=bs.bs.bs.bs
dst-port=80 protocol=tcp to-addresses=192.168.16.2
add action=dst-nat chain=dstnat disabled=no dst-address=bs.bs.bs.bs
dst-port=3389 protocol=tcp to-addresses=192.168.16.2
add action=dst-nat chain=dstnat disabled=no dst-address=bs.bs.bs.bs
dst-port=333 protocol=tcp to-addresses=192.168.16.2
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=75
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Thanks guys!

cbrown · July 29, 2011, 11:17pm

Are you trying to block connections to the router or devices behind the router?

elementalwindx · July 31, 2011, 5:56pm

I’m only allowing certain ports to go to the server connected behind the mikrotik. But people keep trying to brute force my ftp and rdp and I want to put a stop to that with mikrotik.

cbrown · July 31, 2011, 6:00pm

I you are going through the router you need to use the forward chain. Input goes to the router.

elementalwindx · July 31, 2011, 6:53pm

I dont understand? So I need to change my nat to forward instead of input to make it check the firewall rules first?

cbrown · July 31, 2011, 7:08pm

No your /ip firewall filter shows your rules for brute forcing in the input chain. Change them to the forward chain for traffic through the router.

elementalwindx · July 31, 2011, 7:22pm

Ok I’ve changed the drop rule from input to forward and now it blocks everyone from connecting, reguardless of the list they are on or not. What do I have to do to fix this?

At least now it adds people to the list like it should!

EDIT yay fixed it. The rules were in the wrong order so it was adding the person to ALL the lists on the first connection, so I had to re-order the rules

cbrown · August 1, 2011, 12:44pm

Thats good. Im glad you have it working.