Default firewall rules and NAT

Hi,

I’m new to RouterOS and I’m running Version 6.29 on my 750GL.

A few questions came up during the setup. I have the default filter ruleset in place; additionally, I have the following NAT rule in place:

1    ;;; NAT to Server
      chain=dstnat action=dst-nat to-addresses=192.168.xx.xxx to-ports=1234 
      protocol=udp in-interface=ether1-gateway dst-port=1234 log=no 
      log-prefix=""

Does this NAT rule automatically cause an exception to the default FW filter rule set below?

0    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 1    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no 
      log-prefix="" 

 2    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no 
      log-prefix="" 

 3    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

 4    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 5    ;;; default configuration
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=ether1-gateway log=no 
      log-prefix=""

Thanks!

No. You should set it yourself (see next post).

Wrong.

By default it works correctly.

Just noticed the new default firewall ruleset takes dst-nat into account! :slight_smile:

Does this NAT rule automatically cause an exception to the default FW filter rule set below?

I understood the question as asking whether adding a dst-nat rule will automatically add a filter rule; the answer to that is still no.

BUT, as long as you keep this rule in place:

5    ;;; default configuration
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=ether1-gateway log=no 
      log-prefix=""

You won’t need to add a filter rule for dst-nat rules on ether1-gateway, as this rule allows indiscriminate traffic from the internet to enter through that dst-natted port.
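As an added illustration (not code from the thread or from RouterOS), here is a small Python model of the first-match evaluation of the default rules above, showing why rule 5 passes a new dst-natted flow arriving on ether1-gateway but drops a new flow that was not dst-natted. It assumes RouterOS's behaviour that a packet reaching the end of a chain without a match is accepted, and that the dst-nat rule, which runs in prerouting, has already set connection-nat-state=dstnat before the forward chain sees the flow's first packet.

```python
# Constructed model of the thread's default RouterOS filter rules (not
# RouterOS code). Logging fields are omitted; "!value" is a negated matcher.
FILTER = [
    {"chain": "input", "action": "accept", "protocol": "icmp"},
    {"chain": "input", "action": "accept",
     "connection-state": {"established", "related"}},
    {"chain": "input", "action": "drop", "in-interface": "ether1-gateway"},
    {"chain": "forward", "action": "accept",
     "connection-state": {"established", "related"}},
    {"chain": "forward", "action": "drop", "connection-state": {"invalid"}},
    # Rule 5: drops new WAN connections only when they were NOT dst-natted.
    {"chain": "forward", "action": "drop", "connection-state": {"new"},
     "connection-nat-state": "!dstnat", "in-interface": "ether1-gateway"},
]

def matches(rule, pkt):
    """True if every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        have = pkt.get(key)
        if isinstance(want, set):          # matcher listing several values
            if have not in want:
                return False
        elif want.startswith("!"):         # negated matcher, e.g. !dstnat
            if have == want[1:]:
                return False
        elif have != want:
            return False
    return True

def verdict(chain, pkt):
    """Walk one chain top to bottom; first match wins, no match = accept."""
    for rule in FILTER:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"]
    return "accept"   # assumed: RouterOS accepts at end of chain

# Constructed packets. dst-nat runs in prerouting, so the first packet of
# a WAN flow to UDP/1234 already carries connection-nat-state=dstnat.
GAME = {"in-interface": "ether1-gateway", "protocol": "udp",
        "connection-state": "new", "connection-nat-state": "dstnat"}
UNSOLICITED = {"in-interface": "ether1-gateway", "protocol": "tcp",
               "connection-state": "new", "connection-nat-state": None}
LAN_OUT = {"in-interface": "ether2", "protocol": "tcp",
           "connection-state": "new", "connection-nat-state": None}
TO_ROUTER = {"in-interface": "ether1-gateway", "protocol": "tcp",
             "connection-state": "new"}
```

Because rule 5 exempts everything that was dst-natted, the NAT rule's own matchers (protocol=udp, dst-port=1234) are what bound the inbound traffic, so keep them as narrow as in the rule quoted above.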

OK then, so the default set of rules contains this rule to pass incoming traffic to dst-nat. I didn’t recognize this when I had a quick look at the rules.

Thanks!