defconf: drop all from WAN not DSTNATed

icee · September 11, 2017, 12:19pm

Hi,

//// Sorry if this was discussed before ////

I have a PPPoE connection on eth1, should this rule apply to eth1 or PPPoE In. Interface ?

;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""

Many thanks,

strods · September 11, 2017, 12:24pm

This rule will apply only on incoming traffic through from ether1. If you have PPPoE interface, then you should create copy of this rule and exchange interface or add both interfaces to “/interface list” and replace in-interface on this rule with in-interface-list.

icee · September 11, 2017, 12:36pm

Hi,

I edited the rule and resulted this:

 ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=ETH1_and_PPPoE log=no log-prefix=""

I hope it works, I will monitor the packet count.

icee · September 11, 2017, 2:17pm

Hi,

Do you think there is anything excessive, doubled or out of place in my rules?

0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related in-interface=PPPoE_RDS log=no log-prefix="" 

 2    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related in-interface=PPPoE_RDS log=no log-prefix="" 

 3    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid in-interface=PPPoE_RDS log=no log-prefix="" 

 4    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=ETH1_and_PPPoE log=no log-prefix="" 

 5    ;;; HTTP WAN
      chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=80 log=no log-prefix="" 

 6    ;;; WinBox WAN
      chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=8291 log=no log-prefix="" 

 7    ;;; API WAN
      chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=8728 log=no log-prefix="" 

 8    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid in-interface=PPPoE_RDS log=no log-prefix="" 

 9    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

10    ;;; Accept L2TP VPN
      chain=input action=accept protocol=udp in-interface=PPPoE_RDS dst-port=1701 log=no log-prefix="" 

11    ;;; Accept L2TP VPN
      chain=input action=accept protocol=udp in-interface=PPPoE_RDS dst-port=500 log=no log-prefix="" 

12    ;;; Accept L2TP VPN
      chain=input action=accept protocol=udp in-interface=PPPoE_RDS dst-port=4500 log=no log-prefix="" 

13    ;;; Accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

14    ;;; drop DNS requests from WAN
      chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=53 log=no log-prefix="" 

15    ;;; drop DNS requests from WAN
      chain=input action=drop protocol=udp in-interface=PPPoE_RDS dst-port=53 log=no log-prefix="" 

16    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=PPPoE_RDS log=no log-prefix="" 

17    ;;; defcon: drop all ETH1
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""

Regards,