Deny ip PUBLIC traffic

I have an RB3011 with two WAN connections; I filter various traffic on the RB and forward the rest to a Linux server.
One of those traffic types is for ports 25, 465, 110 and 995. However, even though I try to deny the traffic coming from several IPs, it continues to be forwarded to my mail server.

The bytes and packets counters show that the rule detects traffic that matches it. However, it is fail2ban on the mail server that temporarily blocks this traffic. I want to do it from the RB.

Rules…
ISP rules
0 and 1: input rules on the WAN network cards (2 IPs), with JUMP TARGET → from-internet

Rules denying the public IP range
2 ;;; IPTEST
chain=from-internet action=drop src-address-list=IP_TEST log=no log-prefix="IP MAIL BLOCK"


IP_TEST address-list
68 IP_TEST 45.142.195.8
69 IP_TEST 45.142.195.13
70 IP_TEST 45.142.195.15
71 IP_TEST 45.142.195.7

I have even changed the order of the rules, and put input as the chain, but it doesn't stop the traffic in any way. If I activate logging, it does register events.
[attached screenshots: escenario 1.png, escenario 2.png]

Check your NAT rules…

Sorry, but what should I look for in the NAT? Basically I tag the traffic, redirect traffic to other services that are not the mail, and finally forward it to my Linux firewall.
If the rule worked, the traffic coming from those IPs would not have to be sent to this Linux server, and therefore to the mail.
Note: in the NAT there is no traffic defined for these protocols.

Can't tell squat from pictures.
Please post config:
/export hide-sensitive file=anynameyouwish

You need to also drop this traffic on the forward chain; that is where traffic is flowing through the router, in this case from the Internet, through the router, to your server.
The input chain is traffic that is heading to the router itself, for example traffic heading to the VPN server on the router, or accessing the router via WinBox.

I'm sending part of the configuration, what I think is what you need: firewall, NAT, mangle.
I hope it is enough.
RB3011confexp.rsc (4.2 KB)

My mistake, I was under the impression that NAT was used, but apparently your backend servers have public IPs directly, so it should only be a filtering job.

EDIT: No they don't, looking at your config…
You have a not so standard config with some jumping around chains, and I wonder if the reason you missed something is due to the order of packet processing.

The really smart guys on this forum will spot something :wink:

Sorry, but the public IPs are on the RB. On it I NAT to a firewall server, where the mail ports are sent to the mail server.

If you check the configuration of the RB, you will see that I label the inbound traffic to know that it comes from the internet; then, once it is identified, I block certain IPs, and in the order of rules it would be number 3, since I have two ISPs or two WAN providers.

As I understand it, when the counters of each rule increase it is because it is actually applied to the packet. And the problem is exactly this: it applies, however traffic continues to come from those blocked IPs.

To clarify, the rule is general on the IP, without differentiating which port it transmits on, what protocol, etc.

Try adding this to the top of your firewall filter rules:

add action=drop chain=forward-from-internet comment=IPTEST log-prefix="IP MAIL BLOCK" src-address-list=IP_TEST

Not sure why you are using this jump rule, but all the other rules on the forward chain are still unchanged, so they will not apply to the forward chain, and no filter rules are currently on this forward-from-internet chain, which means you have no firewall to protect your LAN.

Basically, the input chain is traffic heading towards the router itself.
The forward chain is traffic going through the router, so that is from LAN to Internet, and from Internet to LAN.
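As an added example (not the poster's configuration and not from the attached export), the same address-list drop placed where transit traffic is actually evaluated, followed by the commands that confirm it is being hit. The four addresses are the ones listed in the first post; the rule placement and the verification steps are assumptions about a minimal setup:

```routeros
# Added example, not the thread's config. Addresses come from the first
# post; the placement and checks below are assumptions.
/ip firewall address-list
add list=IP_TEST address=45.142.195.8 comment="blocked mail sender"
add list=IP_TEST address=45.142.195.13 comment="blocked mail sender"
add list=IP_TEST address=45.142.195.15 comment="blocked mail sender"
add list=IP_TEST address=45.142.195.7 comment="blocked mail sender"

# Internet -> router -> mail server is transit traffic, so only the forward
# chain ever sees it. A drop in a chain reached from input only matches
# packets addressed to the router itself, which is why the original rule
# counted hits while the mail server kept receiving connections.
# place-before=0 puts the rule ahead of every existing filter rule,
# including any jump.
/ip firewall filter
add chain=forward action=drop src-address-list=IP_TEST \
    log=yes log-prefix="IP MAIL BLOCK" place-before=0 comment="IPTEST"

# dst-nat runs before the forward filter, so a port-forwarded connection
# reaches this rule with the translated destination but the original
# source address, and src-address-list still matches.

# Verify: the counters of the forward rule should increase, the log should
# show each dropped packet with the prefix, and fail2ban on the mail
# server should stop seeing these sources.
/ip firewall filter print stats where chain=forward comment="IPTEST"
/log print where message~"IP MAIL BLOCK"
```

Leaving `log=yes` on permanently is noisy on a busy WAN; it is useful while confirming the rule works and can then be switched back to `log=no`, as in the original rule.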

Thank you, this rule does work. I thought that putting this rule first didn't matter regarding the other settings for internet traffic. For solar77's peace of mind: my first barrier is MikroTik, with various traffic filters, and then I send it to another firewall, which has direct restrictions that protect the LAN.

The input chain only affects traffic that terminates in the router itself.
The forward chain affects traffic that passes through the router (what you are trying to do).
The output chain affects traffic that originates in the router itself and is outbound to someplace else.

You can make all the rules in the world in the wrong chain and it won't accomplish what you want. Doing a jump in the forward chain to another chain, and then putting rules there, should work fine (I do that myself in some cases). Besides organization, putting a bunch of rules in a jump target chain that only involves certain traffic means that the router only needs to go through those rules for that particular type of traffic. For example, if I have a jump in my input chain that only applies to ICMP traffic (we'll call it the ICMP chain for this example), then all other traffic will not have to pass through the 20 firewall rules that I put into the ICMP chain. Saves router CPU time.
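As an added example of the chain organisation described above (not the thread's configuration and not the poster's own rules), a forward chain that jumps to a from-internet chain only for WAN-originated transit traffic, and an input chain that jumps to an icmp chain only for ICMP. The interface names, the 192.0.2.10 inner-firewall address and the `IP_TEST` list (defined in the first post) are assumptions for illustration:

```routeros
# Added example, not the thread's config. ether1/ether2, 192.0.2.10 and
# the mail ports are assumptions; IP_TEST is the list from the first post.
/interface list
add name=WAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2

/ip firewall filter
# forward chain: transit traffic. Only packets that really enter from a
# WAN interface are sent to from-internet; LAN-to-Internet traffic never
# evaluates those rules and falls through to the chain's default accept.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=jump jump-target=from-internet in-interface-list=WAN

# from-internet is only reached through the jump above, so a drop here
# acts on transit traffic. If no rule matches, evaluation returns to the
# forward chain at the rule after the jump.
add chain=from-internet action=drop src-address-list=IP_TEST \
    log-prefix="IP MAIL BLOCK" comment="IPTEST"
add chain=from-internet action=accept protocol=tcp dst-address=192.0.2.10 \
    dst-port=25,465,110,995 comment="mail ports, dst-nat'ed to the inner firewall"
add chain=from-internet action=drop comment="anything else arriving from WAN"

# input chain: traffic to the router itself. Non-ICMP packets skip every
# rule inside chain=icmp, which is the CPU saving described in the post.
add chain=input action=accept connection-state=established,related
add chain=input action=jump jump-target=icmp protocol=icmp
add chain=icmp action=accept protocol=icmp icmp-options=8:0 \
    limit=5,10:packet comment="rate-limited echo request"
add chain=icmp action=accept protocol=icmp icmp-options=0:0 comment="echo reply"
add chain=icmp action=accept protocol=icmp icmp-options=3:0-15 comment="destination unreachable"
add chain=icmp action=accept protocol=icmp icmp-options=11:0-1 comment="time exceeded"
add chain=icmp action=drop protocol=icmp comment="all other ICMP"
add chain=input action=drop in-interface-list=WAN comment="everything else from WAN to the router"
```

The scoping works in both directions: a rule that belongs in from-internet is unreachable from input unless input also jumps there, and a drop rule whose counters increase in an input-only chain says nothing about what the forward chain is letting through.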