DST-NAT and Firewall Rules

Hi!

RB750G - RouterOS 6.7

I have a problem with port forwarding. Port forwarding only works when I also add a firewall rule in the FORWARD chain for the specific port.
For example, if I forward port 3389 in NAT, then I have to add an accept rule for port 3389 in the forward chain of the firewall. As I was reading, dst-nat comes before firewall filtering, and the firewall should not have an effect on that. But in my case that is not how it works :confused:

I need to have forward rules in the firewall because I want to allow only specific protocols for clients.
Suggestions?

Here is the configuration:

x.x.x.x is public IP address

NAT:

 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

 1   ;;; Server
     chain=dstnat action=dst-nat to-addresses=192.168.234.254 to-ports=3389 protocol
     dst-address=x.x.x.x in-interface=ether1-gateway dst-port=3389 

 2   chain=dstnat action=dst-nat to-addresses=192.168.234.254 to-ports=1723 protocol
     dst-address=x.x.x.x in-interface=ether1-gateway dst-port=1723 

 3 X chain=dstnat action=dst-nat to-addresses=192.168.234.254 to-ports=443 protocol=
     dst-address=x.x.x.x dst-port=443 

 4   ;;; ILO
     chain=dstnat action=dst-nat to-addresses=192.168.234.10 to-ports=443 protocol=t
     dst-address=x.x.x.x in-interface=ether1-gateway dst-port=443 

 5   chain=dstnat action=dst-nat to-addresses=192.168.234.10 to-ports=17988-17990 
     protocol=tcp dst-address=x.x.x.x in-interface=ether1-gateway 
     dst-port=17988-17990 

Firewall:
 0   ;;; Drops invalid connections on input and forward chains
     chain=input action=drop connection-state=invalid 

 1   chain=forward action=drop connection-state=invalid 

 2   ;;; Access to router from LAN - administration
     chain=input action=accept src-address-list=LAN 

 3   chain=input action=accept connection-state=related 

 4   chain=input action=accept connection-state=established 

 5   chain=input action=accept protocol=icmp 

 6   chain=input action=drop 

 7   ;;; LAN2WAN rules
     chain=forward action=accept connection-state=established 

 8   chain=forward action=accept connection-state=related 

 9   ;;; HTTP
     chain=forward action=accept protocol=tcp dst-port=80 

10   ;;; HTTPS
     chain=forward action=accept protocol=tcp dst-port=443 

11   ;;; POP3
     chain=forward action=accept protocol=tcp dst-port=110 

12   ;;; SMTP
     chain=forward action=accept protocol=tcp dst-port=25 

13   ;;; DNS
     chain=forward action=accept protocol=udp dst-port=53 

14   ;;; NTP
     chain=forward action=accept protocol=udp dst-port=123 

15   ;;; PING
     chain=forward action=accept protocol=icmp 

16   ;;; RDP
     chain=forward action=accept protocol=tcp dst-port=3389 

17   ;;; VPN
     chain=forward action=accept protocol=tcp dst-port=1723 

18   ;;; Bloom
     chain=forward action=accept protocol=tcp dst-port=8194-8294 

19   chain=forward action=accept protocol=udp dst-port=48129-48137 

20   ;;; ILO
     chain=forward action=accept protocol=tcp dst-port=17988-17990 

21   ;;; Hosting
     chain=forward action=accept protocol=tcp dst-port=2083 

22   chain=forward action=drop

That is the correct behavior. You need to have a firewall rule to allow your DST-NAT traffic. You are correct that DST-NAT comes before Forward, but what that means is that if you forward port 99 to port 21, your forward rules will see the dst-port as 21 and not 99. But you still need to allow the packet in the forward chain.

You can always add a specific forward rule for that port… e.g. only when dst-address is the port forward.

So to restrict that traffic to INBOUND only, I just add a rule in the firewall forward chain and set In. Interface to ether1-gateway, right?
So that users cannot get out on that specific port, but inbound traffic that comes in on ether1-gateway will be forwarded correctly.

Btw, is my firewall configuration OK from a security perspective?

Correct. Security for what is always the question. …
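The packet flow the reply describes (dst-nat runs first, so the forward chain matches on the translated destination) and the in-interface restriction asked about afterwards, as an added Python model; this is not code from the thread or from RouterOS, and the public address 203.0.113.1, the LAN interface name ether2-local and the remote host 198.51.100.7 are constructed stand-ins.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst_addr: str
    dst_port: int

WAN = "ether1-gateway"
PUBLIC = "203.0.113.1"       # constructed stand-in for x.x.x.x in the post
SERVER = "192.168.234.254"   # the RDP server from the dst-nat rules

def matches(match, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(getattr(pkt, k) == v for k, v in match.items())

# dst-nat (prerouting) rules: rule 1 from the post, plus the 99 -> 21 case from the reply
DSTNAT = [
    ({"in_iface": WAN, "proto": "tcp", "dst_addr": PUBLIC, "dst_port": 3389}, (SERVER, 3389)),
    ({"in_iface": WAN, "proto": "tcp", "dst_addr": PUBLIC, "dst_port": 99}, (SERVER, 21)),
]

def forward_rules(restrict_to_wan):
    """Forward chain: rule 16 from the post, optionally narrowed to inbound only."""
    rdp = {"proto": "tcp", "dst_port": 3389}
    if restrict_to_wan:  # add in-interface=ether1-gateway and dst-address=<server>
        rdp = {**rdp, "in_iface": WAN, "dst_addr": SERVER}
    return [
        (rdp, "accept"),
        ({"in_iface": WAN, "proto": "tcp", "dst_addr": SERVER, "dst_port": 21}, "accept"),
        ({}, "drop"),  # catch-all drop, like rule 22
    ]

def process(pkt, restrict_to_wan=True):
    """dst-nat runs first, then the forward filter; returns (action, packet as forward saw it)."""
    for match, (addr, port) in DSTNAT:
        if matches(match, pkt):
            pkt = replace(pkt, dst_addr=addr, dst_port=port)
            break
    for match, action in forward_rules(restrict_to_wan):
        if matches(match, pkt):
            return action, pkt
    return "drop", pkt

if __name__ == "__main__":
    lan_out = Packet("ether2-local", "tcp", "198.51.100.7", 3389)
    print(process(Packet(WAN, "tcp", PUBLIC, 3389))[0])  # accept: forward saw 192.168.234.254:3389
    print(process(lan_out)[0], process(lan_out, False)[0])  # drop accept
    print(process(Packet(WAN, "tcp", PUBLIC, 99))[1].dst_port)  # 21, not 99
```

With rule 16 as posted, a LAN client going out to any host on port 3389 is also accepted; the narrowed rule accepts only what arrived on ether1-gateway and was translated to the server.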