Feature request - Better control of ip/services/

JJOliver998 · December 9, 2009, 2:47pm

Hi.

I’m pretty new to mikrotik, but what seems to be glaringly obvious is that IP / Services which, forgive me for explaining, allows you to connect to the mikrotik in differing fashions via Api, FTP, ssh, telnet, winbox, www and www-ssl.

What seems to be at fault is that you can only put a single ip address or ip range such as 10.200.0.0/16 or 10.200.1.0/24.

Why can’t I add more than one IP address or use an IP pool? This seems to be a major flaw. I have several fixed IP addresses that connect from different sites, adding a VPN to each one seems a major hassle to allow a user to connect for 5 minutes without adding a huge security risk.

Anyone else think so?

sergejs · December 9, 2009, 2:51pm

Yes, it is correct that you can put one or block of IP address, service will be accessible then.
But you can use /ip firewall filter and create as much complicated restrictions as you need.

JJOliver998 · December 9, 2009, 2:59pm

Sure I appreciate that.

For example if I want to allow 10.200.1.5 and 79.234.1.2 there doesn’t seem to be an easy way.

For example, the use of aliases / ip pools would be a very helpful feature in this situation.

fewi · December 9, 2009, 3:00pm

Example:

/ip services
set ssh address=0.0.0.0/0 
set ssh enabled=yes
set winbox address=0.0.0.0/0
set winbox enabled=yes
/ip firewall address-list
add list=SSH_Access address=192.168.1.10/32
add list=SSH_Access address=10.1.0.45/32
add list=Winbox_Access address=192.168.1.10/32 
add list=Winbox_Access=172.17.1.59/32
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=22 src-address-list=!SSH_Access
add chain=input action=drop protocol=tcp dst-port=8291 src-address-list=!Winbox_Access

Edit: or for your example:

/ip firewall address-list
add list=admins address=10.200.1.5/32
add list=admins address=79.234.1.2/32
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=21,22,23,80,443,8291,8727 src-address-list=!admins

JJOliver998 · December 9, 2009, 3:08pm

Thanks so much, that looks really helpful.

Any chance of letting me know what that does?

Josh

fewi · December 9, 2009, 3:20pm

/ip firewall address-list

Go into the firewall section that builds address lists. Address lists are an easy way to refer to more than one IP address or network.

add list=admins address=10.200.1.5/32
add list=admins address=79.234.1.2/32

Add your two management IP addresses to an address list named ‘admins’. Now whenever you refer to that address list, either IP matches.

/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=21,22,23,80,443,8291,8727 src-address-list=!admins

Install a firewall filter in the ‘input’ chain (which contains all traffic destined to the router directly, i.e. traffic that doesn’t flow through the router but terminates on it, like management traffic). Drop all traffic to ports 21, 22 etc. (compare those ports to the ports listed in ‘/ip service’) that isn’t sourced from the IPs on the ‘admins’ address list, effectively locking access to those ports to just your two management stations. If you need more admin stations, add their IPs to the address list.

All of these commands and their syntax are explained rather well on the wiki. If you are new to firewalls themselves, the primers on netfilter.org (the Linux firewall project that RouterOS’s firewall is built on) are very good.

JJOliver998 · December 9, 2009, 3:49pm

Thanks so much for helping in this issue, this seems to be a much better way of working and I really really appreciate it.

Sorry to have asked a question that was apparently very simple to solve.