Filter Rules do not block SSH

raymonvdm · December 10, 2006, 10:25am

When i add the following rules to my mikrotik. I still can connect to the server with ssh. I have created and interface called 2-4 DMZ. And am dropping everything accept icmp. Why can is still use putty to connect to 192.168.13.200 (CentOS Box)

0 ;;; DMZ Regels
chain=input in-interface=2-4 DMZ dst-address=192.168.13.250
protocol=icmp action=accept

1 chain=output out-interface=2-4 DMZ dst-address=192.168.13.0/24
protocol=icmp action=accept

2 chain=output out-interface=2-4 DMZ action=log log-prefix=“DMZ”

3 chain=output out-interface=2-4 DMZ action=drop

4 chain=input in-interface=2-4 DMZ action=log log-prefix=“DMZ”

5 chain=input in-interface=2-4 DMZ action=drop

6 ;;; DMZ Regels BF2
chain=input dst-address=192.168.13.200 protocol=udp dst-port=16567
action=accept

7 chain=output out-interface=2-4 DMZ dst-address=192.168.13.200 protocol=ud>
dst-port=55123-55125 action=accept

Equis · December 10, 2006, 11:24am

Wouldn’t you need to use foward not input and output?

I’m not sure

andrewluck · December 10, 2006, 12:09pm

Exactly. The input and output chains refer to traffic destined for and originating from the router. If you want to block traffic traversing the router then you need to use the forward chain.

Regards

Andrew