Firewall filter rules and nmap scan results

Hello,

I am currently working on my firewall improvements. There is a PPPoE connection to my ISP. My router is configured as source nat with filter rules. Currently I have only the basic filter rules which are recommended in the book “Router OS by example”.

 0   ;;; ###
     chain=input action=drop connection-state=invalid
     in-interface=PPPoE-TelekomDSL

 1   ;;; ###
     chain=forward action=drop connection-state=invalid
     in-interface=PPPoE-TelekomDSL

 2   ;;; ###
     chain=input action=accept connection-state=established
     in-interface=PPPoE-TelekomDSL

 3   ;;; ###
     chain=input action=drop in-interface=PPPoE-TelekomDSL

 4   ;;; ###
     chain=forward action=accept connection-state=new
     src-address-list=Telekom Subnet in-interface=PPPoE-TelekomDSL

 5   ;;; ###
     chain=forward action=accept connection-state=related
     in-interface=PPPoE-TelekomDSL

 6   ;;; ###
     chain=forward action=accept connection-state=established
     in-interface=PPPoE-TelekomDSL

 7   ;;; ###
     chain=forward action=drop in-interface=PPPoE-TelekomDSL

To validate my settings nmap is the tool I use. So doing nmap -sT gives me this output:

PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
143/tcp open imap
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
8080/tcp open http-proxy

Currently I don’t know where any of these open ports come from. Can you help please…

Thank you
Toby
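As an added illustration (not code from this thread, nor from MikroTik): the script below replays the posted filter rule set as a first-match rule table and evaluates a few constructed packets against it, so you can see which rule decides each case. The rule lines are the ones quoted above; the packet addresses, the interface names used for the packets and the connection states are assumed for the example.

```python
"""Added example (not from the thread or from MikroTik): replay the posted
/ip firewall filter rules as a first-match rule table and evaluate
constructed packets against it to see which rule decides each case."""
import ipaddress
import shlex
from dataclasses import dataclass

# The filter rules as posted in the thread (export form, one rule per line).
FILTER_EXPORT = """
add action=drop chain=input connection-state=invalid in-interface=PPPoE-TelekomDSL
add action=drop chain=forward connection-state=invalid in-interface=PPPoE-TelekomDSL
add chain=input connection-state=established in-interface=PPPoE-TelekomDSL
add action=drop chain=input in-interface=PPPoE-TelekomDSL
add chain=forward connection-state=new in-interface=PPPoE-TelekomDSL src-address-list="Telekom Subnet"
add chain=forward connection-state=related in-interface=PPPoE-TelekomDSL
add chain=forward connection-state=established in-interface=PPPoE-TelekomDSL
add action=drop chain=forward in-interface=PPPoE-TelekomDSL
"""

# Only the address list the filter rules reference, as listed in the thread.
ADDRESS_LISTS = {"Telekom Subnet": ["192.168.128.0/24"]}


@dataclass
class Packet:
    """A constructed packet as the filter sees it (connection state already tracked)."""
    chain: str          # "input" = to the router itself, "forward" = through the router
    in_interface: str
    src: str
    state: str          # new / established / related / invalid


def parse_export(text):
    """Turn 'add key=value ...' export lines into a list of rule dicts, in order."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)          # honours the quoted "Telekom Subnet"
        if not parts or parts[0] != "add":
            continue
        rule = dict(p.split("=", 1) for p in parts[1:])
        rule.setdefault("action", "accept")   # an omitted action in an export means accept
        rules.append(rule)
    return rules


def _in_list(ip, list_name):
    nets = ADDRESS_LISTS.get(list_name, [])
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def _matches(rule, pkt):
    """Every matcher present on the rule must agree with the packet."""
    if rule["chain"] != pkt.chain:
        return False
    if rule.get("in-interface", pkt.in_interface) != pkt.in_interface:
        return False
    if rule.get("connection-state", pkt.state) != pkt.state:
        return False
    if "src-address-list" in rule and not _in_list(pkt.src, rule["src-address-list"]):
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins. Returns (action, rule_index); ("accept", None) means
    no rule matched, which in RouterOS leaves the packet accepted by default."""
    for i, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule["action"], i
    return "accept", None


if __name__ == "__main__":
    rules = parse_export(FILTER_EXPORT)
    # 203.0.113.5 is a documentation address standing in for an Internet host.
    cases = {
        "new SYN from a WAN host to the router": Packet("input", "PPPoE-TelekomDSL", "203.0.113.5", "new"),
        "reply in an established flow to the router": Packet("input", "PPPoE-TelekomDSL", "203.0.113.5", "established"),
        "new SYN from WAN into the LAN": Packet("forward", "PPPoE-TelekomDSL", "203.0.113.5", "new"),
        "new SYN from the LAN side to the router": Packet("input", "ether2_homenet", "192.168.0.119", "new"),
    }
    for label, pkt in cases.items():
        print(f"{label:45s} -> {evaluate(rules, pkt)}")
```

Two things the replay makes visible: on the PPPoE interface every new connection to the router is dropped by rule 3, so these rules by themselves leave nothing for an Internet-side scan to find open, and the input chain has no rule at all for the LAN interfaces, so a scan from 192.168.0.119 on ether2_homenet reaches the router's own services unfiltered. Rule 4 also accepts new forward connections arriving on the PPPoE interface from the private 192.168.128.0/24 list, a source that should never appear on the WAN side.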

Do you have any port forwarding NAT rules?

If no, you may not be scanning the correct IP address. Is “” the address assigned to your PPPoE-TelekomDSL interface or a LAN IP?

No, there are just the firewall → service ports enabled. I thought they should be a kind of NAT helper which you'd better not disable.
The scan goes toward the local address of the PPPoE client. According to my knowledge this is the WAN IP?

I used Android tethering (mobile network) as the internet connection for the scan. May this influence something?

In order to do more than guess, I believe we need to see

/interface print
/ip address export
/ip firewall export
/ip firewall print
/ip mangle print
/ip route print

Then tell us the IP address of your nmap machine, the physical port on the MikroTik to which your nmap machine is connected, and the actual IP that you are testing, and run your nmap again. You can replace the first two octets of any public IP address with letters so long as the letters are a one-to-one substitution for the octets they are replacing.

Here are the exports:
/interface print

NAME TYPE MTU L2MTU MAX-L2MTU MAC-ADDRESS

0 R ether1_fritzbox ether 1500 1598 4074 00:0C:42:C1:F9:9D
1 R ether2_homenet ether 1500 1598 4074 00:0C:42:C1:F9:9E
2 R ether3_telekom ether 1500 1598 4074 00:0C:42:C1:F9:9F
3 R ether4_modem_telekom ether 1500 1598 4074 00:0C:42:C1:F9:A0
4 R ;;; ::: VLAN Trunk :::
ether5_trunk ether 1500 1598 4074 00:0C:42:C1:F9:A1
5 R PPPoE-TelekomDSL pppoe-out 1480
6 R vlan1_ether5 vlan 1500 1594 00:0C:42:C1:F9:A1
7 R vlan100_ether5 vlan 1500 1594 00:0C:42:C1:F9:A1
8 R vlan200_ether5 vlan 1500 1594 00:0C:42:C1:F9:A1

/ip address
add address=192.168.0.254/24 interface=ether2_homenet network=192.168.0.0
add address=192.168.128.254/24 interface=ether3_telekom network=192.168.128.0
add address=10.0.128.254/24 interface=vlan100_ether5 network=10.0.128.0
add address=10.0.192.254/24 interface=vlan200_ether5 network=10.0.192.0

/ip firewall export
/ip firewall address-list
add address=192.168.128.0/24 list=local-addresses
add address=192.168.0.0/24 list=local-addresses
add address=10.0.192.0/24 list=local-addresses
add address=10.0.128.0/24 list=local-addresses
add address=192.168.128.0/24 list="Telekom Subnet"
add address=192.168.0.0/24 list="E Homenet Subnet"
add address=10.0.192.0/24 list="F PV Subnet"
add address=10.0.128.0/24 list="Guest WLAN Subnet"
add address=192.168.0.119 list=addressList_PenetrationTesting
add address=A.B.C.14 list=addressList_WANIPTelekom
/ip firewall filter
add action=drop chain=input connection-state=invalid in-interface=PPPoE-TelekomDSL
add action=drop chain=forward connection-state=invalid in-interface=PPPoE-TelekomDSL
add chain=input connection-state=established in-interface=PPPoE-TelekomDSL
add action=drop chain=input in-interface=PPPoE-TelekomDSL
add chain=forward connection-state=new in-interface=PPPoE-TelekomDSL src-address-list="Telekom Subnet"
add chain=forward connection-state=related in-interface=PPPoE-TelekomDSL
add chain=forward connection-state=established in-interface=PPPoE-TelekomDSL
add action=drop chain=forward in-interface=PPPoE-TelekomDSL
/ip firewall mangle
add chain=prerouting dst-address-list=local-addresses dst-address-type="" fragment=no
add action=mark-routing chain=prerouting dst-address-list=addressList_WANIPTelekom new-routing-mark=table_PenetrationTesting passthrough=no src-address-list=addressList_PenetrationTesting
add action=mark-routing chain=prerouting new-routing-mark=WANTelekom passthrough=no src-address-list="Telekom Subnet"
add action=mark-routing chain=prerouting new-routing-mark=fromFPV passthrough=no src-address-list="F PV Subnet"
add action=mark-routing chain=prerouting new-routing-mark=fromflyingEGuest passthrough=no src-address-list="Guest WLAN Subnet"
add action=mark-routing chain=prerouting in-interface=PPPoE-TelekomDSL new-routing-mark=WANTelekom passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE-TelekomDSL src-address=192.168.128.0/24
add action=masquerade chain=srcnat out-interface=PPPoE-TelekomDSL src-address=192.168.0.0/24

/ip route print

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 PPPoE-TelekomDSL 1
1 A S 192.168.0.0/24 ether2_homenet 1
2 A S 192.168.128.0/24 ether3_telekom 1
3 A S 0.0.0.0/0 192.168.179.1 1
4 A S 0.0.0.0/0 192.168.179.1 1
5 A S A.B.C.14/32 192.168.0.240 1
6 A S 0.0.0.0/0 192.168.0.240 1
7 S 0.0.0.0/0 PPPoE-TelekomDSL 5
8 ADC 10.0.128.0/24 10.0.128.254 vlan100_ether5 0
9 ADC 10.0.192.0/24 10.0.192.254 vlan200_ether5 0
10 ADC F.G.H.165/32 A.B.C.14 PPPoE-TelekomDSL 0
11 ADC 192.168.0.0/24 192.168.0.254 ether2_homenet 0
12 ADC 192.168.128.0/24 192.168.128.254 ether3_telekom 0
13 ADC 192.168.179.0/24 192.168.179.21 ether1_fritzbox 0

IP address of my nmap machine is 192.168.0.119, connected to ether2_homenet.

I think I forgot to ask for

ip address print

and your nmap command is ? nmap -sT A.B.C.14 ?

It looks like you are using routing marks. Could you show us the output of

/ip route export

Are you trying to keep address space isolated (VRF) or are you trying to do rate limits (queues)? I haven’t done much with VRFs, yet.

nmap command is nmap -sT as you said.
/ip address print

ADDRESS NETWORK INTERFACE

0 192.168.0.254/24 192.168.0.0 ether2_homenet
1 192.168.128.254/24 192.168.128.0 ether3_telekom
2 10.0.128.254/24 10.0.128.0 vlan100_ether5
3 10.0.192.254/24 10.0.192.0 vlan200_ether5
4 D 192.168.179.21/24 192.168.179.0 ether1_fritzbox
5 D A.B.C.14/32 F.G.H.165 PPPoE-TelekomDSL

/ip route export
add check-gateway=ping distance=1 gateway=PPPoE-TelekomDSL routing-mark=WANTelekom
add distance=1 dst-address=192.168.0.0/24 gateway=ether2_homenet routing-mark=WANTelekom
add distance=1 dst-address=192.168.128.0/24 gateway=ether3_telekom routing-mark=WANTelekom
add distance=1 gateway=192.168.179.1 routing-mark=fromFreyPV
add check-gateway=ping distance=1 gateway=192.168.179.1 routing-mark=fromflyingEllertGuest
add distance=1 dst-address=A.B.C.14/32 gateway=192.168.0.240 routing-mark=table_PenetrationTesting
add check-gateway=ping distance=1 gateway=192.168.0.240
add check-gateway=ping distance=5 gateway=PPPoE-TelekomDSL

/ip route rule
add action=drop dst-address=192.168.0.0/24 src-address=10.0.128.0/24
add action=drop dst-address=192.168.128.0/24 src-address=10.0.128.0/24
add action=drop dst-address=10.0.192.0/24 src-address=10.0.128.0/24
add dst-address=192.168.128.0/24 src-address=192.168.0.0/24 table=main
add action=drop dst-address=10.0.128.0/24 src-address=10.0.192.0/24
add action=drop dst-address=192.168.128.0/24 src-address=10.0.192.0/24
add disabled=yes dst-address=192.168.0.0/24 src-address=192.168.128.0/24 table=main
add action=drop disabled=yes dst-address=192.168.0.0/24 src-address=10.0.192.0/24

I don't know anything about VRFs so I do not use them. There are no queues!

I don’t see anything that tells me what the issue is. Are you still seeing the extra ports when you nmap your A.B.C.14 IP?

I don’t use routing-marks so it may be some side effect of that. I’m sorry but I’m out of ideas.

I’ll give it another try tomorrow. Normally the open ports are still visible… Hm, strange if routing marks affect open firewall ports.
Could there be a bug in nmap that reports supposedly open ports which are invisible?

The nmap -sT test now shows a different result:

PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
993/tcp open imaps
8080/tcp open http-proxy

Fewer open ports but still no explanation for them… No changes were made to routing-marks etc. :frowning:
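Added example, not part of the thread: when a result set changes between two scans with no configuration change in between, the first useful step is to diff the scans and to check each remaining open port against the rules on the router that could legitimately account for it (a dst-nat forward, or a service the input chain accepts). The script below parses nmap's PORT/STATE/SERVICE table from both posts quoted above, reports what disappeared and what stayed, and lists the open ports that no known rule explains; the `expected` mapping is an assumed input that you would fill from your own NAT and filter rules (the posted export has no dst-nat rules, so for this thread it is empty).

```python
"""Added example (not from the thread): parse two nmap -sT result tables, diff them,
and list every open port that no known router rule accounts for."""
import re

# Both tables are copied from the thread's posts and embedded here for the example.
SCAN_BEFORE = """\
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
143/tcp open imap
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
8080/tcp open http-proxy
"""

SCAN_AFTER = """\
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
993/tcp open imaps
8080/tcp open http-proxy
"""

# Matches both the single-spaced lines above and nmap's column-aligned output.
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_table(text):
    """Return {(port, proto): (state, service)} from nmap's normal-output table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports


def open_ports(scan):
    return {key for key, (state, _) in scan.items() if state == "open"}


def compare_scans(before, after):
    """Which open ports vanished, appeared, or stayed between two scans."""
    b, a = open_ports(before), open_ports(after)
    return {"closed_since": sorted(b - a), "new": sorted(a - b), "stable": sorted(a & b)}


def unexplained_open_ports(scan, expected):
    """Open ports that no entry in `expected` ({(port, proto): reason}) accounts for.
    `expected` is assumed input: fill it from your own dst-nat and input-accept rules."""
    return sorted(open_ports(scan) - set(expected))


if __name__ == "__main__":
    before, after = parse_nmap_table(SCAN_BEFORE), parse_nmap_table(SCAN_AFTER)
    print(compare_scans(before, after))
    # The posted export has no dst-nat rules, so nothing on the router explains an open port.
    print(unexplained_open_ports(after, {}))
```

Every port the second scan still reports is unexplained by the posted router rules, and four ports changed state with no change to the router, which is the kind of result that justifies the sniffer suggested later in the thread: capture on the scanning host and on the router's interfaces and see which device actually answers the SYN.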

Another input from my side. The PPPoE connection is done over a Draytek Vigor 120v2 ADSL modem. Does this device have something to do with the open ports?

nmap the internal address just for fun.

use the force of the packet sniffer, Luke!
Wireshark is my ultimate #1 tool for digging into any kind of network trouble/question.