I have a problem understanding how firewall rules are evaluated in a non-NAT static routing configuration.
What is the correct firewall CHAIN to use when I open/close ports? I've tried suggestions from the forum and the Wiki, but they do not work in my static routing configuration. For example, I want to OPEN port 80 and close everything else:
5 ;;; Open some ports on WAN1…
chain=forward action=accept protocol=tcp in-interface=bridgeWAN1 src-port=80
6 ;;; Drop anything else to WAN1
chain=forward action=drop protocol=tcp in-interface=bridgeWAN1
But this blocks ALL ports.
If I change the rule numbers and put the DROP action on top, it's the same: everything is blocked.
I've tried using the INPUT chain instead, but it seems to have no effect at all. When doing static routing only, the PREROUTING, FORWARD and POSTROUTING chains seem to do any good.
Ideas and tips welcome. Thanx!
Are you trying to allow outside people to use your webserver, or are you trying to allow your own computers to access the internet? You should use dst-port=80, NOT src-port.
The INPUT chain is for traffic destined to the router itself, not to a computer behind the router: the built-in webfig, hotspot, DNS server, SSH to the router, or winbox. Those would be INPUT.
The FORWARD chain is for traffic that goes into the router and then back out to another device, like a webserver. It would also be for internet traffic going to or from a client computer.
The OUTPUT chain is traffic from the router itself going somewhere (like the router clock getting NTP from somewhere, or the router looking up DNS).
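The chain split described above, written out as RouterOS filter rules. This is an added example, not the poster's configuration: the interface names ether1-wan and bridge-lan, the admin host 192.0.2.10 and the web server 198.51.100.20 are assumptions for illustration. Note that the port match is dst-port, and that each chain accepts connection-state=established,related first so that only new connections are subject to the open/close rules.

```routeros
# Added example (not from the original thread). Interface names, the admin
# host 192.0.2.10 and the server 198.51.100.20 are assumed values.
/ip firewall filter

# INPUT: packets addressed to the router itself (winbox, ssh, webfig, dns)
add chain=input action=accept connection-state=established,related \
    comment="replies for sessions the router accepted or opened"
add chain=input action=accept protocol=tcp dst-port=22,8291 \
    src-address=192.0.2.10 in-interface=ether1-wan \
    comment="ssh and winbox to the router only from the admin host"
add chain=input action=drop in-interface=ether1-wan \
    comment="anything else aimed at the router from the internet"

# FORWARD: packets passing through the router to another host
add chain=forward action=accept connection-state=established,related \
    comment="replies in both directions, so inside->out sessions keep working"
add chain=forward action=accept protocol=tcp dst-port=80 \
    dst-address=198.51.100.20 in-interface=ether1-wan \
    comment="new connections from the internet to the web server (dst-port, not src-port)"
add chain=forward action=drop in-interface=ether1-wan \
    comment="no other new connections from the internet"
add chain=forward action=accept in-interface=bridge-lan \
    comment="inside -> out: everything allowed"

# OUTPUT: packets the router itself sends (NTP, DNS lookups); left open here
```

Rules are evaluated top to bottom within a chain and the first match wins, so the catch-all drop must sit after the accepts; placed above them it would swallow the port 80 traffic too, which is the behaviour the question describes.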
But is this also valid for my static routing configuration?
As you see, CLASSIC firewalling would influence the main ROUTING SEGMENT, which I DO NOT want.
I want ROUTING SEGMENT to be just protected from hacking attacks.
All other traffic on ROUTING SEGMENT is opened, in both directions.
But for both PUBLIC IP SEGMENTS, I want to use port open/close firewalling:
from the internet → public IP segment, I want to open just specific ports and have all others closed. Which firewall chain should I use here?
from inside → out, I want to open ALL traffic.
Can somebody confirm, which firewall chains to use in this configuration?
Just one more:
What's the correct order of DENY/ALLOW rules, from top (#1) to bottom (#xxx)?
1.) Should I first open some ports, then block ALL in the last rule?
2.) Or vice versa: first block ALL, then open specific ports in the rules below?
EDIT:
Don't be lazy, so I answered my own question: the ORDER of rules is to first OPEN ports, then deny all the rest.
And for my case, the out-interface needs to be defined:
5 ;;; Open some ports from the internet towards my internal servers on WAN1...
chain=forward action=accept protocol=tcp out-interface=bridgeWAN1 dst-port=80,3389
6 ;;; Drop anything else to WAN1
chain=forward action=drop protocol=tcp out-interface=bridgeWAN1
It might be slightly off-topic, but is there any preferred method to keep a list of allowed ADMIN IP addresses and use it in FORWARD firewall rules?
For example, I'd enable SSH port 22 and remote desktop port 3389 only from a specific set of IP addresses, but I can only enter 1 IP in 1 rule.
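An added example (not from the original thread) showing the two points above together: the accept-then-drop ordering from the EDIT, and a RouterOS address list so that several admin addresses share one rule via src-address-list. The interface name bridgeWAN1 is taken from the poster's rules; the list name "admins" and the addresses 192.0.2.10 and 203.0.113.0/28 are assumptions. Two caveats the posted rules leave open: the drop rule there matches protocol=tcp only, so UDP and ICMP towards WAN1 stay unfiltered, and without an established,related accept ahead of the drop, replies to connections that the WAN1 hosts open outward (which arrive on an ephemeral dst-port) are dropped as well.

```routeros
# Added example, not the poster's configuration. "admins" and its members
# are assumed values; bridgeWAN1 comes from the poster's rules.
/ip firewall address-list
add list=admins address=192.0.2.10 comment="office"
add list=admins address=203.0.113.0/28 comment="VPN pool"

/ip firewall filter
# 1. replies first, so outbound sessions from the WAN1 hosts are not cut off
add chain=forward action=accept connection-state=established,related \
    out-interface=bridgeWAN1 comment="return traffic to WAN1 hosts"
# 2. management ports only from the list; one rule covers every member
add chain=forward action=accept protocol=tcp dst-port=22,3389 \
    src-address-list=admins out-interface=bridgeWAN1 \
    comment="ssh/rdp to WAN1 hosts from admin addresses only"
# 3. the public service, open to everyone
add chain=forward action=accept protocol=tcp dst-port=80 \
    out-interface=bridgeWAN1 comment="web"
# 4. catch-all drop last; no protocol= so udp and icmp are covered too
add chain=forward action=drop out-interface=bridgeWAN1 \
    comment="drop anything else towards WAN1"
```

Adding or removing an admin address is then a change to the address list only; the filter rules stay as they are. The same list can be reused in the input chain to restrict management of the router itself.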