Firewall problems 😢

Hello all. I am in the process of replacing a SonicWall router with a MikroTik ver 2.8.26. I am using these as APs out on a wireless network with great success. But now I am trying to use it as my main router and am having problems. I believe that it has to do with my firewall.

My situation is this:

Public IP: 123.456.789.321
Private IP: 192.168.10.254

I have a mail server that is at 192.168.10.3. I did a DNAT from the public IP of my mail server to the private IP it is at. Okay, everything works so far. Now, when I start looking at my mail log on the server (Linux - Fedora Core 2 - been running fine for about 2 years) I see all kinds of traffic. It almost appeared to be someone trying to DoS me, but I wasn't sure.


Then I tried implementing some of the rules that are shown in the manual and it appeared that I lost much of everything. I went right down the list as it is in the book too. It appeared that my mail server couldn't connect with any of the others in order to transfer mail. My mail logs kept telling me that it couldn't connect and timed out.

This was very frustrating. So, I put the SonicWall back in just to get back to where I was and troubleshoot. Anyway, I started looking at the manual and at the forum to try and find some help on this.

Does anyone out there have a tutorial on setting this kind of system up? Or am I just way off base? The manual appears to be okay with just getting it up and working but I need some more info I guess. Please help if you have an idea that might help. Any and all help is most appreciated!

P.S. - I have been working with IPTables for a while now and seem to have a grip on that so I am not sure where I am going wrong.

When you entered the DNAT rule for the mail server did you restrict this to just SMTP traffic? If your rule matches all traffic then that is what will happen. You need something like this:

/ip firewall dst-nat add in-interface=Internet dst-address=:25 protocol=tcp action=nat to-dst-address=192.168.10.3 to-dst-port=25

Everything else translates pretty much directly from IPTables. My Input chain looks like this:

[admin@Net4501] ip firewall rule input> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop TCP Invalid packets
in-interface=Internet connection-state=invalid action=drop log=yes
1 ;;; Accept Internet Established
in-interface=Internet connection-state=established action=accept
2 ;;; Accept Internet Related
in-interface=Internet connection-state=related action=accept

3 ;;; Permit local LAN traffic
in-interface=Internal action=accept

4 ;;; PPTP control
in-interface=Internet dst-address=:1723 protocol=tcp action=accept
5 ;;; PPTP Tunnel
protocol=gre action=accept

6 ;;; Permit DHCP requests
src-address=:68 in-interface=Internal dst-address=:67 protocol=udp action=accept

7 ;;; Silent drop for TCP:445
dst-address=:445 protocol=tcp action=drop

8 ;;; Silent drop for UDP 1026-1027
in-interface=Internet dst-address=:1026-1029 protocol=udp action=drop

9 ;;; Drop & log everything else
in-interface=Internet action=drop log=yes

Regards

Andrew

Thanks, I did miss one part and that was the destination port on my public IP address. Otherwise it was the same. Thanks for posting yours; it will give me something to work on. I'll keep messing with it and hopefully come up with something that works!

On second thought, let me ask you one other question. It appears from the manual that if the packet is to go on to the other ethernet interface (for example: from my Public to my Private) then that would actually fall into the forward chain. It appears from the algorithm that they show, if it is a NAT situation, then it bypasses the Input chain and gets passed on to the forward chain. Am I reading that correctly? If so, then the chain that you posted from your router would not affect any of the forwarding. Should I have this kind of chain in the input or the forward chain?

You are correct. You need to protect both the Input and the Forward chains. I just posted my Input chain as the Forward chain will look pretty similar and I wasn't trying to post a complete solution. There's a whole load of stuff posted on the web that'll translate pretty readily from IPTables to MT.

Firewalling in 2.9 is way more capable and you can start to match packets based upon TCP option flags etc.

Regards

Andrew
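As an added example (not posted by Andrew or by MikroTik), here is what a forward chain matching his input chain could look like for the setup in the original question. It assumes the interface names "Internet" and "Internal" from his post, the mail server at 192.168.10.3 from the question, the 2.8 `/ip firewall rule <chain>` syntax shown in his print output, and that the dst-nat rule has already rewritten the destination before the forward chain sees the packet.

```routeros
# Added example, not the thread's own configuration. Assumes interfaces named
# "Internet" and "Internal", the mail server at 192.168.10.3, and RouterOS 2.8
# syntax as seen in the "ip firewall rule input> print" output above.

# 0: drop and log packets that belong to no known connection
/ip firewall rule forward add in-interface=Internet connection-state=invalid action=drop log=yes comment="Drop invalid"

# 1-2: replies to connections already accepted below, in both directions
/ip firewall rule forward add connection-state=established action=accept comment="Accept established"
/ip firewall rule forward add connection-state=related action=accept comment="Accept related"

# 3: LAN hosts, including the mail server's own outbound SMTP, may reach the
#    Internet. Without this rule the mail server cannot deliver outgoing mail
#    and its log shows connection timeouts, as in the original question.
/ip firewall rule forward add in-interface=Internal out-interface=Internet action=accept comment="LAN to Internet"

# 4: the only new inbound connection allowed from the Internet is SMTP to the
#    mail server, i.e. exactly what the dst-nat rule translates to
/ip firewall rule forward add in-interface=Internet out-interface=Internal dst-address=192.168.10.3/32:25 protocol=tcp action=accept comment="Inbound SMTP to mail server"

# 5: everything else arriving from the Internet for forwarding is dropped and
#    logged, so the log records what was refused rather than what got through
/ip firewall rule forward add in-interface=Internet action=drop log=yes comment="Drop and log the rest"
```

Rule order matters: the established/related accepts must sit above the drops, and rule 3 is the one that lets the mail server open its own outbound connections while rule 4 keeps inbound access limited to port 25 on that one host.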

Thanks a bunch for the help. I'll google some more and see what I can come up with.