Firewall Questions

One of the big reasons I’m moving to a Mikrotik router is that Cisco’s base firewall features (without one of their $$$ feature packs) are very limited.

I know the Mikrotik docs state that most ICMP traffic should be blocked, and I’m also interested in pretty much blocking all incoming traffic for all but specific ports on our servers (i.e. ports 25 and 110 on our mail server, port 80 on the web server, etc.). It’s probably just me, but I can’t figure out how to enter these entries. Does anybody have some examples of how to block most of the ICMP stuff (except things like TTL exceeded, echo request and reply, that sort of thing) and block all incoming ports save for specific traffic?

If you are using NAT then it is simply a case of setting up dst-nat to the servers you want public access to on the relevant ports. If you have a fully routed network then RTFM I guess :wink:

http://www.mikrotik.com/docs/ros/2.8/ip/firewall.content

Alright, I think I’ve figured it out to a point, at least. My big concern is one of our mail servers, which is getting hit pretty hard with some big attacks (I’m not sure what, mind you, doesn’t appear to be any sort of ICMP thing). At any rate, here’s what I have in the forward chain on the firewall:

0 dst-address=x.y.z.19/32:25 protocol=tcp tcp-options=syn-only action=accept
1 dst-address=x.y.z.19/32:110 protocol=tcp tcp-options=syn-only action=accept
2 dst-address=x.y.z.19/32:80 protocol=tcp tcp-options=syn-only action=accept
3 dst-address=x.y.z.19/32 action=reject

Now the problem here is that this server needs to be able to contact the outside for updates. The above config pretty much blocks all outgoing traffic, though it allows incoming on those ports. Is there any way to permit the server to talk to the outside world while limiting the inside world’s ability to create new connections to those three ports (25, 80, 110)?

Are your default policies to Deny? You’ll need a forward rule that allows the traffic through for you servers.

My big concern is one of our mail servers, which is getting hit pretty hard with some big attacks (I’m not sure what, mind you, doesn’t appear to be any sort of ICMP thing).

Perhaps your mail server is being used as a spam relay(?)

I’m still trying to figure it out. I’m a whiz at NAT stuff (having done it on a straight Linux iptables setup, Mikrotik and Cisco), but for some reason this firewalling set up has me puzzled.

Let’s just say I have the server 10.0.0.19 (public IP, not NATed), and I want to block all incoming traffic save on ports 25, 80 and 110, but still allow that server to access the outside world (primarily FTP and WWW, but other protocols as well). How does such a firewall table get constructed?


Perhaps your mail server is being used as a spam relay(?)

The mail server in question uses SMTP Auth for outside connections (we have a Postfix server handling MTA traffic), and even so our logs would show people unsuccessfully trying to relay mail. I think it’s some sort of SYN attack, but I’m not sure.

Let’s just say I have the server 10.0.0.19 (public IP, not NATed), and I want to block all incoming traffic save on ports 25, 80 and 110, but still allow that server to access the outside world (primarily FTP and WWW, but other protocols as well). How does such a firewall table get constructed?

It would depend then on how the Mikrotik is set up… bridged or routed? Is there NAT happening, but a public->private 1-to-1 NAT for the mail server?

But first, take a look at IP → Firewall → Filter Chains and see what the default policies are for the input, output, and forward chains (in particular, the forward). If they are all “drop”, switch them to accept and see if it works. If not, then it’s got to be a problem with either your firewall rules and/or NAT, or routing. If it does work, switch them back to drop and add a forward rule with the source IP of your server, destination of anything, and optionally the interface (better protection this way). If you’re NAT’ed, you’ll have to do the same rule, plus a destination NAT rule with the same info. That should get you out. If not, double check your server’s IP info, subnet, and gateway, and your routes on the MT.

Hope this helps.

It would depend then on how the Mikrotik is set up… bridged or routed? Is there NAT happening, but a public->private 1-to-1 NAT for the mail server?

No NAT, just a straight routed network with public IPs. I just want to seal off all incoming ports save those for SMTP and POP3. However, I do want the servers to see the outside world, and this is where the trouble seems to start.

But first, take a look at IP → Firewall → Filter Chains and see what the default policies are for the input, output, and forward chains (in particular, the forward). If they are all “drop”, switch them to accept and see if it works. If not, then it’s got to be a problem with either your firewall rules and/or NAT, or routing. If it does work, switch them back to drop and add a forward rule with the source IP of your server, destination of anything, and optionally the interface (better protection this way). If you’re NAT’ed, you’ll have to do the same rule, plus a destination NAT rule with the same info. That should get you out. If not, double check your server’s IP info, subnet, and gateway, and your routes on the MT.

Hope this helps.

I’ve tried to use the example found in the Mikrotik manual, but when I set the reject action, basically things start dying. In particular, it doesn’t seem that outside connections to those ports I’ve opened can be completed, signaling that a lot more is being rejected than I want.

I’ll give it another shot, but I feel like I’m missing some key bit of information. I see the following line in the manual (for the forward chain):

add protocol=tcp connection-state=established

Now that obviously is for established connections, but should I also be allowing new and related connections, or is there some other trick to this?

i have the same problem and i need help desperately…

i have changed so much i have no idea anymore what’s right or wrong…

my mail server is on the private LAN … 192.168.0.30/32 and trying to NAT to the public ip of 68.150.192.222 but i can’t seem to be able to open port 25 … it can’t seem to get out … it keeps giving me timeout errors… and BTW i’m using postfix as an MTA also …

just forget how it is now ..please tell me how to make it work… i’ve got rules everywhere now and don’t know which i need or don’t need anymore

for example… i’m not sure what order these rules should be in and if it has any effect on the proper operation of it…

ex… should the jump command in forward ------> be before the other rules or not… and i can’t get onto the internet at all unless i have src-nat set up like this… out-interface=Public action=masquerade… sooooooooo should it be that way or should it be nat or ??? and should there be any other rules???

please please help me asap…


signed frustrated…

Sheldon Steele

Alright, I think I figured that out. I wasn’t attaching the rules to my inside (ether2) interface. Did that, and my rules are now happily working, blocking all but the ports I want on the hosts that I want.

One last question, if anyone can answer. We want to prevent all inside hosts except our mailservers from sending port 25 traffic through the gateway (stop worms trying to spread from local connections dead in their tracks). Would this be going through the outside (ether1) interface or the inside (ether2)?

And one more one last question, too. For UDP, should I only be allowing through established connections? I noticed when I had connection-state set to all that my rules dealing with my DNS servers weren’t getting any bytes, but when I set it to established, then I saw activity on those rules.

The best way to set up rules for servers IMO is to have special chains for each server. For example in an email server setup.


add a chain for the server:

ip firewall>add name=mail

In the forward chain you would have this rule:

ip firewall rule forward> add src-address="0.0.0.0/0" dst-address="mail.server.ip" action=jump jump-target="mail"

Then move to the mail chain and add these rules:

ip firewall rule mail> add out-interface="interface connected to mail server" connection-state=established action=accept

ip firewall rule mail> add dst-port=25 out-interface="interface connected to mail server" protocol=tcp action=accept

ip firewall rule mail> add dst-port=110 out-interface="interface connected to mail server" protocol=tcp action=accept

You can add any other ports you need open for this server.

This is the last rule that should be in the chain…

ip firewall rule mail> add out-interface="interface connected to mail server" protocol=!icmp action=reject

If you don’t want to accept ping you can remove the "protocol=!icmp" from this last rule.

I am sure that there are other ways to do this, but this way works for us and it keeps all the firewall rules organized.

You can do the same for other servers, it all works the same.

Dan
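An added simulation, not part of this thread or of RouterOS, that replays the original poster's forward rules 0-3 and Dan's per-server chain against the same traffic to show why the reply to the server's own outbound connection is rejected without a connection-state=established rule in front of the reject. MAIL is the 10.0.0.19 address from the thread; the remote addresses and the packets are constructed, and out-interface and tcp-options=syn-only matching are left out because they do not change the outcome.

```python
# Toy stateful-firewall model constructed for this thread (not RouterOS code); MAIL is the thread's server address.
MAIL = "10.0.0.19"

def match(rule, pkt, state):
    def ok(field, want):
        if field in ("action", "jump-target"):
            return True
        if field == "connection-state":
            return want == state
        if field == "protocol":  # "!icmp" matches anything except icmp
            return (pkt["protocol"] == want.lstrip("!")) != want.startswith("!")
        return pkt.get(field) == want
    return all(ok(f, w) for f, w in rule.items())

def evaluate(chains, name, pkt, state):
    for rule in chains[name]:  # a jump whose target falls off its end returns here
        if not match(rule, pkt, state):
            continue
        if rule["action"] != "jump":
            return rule["action"]
        verdict = evaluate(chains, rule["jump-target"], pkt, state)
        if verdict is not None:
            return verdict
    return None

def run(chains, packets, default="accept"):
    conns, verdicts = set(), []  # accepted 4-tuples; either direction counts as established
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = fwd[2:] + fwd[:2]
        state = "established" if fwd in conns or rev in conns else "new"
        verdict = evaluate(chains, "forward", p, state) or default
        if verdict == "accept":
            conns.add(fwd)
        verdicts.append(verdict)
    return verdicts
# The original poster's rules 0-3: accept to 25/110/80, then reject everything else to the server.
POSTER = {"forward": [{"dst": MAIL, "dport": d, "protocol": "tcp", "action": "accept"} for d in (25, 110, 80)]
          + [{"dst": MAIL, "action": "reject"}]}
DAN = {"forward": [{"dst": MAIL, "action": "jump", "jump-target": "mail"}],
       "mail": [{"connection-state": "established", "action": "accept"},
                {"dport": 25, "protocol": "tcp", "action": "accept"},
                {"dport": 110, "protocol": "tcp", "action": "accept"},
                {"protocol": "!icmp", "action": "reject"}]}
# Constructed traffic: inbound SMTP, the server's own HTTP fetch, the reply to that fetch, an inbound ping.
PACKETS = [{"src": "198.51.100.7", "sport": 40000, "dst": MAIL, "dport": 25, "protocol": "tcp"},
           {"src": MAIL, "sport": 51000, "dst": "198.51.100.9", "dport": 80, "protocol": "tcp"},
           {"src": "198.51.100.9", "sport": 80, "dst": MAIL, "dport": 51000, "protocol": "tcp"},
           {"src": "198.51.100.7", "sport": 0, "dst": MAIL, "dport": 0, "protocol": "icmp"}]
```

Under POSTER the third packet (the reply to the server's outbound fetch) and the ping are rejected; under DAN the established rule lets the reply through and the ping falls off the mail chain back to the forward chain's default.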

In a NAT’d environment forget about the firewall rules and the chains… you need to look in the dst-nat table and punch holes through the NAT’d firewall.

You need something like this for it to work.

ip firewall dst-nat> add address=68.150.192.222/32 in-interface="public interface" dst-port=25 protocol=tcp action=nat to-dst-address=192.168.0.30/32 to-dst-port=25

ip firewall dst-nat> add address=68.150.192.222/32 in-interface="public interface" dst-port=110 protocol=tcp action=nat to-dst-address=192.168.0.30/32 to-dst-port=110

Hope this helps…

Dan

Just spotted a big problem. How do I get FTP up and running properly, or are users forced to use passive FTP with firewalling in place?