I want to create a firewall rule that only allows certain external IP addresses to get to my firewall. The ips would not be in any range so I am not sure how to enter that into my src:address
Thanks
You would create an Address List. Enter each IP into the list, then use src-address-list.
/ip firewall address-list
add address=1.1.1.1 list=Trusted
add address=1.1.1.2 list=Trusted
add address=1.1.1.3 list=Trusted
/ip firewall filter
add chain=input src-address-list=Trusted
I was thinking to create a new topic since it closely matches mine. I’m adding my question here.
Let’s suppose I need to block 22.34.xxx.xxx/<I don’t know the subnet>.
How can I do that so that IPs starting with 22.34.whatever are blocked?
Thanks
It’s the same basic thing…
/ip firewall address-list
add address=1.1.1.1 list=Blocked
add address=1.1.1.2 list=Blocked
add address=2.2.0.0/16 list=Blocked
/ip firewall filter
add action=drop chain=input src-address-list=Blocked
Just make sure the Blocked rule is at the top of the list.
The mask doesn’t need to match what the actual network is using.
It’s simply a way to specify how large the range of addresses is that you want matched by a rule.
10.10.10.10/32 = exactly one IP
10.10.10.0/24 = entire class C
10.10.10.0/23 = 10.10.10.0 - 10.10.11.255
10.10.8.0/22 = 10.10.8.0 - 10.10.11.255
10.10.0.0/16 = 10.10.0.0 - 10.10.255.255
etc…
So if you want to block 22.34.x.x → 22.34.0.0/16 is the prefix for you.
For more information, search and read about CIDR and subnet mask.
This is one of the key fundamentals to a full understanding of TCP/IP.
So I tried
/ip firewall address-list
add address=1.1.1.1 list=Trusted
add address=1.1.1.2 list=Trusted
add address=1.1.1.3 list=Trusted
/ip firewall filter
add chain=input src-address-list=Trusted
And I still can get in from any IP address.
Is there a block rule I need to do as well?
Yes. At the end of each chain (input, forward, output, etc) is an implied “accept all” rule.
If a packet makes it to the end of a chain and you haven’t dropped it or something, then the packet is going to be accepted.
Here’s an easy way to do an input chain that trusts all “internal” interfaces, but distrusts the WAN, except for list=trusted:
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input interface=!wan action=accept
# at this point, only new connections from the Internet are being considered.....
add chain=input protocol=icmp action=accept
add chain=input src-address-list=Trusted action=accept
add chain=input action=drop
add chain=output protocol=icmp out-interface=wan limit=3,20 action=accept
add chain=output protocol=icmp out-interface=wan action=drop comment="no icmp flood"
Another way to do this is with the NOT (!) logic:
/ip firewall filter
add chain=input src-address-list=!Trusted action=drop
This rule will effectively block traffic on the input chain that is NOT from the source address list “Trusted”.
You could use this in tandem with your accept rules and place it at the end of the list. This way, even if you forget to specify a service, as long as the IP is in the Trusted address list, it will be allowed. If the IP is not in the trusted list, it’s dropped (which is essentially everybody else).
You could view it kind of as a fail-safe rule - this way if you forget something you don’t lock yourself out of your own router.
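As an added illustration (not from the thread), here is a small Python model of how an address list matches bare hosts and CIDR entries, and how a chain is walked top to bottom with the implied accept at the end; the lists, rule sets and packet fields are constructed for the demo and only cover the matchers used in this thread.

```python
import ipaddress
# Constructed sample lists, mirroring the thread's Trusted/Blocked entries.
ADDRESS_LISTS = {
    "Trusted": ["1.1.1.1", "1.1.1.2", "1.1.1.3"],
    "Blocked": ["1.1.1.1", "1.1.1.2", "2.2.0.0/16"],
}
def cidr_range(prefix):
    """First address, last address and size of a prefix (the /23, /22, /16 table above)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses

def in_address_list(name, src):
    """True if src falls inside any entry (bare host or CIDR) of the named list."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ADDRESS_LISTS.get(name, []))

def rule_matches(rule, packet):
    """Every matcher in the rule must hold; a leading '!' negates that matcher."""
    for key, want in rule.items():
        if key in ("chain", "action", "comment"):
            continue
        negate = want.startswith("!")
        want = want.lstrip("!")
        if key == "src-address-list":
            hit = in_address_list(want, packet["src"])
        elif key == "connection-state":
            hit = packet.get("connection-state") in want.split(",")
        else:  # interface, protocol: plain equality against the packet field
            hit = packet.get(key) == want
        if hit == negate:
            return False
    return True

def evaluate_chain(rules, packet):
    """First matching rule wins; falling off the end is the implied accept."""
    for rule in rules:
        if rule_matches(rule, packet):
            return rule.get("action", "accept")
    return "accept"
ACCEPT_ONLY = [{"chain": "input", "src-address-list": "Trusted"}]  # the original post's lone rule
# ZeroByte's input chain: trust internal interfaces, drop new WAN connections unless Trusted.
ZEROBYTE_INPUT = [
    {"chain": "input", "connection-state": "established,related", "action": "accept"},
    {"chain": "input", "interface": "!wan", "action": "accept"},
    {"chain": "input", "protocol": "icmp", "action": "accept"},
    {"chain": "input", "src-address-list": "Trusted", "action": "accept"},
    {"chain": "input", "action": "drop"},
]
DROP_UNTRUSTED = [{"chain": "input", "src-address-list": "!Trusted", "action": "drop"}]  # NOT-logic fail-safe
```

Running `evaluate_chain(ACCEPT_ONLY, {"src": "8.8.8.8"})` returns "accept", which is exactly why the accept-only rule alone never kept anyone out.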
Thanks ZeroByte, Now I’m Clear.
Sorry for the late response, as I was in a no-internet zone.
Back to the driving seat now.
Cheers