Firewall rules - Don't know why my server is accessible from the internet. It should not be

Hello masters of Mikrotik,

I would like to ask you. Here I will print my firewall rules and NAT rules. I wonder why my TS3 server is accessible from the internet. It should not be like that. Let's see:

Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 X ;;; Allow OpenVPN
chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix=""

2 X ;;; Povolit jen v případě, že někdo chce na FTP
chain=input action=accept protocol=tcp dst-port=7777 log=yes
log-prefix=""

3 X chain=forward action=accept protocol=tcp in-interface=WAN dst-port=80
log=yes log-prefix=""

4 X ;;; RDP - komp Emp
chain=input action=accept protocol=tcp dst-port=3389 log=no log-prefix=""

5 X ;;; Winbox from WAN
chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""

6 chain=input action=accept protocol=udp src-address=X.X.X.X
dst-port=554 log=no log-prefix=""

7 ;;; Zabbix - SNMP port
chain=input action=accept protocol=udp src-address=X.X.X.X
dst-port=161 log=no log-prefix=""

8 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp src-address=X.X.X.X
in-interface=WAN log=no log-prefix=""

9 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no
log-prefix=""

10 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no
log-prefix=""

11 chain=forward action=accept protocol=tcp dst-address=192.168.X.X
dst-port=8006 log=no log-prefix=""

12 chain=forward action=accept protocol=tcp src-address=192.168.X.X
dst-address=192.168.X.X dst-port=22,8443 log=no log-prefix=""

13 chain=forward action=accept protocol=tcp src-address=192.168.X.X
dst-address=192.168.X.X dst-port=8080,8443 log=no log-prefix=""

14 chain=forward action=accept protocol=udp src-address=192.168.X.X
dst-address=192.168.X.X dst-port=3478,10001 log=no log-prefix=""

15 chain=forward action=accept protocol=tcp src-address=192.168.X.X
dst-address=192.168.X.X dst-port=22 log=no log-prefix=""

16 ;;; Unifi > controller
chain=forward action=accept protocol=udp src-address=192.168.X.X
dst-address=192.168.X.X dst-port=3478,10001,1900 log=no log-prefix=""

17 ;;; Unifi > Controller
chain=forward action=accept protocol=tcp src-address=192.168.X.X
dst-address=192.168.X.X dst-port=8080,8443,80 log=no log-prefix=""

18 X chain=forward action=drop src-address=192.168.X.X out-interface=WAN log=n>
log-prefix=""

19 ;;; světlo pracovna - block do internetu
chain=forward action=drop src-mac-address=5C:E5:0C:AD:47:0B log=no
log-prefix=""

20 X ;;; TS3
chain=forward action=accept protocol=udp dst-address=MY PUBLIC IP
in-interface=WAN dst-port=9987 log=no log-prefix=""

21 chain=input action=drop src-address=192.168.X.X/24 dst-address=192.168.X.>
log=no log-prefix=""

22 chain=forward action=drop src-address=192.168.X.X/24
dst-address=192.168.X.X/24 log=yes log-prefix=""

23 chain=forward action=drop src-address=192.168.X.X/24
dst-address=192.168.X.X/24 log=yes log-prefix=""

24 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=WAN log=no log-prefix=""

25 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""

26 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no
log-prefix=""

27 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

28 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=WAN log=no log-prefix=""



Here we go with NAT rules:

Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=192.168.X.X to-ports=161
protocol=udp dst-address=MY PUBLIC IP ADDRESS in-interface=WAN dst-port=554 log=no
log-prefix=""

1 chain=dstnat action=dst-nat to-addresses=192.168.X.X to-ports=9987
protocol=udp dst-address=MY PUBLIC IP in-interface=WAN src-port=""
dst-port=9987 log=no log-prefix=""

2 chain=dstnat action=dst-nat to-addresses=192.168.X.X to-ports=30033
protocol=tcp dst-address=MY PUBLIC IP in-interface=WAN dst-port=30033
log=no log-prefix=""

3 X chain=dstnat action=dst-nat to-addresses=192.168.X.X to-ports=80
protocol=tcp dst-address=MY PUBLIC IP in-interface=WAN dst-port=80 log=yes
log-prefix=""

4 X ;;; NAT na komp EMP - RDP
chain=dstnat action=dst-nat to-addresses=192.168.X.X to-ports=3389
protocol=tcp dst-address=MY PUBLIC IP in-interface=WAN dst-port=3389
log=yes log-prefix=""


As you can see, rule #20 is disabled, so the TS3 server should not be accessible, but it is. Why? Do I miss something? In the end I would like to have it accessible, but in the way it's supposed to be. Now I am afraid that I have some misconfiguration and my network is exposed.

Thanks a lot.

It is accessible due to NAT rule 1, which dst-nats the TS3 port to the public IP.

1 chain=dstnat action=dst-nat to-addresses=192.168.X.X to-ports=9987
protocol=udp dst-address=MY PUBLIC IP in-interface=WAN src-port=""
dst-port=9987 log=no log-prefix=""

If you disable it, it should not be accessible from the internet anymore.

Aha. So it means the NAT rule is above the filter rules, I suppose.

No.
There is a filter rule that allows NATted traffic:

28 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=WAN log=no log-prefix=""

(this combined with the fact that after the last rule there is an implicit "default allow" in RouterOS)
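As an added illustration (not from the thread and not RouterOS code), a small Python model of the decision just described: NAT rule 1 marks the connection as dstnat, disabled rule 20 is skipped, rule 28 drops only new WAN traffic that is not dstnat, and running off the end of the chain is RouterOS's implicit accept. Rule numbers follow the listing above; rules 10/25/26 (established,related) are left out because the first packet of the connection is new, and only the matchers that decide this case are modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    in_iface: str
    proto: str
    dst_port: int
    conn_state: str = "new"    # first packet of a connection
    nat_state: str = "none"    # set to "dstnat" when a dstnat rule hits

@dataclass
class Rule:
    num: int
    action: str
    disabled: bool = False     # the "X" flag in the print output
    match: dict = field(default_factory=dict)

    def matches(self, p: Packet) -> bool:
        if self.disabled:      # a disabled rule is skipped entirely
            return False
        for key, want in self.match.items():
            have, want = str(getattr(p, key)), str(want)
            # a leading "!" negates, as in connection-nat-state=!dstnat
            hit = have != want[1:] if want.startswith("!") else have == want
            if not hit:
                return False
        return True

def apply_dstnat(p: Packet, nat_rules: list) -> Packet:
    """chain=dstnat runs before the filter; the first hit marks the connection."""
    for r in nat_rules:
        if r.matches(p):
            p.nat_state = "dstnat"
            break
    return p

def walk_forward(p: Packet, rules: list):
    """Return (rule number, verdict); None = fell through to the implicit accept."""
    for r in rules:
        if r.matches(p):
            return r.num, r.action
    return None, "accept"

def ts3_verdict(nat_rule_1_enabled: bool):
    """Model the thread's packet: UDP 9987 arriving on WAN as a new connection."""
    ts3 = {"in_iface": "WAN", "proto": "udp", "dst_port": 9987}
    nat = [Rule(1, "dst-nat", disabled=not nat_rule_1_enabled, match=ts3)]
    fwd = [Rule(20, "accept", disabled=True, match=ts3),   # the disabled TS3 rule
           Rule(28, "drop", match={"conn_state": "new", "nat_state": "!dstnat",
                                   "in_iface": "WAN"})]
    return walk_forward(apply_dstnat(Packet("WAN", "udp", 9987), nat), fwd)
```

With NAT rule 1 enabled the packet reaches the end of the chain and is accepted; with it disabled, rule 28 drops it, which is what the reply above predicts.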

I would have to say your firewall rules are less than optimal, and you should go back to default-type settings to start with and then modify them as required.
The fact that you forward-chain port 80 from WAN to LAN (vice using dstnat) seems off.
Confirmed my suspicions when you leave your Winbox port OPEN to the internet, and the default port at that.

@Mesquite both Filter Rules you criticize are disabled. Rules 3 and 5.

@Empulakcz How do you plan to secure the access to the server through the internet?

I don't understand the question, sorry. It's supposed to be on the internet, protected by a Teamspeak password. It's supposed to be for my friend only.

Aaaa, I understand now :slight_smile:

Thank you