Firewall without NAT

Hi,

can anybody explain to me why my firewall rules and chains do not behave as expected?
I have numerous rules set up under /ip firewall filter, but some of them seem to have no effect.

for example:
PING seems to be enabled in rule #3, but if I ping and disable this rule…nothing happens, I can still ping the server behind the firewall.
Open SSH PORT 22…I cannot open it no matter what. Took me 1 hour to test all possible combinations, put it into INPUT, FORWARD rule, set up IP, or without IP, tried NEW connection or empty… but no, I cannot open port 22 to the server behind the firewall:

 3   chain=input action=accept connection-state=new protocol=tcp dst-port=22

MAYBE problem is because I do not have NAT translation, but rather static routing, where also my local network is on public IP range?

Any advice welcome!

 0   ;;; Allow Established Connections
     chain=input action=accept connection-state=established

 1   chain=input action=accept protocol=icmp

 2   chain=input action=accept src-address=192.168.1.0/24 in-interface=!ether2

 3   chain=input action=drop connection-state=invalid

 4   chain=input action=drop

 5   chain=forward action=accept connection-state=established

 6   chain=forward action=accept connection-state=related

 7   chain=forward action=drop connection-state=invalid protocol=tcp

 8   chain=forward action=drop src-address=0.0.0.0/8

 9   chain=forward action=drop dst-address=0.0.0.0/8

10   chain=forward action=drop src-address=127.0.0.0/8

11   chain=forward action=drop dst-address=127.0.0.0/8

12   chain=forward action=drop src-address=224.0.0.0/3

13   chain=forward action=drop dst-address=224.0.0.0/3

14   chain=forward action=jump jump-target=tcp protocol=tcp

15   chain=forward action=jump jump-target=udp protocol=udp

16   chain=forward action=jump jump-target=icmp protocol=icmp

17   ;;; deny TFTP
     chain=tcp action=drop protocol=tcp dst-port=69

18   ;;; deny RPC portmapper
     chain=tcp action=drop protocol=tcp dst-port=111

19   ;;; deny RPC porter
     chain=tcp action=drop protocol=tcp dst-port=135

20   ;;; deny NBT
     chain=tcp action=drop protocol=tcp dst-port=137-139

21   ;;; deny cifs
     chain=tcp action=drop protocol=tcp dst-port=445

22   ;;; deny NFS
     chain=tcp action=drop protocol=tcp dst-port=2049

23   ;;; deny NetBus
     chain=tcp action=drop protocol=tcp dst-port=12345-12346

24   ;;; deny NetBus
     chain=tcp action=drop protocol=tcp dst-port=20034

25   ;;; deny BackOriffice
     chain=tcp action=drop protocol=tcp dst-port=3133

26   ;;; deny DHCP
     chain=tcp action=drop protocol=tcp dst-port=67-68

27   ;;; deny TFTP
     chain=udp action=drop protocol=udp dst-port=69

28   ;;; deny RPC portmapper
     chain=udp action=drop protocol=udp dst-port=111

29   ;;; deny RPC portmapper
     chain=udp action=drop protocol=udp dst-port=135

30   ;;; deny NBT
     chain=udp action=drop protocol=udp dst-port=137-139

31   ;;; deny NFS
     chain=udp action=drop protocol=udp dst-port=2049

32   ;;; deny BackOriffice
     chain=udp action=drop protocol=udp dst-port=3133

33   ;;; echo reply
     chain=icmp action=accept protocol=icmp icmp-options=0:0

34   ;;; net unreachable
     chain=icmp action=accept protocol=icmp icmp-options=3:0

35   ;;; host unreachable
     chain=icmp action=accept protocol=icmp icmp-options=3:1

36   ;;; host unreachable fragmentation required
     chain=icmp action=accept protocol=icmp icmp-options=3:4

37   ;;; allow source quench
     chain=icmp action=accept protocol=icmp icmp-options=4:0

38   ;;; allow echo request
     chain=icmp action=accept protocol=icmp icmp-options=8:0

39   ;;; allow time exceed
     chain=icmp action=accept protocol=icmp icmp-options=11:0

40   chain=icmp action=accept protocol=icmp icmp-options=12:0

41   ;;; deny all other types
     chain=icmp action=drop

42   ;;; drop ftp brute forcers
     chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21

43   chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m

44   chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h
     content=530 Login incorrect

45   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22

46   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3
     address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22

47   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2
     address-list=ssh_stage3 address-list-timeout=1m dst-port=22

48   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1
     address-list=ssh_stage2 address-list-timeout=1m dst-port=22

49   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1
     address-list-timeout=1m dst-port=22

50   ;;; Port scanners to list
     chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners
     address-list-timeout=2w

51   ;;; NMAP FIN Stealth scan
     chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
     address-list=port scanners address-list-timeout=2w

52   ;;; SYN/FIN scan
     chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners
     address-list-timeout=2w

53   ;;; SYN/RST scan
     chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners
     address-list-timeout=2w

54   ;;; FIN/PSH/URG scan
     chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
     address-list=port scanners address-list-timeout=2w

55   ;;; ALL/ALL scan
     chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
     address-list=port scanners address-list-timeout=2w

56   ;;; NMAP NULL scan
     chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
     address-list=port scanners address-list-timeout=2w

57   ;;; dropping port scanners
     chain=input action=drop src-address-list=port scanners

Look at the flowchart to see exactly how and when packets are processed:
http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php

this chart no longer applies, see the new one here

http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

Cool, new chart link. Regardless, that isn’t his problem:

You have ping allowed in multiple rules… that is why disabling one rule doesn’t stop ping.

That’s logical…will analyze rules again to see, what they do.

But another weird thing. When I scan from outside for open ports, I get:

  • port 80 is open (…because I have a server here listening on port 80), but hey, which rule opens port 80!!!
  • on the other hand, port 22 is closed, but I have multiple devices here listening on port 22 SSH.

I do not understand.

…BTW, thanx for the link to processing! :slight_smile:

You don’t have port 22 or 80 open. You need to do chain=forward protocol=tcp port=22 action=allow. Make sure you are routing port 22 to whatever device.

As for 80 showing “open”, are you sure it isn’t your modem it is hitting?
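An added example, not from the thread, modelling the two points made above: the router picks chain=input for packets addressed to itself and chain=forward for packets it routes, and each chain is walked first-match, so a ping accepted by the early "protocol=icmp" input rule never reaches the echo-request rule in the icmp jump chain, and an input rule for port 22 never sees traffic routed to a host behind the router. Addresses and the reduced rule set are constructed for illustration.

```python
from dataclasses import dataclass, field

ROUTER_ADDR = "203.0.113.1"   # assumed router address (documentation range)

@dataclass
class Rule:
    chain: str
    action: str                 # "accept", "drop" or "jump"
    match: dict = field(default_factory=dict)   # packet fields that must all match
    jump_target: str = ""
    disabled: bool = False

def matches(rule, pkt):
    return all(pkt.get(k) == v for k, v in rule.match.items())

def run_chain(rules, chain, pkt):
    """First-match walk of one chain; returns 'accept', 'drop', or None
    when the chain ends without a verdict (a jumped-to chain then returns)."""
    for r in rules:
        if r.chain != chain or r.disabled or not matches(r, pkt):
            continue
        if r.action == "jump":
            verdict = run_chain(rules, r.jump_target, pkt)
            if verdict is not None:
                return verdict
        else:
            return r.action
    return None

def filter_packet(rules, pkt):
    """Packets addressed to the router go through 'input'; packets routed
    through it go through 'forward'. No final drop means default accept."""
    chain = "input" if pkt["dst"] == ROUTER_ADDR else "forward"
    verdict = run_chain(rules, chain, pkt)
    return chain, (verdict if verdict is not None else "accept")

def build_rules(echo_request_enabled=True):
    """Constructed subset of the poster's rule set, numbered as on the page."""
    return [
        Rule("input", "accept", {"state": "established"}),
        Rule("input", "accept", {"proto": "icmp"}),            # rule 1: all ICMP to router
        Rule("input", "drop"),                                   # rule 4: everything else
        Rule("forward", "accept", {"state": "established"}),
        Rule("forward", "jump", {"proto": "icmp"}, jump_target="icmp"),
        Rule("icmp", "accept", {"proto": "icmp", "type": 8},     # rule 38: echo request
             disabled=not echo_request_enabled),
        Rule("icmp", "drop"),                                    # rule 41: other ICMP types
    ]
```

Disabling the echo-request rule only changes the verdict for pings routed through the router; pings to the router itself are still accepted by rule 1.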

Thanx for hint, but sorry - no:

  • port 80 is definitely my Web Server, because it opens the web site
  • tried suggested FORWARD chain, put it also on TOP of all rules, but no effect whatsoever…weird

Here’s another scheme of my config.
Main question: where FIREWALL kicks-in?
Routing-scheme2.jpg

I think this is in my case:

Which would mean, that only:

  • prerouting
  • forward
  • and postrouting
    chains have influence.

QUESTION: What chains are those - under “/IP FIREWALL” or under “/BRIDGE RULES”?

Yeah, if you are bridging instead of routing, then you need to enable the bridge use ip firewall option. Read up on the wiki about the different firewall and routing options… it will help you more than anything else.

Actually, although it sounds silly - I don’t know what I am doing - routing or bridging. I have both configured, routes and bridges :slight_smile:

My top problem is, that most of diagrams there describe functionality, which includes NAT-ing. But I do not use NAT, so I get confused.
So AFAIK considering facts:
1.) Since FIREWALL rules seem to have no effect, AND we know Firewall operates on Layer-3 → seems like I am doing bridging on Layer-2
2.) But on Layer-2 I cannot configure IP-protocol based rules, like opening TCP ports, because it is Layer-2.
3.) But hey…how is then possible that PORT 80 is opened, and PORT 22 cannot be opened? 1 server listening on port 80, and another on port 22. Hmmm…?

Me lost :confused:

Oh my…
Guess what! My colleague, who works on server which I use for testing PORT 22…well, he closed port 22 for security reasons…
But I was so close to discover a bug in router OS…or maybe the anomaly in layer-2 protocol… :laughing:

Ok, now I can start some REAL firewalling :slight_smile:

Still having problems with firewall.

Example:
Finally I managed to position the firewall in my scheme - it sits between the ROUTING segment and both my PUBLIC segments. And it seems like rules are somehow “inverted”, meaning that the INPUT chain filters outgoing traffic originating in the PUBLIC segments and destined to the ROUTING segment. Hmmm.
I disabled ECHO icmp in INPUT chain of /ip firewall
Then I could NOT ping my ROUTING segment IP from inside my PUBLIC segment.
Nice, seems I found something.

So, for example, to block connections from the outside world to the inside RDC port 3389, this would be the logical rule:

chain=input action=drop protocol=tcp dst-port=3389

But NO, above does not work. Instead, this one does:

chain=forward action=drop protocol=tcp src-port=3389

So here it is what I think:
Routing-scheme3.jpg

Stuck with port forwarding/redirection :confused:
Cannot find any suggestions on internet on how to create port REDIRECTION without NAT.

Yes, I can open and close specific ports for specific BRIDGE or specific IP.
But this is just a plain 1-to-1 port forward, like this:

chain=forward action=accept protocol=tcp in-interface=bridgeWAN1 src-port=80

What about port REDIRECTION?
For example, to redirect public port 81 to local IP:PORT x.x.81.20:80
I tried also with NAT rule, since only there you can use “redirect” action:

chain=dstnat action=redirect to-ports=80 protocol=tcp dst-address=x.x.81.20 dst-port=81

Packet gets detected, counter increases…but redirection to no avail :frowning: Probing from outside, nothing responds on 81, but still just on 80.

Ideas welcome.

This is information from support team:
Only way to change some fields in IP packets header is with NAT, if you like to change dst-address or port you must use connection tracking so that when packets reply comes back connection tracking can “denat” packet back to original state that source is waiting.
In other words: port redirection is NOT possible with static routing.

Hope this helps somebody.
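An added example, not from the thread or from MikroTik, modelling the support team's point in code: rewriting the destination (public port 81 to the server's port 80) is only half the job, because the server answers from port 80 and the client will only match a reply whose source is the public address and port 81 it sent to. Connection tracking is what remembers the original destination so the reply can be "denat"-ed. Addresses are constructed.

```python
PUBLIC_IP = "203.0.113.1"      # assumed public address the router answers on
SERVER = ("203.0.113.20", 80)  # assumed web server behind the router
CLIENT = ("198.51.100.7", 40000)

# Constructed rule in the spirit of "public port 81 -> server port 80".
DSTNAT_RULE = {"dst": (PUBLIC_IP, 81), "to": SERVER}

def dstnat(pkt, conntrack, rule):
    """Rewrite the destination on the way in and, when tracking is on,
    remember the original destination under the (client, server) key."""
    if pkt["dst"] != rule["dst"]:
        return pkt
    if conntrack is not None:
        conntrack[(pkt["src"], rule["to"])] = pkt["dst"]
    return {**pkt, "dst": rule["to"]}

def denat_reply(pkt, conntrack):
    """Reply from the server: restore the source the client expects (public ip, 81)."""
    if conntrack is None:
        return pkt                     # static routing only: reply leaves untouched
    orig = conntrack.get((pkt["dst"], pkt["src"]))
    return pkt if orig is None else {**pkt, "src": orig}

def client_accepts(request, reply):
    """A TCP client only matches a reply whose source equals the destination it sent to."""
    return reply["src"] == request["dst"] and reply["dst"] == request["src"]

def redirected_connection_works(use_conntrack):
    conntrack = {} if use_conntrack else None
    request = {"src": CLIENT, "dst": (PUBLIC_IP, 81)}
    inbound = dstnat(request, conntrack, DSTNAT_RULE)         # arrives at the server on :80
    reply = {"src": inbound["dst"], "dst": inbound["src"]}    # server answers from :80
    return client_accepts(request, denat_reply(reply, conntrack))
```

Note that RouterOS action=redirect rewrites the destination to one of the router's own addresses, so the dstnat rule quoted earlier in the thread sends port 81 to a service on the router, not to x.x.81.20; the model above corresponds to dst-nat with a to-addresses target.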

The port really is part of the network address. By definition, that is what NAT is: Network Address Translation.

You can’t really change the address (port redirection) without changing the address (Network Address Translation)…

Just use NAT… it isn’t that bad.

Hehehe, I know it isn’t so bad… but it is no avail in my case (see picture above). I cannot do NAT between public internet addresses to another set of public IP addresses. Would make no sense :slight_smile: