Help blocking incoming connections to subnet used for NAT

I use a class C subnet for my wireless network and I use masquerading for NAT. I would like to block incoming connections to my subnet, as the only traffic should be coming from the NAT clients, and not starting from the outside world.

I set up a firewall rule to drop packets with a dst-address of my class C, and a connection state of NEW.

I thought this would not allow sessions to start from the outside, while allowing the client to establish connections from the inside out.

But it did not seem to work, as the phone started ringing with clients saying that they can't surf the web.
~Ken

In masquerade, set what interfaces should be masqueraded, in this case wireless and only wireless. That way all the others will not be masqueraded and will be dropped elsewhere :)

The problem is this.

This masqueraded IP address is 64.74.213.210. I want to tell my backbone router to not allow incoming connections to that IP address without first being started from inside the wifi router. I thought this would do the job:

chain=forward dst-address=64.74.213.0/24 connection-state=new action=drop

But apparently it does not work, as clients started calling to complain, and when I disabled the rule, they all could surf.

First, I suggest you test firewall rules on a test client.
Second, try dropping not in the forward but in the input chain. I think that would help.

I thought input packets were the ones destined for the router itself, and forward packets are the ones that go through the router.

So in this case, changing the chain from forward to input would make the rule hit nothing.

Please correct me if I am wrong :)

:) Nice rule - now it is impossible to send any packet to the main GW :)
Just use in-interface or out-interface options in your rules!

Let me clarify my setup a bit more.

My wireless network consists of 30 MikroTiks, all routed with .252 subnets in the 64.74.213.0 class C. All users are NAT'd and can run no server apps.

When I look at my logs, I see people trying to hit my ssh and telnet and ftp logins all the time; you can see dictionary attacks.

So I want to block all connections that start from the outside and come in. I want to only allow connections that started from the inside and go out.

The core router that is doing this is on another subnet altogether.
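The following is an added RouterOS filter example, not a rule set from anyone in this thread. It shows the in-interface approach suggested above, applied to the goal stated in the last post: accept return traffic, accept new sessions only when they enter from the wireless side, and drop new sessions arriving from the backbone toward the class C. The interface names are assumptions (ether1 = link to the backbone, ether2 = link toward the wireless routers); substitute your own. RouterOS evaluates filter rules top to bottom, so the order matters.

```routeros
# Added example for the core router; interface names are assumed:
#   ether1 = upstream/backbone link
#   ether2 = link toward the 64.74.213.0/24 wireless MikroTiks
/ip firewall filter
# Return traffic for sessions that were opened from the wireless side.
add chain=forward connection-state=established,related action=accept comment="return traffic for sessions started inside"
# New sessions are allowed only when they come in from the wireless side.
add chain=forward in-interface=ether2 connection-state=new action=accept comment="sessions started by the wireless subnet"
# New sessions arriving from the backbone toward the class C are dropped.
add chain=forward in-interface=ether1 dst-address=64.74.213.0/24 connection-state=new action=drop comment="block inbound sessions to the wireless subnet"
# The input chain covers the core router's own services (the ssh/telnet/ftp
# login attempts seen in the logs); forward rules never match those packets.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 protocol=tcp dst-port=21,22,23 action=drop comment="no ftp/ssh/telnet logins from the backbone side"
```

Verify from a test client first, as suggested earlier: an outbound web session should show as established in /ip firewall connection, while a connection attempted from the backbone side toward a 64.74.213.x address should increment the drop rule's counters.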