Help with firewall and NAT

Hi Guys,

I’ve set some firewall rules to drop brute force connections of FTP and SSH to my MikroTik Router:

/ip firewall filter
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp

And create some NAT rules:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="Transmission FreeNAS" dst-port=51413 protocol=tcp to-addresses=192.168.1.6 to-ports=51413
add action=dst-nat chain=dstnat comment=Sitrad dst-port=5010 protocol=tcp to-addresses=192.168.1.30 to-ports=5010
add action=dst-nat chain=dstnat comment="Plex NAS" dst-port=32400 protocol=tcp to-addresses=192.168.1.7 to-ports=32400
add action=redirect chain=dstnat comment="Web Proxy: Redirecionamentos" dst-address=192.168.25.254 dst-port=80 in-interface=ether1 protocol=tcp \
    to-ports=8080
add action=dst-nat chain=dstnat dst-port=2222 in-interface=ether1 protocol=tcp to-addresses=192.168.1.8 to-ports=22

The firewall rules for ports 21 and 22 are working great.

The last NAT rule was created so I can connect using SSH to my server, and it is working well.

I’ve tried to add one more group of firewall rules to drop brute force connections at port 2222 but they aren’t working (tried a LOT of firewall settings)… How can I achieve this? What am I missing? :confused:

Thank you!

One thing to note is that if you want to affect an SSH server running on another computer, not on the router itself, those rules have to go into the forward chain, not input, or perhaps jump from forward into a custom chain for detailed inspection which is applicable only to ssh. While in forward, dst-nat has already happened, and the port is already 22. If you want to mark connections before dst-nat, and filter by port 2222, you could do that in mangle prerouting (which is probably not necessary in this application).
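As an added example (not the original poster's config nor the reply's), here is the staged rule set rewritten for the forward chain. It assumes the dst-nat rule from the first post (port 2222 on ether1 forwarded to 192.168.1.8:22) and reuses the same stage timeouts; the list names ssh_fwd_* are assumed names chosen to avoid colliding with the router's own ssh_* lists.

```routeros
/ip firewall filter
# Drop first: a source already on the blacklist never reaches the server.
add action=drop chain=forward comment="drop ssh brute forcers (2222 -> 192.168.1.8:22)" \
    dst-address=192.168.1.8 dst-port=22 in-interface=ether1 protocol=tcp \
    src-address-list=ssh_fwd_blacklist
# Counting stages, matched after dst-nat: by the time a packet is in forward its
# destination is already 192.168.1.8:22, so the match is dst-port=22, not 2222.
# Order matters: the highest stage is checked first, exactly as in the input-chain set.
add action=add-src-to-address-list address-list=ssh_fwd_blacklist address-list-timeout=1w3d \
    chain=forward connection-state=new dst-address=192.168.1.8 dst-port=22 in-interface=ether1 \
    protocol=tcp src-address-list=ssh_fwd_stage3
add action=add-src-to-address-list address-list=ssh_fwd_stage3 address-list-timeout=1m \
    chain=forward connection-state=new dst-address=192.168.1.8 dst-port=22 in-interface=ether1 \
    protocol=tcp src-address-list=ssh_fwd_stage2
add action=add-src-to-address-list address-list=ssh_fwd_stage2 address-list-timeout=1m \
    chain=forward connection-state=new dst-address=192.168.1.8 dst-port=22 in-interface=ether1 \
    protocol=tcp src-address-list=ssh_fwd_stage1
add action=add-src-to-address-list address-list=ssh_fwd_stage1 address-list-timeout=1m \
    chain=forward connection-state=new dst-address=192.168.1.8 dst-port=22 in-interface=ether1 \
    protocol=tcp
```

These rules are appended to the end of the filter list, so make sure no earlier forward rule accepts or drops the traffic before they are reached; after a test connection, `/ip firewall address-list print where list=ssh_fwd_stage1` should show the source address.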