Help with Firewall Chain

I have two servers behind the Mikrotik.
One is a web server, the other is a mail server.

I’ve put a firewall rule in the forward chain that says: if any address destined to xx.xx.xx.229 (the server address) is going out on the servers port, then jump to the chain I made, called Servers_Rules.

In the chain I added rules to allow ports 80, 21, 20, 25, 110, 109, etc., just the main ports needed for web and mail.

This works great; the servers seem to be safe this way, but for some strange reason the server can’t surf the net.

I was running out of time, so I left it like that, seeing that people could get to the mail and web servers, and figured, oh well, I’ll get to it when I can.

But two days later I started getting phone calls from a client saying people are not getting emails from them… and then it hit me: oh shit, duh!!! If the servers can’t surf, that’s fine for the web server but not the mail server; the MAIL server cannot connect to the outside world.

Does anyone have a clue as to why, with the rules I made that protect the server from all other ports, you can get to it but it can’t get out?


Thanks

What about a rule with src-address equal to xx.xx.xx.229 ?

Are you saying to put a rule in my chain with source xx.xx.xx.229?

Because I’ve tried that and it still won’t allow the server to surf.

I went and looked at the log, and it shows that when trying to surf, say, GOOGLE, Google will try to communicate back on a random port.

But it can’t, because I have them all blocked except for the standard web and mail ports.

So I decided to put in a source rule that says Google’s IP is allowed to communicate on a range of addresses, and then it worked.

But only for Google. What’s up with that? How can I make a chain or rule of any kind that will protect my servers but allow me to surf on them?

Please help, THANKS a MILL

You probably need a rule to allow established connections back through the firewall. To me it sounds like your traffic is making it out to the site you are attempting to view, but the return traffic is being blocked by your firewall. You need to set up a rule that allows traffic back through the firewall if it originated from behind the firewall.

Try setting a rule that allows traffic from anywhere to anywhere with a connection state of established. This will allow return traffic to pass through the firewall.

OK, I’m trying this and still no luck.

Here, let me describe how I’m set up.

My main forward chain has a rule:
Any source, any destination, going out on the SERVER port with any protocol and any connection state, JUMP TO → Server_Rules chain.

OK, is this clear?

Now, in the Server_Rules chain I have rules for all the ports that I want to allow access to on these servers, e.g. 25, 20, 21, 80, 110, 143 and such; then the last rule is reject everything.

Now I’ve tried putting a rule like you said in there to allow established connections, and this did not work; the BYTES and PACKETS counters don’t even move.

I’m still in the dark.
Thanks

I understand the forward rule part of what you are doing. Now, for the established connections rule, did you move this rule to the top of the list?

I am assuming you did but I just wanted to make sure.

Also, for the action, what are you selecting: accept or passthrough?

If you could print the rules in the terminal and post them here, that would help me some too.

Thanks

OK, here is the main forward chain:

Flags: X - disabled, I - invalid, D - dynamic
0 protocol=icmp action=accept

1 ;;; Allow UDP packets such as radios to reach the radius server
out-interface=radius protocol=udp action=accept

2 src-address=192.168.10.2/32 dst-address=xxx.xxx.xxx.xxx/32 action=accept

3 src-address=xxx.xxx.xxx.229/32 dst-address=192.168.10.2/32 action=accept

4 dst-address=192.168.10.2/32 out-interface=radius action=jump jump-target=Radius_Access

5 ;;; Jump all trafic from PPPoE clients to PPPoE Rules chain
src-address=xxx.xxx.xxx.0/24 action=jump jump-target=PPPoE_Rules

6 ;;; Jump all trafic destined to Servers, to Servers_Rules chain
dst-address=xxx.xxx.xxx.0/24 out-interface=servers action=jump jump-target=Servers_Rules

7 ;;; Reject Everything to access Radius Server
out-interface=radius action=reject


And here is my Servers_Rules chain.
I’ve added 1, 2 and 3 (listed below) in the past few hours because that’s all that would work.
But I feel that this is not the proper way.

Flags: X - disabled, I - invalid, D - dynamic
0 src-address=:80 dst-address=:1024-65535 out-interface=servers protocol=tcp action=return

1 src-address=:25 dst-address=:1024-65535 out-interface=servers protocol=tcp action=return

2 src-address=:443 dst-address=:1024-65535 out-interface=servers protocol=tcp action=return

3 src-address=:20 dst-address=:1024-65535 out-interface=servers protocol=tcp action=return

4 protocol=udp action=accept

5 dst-address=:80 out-interface=servers protocol=tcp action=accept

6 dst-address=:109 out-interface=servers protocol=tcp action=accept

7 dst-address=:110 out-interface=servers protocol=tcp action=accept

8 dst-address=:25 out-interface=servers protocol=tcp action=accept

9 dst-address=:20 out-interface=servers protocol=tcp action=accept

10 dst-address=:21 out-interface=servers protocol=tcp action=accept

11 dst-address=:443 out-interface=servers protocol=tcp action=accept

12 dst-address=:143 out-interface=servers protocol=tcp action=accept

13 out-interface=servers action=reject

At the top of your Servers_Rules chain, put:

0 ;;; Allow TCP Established connections
protocol=tcp connection-state=established action=accept

Not sure if this also requires connection tracking, but I have it enabled.

Regards

Andrew

I won’t rule it out, but I’m sure I had tried that and it did not work.

I will try it and get back to you afterwards.

Thanks a lot

Just as I suspected, it did not work.

The easiest way is to log your firewall rules and see what gets blocked.
Then adjust your rules to open the desired traffic.
Set up a syslog server so you can browse through your logs.
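Putting the two replies together (the established-connections rule at the top of Servers_Rules, and logging what the chain rejects), here is an added example of what that chain looks like as a stateful rule set. It is not from the thread and not from MikroTik; it uses current RouterOS syntax (dst-port= rather than the :port notation in the listing above). The interface name servers, the chain name Servers_Rules and the masked server subnet are taken from the posted rules; the syslog server address is an assumed placeholder. Two points the thread touches on are built in: connection-state matchers never match unless connection tracking is enabled, and because the forward-chain jump only matches traffic going out the servers interface, the established/related accept has to live inside Servers_Rules (or precede the jump), not in the forward chain after it. The thread's blanket UDP accept is omitted here, since UDP replies to lookups the servers make (DNS, for instance) are already covered by the established/related rule.

```routeros
# Added example (not the thread's or MikroTik's own config): a stateful
# Servers_Rules chain. Subnet is left masked as in the original post;
# 192.168.10.50 is an assumed syslog server address.

# connection-state=... matchers do nothing unless connection tracking is on
/ip firewall connection tracking
set enabled=yes

/ip firewall filter
# Forward chain: only traffic heading toward the servers enters Servers_Rules,
# the same matcher as rule 6 of the posted forward chain.
add chain=forward dst-address=xxx.xxx.xxx.0/24 out-interface=servers \
    action=jump jump-target=Servers_Rules \
    comment="Jump all traffic destined to servers to Servers_Rules"

# 1. Replies to connections the servers opened themselves (web browsing,
#    outbound SMTP, DNS) are established/related: accept them before any
#    port check, so the random client-side ports never reach the reject.
add chain=Servers_Rules connection-state=established,related action=accept \
    comment="Return traffic for connections opened by the servers"

# 2. Packets that belong to no tracked connection (stray ACKs, scans)
add chain=Servers_Rules connection-state=invalid action=drop \
    comment="Drop invalid packets"

# 3. Only NEW inbound connections are held to the service port list.
add chain=Servers_Rules protocol=tcp connection-state=new \
    dst-port=20,21,25,80,109,110,143,443 action=accept \
    comment="Inbound web, FTP and mail services"

# 4. Log whatever is about to be rejected, so the syslog shows which
#    source/port a client actually needed before anything is opened up.
add chain=Servers_Rules action=log log-prefix="Servers_Rules-reject: " \
    comment="Log before rejecting"

# 5. Everything else toward the servers is rejected.
add chain=Servers_Rules action=reject comment="Reject everything else"

# Ship firewall log lines to the syslog server the last reply suggests
/system logging action
set remote remote=192.168.10.50 remote-port=514
/system logging
add topics=firewall action=remote
```

To check that the rules are actually seeing traffic, watch the counters with `/ip firewall filter print stats` while a server browses out, and confirm the outbound connection is being tracked with `/ip firewall connection print`; if that table is empty, the established/related rule cannot match, which is the symptom of zero bytes and packets described above.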