Hi
New MT user here so please be gentle with me. I like/love my new MT router but there’s one thing that’s keeping me stumped and I hope that some knowledgeable people will be able to help me.
I have written a few firewall rules (don’t laugh if they are messy) and so far everything seems to work ok with a minor exception. When I want to close a port (eg. port 80) the port remains open even if I set a deny rule in the firewall section. The only thing that works is disabling the NAT rule. Disabling the NAT rule closes the port regardless if it’s set as open or closed in the filter tab. But setting a drop rule on the filter tab does nothing if I keep the NAT rule enabled. Is that normal? Because from my although limited knowledge of firewalls it shouldn’t do that. It should drop the rule if I set it to drop. Or am I missing something.
Here is the rule and keep in mind that I’m a newbie so it could be messy and/or ugly.
/ip firewall filter
add action=add-src-to-address-list address-list=knock address-list-timeout=\
15s chain=input comment=\
"Allow access to router from known network via Port Knocking" dst-port=\
xxxx protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=15m \
chain=input dst-port=xxxx protocol=tcp src-address-list=knock
add chain=input src-address-list=safe
add chain=input comment="Allow Broadcast Traffic (IPTV)" dst-address-type=\
broadcast
add chain=input comment="Allow T-2 IPtv" dst-address=224.0.0.0/4 protocol=udp
add chain=input comment=VPN connection-state=new dst-port=500 in-interface=\
WAN protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=WAN protocol=\
udp
add chain=input connection-state=new dst-port=1701 in-interface=WAN protocol=\
udp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Block port scanners" src-address-list=\
"port scanners"
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 protocol=tcp src-address-list="port scanners"
add chain=input comment="Accept established connections" connection-state=\
established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="drop invalid connections" \
connection-state=invalid
add chain=input comment=UDP disabled=yes protocol=udp
add chain=forward comment="allow already established connections" \
connection-state=established
add chain=forward comment="allow related connections" connection-state=\
related
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid
add action=drop chain=input comment="Block DNS external access" dst-port=53 \
in-interface=WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN protocol=tcp
add action=drop chain=input comment="Block SSH from outside" dst-port=22 \
in-interface=WAN protocol=udp
add action=drop chain=input dst-port=22 in-interface=WAN protocol=tcp
add action=drop chain=input comment="Close proxy from outside" dst-port=8080 \
in-interface=WAN protocol=tcp
add action=drop chain=forward comment=BOGON src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward comment="jump to chain services" jump-target=\
DS_Services
add chain=DS_Services dst-port=80 protocol=tcp src-address=my_wan_address
add chain=DS_Services dst-port=443 protocol=tcp src-address=my_wan_address
add chain=DS_Services dst-port=51413 protocol=tcp src-address=my_wan_address
add chain=DS_Services dst-port=51413 protocol=udp src-address=my_wan_address
add chain=DS_Services dst-port=16881 protocol=tcp src-address=my_wan_address
add chain=DS_Services dst-port=5000-5001 protocol=tcp src-address=\
my_wan_address
add chain=DS_Services dst-port=6690 protocol=tcp src-address=my_wan_address
add chain=DS_Services dst-port=6881 protocol=udp src-address=my_wan_address
add chain=DS_Services dst-port=5005-5006 protocol=tcp src-address=\
my_wan_address
add chain=DS_Services dst-port=6662 protocol=tcp src-address=my_wan_address1
add chain=DS_Services dst-port=6672 protocol=udp src-address=my_wan_address
add chain=DS_Services dst-port=55536-55551 protocol=tcp src-address=\
my_wan_address
add chain=DS_Services dst-port=61139 protocol=tcp src-address=my_wan_address
add chain=DS_Services dst-port=61139 protocol=udp src-address=my_wan_address
add action=return chain=DS_Services
/ip firewall nat
add action=masquerade chain=srcnat comment="Internet Connectivity" \
out-interface=WAN
add action=redirect chain=dstnat dst-port=80 in-interface=WiFi+LAN protocol=\
tcp to-ports=8080
add action=dst-nat chain=dstnat comment=Services dst-address=my_wan_address \
dst-port=16881 protocol=tcp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=80 \
protocol=tcp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=443 \
protocol=tcp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=51413 \
protocol=tcp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=51413 \
protocol=udp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=5000-5001 \
protocol=tcp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address1 dst-port=6690 \
protocol=tcp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=6881 \
protocol=udp to-addresses=1my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=5005-5006 \
protocol=tcp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address1 dst-port=6662 \
protocol=tcp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=6672 \
protocol=udp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=\
55536-55551 protocol=tcp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=61139 \
protocol=udp to-addresses=my_lan_address
add action=dst-nat chain=dstnat dst-address=my_wan_address dst-port=61139 \
protocol=tcp to-addresses=my_lan_address
Thanks for all the help you can offer
Blaz