What is the most efficient way to accomplish the following:
Setup:
6 ports on router ROS 3.3 x86
One port is hooked to internet where all traffic from outside world comes in (CALL IT eth1)
One port is hooked to multiple servers, let's focus on special server 208.208.208.208 (CALL IT eth2)
Ignore the other 4 ports, they go to other internal network links
Objective:
All outgoing traffic originating from 208.208.208.208 to go to internet unrestricted (NS lookups, email, other)
Only tcp port 25 incoming smtp traffic from internet (from eth1) to 208.208.208.208 server
That's it, should be pretty simple. I'm looking for an answer to clarify something in my mind about how an internet host is able to reply to traffic requests originating from the 208.208.208.208 server - say an http request to google or something. It's not port 25 coming in but rather a reply to a legitimate request from the 208.208.208.208 server which needs to work. DNS queries need to work from the server as well.
Take a look at the Firewall section of the docs. There are examples at the bottom. “Protect your router” is important. You should at least use it.
Then for the email, do something like the example for ICMP. Also the first example (at least in the V2.9 docs) is an example for port 135. Change 135 to 25 and drop to accept. Put it at the top of the filters.
Thanks for your time, however I was looking for a more detailed more specific answer to my question which is why I provided all the details necessary for a complete custom answer.
I use the firewall rules now for a lot of things and I have a fairly good understanding of how they work. The one specific item I am looking to learn more about it how to accept traffic from an internet host that is replying to traffic originated from the server listed above.
For example - you try to telnet into port 80 of my server from a source port of say 80 from your computer on the internet. The firewall rule should stop this traffic from ever hitting my server. But, if I do the exact same thing in reverse to your machine from my server it should work.
I am not exactly certain what you want. This 208.208.208.208 server is a local net computer on ether2, correct? What is the IP address of ether2? Like 208.208.208.1/24?
If that is the case, and presuming that ether1 is set up and working, then:
/ip address add address=208.208.208.1/24 interface=ether2
/ip dns set primary-dns=yyy.yyy.yyy.yyy
/ip dns set secondary-dns=zzz.zzz.zzz.zzz
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
This allows you to surf the net from anywhere on the 208.208.208.0/24 net on ether2, including your server at 208.208.208.208.
Static IP only. If you want a dhcp server then
/ip dhcp-server setup
That is part one. Let me know when part one works. I do not recommend going on until this part works. Then you want only port 25 requests forwarded to ether2 208.208.208.208 from your ether1 IP, correct?
BTW, I would recommend staying with accepted private IP address ranges, like the 10.x.x.x and 192.168.x.x sets on ether2.
208.x.x.x is a public net address.
It's not private IP space. It's public routed IPs. I know how to do everything you have taken the time to show so far. I appreciate your time, but I am only interested in how to let traffic go out from a server but not let anything come into it.
That is what I was expecting. Now for what I was getting to… Your first rule about accepting incoming traffic once a connection is established with an internet host – what happens with say a DNS UDP port 53 request? UDP traffic is connectionless, so how will it handle this traffic even if a DNS server is responding to a request from my server? Will the traffic be blocked since there is no connection established?
Now we are having the discussion I was interested in.
Even though it is connectionless, RouterOS puts an entry in the firewall connection table. IP → Firewall: Connections
The timeout settings for UDP are through the Tracking button.
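As an added example (not posted by anyone in this thread), here is a forward-chain filter set for the setup described above. The interface names ether1/ether2 and the server address 208.208.208.208 come from the thread; the UDP timeout value is an assumed illustrative setting, not a recommendation from the posts.

```routeros
# Added example for the setup in this thread: ether1 = internet, ether2 = server LAN,
# mail server = 208.208.208.208. Rule order matters: first match wins.
/ip firewall filter
# Replies to connections the server opened. This covers TCP sessions and also
# UDP/ICMP, because the first outbound UDP packet (e.g. a DNS query) creates an
# entry in the connection table, so the reply is classified as "established".
add chain=forward connection-state=established action=accept comment="replies to outbound traffic"
add chain=forward connection-state=related action=accept comment="related (e.g. ICMP errors)"
# Packets that do not belong to any tracked connection are dropped early.
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# The only unsolicited traffic allowed in from the internet: SMTP to the mail server.
add chain=forward in-interface=ether1 protocol=tcp dst-address=208.208.208.208 dst-port=25 connection-state=new action=accept comment="inbound SMTP only"
# Everything the server originates towards the internet is allowed (DNS, mail, web...).
add chain=forward in-interface=ether2 src-address=208.208.208.208 out-interface=ether1 action=accept comment="server outbound"
# Anything else arriving from the internet for the server is dropped, including a
# packet sent from source port 80 to port 80 that is not a reply to anything.
add chain=forward in-interface=ether1 dst-address=208.208.208.208 action=drop comment="drop other inbound to server"

# Connection-table timeout for UDP pseudo-connections (the "Tracking" button in
# Winbox). 10s is an assumed example value; a DNS reply normally arrives well within it.
/ip firewall connection tracking set udp-timeout=10s
```

While testing, `/ip firewall connection print` shows the UDP entry that a DNS query from the server creates, and which rule a reply matched can be seen from the rule counters in `/ip firewall filter print stats`.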