Ip firewall filter

Hi

I have a MikroTik with 3 private networks and a DSL connection.
'hol' is the internet interface.

chain=input action=drop protocol=tcp in-interface=hol dst-port=!1194
chain=forward action=accept src-address=192.168.100.0/24 out-interface=hol
chain=forward action=accept src-address=192.168.99.0/24 out-interface=hol
chain=forward action=accept src-address=192.168.98.0/24 out-interface=hol

I have noticed that MikroTik by default allows all traffic to pass through the router.
So I added at the end:
chain=forward action=drop

The problem is that when I do that I don't have internet. If I disable the last rule, internet works fine.
Any ideas why this is happening?
Thanks

chain=forward action=accept src-address=192.168.100.0/24 out-interface=hol
chain=forward action=accept src-address=192.168.99.0/24 out-interface=hol
chain=forward action=accept src-address=192.168.98.0/24 out-interface=hol
chain=forward action=drop

That literally means "allow packets from 192.168.98.0/24, 192.168.99.0/24, and 192.168.100.0/24 to pass out the 'hol' interface, and drop every other packet". What about return traffic, from the Internet back to you? You can now try to establish a connection to a server, but the server can't respond. After all, traffic from the server to the LAN client doesn't come from any of those three networks, and doesn't go out the 'hol' interface. Return traffic only matches the drop rule.

The easiest solution is to be stateful, and allow all packets that are parts of established connections, and to then only allow trusted hosts to establish connections. You can also simplify things by using an address list to enumerate trusted hosts and networks. The shortest way to write your firewall rule set would be:

/ip firewall address-list
add list=trusted address=192.168.98.0/23
add list=trusted address=192.168.100.0/24
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward action=accept src-address-list=trusted out-interface=hol
add chain=forward action=drop
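To make the difference between the two rule sets concrete, here is a small added simulation (not part of the forum post, and not RouterOS code) of first-match forward-chain evaluation with a minimal connection tracker. It feeds the same three packets through the questioner's stateless rule set and through the stateful set from the answer above: a LAN client opening a connection out of 'hol', the server's reply coming back in, and an unsolicited packet from the Internet. The interface name ether2 and the addresses 192.168.100.10, 203.0.113.5 and 198.51.100.7 are constructed for the example.

```python
"""Constructed example: RouterOS-style first-match firewall evaluation, with and
without connection tracking. Shows why the stateless rule set drops the server's
reply while the stateful set accepts it and still drops unsolicited inbound traffic.
Interface and address names below are assumptions made for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Mirrors the answer's 'trusted' address list (192.168.98.0/23 covers .98 and .99).
TRUSTED = [ip_network("192.168.98.0/23"), ip_network("192.168.100.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str
    syn: bool = False  # True for the first packet of a new connection


@dataclass
class Rule:
    action: str                              # "accept" or "drop"
    match: Callable[[Packet, str], bool]     # (packet, connection_state) -> bool
    desc: str = ""


class ConnTracker:
    """Minimal tracker: a flow is the unordered pair of endpoint addresses,
    so a reply from the server maps onto the flow the client opened."""
    def __init__(self):
        self.flows = set()

    def state(self, pkt):
        if frozenset((pkt.src, pkt.dst)) in self.flows:
            return "established"
        if pkt.syn:
            return "new"
        return "invalid"  # non-SYN packet that belongs to no known flow

    def note(self, pkt):
        self.flows.add(frozenset((pkt.src, pkt.dst)))


def src_trusted(pkt):
    return any(ip_address(pkt.src) in net for net in TRUSTED)


def evaluate(rules, pkt, tracker):
    """First-match evaluation. The fall-through policy is accept, which is the
    default behaviour the questioner observed before adding a final drop rule."""
    state = tracker.state(pkt)
    for rule in rules:
        if rule.match(pkt, state):
            if rule.action == "accept":
                tracker.note(pkt)
            return rule.action
    tracker.note(pkt)
    return "accept"


# The questioner's forward chain: accept trusted sources out of hol, drop the rest.
STATELESS = [
    Rule("accept", lambda p, s: src_trusted(p) and p.out_iface == "hol", "trusted -> hol"),
    Rule("drop",   lambda p, s: True, "drop everything else"),
]

# The answer's forward chain. "related" never occurs in this toy tracker; the rule
# is kept so the order matches the RouterOS rule set.
STATEFUL = [
    Rule("accept", lambda p, s: s == "established", "connection-state=established"),
    Rule("accept", lambda p, s: s == "related", "connection-state=related"),
    Rule("drop",   lambda p, s: s == "invalid", "connection-state=invalid"),
    Rule("accept", lambda p, s: src_trusted(p) and p.out_iface == "hol",
         "src-address-list=trusted out-interface=hol"),
    Rule("drop",   lambda p, s: True, "drop everything else"),
]

# Constructed packet sequence (addresses and 'ether2' are assumptions).
EXCHANGE = [
    Packet("192.168.100.10", "203.0.113.5", "ether2", "hol", syn=True),   # LAN client opens a connection
    Packet("203.0.113.5", "192.168.100.10", "hol", "ether2"),             # server's reply
    Packet("198.51.100.7", "192.168.100.10", "hol", "ether2", syn=True),  # unsolicited inbound attempt
]


def run_exchange(rules, packets=EXCHANGE):
    """Return the verdict for each packet, evaluated in order with a fresh tracker."""
    tracker = ConnTracker()
    return [evaluate(rules, p, tracker) for p in packets]


if __name__ == "__main__":
    for name, rules in (("stateless", STATELESS), ("stateful", STATEFUL)):
        print(f"{name:9s}", run_exchange(rules))
```

Running it shows the stateless set returning accept, drop, drop: the outbound SYN passes but the reply is dropped, which is exactly the "no internet" symptom. The stateful set returns accept, accept, drop: the reply is matched by the established rule, while the unsolicited inbound packet still falls through to the final drop.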