Hello
In fact my knowledge of Linux itself is limited.
I am curious how it is really done: limiting access by IP address to Mikrotik router services.
I suspect that the proper entries are made in iptables (in fact the firewall).
Am I right?
If you want to limit access to only whitelist certain IPs or subnets, it's best to do them in "/ip service", via the "address" property.
In any other scenario (e.g. if you want to limit by input interface OR if you want to blacklist, rather than whitelist), you need to use "/ip firewall filter", which yes, works similarly to Linux's iptables.
Thanks, but how does IP/Services/Available physically work? Through iptables or another way?
And a second question arises from your answer: which method is safer (limiting service availability or setting filters on the firewall) and why?
RouterOS is a closed source piece of software, so no one (other than the developers) can know for sure, but I'm guessing…
Other than the Linux kernel, almost everything is used as a library (in the "included C code" sense), and not as a "custom UI on top". Therefore, unless the Linux program in question can be used as a library, it's unfair to say that anything is being done "through" said Linux program. One example where a project is indeed used by RouterOS in the library sense is OpenSSL, for all crypto related stuff supported by RouterOS.
AFAIK, the Linux kernel contains network filtering functionality, but it's up to programs to leverage it in order to make it useful. iptables is merely the simplest, and therefore the most popular way to configure the kernel in most Linux distributions. RouterOS has its own implementation, which happens to be very close to iptables in the functionality it allows the user to do.
So strictly speaking, both filters work through the Linux kernel, but are configured by two separate RouterOS subprograms (the firewall and the service manager).
As for which one is safer… They're equally safe for the "IP whitelist" scenario, but like I said, other scenarios require the use of the firewall. Those other features, if used correctly, are likely to ultimately make your router more secure, so with those in the mix, the firewall is not only the better, but in fact the only way.
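As an added illustration of the two approaches described in the earlier reply ("/ip service" address whitelist versus "/ip firewall filter") and in the post above about the firewall being the only option for interface-based or blacklist rules, here is example RouterOS configuration written for this thread; it was not posted by any participant. The management subnet 192.168.88.0/24, the admin host 10.0.0.5, the blacklisted 198.51.100.0/24, the interface list "WAN" and the address lists "mgmt" and "blocked" are all assumed values.

```routeros
# Added example configuration (not from the thread). Assumed values:
# management subnet 192.168.88.0/24, admin host 10.0.0.5, blacklist
# 198.51.100.0/24, interface list "WAN", address lists "mgmt" and "blocked".

# --- Method 1: per-service whitelist via the "address" property of /ip service ---
# Only the listed sources can reach these daemons; everyone else is refused
# by the service manager itself, with no firewall rule involved.
/ip service set winbox address=192.168.88.0/24,10.0.0.5
/ip service set ssh address=192.168.88.0/24,10.0.0.5
/ip service set www-ssl address=192.168.88.0/24,10.0.0.5

# Services that are not needed should be disabled outright, not merely restricted.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

# Verify: the "address" column should show the whitelist on each enabled service.
/ip service print

# --- Method 2: /ip firewall filter on the input chain ---
# Required for what /ip service cannot express: per-interface decisions,
# blacklists, logging. Rules are evaluated top to bottom, first match wins.
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="management subnet"
/ip firewall address-list add list=mgmt address=10.0.0.5 comment="admin host"
/ip firewall address-list add list=blocked address=198.51.100.0/24 comment="example blacklist"

/ip firewall filter add chain=input connection-state=established,related action=accept comment="keep existing sessions"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop malformed/untracked"
/ip firewall filter add chain=input src-address-list=blocked action=drop comment="blacklist: not possible in /ip service"
/ip firewall filter add chain=input src-address-list=mgmt protocol=tcp dst-port=8291,22,443 action=accept comment="management from whitelist only"
/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="everything else arriving on WAN"

# Verify the resulting rule order and hit counters.
/ip firewall filter print stats chain=input
```

Two practical caveats when applying either method: run the changes from a Safe Mode terminal session (Ctrl-X) so a mistaken rule that cuts off your own session is rolled back automatically, and remember that the "address" property of /ip service only governs IP-based access, so MAC-based Winbox access is controlled separately under /tool mac-server. The two methods are complementary; the firewall's final drop rule above only covers the WAN interface list, so the /ip service whitelist still does useful work for traffic arriving on other interfaces.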
So I am not going to offend you in any way, but: you do not know, you are guessing?
Iptables is just a frontend for manipulating the kernel tables. So yes, we are guessing, but it would be very strange to use a command line frontend as an additional layer, if it can be done e.g. via ioctl and netlink sockets directly by the configuration tools.
Again, just guessing, who knows.
Anyway, there's no access to a system console, so it isn't really relevant.
Thank you for sharing your knowledge.
Which method consumes fewer resources? Filtering on the firewall or service access whitelisting?