Dear Gentle Folk,
I am relatively skilled at iptables, but not so much with mikrotik.
I am replacing our linux core router with an RB1100 and need to move the firewall rules over.
One of the key rules simply blocks all DNS requests to port 53 from anywhere to anything except our
proper DNS servers, so other machines are not bothered by floods from the outside to port 53.
In iptables this was done by creating a new sub chain called FORDNS, it checks the packets sent to it and drops them if not
going to the right machines. The machines list below is simple, the real list is pretty complicated.
The forward table sends all port 53 to FORDNS. The code is below.
How do I create a sub chain in mikrotik or do the equivalent?
I have greatly simplified the below, just want to see how to create a subchain and call it
if I need to.
Thanks.
#!/bin/bash
--------------------------------------------------------------
FORWARD CHECKING
/sbin/iptables -A FORWARD -p udp -i eth0 --dport 53 -j FORDNS # CHECK DNS
/sbin/iptables -A FORWARD -p tcp -i eth0 --dport 53 -j FORDNS # CHECK DNS
#!/bin/bash
#--------------------------------------------------------------
DNS ONLY this flushes, destroys and recreates subchain FORDNS
/sbin/iptables -F FORDNS; /sbin/iptables -X FORDNS; /sbin/iptables -N FORDNS;
/sbin/iptables -A FORDNS -i eth0 -d 64.57.176.2 -j ACCEPT # to light
/sbin/iptables -A FORDNS -i eth0 -d 64.57.176.3 -j ACCEPT # to majesty
/sbin/iptables -A FORDNS -j DROP
I mean, it’s the same thing: