Iptables translation to Mikrotik rules

Hello

I’m looking to translate this iptables script into MikroTik firewall rules, but I’m having trouble with some policies:

```
///////////////////////////////////////////////////////////////////////////////
//
// iptables_tcp_flags_programs.cfg
//
///////////////////////////////////////////////////////////////////////////////

// BADFLAGS – log and drop bad flags

=iptables -N BADFLAGS
=iptables -A BADFLAGS -j LOG --log-prefix "IPT BADFLAGS: " =logopt
=iptables -A BADFLAGS -j DROP

///////////////////////////////////////////////////////////////////////////////

// TCP_FLAGS – check tcp flags

=iptables -N TCP_FLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ACK,PSH PSH -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ACK,URG URG -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ALL ALL -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ALL NONE -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BADFLAGS

///////////////////////////////////////////////////////////////////////////////
```

In iptables these are a little weird; for example, “ACK,FIN FIN” is equal to MikroTik tcp-flags=!ack,fin, but I’m having issues with some others. If you know how to translate these rules and want to share, you are very welcome.

These are nice rules to filter invalid TCP flags and avoid some kinds of attacks and invalid traffic. Some are already dropped by the MikroTik invalid policy, but I do not think all of them are.

They all translate just as the example you gave. Write out all the TCP flags listed in the first argument, negate all the ones not listed in the second argument.

“ALL SYN,RST,ACK,FIN,URG” becomes “syn,rst,ack,fin,urg,!cwr,!ece,!psh”.

Below are all those rules translated. First create a chain ‘badflags’ that drops packets with invalid flags and, as the last step, returns:

```
/ip firewall filter
# tcp-flags only matches TCP, so each rule needs protocol=tcp
add chain=badflags protocol=tcp action=drop tcp-flags=!ack,fin
add chain=badflags protocol=tcp action=drop tcp-flags=!ack,psh
add chain=badflags protocol=tcp action=drop tcp-flags=!ack,urg
add chain=badflags protocol=tcp action=drop tcp-flags=fin,rst
add chain=badflags protocol=tcp action=drop tcp-flags=syn,fin
add chain=badflags protocol=tcp action=drop tcp-flags=syn,rst
add chain=badflags protocol=tcp action=drop tcp-flags=syn,rst,ack,fin,urg,cwr,ece,psh
add chain=badflags protocol=tcp action=drop tcp-flags=!syn,!rst,!ack,!fin,!urg,!cwr,!ece,!psh
add chain=badflags protocol=tcp action=drop tcp-flags=!syn,!rst,!ack,fin,urg,!cwr,!ece,psh
add chain=badflags protocol=tcp action=drop tcp-flags=syn,!rst,!ack,fin,urg,!cwr,!ece,psh
add chain=badflags protocol=tcp action=drop tcp-flags=syn,rst,ack,fin,urg,!cwr,!ece,!psh
add chain=badflags action=return
```

If you really want logging on this, duplicate all the lines and change the action of the first one to ‘log’.

Then add jumps to that chain in ‘input’ and ‘forward’ at a suitable location in your ruleset:

```
/ip firewall filter
add chain=input protocol=tcp action=jump jump-target=badflags
add chain=forward protocol=tcp action=jump jump-target=badflags
```

But before you implement all this, I’d suggest you shoot an email to support@mikrotik.com and ask them for clarification on what exactly gets dropped by ‘connection-state=invalid’ etc. If you do and get a reply, please do post it back into this thread.

Fewi
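The translation rule Fewi describes above (every flag in the iptables mask is examined; those also in the comparison list must be set, the rest must be clear) is mechanical enough to script. The following is an added example, not from the thread; the canonical output order of flag names is my own choice, RouterOS does not care about order.

```python
import re

# RouterOS tcp-flags names, in a fixed output order chosen for this example.
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr")


def parse_flag_set(spec):
    """Parse an iptables flag list such as 'ACK,FIN', 'ALL' or 'NONE'."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return set(TCP_FLAGS)
    if spec == "NONE":
        return set()
    flags = set()
    for name in spec.split(","):
        name = name.lower()
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name}")
        flags.add(name)
    return flags


def translate_tcp_flags(mask, comp):
    """Return the RouterOS tcp-flags value for iptables '--tcp-flags MASK COMP'.

    Flags in both MASK and COMP must be set; flags in MASK but not in COMP
    must be clear (written with a '!' prefix); flags outside MASK are ignored.
    """
    examined = parse_flag_set(mask)
    must_be_set = parse_flag_set(comp)
    if not must_be_set <= examined:
        raise ValueError("COMP flags must be a subset of MASK flags")
    positive = [f for f in TCP_FLAGS if f in must_be_set]
    negative = ["!" + f for f in TCP_FLAGS if f in examined - must_be_set]
    return ",".join(positive + negative)


RULE_RE = re.compile(r"--tcp-flags\s+(\S+)\s+(\S+)")


def translate_rule(iptables_line, chain="badflags", action="drop"):
    """Turn one iptables '--tcp-flags' rule into a RouterOS filter rule."""
    match = RULE_RE.search(iptables_line)
    if match is None:
        raise ValueError("line carries no --tcp-flags match")
    flags = translate_tcp_flags(match.group(1), match.group(2))
    return f"add chain={chain} protocol=tcp action={action} tcp-flags={flags}"


if __name__ == "__main__":
    # Constructed sample lines, in the shape of the script quoted in the thread.
    print(translate_rule("iptables -A TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j BADFLAGS"))
    print(translate_rule("iptables -A TCP_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BADFLAGS"))
```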

Really appreciated, thank you for your explanation and for taking the time to help out; now I understand these rules in MikroTik.

I will try it out!