IPV6 firewall rules

MikroTikFan · November 29, 2016, 9:35am

Please help me to find what I’m doing wrong with ipv6 firewall configuration.
After nmap scanning ipv6 address I have still open some ports like : 111,139,161,445,548,587
In my firewall filter rules I have drop for this port but this is not working and after nmap scanning I dont see on this 0) rule any traffic.

/ipv6 firewall filter print
0  chain=input action=drop protocol=tcp in-interface=he dst-port=111,139,161,445,548,587 log=no log-prefix="" 
1    ;;; Allow established connections
      chain=input action=accept connection-state=established log=no log-prefix="" 
2    ;;; Allow related connections
      chain=input action=accept connection-state=related log=no log-prefix="" 
3    ;;; Allow limited ICMP
      chain=input action=accept protocol=icmpv6 log=no log-prefix="" 
4    chain=input action=drop log=no log-prefix="" 
5    ;;; Allow established connections
      chain=forward action=accept connection-state=established,related,new log=no log-prefix="" 
6    ;;; Allow related connections
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 
7    chain=forward action=drop log=no log-prefix=""

Please help me how to fix this to drop all ports : 111,139,161,445,548,587 comming to my ipv6 interface (HE).

kamillo · November 29, 2016, 11:29am

you are applying drop action on the INPUT chain, so traffic going to the router itself and you are allowing all the traffic to go to anything behind the router. Looking at the ports you are scanning they look like services you would run on a server, not on the router. What I’m trying to say is: shouldn’t you put drop action on FORWARD chain?

MikroTikFan · November 29, 2016, 8:08pm

Thank’s for advise. I have few devices behind which have own ipv6 address.
For this ipv6 addresses I need to limit connections on ports.
For example limit ports to one of my ipv6 device 2001:…:aaaa 111,139,161,445,548,587

/ipv6 firewall filter
add action=accept chain=input comment="Allow established connections" connection-state=established
add action=accept chain=input comment="Allow related connections" connection-state=related
add action=accept chain=input comment="Allow limited ICMP" protocol=icmpv6
add action=accept chain=input comment="Allow Mail Ports" disabled=yes dst-port=25,465,587,995,993 protocol=tcp
add action=drop chain=forward
add action=accept chain=forward comment="Allow established connections" connection-state=established,related,new
add action=accept chain=forward comment="Allow related connections" connection-state=established,related
add action=drop chain=forward
add action=drop chain=input comment="Limit ports to ipv6" dst-address=2001:470:**:***:***:****:****:ddd1/128 dst-port=111,139,161,445,548,587 in-interface=he \
    protocol=tcp

pe1chl · November 29, 2016, 8:35pm

You have lots of things in your firewall that do not make sense at all…
Do you understand how the firewall rules work? Please read http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
(it is for IPv4 but the principles are the same and the IPv6 manual is severely lacking)