mikrotik firewall help

Hi,

I have an OpenVPN server on an old PC that was connected to my ISP router until now (I bought a MikroTik), and everything is working great. Now I want to put the MikroTik between the ISP router and the OpenVPN server.
On the old PC I have a host system that acts as a router to a KVM-virtualized OS that contains OpenVPN, with strict iptables rules.

#!/bin/bash
# flush all rules and user chains in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# default deny on every built-in chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow ssh (non-default port 4378) from the laptop only
iptables -A OUTPUT -o enp2s0 -p tcp --sport 4378 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.12 --dport 4378 -j ACCEPT

# OpenVPN (udp/1194) arriving at the host is DNATed to the KVM guest;
# traffic between the LAN interface and the libvirt bridge is forwarded,
# and the guest's replies are SNATed back to the host address
iptables -A PREROUTING -t nat -d 192.168.0.15 -p udp --dport 1194 -j DNAT --to 192.168.122.100:1194
iptables -A FORWARD -i enp2s0 -o virbr0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr0 -o enp2s0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.122.100 -j SNAT --to 192.168.0.15

These are the rules on the host system. The VPN server is on 192.168.122.100; the host IP is 192.168.0.15.

After I set up the MikroTik I changed these rules to

iptables -A PREROUTING -t nat -d 10.0.0.253 -p udp --dport 1194 -j DNAT --to 192.168.122.100:1194
iptables -A FORWARD -i enp2s0 -o virbr0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 
iptables -A FORWARD -i virbr0 -o enp2s0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 
iptables -A POSTROUTING -t nat -s 192.168.122.100 -j SNAT --to 10.0.0.253

10.0.0.253 is the IP address of the DHCP server on the MikroTik.
My ISP router is on the 192.168.0.0 subnet.

From the host system connected to the MikroTik I can ping outside; masquerade is set.

So how do I set up the firewall on the MikroTik so I can access the VPN server? Or, for a start, how do I set up access to SSH on the host 10.0.0.253 from 192.168.0.12, my laptop?

Appreciate the help.

I have connected everything like this.

OpenVPN

add chain=dstnat dst-address=192.168.0.23 protocol=udp dst-port=1194 action=dst-nat to-address=10.0.0.253

SSH

add chain=dstnat dst-address=192.168.0.23 protocol=tcp dst-port=2222 action=dst-nat to-address=10.0.0.253

Can someone post some links on how to secure the MikroTik and these connections?

In iptables I can first drop all, then allow what I need. How can I do this in the MikroTik firewall?

Thanks

It’s almost the same as iptables. The only important difference is that you can’t set the default policy to DROP, so you need to add a drop rule at the end of the chain.

It’s very close to the same, but I’m struggling with this.

On the input chain I don’t have rules yet.

In NAT I have this

add chain=dstnat dst-address=192.168.0.23 protocol=udp dst-port=1194 action=dst-nat to-address=10.0.0.253

and masquerade for 10.0.0.0

and this is OK, I can connect to the server at 10.0.0, surf, etc.

But when I add this

add chain=forward action=accept src-address=192.168.0.0/24 protocol=udp dst-port=1194
add chain=forward action=accept dst-address=192.168.0.0/24 protocol=udp src-port=1194
add chain=forward action=drop

I can’t connect to the VPN.

But when I add

add chain=forward action=accept connection-state=new,established
add chain=forward action=drop

I can connect, but no packets are dropped, not even a byte.

But when I try to be more restrictive

add chain=forward action=accept connection-state=new,established protocol=udp dst-port=1194,53
add chain=forward action=drop

I can connect, but browsing doesn’t work.

So can someone tell me or suggest how to do forwarding in this firewall?

And I have this; it’s the same as what I try with the VPN, and this is working.

add chain=forward action=accept src-address=192.168.0.0/24 protocol=tcp dst-port=22
add chain=forward action=accept dst-address=192.168.0.0/24 protocol=tcp src-port=22
add chain=forward action=drop

I can SSH to the VPN.

Thanks, and thanks Sob for the reply.

If you allow new and established without further conditions, you’re allowing pretty much everything; you don’t want that. If you allow new and established for only two UDP ports, then browsing on two different TCP ports doesn’t have a chance.

What I think you want as starting point is something like this:

/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward

The first rule allows all established and related connections (related are e.g. data connections for FTP). There’s no danger in having this broad rule, because a connection won’t become established by itself, without you allowing it first. The second rule drops all packets deemed invalid by conntrack. Packets that get beyond this point should be new connections (or untracked, if you play with the raw table). The third rule is a handy shortcut: it allows all dstnatted connections. You just need to forward a port and don’t need to add a specific exception to the forward chain. The last rule drops the rest. To allow something else (web browsing, …) add additional exceptions before the last rule, e.g.:

/ip firewall filter
add action=accept chain=forward dst-port=80,443 in-interface=<allowed source interface> protocol=tcp

And if something doesn’t work while the last drop rule is active, enable logging for the rule and see what exactly gets dropped, and add additional exceptions if needed.

Thanks man, very much. I tried every combination so I can drop forward rules.

add action=accept chain=forward connection-nat-state=dstnat

This rule solved everything. I didn’t know that I need to accept dstnat.

Yes, I know that when I add new,established that is practically allowing everything, but nothing worked, so I just tried different options.

Thanks very much.

As I wrote, connection-nat-state=dstnat is a handy shortcut. You don’t have to use it, it would work with manual rule too:

/ip firewall filter
add chain=forward action=accept dst-address=10.0.0.253 protocol=udp dst-port=1194

But it’s easier to have just one universal rule for all forwarded ports.

Just in case anyone follows this: for browsing to work, just add one more rule before the drop

add chain=forward action=accept src-address=10.10.10.10
(10.10.10.10 is the local IP of the server behind the router)

I didn’t need to forward 80,443, because I connected to OpenVPN behind the MikroTik.
But I needed to forward src and dst to be able to connect and browse.

Thanks Sob.
The reputation button doesn’t work, I don’t know why. But +10.
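To make the thread's outcome concrete, here is an added example (not from the forum, Sob, or MikroTik): a minimal first-match evaluator for a RouterOS-style forward chain, run over Sob's four-rule starting point plus the poster's final src-address exception, and over the earlier "new,established on udp 1194,53" attempt. Addresses and ports are the thread's; the packets are constructed, with 198.51.100.10 (a documentation address) standing in for an Internet peer.

```python
# Added example: first-match evaluator for a RouterOS-style forward chain; packets are constructed.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str           # "tcp" or "udp"
    src_addr: str
    dst_addr: str
    dst_port: int
    conn_state: str      # "new", "established", "related" or "invalid"
    nat_state: str = ""  # "dstnat" once dst-nat has rewritten the connection

def matches(rule, pkt):
    """Every matcher in a rule must match (RouterOS ANDs them); a bare action matches all."""
    for key, want in rule.items():
        if key == "action":
            continue
        have = getattr(pkt, key)
        ok = have in want if isinstance(want, set) else have == want
        if not ok:
            return False
    return True

def forward(chain, pkt):
    """First match decides; there is no default-DROP policy, so falling off the end accepts."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

# The poster's restrictive attempt: new/established only for udp 1194 and 53.
RESTRICTIVE = [
    {"action": "accept", "conn_state": {"new", "established"}, "proto": "udp", "dst_port": {1194, 53}},
    {"action": "drop"},
]
# Sob's starting point plus the poster's final exception for the host behind the router.
SOB = [
    {"action": "accept", "conn_state": {"established", "related"}},
    {"action": "drop", "conn_state": {"invalid"}},
    {"action": "accept", "nat_state": "dstnat"},
    {"action": "accept", "src_addr": "10.0.0.253"},  # outbound from the OpenVPN host
    {"action": "drop"},
]
# Constructed packets; 198.51.100.10 is a documentation address standing in for the Internet.
VPN_HANDSHAKE = Packet("udp", "198.51.100.10", "10.0.0.253", 1194, "new", "dstnat")
HTTPS_OUT     = Packet("tcp", "10.0.0.253", "198.51.100.10", 443, "new")
HTTPS_REPLY   = Packet("tcp", "198.51.100.10", "10.0.0.253", 51000, "established")
UNSOLICITED   = Packet("tcp", "198.51.100.10", "10.0.0.253", 22, "new")
INVALID_PKT   = Packet("tcp", "198.51.100.10", "10.0.0.253", 22, "invalid")
```

Running `forward(RESTRICTIVE, HTTPS_OUT)` returns "drop" (the "browsing doesn't work" symptom), while `forward(SOB, ...)` accepts the dstnatted VPN handshake, the host's outbound HTTPS and its reply, and drops the unsolicited and invalid packets. An empty chain accepts everything, which is why the explicit final drop rule is needed.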

I have an issue: I blocked one MAC of a user with this method, but it is not working:

On the “Firewall” window, select the “+” sign (add).
On the “Firewall Rule” window, select the tab “General” and set the “chain” to “forward”.
If you want to block a MAC, go to the “Advanced” tab and add the MAC to the “Src. MAC Address” field.
Then, on the “Action” tab, set the “Action” to “drop”.
Finally, click “Apply” to save the new rule.

But when I check again, this person is connected again with the same MAC address. Why? I need your help.

Do not inject unrelated topics and do not duplicate your posts.