Need help blocking IP from accessing device in my internal network behind NAT

Hello,
I need help blocking a specific blacklist from accessing my set-top-box, which is behind NAT.
I have a port forwarding rule that points to my STB in my private home network. I use this port forwarding for watching TV from my STB when I am not at home, but I want to block specific IP addresses from accessing it.

I see the following in my logs. It looks like the firewall is blocking it, BUT I see the intruder connected to my Set-Top-Box!
When I connect to my STB (which is Linux) and type netstat, I see the intruder connected to port 8001 (the streaming port).
I guess some other rule is overriding the blocking rule and/or the order of the rules is incorrect.
Please help. I am attaching my config below.

11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40



/ip firewall address-list
add address=111.222.111.222 list=blacklist
add address=111.222.111.223 list=blacklist

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input in-interface=ether1 ipsec-policy=in,ipsec
add action=accept chain=input dst-port=500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=drop chain=input in-interface=ether1 log=yes log-prefix=blacklist src-address-list=blacklist
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=accept chain=srcnat comment="IPSEC" dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 port="" protocol=tcp to-addresses=192.168.0.30 to-ports=8001

If you want to watch your TV away from home, you need to set up a simple rule which will allow only your IP or IPs as a source. Others will just be dropped.

My IP is always different when I am outside. Still I should be able to block specific IP addresses.
I am sure I am doing something wrong.

I believe the firewall rule is blocking the blacklist, but then port forwarding is letting him in. Something like that.
But how to fix it?!

Just write a script which will get your new IP address and paste it into your firewall and NAT rule. Try to search for it on the Internet.

Just create any VPN to your router and do not expose the STB to the public network at all.

The VPN server will also be accessible from the public network, so he also needs to allow his public IPs and drop others.

A VPN could be more interesting if he pushed some telnet or web, or some clear-text traffic, through it. Here, he needs just a video stream.

Guys, I can put password authentication on my streaming port and it's done, but I want to block specific IP addresses from accessing my network no matter what. And still have port forwarding.
add action=drop chain=input in-interface=ether1 log=yes log-prefix=blacklist src-address-list=blacklist
I thought this rule blocks the address no matter what. I guess I am doing something wrong.

Yes, of course, but only he could connect to this VPN. No one else. And that is the point of setting up a VPN server.

There are two ways:

A. Easier: set up a VPN server and connect to it before watching TV. Only “registered” users will be able to watch TV … there could be more than one allowed user !!! Simple, clean, easy configuration.

B. Longer version:
Set up blocking rules for all connections trying to reach the stream and somehow inform the router what his current “valid” IP is, so the “accept” rule can be updated according to this information.
It is quite an easy task if you install a Dynamic DNS client and register your computer for such a service.
In the firewall rule he needs to set an address list of chosen Dynamic DNS names … yes, yes … instead of a direct IP you can just use myname.dynamicdnsservice.com … Then the firewall rule should specify “address-list=my_allowed_ips_list” as the source of allowed IPs.
MikroTik itself periodically refreshes the current IPs in this address list from global DNS, so this list should be valid all the time.
The problem is when the user disconnects and reconnects with a different IP: then the DynamicDNS change is not propagated immediately and the router is dropping connections till the next DNS refresh.

So … use option A.

Right, but this chain has to be higher than the accept chain, so that the router checks incoming traffic first by the drop chain and then by the accept chain.

If his IP isn't static, the problem is the same. From time to time the IP will switch to another, and he has to know what IP he got.

First of all, your rule to drop traffic to your STB is wrong. The input chain is traffic going to the router itself, i.e. Webfig, Winbox, FTP, DNS… Your drop rule should be for the forward chain. The forward chain is any traffic that is forwarded from one interface of the router to another. The term “port forward” gives some clue.

You have several options to block forwards from your blacklist:

/ip firewall filter add action=drop chain=forward comment="Drop Forwards from Blacklist" src-address-list=Blacklist

This will drop traffic in the Firewall Filter.

/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist protocol=tcp to-addresses=192.168.0.30 to-ports=8001

This modifies your DST-NAT rule to only forward traffic not (! = not; in Winbox/Webfig it is a small checkbox) from Blacklist.

Another way is to use a port knocker, https://wiki.mikrotik.com/wiki/Port_Knocking ; this will add your remote IP to a safe list and you can only allow that safe list to connect.
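To make the input-versus-forward point above concrete, here is an added Python model (not MikroTik code and not from anyone in this thread) of how RouterOS runs dst-nat before deciding whether a packet is for the router (input chain) or passes through it (forward chain). The router address, the viewer address and the rule tables are constructed from the posted config; MY_REAL_IP is a placeholder.

```python
# Toy model of RouterOS packet flow for this thread: dstnat runs first, then the
# routing decision picks "input" (packet for the router) or "forward" (through it).
# Addresses are constructed; ROUTER_IP stands in for MY_REAL_IP.
ROUTER_IP = "203.0.113.10"            # placeholder for MY_REAL_IP (constructed)
STB_IP = "192.168.0.30"               # the set-top-box from the posted dst-nat rule
BLACKLIST = {"111.222.111.222", "111.222.111.223"}

def src_blacklisted(pkt):
    return pkt["src"] in BLACKLIST

def stream_dstnat_match(pkt):
    # dst-nat rule "Enigma Stream": tcp to MY_REAL_IP:8001 arriving on ether1
    return (pkt["dst"] == ROUTER_IP and pkt["dport"] == 8001
            and pkt["proto"] == "tcp" and pkt["in"] == "ether1")

NAT_ORIGINAL = [{"match": stream_dstnat_match, "to": STB_IP, "to_port": 8001}]
# Second option from the post: src-address-list=!Blacklist on the dst-nat rule itself
NAT_FIXED = [{"match": lambda p: stream_dstnat_match(p) and not src_blacklisted(p),
              "to": STB_IP, "to_port": 8001}]

# Only the drop rules from the posted filter are modelled: a fresh SYN from the
# intruder matches none of the accept rules (not icmp, not established/related, not ipsec).
FILTER_ORIGINAL = [
    {"chain": "input", "match": src_blacklisted, "action": "drop"},
    {"chain": "input", "match": lambda p: p["in"] == "ether1", "action": "drop"},
]
# First option from the post: the same blacklist drop, but in the forward chain
FILTER_FIXED = FILTER_ORIGINAL + [
    {"chain": "forward", "match": src_blacklisted, "action": "drop"},
]

def packet(src, dport=8001, proto="tcp"):
    """Constructed packet from the internet side aimed at the router's public IP."""
    return {"src": src, "dst": ROUTER_IP, "dport": dport, "proto": proto, "in": "ether1"}

def process(pkt, nat_rules, filter_rules):
    """Return (chain, verdict): which filter chain saw the packet and what it decided."""
    for rule in nat_rules:                       # dstnat runs before the routing decision
        if rule["match"](pkt):
            pkt = {**pkt, "dst": rule["to"], "dport": rule["to_port"]}
            break
    chain = "input" if pkt["dst"] == ROUTER_IP else "forward"
    for rule in filter_rules:                    # first matching rule in that chain wins
        if rule["chain"] == chain and rule["match"](pkt):
            return chain, rule["action"]
    return chain, "accept"                       # no match: RouterOS accepts by default

if __name__ == "__main__":
    for nat, flt in [(NAT_ORIGINAL, FILTER_ORIGINAL), (NAT_ORIGINAL, FILTER_FIXED), (NAT_FIXED, FILTER_ORIGINAL)]:
        print(process(packet("111.222.111.222"), nat, flt))
```

The first run reproduces the symptom in the opening post: the translated packet never visits the input chain, so the blacklist drop there never fires and the forward chain accepts it by default.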

No.
IPs assigned to users' computers are controlled with VPN settings, so all users willing to watch TV come from a static, predefined and known pool of LOCAL addresses assigned to VPN users. There is no need to make any rules blocking STB streaming, no need to make DST/SRC NAT. Users allowed to watch TV streaming HAVE TO connect to the local network with VPN, so they are verified/controlled/accepted/allowed by the VPN authorization process and seen by the STB device as local users = local addresses.

In my opinion, VPN solves the problem permanently. Period.

P.S.
What if the current user's ISP (e.g. hotel, cellular or any other) prohibits VPN connections?
Yes, it could be a problem, but then users need to suffer TV detoxification :slight_smile:

I meant the public IP, which is needed for VPN registration.

But it is a common problem for VPN setups, sharing nothing with the problem of exposing the TV stream to the public for particular users “somewhere in the world”.

Okay. Let the TS to choose.

Going back to the topic author’s original question: 2frogs is correct. You are dropping requests on the INPUT chain. You need to drop on the forward chain. Also, I recommend dropping ICMP input requests.

And I would also like to suggest double or triple port knocking as another alternative. If the topic author does not want to set up a VPN, he can

  1. first DROP ICMP requests,
  2. set up port knocking, and
  3. if by some chance the bad guy gets through, he can drop the blacklist correctly in the forward chain.

It’s a bit cumbersome compared to a VPN, but at least he’ll learn a little more about setting up firewalls.

Sorry for delayed answer. I was out of town.

You mean rule or chain?
Do you mean that drop rules have to be before (higher than) accept rules?

Sorry for delayed answer.
Thanks for your answer. You understood me right!

So if I want to block a connection, for example to the Webfig or telnet port on the router itself, I block it in the input chain, and
if I want to block a connection passing through the router and going to my devices behind NAT, do I block connections in the input and forward chains, or is only the forward chain enough?

Also if I use your second suggested method:

/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist protocol=tcp to-addresses=192.168.0.30 to-ports=8001

Can I have multiple lines for other blacklists, like this:

/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist_one protocol=tcp to-addresses=192.168.0.30 to-ports=8001
/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist_two protocol=tcp to-addresses=192.168.0.30 to-ports=8001

Last question.
Should my drop rules be on top of the filter list, or should they be the last rules (bottom of the list)?

Thanks a lot for your help.

Thanks for your answer.

You mean I should drop ICMP requests to the router itself, like PING? If that's what you mean, I prefer to leave it ON so I can ping my host from outside to diagnose connection problems and availability.

Yes.