NetBIOS block?

Hi, I need to know how I block outgoing NetBIOS traffic.

I have a NAS. And when I activate the Windows network file share option, my internet service provider is sending me an email that they found my server on my IP address.
I'm located in the Netherlands and my provider is KPN. I'm on fibre optic and using the mikrotik rb2011uias-2hnd2. The router operation is fine. I understand the working of the VLAN setup.
But I can't work out how to block the NetBIOS to the outside world. I tried in the firewall rules to reject UDP 137, but I still got an email from the provider that I need to address the issue, otherwise they are going to put my connection in quarantine.. so basically block my access to the internet.

I want to know how to block the NetBIOS from the outside world. So if KPN does an Nmap scan (that's automatically done by their servers), they don't see my NAS anymore.

I read to block 137, 138 and 139,
but I'm not sure at this moment anymore.. I need some advice..
Thx in advance.
I hope that this is the right section of the forum for asking for the solution.

/ip firewall filter
add chain=forward protocol=udp dst-port=137-139 action=drop in-interface=X
add chain=forward protocol=tcp dst-port=137-139 action=drop in-interface=X

X = the name of your interface with the public IP address on it.

for good measure, you can also block it outbound:
/ip firewall filter
add chain=forward protocol=udp src-port=137-139 action=drop out-interface=X
add chain=forward protocol=tcp src-port=137-139 action=drop out-interface=X

So for me that is
"ether1-gateway", I assume.

-cut-

I would suggest you assume wrongly. I would assume “pppoe”.
ZeroByte also forgot tcp port 445.
The real question though is why you are allowing anything in.
What firewall filter rules have you got? Post an export (/ip firewall export).

export

[admin@MikroTik] /ip firewall filter> /ip firewall export
# sep/29/2017 20:08:34 by RouterOS 6.39.2
# software id = Q3K3-QDJ0
#
/ip firewall filter
add action=accept chain=input in-interface=pppoe protocol=icmp
add action=accept chain=input connection-state=related
add action=accept chain=input connection-state=established
add action=reject chain=input in-interface=pppoe protocol=tcp reject-with=\
    icmp-port-unreachable
add action=reject chain=input in-interface=pppoe protocol=udp reject-with=\
    icmp-port-unreachable
add action=drop chain=forward dst-port=137-139 in-interface=ether1-gateway \
    protocol=udp
add action=drop chain=forward dst-port=137-139 in-interface=ether1-gateway \
    protocol=tcp
add action=drop chain=forward out-interface=ether1-gateway protocol=udp \
    src-port=137-139
add action=drop chain=forward out-interface=ether1-gateway protocol=tcp \
    src-port=137-139
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe src-address=\
    192.168.0.0/16 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=77.162.238.*** to-addresses=\
    192.168.10.40
add action=dst-nat chain=dstnat comment="nas interface" dst-address=\
    77.162.238.128 dst-port=80 protocol=tcp to-addresses=192.168.10.40
add action=dst-nat chain=dstnat comment=torrent dst-address=77.162.238.*** \
    dst-port=3799 protocol=tcp to-addresses=192.168.10.40
add action=dst-nat chain=dstnat comment=server dst-address=77.162.238.*** \
    dst-port=8080 protocol=tcp to-addresses=192.168.10.40
add action=masquerade chain=srcnat comment=hairpin dst-address=192.168.10.0/24 \
    src-address=192.168.10.0/24
add action=src-nat chain=srcnat comment=harpin src-address=192.168.10.40 \
    to-addresses=77.162.238.***
add action=dst-nat chain=dstnat comment="PPT VPN" dst-address=192.168.88.1 \
    dst-port=1723 protocol=udp to-addresses=192.168.10.49 to-ports=1723

add action=dst-nat chain=dstnat dst-address=77.162.238.*** to-addresses=192.168.10.40

Remove this NAT rule, because you are forwarding all ports to the local address 192.168.10.40, that is, they become visible to the public!
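As an added example (not code from this thread or from MikroTik), a small Python audit of a RouterOS `/ip firewall export` that catches both points raised in the replies above: a dst-nat rule with no dst-port or protocol, which exposes every port of the internal host, and WAN-facing forward drops that leave one of the NetBIOS/SMB ports (TCP 445 among them) unblocked. The sample export and the 203.0.113.5 address are constructed; the WAN interface name is passed in.

```python
# Added audit (not from the thread): parse a RouterOS "/ip firewall export" and flag a catch-all
# dst-nat rule (every port of a LAN host exposed) and missing forward drops for NetBIOS/SMB ports.
import shlex

# Ports the thread discusses: NBT name/datagram (UDP 137/138), NBT session (TCP 139), SMB (TCP 445).
EXPECTED = {"udp": {137, 138}, "tcp": {139, 445}}

# Constructed sample modelled on the thread's export; 203.0.113.5 is a documentation address.
SAMPLE_EXPORT = r"""/ip firewall filter
add action=drop chain=forward dst-port=137-139 in-interface=pppoe protocol=udp
add action=drop chain=forward dst-port=137-139 in-interface=pppoe protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=203.0.113.5 to-addresses=\
    192.168.10.40
add action=dst-nat chain=dstnat comment="nas interface" dst-address=203.0.113.5 dst-port=80 protocol=tcp to-addresses=192.168.10.40
"""

def parse_export(text):
    """Return (section, {key: value}) per 'add' rule, rejoining backslash-wrapped lines."""
    rules, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()  # a continuation line loses its indent
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = (buf + line).strip(), ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            rules.append((section, dict(t.partition("=")[::2] for t in shlex.split(line[4:]))))
    return rules

def port_set(spec):
    """Expand a RouterOS port spec such as '137-139' or '80,445' into a set of ints."""
    ranges = [p.partition("-") for p in filter(None, spec.split(","))]
    return {n for lo, _, hi in ranges for n in range(int(lo), int(hi or lo) + 1)}

def catch_all_dstnat(rules):
    """dst-nat rules with neither dst-port nor protocol forward every port to the target."""
    return [r for s, r in rules if s == "/ip firewall nat" and r.get("action") == "dst-nat"
            and "dst-port" not in r and "protocol" not in r]

def unblocked_netbios(rules, wan):
    """Per protocol, the expected ports that no forward-chain drop on the WAN interface covers."""
    missing = {}
    for proto, wanted in EXPECTED.items():
        covered = set()
        for s, r in rules:
            if (s == "/ip firewall filter" and r.get("chain") == "forward" and r.get("action") == "drop"
                    and r.get("protocol") == proto and r.get("in-interface") == wan):
                covered |= port_set(r.get("dst-port", ""))
        missing[proto] = sorted(wanted - covered)
    return missing
```

Run it against your own export text with the interface that carries the public address (pppoe in this thread); an empty result from both functions means the two issues are gone.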

I suspected there was a sort of "dmz" rule in the NAT because surely nobody would explicitly map NETBIOS in from a public IP address, right? :)

Oops ...
Removed.

[admin@MikroTik] > /ip firewall export
# sep/29/2017 22:19:01 by RouterOS 6.39.2
# software id = Q3K3-QDJ0
#
/ip firewall filter
add action=accept chain=input in-interface=pppoe protocol=icmp
add action=accept chain=input connection-state=related
add action=accept chain=input connection-state=established
add action=reject chain=input in-interface=pppoe protocol=tcp reject-with=icmp-port-unreachable
add action=reject chain=input in-interface=pppoe protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=forward comment=NETbios dst-port=137-139 in-interface=pppoe protocol=udp
add action=drop chain=forward comment=NETbios dst-port=137-139 in-interface=pppoe protocol=tcp
add action=drop chain=forward comment=NETbios out-interface=pppoe protocol=udp src-port=137-139
add action=drop chain=forward comment=NETbios out-interface=pppoe protocol=tcp src-port=137-139
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe src-address=192.168.0.0/16 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="nas interface" dst-address=77.162.238.*** dst-port=80 protocol=tcp to-addresses=192.168.10.40
add action=dst-nat chain=dstnat comment=torrent dst-address=77.162.238.*** dst-port=3799 protocol=tcp to-addresses=192.168.10.40
add action=dst-nat chain=dstnat comment=server dst-address=77.162.238.*** dst-port=8080 protocol=tcp to-addresses=192.168.10.40
add action=masquerade chain=srcnat comment=hairpin dst-address=192.168.10.0/24 src-address=192.168.10.0/24
add action=src-nat chain=srcnat comment=harpin src-address=192.168.10.40 to-addresses=77.162.238.***
add action=dst-nat chain=dstnat comment="PPT VPN" dst-address=192.168.88.1 dst-port=1723 protocol=udp to-addresses=192.168.10.49 to-ports=1723
[admin@MikroTik] >

Nope.. I was trying to access my NAS from the local network on the web address. That's not working.. I think that link has been there for years..

thx all

This is the right rule for hairpin NAT if you use HTTP for access:
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.10.40 protocol=tcp dst-port=80 out-interface=LAN action=masquerade

Thx all.
No more issues on this subject. KPN (internet service company) didn't send emails about my network if I turn on the NAS and the Windows domain.