Newbie question

I apologize if this is a duplicate, but I don’t think my post went through.

I’m trying to enable a simple filter to block port 22 and I’m not doing a good job at it.

I’m running RouterOS 6.25

Below are the interfaces:

[admin@StaidWorks] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #   NAME    TYPE   ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
 0 R ether1  ether  1500       1526            00:0C:42:91:2E:F0
 1   ether2  ether  1500       1522  1522      00:0C:42:91:2E:F1
 2 R ether3  ether  1500       1522  1522      00:0C:42:91:2E:F2

I’m trying to block port 22 to IP address 192.168.217.15 on ether1

That IP is NATed to 172.17.17.6 on ether3. The NAT works fine.

12 chain=srcnat action=src-nat to-addresses=192.168.217.15 src-address=172.17.17.6 log=no log-prefix=""
13 chain=dstnat action=dst-nat to-addresses=172.17.17.6 dst-address=192.168.217.15 log=no log-prefix=""

Below is my rule, which doesn't work. :(

[admin@StaidWorks] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop protocol=tcp dst-address=192.168.217.15 dst-port=22 log=no log-prefix=""

Any suggestions/recommendations would be greatly appreciated.

Abel

This will drop all packets to port 22:

/ip firewall filter add action=drop chain=input dst-port=22 protocol=tcp

Is this what you are searching for?

I got it working! I had to replace the input chain with the forward chain.

/ip firewall filter add action=drop chain=forward dst-port=22 protocol=tcp dst-address=172.17.17.6

Thank you!

input affects connections to the router itself (when somebody SSHs to the router)
forward affects connections through the router (when a customer SSHs to some device on the internet)
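The thread never spells out why the first rule (dst-address=192.168.217.15 in the forward chain) did nothing while the second (dst-address=172.17.17.6) worked, so here is the full picture as an added example; it is not configuration from the original posts. In RouterOS, dst-nat runs in prerouting, before the forward chain evaluates the packet, so a forward rule sees the already-rewritten destination 172.17.17.6 and never matches the public 192.168.217.15. The addresses are the ones from the thread; in-interface=ether1 is an assumption based on the poster saying 192.168.217.15 lives on ether1, and it keeps the rule from also blocking SSH to that host from the ether3 side.

```routeros
# Added example, not the poster's configuration. Uses the thread's addresses;
# in-interface=ether1 is an assumption (the public address was stated to be on ether1).

/ip firewall nat
add chain=dstnat dst-address=192.168.217.15 action=dst-nat to-addresses=172.17.17.6
add chain=srcnat src-address=172.17.17.6 action=src-nat to-addresses=192.168.217.15

/ip firewall filter
# Does NOT match: dst-nat has already rewritten the destination to 172.17.17.6
# by the time the forward chain runs, so this rule sees no traffic.
# add chain=forward protocol=tcp dst-address=192.168.217.15 dst-port=22 action=drop

# Matches: filter on the address the forward chain actually sees.
# Rules are evaluated top to bottom and the first match wins, so keep this drop
# above any "accept established/related" or general accept rule in forward.
add chain=forward protocol=tcp in-interface=ether1 dst-address=172.17.17.6 dst-port=22 \
    action=drop comment="block SSH to NATed host from the ether1 side"

# SSH to the router itself is a different chain (input), as the last reply says.
add chain=input protocol=tcp in-interface=ether1 dst-port=22 action=drop \
    comment="block SSH to the router from the ether1 side"

# Check: make a blocked SSH attempt, then watch the drop rule's packet counter climb.
/ip firewall filter print stats
```

Two caveats a practitioner would want: the drop only applies to new connections if an accept rule for established/related sits above it, so an SSH session already open through the router keeps working until it ends (clear it with /ip firewall connection remove if it must stop now); and the input rule above will lock you out of the router over SSH from the ether1 side, so add it from a session on ether3 or with a Safe Mode session.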