Open port between two specific IP addresses

Hello Guys,

I have two networks, 0.0/24 and 0.1/24, with a firewall in between. Can someone please help me achieve this: allow port 8080 only between two IPs:

192.168.0.2 and 192.168.1.2.

If I provide src and dst IP and src/dst interface, the traffic stops. If I provide only the dst IP, it goes smoothly.

Any ideas? :)

Thank you very much!

Do you want both sides to be able to start a connection to port 8080 on the opposite side, or do you just want a certain host on 0.0 to be allowed to reach a certain host in 1.0 on port 8080?

Usually, you should have a rule very early in the forward chain that says to accept traffic with a connection state of established, and another one to accept related connections. These rules will allow the "reply" traffic from anything you've allowed outbound. If your rules say "allow out to tcp 25", then these established/related rules save you from also having to "allow in from tcp 25".

OK - so far, we’ve said “allow replies from any connection we’ve allowed to establish”

Now you just make a rule to allow the new connection:
/ip firewall filter add action=accept chain=forward protocol=tcp dst-port=8080 dst-address=192.168.1.4 comment="new connections to .1.4:8080"

You can stop there if you like - this would mean that anyone anywhere trying to reach .1.4:8080 will be allowed to do so.
If you want to limit this to a specific source network, add this matcher to the rule above: in-interface=LAN1

Remember that the replies from 1.4:8080 will be accepted by the state=established rule.

If you only want one specific host to be allowed to make this connection, then add this matcher to the rule above: src-address=192.168.0.4 and remove the in-interface=LAN1 condition. (it’s an unnecessary extra thing to check)

If you also want to allow 192.168.1.4 to reach 192.168.0.4:8080 then that requires a second rule. It’s the same as the first rule but with the src and dst addresses switched:
/ip firewall filter add action=accept chain=forward protocol=tcp dst-port=8080 dst-address=192.168.0.4 src-address=192.168.1.4 comment="new connections .1.4 -> .0.4:8080"

Finally, you want to block any communications between these two LANs that you haven’t already permitted explicitly.

/ip firewall filter
add chain=forward in-interface=LAN1 out-interface=LAN2 action=drop comment="everything else LAN1 -> LAN2"
add chain=forward in-interface=LAN2 out-interface=LAN1 action=drop comment="everything else LAN2 -> LAN1"

Make sure these are the last two rules that have anything to do with LAN1<>LAN2 communication.

Whenever you want a new type of connection between the LANs to be permitted, add the rule and make sure that it comes before these last two drop rules, but after the established/related rules.
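The full forward chain that the answer above builds up piece by piece, collected into one script, as an added example that is not part of the original reply. It uses the two hosts from the question (192.168.0.2 and 192.168.1.2) rather than the .4 addresses in the reply, and assumes the interface names LAN1 (192.168.0.0/24) and LAN2 (192.168.1.0/24) from the reply; the invalid-state drop is an extra rule that the reply does not mention but that normally sits next to the established/related accept. Rule order is the whole point: RouterOS evaluates the chain top to bottom and the first matching rule decides, so the accept rules must sit between the established/related accept and the two interface-pair drops.

```routeros
# Added example, not from the thread. Assumed interface names: LAN1 and LAN2.
# Hosts 192.168.0.2 and 192.168.1.2 are the two endpoints from the question.
/ip firewall filter
# 1. Replies for anything already allowed, whichever side started it.
add chain=forward connection-state=established,related action=accept comment="replies for allowed connections"
# 2. Packets that belong to no tracked connection (extra rule, common practice).
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# 3. The one new connection that is wanted: 0.2 -> 1.2 on tcp/8080.
add chain=forward connection-state=new protocol=tcp src-address=192.168.0.2 dst-address=192.168.1.2 dst-port=8080 action=accept comment="0.2 -> 1.2:8080"
# 4. Only if the other side must also be able to open connections (second rule, addresses swapped).
add chain=forward connection-state=new protocol=tcp src-address=192.168.1.2 dst-address=192.168.0.2 dst-port=8080 action=accept comment="1.2 -> 0.2:8080"
# 5. Everything else between the two LANs. These must stay last for LAN1<>LAN2 traffic.
add chain=forward in-interface=LAN1 out-interface=LAN2 action=drop comment="everything else LAN1 -> LAN2"
add chain=forward in-interface=LAN2 out-interface=LAN1 action=drop comment="everything else LAN2 -> LAN1"
# Check: print the chain with packet/byte counters, then open a test
# connection from 192.168.0.2 to 192.168.1.2:8080 and see which rule counts it.
/ip firewall filter print stats
```

If a rule that names src/dst addresses and interfaces "stops" the traffic, the first things to check with `print stats` are whether that accept rule's counter moves at all (if it does not, the packets are matching an earlier rule or the interface or address in the rule does not match the packets), and whether an existing drop rule sits above it; `/ip firewall filter move` reorders rules without retyping them.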

Hello,

I have the network topology shown in the picture below.
[attachment: mikrotik.png]
I want to connect from a PC to one of the devices behind the MikroTik router. The PC is in our network; the MikroTik has one WAN port with a public IP. The IP addresses of the other devices connected to the MikroTik are the same. I need to create an SSH tunnel over PuTTY. I would like to set up, for example, port 5000 in PuTTY and have the MikroTik forward me to LAN 2 on port 3389. When I set up port 5001 in PuTTY, the MikroTik forwards me to LAN 3 on port 3389, etc. I want an SSH tunnel for RDP.

Would you help me with this problem please?

Thank you

David

Why do you have the same IP address on 4 different devices connected to 4 different internal interfaces?
This is going to make your firewall rules hellishly complicated, because it's going to require packet and connection marking so that you can force a particular interface.

Maybe you mean that the 4 interfaces are bridged into a single LAN, and the internal devices are all 192.168.1.x and that the Mikrotik is 192.168.1.1 on its LAN bridge interface…

If that’s the case, then your rules are very easy: (assuming WAN interface is ether1)

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> internet"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=5000 action=dst-nat to-addresses=192.168.1.2 to-ports=3389 comment="WAN:5000 -> .2:3389 (RDP)"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=5001 action=dst-nat to-addresses=192.168.1.3 to-ports=3389 comment="WAN:5001 -> .3:3389 (RDP)"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=5002 action=dst-nat to-addresses=192.168.1.4 to-ports=22 comment="WAN:5002 -> .4:22 (SSH)"
etc...

This requires that the hosts themselves accept SSH connections - the MikroTik's not going to terminate SSH tunnels in the way you're expecting. All it does is manipulate the port numbers and IP addresses in the packet headers to help them get to some device. If you want to VPN to the MikroTik and then remote-desktop beyond it, then set up a VPN and don't use port forwarding.
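The port-forwarding rules from the reply above, extended with the two things a practitioner would add before putting them on a router with a public IP, as an added example that is not part of the original reply. First, a dst-nat rule by itself exposes RDP on the forwarded port to the whole internet, so the example restricts the forwards to one source address (203.0.113.10 is an assumed placeholder from the documentation range, standing in for the public IP of the PC that is allowed to use them). Second, the forward chain has to let the translated connections through, which is what the `connection-nat-state=dstnat` matcher is for; without it, a forward chain that drops new connections from the WAN would silently discard the forwarded traffic even though the NAT rule's counter increments. The interface name ether1 and the 192.168.1.x addresses are the reply's own assumptions.

```routeros
# Added example, not from the thread. Assumptions: WAN is ether1, the LAN
# bridge holds 192.168.1.0/24, and 203.0.113.10 is the remote PC's public IP.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> internet"
# Forwards limited to the one remote address; without src-address anyone can reach the RDP ports.
add chain=dstnat in-interface=ether1 src-address=203.0.113.10 protocol=tcp dst-port=5000 action=dst-nat to-addresses=192.168.1.2 to-ports=3389 comment="PC -> .2:3389"
add chain=dstnat in-interface=ether1 src-address=203.0.113.10 protocol=tcp dst-port=5001 action=dst-nat to-addresses=192.168.1.3 to-ports=3389 comment="PC -> .3:3389"
/ip firewall filter
# Replies for anything already allowed.
add chain=forward connection-state=established,related action=accept comment="replies for allowed connections"
# New connections from the WAN are allowed only when a dst-nat rule rewrote them.
add chain=forward connection-state=new connection-nat-state=dstnat in-interface=ether1 action=accept comment="allow the forwards above"
# Everything else that tries to come in from the WAN and is not forwarded.
add chain=forward connection-state=new in-interface=ether1 action=drop comment="drop other new connections from WAN"
# Check: both counters should move when the PC connects to <public IP>:5000.
/ip firewall nat print stats
/ip firewall filter print stats
```

As the reply says, this is plain port forwarding, not an SSH tunnel: the RDP session crosses the internet unencrypted except for what RDP itself negotiates, and the source-address restriction is what keeps the forwarded ports from being an open RDP target. A VPN to the router is the better design when the client's public address is not fixed.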

Hello,

I updated my picture.
[attachment: mikrotik.png]
I need to create an SSH tunnel to the MikroTik router, which forwards me to the destination device on port 3389. I was told that I have to create a script which forwards all communication to LAN 2-5 depending on which port the request comes in on, but I don't know how. When I have different IPs on the destination devices, I know how to set up the MikroTik. In PuTTY I set up a connection to the WAN port of the MikroTik, and in SSH Tunnels I set up port forwarding to the destination device.
[attachment: putty.png]
When the MikroTik detects a request on port 5000, it forwards me to LAN2, for example, etc.