Packet Flow (Traverse) across MK chains

Dear All,

I have studied the Packet Flow (traverse) diagram in the MK manual, which seems to me very similar to packet traversal in IPTABLES/NetFilter embedded in Linux kernel 2.4.xx. But I have confusion in dealing with the Input-Interface criterion when matching a packet!

To explain more, here is an example:

To deny any access to MK through Telnet FROM any host, the following rule works well enough:

/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop

Now, to deny access to MK through Telnet FROM ONLY hosts connected to the LAN side of MK (ether1=192.168.0.0/24), the following rule should work:

/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=23 action=drop

BUT this rule doesn’t work properly and doesn’t block access to MK!

I put a log rule before it to log all packets to destination TCP port 23. What I found is that all packets with dst-port 23 coming to MK from the LAN side had In-Interface=ether0 (the WAN interface) and Out-Interface=none. This is a very strange case!

It is well known to me that if any host on the LAN side of MK wants to access MK, it should compose a packet with dst-address equal to any of the MK router’s interface IPs, but it will come in through only one input interface. In my case, it seems to me that the packets had their In-Interface changed by some routing decision point before they reached the INPUT chain.

I know that this issue can be solved using other criteria when matching a packet, but I want answers that stick with the In-Interface criterion, to understand well how packets traverse the chains.

Thanks in advance …

Moody,

there is a forward queue which is not blocked, so you just disabled the ability to connect to the router through port 23; you did not disable connections through the router on port 23.

I didn’t get what you mean! Can you please explain more?

There is a decision point that decides whether a packet should traverse the Forward chain or the Input chain. So, one chain is associated with each packet at a given instant.
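As an added illustration of the decision point described in the last reply (this is example code written for this thread, not RouterOS code or anything from the MikroTik manual), the following Python model routes a packet to either the input or the forward chain and then evaluates the thread's in-interface rule against it. The topology, addresses, and packets are constructed for the example: ether1 is the LAN side (192.168.0.0/24), ether0 is the WAN side, and the WAN addresses are made up. The model assumes the simple rule from the manual's diagram that a packet addressed to one of the router's own interface IPs takes the input chain and everything else is routed and takes the forward chain; it does not try to reproduce the ether0 in-interface the original poster saw in the log.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (addresses are made up): ether1 is the LAN side, ether0 the
# WAN side, as in the thread.  Routing is just the two connected networks plus a
# default route out of ether0.
INTERFACES = {
    "ether1": (ip_address("192.168.0.1"), ip_network("192.168.0.0/24")),
    "ether0": (ip_address("203.0.113.2"), ip_network("203.0.113.0/24")),
}
DEFAULT_ROUTE = "ether0"


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int
    in_interface: str  # interface the packet arrived on


@dataclass
class Rule:
    chain: str
    action: str
    in_interface: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet, chain: str) -> bool:
        """Every criterion that is set must match; an unset criterion matches anything."""
        if self.chain != chain:
            return False
        if self.in_interface is not None and self.in_interface != pkt.in_interface:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def route_lookup(dst: str) -> str:
    """Pick the out-interface: a connected network that contains dst, else the default route."""
    addr = ip_address(dst)
    for name, (_, net) in INTERFACES.items():
        if addr in net:
            return name
    return DEFAULT_ROUTE


def routing_decision(pkt: Packet):
    """The decision point from the thread: a packet addressed to one of the router's own
    interface IPs goes to the input chain (no out-interface); any other packet is routed
    and goes to the forward chain with the out-interface from the lookup."""
    if any(ip_address(pkt.dst) == addr for addr, _ in INTERFACES.values()):
        return "input", None
    return "forward", route_lookup(pkt.dst)


def filter_packet(rules, pkt: Packet):
    """Walk only the chain the packet was assigned to, top to bottom; first match wins,
    and a packet that matches nothing is accepted."""
    chain, out_iface = routing_decision(pkt)
    for rule in rules:
        if rule.matches(pkt, chain):
            return chain, out_iface, rule.action
    return chain, out_iface, "accept"


# The rule from the thread: drop telnet to the router itself, only when it arrives on ether1.
INPUT_RULES = [Rule(chain="input", in_interface="ether1", protocol="tcp", dst_port=23, action="drop")]
# Blocking telnet *through* the router as well needs a separate rule in the forward chain.
INPUT_AND_FORWARD_RULES = INPUT_RULES + [
    Rule(chain="forward", in_interface="ether1", protocol="tcp", dst_port=23, action="drop")
]

# Constructed sample packets.
LAN_TO_ROUTER = Packet("192.168.0.10", "192.168.0.1", "tcp", 23, "ether1")       # input chain
LAN_THROUGH_ROUTER = Packet("192.168.0.10", "198.51.100.5", "tcp", 23, "ether1") # forward chain
WAN_TO_ROUTER = Packet("198.51.100.5", "203.0.113.2", "tcp", 23, "ether0")       # input, but in-interface=ether0

if __name__ == "__main__":
    for pkt in (LAN_TO_ROUTER, LAN_THROUGH_ROUTER, WAN_TO_ROUTER):
        print(pkt.src, "->", pkt.dst,
              "input-only rules:", filter_packet(INPUT_RULES, pkt),
              "with forward rule:", filter_packet(INPUT_AND_FORWARD_RULES, pkt))
```

Running it shows the two points the replies make: the LAN-to-router telnet packet is assigned to the input chain and dropped by the in-interface=ether1 rule, while the LAN-to-WAN telnet packet never visits the input chain at all and is only dropped once an equivalent rule exists in the forward chain. Telnet to the router from the WAN side lands in the input chain but does not match, because its in-interface is ether0.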