Port 80 forwarding and port blocking

Hi everyone,
I have tried a few different ways, but I cannot seem to make anything work properly.

I have a 750Gl that I have a webserver behind. Its address is 10.30.1.70/24.

I had a problem with it getting hacked. After rebuilding it and hopefully fixing my vulnerabilities, I want to go a little further by denying any possible outgoing viruses that might get through in the future. The easiest way I can figure out is to close all outgoing ports except 53 & 80.

I want to allow my webserver to get updates, so I need to allow outgoing port 80 & 53. My webserver is also on port 80.

I have tried the configs below. The first works great to block everything outgoing except port 80 & 53. But using it seems to nullify my port forward to the same server on port 80. Any help would be

/ip firewall filter
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=53
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=53
add chain=forward action=accept src-address=10.30.1.0/24 protocol=udp dst-port=53
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=udp src-port=53
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=80
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=80
add chain=forward action=drop

With a forward like this:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Access to Webserver NAT Rule" disabled=no dst-port=80 protocol=tcp to-addresses=10.30.1.70 to-ports=80

You need to add something like:

add chain=forward action=accept dst-address=10.30.1.70 protocol=tcp dst-port=80

The NAT entry on its own does not permit the traffic. You need to ensure that the traffic to the NATed destination can get through the forward chain.

I assume that other hosts on the LAN side of the router should not be limited to ports 80 and 53.
I also assume that the server is not hosting DNS for any (sub)domain, so no inbound NAT pinhole for 53.

Given that, I would use the following as a base configuration:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=WAN
add chain=dstnat action=dst-nat in-interface=WAN to-addresses=10.30.1.70 protocol=tcp dst-port=80
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=!WAN
add chain=input action=accept protocol=icmp
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept out-interface=WAN src-address=!10.30.1.70
add chain=forward action=accept out-interface=LAN protocol=tcp dst-port=80 dst-address=10.30.1.70
add chain=forward action=accept out-interface=WAN protocol=tcp dst-port=80
add chain=forward action=accept out-interface=WAN protocol=udp dst-port=53
add chain=forward action=drop

Try to keep each rule as simple as possible.
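As an added illustration (my own Python, not something posted in the thread or part of RouterOS), the following evaluates the original poster's forward chain, and the same chain with the first answer's accept rule inserted before the drop, against a few constructed packets using first-match semantics. It shows why the dst-nat rule alone is not enough, and also that the server's replies to the web client match none of the poster's stateless rules, which is what the connection-state=established,related rule in the base configuration above takes care of. The parser covers only the matchers used in the thread; 203.0.113.5 and 198.51.100.9 are constructed documentation-range addresses.

```python
import ipaddress

# The poster's forward-chain rules, constructed here as text in /ip firewall filter syntax.
OP_RULES = """
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=53
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=53
add chain=forward action=accept src-address=10.30.1.0/24 protocol=udp dst-port=53
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=udp src-port=53
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=80
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=80
add chain=forward action=drop
"""
# Same set with the first answer's accept rule inserted ahead of the final drop.
FIXED_RULES = OP_RULES.replace("add chain=forward action=drop",
    "add chain=forward action=accept dst-address=10.30.1.70 protocol=tcp dst-port=80\n"
    "add chain=forward action=drop")

def parse_rules(text):
    # Each "add key=value ..." line becomes a dict of chain, action and matchers.
    return [dict(w.split("=", 1) for w in line.split()[1:])
            for line in text.strip().splitlines()]

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

MATCHERS = {
    "src-address": lambda v, p: in_net(p["src"], v),
    "dst-address": lambda v, p: in_net(p["dst"], v),
    "protocol":    lambda v, p: p["proto"] == v,
    "src-port":    lambda v, p: p["sport"] == int(v),
    "dst-port":    lambda v, p: p["dport"] == int(v),
}

def evaluate(rules, packet, chain="forward"):
    # First matching rule wins, as in RouterOS; no match means the chain's default accept.
    for rule in rules:
        if rule["chain"] == chain and all(
                MATCHERS[k](v, packet) for k, v in rule.items() if k in MATCHERS):
            return rule["action"]
    return "accept"

# Constructed packets as the forward chain sees them, i.e. after dst-nat has already
# rewritten the public destination to 10.30.1.70 (client and update mirror are made up).
PACKETS = {
    "client_to_web": dict(src="203.0.113.5", dst="10.30.1.70", proto="tcp", sport=51234, dport=80),
    "web_reply":     dict(src="10.30.1.70", dst="203.0.113.5", proto="tcp", sport=80, dport=51234),
    "server_update": dict(src="10.30.1.70", dst="198.51.100.9", proto="tcp", sport=40001, dport=80),
    "server_https":  dict(src="10.30.1.70", dst="198.51.100.9", proto="tcp", sport=40002, dport=443),
}

def verdicts(rule_text):
    return {name: evaluate(parse_rules(rule_text), pkt) for name, pkt in PACKETS.items()}
```

With the poster's rules, client_to_web and web_reply are both dropped; the extra accept rule fixes the inbound packet but not the reply, which is why a stateful accept belongs at the top of the chain.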

If you’re behind the Mikrotik and want to access the server by typing the hostname into your browser, it will get the public IP of the server, so add this hairpin rule to let that work too:
add chain=srcnat action=masquerade out-interface=LAN src-address=10.30.1.0/24 comment="allow NAT hairpin to internal server"
And also, modify the dst-nat rule by removing the in-interface=WAN and changing it to dst-address=x.x.x.x (the Mikrotik’s public IP).

Using in-interface allows dynamic WAN IP address without needing to change the firewall configuration every time the IP changes, so I gave that method in my first set of commands.

That should work for you.

Best suggestion Ever…