Problem with firewall rules

Hi to everyone! I’m new to the forum and also to MikroTik.
I have a problem with the firewall rules: I want to permit some pages and block all the rest. According to what I understand, it would be something like this:

ip firewall filter
add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
add chain=forward action=drop src-address=172.16.31.101/32

but with this the host 172.16.13.101 loses all connection to the Internet.
What am I doing wrong?

I read this forum a lot and I learn a lot, thanks.
And sorry if I write like Tarzan :frowning:

Hi, you can add the addresses of the pages to an address list and then block forwarding where the destination is not one of the IPs in the list.

Like this:

/ip firewall address-list
	add list=white-list address=x.x.x.x
	add list=white-list address=y.y.y.y
	...
/ip firewall filter
	add chain=forward action=accept src-address=172.16.31.101 protocol=udp dst-port=53
	add chain=forward action=drop src-address=172.16.31.101 dst-address-list=!white-list

You don’t need the drop at the end; it drops all packets from 172.16.31.101.

You are missing the established,related firewall rule on the forward chain.

Your config:

ip firewall filter
add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
add chain=forward action=drop src-address=172.16.31.101/32

Corrected:

add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop src-address=172.16.31.101/32

Hi, thanks, this is a good idea. I created the address-list with the IPs 192.168.1.0/24 and 190.96.78.8, but the host 172.16.31.101 only sees the network 192.168.1.0/24 and not the website 190.96.78.8.
Any idea why?

Thanks, but nothing changed; it doesn’t solve the error.

What type of Internet connection do you have?
Is your gateway 190.96.78.8? Or is it another IP?
You must whitelist the IPs of the websites that you want to be allowed.

I have an Internet connection by dedicated fiber, 50 Mb up and down.
My gateway is 192.168.1.252.
190.96.78.8 is a site for testing whether it works fine.
The address list:

ip firewall address-list 
 add list=white-list address=192.168.1.0/24
 add list=white-list address=190.96.78.8
ip firewall filter
 add chain=forward action=accept protocol=tcp dst-port=53 comment="Accept DNS"
 add chain=forward action=drop src-address=172.16.31.101 dst-address-list=!white-list

With this I have connection from host 172.16.31.101 to the whole network 192.168.1.0/24 but not to the web page 190.96.78.8.
That’s the problem. Am I blocking something I should not?
Thanks for your time null31.

I tested the rules here and they work fine. You need to remember that websites contain external content like CSS, scripts, fonts and others from other IPs. So you are dropping packets from these external IPs.
The DNS rule works with no problems when looking up a name on 8.8.8.8.
To make dojin.co work, I needed to add many external addresses from which dojin.co loads its content. You can see my address list in the attachment.

 [admin@ayaya] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=forward action=accept protocol=udp src-address=10.3.3.14 dst-port=53 log=no log-prefix="" 

 1    chain=forward action=drop src-address=10.3.3.14 dst-address-list=!white log=yes log-prefix="drop"

Screenshot_2017-03-10_13-09-36.png
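To see concretely why unlisted content IPs get dropped, here is an added example (not from this thread or from RouterOS itself): a small Python model of RouterOS first-match rule evaluation, run over the two-rule whitelist and address list posted above. The address list and rules are transcribed from the thread; the packets, the CDN address 203.0.113.10 and the DNS server 8.8.8.8 are constructed test inputs.

```python
import ipaddress

# Address list as posted in the thread.
ADDRESS_LISTS = {"white-list": ["192.168.1.0/24", "190.96.78.8"]}

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def rule_matches(rule, pkt):
    """Every matcher in the rule must match; 'action' and 'chain' are not matchers."""
    for key, want in rule.items():
        if key in ("action", "chain"):
            continue
        if key in ("src-address", "dst-address"):
            ok = in_net(pkt[key[:3]], want)
        elif key == "dst-address-list":  # "!name" negates the list match
            ok = any(in_net(pkt["dst"], n) for n in ADDRESS_LISTS[want.lstrip("!")])
            ok = not ok if want.startswith("!") else ok
        else:  # protocol, dst-port, ...
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def forward(rules, pkt):
    """First matching rule wins; with no match RouterOS accepts (default policy)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.get("action", "accept")  # action defaults to accept too
    return "accept"

def whitelist_rules(dns_proto):
    """The two-rule whitelist from the thread; dns_proto is 'udp' or 'tcp'."""
    return [
        {"chain": "forward", "action": "accept", "protocol": dns_proto, "dst-port": 53},
        {"chain": "forward", "action": "drop", "src-address": "172.16.31.101",
         "dst-address-list": "!white-list"},
    ]

HOST = "172.16.31.101"
# Constructed packets: the test site, a LAN host, an unlisted CDN address the page
# also loads (203.0.113.10 is documentation space), and a UDP DNS query to 8.8.8.8.
PACKETS = {
    "site": {"src": HOST, "dst": "190.96.78.8", "protocol": "tcp", "dst-port": 80},
    "lan": {"src": HOST, "dst": "192.168.1.10", "protocol": "tcp", "dst-port": 445},
    "cdn": {"src": HOST, "dst": "203.0.113.10", "protocol": "tcp", "dst-port": 443},
    "dns": {"src": HOST, "dst": "8.8.8.8", "protocol": "udp", "dst-port": 53},
}

def verdicts(dns_proto="udp"):
    return {n: forward(whitelist_rules(dns_proto), p) for n, p in PACKETS.items()}
```

Running `verdicts("udp")` shows the site and LAN accepted but the CDN packet dropped, which is the missing-content symptom described above; `verdicts("tcp")` additionally drops the UDP DNS query to an unlisted resolver, so the protocol on the DNS rule matters when the resolver is outside the list.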

You’re right, and do you know a way to find out what IPs are necessary for a specific web page?

Hi,

Quick answer: by using nslookup, ping or resolve.

a. From a Windows machine, in a command terminal, type:

nslookup -type=A webpage_address

In the non-authoritative section, under addresses, you should see the IP(s).

or just

ping webpage_address

It should return the IP address after “reply from…”

b. On the MikroTik terminal you could use the resolve function to do that (or just ping):

:put [:resolve webpage_address server=8.8.8.8]

or just

ping webpage_address count=2

Hope it helps.

Kind regards,

You can use the developer mode of browsers, the typical F12.
For the case of dojin.co, I used Firefox: F12 > Network. After loading the page and seeing what is loaded, I added the names (domains) to the address-list.

An example is the print below:
You can see what was loaded when I opened this topic.
Screenshot_2017-03-15_21-04-39.png