Problems with NAT and Firewall Filters

I moved my main router from another OS to Mikrotik this weekend, and had to revert back today. The reason was the way MT handles Firewall Filters and NAT.

I am a WISP and my network is NATed. All the IP addresses behind the main router are private. I use dst-nat to connect the mail server to the outside world. The outside world sees the outside IP address of my main router as my email server address. And, to keep off of the spam lists (http://www.spamhaus.org), I have a couple of firewall settings that limit outgoing SMTP traffic to only my mail server. That way users infected with viruses will not be spewing SMTP traffic onto the internet (which would be seen from the outside as coming from my main router/mail server).

However, when I switched over to MT, the firewall filters would not work. I would setup the following firewall statements and it would not limit the outgoing SMTP traffic:

# This command allows outgoing SMTP traffic from my mail server
# (RouterOS calls the permit action "accept"; "allow" is not a valid action)
/ip firewall filter add chain=forward src-address=10.10.100.201 dst-port=25 protocol=tcp out-interface=wan action=accept

# This command drops outgoing SMTP traffic from everywhere else
/ip firewall filter add chain=forward dst-port=25 protocol=tcp out-interface=wan action=drop

When I would disable the first entry, mail would still go out from my mail server. Also, in the process, I got added to the spam list. I am sure it was because the MT software was not filtering out other computers' SMTP traffic.

The deny entry seemed to work if I did not specify the interface, but that stops incoming SMTP traffic, which I don’t want.

I worked on this for hours, and then ran across the following note in the manual:

Page 395, under “Property Description” subtopic under the “NAT” topic, it says: “Because the NAT rules are applied first, it is important to hold this in mind when setting up firewall rules, since the original packets might be already modified by the NAT.”

I tried other things like Mangle statements tied to firewall statements. But nothing seemed to be able to shut off the traffic properly.

So, it appears that I cannot duplicate in MT what I am doing with the other OS. Am I missing something?

Here you find a description of packet flow through Mikrotik, so it will be clear in which order filter and NAT rules are applied: http://www.mikrotik.com/docs/ros/2.9/ip/flow

Can you please also post the rest of your firewall and NAT rules?

Also, your last rule should always be a DROP or REJECT. This way stuff you specifically don’t allow isn’t just accepted at the end of the chain. Not sure if you had that.

Sam

Thanks for the link. I think it may show my problem. My deny entry may need to be an output filter, since after being natted, the src-address is now the outside port of the router. Hence, the statement may need to be
/ip firewall filter add chain=output dst-port=25 protocol=tcp out-interface=wan action=drop

As far as the rest of my rules, I turned off all the other firewall rules and was having the same issues as with them on, so they are not the problem. The NAT entry was your basic masq entry:

/ip firewall nat add action=masquerade src-address=10.10.10.100/24 out-interface=WAN chain=srcnat

And yes, my last rule was the drop rule. As I stated above, I turned all the other rules off for testing and it was the only rule, and it was not stopping SMTP traffic.

If I am right about limiting outgoing traffic with the output rule I listed above, can I allow traffic from my mail server to go through with a simple forward rule for it placed before the deny rule, or, since this traffic is NATed at the router, will I need to create a prerouting mangle entry to capture and identify the packets and use it in the forward rule?

My deny entry may need to be an output filter, since after being natted, the src-address is now the outside port of the router

Not so. The Output chain is solely for traffic that originates on the router. The Input chain for traffic whose final destination is the router. The Forward chain deals with everything else i.e. traffic that is traversing the router.

The rules you originally listed look basically correct. You need to post your entire ruleset here so we see the whole picture.

Regards

Andrew
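The chain and NAT ordering Andrew describes, and the packet-flow document Sam linked, can be checked against a small model. The following is an added example and is not code from the thread or from MikroTik: it walks constructed packets through prerouting dst-nat, the forward filter chain and postrouting src-nat in that order, using the SMTP rules posted above (with RouterOS' action name `accept`). The addresses 203.0.113.10 and 198.51.100.7, the interface names `lan`/`wan`, the prefix-based routing decision and the dict-based rule representation are all assumptions of the example.

```python
"""Toy model of the RouterOS packet flow for transit (forwarded) traffic:
prerouting dst-nat -> routing -> forward filter -> postrouting src-nat.

Added example, not code from the original post or from MikroTik.
Addresses, interface names and the rule representation are assumed.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"      # assumed public address on the router's wan side
MAIL_SERVER = "10.10.100.201"   # mail server address from the thread
LAN_PREFIX = "10.10.100."       # assumed private LAN, crude prefix match for routing


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    in_iface: str
    out_iface: str = ""         # filled in by the routing decision, after dst-nat


def rule(chain, action, to=None, **match):
    """A filter or NAT rule; matcher names are Packet field names."""
    return {"chain": chain, "action": action, "to": to, "match": match}


def matches(r, pkt):
    return all(getattr(pkt, key) == want for key, want in r["match"].items())


def run_filter(rules, chain, pkt):
    """First matching rule in `chain` decides; an empty chain end accepts."""
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            return r["action"]
    return "accept"


def apply_nat(rules, chain, pkt):
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            if r["action"] == "dst-nat":
                return replace(pkt, dst=r["to"])
            if r["action"] == "masquerade":
                return replace(pkt, src=PUBLIC_IP)
    return pkt


def route(pkt, filter_rules, nat_rules):
    """Walk a transit packet through the router in RouterOS order.

    Returns (verdict, packet as the forward chain saw it, packet as it left
    or None if dropped). Only the forward chain is consulted: input and
    output apply to traffic to/from the router itself, not transit traffic.
    """
    pkt = apply_nat(nat_rules, "dstnat", pkt)                 # dst-nat happens first
    out = "lan" if pkt.dst.startswith(LAN_PREFIX) else "wan"  # routing decision
    pkt = replace(pkt, out_iface=out)
    verdict = run_filter(filter_rules, "forward", pkt)        # still sees private src
    if verdict != "accept":
        return verdict, pkt, None
    return verdict, pkt, apply_nat(nat_rules, "srcnat", pkt)  # masquerade last


NAT = [
    rule("dstnat", "dst-nat", to=MAIL_SERVER, dst=PUBLIC_IP, dport=25, proto="tcp", in_iface="wan"),
    rule("srcnat", "masquerade", out_iface="wan"),
]
# The pair posted in the thread (accept mail server, drop everyone else on tcp/25 out wan)
FILTER_POSTED = [
    rule("forward", "accept", src=MAIL_SERVER, dport=25, proto="tcp", out_iface="wan"),
    rule("forward", "drop", dport=25, proto="tcp", out_iface="wan"),
]
# Drop without out-interface: the variant that also stops inbound SMTP
FILTER_BROAD = [FILTER_POSTED[0], rule("forward", "drop", dport=25, proto="tcp")]
# Drop placed in the output chain: never consulted for transit traffic
FILTER_OUTPUT = [FILTER_POSTED[0], rule("output", "drop", dport=25, proto="tcp", out_iface="wan")]

SAMPLES = {  # constructed packets
    "mail_server_out": Packet(MAIL_SERVER, "198.51.100.7", 25, "tcp", "lan"),
    "infected_host_out": Packet("10.10.100.55", "198.51.100.7", 25, "tcp", "lan"),
    "inbound_to_mx": Packet("198.51.100.7", PUBLIC_IP, 25, "tcp", "wan"),
}


def verdicts(filter_rules):
    return {name: route(p, filter_rules, NAT)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("posted", FILTER_POSTED), ("broad", FILTER_BROAD), ("output", FILTER_OUTPUT)):
        print(label, verdicts(rules))
```

Under this model the posted pair behaves as intended: the mail server's outbound SMTP is accepted and only masqueraded afterwards, the infected host is dropped, and inbound SMTP (already dst-natted to 10.10.100.201 when the forward chain runs) leaves on the LAN interface and is not touched by the `out-interface=wan` drop. The broad drop without `out-interface` blocks that inbound mail, which matches the observation earlier in the thread, and a drop in the output chain never fires for forwarded traffic at all.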

andrewluck is right, your SMTP rules seem to be OK, so please also post the rest of the filter and NAT rules; there can be another rule that has some side effect.