RouterOS firewall not working with netcat?

Hi guys, I’m trying to use netcat on Linux OS to check if a server is correctly working.

I have RB750:

• eth1 = 192.168.1.2/24
• eth2 = 192.168.10.1/24

default gateway = 192.168.1.1/24
test server = 192.168.1.3/24
Ubuntu PC = 192.168.10.2/24 (connected on eth2)


I placed masquerade rule on output traffic on eth1 to make Ubuntu PC running.
I can correctly access to server.

I try to test netcat with TCP protocol on port 80 (http interface on my server):

 nc -zv -w5 192.168.1.3 80 &> /dev/null && echo "online" || echo "offline"

result: “online”

I place firewall rule on my routerOS:
chain=forward
dst-address=192.168.1.3
protocol=tcp
action=drop

Now my netcat output is “offline”.


Now I try to test my UDP server:

 nc -zvu -w5 192.168.1.3 5330 &> /dev/null && echo "online" || echo "offline"

I got output message “online”.

I set firewall to block UDP traffic (I want simulate my server offline):
chain=forward
dst-address=192.168.1.3
protocol=udp
port=5330
action=drop

I correctly see packet counter of drop rule increasing, using wireshark I don’t see any incoming traffic on server, but netcat says: “online”.

Any ideas?
Thanks.

You want:

action=reject
reject-with=icmp-host-unreachable

That’s what router should produce for offline server. If you just drop the packet, nothing is sent back to client. The problem is that if you had silent udp server, which just accepts the packet and does not send any reply, the result would be exactly the same - nothing sent back to client. And it’s hard to tell the different between first case nothing and second case nothing.