I’m new to MikroTik routers; I have a cloud router CCR1009-8G-1S-1S+.
I have a mail security filtering service in the cloud, and I want to accept only a certain range of IP addresses that will connect to the SMTP bridge edge server.
I would like to know how we can filter or restrict the connections to my SMTP server to a certain number of IP addresses.
Do we do it with the firewall NAT or the firewall filter rules?
I created a list with the firewall address-list command, that I named SMTP-Relay-Pemit.
I have the following firewall rules:
/ip firewall filter add chain=input action=accept comment="Allow smtp in" dst-address=[IP_WAN] dst-port=25 protocol=tcp src-address-list=SMTP-Relay-Pemit
It does not seem to block any address apart from the addresses in the list that should be permitted; clearly, it does not work.
Does anyone have an idea of how I could change this, so it will accept connections from the address list and drop everyone else going to port 25?
Maybe the very basics need to be explained? Each packet is compared against the rules in a chain one-by-one from top to bottom until the first rule provides a verdict (accept, drop, reject, dstnat, …). So your accept rule is fine, but unless it is followed by a more open “drop” rule in the same chain, the packets to/from addresses which are not on your whitelist can pass through anyway, because the default behaviour of the chain (which takes place if none of the chain’s rules matches the packet) is “accept”. Some actions, like “log”, do not stop processing of the packet by the following rules of the chain but may change the properties of the packet.
As @Chupaka says, you also need to choose the right chain: packets with any of MikroTik’s own addresses as destination are handled by filter chain input, packets with any of MikroTik’s own addresses as source are handled by filter chain output, and packets forwarded by MikroTik from one interface to another are handled by NAT chain dstnat, then filter chain forward, and then NAT chain srcnat.
The “search-until-verdict-only” approach is related only to a single chain group - if a packet has been changed by some rule in NAT/dstnat chain, it is still handled by filter/forward or filter/input chains depending on the new destination address assigned by the NAT/dstnat rule.
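The two points above (first matching rule gives the verdict, default verdict of a chain is accept; and the forward chain sees the destination address as rewritten by dstnat) put together, as an added RouterOS configuration example that is not from this thread. The public address 198.51.100.10, the internal SMTP edge server 192.168.10.25 and the relay range 203.0.113.0/24 are constructed values; the address list is named SMTP-Relay-Permit here.

```routeros
# Constructed example: whitelist a cloud mail-filtering service for port 25
# and drop every other SMTP source. Values below are placeholders.

# 1) The permitted source range(s) of the filtering service.
/ip firewall address-list
add list=SMTP-Relay-Permit address=203.0.113.0/24 comment="constructed example range"

# 2) Publish the internal SMTP edge server on the router's WAN address.
#    dstnat runs before filter/forward, so the forward chain already sees
#    the translated (internal) destination address.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=198.51.100.10 \
    dst-port=25 to-addresses=192.168.10.25 to-ports=25 \
    comment="publish SMTP edge server"

# 3) Filter in the forward chain (traffic passing through the router).
#    Order matters: the accept rule must come first, and the drop rule
#    directly after it, otherwise the chain's default "accept" applies.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="keep existing sessions"
add chain=forward action=accept protocol=tcp dst-address=192.168.10.25 \
    dst-port=25 src-address-list=SMTP-Relay-Permit \
    comment="Allow smtp from filtering service"
add chain=forward action=drop protocol=tcp dst-address=192.168.10.25 \
    dst-port=25 comment="Drop all other smtp"

# If port 25 were terminated on the router itself (as in the original
# input-chain rule), the same accept-then-drop pair would go into chain=input
# with dst-address=198.51.100.10 instead, since no dstnat rewrite happens.
```

Because `add` appends to the end of the chain, check with `/ip firewall filter print` that no broader accept rule (for example a generic "accept all forward" rule) sits above these two; if one does, use `place-before=` or `move` to put the SMTP pair in front of it. The drop rule can be temporarily given `action=log` (or a matching log rule placed above it) to confirm which sources are being refused before enforcing it.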
As stated earlier, you need to look at the ‘forward’ chain instead of the ‘input’ chain. The ‘forward’ chain is for traffic passing through the firewall, and ‘input’ is for traffic destined to the firewall (VPN termination, management traffic, etc.).
Another way to do this, though, is to do it straight from the NAT section. Something like this: