These are not necessary; MikroTik creates a chain as soon as you create the first rule in that chain.
> ```text
> ####################################
> #allowed
> $IPT -A allowed -p TCP --syn -j ACCEPT
> $IPT -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A allowed -p TCP -j DROP
> ```

is equivalent to

```text
/ip firewall filter
add chain=allowed protocol=tcp tcp-flags=syn action=accept
add chain=allowed protocol=tcp connection-state=established,related action=accept
add chain=allowed protocol=tcp action=drop
```
> ```text
> ####################################
> #bad_tcp_packets
> $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" --log-level=info
> $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
> ```

is equivalent to

```text
/ip firewall filter
add chain=bad-tcp-packets protocol=tcp tcp-flags=syn,ack connection-state=new action=reject reject-with=tcp-reset
add chain=bad-tcp-packets protocol=tcp tcp-flags=!syn connection-state=new action=drop log=yes log-prefix="New not syn"
```
There is no equivalent of `--log-level`. You can use one rule with `action=log` and then another one with `action=drop`, like in your original case, or you can integrate both into a single rule like I did.
> ```text
> ####################################
> #established sessions
> $IPT -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
> $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ```

The first rule is nearly equivalent to

```text
/ip firewall filter
add chain=input src-address=127.0.0.1/32 action=accept
```

but it is not exactly the same, because in RouterOS the `lo` interface is not shown. There is an auto-generated interface list named `all` which intuitively should match any interface but `lo`, so maybe you can try to add `in-interface-list=!all`, but I've never tested that. If it doesn't work and you want to be as strict as you were in iptables, you have to create your own interface list and make all existing interfaces members of it, to be able to use it as a complement to `lo`.
The second rule is replaced by two:

```text
/ip firewall filter
add chain=output connection-state=new,established,related action=accept
add chain=output action=drop
```

The reason is that the first rule alone would actually be redundant, because MikroTik does not let you choose the default action for a chain, so it is always `accept`. I.e. if you're migrating from iptables where you had a default action of `drop`, you have to add the second rule ("drop the rest") to the end of each chain.
The last rule is equivalent to

```text
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input action=drop
```

As said above, there must also be a "drop all" rule at the end of the input chain for this rule to make any difference.
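To show the mapping this answer walks through as something you can run, here is an added example (my own code, not from the answer or from MikroTik) that rewrites `$IPT -A ...` lines into RouterOS `add` lines and appends the "drop the rest" rule to each built-in chain. It follows the answer's choices (`-j LOG` becomes `action=log`, the `-i lo` match is dropped, chain names are lowercased with dashes) and assumes the iptables INPUT and OUTPUT policies were DROP.

```python
import shlex

# Built-in chains differ only in case; custom chains get their underscores dashed.
BUILTIN = {"INPUT": "input", "OUTPUT": "output", "FORWARD": "forward"}

def chain_name(chain):
    return BUILTIN.get(chain, chain.lower().replace("_", "-"))

def translate_rule(rule):
    """Map one '$IPT -A <chain> ...' line onto a RouterOS 'add ...' line."""
    toks = shlex.split(rule)
    out, i = ["chain=" + chain_name(toks[toks.index("-A") + 1])], 0
    while i < len(toks):
        t, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else "")
        if t == "-p":
            out.append("protocol=" + nxt.lower()); i += 2
        elif t == "--syn":
            out.append("tcp-flags=syn"); i += 1
        elif t == "!" and nxt == "--syn":
            out.append("tcp-flags=!syn"); i += 2
        elif t == "--tcp-flags":  # '--tcp-flags SYN,ACK SYN,ACK' -> tcp-flags=syn,ack
            out.append("tcp-flags=" + toks[i + 2].lower()); i += 3
        elif t == "--state":
            out.append("connection-state=" + nxt.lower()); i += 2
        elif t == "-s":
            out.append("src-address=" + (nxt if "/" in nxt else nxt + "/32")); i += 2
        elif t == "-i" and nxt == "lo":
            i += 2  # RouterOS shows no lo interface, so the match is dropped
        elif t == "-j":
            out.append("action=" + nxt.lower()); i += 2
        elif t == "--reject-with":
            out.append("reject-with=" + nxt); i += 2
        elif t == "--log-prefix":
            out.append('log-prefix="%s"' % nxt.rstrip(":")); i += 2
        else:
            i += 1  # $IPT, -A, <chain>, -m state, --log-level=... have no counterpart
    return "add " + " ".join(out)

def translate(script, drop_policy=("INPUT", "OUTPUT")):
    """Translate a whole script; a RouterOS chain always defaults to accept, so each
    built-in chain whose iptables policy was DROP (assumed here) gets a final drop."""
    lines = ["/ip firewall filter"]
    lines += [translate_rule(l) for l in script.splitlines() if l.lstrip().startswith("$IPT")]
    lines += ["add chain=%s action=drop" % chain_name(c) for c in drop_policy]
    return lines

# Constructed input: the rules quoted in the question, one per line.
SAMPLE = """$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" --log-level=info
$IPT -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"""
```

Print `"\n".join(translate(SAMPLE))` to get a paste-ready `/ip firewall filter` block; the trailing drop rules are what make the accept rules meaningful.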