adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 3:00 pm

I saw that an IP (45.117.203.XXX) is accessing a port that it should not (e.g. port 522).

I tried to block all connections from it with this rule:
/ip firewall filter
add action=drop chain=input comment="some ip accessing port 522" log=yes log-prefix=adr-blocked: src-address=45.117.203.XXX

But it still shows under "firewall connections" with TCP state "time wait" or "established", even after reboot.
Isn't the above rule supposed to drop all interactions with this IP?
Is it because I also have a NAT redirect on that port? Maybe this rule comes before the above firewall filter?
/ip firewall nat
add action=dst-nat chain=dstnat comment="ssh custom external port to local port 22" dst-port=522 in-interface=pppoe-work log=yes protocol=tcp to-addresses=192.168.XXX.XXX to-ports=22

And the log looks like this, because I enabled logging in the NAT rule, but shouldn't it be dropped before this log?
dstnat: in:pppoe-work out:(unknown 0), proto TCP (SYN), 45.117.203.XXX:53890->82.79.XXX.XXX:522, len 60
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocked IP in firewall filter still shows in log and connections  [SOLVED]

Tue Jul 27, 2021 3:01 pm

1 min reply...

In short, when a packet arrives at the routerboard:
pppoe-work->raw->connection-tracking->filter

put the rule in "/firewall raw", chain prerouting,
not in "/firewall filter", and clear the already-tracked connections with src or dst of that address
Last edited by rextended on Tue Jul 27, 2021 4:08 pm, edited 1 time in total.
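The fix rextended describes, written out as an added example (not his configuration, not from the original post). It assumes the address list name blocked-scanners and the log prefix from the first post; 45.117.203.XXX is the placeholder the thread uses, so the last octet must be filled in before this is pasted into a terminal.

```routeros
# Added example: drop a scanning source before connection tracking,
# then purge the entries conntrack already holds for it.

# 1. Keep offenders in an address list so the rule itself never needs editing.
/ip firewall address-list
add list=blocked-scanners address=45.117.203.XXX comment="probing port 522" timeout=30d

# 2. Raw prerouting runs before connection tracking, NAT and filter, so a packet
#    dropped here never creates or refreshes a connection entry and never reaches
#    the logging dst-nat rule. place-before=0 puts it above any accept rules in raw.
/ip firewall raw
add chain=prerouting src-address-list=blocked-scanners action=drop \
    log=yes log-prefix="adr-blocked:" comment="drop scanners before conntrack" place-before=0

# 3. Entries created before the rule existed stay until they time out; remove them
#    so the "time wait" / "established" rows for that source disappear.
#    (Connection addresses are "ip:port", hence the trailing colon in the regex.)
/ip firewall connection
remove [find src-address~"^45\\.117\\.203\\.XXX:"]
remove [find dst-address~"^45\\.117\\.203\\.XXX:"]

# 4. Verify: the raw rule's packet counter should rise and the dstnat log line should stop.
/ip firewall raw print stats where comment~"scanners"
/log print where message~"adr-blocked:"
```

A filter rule in chain=input can only ever see packets addressed to the router itself; the port-522 SYN is translated by dst-nat first and then walks the forward chain, which is why the original rule never matched and the connection entries kept appearing.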
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 3:29 pm

Okay, you have port forwarding set up to a server on your network behind your router.
Therefore any public traffic arriving at the router on that port will get passed to the forward chain firewall rules.
This has nothing to do with traffic to the router, which is the input chain, so you need to remove that input chain stuff.

As rextended noted, the place to stop a specific IP address would be in the raw chain.
However, a few things.

a. do you have a source-address-list on your NAT rule?
b. do you have a credible login on the server (aka encrypted https, or FTPS?)

All my server rules for example have a source address list because:
a. most users have a public IP address and
b. if it's dynamic then they can get a free dyndns name on the internet and provide you with that name, which the router will resolve to the proper IP address.
c. of course this shouldn't stop you from ensuring encrypted logins on the server.
d. One note of information: when you add a source address list, the server port is not visible on a port scan; without a source address list, the port is visible on port scans but appears closed.
Much superior to be invisible.

Finally, if one IP can find your IP (visible port on scans) then there will be far more... and you will be playing whack-a-mole and chasing.
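anav's recommendation, as an added example that is not his configuration or from the original post. It assumes the address list name allowed-ssh, the RFC 5737 documentation address 203.0.113.10 and the hostname home.dyndns.example as stand-ins for real trusted sources; pppoe-work and 192.168.XXX.XXX are the placeholders from the first post.

```routeros
# Added example: a port forward that only translates for trusted sources,
# with the matching forward-chain rules (port-forwarded traffic is never "input").

# Trusted sources: a static address plus a dynamic-DNS name the router resolves itself.
/ip firewall address-list
add list=allowed-ssh address=203.0.113.10 comment="office (static)"
add list=allowed-ssh address=home.dyndns.example comment="home (dynamic, router-resolved)"

# dst-nat only for listed sources. Anyone else gets no translation, so their SYN
# never reaches the server; what they see on a scan then depends on the input chain.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=pppoe-work protocol=tcp dst-port=522 \
    src-address-list=allowed-ssh to-addresses=192.168.XXX.XXX to-ports=22 \
    comment="ssh external 522 -> internal 22, trusted sources only"

# Forward chain: accept existing flows, accept only NEW connections that the dstnat
# rule actually translated, drop every other new WAN->LAN attempt.
# These are appended; order them relative to existing forward rules as needed.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="existing flows"
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=pppoe-work action=accept comment="allow port-forwarded new connections"
add chain=forward connection-state=new in-interface=pppoe-work action=drop \
    comment="drop other new WAN->LAN"
```

connection-nat-state=dstnat ties the accept to the translation instead of to a port number, so adding a second forward later only needs a new dstnat rule, and a scanner that is not on the list is dropped in forward even if a stray translation existed.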
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 3:36 pm

Thanks for the detailed reply Anav, your reply popped out when I accepted @Rextended's answer and page refreshed :D

I normally use an IP list on my other MikroTik; on this one it is currently not set, but it is good to know that it is a common practice.

Some of my trusted IPs are dynamic, I run a script on the Mikrotik to update the IPs by calling the host names.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 3:37 pm

@Anav, in this case the rule influences both input and forward, because the NAT rule also redirects from the RouterBOARD public IP:522 on pppoe-work to internal 192.168.x.x:22

dst-nat ... in-interface=pppoe-work dst-port=522 ... to-addresses=192.168.x.x to-ports=22

But it can be different if something is omitted from what the real configuration is...
Last edited by rextended on Tue Jul 27, 2021 4:08 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 3:50 pm

Hi rextended.
Dst nat rules for port forwarding purposes take on 3 flavours but will ignore hairpin nat.

For dynamic public IPs,
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=xxx protocol=yy to-addresses=ip of server to-ports=bb

For static public IPs
add action=dst-nat chain=dstnat dst-address=public IP dst-port=xxx protocol=yy to-addresses=ip of server to-ports=bb

So of course the public IP is involved. But the public IP does not necessarily mean access to the router.
Or how else would WAN to LAN traffic ever take place?

Just because port translation occurs doesn't mean this is input anything.
It's purely a NAT rule. Perhaps you are learning something new today ;-)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 3:51 pm

Hi adrian, there should be no need for your router to run a script, just get your users to get dyndns names...
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 3:58 pm

Hi adrian, there should be no need for your router to run a script, just get your users to get dyndns names...
Hmm.. so I can directly specify hostnames inside an IP list? And if so, how often will the router update that? e.g. if my IP changes.
I always had a script that cleared the IPs list and recreated it based on IP returned by my hostnames.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 4:07 pm

@Anav, I really know that, but I can make mistakes...

/ip firewall nat
add action=dst-nat
chain=dstnat
in-interface=pppoe-work dst-port=522 (for example Public IP on RouterBOARD is 4.4.4.4)
to-addresses=192.168.x.x to-ports=22 (for example 192.168.2.2)

packet->pppoe-work->prerouting->(hotspot-in)->raw->connection-tracking->(mangle)->dst-nat
dst-nat in [src=5.5.5.5:22->4.4.4.4:522]
dst-nat out [src=5.5.5.5:22->192.168.2.2:22]
dst-nat->routing-decision (192.168.2.2 not on RouterBOARD, go forward) ->forward

Ok, my error...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 4:08 pm

Yes, I do it all the time.
Heck, I put IP CLOUD names in firewall lists too.

Take a look at the firewall address list when you do.
You will note that two entries appear, the one you made and then the one the router resolved it to.
So yes, it's kept up to date.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 4:10 pm

No worries rextended when you know too much you can trip over your own complicated piles of expertise, I know so little so sometimes the path, cluttered with so little, is clearer ;-)
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 7:21 pm

Was it always like that? For IP lists to accept hostnames too? Because a few years ago I remember I found a script on this forum that updated hostnames into IPs.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 7:24 pm

You remember well, only from 6.4something is it possible to use an FQDN in /ip firewall address-list,
and that creates a dynamically resolved FQDN-to-IP entry, with the TTL set to what is written in the DNS reply.
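The two approaches discussed above (an FQDN entry that the router keeps resolved, and the older scheduled-script method adrianTNT mentions), as an added example that is not from the thread. The list name allowed-ssh, the hostname home.dyndns.example and the script name refresh-allowed-ssh are assumptions; the script body is pasted into the terminal as one block.

```routeros
# Added example: keeping a dynamic host's address in an address list.

# Current RouterOS (6.4x and later): add the FQDN itself. The router creates a second,
# dynamic entry holding the resolved IP and re-resolves when the DNS TTL runs out.
# Resolution uses the router's own /ip dns settings, so the name must be resolvable there.
/ip firewall address-list
add list=allowed-ssh address=home.dyndns.example comment="FQDN entry, router keeps it resolved"

# Inspect: the dynamic entry shows the IP and a timeout derived from the DNS TTL.
/ip firewall address-list print detail where list=allowed-ssh
/ip firewall address-list print where list=allowed-ssh dynamic=yes

# Legacy alternative (pre-FQDN support): a scheduled script that resolves the name and
# replaces only its own entry. If resolution fails the previous entry is kept, so a DNS
# outage does not lock the trusted host out.
/system script
add name=refresh-allowed-ssh source={
    :local fqdn "home.dyndns.example"
    :local tag "resolved $fqdn"
    :do {
        :local ip [:resolve $fqdn]
        /ip firewall address-list remove [find list="allowed-ssh" comment=$tag]
        /ip firewall address-list add list="allowed-ssh" address=$ip comment=$tag
    } on-error={
        :log warning "refresh-allowed-ssh: could not resolve $fqdn, keeping old entry"
    }
}
/system scheduler
add name=refresh-allowed-ssh interval=10m on-event=refresh-allowed-ssh
```

With the FQDN entry the refresh interval is whatever the DNS TTL says, so a dyndns provider with a short TTL updates quickly; the script variant only notices a change at its scheduler interval, and between runs the list still holds the previous address.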
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: Blocked IP in firewall filter still shows in log and connections

Tue Jul 27, 2021 11:09 pm

Nice.
