MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

IPV6 firewall rules

Tue Nov 29, 2016 11:35 am

Please help me find what I'm doing wrong with my IPv6 firewall configuration.
After scanning the IPv6 address with nmap I still have some open ports, like 111, 139, 161, 445, 548, 587.
In my firewall filter rules I have a drop for these ports, but it is not working, and after the nmap scan I don't see any traffic on this rule 0.
/ipv6 firewall filter print
0  chain=input action=drop protocol=tcp in-interface=he dst-port=111,139,161,445,548,587 log=no log-prefix="" 
1    ;;; Allow established connections
      chain=input action=accept connection-state=established log=no log-prefix="" 
2    ;;; Allow related connections
      chain=input action=accept connection-state=related log=no log-prefix="" 
3    ;;; Allow limited ICMP
      chain=input action=accept protocol=icmpv6 log=no log-prefix="" 
4    chain=input action=drop log=no log-prefix="" 
5    ;;; Allow established connections
      chain=forward action=accept connection-state=established,related,new log=no log-prefix="" 
6    ;;; Allow related connections
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 
7    chain=forward action=drop log=no log-prefix="" 
Please help me fix this so that all of the ports 111, 139, 161, 445, 548, 587 coming in on my IPv6 interface (HE) are dropped.
 
kamillo
Member Candidate
Posts: 156
Joined: Tue Jul 15, 2014 5:44 pm

Re: IPV6 firewall rules

Tue Nov 29, 2016 1:29 pm

You are applying the drop action on the INPUT chain, i.e. to traffic going to the router itself, and you are allowing all traffic to go to anything behind the router. Looking at the ports you are scanning, they look like services you would run on a server, not on the router. What I'm trying to say is: shouldn't you put the drop action on the FORWARD chain?
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 firewall rules

Tue Nov 29, 2016 10:08 pm

Thanks for the advice. I have a few devices behind the router which have their own IPv6 addresses.
For these IPv6 addresses I need to limit connections on ports.
For example, limit ports 111, 139, 161, 445, 548, 587 to one of my IPv6 devices, 2001:....:aaaa

/ipv6 firewall filter
add action=accept chain=input comment="Allow established connections" connection-state=established
add action=accept chain=input comment="Allow related connections" connection-state=related
add action=accept chain=input comment="Allow limited ICMP" protocol=icmpv6
add action=accept chain=input comment="Allow Mail Ports" disabled=yes dst-port=25,465,587,995,993 protocol=tcp
add action=drop chain=forward
add action=accept chain=forward comment="Allow established connections" connection-state=established,related,new
add action=accept chain=forward comment="Allow related connections" connection-state=established,related
add action=drop chain=forward
add action=drop chain=input comment="Limit ports to ipv6" dst-address=2001:470:**:***:***:****:****:ddd1/128 dst-port=111,139,161,445,548,587 in-interface=he \
    protocol=tcp
 
pe1chl
Forum Guru
Posts: 5920
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPV6 firewall rules

Tue Nov 29, 2016 10:35 pm

You have lots of things in your firewall that do not make sense at all....
Do you understand how the firewall rules work? Please read http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
(it is for IPv4, but the principles are the same, and the IPv6 manual is severely lacking)
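The two points made in the replies above (the port drop sits in the wrong chain, and the second configuration's first forward rule drops everything before the accepts are ever reached) come down to how RouterOS evaluates filters: a packet addressed to the router itself goes through `input`, a packet passing through to a host behind the router goes through `forward`, and within a chain the first matching rule wins. The following is an added example of a filter set that puts the port restriction where the scanned host actually is; it is not configuration from the thread or from MikroTik. It assumes the Hurricane Electric tunnel interface is named `he`, as in the posts, and uses the documentation address `2001:db8::aaaa` as a placeholder for the masked host address in the post.

```routeros
# Added example, not configuration from the thread. Assumptions: the tunnel
# interface is named "he" and 2001:db8::aaaa stands in for the masked host
# address. Within a chain rules are evaluated top to bottom, first match wins.
/ipv6 firewall filter
# input chain: only packets addressed to the router itself get here, which is
# why the original rule 0 never counted a scan of a host behind the router.
add chain=input action=accept connection-state=established,related \
    comment="input: replies to sessions the router itself opened"
add chain=input action=accept protocol=icmpv6 \
    comment="input: ICMPv6 is required for IPv6 to work at all (ND, PMTUD)"
add chain=input action=drop in-interface=he \
    comment="input: nothing else from the tunnel may reach the router"
# forward chain: packets passing through to hosts behind the router.
# The port restriction belongs here, ahead of any accept that could match a
# new connection; placed after such an accept it would never be evaluated.
add chain=forward action=drop protocol=tcp in-interface=he \
    dst-address=2001:db8::aaaa/128 dst-port=111,139,161,445,548,587 \
    log=yes log-prefix="v6-portdrop" \
    comment="forward: block these ports on this host from the tunnel"
add chain=forward action=accept connection-state=established,related \
    comment="forward: traffic of connections that were already allowed"
add chain=forward action=drop connection-state=invalid \
    comment="forward: packets that belong to no known connection"
add chain=forward action=accept connection-state=new \
    comment="forward: other new connections (the permissive policy from the thread)"
add chain=forward action=drop \
    comment="forward: default deny for anything not matched above"
```

To confirm the rule is doing work, repeat the nmap scan of the host and run `/ipv6 firewall filter print stats`: the packet and byte counters of the forward drop rule should increase, and the log should show entries prefixed `v6-portdrop`; `log=yes` can be removed once that is verified. If the hosts behind the router are not meant to be reachable from the internet at all, the `connection-state=new` accept should be limited to connections that originate on the LAN side (for example with `in-interface=!he`), at which point the per-port drop becomes a belt-and-braces rule rather than the only thing standing between the tunnel and those services.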
