Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Problem with firewall rules

Locked
 
cokobless
just joined
Topic Author
Posts: 5
Joined: Tue Mar 07, 2017 5:48 pm

Problem with firewall rules

Thu Mar 09, 2017 5:37 pm

Hi to everyone! I'm new in the forum and also with mikrotik.
I have a problem with the firewall rules, I want to permit some pages and block all the rest. According to what I understand it would be something like this:
Code: Select all
ip firewall filter
add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
add chain=forward action=drop src-address=172.16.31.101/32
but whith this the host 172.16.13.101 lost all the connection to Internet.
What I'm doing wrong ?

I read this forum a lot and I learn too much, thanks.
And sorry if i write like tarzan :(
Last edited by cokobless on Thu Mar 09, 2017 9:28 pm, edited 1 time in total.
Top
 
User avatar
null31
Member Candidate
Member Candidate
Posts: 183
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: Problem with firewall rules

Thu Mar 09, 2017 7:09 pm

Hi, you can add the address of pages into an address list and then block the forward where destination is different from the IPs of list.

Like this:
Code: Select all
/ip firewall address-list
	add list=white-list address=x.x.x.x.x
	add list=white-list address=y.y.y.y
	...
/ip firewall filter
	add chain=forward action=accept src-address=172.16.31.101 protocol=udp dst-port=53
	add chain=forward action=drop src-address=172.16.31.101 dst-address-list=!white-list
You don't need to drop on final, this drop all packets from 172.16.31.101.
Top
 
tr00g33k
Frequent Visitor
Frequent Visitor
Posts: 89
Joined: Sun Mar 29, 2015 3:58 pm

Re: Problem with firewall rules

Thu Mar 09, 2017 7:33 pm

You are missing established, related firewall rule on forward chain

Your config:
Code: Select all
ip firewall filter
add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
add chain=forward action=drop src-address=1172.16.31.101/32
Corrected:
Code: Select all
add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
add chain=forward connection-state=established,related
add chain=forward action=drop src-address=1172.16.31.101/32
Top
 
cokobless
just joined
Topic Author
Posts: 5
Joined: Tue Mar 07, 2017 5:48 pm

Re: Problem with firewall rules

Thu Mar 09, 2017 9:15 pm

Hi, you can add the address of pages into an address list and then block the forward where destination is different from the IPs of list.

Like this:
Code: Select all
/ip firewall address-list
	add list=white-list address=x.x.x.x.x
	add list=white-list address=y.y.y.y
	...
/ip firewall filter
	add chain=forward action=accept src-address=172.16.31.101 protocol=udp dst-port=53
	add chain=forward action=drop src-address=172.16.31.101 dst-address-list=!white-list
You don't need to drop on final, this drop all packets from 172.16.31.101.
Hi, thanks, this is a good idea, I create the address-list with the ip 192.168.1.0/24 and 190.96.78.8 but the host 172.16.31.101 only see the network 192.168.1.0/24 and not the web 190.96.78.8.
Any idea why ?
Top
 
cokobless
just joined
Topic Author
Posts: 5
Joined: Tue Mar 07, 2017 5:48 pm

Re: Problem with firewall rules

Thu Mar 09, 2017 9:28 pm

Correted:
Code: Select all
add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
add chain=forward connection-state=established,related
add chain=forward action=drop src-address=172.16.31.101/32
thanks but nothing changed, doesn't solve the error.
Top
 
User avatar
null31
Member Candidate
Member Candidate
Posts: 183
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: Problem with firewall rules

Thu Mar 09, 2017 11:20 pm

What type internet connection you have?
Is your gateway 190.96.78.8? Or is other IP?
You must whitelist the IP from websites that you want to be allow.
Top
 
cokobless
just joined
Topic Author
Posts: 5
Joined: Tue Mar 07, 2017 5:48 pm

Re: Problem with firewall rules

Fri Mar 10, 2017 1:36 pm

I have Internet connection by fiber dedicated 50 Mb up and down..
My gateway is 192.168.1.252
190.96.78.8 is a site for test if it's work fine.
the address list:
Code: Select all
ip firewall address-list 
 add list=white-list address=192.168.1.0/24
 add list=white-list address 190.96.78.8
ip firewall filter
 add chain=forward action=accept protocol=tcp dst-port=53 comment="Accept DNS"
 add chain=forward action=drop src-address=172.16.31.101 dst-address-list=!white-list
with this I have connection from host 172.16.31.101 to all network 192.168.1.0/24 but not to the web page 190.96.78.8
that's the problem. Am I blocking something I should not?
Thanks for you time null31.
Top
 
User avatar
null31
Member Candidate
Member Candidate
Posts: 183
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: Problem with firewall rules

Fri Mar 10, 2017 6:14 pm

I tested the rules here and works fine. You need remember that websites contain external content like css, scripts, fonts and others from other IPs. Then you is dropping packets from these external IPs.
The DNS rule works with no problems when search a name in 8.8.8.8.
To work the dojin.co, i needed add many external address which dojin.co loads the content. You can see on attachment my address list.
Code: Select all
 [admin@ayaya] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=forward action=accept protocol=udp src-address=10.3.3.14 dst-port=53 log=no log-prefix="" 

 1    chain=forward action=drop src-address=10.3.3.14 dst-address-list=!white log=yes log-prefix="drop"
You do not have the required permissions to view the files attached to this post.
Top
 
cokobless
just joined
Topic Author
Posts: 5
Joined: Tue Mar 07, 2017 5:48 pm

Re: Problem with firewall rules

Wed Mar 15, 2017 2:37 pm

You're right, and do you know a way to know wath IP are necessary for a especific web page ?
Top
 
janus20
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Nov 03, 2016 10:31 am
Location: Pitesti, Romania

Re: Problem with firewall rules

Wed Mar 15, 2017 3:18 pm

Hi,

Quick answer: by using nslookup, ping or resolve.

a. From a windows machine on command terminal type:
Code: Select all
nslookup -type=A webpage_address
Into non-authorative section under addresses you should see the ip(s).
or just
Code: Select all
ping webpage_address
it should return ip address after "reply from..."
b. Onto Mikrotik terminal you could use resolve function to do that ( or just ping )
Code: Select all
put [:resolve webpage_address server 8.8.8.8]
or just
Code: Select all
ping webpage_address count=2
Hope it helps.

kind regards,
Top
 
User avatar
null31
Member Candidate
Member Candidate
Posts: 183
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: Problem with firewall rules

Thu Mar 16, 2017 2:00 am

You're right, and do you know a way to know wath IP are necessary for a especific web page ?
You can use Developer mode from browsers, the typical F12.
For the case of dojin.co, i used the Firefox; F12 > Network. After load the page and see what is loaded, i added the names (domains) to address-list.

An example is the below print:
You can see what was loaded when i opened this topic.
You do not have the required permissions to view the files attached to this post.
Top
Locked

Who is online

Users browsing this forum: Bing [Bot], pedroush and 120 guests
  4. RouterOS
  5. Beginner Basics