Problem with firewall rules

Posted: Thu Mar 09, 2017 5:37 pm
by cokobless
Hi everyone! I'm new to the forum and also to MikroTik.
I have a problem with the firewall rules: I want to permit some pages and block all the rest. From what I understand it would be something like this:
ip firewall filter
add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
add chain=forward action=drop src-address=172.16.31.101/32
but with this the host 172.16.31.101 loses all connection to the Internet.
What am I doing wrong?

I read this forum a lot and I learn a lot from it, thanks.
And sorry if I write like Tarzan :(

Re: Problem with firewall rules

Posted: Thu Mar 09, 2017 7:09 pm
by null31
Hi, you can add the addresses of the pages to an address list and then block forward traffic whose destination is not one of the IPs in the list.

Like this:
/ip firewall address-list
	add list=white-list address=x.x.x.x
	add list=white-list address=y.y.y.y
	...
/ip firewall filter
	add chain=forward action=accept src-address=172.16.31.101 protocol=udp dst-port=53
	add chain=forward action=drop src-address=172.16.31.101 dst-address-list=!white-list
You don't need the drop at the end; that one drops all packets from 172.16.31.101.

Re: Problem with firewall rules

Posted: Thu Mar 09, 2017 7:33 pm
by tr00g33k
You are missing the established,related firewall rule on the forward chain.

Your config:
ip firewall filter
add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
add chain=forward action=drop src-address=172.16.31.101/32
Corrected:
add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
add chain=forward connection-state=established,related
add chain=forward action=drop src-address=172.16.31.101/32

Re: Problem with firewall rules

Posted: Thu Mar 09, 2017 9:15 pm
by cokobless
> Hi, you can add the addresses of the pages to an address list and then block forward traffic whose destination is not one of the IPs in the list.
>
> Like this:
> /ip firewall address-list
> 	add list=white-list address=x.x.x.x
> 	add list=white-list address=y.y.y.y
> 	...
> /ip firewall filter
> 	add chain=forward action=accept src-address=172.16.31.101 protocol=udp dst-port=53
> 	add chain=forward action=drop src-address=172.16.31.101 dst-address-list=!white-list
> You don't need the drop at the end; that one drops all packets from 172.16.31.101.

Hi, thanks, this is a good idea. I created the address list with 192.168.1.0/24 and 190.96.78.8, but the host 172.16.31.101 only sees the network 192.168.1.0/24 and not the website 190.96.78.8.
Any idea why?

Re: Problem with firewall rules

Posted: Thu Mar 09, 2017 9:28 pm
by cokobless
> Corrected:
> add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS"
> add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32
> add chain=forward action=accept src-address=190.96.78.8/32 dst-address=172.16.31.101/32
> add chain=forward connection-state=established,related
> add chain=forward action=drop src-address=172.16.31.101/32

Thanks, but nothing changed; it doesn't solve the error.

Re: Problem with firewall rules

Posted: Thu Mar 09, 2017 11:20 pm
by null31
What type of internet connection do you have?
Is your gateway 190.96.78.8, or is it another IP?
You must whitelist the IPs of the websites that you want to allow.

Re: Problem with firewall rules

Posted: Fri Mar 10, 2017 1:36 pm
by cokobless
I have a dedicated fibre Internet connection, 50 Mb up and down.
My gateway is 192.168.1.252.
190.96.78.8 is a site to test whether it works fine.
The address list:
ip firewall address-list 
 add list=white-list address=192.168.1.0/24
 add list=white-list address=190.96.78.8
ip firewall filter
 add chain=forward action=accept protocol=tcp dst-port=53 comment="Accept DNS"
 add chain=forward action=drop src-address=172.16.31.101 dst-address-list=!white-list
With this I have connection from host 172.16.31.101 to the whole network 192.168.1.0/24 but not to the web page 190.96.78.8.
That's the problem. Am I blocking something I should not?
Thanks for your time, null31.

Re: Problem with firewall rules

Posted: Fri Mar 10, 2017 6:14 pm
by null31
I tested the rules here and they work fine. You need to remember that websites contain external content like CSS, scripts, fonts and other things from other IPs. So you are dropping packets from these external IPs.
The DNS rule works with no problems when looking up a name at 8.8.8.8.
To get dojin.co working, I needed to add many external addresses from which dojin.co loads its content. You can see my address list in the attachment.
 [admin@ayaya] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=forward action=accept protocol=udp src-address=10.3.3.14 dst-port=53 log=no log-prefix="" 

 1    chain=forward action=drop src-address=10.3.3.14 dst-address-list=!white log=yes log-prefix="drop"

Re: Problem with firewall rules

Posted: Wed Mar 15, 2017 2:37 pm
by cokobless
You're right. Do you know a way to find out which IPs are necessary for a specific web page?

Re: Problem with firewall rules

Posted: Wed Mar 15, 2017 3:18 pm
by janus20
Hi,

Quick answer: by using nslookup, ping or resolve.

a. From a Windows machine, in a command terminal, type:
nslookup -type=A webpage_address
In the non-authoritative section, under addresses, you should see the IP(s).
Or just
ping webpage_address
It should return the IP address after "Reply from...".
b. On the MikroTik terminal you could use the resolve function to do that (or just ping):
:put [:resolve webpage_address server=8.8.8.8]
or just
ping webpage_address count=2
Hope it helps.

kind regards,

Re: Problem with firewall rules

Posted: Thu Mar 16, 2017 2:00 am
by null31
> You're right. Do you know a way to find out which IPs are necessary for a specific web page?

You can use the developer mode of browsers, typically F12.
In the case of dojin.co, I used Firefox: F12 > Network. After loading the page and seeing what is loaded, I added the names (domains) to the address list.

An example is the screenshot below:
You can see what was loaded when I opened this topic.
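A third way to answer the "which IPs does this page need" question, as an added example that is not part of the thread: read the router's own log. null31's drop rule above carries log=yes log-prefix="drop", so every blocked destination is recorded; the Python script below parses such lines, keeps only flows from 172.16.31.101 on web ports, discards multicast noise, and renders address-list commands for review before anything is applied. The sample log lines are constructed (only the thread's 172.16.31.101 is real; other addresses are documentation-range placeholders) and their layout is modelled on RouterOS firewall log output, not copied from the attachment.

```python
import re
from collections import defaultdict
# Constructed sample of RouterOS firewall log, modelled on the format a rule with
# log=yes log-prefix="drop" produces; the attachment from the thread is not
# available, so addresses other than the thread's own are invented here.
SAMPLE_LOG = """\
mar/10 18:14:02 firewall,info drop forward: in:ether2 out:ether1, src-mac 00:0c:29:11:22:33, proto TCP (SYN), 172.16.31.101:51234->203.0.113.10:443, len 60
mar/10 18:14:02 firewall,info drop forward: in:ether2 out:ether1, src-mac 00:0c:29:11:22:33, proto TCP (SYN), 172.16.31.101:51236->203.0.113.10:443, len 60
mar/10 18:14:03 firewall,info drop forward: in:ether2 out:ether1, src-mac 00:0c:29:11:22:33, proto TCP (SYN), 172.16.31.101:51240->198.51.100.7:80, len 60
mar/10 18:14:03 firewall,info drop forward: in:ether2 out:ether1, src-mac 00:0c:29:11:22:33, proto UDP, 172.16.31.101:5353->224.0.0.251:5353, len 120
mar/10 18:14:04 firewall,info drop forward: in:ether2 out:ether1, src-mac 00:0c:29:44:55:66, proto TCP (SYN), 172.16.31.55:40000->203.0.113.10:443, len 60
mar/10 18:14:05 dhcp,info dhcp1 assigned 172.16.31.120 to 00:0c:29:77:88:99
"""

# One logged packet: "<prefix> <chain>: ..., proto TCP (SYN), src:port->dst:port, len N"
LINE_RE = re.compile(
    r"firewall,info (?P<prefix>\S+) (?P<chain>\w+): .*?proto (?P<proto>\w+)"
    r"(?: \([^)]*\))?, (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def dropped_destinations(log_text, host, prefix="drop"):
    """Count dropped flows per (dst, proto, dport) for one source host."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # skip non-firewall lines, other rules' prefixes and other hosts
        if not m or m["prefix"] != prefix or m["src"] != host:
            continue
        counts[(m["dst"], m["proto"], int(m["dport"]))] += 1
    return dict(counts)

def whitelist_candidates(counts, ports=(80, 443)):
    """Distinct web-port destinations, minus multicast noise no page needs."""
    cands = set()
    for (dst, proto, dport) in counts:
        first_octet = int(dst.split(".")[0])
        if proto == "TCP" and dport in ports and not 224 <= first_octet <= 239:
            cands.add(dst)
    return sorted(cands)

def address_list_commands(ips, list_name="white-list"):
    """Render RouterOS address-list commands for review before applying."""
    return [f'/ip firewall address-list add list={list_name} address={ip} comment="from drop log"'
            for ip in ips]

if __name__ == "__main__":
    counts = dropped_destinations(SAMPLE_LOG, "172.16.31.101")
    for cmd in address_list_commands(whitelist_candidates(counts)):
        print(cmd)
```

Review the candidates against the browser's Network tab before adding them: a single page load also produces drops for trackers and ads that the page renders fine without.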