strelok
just joined
Topic Author
Posts: 12
Joined: Fri Dec 27, 2013 7:40 am

how to deny traffic in one direction?

Mon Sep 23, 2019 5:31 pm

Hello,

I have two hosts: Host-1 and Host-2.
Host-1 is connected to interface Ethernet-1 of the MikroTik.
Host-2 is connected to interface Ethernet-2 of the MikroTik.
</gml_replace>
<gr_replace lines="22-27" cat="clarify" orig="I need to deny">
I need to deny traffic (ICMP, for example) from host 2.2.2.10 to host 1.1.1.10, but keep access from 1.1.1.10 to host 2.2.2.10.
It's like DMZ to LAN: deny; but LAN to DMZ: accept.

So, I can't set up the firewall according to these requirements.
I thought that if I accept traffic from 1.1.1.10 to 2.2.2.10 and apply a common deny at the end, it should work.
But in this case I get no traffic between the two hosts: Host-1 has no access to Host-2 and vice versa.

What I need:

I need to deny traffic (ICMP for example) from host 2.2.2.10 to host 1.1.1.10, but have access from 1.1.1.10 to 2.2.2.10 host.
It's like from DMZ to LAN - deny, but from LAN to DMZ - accept.

So, I can't to set firewall according this requirements.
I thought that if I accept traffic from 1.1.1.10 to 2.2.2.10 and apply common deny at the end It should work.
But in this case I can't traffic between both hosts: Host-1 hasn't access to Host-2 and vice versa.

What's wrong?


/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall connection tracking
set enabled=yes
/ip address
add address=1.1.1.1/24 interface=ether1 network=1.1.1.0
add address=2.2.2.1/24 interface=ether2 network=2.2.2.0
/ip firewall filter
add action=accept chain=forward dst-address=1.1.1.10 src-address=2.2.2.10
add action=drop chain=forward
 
Exiver
Member Candidate
Posts: 114
Joined: Sat Jan 10, 2015 6:45 pm

Re: how to deny traffic in one direction?

Mon Sep 23, 2019 5:52 pm

You have already enabled Connection Tracking which is needed to achieve this goal.

Your firewall rules should look, for example, like this:
/ip firewall filter
add chain=forward action=accept connection-state=new,established,related in-interface=ether1 out-interface=ether2 src-address=1.1.1.10 dst-address=2.2.2.10 comment="accept new, established and related connections from 1.1.1.10 to 2.2.2.10"
add chain=forward action=accept connection-state=established,related in-interface=ether2 out-interface=ether1 src-address=2.2.2.10 dst-address=1.1.1.10 comment="accept established and related connections from 2.2.2.10 to 1.1.1.10"
add action=drop chain=forward comment="drop default"
Your router will then allow new, related and established connections coming from 1.1.1.10 with destination 2.2.2.10. The second rule will allow 2.2.2.10 to reply on established and related connections back to 1.1.1.10. Everything else will be blocked.

See:
https://wiki.mikrotik.com/wiki/Manual:I ... n_tracking and
https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
 
strelok
just joined
Topic Author
Posts: 12
Joined: Fri Dec 27, 2013 7:40 am

Re: how to deny traffic in one direction?

Wed Sep 25, 2019 11:10 am

Thank you very much!

It works. But I'm confused. I was wrong, as I thought that the firewall in MikroTik is stateful.
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: how to deny traffic in one direction?

Wed Sep 25, 2019 3:02 pm

The firewall is stateful if you use it that way (that means working with connection-state). I'd change the posted rules a little:
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 src-address=1.1.1.10 dst-address=2.2.2.10 action=accept
add chain=forward action=reject
Generally you want to accept all established, related or untracked connections, unless you're doing something special. Then if you drop invalid, everything that's left is new. And reject instead of drop makes debugging easier, because when something is blocked, the router sends info about that instead of silently dropping it.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
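To make the difference between the two rulesets concrete, here is an added simulation (not RouterOS code and not from anyone in the thread) of a forward chain sitting in front of a toy connection tracker. It only models the "new" and "established" states, keys flows by the unordered pair of endpoints, and confirms a flow only when its first packet is accepted; the constants ORIGINAL and STATEFUL reproduce the first post's rules and the rules above so that a ping in each direction can be checked.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Set
Packet = namedtuple("Packet", "src dst in_iface")

@dataclass
class Rule:
    action: str                            # accept, drop or reject
    src: Optional[str] = None              # src-address match (None = any)
    dst: Optional[str] = None              # dst-address match
    in_iface: Optional[str] = None         # in-interface match
    states: Optional[Set[str]] = None      # connection-state match

class Firewall:
    """Forward chain plus a toy connection tracker keyed by endpoint pair."""
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()             # confirmed flows, direction-agnostic

    def state_of(self, pkt):
        return "established" if frozenset((pkt.src, pkt.dst)) in self.conntrack else "new"

    def matches(self, r, pkt, state):
        return ((r.src is None or r.src == pkt.src)
                and (r.dst is None or r.dst == pkt.dst)
                and (r.in_iface is None or r.in_iface == pkt.in_iface)
                and (r.states is None or state in r.states))

    def forward(self, pkt):
        state = self.state_of(pkt)
        # first matching rule wins; with no match at all RouterOS accepts
        verdict = next((r.action for r in self.rules if self.matches(r, pkt, state)), "accept")
        if verdict == "accept" and state == "new":
            # the tracker only keeps flows whose first packet was allowed through
            self.conntrack.add(frozenset((pkt.src, pkt.dst)))
        return verdict

def ping(fw, a, a_if, b, b_if):
    """ICMP echo request a->b and the reply b->a; returns the verdict for each."""
    req = fw.forward(Packet(a, b, a_if))
    rep = fw.forward(Packet(b, a, b_if)) if req == "accept" else "not sent"
    return req, rep

# the first post's ruleset (accept 2.2.2.10 -> 1.1.1.10, drop the rest) and the stateful one
ORIGINAL = [Rule("accept", src="2.2.2.10", dst="1.1.1.10"), Rule("drop")]
STATEFUL = [Rule("accept", states={"established", "related", "untracked"}),
            Rule("drop", states={"invalid"}),
            Rule("accept", src="1.1.1.10", dst="2.2.2.10", in_iface="ether1"),
            Rule("reject")]
```

Running ping() over ORIGINAL shows the symptom from the first post: the 1.1.1.10 -> 2.2.2.10 request is dropped outright, and the 2.2.2.10 -> 1.1.1.10 request gets through but its reply is dropped, so neither host can reach the other.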
