mseguramCR
just joined
Topic Author
Posts: 5
Joined: Fri May 22, 2020 6:01 pm

Deny ip PUBLIC traffic

Fri May 22, 2020 7:53 pm

I have an RB3011 with two WAN connections; I filter various traffic on the RB and forward the rest to a Linux server.
One of those traffic flows is for ports 25, 465, 110 and 995; however, even though I try to deny the traffic coming from several IPs, it continues to be forwarded to my mail server.

The byte and packet counters show that the rule detects traffic matching it. However, it is fail2ban on the mail server that temporarily blocks this traffic. I want to do it from the RB.

Rules...
ISP rules
0 and 1: input rules on the WAN network cards (2 IPs), with jump target -> from-internet

Rule denying the public IP range
2 ;;; IPTEST
chain=from-internet action=drop src-address-list=IP_TEST log=no log-prefix="IP MAIL BLOCK"


IP_TEST address-list
68 IP_TEST 45.142.195.8
69 IP_TEST 45.142.195.13
70 IP_TEST 45.142.195.15
71 IP_TEST 45.142.195.7

I have even changed the rule order, and put it in the input chain, but it doesn't stop the traffic in any way. If I activate logging, it does register events.
MSM
 
jvanhambelgium
Member Candidate
Posts: 218
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Deny ip PUBLIC traffic

Fri May 22, 2020 8:15 pm

Check your NAT rules...
 
mseguramCR
just joined
Topic Author
Posts: 5
Joined: Fri May 22, 2020 6:01 pm

Re: Deny ip PUBLIC traffic

Fri May 22, 2020 8:47 pm

Sorry, but what should I look for in the NAT? Basically I tag the traffic, redirect traffic to other services that are not the mail, and finally it forwards it to my Linux firewall.
If the rule worked, the traffic coming from those IPs would not have to be sent to this Linux server, and therefore to the mail.
Note: in the NAT there is no traffic defined for these protocols.
MSM
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Deny ip PUBLIC traffic

Fri May 22, 2020 8:49 pm

can't tell squat from pictures.
please post config
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
solar77
Long time Member
Posts: 529
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Deny ip PUBLIC traffic

Fri May 22, 2020 8:52 pm

you need to also drop this traffic on the forward chain; that is where traffic flowing through the router goes, in this case from the Internet, through the router, to your server.
The input chain is traffic that is heading to the router itself, for example traffic heading to the VPN server on the router, or accessing the router via WinBox.
MTCNA MTCTCE UEWA
 
mseguramCR
just joined
Topic Author
Posts: 5
Joined: Fri May 22, 2020 6:01 pm

Re: Deny ip PUBLIC traffic

Sat May 23, 2020 12:48 am

I am sending part of the configuration, what I think is what you need: firewall, NAT, mangle.
I hope it is enough.
MSM
 
jvanhambelgium
Member Candidate
Posts: 218
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Deny ip PUBLIC traffic

Sat May 23, 2020 8:23 am

> Sorry, but what should I look for in the NAT? Basically I tag the traffic, redirect traffic to other services that are not the mail, and finally it forwards it to my Linux firewall.
> If the rule worked, the traffic coming from those IPs would not have to be sent to this Linux server, and therefore to the mail.
> Note: in the NAT there is no traffic defined for these protocols.

My mistake, I was under the impression that NAT was used, but apparently your backend servers have public IPs directly, so it should only be a filtering job.

EDIT: No they don't, looking at your config....
You have a not so standard config with some jumping around chains, and I wonder if the reason you missed something is the order of packet processing.

The really smart guys on this forum will spot something ;-)
 
mseguramCR
just joined
Topic Author
Posts: 5
Joined: Fri May 22, 2020 6:01 pm

Re: Deny ip PUBLIC traffic

Thu May 28, 2020 2:24 am

Sorry, but the public IPs are on the RB. On it I NAT to a firewall server, where the mail ports are sent to the mail server.

If you check the configuration of the RB, you will see that I label the inbound traffic to know that it comes from the internet; then, once it is identified, I block certain IPs, and in the rule order it would be number 3, since I have two ISPs or two WAN providers.

As I understand it, when the counters of each rule increase it is because the rule is actually applied to the packet. And the problem is exactly this: it applies, however, traffic continues to come from those blocked IPs.

To clarify, the rule is general on the IP, without differentiating which port it transmits on, what protocol, etc.
MSM
 
solar77
Long time Member
Posts: 529
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Deny ip PUBLIC traffic

Thu May 28, 2020 12:33 pm

try adding this to the top of your firewall filter rules
add action=drop chain=forward-from-internet comment=IPTEST log-prefix="IP MAIL BLOCK" \  src-address-list=IP_TEST
not sure why you are using this jump rule, but all the other rules on the forward chain are still unchanged, so they will not apply to the forward chain, and no filter rules are currently on this forward-from-internet chain, which means you have no firewall to protect your LAN.

basically, input chain is traffic heading towards the router itself
forward chain is traffic going through the router, so that is from LAN to internet, and from Internet to LAN.
MTCNA MTCTCE UEWA
 
mseguramCR
just joined
Topic Author
Posts: 5
Joined: Fri May 22, 2020 6:01 pm

Re: Deny ip PUBLIC traffic

Thu May 28, 2020 9:16 pm

Thank you, this rule does work. I thought that putting this rule first meant the other settings for internet traffic didn't matter. For solar77's peace of mind, my first barrier is the MikroTik, with various traffic filters, and then I send it to another firewall, which has direct restrictions that protect the LAN.
MSM
 
k6ccc
Long time Member
Posts: 514
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Deny ip PUBLIC traffic

Thu May 28, 2020 9:43 pm

Input chain only affects traffic that terminates in the router itself.
Forward chain affects traffic that passes through the router (what you are trying to do).
Output chain affects traffic that originates in the router itself and is outbound to someplace else.

You can make all the rules in the world in the wrong chain and it won't accomplish what you want. Doing a jump in the forward chain to another chain, and then putting rules there, should work fine (I do that myself in some cases). Besides organization, putting a bunch of rules in a jump target chain that only involves certain traffic means that the router only needs to go through those rules for that particular type of traffic. For example, if I have a jump in my input chain that only applies to ICMP traffic (we'll call it the ICMP chain for this example), then all other traffic will not have to pass through the 20 firewall rules that I put into the ICMP chain. Saves router CPU time.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
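The chain-selection point made by solar77 and k6ccc, and the reason the original poster's counters kept climbing while mail still got through, can be reproduced with a small model. The following is an added example written for this page, not code from the thread or from MikroTik: it picks the built-in chain from the packet's addresses (a packet addressed to the router enters input, everything passing through enters forward), walks jump targets the way RouterOS does, and rebuilds the thread's layout with the IP_TEST list. The router and mail server addresses are RFC 5737 documentation addresses chosen for the example; interface names ether1/ether2 and the mail-server IP are assumptions.

```python
"""Toy model of RouterOS firewall chain dispatch (constructed example, not MikroTik code).
A packet addressed to the router enters input, one sent by the router enters output,
everything else (Internet -> mail server) enters forward. Rules run top to bottom; a
jump enters the target chain and returns if nothing there terminates; a chain that
falls through accepts, as RouterOS does by default. Addresses other than the IP_TEST
entries from the thread are RFC 5737 documentation addresses chosen for this example."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str

@dataclass
class Rule:
    chain: str
    action: str                      # "drop", "accept" or "jump"
    src_address_list: str | None = None
    in_interface: str | None = None
    jump_target: str | None = None
    comment: str = ""
    counter: int = 0                 # packets matched, like the WinBox packet counter

class Firewall:
    def __init__(self, router_addrs: list[str], address_lists: dict[str, list[str]]):
        self.router_addrs = {ipaddress.ip_address(a) for a in router_addrs}
        self.lists = {name: [ipaddress.ip_network(n) for n in nets]
                      for name, nets in address_lists.items()}
        self.rules: list[Rule] = []

    def add(self, rule: Rule) -> Rule:
        self.rules.append(rule)
        return rule

    def builtin_chain(self, pkt: Packet) -> str:
        """The built-in chain is decided by the packet's addresses, not by any rule."""
        if ipaddress.ip_address(pkt.dst) in self.router_addrs:
            return "input"
        if ipaddress.ip_address(pkt.src) in self.router_addrs:
            return "output"
        return "forward"

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.in_interface and rule.in_interface != pkt.in_iface:
            return False
        if rule.src_address_list:
            src = ipaddress.ip_address(pkt.src)
            if not any(src in net for net in self.lists.get(rule.src_address_list, [])):
                return False
        return True

    def _run_chain(self, chain: str, pkt: Packet) -> str | None:
        for rule in (r for r in self.rules if r.chain == chain):
            if not self._matches(rule, pkt):
                continue
            rule.counter += 1
            if rule.action in ("drop", "accept"):
                return rule.action
            if rule.action == "jump":
                verdict = self._run_chain(rule.jump_target, pkt)
                if verdict is not None:
                    return verdict
        return None  # fell through: back to the caller, or default accept

    def verdict(self, pkt: Packet) -> str:
        return self._run_chain(self.builtin_chain(pkt), pkt) or "accept"


IP_TEST = ["45.142.195.8", "45.142.195.13", "45.142.195.15", "45.142.195.7"]
SMTP_TO_SERVER = Packet("45.142.195.8", "192.0.2.10", "ether1")     # forwarded to the mail server (constructed)
PROBE_TO_ROUTER = Packet("45.142.195.8", "198.51.100.1", "ether1")  # aimed at the router itself (constructed)

def build_firewall(with_forward_drop: bool) -> tuple[Firewall, Rule]:
    """Rebuild the thread's layout; optionally add solar77's forward-side drop rule."""
    fw = Firewall(["198.51.100.1", "203.0.113.1"], {"IP_TEST": IP_TEST})
    # 0, 1: input rules on both WAN interfaces jump to from-internet
    fw.add(Rule("input", "jump", in_interface="ether1", jump_target="from-internet"))
    fw.add(Rule("input", "jump", in_interface="ether2", jump_target="from-internet"))
    # 2: the drop rule from the thread, reachable only through the input chain
    input_drop = fw.add(Rule("from-internet", "drop", src_address_list="IP_TEST", comment="IPTEST"))
    # forwarded traffic jumps to forward-from-internet, which stays empty until fixed
    fw.add(Rule("forward", "jump", in_interface="ether1", jump_target="forward-from-internet"))
    fw.add(Rule("forward", "jump", in_interface="ether2", jump_target="forward-from-internet"))
    if with_forward_drop:
        fw.add(Rule("forward-from-internet", "drop", src_address_list="IP_TEST", comment="IPTEST"))
    return fw, input_drop

def explain(with_forward_drop: bool) -> dict:
    """Verdicts for both packets plus the input-side drop counter after they pass."""
    fw, input_drop = build_firewall(with_forward_drop)
    return {
        "smtp_chain": fw.builtin_chain(SMTP_TO_SERVER),
        "smtp_verdict": fw.verdict(SMTP_TO_SERVER),
        "probe_verdict": fw.verdict(PROBE_TO_ROUTER),
        "input_drop_counter": input_drop.counter,
    }
```

Running `explain(False)` shows the situation in the thread: the probe aimed at the router is dropped and the input-side rule's counter increments, while the SMTP packet to the server enters the forward chain, never reaches `from-internet`, and is accepted. `explain(True)` adds the drop in `forward-from-internet` and the same SMTP packet is dropped, which is the change solar77 suggested. The model keeps only the matchers the thread uses (interface and source address list); ports and connection state are omitted on purpose.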