atakacs
Member Candidate
Topic Author
Posts: 121
Joined: Mon Mar 07, 2016 5:39 pm

Confused about chains

Fri Jun 11, 2021 12:13 am

Hi

My very first firewall filter rule is:
[xxx@mkt-sx-00] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; drop blacklisted
      chain=forward action=drop src-address-list=DenyLIst log=yes log-prefix="deny-" 

I have IP 190.6.38.79 in my DenyLIst,
yet it seems to find a way to Winbox.

[screenshot not included]

What am I missing?
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Confused about chains

Fri Jun 11, 2021 12:36 am

It is from IP 190.6.38.79 towards what? An IP on another network, or just local to the router where this rule is defined?

Missing the "deny-" in any log line.

Local access to the router is the "input" chain, not the "forward" chain.
Access to an IP address in the same subnet as the source probably never passes the firewall, but is just bridged.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Confused about chains

Fri Jun 11, 2021 12:41 am

Without seeing your whole config, no one here can help you; it's just playing guessing games...
/export hide-sensitive file=anynameyouwish
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Confused about chains

Fri Jun 11, 2021 2:16 am

Move the rule from /ip firewall filter (forward) to /ip firewall raw (prerouting).

There is the Winbox ACL (/ip service winbox), and Winbox is a router service (input chain), not a routed service (forward chain).

If you use "forward" you do not intercept "input" traffic towards the router CPU, and if you see that in the log, it is working right.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Confused about chains

Fri Jun 11, 2021 2:22 am

...
ping
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Confused about chains

Fri Jun 11, 2021 7:54 am

Under /ip -> services, you have the list with various services like http, https, ssh, winbox, api etc.
Only ENABLE those that are relevant and set the IPs from which access is allowed. By default they are world reachable if you do not narrow them down or filter them otherwise (e.g. in the prerouting chain).
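Putting rextended's and jvanhambelgium's answers into rules, as an added example that is not from the thread: the raw prerouting drop covers both router-bound and routed traffic, the input chain is where Winbox actually arrives, and the service ACL narrows Winbox once more. The list name DenyList, the LAN subnet 192.168.88.0/24 and the WAN interface list are assumptions.

```routeros
# Added example; list name, LAN subnet and interface list are assumptions.
# 1. Blacklist first, in raw/prerouting: this runs before the input and
#    forward chains, so it catches traffic to the router and through it.
/ip firewall raw
add chain=prerouting src-address-list=DenyList action=drop log=yes log-prefix="deny-" comment="drop blacklisted sources"

# 2. Winbox (TCP 8291) terminates on the router, so it is input, not forward.
#    A forward rule never sees it, which is why the original rule matched nothing.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input src-address=192.168.88.0/24 protocol=tcp dst-port=8291 action=accept comment="winbox from LAN only (assumed subnet)"
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 action=drop log=yes log-prefix="winbox-wan-" comment="winbox from the internet"

# 3. Narrow the service itself as well, and disable what is unused.
/ip service
set winbox address=192.168.88.0/24
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes

# Check: a blacklisted source must now show up in the log with the deny- prefix.
/log print where message~"deny-"
```

Rule order matters: the established/related accept comes before any drop, and the LAN accept before the WAN drop, so moving rules with drag-and-drop in Winbox can silently change the result.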
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Confused about chains

Fri Jun 11, 2021 10:34 am

Not an answer to your question, but to me it seems that you have Winbox open to the internet?
If so, you are at high risk of being hacked (older RouterOS has a big bug).

Use VPN to access winbox, then you do not need to block anyone.

If VPN can not be used, follow these steps.

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. ++++

Your access list does block some IPs from accessing Winbox. In step 4, you should block all and only allow valid IPs.
 
atakacs
Member Candidate
Topic Author
Posts: 121
Joined: Mon Mar 07, 2016 5:39 pm

Re: Confused about chains

Fri Jun 11, 2021 11:56 am

Thanks for all that excellent advice, which I am implementing as we speak!
A bit of a thread drift, but how do you do port knocking in MikroTik?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Confused about chains

Fri Jun 11, 2021 12:06 pm

Thanks for all that excellent advice, which I am implementing as we speak!
A bit of a thread drift, but how do you do port knocking in MikroTik?
The search will give you plenty of detailed posts on this.
Also,
https://mum.mikrotik.com/presentations/US10/discher.pdf
https://mum.mikrotik.com/presentations/ ... tknock.pdf
https://systemzone.net/securing-mikroti ... -knocking/

and so on and so on.
You can decide yourself how many "stages" the sequence must have, but 3-stage is pretty secure with an extremely small chance of somebody ever hitting the jackpot ;-)
I would also implement something to put "portscanners" on a ban-list if too many attempts are made in a certain time window, because otherwise you can keep trying port combinations forever.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Confused about chains

Fri Jun 11, 2021 2:03 pm

3-stage is pretty secure with extremely small chance of somebody ever hitting the jackpot ;-)
65535^3 = 281,462,092,005,375 (depends on how you implement it)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Confused about chains

Fri Jun 11, 2021 2:13 pm

For example:
honeypot IP: some free public IP

or, if a free public IP is not available:
honeypot TCP port: 1433 (SQL, for example)
honeypot UDP port: 1434 (SQL, for example)

A port scan hitting the honeypot surely indicates an unwanted connection;
the IP goes directly to the raw blacklist.
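The three-stage knock and scanner ban-list that jvanhambelgium describes, combined with rextended's honeypot ports, as one added example that is not from the thread. Knock ports 7001/7002/7003, the timeouts, the DenyList name and the WAN interface list are assumptions; LAN access to the router is left to other rules.

```routeros
# Added example; knock ports, timeouts, list names and WAN list are assumptions.
/ip firewall raw
add chain=prerouting src-address-list=DenyList action=drop comment="banned sources: nothing reaches any chain, open ports included"

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop

# Honeypot: the router runs nothing on TCP 1433 / UDP 1434, so a hit from the
# internet is a scan. Ban the source for a day; the raw rule then blocks every port.
add chain=input in-interface-list=WAN protocol=tcp dst-port=1433 action=add-src-to-address-list address-list=DenyList address-list-timeout=1d log=yes log-prefix="honeypot-" comment="honeypot tcp"
add chain=input in-interface-list=WAN protocol=udp dst-port=1434 action=add-src-to-address-list address-list=DenyList address-list-timeout=1d log=yes log-prefix="honeypot-" comment="honeypot udp"

# Three-stage knock. A stage only counts while the previous stage's list still
# holds the source, so both the order and the 15s windows are enforced.
# add-src-to-address-list does not accept the packet: the knocks themselves fall
# through to the final drop, so nothing answers on the knock ports.
# Pick non-consecutive ports in practice, or a sequential sweep passes stage 1 and 2.
add chain=input in-interface-list=WAN protocol=tcp dst-port=7001 action=add-src-to-address-list address-list=knock1 address-list-timeout=15s comment="knock stage 1"
add chain=input in-interface-list=WAN protocol=tcp dst-port=7002 src-address-list=knock1 action=add-src-to-address-list address-list=knock2 address-list-timeout=15s comment="knock stage 2"
add chain=input in-interface-list=WAN protocol=udp dst-port=7003 src-address-list=knock2 action=add-src-to-address-list address-list=knock-ok address-list-timeout=1h comment="knock stage 3: winbox opened for 1h"

# Only a completed knock reaches Winbox; everything else to the router from the WAN is dropped.
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 src-address-list=knock-ok action=accept comment="winbox after knock"
add chain=input in-interface-list=WAN action=drop comment="drop the rest from WAN"

# Checks: who has completed the knock, and who got banned.
/ip firewall address-list print where list=knock-ok
/ip firewall address-list print where list=DenyList
```

An already open Winbox session keeps working after knock-ok expires because the established/related rule matches it; only a new connection needs a fresh knock.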
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Confused about chains

Fri Jun 11, 2021 3:29 pm

3-stage is pretty secure with extremely small chance of somebody ever hitting the jackpot ;-)
65535^3 = 281,462,092,005,375 (depends on how you implement it)
And since you can use either TCP (64K ports) or UDP (64K ports) or ICMP that number is only getting larger ;-)
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Confused about chains

Fri Jun 11, 2021 3:31 pm

Anyone who tries 1 port on my router that is not open by default (like 443 is open) will be banned on all ports for 24 hours, even the open ports (443).
There are around 5000 to 10000 IPs in the block list at any time.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Confused about chains

Fri Jun 11, 2021 3:34 pm

Anyone who tries 1 port on my router that are not default open (like 443 is open) will be banned for all ports for 24 hour, even the open ports (443).
Pfff, where is the hospitality these days ;-)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Confused about chains

Fri Jun 11, 2021 3:38 pm

Better as a separate topic, but does SOMEONE know a program to shrink an IP blacklist?

Like when finding inside the blacklist something like:

1.2.232.0 (/32)
1.2.232.1 (/32)
1.2.232.2 (/32)
1.2.232.3 (/32)
1.2.232.4 (/32)
1.2.232.5 (/32)
1.2.232.6 (/32)
1.2.32.0/23
1.2.34.0/23

shrink it like:
1.2.232.0/30
1.2.232.4/31
1.2.232.6 (/32)
1.2.32.0/22
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Confused about chains

Fri Jun 11, 2021 3:47 pm

Here you go:
https://tehnoblog.org/ip-tools/ip-address-aggregator/

Input
1.2.232.0
1.2.232.1
1.2.232.2
1.2.232.3
1.2.232.4
1.2.232.5
1.2.232.6
1.2.32.0/23
1.2.34.0/23
Result
1.2.32.0/22
1.2.232.0/30
1.2.232.4/31
1.2.232.6/32
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Confused about chains

Fri Jun 11, 2021 3:49 pm

Pfff, where is the hospitality these days ;-)
You are very welcome to visit me, but just use the correct door, or else you may lose your head :)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Confused about chains

Fri Jun 11, 2021 4:43 pm

If you come to Italy, close to my city, I'm pleased to offer a pizza :))
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Confused about chains

Fri Jun 11, 2021 7:36 pm

If you come to Italy, close to my city, I'm pleased to offer a pizza :))
Maybe I will one day :)
Coming from the cold north a pizza is always welcome...
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Confused about chains

Fri Jun 11, 2021 8:36 pm

If you come to Italy, close to my city, I'm pleased to offer a pizza :))
Maybe I will one day :)
Coming from the cold north a pizza is always welcome and I will bring the Ice Vino...
Rewritten for accuracy!!
