Hi there,
I'm not sure what I've done, but I seem to have messed up my firewall and I can't get my ports to work correctly.
Could someone take a look, please? I've done something stupid and I just can't see it.
[admin@MikroTik] /ip firewall service-port> print
Flags: X - disabled, I - invalid
# NAME PORTS
0 ftp 21
1 tftp 69
2 irc 6667
3 h323
4 sip 5060
5061
5 pptp
[admin@MikroTik] /ip firewall service-port> /
[admin@MikroTik] > ip firewall export
# may/26/2010 20:16:39 by RouterOS 4.9
# software id = 5E9K-MKY7
#
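# Firewall export as posted (RouterOS 4.9). Lines marked NOTE(review) are
# reviewer comments; the config itself is the author's, except that one
# byte-identical duplicate address-list entry has been removed.
/ip firewall address-list
# lan_list: both LAN subnets; it drives the input accept rule and both
# masquerade rules below.
add address=192.168.1.0/24 comment="" disabled=no list=lan_list
add address=192.168.0.0/24 comment="" disabled=no list=lan_list
# NOTE(review): a third entry identical to the first (192.168.1.0/24) was
# removed here; it added nothing to lan_list.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
udp-timeout=10s
/ip firewall filter
# chain=input (traffic to the router itself): established/related, LAN hosts
# and port-knock-trusted hosts are accepted; everything else is dropped by the
# final rule. The "log invalid" rule is present but disabled.
add action=log chain=input comment="log invalid connections" connection-state=invalid disabled=yes log-prefix=INVALID
add action=accept chain=input comment="accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="accept related connections" connection-state=related disabled=no
add action=accept chain=input comment="accept hosts from lan" disabled=no src-address-list=lan_list
add action=accept chain=input comment="accept hosts from trusted list" disabled=no src-address-list=trusted_list
# Port knock: a hit on the stage-1 port lists the source for 15s; a hit on the
# stage-2 port within that window grants 15m on trusted_list.
# NOTE(review): dst-port=XXXXXXX looks redacted in the post; the export will not
# import with that value, so a real port number is needed on both rules.
add action=add-src-to-address-list address-list=trusted_list address-list-timeout=15m chain=input comment="port knock stage 2" disabled=no dst-port=XXXXXXX \
protocol=tcp src-address-list=knock_list
add action=add-src-to-address-list address-list=knock_list address-list-timeout=15s chain=input comment="port knock stage 1" disabled=no dst-port=XXXXXXX \
protocol=tcp
# FTP brute-force guard for the router's own FTP service: the two output-chain
# rules watch for "530 Login incorrect" replies; the dst-limit rule accepts a
# bounded burst per destination and the next rule blacklists the client for
# 3h once that burst is exhausted.
add action=drop chain=input comment="Drop FTP Brute Forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/2m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="" content="530 Login incorrect" disabled=no \
protocol=tcp
# SSH brute-force guard: each new SSH connection advances the source one stage
# (stages expire after 1m); a source reaching ssh_stage3 is blacklisted for 1w3d.
# NOTE(review): with the blacklist rule placed after the stage rules, a single
# new connection can presumably advance stage2 -> stage3 -> blacklist in one
# pass, so the third new connection inside a minute is likely enough; confirm
# that is the intended threshold.
add action=drop chain=input comment="Drop SSH Brute Forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 \
protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="" connection-state=new disabled=no dst-port=\
22 protocol=tcp src-address-list=ssh_stage3
add action=drop chain=input comment="drop invalid connections" connection-state=invalid disabled=no
add action=drop chain=input comment="drop everything else" disabled=no
# NOTE(review): there are no rules in chain=forward, so everything routed
# through the router - including every dst-nat'ed PBX port below - is passed by
# the default policy. Confirm that is intended; at minimum a
# connection-state=invalid drop in forward is usual.
/ip firewall mangle
# Policy routing: each LAN subnet is routing-marked by source address so its
# traffic can use a different route table ("first" / "second").
# NOTE(review): replies from 192.168.0.200 to inbound dst-nat'ed connections are
# also marked "first" by source address; if that table routes via a different
# WAN than the one the connection arrived on, replies will leave asymmetrically
# and the forwarded ports will appear dead. Marking the connection on arrival
# and routing replies by connection-mark is the usual fix - confirm which WAN
# each table uses.
add action=mark-routing chain=prerouting comment="Network 192.168.0.0/24" disabled=no new-routing-mark=first passthrough=yes src-address=192.168.0.0/24
add action=mark-routing chain=prerouting comment="Network 192.168.1.0/24" disabled=no new-routing-mark=second passthrough=yes src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT outbound traffic through ether1" disabled=no out-interface=ether1 src-address-list=lan_list
add action=masquerade chain=srcnat comment="NAT outbound traffic through ether2" disabled=no out-interface=ether2 src-address-list=lan_list
# NOTE(review): none of the dstnat rules below is scoped by in-interface or
# dst-address, so they also match traffic that originates on the LAN: e.g. a
# LAN phone sending SIP to an outside provider on UDP/5060 would be redirected
# to 192.168.0.200. Adding in-interface=<WAN interface> (or dst-address=<WAN IP>)
# to each rule limits them to inbound traffic and is a likely cause of "ports
# not working correctly".
# NOTE(review): the HTTPserver-PBX rule has no to-addresses, so it rewrites
# dst-port 80 to 80 on the original destination - effectively a no-op.
# Presumably to-addresses=192.168.0.200 was intended, as in the other -PBX
# rules; confirm.
add action=dst-nat chain=dstnat comment=HTTPserver-PBX disabled=no dst-port=80 protocol=tcp to-ports=80
add action=dst-nat chain=dstnat comment=Cassini-PBX disabled=no dst-port=5000 protocol=tcp to-addresses=192.168.0.200 to-ports=5000
add action=dst-nat chain=dstnat comment=SIP-PBX disabled=no dst-port=5060 protocol=udp to-addresses=192.168.0.200 to-ports=5060
add action=dst-nat chain=dstnat comment=Tunnel-PBX disabled=no dst-port=5080 protocol=tcp to-addresses=192.168.0.200 to-ports=5080
add action=dst-nat chain=dstnat comment=Tunnel2-PBX disabled=no dst-port=5081 protocol=tcp to-addresses=192.168.0.200 to-ports=5081
add action=dst-nat chain=dstnat comment=TunnelSrv-PBX disabled=no dst-port=5090 protocol=tcp to-addresses=192.168.0.200 to-ports=5090
add action=dst-nat chain=dstnat comment=FaxSrv-PBX disabled=no dst-port=5100 protocol=udp to-addresses=192.168.0.200 to-ports=5100
add action=dst-nat chain=dstnat comment=PhoneDB-PBX disabled=no dst-port=5480 protocol=tcp to-addresses=192.168.0.200 to-ports=5480
add action=dst-nat chain=dstnat comment=CassiniRM-PBX disabled=no dst-port=5481 protocol=tcp to-addresses=192.168.0.200 to-ports=5481
add action=dst-nat chain=dstnat comment=PhoneDB-PBX disabled=no dst-port=5482 protocol=tcp to-addresses=192.168.0.200 to-ports=5482
add action=dst-nat chain=dstnat comment=IVR-PBX disabled=no dst-port=5484 protocol=tcp to-addresses=192.168.0.200 to-ports=5484
add action=dst-nat chain=dstnat comment=ConfServer-PBX disabled=no dst-port=5485 protocol=tcp to-addresses=192.168.0.200 to-ports=5485
add action=dst-nat chain=dstnat comment=AsstServer-PBX disabled=no dst-port=5486 protocol=udp to-addresses=192.168.0.200 to-ports=5486
add action=dst-nat chain=dstnat comment=RTPports-PBX disabled=no dst-port=7000-7499 protocol=udp to-addresses=192.168.0.200 to-ports=7000-7499
add action=dst-nat chain=dstnat comment=RTPMedia-PBX disabled=no dst-port=9000-9049 protocol=udp to-addresses=192.168.0.200 to-ports=9000-9049
add action=dst-nat chain=dstnat comment=FaxSrv-PBX disabled=no dst-port=10000 protocol=udp to-addresses=192.168.0.200 to-ports=10000
add action=dst-nat chain=dstnat comment=OrbitParkSIP-PBX disabled=no dst-port=40000 protocol=udp to-addresses=192.168.0.200 to-ports=40000
add action=dst-nat chain=dstnat comment=OrbitParkRTP-PBX disabled=no dst-port=40010-40138 protocol=udp to-addresses=192.168.0.200 to-ports=40010-40138
add action=dst-nat chain=dstnat comment=ConSrv-PBX disabled=no dst-port=40300 protocol=udp to-addresses=192.168.0.200 to-ports=40300
add action=dst-nat chain=dstnat comment=ConPl-PBX disabled=no dst-port=40310-40438 protocol=udp to-addresses=192.168.0.200 to-ports=40310-40438
add action=dst-nat chain=dstnat comment=IVRSIP-PBX disabled=no dst-port=40600 protocol=udp to-addresses=192.168.0.200 to-ports=40600
add action=dst-nat chain=dstnat comment=IVRRTP-PBX disabled=no dst-port=40610-40866 protocol=udp to-addresses=192.168.0.200 to-ports=40610-40866
/ip firewall service-port
# NOTE(review): the sip helper (ALG) is left enabled while SIP and RTP are
# forwarded by explicit dst-nat rules above. The helper rewrites SIP payloads
# and is a common cause of registration and one-way-audio problems behind
# dst-nat; if SIP still misbehaves after the NAT scoping fix, try
# `set sip disabled=yes` and rely on the explicit rules.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no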
[admin@MikroTik] >