nissandata
newbie
Topic Author
Posts: 34
Joined: Fri Dec 03, 2010 7:20 pm

stop traffic between subnets & route via public IPs

Fri Dec 10, 2010 12:53 pm

Hi, I have just set up an RB1100 and have some configuration problems.

I want the subnets to NOT be able to talk directly to each other, and if possible to route the traffic between the subnets via their public IPs.

So, for a client in subnet 10.99.99.0/24 to access the FTP server on 10.24.7.2, the client would connect to 1.2.3.246:21 and the traffic should flow as it would for any other user from the outside.

If this isn't possible (but hey, everything is possible with RB, right?) I want to drop everything between the subnets except specified allowed services, through the firewall I guess.

The reason I want to do everything through the public IPs is that I don't want to set up specific DNS records for the local nets to access websites, FTP servers, mail servers etc. on every subnet.

IP Addresses
I have the following networks set up at the moment, where 0, 2, 14 and 15 are local nets for different subnets and the rest are public IPs:
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; ndLocal - lan
     10.24.1.1/24       10.24.1.0       10.24.1.255     ether3 - ndLocal
 1   ;;; Standard IP for routes
     1.2.3.241/28       1.2.3.240       1.2.3.255       ether12 - wan1
 2   ;;; ndVerkstad - lan
     10.99.99.1/24      10.99.99.0      10.99.99.255    ether6 - ndVerkstad
 3   ;;; ndLocal & ndGuest - wan
     1.2.3.242/28       1.2.3.240       1.2.3.255       ether12 - wan1
 4   ;;; ndHosting - wan
     1.2.3.243/28       1.2.3.240       1.2.3.255       ether12 - wan1
 5   ;;; ndVerkstad - wan
     1.2.3.244/28       1.2.3.240       1.2.3.255       ether12 - wan1
 6   ;;; ndDmz1 - wan
     1.2.3.245/28       1.2.3.240       1.2.3.255       ether12 - wan1
 7   ;;; ndDmz2 - wan
     1.2.3.246/28       1.2.3.240       1.2.3.255       ether12 - wan1
 8   1.2.3.247/28       1.2.3.240       1.2.3.255       ether12 - wan1
 9   1.2.3.249/28       1.2.3.240       1.2.3.255       ether12 - wan1
10   1.2.3.250/28       1.2.3.240       1.2.3.255       ether12 - wan1
11   1.2.3.251/28       1.2.3.240       1.2.3.255       ether12 - wan1
12   1.2.3.252/28       1.2.3.240       1.2.3.255       ether12 - wan1
13   1.2.3.253/28       1.2.3.240       1.2.3.255       ether12 - wan1
14   10.0.0.1/24        10.0.0.0        10.0.0.255      ether4
15   ;;; ndDmz2 - lan
     10.24.7.1/24       10.24.7.0       10.24.7.255     ndDmz2.124
IP Firewall NAT
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; ndDmz2 src
     chain=srcnat action=src-nat to-addresses=1.2.3.246 src-address=10.24.7.0/24 out-interface=ether12 - wan1 

 1   ;;; ndDmz2 - ftp
     chain=dstnat action=dst-nat to-addresses=10.24.7.2 to-ports=21 protocol=tcp dst-address=1.2.3.246 dst-port=21 

 2   ;;; ndDmz2 - ftp data
     chain=dstnat action=dst-nat to-addresses=10.24.7.2 to-ports=1401-1410 protocol=tcp dst-address=1.2.3.246 dst-port=1401-1410 

 3   ;;; ndVerkstad src
     chain=srcnat action=src-nat to-addresses=1.2.3.244 src-address=10.99.99.0/24 out-interface=ether12 - wan1 

 4   ;;; ndLocal src
     chain=srcnat action=src-nat to-addresses=1.2.3.242 src-address=10.24.1.0/24 out-interface=ether12 - wan1 

 5   ;;; ndGuest src
     chain=srcnat action=src-nat to-addresses=1.2.3.242 src-address=10.0.0.0/24 out-interface=ether12 - wan1 

 6   ;;; ndHosting src
     chain=srcnat action=src-nat to-addresses=1.2.3.243 src-address=10.24.5.0/24 out-interface=ether12 - wan1 

 7   ;;; masquerade all
     chain=srcnat action=masquerade out-interface=ether12 - wan1
IP Firewall Filter
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; accept established
     chain=forward action=accept connection-state=established in-interface=ether12 - wan1 

 1   ;;; accept related
     chain=forward action=accept connection-state=related in-interface=ether12 - wan1 

 2   ;;; drop invalid
     chain=forward action=drop connection-state=invalid connection-type="" 

 3   ;;; detect hackers
     chain=forward action=jump jump-target=detect_hackers 

 4   ;;; ndDmz2 - Services
     chain=forward action=jump jump-target=ndDmz2 - Services dst-address=10.24.7.2 

 5   ;;; accept established
     chain=input action=accept connection-state=established in-interface=ether12 - wan1 

 6   ;;; accept related
     chain=input action=accept connection-state=related in-interface=ether12 - wan1 

 7   ;;; drop invalid
     chain=input action=drop connection-state=invalid connection-type="" 

 8   ;;; detect hackers
     chain=input action=jump jump-target=detect_hackers 

 9   ;;; allow acces to rb from safe address-list
     chain=input action=accept protocol=tcp dst-address=1.2.3.241 src-address-list=safe dst-port=8291,22 

10   ;;; drop everything elses
     chain=input action=drop in-interface=ether12 - wan1 

11   ;;; drop invalid out
     chain=output action=drop connection-state=invalid 

12   ;;; drop everything to known hackers
     chain=output action=jump jump-target=drop_hackers 

13   ;;; detect ftp bruteforcers
     chain=output action=jump jump-target=detect_hackers_ftp 

14   ;;; accept all out
     chain=output action=accept 

15   ;;; allow smtp from webroot
     chain=ndLocal action=accept protocol=tcp src-address=194.116.198.0/23 dst-port=25 

16   ;;; allow smtp from webroot
     chain=ndLocal action=accept protocol=tcp src-address=208.87.136.0/23 dst-port=25 

17   ;;; allow smtp from webroot
     chain=ndLocal action=accept protocol=tcp src-address=203.100.58.0/24 dst-port=25 

18   ;;; drop rest smtp for ndLocal
     chain=ndLocal action=drop protocol=tcp dst-port=25 

19   ;;; accept pptp
     chain=ndLocal action=accept protocol=tcp dst-port=1723 

20   ;;; accept pptp
     chain=ndLocal action=accept protocol=udp dst-port=1723 

21   ;;; accept gre for pptp
     chain=ndLocal action=accept protocol=gre 

22   ;;; accept sharepoint
     chain=ndLocal action=accept protocol=tcp dst-port=987 

23   ;;; accept https
     chain=ndLocal action=accept protocol=tcp dst-port=443 

24   ;;; accept smtp for ndhosting
     chain=ndHosting action=accept protocol=tcp dst-port=25 

25   ;;; accept pop3 & imap4 ndhosting
     chain=ndHosting action=accept protocol=tcp dst-port=143,110,995,587,993 

26   ;;; accept pptp ndhosting
     chain=ndHosting action=accept protocol=tcp dst-port=1723 

27   ;;; accept sharepoint ndhosting
     chain=ndHosting action=accept protocol=tcp dst-port=987 

28   ;;; accept GRE ndhosting
     chain=ndHosting action=accept protocol=gre 

29   ;;; accept http ndhosting
     chain=ndHosting action=accept protocol=tcp dst-port=80 

30   ;;; accept https ndhosting
     chain=ndHosting action=accept protocol=tcp dst-port=443 

31   ;;; ndDmz2 - FTP
     chain=ndDmz2 - Services action=accept protocol=tcp dst-port=21,1401-1410 

32   ;;; echo reply
     chain=icmp action=accept protocol=icmp icmp-options=0:0 

33   ;;; net unreachable
     chain=icmp action=accept protocol=icmp icmp-options=3:0 

34   ;;; host unreachable
     chain=icmp action=accept protocol=icmp icmp-options=3:1 

35   ;;; allow source quench
     chain=icmp action=accept protocol=icmp icmp-options=4:0 

36   ;;; allow echo request (limited by pps and size)
     chain=icmp action=accept protocol=icmp icmp-options=8:0 limit=10,5 packet-size=5-156 

37   ;;; allow time exceed
     chain=icmp action=accept protocol=icmp icmp-options=11:0 

38   ;;; allow parameter bad
     chain=icmp action=accept protocol=icmp icmp-options=12:0 

39   ;;; drop other icmp
     chain=icmp action=drop protocol=icmp 

40   ;;; drop everything from known hackers
     chain=detect_hackers action=jump jump-target=drop_hackers 

41   ;;; detect ssh brute forcers
     chain=detect_hackers action=jump jump-target=detect_hackers_ssh protocol=tcp dst-port=22 

42   ;;; detect ftp brute forcers
     chain=detect_hackers action=jump jump-target=detect_hackers_ftp 

43   ;;; add Port scanners to list 
     chain=detect_hackers action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=hacker_port-scanner address-list-timeout=2w 

44   ;;; add Port scanners to list (NMAP FIN Stealth scan)
     chain=detect_hackers action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w 

45   ;;; add Port scanners to list (SYN/FIN scan)
     chain=detect_hackers action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w 

46   ;;; add Port scanners to list (SYN/RST scan)
     chain=detect_hackers action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w 

47   ;;; add Port scanners to list (FIN/PSH/URG scan)
     chain=detect_hackers action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w 

48   ;;; add Port scanners to list (ALL/ALL scan)
     chain=detect_hackers action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w 

49   ;;; add Port scanners to list (NMAP NULL scan)
     chain=detect_hackers action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w 

50   ;;; add ssh brute forcers to hacker_ssh-bruters for 10days
     chain=detect_hackers_ssh action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=hacker_ssh-bruters 
     address-list-timeout=1w3d dst-port=22 

51   ;;; ssh brute forcers the third stage
     chain=detect_hackers_ssh action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m 
     dst-port=22 

52   ;;; shh brute forcers the second stage
     chain=detect_hackers_ssh action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m 
     dst-port=22 

53   ;;; ssh brute forcers the first stage
     chain=detect_hackers_ssh action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 

54   ;;; allow 5 logon tries via ftp per minute before block
     chain=detect_hackers_ftp action=accept protocol=tcp src-address=10.24.7.2 content=530 Not logged in (Password incorrect). dst-limit=1/1m,3,dst-address/1m 

55   ;;; add ftp-user to hackers 23h45m
     chain=detect_hackers_ftp action=add-dst-to-address-list protocol=tcp src-address=10.24.7.2 address-list=hacker_ftp-bruters address-list-timeout=23h45m 
     content=530 Not logged in (Password incorrect). 

56   ;;; Drop portscanners
     chain=drop_hackers action=drop src-address-list=hacker_port-scanner 

57   ;;; Drop ssh brute forcing hackers
     chain=drop_hackers action=drop src-address-list=hacker_ssh-bruters 

58   ;;; Drop ftp brute forcing hackers
     chain=drop_hackers action=drop src-address-list=hacker_ftp-bruters
 
nissandata
newbie
Topic Author
Posts: 34
Joined: Fri Dec 03, 2010 7:20 pm

Re: stop traffic between subnets & route via public IPs

Fri Dec 10, 2010 5:16 pm

Added
;;; drop everything else
     chain=forward action=drop
after filter rule number 5, which did the trick... Is this the correct way to do it?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: stop traffic between subnets & route via public IPs

Fri Dec 10, 2010 7:09 pm

If you need to NAT, just NAT. If you want to NAT traffic from 10.99.0.0/24 to 10.17.0.0/24 to be translated to 1.2.3.4 write a rule that does that:

/ip firewall nat
add chain=srcnat src-address=10.99.0.0/24 dst-address=10.17.0.0/24 action=src-nat to-addresses=1.2.3.4

That's it.

If you want to filter traffic between all interfaces other than the WAN there are several approaches. My favourite would be to use the forward chain: permit established and related traffic from the WAN, then the specific traffic between LANs you want to permit, then all traffic with an out-interface of the WAN, then drop everything else.
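As an added example (not configuration from the original poster or from fewi), here is the approach above written out with the thread's own subnets, public addresses and the "ether12 - wan1" interface, covering both the inter-subnet source NAT and the forward-chain ordering. The address-list name "lan-nets", the rule comments and the log prefix are assumptions made for this example; the poster's existing dstnat rules (1.2.3.246:21 and 1401-1410 to 10.24.7.2) are assumed to stay in place, and the detect_hackers / "ndDmz2 - Services" jump rules are left out.

```routeros
# Added example: not the poster's or fewi's configuration. Subnets, public
# addresses and the interface name come from the thread; "lan-nets", the
# comments and the log prefix are assumed here. The existing dstnat rules
# (1.2.3.246:21 and :1401-1410 -> 10.24.7.2) are kept and are what make the
# public address reachable from the inside as well as from the Internet.

# One list with every local subnet, so the policy does not depend on
# remembering which ether port carries which LAN.
/ip firewall address-list
add list=lan-nets address=10.24.1.0/24 comment="ndLocal"
add list=lan-nets address=10.99.99.0/24 comment="ndVerkstad"
add list=lan-nets address=10.0.0.0/24 comment="ndGuest"
add list=lan-nets address=10.24.7.0/24 comment="ndDmz2"

# Inter-subnet source NAT in the form fewi gives. dstnat has already rewritten
# 1.2.3.246 to 10.24.7.2 when srcnat runs, so the DMZ host sees ndVerkstad's
# public address (1.2.3.244) as the source, exactly as for an Internet client.
# The poster's own srcnat rules do not fire here: they match
# out-interface="ether12 - wan1" only.
/ip firewall nat
add chain=srcnat src-address=10.99.99.0/24 dst-address=10.24.7.0/24 action=src-nat to-addresses=1.2.3.244 comment="ndVerkstad -> ndDmz2 as if from the Internet"

# Forward chain in fewi's order: stateful accepts, the specific inter-LAN
# services you allow, anything leaving via the WAN, then drop the rest.
# The stateful accepts carry no in-interface match on purpose: with the
# poster's in-interface="ether12 - wan1" variant, the FTP server's replies to a
# LAN client arrive on the DMZ interface, miss those rules and hit the final drop.
/ip firewall filter
add chain=forward connection-state=established action=accept comment="accept established (any interface)"
add chain=forward connection-state=related action=accept comment="accept related (any interface)"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward src-address-list=lan-nets dst-address=10.24.7.2 protocol=tcp dst-port=21,1401-1410 action=accept comment="LANs -> ndDmz2 FTP only"
add chain=forward out-interface="ether12 - wan1" action=accept comment="LANs -> Internet"
add chain=forward src-address-list=lan-nets dst-address-list=lan-nets action=log log-prefix="inter-lan-drop" comment="log blocked inter-subnet attempts"
add chain=forward action=drop comment="drop everything else"
```

The order matters more than the individual rules. The "LANs -> Internet" accept sits after the inter-LAN allow and before the drops; the forward rules in the first post accept established and related traffic from the WAN and jump to sub-chains, but none of them accepts a new LAN-to-WAN connection, so a bare "drop everything else" appended to them also blocks the LANs' Internet access. The log rule before the final drop is there so that unexpected inter-subnet traffic shows up in the log with the "inter-lan-drop" prefix rather than disappearing silently; to allow another service between two subnets, add a rule modelled on the FTP accept above it.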
