infused
Member
Topic Author
Posts: 313
Joined: Fri Dec 28, 2012 2:33 pm

Input/Output rules

Thu Jul 11, 2013 4:08 am

Hi Guys,

Having a little bit of a hard time getting my head around this.

I have an input filter that allows a couple of ports. I then allow all output. The final rule drops any other form of input request. What I don't understand is, DNS queries and NTP updates from the router do not work with this configuration. What am I missing?
/ip firewall connection tracking
set tcp-established-timeout=6h
/ip firewall filter
add chain=forward comment="established connections" connection-state=\
    established
add chain=forward comment="related connections" connection-state=related
add chain=forward comment=mail dst-port=25 protocol=tcp
add chain=forward comment="web access" dst-port=443 protocol=tcp
add action=drop chain=forward comment="drop anything else"
add chain=input dst-port=80,8291 protocol=tcp
add chain=input comment=monitoring protocol=icmp src-address=202.68.89.181
add chain=output
add action=drop chain=input
 
infused
Member
Topic Author
Posts: 313
Joined: Fri Dec 28, 2012 2:33 pm

Re: Input/Output rules

Thu Jul 11, 2013 4:27 am

I guess with UDP, since it's connectionless, established connections don't apply, so I specifically need input rules for NTP and DNS, which I've done and which work. Correct?
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Input/Output rules

Thu Jul 11, 2013 8:41 am

First of all, a short explanation of the various chains:
input is for traffic towards the router as its final destination.
forward is for traffic entering and also leaving the router on its way to a final destination.
output is for traffic originated by the router itself.

Since you have only one output rule, and I assume it is allowing traffic, it is actually doing nothing, because all traffic is allowed by default. And I don't think that that is a problem.
Regarding your DNS/NTP issue, I guess that it has something to do with not having established and related allowances on your input chain.
I guess that if you create both rules just like the ones on your forward chain, DNS and NTP will work.
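The input chain that Rudios describes, written out in full as an added example (this is not configuration from the thread or from MikroTik documentation; the rule set below is constructed from the original post plus the two suggested rules). The point it illustrates: when the router itself sends a DNS or NTP query, the output chain is consulted and connection tracking records a UDP pseudo-connection; the reply then arrives on the input chain and matches connection-state=established, so it is accepted before the final drop. Without those two rules the reply hits the unconditional drop, which is exactly the symptom in the first post. As in the original export, rules without an explicit action default to accept; the ICMP source address is the one from the original post.

```routeros
/ip firewall filter
# Stateful rules first. Replies to the router's own DNS (udp/53) and NTP
# (udp/123) queries return on the input chain as part of a tracked
# connection, so they are accepted here and never reach the drop below.
add chain=input comment="established connections" connection-state=established
add chain=input comment="related connections" connection-state=related
# Services the router deliberately exposes (from the original post).
add chain=input comment="www/winbox" dst-port=80,8291 protocol=tcp
add chain=input comment=monitoring protocol=icmp src-address=202.68.89.181
# Everything else destined to the router itself is dropped.
add action=drop chain=input comment="drop anything else to the router"

# Verification after applying the rules:
# 1. Trigger a lookup from the router and confirm it succeeds.
:put [:resolve www.mikrotik.com]
# 2. Confirm the reply was counted by the established rule, not the drop.
/ip firewall filter print stats where chain=input
# 3. Inspect the tracked UDP pseudo-connections the DNS/NTP queries created.
/ip firewall connection print where protocol=udp
```

Order matters: RouterOS evaluates rules top to bottom, so if the two stateful rules are added to an existing chain that already ends in a drop, move them above it (for example with /ip firewall filter move) rather than appending them after the drop, where they would never be reached.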
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Input/Output rules

Tue Jul 21, 2015 9:54 am

Add these two rules, before your drops, and you should be fine:
(change the interface name to your LAN)
add chain=input in-interface=ether2-lan
add chain=forward in-interface=ether2-lan
