warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Access servers on a specific port

Thu Oct 10, 2013 6:52 pm

Hello everyone,
I have a problem that I am not able to solve.
It is about two subnets which should communicate with each other only on certain ports.


Eth2 - clients 192.168.0.0/24
Eth3 - servers 10.80.50.0/29
 0   chain=input action=accept protocol=tcp src-address=192.168.0.0/24
     in-interface=eth2 dst-port=8291

 1   chain=forward action=accept protocol=tcp src-address=10.80.50.0/29
     dst-address=192.168.0.0/24

 2   chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
     dst-address=10.80.50.0/29

 3   chain=forward action=drop

 4   chain=input action=reject reject-with=icmp-protocol-unreachable
     protocol=icmp

 5   chain=input action=drop
The above rules work OK. But the problem is when I want to specify only on which ports they should communicate.

 0   chain=input action=accept protocol=tcp src-address=192.168.0.0/24
     in-interface=eth2 dst-port=8291

 1   chain=forward action=accept protocol=tcp src-address=10.80.50.0/29
     dst-address=192.168.0.0/24 dst-port=135,136,137

 2   chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
     dst-address=10.80.50.0/29 dst-port=135,136,137

 3   chain=forward action=drop

 4   chain=input action=reject reject-with=icmp-protocol-unreachable
     protocol=icmp

 5   chain=input action=drop
Cannot access at all.
 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Fri Oct 11, 2013 11:15 am

Bump.

Here is another example.

Clients from eth2 192.168.0.0/24 need to access the file server on eth1 10.80.50.4/29
 0   chain=input action=accept protocol=tcp src-address=192.168.0.0/24
     in-interface=eth2 dst-port=8291

 1   chain=forward action=accept protocol=tcp src-address=10.80.50.4
     dst-address=192.168.0.0/24 dst-port=135,136,137

 2   chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
     dst-address=10.80.50.4 dst-port=135,136,137

 3   chain=forward action=drop

 4   chain=input action=reject reject-with=icmp-protocol-unreachable
     protocol=icmp

 5   chain=input action=drop
Cannot access.
 0   chain=input action=accept protocol=tcp src-address=192.168.0.0/24
     in-interface=eth2 dst-port=8291

 1   chain=forward action=accept protocol=tcp src-address=10.80.50.0/29
     dst-address=192.168.0.0/24

 2   chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
     dst-address=10.80.50.0/29

 3   chain=forward action=drop

 4   chain=input action=reject reject-with=icmp-protocol-unreachable
     protocol=icmp

 5   chain=input action=drop

But this works.
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: Access servers on a specific port

Fri Oct 11, 2013 6:54 pm

Maybe you should use Torch to see what ports are being used.
Maybe you are blocking some ports.
As far as I've read on the internet, NetBIOS uses broadcast packets; maybe it has something to do with that.
 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Fri Oct 11, 2013 8:58 pm

Hmmm.. I used the connection filter to check on which ports they communicate, and I read the manual for the ports that need to be open.
It seems to work only when I check "Any. Port:" in the firewall filter options and add the ports there.

Confusing, I must say. By the way, does anyone know what "Any. Port:" means? I read about it somewhere on the internet, but it is a little bit confusing for me; my English is not so good.
Continuing to work under this setting, I tested Windows RDP as an example. I needed to add the RDP port to both rules in order for it to work, but I only wanted to access from one subnet. I don't understand why I must add this port to both rules and use "Any. Port:".


Any help would be appreciated for this "anomaly" and making this correct.
 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Sat Oct 12, 2013 8:48 pm

Bump.
 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Sun Oct 13, 2013 10:17 pm

I googled half the internet for this and cannot find a solution.
Bump. Sorry guys, I really need help with this. :?
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Access servers on a specific port

Sun Oct 13, 2013 10:42 pm

Post your full export compact and what you are trying to do. I'll look at it tonight.

Sent from my SCH-I545 using Tapatalk
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Access servers on a specific port

Mon Oct 14, 2013 12:50 am

You really need to use Torch to see which ports are involved. Also note that while some NetBIOS traffic does indeed use the same port on the client and server many protocols do not do that. If your clients always initiate connections you may want to try allowing NEW connections to a restricted IP/port range on the server subnet but allow all ESTABLISHED & RELATED traffic in the other direction.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Mon Oct 14, 2013 1:20 am

Post your full export compact and what you are trying to do. I'll look at it tonight.

Sent from my SCH-I545 using Tapatalk
Hi efaden, thanks for the help, please read the last couple of posts. It's simple, yet strange.. :?
 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Mon Oct 14, 2013 1:22 am

You really need to use Torch to see which ports are involved. Also note that while some NetBIOS traffic does indeed use the same port on the client and server many protocols do not do that. If your clients always initiate connections you may want to try allowing NEW connections to a restricted IP/port range on the server subnet but allow all ESTABLISHED & RELATED traffic in the other direction.
Trust me mate, I know which ports they are. The problem is MikroTik (firewall rules), or am I too dumb to configure these rules properly? That's why I need help. :?
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Access servers on a specific port

Mon Oct 14, 2013 1:23 am

You really need to use Torch to see which ports are involved. Also note that while some NetBIOS traffic does indeed use the same port on the client and server many protocols do not do that. If your clients always initiate connections you may want to try allowing NEW connections to a restricted IP/port range on the server subnet but allow all ESTABLISHED & RELATED traffic in the other direction.
I am pretty sure that, looking at the above ruleset, his problem is that he has no rules with src-port 135,136,137 and they aren't getting picked up by connection tracking....

Op: What is on these ports? And post your whole config... export compact.
 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Mon Oct 14, 2013 1:27 am

You really need to use Torch to see which ports are involved. Also note that while some NetBIOS traffic does indeed use the same port on the client and server many protocols do not do that. If your clients always initiate connections you may want to try allowing NEW connections to a restricted IP/port range on the server subnet but allow all ESTABLISHED & RELATED traffic in the other direction.
I am pretty sure that looking at the above ruleset his problem is that he has no rules with the src-port as 135,136,137 and they aren't getting picked up by connection tracking....

Op: What is on these ports? And post your whole config... export compact.
On these ports is the communication for the Windows network. I tried src-port, it doesn't work. It only works with "Any. Port:", and even then I must add the ports that I want to open to both rules. Confusing.
There is no more configuration except this and the default rules for IP addresses, mate.
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Access servers on a specific port

Mon Oct 14, 2013 1:29 am

You really need to use Torch to see which ports are involved. Also note that while some NetBIOS traffic does indeed use the same port on the client and server many protocols do not do that. If your clients always initiate connections you may want to try allowing NEW connections to a restricted IP/port range on the server subnet but allow all ESTABLISHED & RELATED traffic in the other direction.
I am pretty sure that looking at the above ruleset his problem is that he has no rules with the src-port as 135,136,137 and they aren't getting picked up by connection tracking....

Op: What is on these ports? And post your whole config... export compact.
On these ports is the communication for the Windows network. I tried src-port, it doesn't work. It only works with "Any. Port:", and even then I must add the ports that I want to open to both rules. Confusing.
There is no more configuration except this and the default rules for IP addresses, mate.
I trust that there is nothing else... but I just find it easier to see your export... if you want me to look through it post the whole export compact. I have time tonight to figure it out.

Also windows stuff uses 135, 137, 138, 139...

http://en.wikipedia.org/wiki/List_of_TC ... rt_numbers
 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Mon Oct 14, 2013 1:35 am



I trust that there is nothing else... but I just find it easier to see your export... if you want me to look through it post the whole export compact. I have time tonight to figure it out.

Also windows stuff uses 135, 137, 138, 139...

http://en.wikipedia.org/wiki/List_of_TC ... rt_numbers
1. The config is in the first and the other posts; it's a default configuration with only the rules above, and examples of when it works and when it does not.
2. I know, I posted that in my last post.
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Access servers on a specific port

Mon Oct 14, 2013 1:54 am

How are you testing that it is or isn't working?
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Access servers on a specific port

Mon Oct 14, 2013 2:36 am

How are you testing that it is or isn't working?
I'm pretty sure you need... All four of these.

chain=forward action=accept protocol=tcp src-address=10.80.50.4
    dst-address=192.168.0.0/24 dst-port=135,136,137

chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
    dst-address=10.80.50.4 dst-port=135,136,137

chain=forward action=accept protocol=tcp src-address=10.80.50.4
    dst-address=192.168.0.0/24 src-port=135,136,137

chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
    dst-address=10.80.50.4 src-port=135,136,137
 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Mon Oct 14, 2013 10:57 am

How are you testing that it is or isn't working?
I'm pretty sure you need... All four of these.

chain=forward action=accept protocol=tcp src-address=10.80.50.4
    dst-address=192.168.0.0/24 dst-port=135,136,137

chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
    dst-address=10.80.50.4 dst-port=135,136,137

chain=forward action=accept protocol=tcp src-address=10.80.50.4
    dst-address=192.168.0.0/24 src-port=135,136,137

chain=forward action=accept protocol=tcp src-address=192.168.0.0/24
    dst-address=10.80.50.4 src-port=135,136,137
That will not work.
The problem is that when a client makes a session on that port with the server, the client uses some other port on its side, and when you apply the reverse rule, the server also uses another port on its side besides 135,136,137 etc.
And when the rules above, or mine, are applied, they block the other ports on their side. Got it mate? :idea:

Confusing for making a rule with minimum access. :?
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Access servers on a specific port

Mon Oct 14, 2013 1:59 pm

That will not work.
The problem is that when a client makes a session on that port with the server, the client uses some other port on its side, and when you apply the reverse rule, the server also uses another port on its side besides 135,136,137 etc.
And when the rules above, or mine, are applied, they block the other ports on their side. Got it mate? :idea:

Confusing for making a rule with minimum access. :?
Which is why you use the ESTABLISHED and RELATED connection states to permit the return traffic to the client as I mentioned earlier.

1) Apply rules to permit the new connections from the client to the server on the known ports.
2) Apply rules to permit the ESTABLISHED and RELATED traffic between the client and server.
Last edited by CelticComms on Mon Oct 14, 2013 3:00 pm, edited 1 time in total.
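The two steps above, written out as RouterOS filter rules for the addresses used in this thread. This is an added example, not configuration posted by anyone here. The port list is an assumption: the thread names TCP 135/136/137 and RDP, but Windows file sharing over TCP uses 445 (plus the legacy NetBIOS session service on 139), while 137 and 138 carry UDP NetBIOS traffic, so TCP rules for them match nothing. Confirm the list with Torch or `/ip firewall connection print` before locking it down. Rule order matters: the chain is evaluated top to bottom and `add` appends, so on a router that already has rules use `place-before=` to put the connection-state rules in front of the final drop.

```routeros
# Added example, not from the thread. Addresses and interface names are the
# thread's; the port list (135 RPC, 139/445 SMB, 3389 RDP) is an assumption.
/ip firewall filter

# Step 2 first in evaluation order: return and ongoing traffic of connections
# that were accepted by the NEW rule below. This is what the symmetric dst-port
# rules could never match: the server's reply has dst-port = the client's
# ephemeral port, not 135/139/445.
add chain=forward connection-state=established,related action=accept \
    comment="allow return traffic of accepted connections"

# Packets that connection tracking cannot tie to any connection.
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# Step 1: only the client subnet may open NEW connections, only to the file
# server, only on the listed TCP ports. Nothing grants the server subnet a
# NEW rule, so it cannot initiate connections towards the clients at all.
add chain=forward connection-state=new protocol=tcp \
    src-address=192.168.0.0/24 in-interface=eth2 \
    dst-address=10.80.50.4 dst-port=135,139,445,3389 \
    action=accept comment="clients -> file server, named ports only"

# Log what is about to be dropped so a missing port shows up in /log print
# instead of just "cannot access". Remove once the port list is confirmed.
add chain=forward action=log log-prefix="fwd-drop " comment="log before drop"
add chain=forward action=drop comment="drop everything else"

# Input chain as in the thread: WinBox from the client LAN only, ICMP rejected,
# everything else dropped. Note that replies to connections the router itself
# opens (DNS, NTP, updates) would also need an established,related accept here.
add chain=input protocol=tcp src-address=192.168.0.0/24 in-interface=eth2 \
    dst-port=8291 action=accept comment="winbox from clients"
add chain=input protocol=icmp action=reject reject-with=icmp-protocol-unreachable
add chain=input action=drop
```

The point for the OP's symptom is in the first rule: a dst-port match on the return direction can never succeed because the destination port of a reply is whatever ephemeral port the client picked, so the only correct way to admit replies is by connection state. Because the server subnet has no `connection-state=new` rule, this is also tighter than the original symmetric pair, which let servers open connections to clients.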

 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Mon Oct 14, 2013 2:08 pm

Oh,
quick, off the top of my head...
ip firewall rule chain forward connection state established action accept
ip firewall rule chain forward connection state related action accept
Am I correct?
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Access servers on a specific port

Mon Oct 14, 2013 2:59 pm

Oh,
quick, off the top of my head...
ip firewall rule chain forward connection state established action accept
ip firewall rule chain forward connection state related action accept
Am I correct?
Yes - with whatever other selectors are appropriate given the security requirements - e.g. src/dst addresses/address ranges.

 
warlock
just joined
Topic Author
Posts: 13
Joined: Thu Oct 10, 2013 6:14 pm

Re: Access servers on a specific port

Mon Oct 14, 2013 10:15 pm

Oh,
quick, off the top of my head...
ip firewall rule chain forward connection state established action accept
ip firewall rule chain forward connection state related action accept
Am I correct?
Yes - with whatever other selectors are appropriate given the security requirements - e.g. src/dst addresses/address ranges.
Works like a charm. Karma is on the way.
By the way, do you know maybe what this option is for: Any. Port:
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Access servers on a specific port

Mon Oct 14, 2013 11:19 pm

By the way, do you know maybe what this option is for: Any. Port:
It matches on the port regardless of whether it is the dst. or src. port.
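"Any. Port" in WinBox is the `port=` matcher on the CLI, and CelticComms's description of it explains both why the OP's symmetric rules started working once it was used and why they then restrict very little. The following is an added example, not configuration from the thread; the addresses and the 135,136,137 port list are the OP's, the log prefix and rule placement are my choice.

```routeros
# Added example, not from the thread. 'port=' ("Any. Port" in WinBox) matches
# when EITHER the source or the destination port is in the list.
/ip firewall filter

# What the OP's working-but-confusing pair amounts to. For a client connection
# to the server on 135 it accepts
#   client:ephemeral -> server:135   (the intended connection)
#   server:135 -> client:ephemeral   (its reply, because src-port 135 matches)
# but, with no connection-state check, it equally accepts
#   client:135 -> server:ANY         (a client that binds its source port to 135)
#   server:135 -> client:ANY         (the server reaching any client port)
# so any host that chooses 135, 136 or 137 as its local port reaches every TCP
# service on the other side, and the "only these ports" intent is not enforced.
add chain=forward protocol=tcp src-address=192.168.0.0/24 \
    dst-address=10.80.50.4 port=135,136,137 action=accept \
    comment="WEAK: 'Any. Port' matches src OR dst"
add chain=forward protocol=tcp src-address=10.80.50.4 \
    dst-address=192.168.0.0/24 port=135,136,137 action=accept \
    comment="WEAK: also lets the server open connections to clients"

# Detection rule placed in front of the pair: a NEW connection from the client
# subnet whose SOURCE port is one of the service ports is either a misconfigured
# host or someone using the weak matcher. Normal clients use ephemeral ports.
add chain=forward connection-state=new protocol=tcp \
    src-address=192.168.0.0/24 src-port=135,136,137 \
    action=log log-prefix="src-port-abuse " \
    place-before=0 comment="log clients initiating from a service port"
```

Entries with the `src-port-abuse` prefix in `/log print` show the weak rules being used in a way their author did not intend. The fix is not a longer port list but the two-step ruleset CelticComms gave earlier in this thread: accept `connection-state=new` only from clients to the server's destination ports, accept `established,related` for the rest, and drop; `port=` is then not needed at all.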
