Community discussions

 
KennyPowers
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue May 05, 2015 6:18 pm

Firewall Filter

Sun May 17, 2015 8:43 pm

Hi,

Here is my firewall the section with ip address 10.10.10.0/24 is the public hotspot I only want to allow ports listed and drop everything else which seems to work ok, Only problem is if I add a mac address to the IP Bindings section in the hotspot to bypass the login page they have no internet access because of this rule on the 3 last line in red. Internet access works fine for other users who have logged in.

Can anyone advise please?


ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here"
add chain=input comment="allow icmp" protocol=icmp
add chain=input comment="accept vpn gre" protocol=gre
add chain=input comment="accept vpn" dst-port=1723 protocol=tcp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login \
address-list-timeout=1d chain=input comment=\
"list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1h chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1h chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1h chain=input connection-state=new dst-port=22 \
protocol=tcp
add chain=input comment="allow ssh" disabled=yes dst-port=22 protocol=tcp
add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid
add chain=forward comment="allow already established connections" \
connection-state=established
add chain=forward comment="allow related connections" connection-state=\
related
add action=drop chain=input comment="drop Invalid connections" \
connection-state=invalid
add chain=input comment="allow established connections" connection-state=\
established
add chain=input comment="acccept lan" in-interface=!ether1-gateway \
src-address=192.168.5.0/24
add action=drop chain=input comment="drop everything else"
add chain=forward comment="Allow HTTP" dst-port=80 protocol=tcp src-address=\
10.10.10.0/24
add chain=forward comment="Allow HTTPS" dst-port=443 protocol=tcp \
src-address=10.10.10.0/24
add chain=forward comment="Allow SMTP" disabled=yes dst-port=25 protocol=tcp \
src-address=10.10.10.0/24
add chain=forward comment="Allow SMTP Secure" disabled=yes dst-port=567 \
protocol=tcp src-address=10.10.10.0/24
add chain=forward comment="Allow POP" dst-port=110 protocol=tcp src-address=\
10.10.10.0/24
add chain=forward comment="Allow IMAP" dst-port=143 protocol=tcp src-address=\
10.10.10.0/24
add chain=forward comment="Allow IMAP4-SSL" dst-port=585 protocol=tcp \
src-address=10.10.10.0/24
add chain=forward comment="Allow IMAP4-SSL" dst-port=993 protocol=tcp \
src-address=10.10.10.0/24
add chain=forward comment="Allow POP-SSL" dst-port=995 protocol=tcp \
src-address=10.10.10.0/24
add chain=forward comment="Allow DNS" dst-port=53 protocol=tcp src-address=\
10.10.10.0/24
add chain=forward comment="" dst-port=5251 protocol=tcp \
src-address=10.10.10.0/24
add chain=forward comment="" dst-port=4244 protocol=tcp \
src-address=10.10.10.0/24
add chain=forward comment="" dst-port=5243 protocol=udp \
src-address=10.10.10.0/24
add chain=forward comment="" dst-port=7985 protocol=udp \
src-address=10.10.10.0/24
add chain=forward comment="" dst-port=5222-5223 \
protocol=tcp src-address=10.10.10.0/24
add chain=forward comment="" dst-port=3478-3497 protocol=udp \
src-address=10.10.10.0/24
add chain=forward comment="" dst-port=16384-16387 protocol=udp \
src-address=10.10.10.0/24
add chain=forward comment="" dst-port=16393-16402 protocol=udp \
src-address=10.10.10.0/24
add chain=forward comment="" dst-port=123 protocol=udp src-address=\
10.10.10.0/24
add action=drop chain=forward comment="drop everything else" disabled=yes \
src-address=10.10.10.0/24

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
 
KennyPowers
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue May 05, 2015 6:18 pm

Re: Firewall Filter

Sun May 17, 2015 9:49 pm

Got it sorted needed to allow UDP on port 53

add chain=forward comment="Allow DNS" dst-port=53 protocol=udp src-address=\
10.10.10.0/24

Who is online

Users browsing this forum: Bing [Bot] and 17 guests