Community discussions

 
drdog
just joined
Topic Author
Posts: 7
Joined: Sun Apr 02, 2017 4:02 am

Forwarding packets on input chain

Mon Apr 10, 2017 2:29 pm

I have the default firewall rules that drop packets on the input chain. While I know I can log these, I would like to be able to forward them to a computer running Wireshark.

Is there a combination of mangle and firewall rules that would allow me to redirect packets from the input chain to a computer on the LAN? The packets are those that would normally have been dropped by the standard drop rule.
 
AlainCasault
Trainer
Posts: 604
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada

Re: Forwarding packets on input chain

Mon Apr 10, 2017 3:45 pm

Hello,

Just add a NAT rule that will dstnat the input traffic to the Wireshark computer. Be as specific as you can to be certain what traffic is affected and that it does not go anywhere else by mistake.

Also add a fw filter that allows that traffic to that computer.

Again, make sure not to leave holes in your security.

Sent from Tapatalk
___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
Sob
Forum Guru
Posts: 4617
Joined: Mon Apr 20, 2009 9:11 pm

Re: Forwarding packets on input chain

Tue Apr 11, 2017 5:29 am

Mangle rules support action=sniff-tzsp, which is specifically made for sniffing packets and sending them elsewhere. The trouble is, mangle happens before filter, so if you have several rules there and you're only interested in packets that get to last drop rule, you'd have to duplicate the whole filtering logic in mangle.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: Forwarding packets on input chain

Tue Apr 11, 2017 1:11 pm

Mangle can work in prerouting, input, forward, output or postrouting chains.....


Sent from my iPhone using Tapatalk
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
Sob
Forum Guru
Posts: 4617
Joined: Mon Apr 20, 2009 9:11 pm

Re: Forwarding packets on input chain

Tue Apr 11, 2017 9:46 pm

Mangle does work in input chain, but still before input's filter. So if I have e.g.:
/ip firewall filter
add chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add chain=input in-interface=ether1
add chain=input src-address-list=Trusted
add chain=input protocol=icmp
<several other rules>
add action=drop chain=input
... and I'm only interested in packets dropped by the last rule, I don't see a way to do it easily.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
eXS
newbie
Posts: 42
Joined: Fri Apr 14, 2017 4:01 am

Re: Forwarding packets on input chain

Fri Apr 14, 2017 4:17 am

I asked nearly the exact same question - how to TZSP packets on the last drop rules - and was promptly chastised and nearly got into an argument on the MikroTik channel on freenode.

Whoever I was talking with acted like I was an idiot for asking, couldn't possibly understand the need, essentially told me I should already be able to define the traffic being dropped, and then went down some weird path of *cap scripting suggestions.

The question & need seems simple though, to me.

Earlier today I read a thread on Splunk and how it can accept logs from Mikrotik, of which it worked with logging specifics of policies. It appeared there may be a way to pull something off there, but it wouldn't be TZSP. Not quite sure.

So yeah, I have pretty much the same question. I'd like to be able to TZSP dropped packets over to Wireshark.
 
Sob
Forum Guru
Posts: 4617
Joined: Mon Apr 20, 2009 9:11 pm

Re: Forwarding packets on input chain

Tue Apr 18, 2017 1:48 am

There's the option log=yes (and the related log-prefix=...) that you can add to any rule. You can also send logs to syslog on another machine, so you can use this to get some basic info about dropped packets (when you add logging to the drop rule). But if you're interested in the whole packet, this won't help you.

You can play in mangle and add the same/similar rules as in filter, to finally end up with the same packets that in filter get to the last drop rule. It may be doable (I'm not sure about all the more complex rules), but it would be a huge mess.

I don't know how hard it would be for MikroTik to add it, but I can surely imagine TZSP sniffing as the same kind of global option as log=yes, so that it could be used with any rule.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
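As an added worked example (not Sob's configuration and not taken from MikroTik documentation), here is what both of Sob's suggestions look like in RouterOS script: remote logging of the final input drop for basic information, and a mangle chain that mirrors the filter rules from Sob's earlier post so that only packets which would reach the final drop rule are copied out with action=sniff-tzsp. It assumes 192.0.2.10 is the LAN host running Wireshark (listening for TZSP on UDP 37008 and syslog on UDP 514); ether1, the Trusted address list and the rule order are taken from Sob's filter example.

```routeros
# Added example (not Sob's configuration or anything from MikroTik docs).
# Assumptions: 192.0.2.10 is the LAN host running Wireshark, listening for
# TZSP on UDP 37008 and for syslog on UDP 514; ether1, the Trusted address
# list and the rule order come from Sob's filter example in this thread.

# 1) Basic info only: log the final input drop and ship the log to syslog.
/system logging action
set [ find name=remote ] remote=192.0.2.10 remote-port=514
/system logging
add topics=firewall action=remote

/ip firewall filter
add chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add chain=input in-interface=ether1
add chain=input src-address-list=Trusted
add chain=input protocol=icmp
# Sob's <several other rules> would go here, unchanged
add action=drop chain=input log=yes log-prefix="input-drop:"

# 2) Whole packet: mirror the filter logic in mangle so that only packets
#    which would reach the final drop rule arrive at the sniff-tzsp rule.
#    In mangle, action=accept ends processing of the chain for that packet,
#    so each mirrored rule "excuses" traffic the filter would accept (or
#    would already have dropped, like invalid) before it can be sniffed.
/ip firewall mangle
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=accept
add chain=input in-interface=ether1 action=accept
add chain=input src-address-list=Trusted action=accept
add chain=input protocol=icmp action=accept
# mirror Sob's <several other rules> here as action=accept, same order
add chain=input action=sniff-tzsp sniff-target=192.0.2.10 sniff-target-port=37008
```

The mangle input chain runs before the filter input chain, so the two copies of the rule list have to be kept in step by hand: any rule added or reordered in filter without the same change in mangle means the sniffed stream no longer matches what is actually dropped. The sniff-tzsp rule only copies the packet; the original still goes on to the filter and is dropped there as before. Wireshark decodes TZSP arriving on UDP 37008 without extra configuration, so the encapsulated frames show up directly in the capture.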
