Firewall Chain

Posted: Tue Oct 31, 2017 9:11 pm
by safiullahtariq
Hello All,

I hope you are doing great.

I am not able to properly understand the Firewall Chain process. Can anyone please guide me with a very good example?

What I am trying to do is:

Make rules that flow, in a flow:
1. match this rule
2. then this rule
3. then this rule
4. then this rule
if all else fails,
go to this rule.

Can anyone show me a working example? Any example of user-defined Firewall chains?

Re: Firewall Chain

Posted: Fri Nov 03, 2017 12:55 pm
by safiullahtariq
Many thanks for the reply. It has helped me a lot.

I created 2 different Hotspot user profiles and allotted them different firewall rules via different chains.

Here is my config; it might help someone.
/ip firewall filter
add action=jump chain=forward jump-target=blocked packet-mark=NormalUsers
add action=drop chain=blocked out-interface=ether1 src-address=
add action=drop chain=blocked out-interface=ether1 src-address=
add action=drop chain=blocked out-interface=ether1 src-address=
add action=drop chain=blocked dst-port=!21,22,25,80,143,443,465,587,993,995,5000,8083,8448,1928 out-interface=ether1 protocol=tcp src-address=
add action=jump chain=forward jump-target="Custom Rules" packet-mark=Whatsappallowed
add action=accept chain=forward packet-mark=Whatsappallowed
add action=drop chain=Portsblock disabled=yes dst-port=!34784,45395,50318,59234 out-interface=ether1 protocol=udp src-address=
add action=accept chain=forward disabled=yes dst-port=34784,45395,50318,59234 out-interface=ether1 packet-mark=Whatsappallowed protocol=udp src-address=
add action=accept chain=forward disabled=yes dst-port=4244,5222,5223,5228,5242 out-interface=ether1 packet-mark=Whatsappallowed protocol=tcp src-address=
add action=jump chain=Portsblock disabled=yes jump-target="Other Ports" out-interface=ether1 src-address=
/ip firewall mangle
add action=jump chain=forward jump-target=hotspot src-address-list="Hostpot Packet Marking"
add action=jump chain=forward jump-target=hotspot src-address-list="Normal Users"
add action=jump chain=forward dst-address-list="Normal Users" jump-target=hotspot
add action=jump chain=forward dst-address-list="Hostpot Packet Marking" jump-target=hotspot
/ip hotspot user profile
set [ find default=yes ] address-list="Normal Users" incoming-packet-mark=NormalUsers keepalive-timeout=2h mac-cookie-timeout=1d outgoing-packet-mark=NormalUsers rate-limit=1024k/1024k session-timeout=8h
add !idle-timeout keepalive-timeout=2h mac-cookie-timeout=1d name=Guest rate-limit=512k/512k session-timeout=8h 
add address-list="Hostpot Packet Marking" !idle-timeout incoming-packet-mark=Whatsappallowed keepalive-timeout=2h mac-cookie-timeout=1d name=whatsappallowed outgoing-packet-mark=Whatsappallowed rate-limit=1024k/1024k session-timeout=8h shared-users=2
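The jump flow asked about in the first post, as an added Python model that is not RouterOS code and not part of this thread: it walks the built-in forward chain, jumps into a user-defined chain, and carries on in the calling chain when nothing in the sub-chain decides the packet. The chains, the allowed-port list and the packet fields (the hotspot packet mark is treated as a plain field) are constructed to mirror the config above.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    match: dict           # field -> value or set; a key starting with "!" negates the test
    action: str           # "accept", "drop", "jump" or "return"
    jump_target: str = ""

def matches(rule, pkt):
    for key, want in rule.match.items():
        negate = key.startswith("!")
        have = pkt.get(key.lstrip("!"))
        hit = have in want if isinstance(want, (set, frozenset)) else have == want
        if hit == negate:   # positive matcher missed, or negated matcher hit
            return False
    return True

def walk(chains, name, pkt):
    """Evaluate one chain top to bottom. Returns "accept"/"drop", or None when
    the chain ran out of rules; RouterOS then carries on in the calling chain."""
    for rule in chains.get(name, []):
        if not matches(rule, pkt):
            continue
        if rule.action in ("accept", "drop"):
            return rule.action
        if rule.action == "return":
            return None
        if rule.action == "jump":
            sub = walk(chains, rule.jump_target, pkt)
            if sub is not None:
                return sub
            # nothing terminal matched in the sub-chain: try the next rule here
    return None

def verdict(chains, pkt, default="accept"):
    """Built-in forward chain: a packet no rule decides gets the default policy."""
    v = walk(chains, "forward", pkt)
    return v if v is not None else default

# Constructed chains mirroring the post: NormalUsers traffic jumps to "blocked",
# which only drops TCP to ports outside the allow-list; Whatsappallowed is accepted.
ALLOWED_TCP = {21, 22, 25, 80, 143, 443, 465, 587, 993, 995, 5000, 8083, 8448, 1928}
CHAINS = {
    "forward": [Rule({"mark": "NormalUsers"}, "jump", "blocked"),
                Rule({"mark": "Whatsappallowed"}, "accept")],
    "blocked": [Rule({"out": "ether1", "proto": "tcp", "!dport": ALLOWED_TCP}, "drop")],
}
# Tighter variant: allow the listed TCP ports, then drop everything else from NormalUsers.
STRICT = {**CHAINS, "blocked": [Rule({"proto": "tcp", "dport": ALLOWED_TCP}, "accept"),
                                 Rule({"out": "ether1"}, "drop")]}
```

Because the `blocked` chain in the post only matches TCP, a NormalUsers UDP packet matches nothing, returns to `forward`, and is accepted by the default policy; the `STRICT` chain closes that gap with an explicit allow followed by a catch-all drop.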