what am I missing\ doing wrong?
What you are missing is that once the packets have arrived to your machine, the firewall filter on it can only prevent them from being processed there, but not from coming.
I think the question here is how to get rid of this connection. yes it get dropped but still use some of the uplink bandwidth, isn't it?
Correct, it is using part of your download bandwidth. How to get rid of it depends on why it is coming. As @tippenring suggests, it may be a machine in your LAN which actually initiates that traffic. If outbound traffic is src-nat'ed to the IP address of your WAN interface, the response incoming traffic comes to that IP, so it is handled by firewall filter chain input.
To know for sure, go to command line mode (the
button in WebFig or WInbox), and write the following:
/ip firewall connection print where dst-address~"212.29.225.141"
If you get a non-empty list in return, some machine in your LAN is actively connecting to 212.29.225.141 which subsequently responds, and you'll see the IP address of that machine as src-address in the list. To get rid of that, you would have to add a firewall rule:
/ip firewall filter add chain=forward dst-address=212.29.225.141 action=drop
and move it, using the Winbox or WebFig GUI, as high in the list of rules in chain forward as RouterOS lets you.
Otherwise the packets are coming from 212.29.225.141 either because 212.29.225.141 itself is spamming you, or because someone else is sending packets to 212.29.225.141 indicating your address as source one, and 212.29.225.141 responds, making the real attacker invisible to you. But the latter scenario is not very likely as DoS attacks usually use multiplication effects (for one packet sent by the attacker, the amplifier sends many packets to the victim) and this is not easy with changing ports as seen in your screenshots.
As @tippenring has suggested, revert back from
to
as there is no point in sending back icmp rejects and waste your upload bandwidth once the remote side ignores them.
Then, the next step is suggested by
:
% Abuse contact for '212.29.224.0 - 212.29.225.255' is 'nvabuse@013netvision.co.il'