neutronlaser
Member Candidate
Topic Author
Posts: 212
Joined: Thu Jan 18, 2018 5:18 pm

Filter Rules - Output showing activity, why?

Mon Apr 08, 2019 3:26 pm

Hi
I have blocked an address list in my Filter Rules. The intention is to block computers on the network from accessing the address list.

I understand Forward chain is most appropriate, as it is for routed traffic.

I also added Input and Output chains just to see what happened, and I noticed that the Output chain has activity. Forward and Input don't have activity.

Why would this be?

These are my Filter Rules:
# apr/08/2019 13:18:20 by RouterOS 6.44.2
# model = RBD52G-5HacD2HnD
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=forward comment="Block China" dst-address-list=\
    CountryIPBlocks log=yes log-prefix=block_china
add action=drop chain=input comment="Block China" dst-address-list=\
    CountryIPBlocks log=yes log-prefix=block_china
add action=drop chain=output comment="Block China" dst-address-list=\
    CountryIPBlocks log=yes log-prefix=block_china
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1h chain=input comment="Port scanner detection" log=\
    yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" log=\
    yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1h chain=input comment="SYN/FIN scan" log=yes \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1h chain=input comment="SYN/RST scan" log=yes \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" log=yes \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1h chain=input comment="ALL/ALL scan" log=yes \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1h chain=input comment="NMAP NULL scan" log=yes \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow guest VLAN to printer" \
    dst-address=192.168.0.13 log=yes log-prefix=vlan150_to_printer \
    src-address=192.168.150.0/24
add action=drop chain=forward comment="Block guest VLAN to LAN" dst-address=\
    192.168.0.0/24 log=yes log-prefix=vlan150_to_lan_block src-address=\
    192.168.150.0/24
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="accept ICMP" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
 
CZFan
Forum Guru
Posts: 1435
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Filter Rules - Output showing activity, why?

Mon Apr 08, 2019 3:52 pm

Because your rules are incorrect:

Forward chain: you have a dst address list, which should work OK, but it should really be a src address list.
Input chain: again you have a dst address list. This will never work, as you should not have any China IPs (as per the address list) on your router, so it should also be a src address list instead of a dst address list.
Output chain: IPs come in from China; as they are not blocked by the above rules, the router responds, but the response is blocked by the FW rule matching dst address list IPs.
MTCNA, MTCTCE, MTCRE & MTCINE
 
neutronlaser
Member Candidate
Topic Author
Posts: 212
Joined: Thu Jan 18, 2018 5:18 pm

Re: Filter Rules - Output showing activity, why?

Mon Apr 08, 2019 7:14 pm

So is this correct:

Forward src - Will block access from country to computers on my network
Forward dst - Will block access from my network to country

Input src - Will block access from country directly to my router (e.g. router admin page, if foolishly open)
Output dst - Will block access if my router for some reason was directly accessing country e.g. Mikrotik ping tool
 
sutrus
newbie
Posts: 27
Joined: Fri Jun 30, 2017 11:27 pm

Re: Filter Rules - Output showing activity, why?

Mon Apr 08, 2019 7:33 pm

forward - packets passing through the router between ports
input - packets coming in to the port
output - packets leaving the port

src - the source the packet comes from
dst - where the packet is going
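The chain and address-list semantics described in the two replies above, as an added simulation that is not code from this thread or from MikroTik: it parses the three posted "Block China" rules and a corrected set, assigns each constructed packet to the input, output or forward chain the way RouterOS does (by whether the router itself is the source or the destination), and counts rule hits per rule. Connection tracking, interface lists and the other rules in the export are deliberately left out, so the model shows only why a dst-address-list rule in the input chain never matches inbound packets while the same match in the output chain catches the router's replies. All addresses are constructed assumptions: 203.0.113.0/24 stands in for the CountryIPBlocks list, 198.51.100.2 and 192.168.0.1 are the router's own WAN and LAN addresses, and 192.168.0.20 is a LAN host.

```python
import ipaddress
import shlex

# Constructed stand-ins (assumptions, not from the thread): one /24 plays the
# role of the CountryIPBlocks list, and the router owns a WAN and a LAN address.
ADDRESS_LISTS = {"CountryIPBlocks": [ipaddress.ip_network("203.0.113.0/24")]}
ROUTER_IPS = {ipaddress.ip_address("198.51.100.2"), ipaddress.ip_address("192.168.0.1")}

# The three "Block China" rules as posted (logging options stripped).
POSTED_RULES = """
add action=drop chain=forward comment="Block China" dst-address-list=CountryIPBlocks
add action=drop chain=input comment="Block China" dst-address-list=CountryIPBlocks
add action=drop chain=output comment="Block China" dst-address-list=CountryIPBlocks
"""

# Same intent, with the list on the side of the packet it can actually match.
CORRECTED_RULES = """
add action=drop chain=forward comment="Block China in" src-address-list=CountryIPBlocks
add action=drop chain=forward comment="Block China out" dst-address-list=CountryIPBlocks
add action=drop chain=input comment="Block China" src-address-list=CountryIPBlocks
add action=drop chain=output comment="Block China" dst-address-list=CountryIPBlocks
"""


def parse_rules(text):
    """Turn RouterOS 'add key=value ...' export lines into dicts."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # handles comment="Block China"
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def chain_for(pkt):
    """RouterOS selects the chain from the router's role in the packet."""
    if pkt["src"] in ROUTER_IPS:
        return "output"   # generated by the router itself
    if pkt["dst"] in ROUTER_IPS:
        return "input"    # addressed to the router itself
    return "forward"      # routed between interfaces


def in_list(addr, name):
    return any(addr in net for net in ADDRESS_LISTS.get(name, []))


def matches(rule, pkt):
    """Only the address-list matchers are modelled; other matchers are ignored."""
    if "src-address-list" in rule and not in_list(pkt["src"], rule["src-address-list"]):
        return False
    if "dst-address-list" in rule and not in_list(pkt["dst"], rule["dst-address-list"]):
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule in the packet's chain wins; no match means accept."""
    chain = chain_for(pkt)
    for index, rule in enumerate(rules):
        if rule["chain"] == chain and matches(rule, pkt):
            return chain, index, rule["action"]
    return chain, None, "accept"


def hit_counters(rules, packets):
    """Per-rule hit counts (the 'activity' seen in the rule list) plus verdicts."""
    counters = [0] * len(rules)
    verdicts = {}
    for pkt in packets:
        chain, index, action = evaluate(rules, pkt)
        if index is not None:
            counters[index] += 1
        verdicts[pkt["name"]] = (chain, action)
    return counters, verdicts


def packet(name, src, dst):
    return {"name": name, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


# Constructed traffic: a listed host probes the router, the router answers it,
# a LAN host connects out to a listed address, a listed host reaches into the LAN.
SAMPLE_PACKETS = [
    packet("china->router", "203.0.113.10", "198.51.100.2"),
    packet("router->china", "198.51.100.2", "203.0.113.10"),
    packet("lan->china", "192.168.0.20", "203.0.113.50"),
    packet("china->lan", "203.0.113.50", "192.168.0.20"),
]

if __name__ == "__main__":
    for label, text in (("posted", POSTED_RULES), ("corrected", CORRECTED_RULES)):
        counters, verdicts = hit_counters(parse_rules(text), SAMPLE_PACKETS)
        print(label, "hit counters:", counters)
        for name, (chain, action) in verdicts.items():
            print(f"  {name:14s} chain={chain:8s} {action}")
```

With the posted rules the probe from the listed address reaches the input chain with the router's own address as dst, so the dst-address-list rule never fires, and only the router's reply (output chain, dst in the list) is dropped; the forward rule fires only when a LAN host initiates traffic to the list, and inbound traffic from the list into the LAN passes it. With the corrected set every one of the four constructed packets is dropped by a rule in its own chain.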
 
neutronlaser
Member Candidate
Topic Author
Posts: 212
Joined: Thu Jan 18, 2018 5:18 pm

Re: Filter Rules - Output showing activity, why?

Mon Apr 08, 2019 10:38 pm

Ok got it, thanks. I guess network computers can access external IPs without passing through Input or Output at all.
