Firewall block everything except IP on a dynamic IP address list

Mon Jun 24, 2019 3:10 pm

Dear all,

I have some trouble with a firewall configuration:
I have blocked everything in the forward chain except traffic towards some IP addresses included in an IP address list.
It works like a charm.
Now I would like to populate the IP address list dynamically using an L7 rule. I have added a mangle rule in the prerouting chain to check against the L7 rule and add the address to the allowed IP list.
Unfortunately it doesn't work. It seems the forward drop rule is executed before the mangle prerouting rule that populates this list.

This is my firewall forward chain related configuration:
/ip firewall filter
add action=accept chain=forward comment="forward - accept all connections from lan to allowed ips" packet-mark=lan-wan-allowed-ips
add action=drop chain=forward comment="forward - drop all connections from lan" disabled=yes in-interface-list=lan out-interface-list=wan
This is my firewall L7 related configuration:
/ip firewall layer7-protocol
add name=raspbian regexp="^(.*Host: .*rasp.*)"
This is my firewall mangle prerouting chain related configuration:
/ip firewall mangle
add action=add-dst-to-address-list address-list=allowed-ips address-list-timeout=none-dynamic chain=prerouting comment="add to destination address list raspberry repositories" connection-mark=no-mark dst-address-list=!allowed-ips dst-port=80 in-interface-list=lan layer7-protocol=raspbian protocol=tcp
add action=mark-connection chain=forward comment="mark packets to allowed ips and ports" dst-address-list=allowed-ips in-interface-list=lan new-connection-mark=lan-wan-allowed-ips out-interface-list=wan passthrough=yes
add action=mark-packet chain=forward comment="mark packets allowed" connection-mark=lan-wan-allowed-ips new-packet-mark=lan-wan-allowed-ips passthrough=no
Thank you all
Best regards
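The following is an added illustration, not part of the original post and not RouterOS code: a small Python model of the order in which the rules above are evaluated for one LAN-to-WAN TCP connection. It assumes the documented RouterOS order (mangle prerouting, then mangle forward, then filter forward) and that the layer7 matcher can only match once a packet actually carries payload, so the TCP handshake segments (no HTTP Host header yet) reach the forward filter before the address-list rule has had anything to match. The client and server addresses, the packet sequence and the HTTP request are constructed sample values; only the regexp and the rule logic are taken from the post.

```python
import re
from dataclasses import dataclass, field

# Same regexp as the post's layer7-protocol "raspbian". The l7 engine matches
# case-insensitively and lets "." span newlines, so mirror that here (assumption).
RASPBIAN_L7 = re.compile(r"^(.*Host: .*rasp.*)", re.DOTALL | re.IGNORECASE)


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: str = ""  # handshake segments carry no payload


@dataclass
class Router:
    drop_rule_enabled: bool = True
    allowed_ips: set = field(default_factory=set)       # address-list=allowed-ips
    l7_stream: dict = field(default_factory=dict)       # payload collected per connection
    conn_marks: dict = field(default_factory=dict)      # connection-mark per connection

    def mangle_prerouting(self, pkt, conn):
        # add-dst-to-address-list: dst-port=80, dst-address-list=!allowed-ips, layer7=raspbian
        stream = self.l7_stream.get(conn, "") + pkt.payload
        self.l7_stream[conn] = stream
        if pkt.dst_port == 80 and pkt.dst not in self.allowed_ips and RASPBIAN_L7.search(stream):
            self.allowed_ips.add(pkt.dst)

    def mangle_forward(self, pkt, conn):
        # mark-connection on dst-address-list=allowed-ips, then mark-packet from the connection mark
        if pkt.dst in self.allowed_ips:
            self.conn_marks[conn] = "lan-wan-allowed-ips"
        return self.conn_marks.get(conn)

    def filter_forward(self, packet_mark):
        # accept packet-mark=lan-wan-allowed-ips, otherwise the drop rule (if enabled)
        if packet_mark == "lan-wan-allowed-ips":
            return "accept"
        return "drop" if self.drop_rule_enabled else "accept"

    def process(self, pkt):
        conn = (pkt.src, pkt.dst, pkt.dst_port)
        self.mangle_prerouting(pkt, conn)
        return self.filter_forward(self.mangle_forward(pkt, conn))


def run_connection(drop_rule_enabled, preloaded=()):
    """Push the LAN->WAN half of one HTTP connection through the chains.

    Returns the per-packet verdicts and the resulting address list."""
    router = Router(drop_rule_enabled=drop_rule_enabled, allowed_ips=set(preloaded))
    client, server = "192.168.1.10", "203.0.113.5"  # constructed sample addresses
    packets = [
        Packet(client, server, 80),                     # SYN: no payload
        Packet(client, server, 80),                     # ACK completing the handshake: no payload
        Packet(client, server, 80,                      # first data segment carries the Host header
               "GET /raspbian/ HTTP/1.1\r\nHost: archive.raspbian.org\r\n\r\n"),
    ]
    verdicts = []
    for pkt in packets:
        verdict = router.process(pkt)
        verdicts.append(verdict)
        if verdict == "drop":
            break  # a dropped SYN means the rest of the connection never happens
    return verdicts, sorted(router.allowed_ips)


if __name__ == "__main__":
    print("drop rule enabled, empty list:", run_connection(True))
    print("drop rule disabled:           ", run_connection(False))
    print("drop rule enabled, preloaded: ", run_connection(True, preloaded=("203.0.113.5",)))
```

With the drop rule enabled and an empty list the very first packet is dropped and the list never gets populated; with the drop rule disabled the request goes through and the destination is added on the third packet; once the destination is in the list, a later connection is accepted from its first packet.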

