ksthree
just joined
Topic Author
Posts: 1
Joined: Thu Jul 18, 2019 10:51 pm

Firewall killing NAT rule

Thu Jul 18, 2019 11:09 pm

Let me start by introducing myself.

My name is Karl, and I am from South Africa. I am a seasoned Mikrotik installer/programmer/whatever I can get it to do guy. I have been referring back to these forums often for help when I start scratching my head, so thanks to all of you for the bits of info that point me in the right direction when I hit my head on a wall.

I have created a Firewall Filter that blocks incoming ports 1-1024; however, I have added a backdoor rule in the NAT section to use port xxxx to point to Port 80 on 192.168.x.x on Ether2.

My NAT rule works fine until I enable the Firewall Filter rule. Then it dies. I still have access to Port 80 on 192.168.1.1 from any of my four subnets on Eth2-5.

Here are my rules...

NAT:
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=xxxx in-interface=PPPoE action=dst-nat to-addresses=192.168.1.1 to-ports=80

This rule works fine to port forward xxxx to 192.168.1.1:80 on Eth2

FILTER:
/ip firewall filter
add chain=input protocol=tcp dst-port=1-1024 in-interface=PPPoE action=reject

This rule is blocking all incoming connections on ports 1-1024.

Together, the NAT rule fails.

Any ideas?
 
sindy
Forum Guru
Posts: 3974
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall killing NAT rule

Fri Jul 19, 2019 10:35 pm

Filter comes after dst-nat. 192.168.1.1, which is the destination address of the packet after the dst-nat has been done, is one of the local addresses of your Mikrotik, so chain=input of /ip firewall filter is used. The dst-nat rule only redirects the packet (changes its destination address and/or port), but that alone doesn't mean that it would bypass the filter. So one possibility is to add connection-state=!dstnat to your action=reject rule in /ip firewall filter.

Unless you've hidden some additional conditions (like src-address or src-address-list) in the dst-nat rule to simplify the description of the scenario, the configuration is highly unsafe, as the internet is full of robots which scan for any open port anywhere and try to connect using all sorts of L7 protocols (telnet, http, ssh, ...). So exposing management access to your Tik through plaintext http to the whole internet, even though on an unusual port, is a Bad Idea.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
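The fix sindy describes, written out as a complete RouterOS fragment with the posted rule beside its corrected form. This is an added example, not configuration from the thread: it assumes the WAN interface is named PPPoE, the router's LAN address is 192.168.1.1, the external port stays the placeholder xxxx, and a hypothetical address list named mgmt-allowed holds the only sources permitted to use the forwarded port (the src-address-list condition sindy mentions). RouterOS exposes the "this connection was already dst-natted" property as the connection-nat-state matcher.

```routeros
# Added example, not from the thread. Assumptions: WAN interface PPPoE,
# router LAN address 192.168.1.1, external port placeholder xxxx, and a
# hypothetical address list "mgmt-allowed" limiting who may use the forward.

# Sources allowed to reach the forwarded port (constructed sample entry;
# replace with the real management source before use).
/ip firewall address-list
add list=mgmt-allowed address=my.public.ip.1 comment="constructed example entry"

# 1. dst-nat runs first and rewrites the destination to the router's own
#    LAN address, so the translated packet is then evaluated in chain=input
#    (the router is the destination), not in chain=forward.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=xxxx in-interface=PPPoE \
    src-address-list=mgmt-allowed action=dst-nat \
    to-addresses=192.168.1.1 to-ports=80 \
    comment="forward external port xxxx to router web UI, allowed sources only"

# 2. BEFORE (as posted, kept disabled for comparison): rejects every TCP
#    connection to ports 1-1024 arriving on PPPoE. The translated packet now
#    targets port 80, so this rule rejects it too.
/ip firewall filter
add chain=input protocol=tcp dst-port=1-1024 in-interface=PPPoE \
    action=reject disabled=yes comment="original rule: also kills the dst-nat"

# 3. AFTER: the same reject, but exempt connections dst-nat has already
#    translated. connection-nat-state=!dstnat matches everything except those,
#    so the forwarded connection passes while all other low ports stay blocked.
add chain=input protocol=tcp dst-port=1-1024 in-interface=PPPoE \
    connection-nat-state=!dstnat action=reject \
    comment="block low ports from WAN except dst-natted connections"
```

Because the translated packet's destination is the router itself, the exception has to live in chain=input; an allow rule placed in chain=forward would never see this traffic. After applying it, /ip firewall filter print stats should show the reject rule's counters stop increasing for a test connection from an allowed source, while connections to other low ports from the WAN still hit it.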
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall killing NAT rule

Sat Jul 20, 2019 4:32 pm

If indeed the filter forward rule is applied after NAT, then port redirection won't work (higher port to lower port), and thus one should just put the allow dstnat rule before the kill-all-ports rule in the forward chain order and it should work.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Posts: 3974
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall killing NAT rule

Sat Jul 20, 2019 5:13 pm

If indeed the filter forward rule is applied after NAT,
@anav, have you ever bothered to look at the diagrams I've linked above?
