ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Drop unwanted port-forwarding connections

Fri Nov 29, 2019 12:03 am

I have these forward filters as per default firewall config:
/ip firewall filter
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid forward" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WANs

Once I set a port forwarding (dst-nat) rule to a LAN machine, this machine is reachable from ANYONE hitting that port from the internet.

What's the correct method to drop any connection from the internet to a dst-natted machine except from the desired external IP address?
Why is there not an ending "drop-all" rule in the forward chain like the one in the input chain?
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Drop unwanted port-forwarding connections

Fri Nov 29, 2019 12:18 am

You can set a src-address (or src-address-list) in the forward rule:
/ip firewall address-list
add address=1.1.1.1 list=trusted
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp src-address-list=trusted to-addresses=192.168.88.100
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Drop unwanted port-forwarding connections

Fri Nov 29, 2019 12:25 am

Nice, so allow the desired addresses in the NAT rule rather than dropping them with filters...
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Drop unwanted port-forwarding connections

Fri Nov 29, 2019 10:25 am

> Why is there not an ending "drop-all" rule in the forward chain like the one in the input chain?
I'm not the author of this idea used in the default firewall configuration, but I read it as a way to concentrate all the decision making into a single rule in the nat table, which can choose from the same match conditions as the rules in filter. So the assumption is that you only dst-nat what you really want to let in using the dst-nat rule in nat, and the dst-nat state of the connection then prevents that traffic from matching the rule in the default configuration action=drop chain=forward in-interface-list=WAN connection-nat-state=!dstnat.
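Putting nescafe2002's answer and the explanation above together, here is an added example (not posted by anyone in this thread) of a port forward that is reachable from a single external address only, restricted once in the NAT rule, as the default configuration intends, and once more in the forward chain as a second layer. The trusted source 203.0.113.10, the internal server 192.168.88.100 and the interface list name "WAN" (the default configuration's name; the original poster's list is called "WANs") are assumptions for illustration.

```routeros
# Added example: restrict a dst-nat port forward to one external source address.
# 203.0.113.10 (trusted source), 192.168.88.100 (internal web server) and the
# interface list "WAN" are assumed names for illustration.

/ip firewall address-list
add address=203.0.113.10 list=trusted comment="only this address may reach the forwarded service"

# Layer 1: create the dst-nat state for trusted sources only. Anyone else is
# never dst-natted, so their packets remain connection-nat-state=!dstnat and
# are caught by the default "drop all from WAN not DSTNATed" rule below.
/ip firewall nat
add action=dst-nat chain=dstnat comment="HTTPS to web server, trusted sources only" \
    dst-port=443 in-interface-list=WAN protocol=tcp src-address-list=trusted \
    to-addresses=192.168.88.100 to-ports=443

# Layer 2: dst-nat happens before the forward chain, so forward already sees the
# translated (internal) destination. Drop and log any dst-natted new connection
# from WAN whose source is not trusted, so that a later, broader dst-nat rule
# (for example one without src-address-list) cannot silently widen exposure.
/ip firewall filter
add action=accept chain=forward comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid forward" connection-state=invalid
add action=drop chain=forward comment="drop dstnat from untrusted sources" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN \
    src-address-list=!trusted log=yes log-prefix="dstnat-untrusted"
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# Check: the per-rule counters show which of the two drop rules is absorbing
# the unwanted connection attempts.
/ip firewall filter print stats where chain=forward
```

With the NAT rule restricted as shown, the "drop dstnat from untrusted sources" rule should never count anything; a rising counter there means another dst-nat rule is forwarding traffic from sources outside the list, which is exactly the condition the original poster wanted to catch.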
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Drop unwanted port-forwarding connections

Fri Nov 29, 2019 1:16 pm

> Why is there not an ending "drop-all" rule in the forward chain like the one in the input chain?
> I'm not the author of this idea used in the default firewall configuration, but I read it as a way to concentrate all the decision making into a single rule in the nat table, which can choose from the same match conditions as the rules in filter. So the assumption is that you only dst-nat what you really want to let in using the dst-nat rule in nat, and the dst-nat state of the connection then prevents that traffic from matching the rule in the default configuration action=drop chain=forward in-interface-list=WAN connection-nat-state=!dstnat.
The idea of that rule is quite clever, actually, because it depends on interface-list=WAN rather than interface-list=LAN: most inexperienced users forget to add newly created interfaces to the corresponding list, so this rule saves them from a headache trying to figure out why their guest LAN or something like that doesn't work. The opposite situation, with a second WAN, is less common, IMO, and it needs a more qualified user to set it up, so it's not as big a problem.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Drop unwanted port-forwarding connections

Fri Nov 29, 2019 2:38 pm

> The opposite situation, with a second WAN, is less common, IMO, and it needs a more qualified user to set it up, so it's not as big a problem.
It depends what we consider a problem. If the problem is that something doesn't work (due to a forgotten LAN permissive rule), the home user notices it and can solve it (or get mad about the router immediately). If he is clever/brave/skilled enough to add a WAN interface but not enough to add it to the interface list, everything works, but he is likely to get hacked, so he'll get mad about the router later, but more :)
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Drop unwanted port-forwarding connections

Fri Nov 29, 2019 2:50 pm

> The opposite situation, with a second WAN, is less common, IMO, and it needs a more qualified user to set it up, so it's not as big a problem.
> It depends what we consider a problem. If the problem is that something doesn't work (due to a forgotten LAN permissive rule), the home user notices it and can solve it (or get mad about the router immediately). If he is clever/brave/skilled enough to add a WAN interface but not enough to add it to the interface list, everything works, but he is likely to get hacked, so he'll get mad about the router later, but more :)
Exactly.
And given that the default firewall is what it is now, it seems that Mikrotik engineers consider that if one is clever/brave/skilled enough to add an additional WAN, he should know how to understand and adjust the firewall as well.
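The failure mode sindy and xvo describe, a second uplink that forwards traffic but was never added to the WAN interface list, is a membership problem rather than a rule problem. The added example below (not from any poster in the thread) shows the check and the fix; "ether2" as the name of the new uplink is an assumption.

```routeros
# Added example: the default "drop all from WAN not DSTNATed" rule protects only
# interfaces that are members of the WAN interface list. A second uplink that is
# up and routing but missing from the list is fully exposed. "ether2" is an
# assumed name for the new uplink.

# Which interfaces does the drop rule currently cover?
/interface list member print where list=WAN

# Add the new uplink to the list. Every input and forward rule that matches
# in-interface-list=WAN now applies to it, with no changes to the rules themselves.
/interface list member add list=WAN interface=ether2 comment="second uplink"

# Sanity check: a new, non-dst-natted connection arriving on ether2 should now
# increment the counter of the default drop rule.
/ip firewall filter print stats where comment="drop all from WAN not DSTNATed"
```

Run the first print before adding any dst-nat rules for the new uplink; if it lists only the original WAN interface, the forward chain has been accepting unsolicited traffic on the second one since it was brought up.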
