jgauthier
just joined
Topic Author
Posts: 18
Joined: Sat May 22, 2021 11:47 pm

port forwarding restrictions

Tue Jun 08, 2021 7:28 pm

I have several ports opened for various things. I'd like to lock some of the ports down by IP address.

I'm not seeing how to do this with the firewall/NAT interface. Can someone help me out with how that is done?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: port forwarding restrictions

Tue Jun 08, 2021 7:36 pm

/export firewall

and explain what port and what IP you want to lock on it.
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: port forwarding restrictions

Tue Jun 08, 2021 8:00 pm

Even without a (complete) export, set the Src. Address (or a list if you have multiple IP addresses) on your NAT rule.
 
jgauthier
just joined
Topic Author
Posts: 18
Joined: Sat May 22, 2021 11:47 pm

Re: port forwarding restrictions

Tue Jun 08, 2021 8:41 pm

Even without a (complete) export, set the Src. Address (or a list if you have multiple IP addresses) on your NAT rule.
Ugh. Seriously, I tried this and it did not work. Now, you tell me to do it and it works.

Thanks ;)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding restrictions

Tue Jun 08, 2021 10:59 pm

Yes, setting the source address in the Dst NAT rule is the way to go.
Clearly for a list then one uses a source-address-list entry (aka make a firewall address list).

This is good because as soon as you add a source address list, when one does a scan of their ports, the port does not appear at all.
Without the source address list if you scan your ports, the dst nat port is visible but closed. I prefer invisible LOL.

Also if someone using the server has a dynamic IP, they can get free dyndns domains out there and thus can give you an IP you can use (domain name with the router will resolve).
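A worked RouterOS configuration for the approach described in this answer and in erlinden's reply (an added example, not posted by anyone in the thread). The public IP 203.0.113.10, the FQDN home.example.net, the internal server 192.168.88.10 and the WAN interface list are constructed placeholders; the restricted rule is shown beside the unrestricted one it replaces.

```routeros
# Added example, not from the thread. All addresses below are constructed.

# 1. Allowed sources for the forward. An FQDN entry is resolved by the router,
#    which covers the dynamic-IP user with a dyndns name mentioned above.
/ip firewall address-list
add list=ssh-allow address=203.0.113.10 comment="office static IP"
add list=ssh-allow address=home.example.net comment="dyndns name, resolved by router"

# 2. Unrestricted forward: any source on the internet matches the dst-nat.
#    Kept disabled here only to show the difference.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=2222 \
    in-interface-list=WAN to-addresses=192.168.88.10 to-ports=22 \
    disabled=yes comment="UNRESTRICTED - replaced by the rule below"

# 3. Restricted forward: only sources in the list match. Other sources never
#    hit the dst-nat, so the default "drop all from WAN not DSTNATed" filter
#    rule handles them. For a single allowed address, src-address=203.0.113.10
#    in place of src-address-list= does the same job.
add chain=dstnat action=dst-nat protocol=tcp dst-port=2222 \
    in-interface-list=WAN src-address-list=ssh-allow \
    to-addresses=192.168.88.10 to-ports=22 \
    comment="ssh to server, allowed sources only"

# 4. Forward chain: accept only new connections that were actually dst-natted
#    (the default configuration already contains this together with the drop
#    rule for everything else arriving from WAN).
/ip firewall filter
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN \
    comment="allow dst-natted connections"
```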
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: port forwarding restrictions

Wed Jun 09, 2021 12:15 am

This is good because as soon as you add a source address list, when one does a scan of their ports, the port does not appear at all.
Without the source address list if you scan your ports, the dst nat port is visible but closed. I prefer invisible LOL.

Anav, I want to clarify something about what you said. The way I read this did not make sense. What I understood you to say was that if I have a source address list, the port is not seen at all (good so far), but the implication was that if I don't use a list, and only specify a single source address in the firewall rule, the port would be seen as closed (as opposed to invisible). In other words, it has to be a source address list, not one specific address in the firewall rule to make it invisible. That part does not make sense.

Like I said, if I read that correctly, this would make the port invisible:

/ip firewall address-list
add address=15.16.17.18 comment="Test" list="Test-allow-list"

/ip firewall filter
add action=accept chain=input comment="testing" \
    dst-port=12345 in-interface=Ether1 protocol=tcp \
    src-address-list="Test-allow-list"

And this one would make it visible, but closed:

/ip firewall filter
add action=accept chain=input comment="Testing" \
    dst-port=12345 in-interface=Ether1 protocol=tcp \
    src-address=15.16.17.18

The only difference being that in the first example, the source address 15.16.17.18 is in an address list, and in the second, it is specified in the firewall rule (in place of the address list).

Or did I read more into that than you intended?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding restrictions

Wed Jun 09, 2021 4:09 am

Good point, I should clarify: I've only tested with a source-address-list.
I suspect you are right that with a source-address entry the result would be the same.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: port forwarding restrictions

Wed Jun 09, 2021 4:27 am

OK, I'm not losing my mind. I have used individual IPs in most situations and it appeared to be working fine.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding restrictions

Wed Jun 09, 2021 1:42 pm

Well, between the mass exodus of people, the covid fiasco, the vagrants pooping all over downtown, the opioid crisis, mass shootings, droughts, wildfires, cosmetic surgery, the occasional earthquake......... yes, you should be crazy and should move up to Canada ;-)
Far saner here and besides, you can still buy California wines here too (but don't tell rextended).
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: port forwarding restrictions

Wed Jun 09, 2021 6:06 pm

...yes you should be crazy and should move up to Canada ;-)
Too cold.
