David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

help with firewall "drop" forward

Mon Jun 14, 2021 1:14 pm

Hello,
I want to understand something.
I have created these IP rules to block unknown networks from my inside network:
/ip firewall filter
add action=accept chain=forward src-address-list="Allow IP"
add action=accept chain=input src-address-list="Allow IP"
add action=add-src-to-address-list address-list=BlcokConnections address-list-timeout=none-dynamic chain=forward
add action=drop chain=forward
/ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade 

 1    chain=dstnat action=dst-nat to-addresses=10.0.0.100 to-ports=5900 protocol=tcp dst-port=5900 

 2     chain=dstnat action=dst-nat to-addresses=10.0.0.100 to-ports=9991 protocol=tcp dst-port=9991 

 3     chain=dstnat action=dst-nat to-addresses=10.0.0.100 to-ports=22 protocol=tcp in-interface=Remote dst-port=22 

 4     chain=dstnat action=dst-nat to-addresses=10.0.0.100 to-ports=8000 protocol=tcp in-interface=Remote dst-port=8000 log=no log-prefix="" 

Now I can see that in the "BlcokConnections" list I have Google "8.8.8.8",
and it's not from the ICMP protocol (because I have enabled ICMP at place 0), and I don't see anything there.
1. What could it be?

2. After I added 8.8.8.8 to the "Allow IP" list, I can see many IPs blocked:
/ip firewall address-list print where list=BlcokConnections        
Flags: X - disabled, D - dynamic 

I guess those IPs are using 8.8.8.8 to see if I'm online somehow and then try to connect to my router? Did I understand correctly?
Should I block 8.8.8.8, so those IPs will not try to connect to me?

* The Remote interface is a VPN connection and the network is in the "Allow IP" list *
Thanks,
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help with firewall "drop" forward

Mon Jun 14, 2021 3:48 pm

Post your config, snippets are useless

/export hide-sensitive file=anynameyouwish

and for easy reading and troubleshooting you should not mix and match forward and input chain rules.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: help with firewall "drop" forward

Mon Jun 14, 2021 3:59 pm

/interface l2tp-client
add allow=pap,chap connect-to=1.2.3.4 disabled=no max-mtu=1500 mrru=1600 name=Remote user=user
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=ROUTER
/ip pool
add name=dhcp_pool0 ranges=10.0.0.100
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether1 name=dhcp1
/port
set 0 name=usb1
/interface ppp-client
add allow=pap,chap apn=internet data-channel=3 dial-on-demand=no disabled=no info-channel=2 name=ppp-out1 phone=*99# port=usb1 user=test
/ip address
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
/ip firewall address-list
add address=132.133.134.7 comment=Oracle list="Allow IP"
add address=85.147.66.1 comment=Office list="Allow IP"
add address=10.0.0.0/24 comment=PI list="Allow IP"
add address=172.16.0.0/16 comment=Remote list="Allow IP"
add address=132.133.135.7 comment=Oracle list="Allow IP"
add address=8.8.8.8 comment=Oracle list="Allow IP"
/ip firewall filter
add action=accept chain=forward src-address-list="Allow IP"
add action=accept chain=input src-address-list="Allow IP"
add action=add-src-to-address-list address-list=BlcokConnections address-list-timeout=none-dynamic chain=forward
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat  dst-port=5900 protocol=tcp to-addresses=10.0.0.100 to-ports=5900
add action=dst-nat chain=dstnat  dst-port=9991 protocol=tcp to-addresses=10.0.0.100 to-ports=9991
add action=dst-nat chain=dstnat  dst-port=22 in-interface=Remote protocol=tcp to-addresses=10.0.0.100 to-ports=22
add action=dst-nat chain=dstnat  dst-port=8000 in-interface=Remote protocol=tcp to-addresses=10.0.0.100 to-ports=8000
/ip service
set telnet disabled=yes
set ftp address=172.16.0.0/16,10.0.0.0/24
set www disabled=yes
set ssh address=172.16.0.0/16,10.0.0.0/24 port=2222
set api address=172.16.0.0/16,10.0.0.0/24
set winbox address=172.16.0.0/16,10.0.0.0/24 port=8299
set api-ssl disabled=yes
/port firmware
set ignore-directip-modem=yes
/system clock
set time-zone-name=Asia/Jerusalem
/system gps
set channel=1 coordinate-format=dms enabled=yes port=usb1
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help with firewall "drop" forward

Mon Jun 14, 2021 4:36 pm

Sorry David,
Cannot make heads or tails of your config, hoping someone else will drop by and give you better feedback.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: help with firewall "drop" forward

Tue Jun 15, 2021 10:31 am

Maybe you can explain something basic to me (that maybe I'm missing):
input rules - these are the rules for entering the router only.
forward rules - these are the rules for entering the network behind the router.

Now let's make a simple situation:
1. be able to enter the router only via SSH (port 22); all others will be disabled and blocked
2. connect to a device using NAT on port 5678 TCP (simple NAT rule); all others will be disabled and blocked
All the connections will be made from 2 allowed addresses, public static IPs.

Is this correct? Do I need to change anything else? (I want to understand and learn, this is why I'm asking)
/ip firewall address-list
add address=112.151.68.2 comment=Oracle list="Allow IP"
add address=86.3.111.1 comment=Office list="Allow IP"

/ip firewall filter
add action=accept chain=input src-address-list="Allow IP"
add action=add-src-to-address-list address-list=BlockRouter address-list-timeout=none-dynamic chain=input
add action=drop chain=input
add action=accept chain=forward src-address-list="Allow IP"
add action=add-src-to-address-list address-list=BlockNat address-list-timeout=none-dynamic chain=forward
add action=drop chain=forward

/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=5678 protocol=tcp to-addresses=10.0.0.100 to-ports=5678 

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes

Also, if I remove this line
add action=drop chain=forward
and there is only 1 NAT rule (as shown above), is it not safe?
Let's say someone is trying to check if port 6666 is open on the router - will he get somewhere? (assuming my device also has port 6666?)

Thanks ,
 
karlisi
Member
Posts: 433
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: help with firewall "drop" forward

Tue Jun 15, 2021 11:33 am

It's not clear why you have this rule (and a similar one in the input chain):
add action=add-src-to-address-list address-list=BlcokConnections address-list-timeout=none-dynamic chain=forward
This rule adds every new connection to the 'BlcokConnections' list. Every means both directions - WAN to LAN and LAN to WAN. That's why 8.8.8.8 was added, because some devices on your LAN use it as a DNS server. In your case it will be blocked on the first try. If you add 8.8.8.8 to the allowed list, requests go through and clients can resolve addresses; unfortunately every IP the clients try to connect to goes to the same list and is blocked.
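As an added illustration of the mechanism karlisi describes (my own simplified model, not RouterOS code and not from anyone in the thread): it replays a DNS query and its reply through the three forward-chain rules from the first post with first-match semantics, then through the same rules with an established/related accept in front, as the RouterOS default rule set has. The client address 10.0.0.50 and the `state` field standing in for connection tracking are assumptions.

```python
import ipaddress

# Constructed address lists mirroring the thread's config before 8.8.8.8 was allowed.
LISTS = {"Allow IP": ["10.0.0.0/24", "172.16.0.0/16"]}


def in_list(ip, name, lists):
    """True if ip falls inside any entry (host or CIDR) of the named address list."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n)
               for n in lists.get(name, []))


def run_chain(rules, pkt, lists):
    """First matching terminating rule decides. add-src-to-address-list is a
    passthrough action in RouterOS, so evaluation continues to the next rule."""
    for r in rules:
        if r.get("src_list") and not in_list(pkt["src"], r["src_list"], lists):
            continue
        if r.get("state") and pkt["state"] not in r["state"]:
            continue
        if r["action"] == "add-src-to-address-list":
            lists.setdefault(r["list"], []).append(pkt["src"])
            continue
        return r["action"]
    return "accept"  # RouterOS accepts when no rule in the chain matches


# The forward-chain rules from the first post, in order.
ORIGINAL = [
    {"action": "accept", "src_list": "Allow IP"},
    {"action": "add-src-to-address-list", "list": "BlcokConnections"},
    {"action": "drop"},
]
# Assumed fix: accept tracked replies first, as the RouterOS default rules do.
FIXED = [{"action": "accept", "state": ("established", "related")}] + ORIGINAL


def dns_roundtrip(rules):
    """Send one LAN -> 8.8.8.8 query and its reply; report both verdicts and
    whatever ended up in the block list (constructed packets, simplified state)."""
    lists = {k: list(v) for k, v in LISTS.items()}
    query = {"src": "10.0.0.50", "dst": "8.8.8.8", "state": "new"}
    reply = {"src": "8.8.8.8", "dst": "10.0.0.50", "state": "established"}
    q = run_chain(rules, query, lists)
    a = run_chain(rules, reply, lists)
    return q, a, lists.get("BlcokConnections", [])


if __name__ == "__main__":
    print("original rules:", dns_roundtrip(ORIGINAL))  # reply dropped, 8.8.8.8 listed
    print("with est/rel  :", dns_roundtrip(FIXED))     # reply accepted, list empty
```

With the original ordering the query leaves (10.0.0.0/24 is in "Allow IP") but the reply's source is not, so 8.8.8.8 is listed and dropped; with the established/related accept in front the reply is accepted and nothing is listed.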
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: help with firewall "drop" forward

Tue Jun 15, 2021 1:48 pm

So can I cancel the block NAT / forward rules?

Again, I want/need to understand:
if someone from IP 1.1.1.1 is trying to connect to my router at address 2.2.2.2,
the first thing the firewall will check is if the address can connect to the router itself (input),
then it will try to forward it to NAT?

Is this correct?

So if I only block the unwanted input ports/addresses, then everything should be OK?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help with firewall "drop" forward

Tue Jun 15, 2021 4:44 pm

Way overthinking this, and SSH is not recommended for accessing the router from external sites.
Use a VPN at best or port knocking at worst.

Get rid of all the junk and go back to the default rules.
Once posted, I will show you the few changes you need to lock it down very reasonably.
