Community discussions

MikroTik App
 
recsx
newbie
Topic Author
Posts: 34
Joined: Sun Aug 29, 2004 6:30 pm

Help with Firewall Chain

Tue Jan 18, 2005 2:01 pm

I have two servers behind the Mikrotik
One is a web server the other is a Mail server.

I've put a Firewall rule in the Forward chain that says if any address destined to xx.xx.xx.229 (Server Address) going out on the servers port, then Jump to my chain that i made called (Servers_Rules).

In the chain i added rules to allow port 80, port 21, 20, 25, 110, 109 etc... just the main ports needed for web and mail.

This works great the servers seem to be safe this way, but for some strange reason the server cant surf the net.

I was running out of time so i left it like seeing that people could get to the mail and the web server so i figured a well i'll get to it when i can.

But two days latter i start to get phone calls from client saying people are not getting emails from them... and then it hit me oh shit duh!!! if the servers cant surf thats fine for the web server but not the mail, the MAIL server cannot connect to the outside world.

Does anyone have a clue as to why i made rules that protect the server from all other ports and you can get to it but it cant get out?


Thanks
 
User avatar
Eugene
Forum Veteran
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Jan 18, 2005 3:41 pm

What about a rule with src-address equal to xx.xx.xx.229 ?
Tout individu a droit à la vie, à la liberté et à la sûreté de sa personne.
 
recsx
newbie
Topic Author
Posts: 34
Joined: Sun Aug 29, 2004 6:30 pm

Tue Jan 18, 2005 4:59 pm

Are you saying to put a rule in my chain with source xx.xx.xx.229?

Cause i've tried that and it still wont allow the server to surf.

I went and looked at the log and it shows that when trying to surf say GOOGLE that google will try and communicate back on a random port.

But it cant cause i have them all blocked except for standard web and mail ports.

So i decided to put a source rule that say google.ip is allowed to communicate on a range of addresses and then it worked.

but only for google, whats up with that, how can i make a chain, rule of any kind that will protect my servers but allow me to surf on them.

Please help, THANKS a MILL
 
Wyoming
Member Candidate
Member Candidate
Posts: 124
Joined: Wed Jun 09, 2004 11:43 pm
Location: Wyoming

Tue Jan 18, 2005 5:49 pm

You probably need a rule to allow established connections back through the firewall. To me it sounds like your traffic is making it out to the site you are attempting to view but the return traffic is being blocked by you firewall. You need to set up a rule that allows traffic back through the firewall if it was originated from behind the firewall.

Try setting a rule that allows traffic from anywhere to anywhere with a Connections State of established. This will allow return traffic to pass through the firewall.
 
recsx
newbie
Topic Author
Posts: 34
Joined: Sun Aug 29, 2004 6:30 pm

Tue Jan 18, 2005 6:32 pm

Ok i'm trying this and still no luck.

Here let me describe how i'm setup.

My main forward chain has a rule;
Any source, destination any, going out on SERVER port with any protocol and any connection state,,, JUMP TO -> Server_Rules Chain.

Ok is this clear?

Now!, in the Server_Rules chain i have rules for all the ports that i want to allow access to these servers e.g. (25,20,21,80,110,143 and such) then last rules is reject everything.

Now i've tried putting a rule like you said in there to allow extablished connections and this did not work, the BYTES and PACKES don't even move.

I'm still in the dark
Thanks
 
Wyoming
Member Candidate
Member Candidate
Posts: 124
Joined: Wed Jun 09, 2004 11:43 pm
Location: Wyoming

Tue Jan 18, 2005 11:52 pm

I understand the forward rule part of what you are doing. Now For the established connections rule, Did you move this rule to the top of the list?

I am assuming you did but I just wanted to make sure.

Also, for the action what are you selecting? accept or passthrough?

If you could print the rules in the Terminal and post them here that would help me some to.

Thanks
 
recsx
newbie
Topic Author
Posts: 34
Joined: Sun Aug 29, 2004 6:30 pm

Wed Jan 19, 2005 12:13 am

Ok here is the main forward chain

Flags: X - disabled, I - invalid, D - dynamic
0 protocol=icmp action=accept

1 ;;; Allow UDP packets such as radios to reach the radius server
out-interface=radius protocol=udp action=accept

2 src-address=192.168.10.2/32 dst-address=xxx.xxx.xxx.xxx/32 action=accept

3 src-address=xxx.xxx.xxx.229/32 dst-address=192.168.10.2/32 action=accept

4 dst-address=192.168.10.2/32 out-interface=radius action=jump jump-target=Radius_Access

5 ;;; Jump all trafic from PPPoE clients to PPPoE Rules chain
src-address=xxx.xxx.xxx.0/24 action=jump jump-target=PPPoE_Rules

6 ;;; Jump all trafic destined to Servers, to Servers_Rules chain
dst-address=xxx.xxx.xxx.0/24 out-interface=servers action=jump jump-target=Servers_Rules

7 ;;; Reject Everything to access Radius Server
out-interface=radius action=reject


And here is my Servers_Rules chain
I've added 1,2 and 3 (Listed Below) in the past few hours cause thats all that would work.
But i feel that this is not the proper way.

Flags: X - disabled, I - invalid, D - dynamic
0 src-address=:80 dst-address=:1024-65535 out-interface=servers protocol=tcp action=return

1 src-address=:25 dst-address=:1024-65535 out-interface=servers protocol=tcp action=return

2 src-address=:443 dst-address=:1024-65535 out-interface=servers protocol=tcp action=return

3 src-address=:20 dst-address=:1024-65535 out-interface=servers protocol=tcp action=return

4 protocol=udp action=accept

5 dst-address=:80 out-interface=servers protocol=tcp action=accept

6 dst-address=:109 out-interface=servers protocol=tcp action=accept

7 dst-address=:110 out-interface=servers protocol=tcp action=accept

8 dst-address=:25 out-interface=servers protocol=tcp action=accept

9 dst-address=:20 out-interface=servers protocol=tcp action=accept

10 dst-address=:21 out-interface=servers protocol=tcp action=accept

11 dst-address=:443 out-interface=servers protocol=tcp action=accept

12 dst-address=:143 out-interface=servers protocol=tcp action=accept

13 out-interface=servers action=reject
 
User avatar
andrewluck
Forum Veteran
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Wed Jan 19, 2005 11:26 pm

At the top of your Servers_Rules chain put:

0 ;;; Allow TCP Established connections
protocol=tcp connection-state=established action=accept

Not sure if this also requires Connection Tracking but I have it enabled.

Regards

Andrew
 
recsx
newbie
Topic Author
Posts: 34
Joined: Sun Aug 29, 2004 6:30 pm

Wed Jan 19, 2005 11:51 pm

I wont rule it out but i'm sure i had tried that and it did not work.

I will try and get back to afterwards.

Thanks a lot
 
recsx
newbie
Topic Author
Posts: 34
Joined: Sun Aug 29, 2004 6:30 pm

Wed Jan 19, 2005 11:55 pm

Just as i suspected, it did not work.
 
User avatar
YazzY
Member Candidate
Member Candidate
Posts: 140
Joined: Fri May 28, 2004 3:26 pm
Location: Norway, Østfold
Contact:

Thu Jan 20, 2005 4:29 am

The easiest way is to log your firewall rules and see what gets blocked.
Then ajust your rules to open desired traffic.
Set up a syslog server so you can browse through your logs.

Who is online

Users browsing this forum: TDJ211 and 78 guests