Zorker
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Aug 10, 2004 1:39 am

2.9 Firewall Rules

Sat Oct 29, 2005 2:31 am

Hi, I'm trying to allow only the traffic I need to my web/email servers and block everything else. It seems to work the way I have it set up; however, I'm unable to send any traffic out from the boxes (such as web browsing etc.). I would like it to allow all my local IPs (in the address-list cram) to go out without any filtering. I just want to filter the incoming ports. Here are my forward rules.

add chain=forward src-address-list=cram action=accept comment="" disabled=no
add chain=forward protocol=tcp dst-port=80 dst-address-list=cram action=accept comment="Web" disabled=no
add chain=forward protocol=tcp dst-port=21 dst-address-list=cram action=accept comment="FTP" disabled=no
add chain=forward protocol=tcp dst-port=53 dst-address-list=cram action=accept comment="DNS TCP" disabled=no
add chain=forward protocol=udp dst-port=53 dst-address-list=cram action=accept comment="DNS UDP" disabled=no
add chain=forward protocol=tcp dst-port=445 dst-address-list=cram action=accept comment="SSL" disabled=no
add chain=forward protocol=tcp dst-port=5900 dst-address-list=cram action=accept comment="VNC" disabled=no
add chain=forward protocol=tcp dst-port=3389 dst-address-list=cram action=accept comment="RDP" disabled=no
add chain=forward protocol=tcp dst-port=25 dst-address-list=cram action=accept comment="SMTP" disabled=no
add chain=forward protocol=tcp dst-port=110 dst-address-list=cram action=accept comment="POP3" disabled=no
add chain=forward protocol=tcp dst-port=8383 dst-address-list=cram action=accept comment="Webmail" disabled=no
add chain=forward protocol=tcp dst-port=8484 dst-address-list=cram action=accept comment="Web Calendar" disabled=no
add chain=forward in-interface=External action=log log-prefix="" comment="" disabled=yes
add chain=forward in-interface=External dst-address-list=cram action=drop comment="" disabled=yes


Is there something I'm missing here? No matter what I've tried, it will not let me out for web, SSH, traceroute/ICMP etc. However, all my services (SMTP, web, POP3 etc.) are working fine for outside users. Any ideas?

Thanks

Nik
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Sat Oct 29, 2005 12:35 pm

Nik

It's letting you out just fine. However, the router is blocking the return traffic. You need to add two rules similar to these:
28   ;;; Accept Internet Established
     chain=forward in-interface=Internet connection-state=established 
     action=accept 

29   ;;; Accept Internet Related
     chain=forward in-interface=Internet connection-state=related 
     action=accept
Regards

Andrew
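As an added illustration (not Andrew's or Nik's own export), here is how the complete forward chain could look once the two connection-state rules are placed ahead of the per-port filters, using the thread's address list "cram" and Nik's interface name "External" (the connection-state=invalid rule and the log prefix are additions assumed here, not from the thread; the per-service lines are reproduced as Nik posted them):

```routeros
/ip firewall filter
# Stateful rules go first: replies to connections the cram hosts opened
# match here, so they never have to pass the per-port filters below.
add chain=forward connection-state=established action=accept comment="Accept established"
add chain=forward connection-state=related action=accept comment="Accept related"
# Assumed addition: packets that belong to no known connection are dropped
add chain=forward connection-state=invalid action=drop comment="Drop invalid"
# Hosts in the cram list may open anything outbound
add chain=forward src-address-list=cram action=accept comment="cram outbound"
# Only the published services are reachable from outside (as posted in the question)
add chain=forward protocol=tcp dst-port=80 dst-address-list=cram action=accept comment="Web"
add chain=forward protocol=tcp dst-port=21 dst-address-list=cram action=accept comment="FTP"
add chain=forward protocol=tcp dst-port=53 dst-address-list=cram action=accept comment="DNS TCP"
add chain=forward protocol=udp dst-port=53 dst-address-list=cram action=accept comment="DNS UDP"
add chain=forward protocol=tcp dst-port=445 dst-address-list=cram action=accept comment="SSL"
add chain=forward protocol=tcp dst-port=5900 dst-address-list=cram action=accept comment="VNC"
add chain=forward protocol=tcp dst-port=3389 dst-address-list=cram action=accept comment="RDP"
add chain=forward protocol=tcp dst-port=25 dst-address-list=cram action=accept comment="SMTP"
add chain=forward protocol=tcp dst-port=110 dst-address-list=cram action=accept comment="POP3"
add chain=forward protocol=tcp dst-port=8383 dst-address-list=cram action=accept comment="Webmail"
add chain=forward protocol=tcp dst-port=8484 dst-address-list=cram action=accept comment="Web Calendar"
# Anything else arriving from the outside for a cram host is logged, then dropped
add chain=forward in-interface=External dst-address-list=cram action=log log-prefix="cram-drop"
add chain=forward in-interface=External dst-address-list=cram action=drop comment="Drop the rest"
```

Rule order is what matters here: a reply to an outbound web request arrives on External with dst-address in cram and a source port of 80, so without the established rule placed before the drop it would only be accepted if its destination port happened to be in the published list.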
 
Zorker
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Aug 10, 2004 1:39 am

Sat Oct 29, 2005 7:13 pm

Thanks much, that did the trick.
 
larmaid
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Sun Oct 30, 2005 7:30 pm

Is it in dst-address-list or src-address-list?
I like it.
