in4ni
Member Candidate
Topic Author
Posts: 191
Joined: Thu Dec 09, 2004 4:22 am
Location: Jax, Fl USA

Firewall rules not working ??

Fri Dec 23, 2005 5:56 pm

I have a Mikrotik box I am using as a DSL router and want very limited access in and out. I'm trying the reverse approach to firewall rules by dropping everything and adding accept rules for the few services that I want to allow out on the net, but my rules aren't working and I'm wondering what I'm doing wrong. All I want to allow out is http, pop, smtp, ping and telnet. The only forward rule that is working is my drop-everything rule and my ping. My input rules seem to be working.

/ ip firewall filter 
add chain=input protocol=udp src-port=53 action=accept comment="" disabled=no 
add chain=input in-interface=Bellsouth action=drop comment="" disabled=no 
add chain=input connection-state=established action=accept comment="Accept \
    established connections" disabled=no 
add chain=input connection-state=related action=accept comment="Accept related \
    connections" disabled=no 
add chain=input connection-state=invalid action=drop comment="Drop invalid \
    connections" disabled=no 
add chain=input protocol=tcp dst-port=22 dst-limit=0,5,dst-address/1m40s \
    action=accept comment="SSH " disabled=no 
add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox" \
    disabled=no 
add chain=forward protocol=tcp dst-port=80 action=accept comment="" \
    disabled=no 
add chain=forward protocol=tcp dst-port=110 action=accept comment="" \
    disabled=no 
add chain=forward protocol=tcp dst-port=25 action=accept comment="" \
    disabled=no 
add chain=forward protocol=tcp dst-port=23 action=accept comment="" \
    disabled=no 
add chain=forward protocol=icmp action=accept comment="" disabled=no 
add chain=forward action=drop comment="" disabled=no 
[admin@DSL Router] ip firewall filter> 

/ ip firewall nat 
add chain=srcnat src-address=192.168.2.0/24 action=masquerade comment="" \
    disabled=no 



Thank you
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Fri Dec 23, 2005 6:07 pm

The first rule that matches a packet in a chain is activated. So your drop rule in the input chain matches (and drops the packet!) before the other accept rules (like for SSH) could get a chance to match...
So move your drop rule to the end of the respective chain.

Best regards,
Christian Meis
 
in4ni
Member Candidate
Topic Author
Posts: 191
Joined: Thu Dec 09, 2004 4:22 am
Location: Jax, Fl USA

Fri Dec 23, 2005 6:12 pm

My drop rule is the last rule (it's disabled so I can surf).
What else could it be?

 1   chain=input in-interface=Bellsouth action=drop 

 2   ;;; Accept established connections
     chain=input connection-state=established action=accept 

 3   ;;; Accept related connections
     chain=input connection-state=related action=accept 

 4   ;;; Drop invalid connections
     chain=input connection-state=invalid action=drop 

 5   ;;; winbox
     chain=input protocol=tcp dst-port=8291 action=accept 

 6   chain=forward protocol=tcp dst-port=80 action=accept 

 7   chain=forward protocol=tcp dst-port=110 action=accept 

 8   chain=forward protocol=tcp dst-port=25 action=accept 

 9   chain=forward protocol=tcp dst-port=23 action=accept 

10   chain=forward protocol=icmp action=accept 

11 X chain=forward action=drop 
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Fri Dec 23, 2005 6:18 pm

Do you have masquerading (src-nat) enabled (I suppose you need that, as you write you use the MikroTik as DSL router)?


Best regards,
Christian Meis
 
in4ni
Member Candidate
Topic Author
Posts: 191
Joined: Thu Dec 09, 2004 4:22 am
Location: Jax, Fl USA

Fri Dec 23, 2005 6:20 pm

Yes

My drop rule is working on the forward chain, so I assumed I am placing my rules in the correct chain.
/ ip firewall nat 
add chain=srcnat src-address=192.168.2.0/24 action=masquerade comment="" \
    disabled=no 




Thank you
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Fri Dec 23, 2005 10:56 pm

You have rules to allow related and established traffic in your input chain but no similar rules in the forward chain. So, return traffic is being blocked.

You need to think about adding an interface definition in each of your protocol rules in the forward chain as these rules are otherwise bi-directional.

Regards

Andrew
 
in4ni
Member Candidate
Topic Author
Posts: 191
Joined: Thu Dec 09, 2004 4:22 am
Location: Jax, Fl USA

Fri Dec 23, 2005 11:23 pm

That was it, I should have known better

good advice on the interface


Thank you
 
in4ni
Member Candidate
Topic Author
Posts: 191
Joined: Thu Dec 09, 2004 4:22 am
Location: Jax, Fl USA

Fri Dec 23, 2005 11:38 pm

I'm kinda unclear on what interface to apply to my forward rules

in interface ?

out interface ?


my interfaces: ether1=attached to my DSL
pppoe1=attached to ether1
ether2=my internal masqueraded network
ether3=hotspot
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Sat Dec 24, 2005 12:29 pm

You have to apply the forward rules to those interfaces that receive or send out the traffic you want to affect. There's no general rule for that.

In your example, to allow http traffic from your internal network use in-interface ether2 and out-interface pppoe1...

Christian
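The two points Andrew and Christian make above (return traffic needs established/related rules in the forward chain, and service rules without interface matchers are bi-directional), as an added example that is not from the thread or from MikroTik: a small Python first-match simulator that reads rules in a simplified model of the RouterOS export syntax, evaluates constructed sample packets against the forward chain as posted and against the same chain with the advice applied, and reports the verdict. The rule parser, the connection-tracking states assigned to the packets, the ephemeral port 51515 and the traffic samples are all assumptions made for the illustration; the interface names ether2 and pppoe1 come from the poster's interface list.

```python
# Added example (not from the thread or MikroTik): a first-match simulator for a
# RouterOS-style forward chain, used to show why the posted rules drop return
# traffic and what the established/related and interface fixes change.
# The rule syntax is a simplified model of the RouterOS export format and the
# packet states are what connection tracking would assign; both are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    in_iface: str             # interface the packet arrived on
    out_iface: str            # interface it would leave on
    dst_port: Optional[int]   # None for icmp
    state: str                # connection-tracking state: new/established/related/invalid


def parse_rules(text: str) -> list[dict]:
    """Turn 'add chain=forward protocol=tcp dst-port=80 action=accept' lines into dicts.
    Only single-line rules without quoted values are understood (assumption)."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rules.append(dict(tok.split("=", 1) for tok in line[4:].split()))
    return rules


# Matcher per rule property; properties not listed here (chain, action, comment,
# disabled) are not packet matchers and are skipped by evaluate().
MATCHERS = {
    "protocol":         lambda r, p: p.proto == r["protocol"],
    "dst-port":         lambda r, p: p.dst_port == int(r["dst-port"]),
    "in-interface":     lambda r, p: p.in_iface == r["in-interface"],
    "out-interface":    lambda r, p: p.out_iface == r["out-interface"],
    "connection-state": lambda r, p: p.state == r["connection-state"],
}


def evaluate(rules: list[dict], chain: str, pkt: Packet) -> str:
    """The first enabled rule in the chain whose matchers all hold decides the packet.
    A chain in which nothing matches accepts, mirroring the RouterOS default policy."""
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        if all(MATCHERS[k](rule, pkt) for k in rule if k in MATCHERS):
            return rule["action"]
    return "accept"


# The forward chain as posted in the thread (comment= and disabled= stripped).
ORIGINAL = """
add chain=forward protocol=tcp dst-port=80 action=accept
add chain=forward protocol=tcp dst-port=110 action=accept
add chain=forward protocol=tcp dst-port=25 action=accept
add chain=forward protocol=tcp dst-port=23 action=accept
add chain=forward protocol=icmp action=accept
add chain=forward action=drop
"""

# The same chain with both pieces of advice applied: established/related
# accepted first, and each service rule pinned to LAN (ether2) -> DSL (pppoe1).
FIXED = """
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 out-interface=pppoe1 protocol=tcp dst-port=80 action=accept
add chain=forward in-interface=ether2 out-interface=pppoe1 protocol=tcp dst-port=110 action=accept
add chain=forward in-interface=ether2 out-interface=pppoe1 protocol=tcp dst-port=25 action=accept
add chain=forward in-interface=ether2 out-interface=pppoe1 protocol=tcp dst-port=23 action=accept
add chain=forward in-interface=ether2 out-interface=pppoe1 protocol=icmp action=accept
add chain=forward action=drop
"""

# Constructed sample traffic: a LAN browser opening a web page, the server's
# reply to the browser's ephemeral port, and an unsolicited connection from the
# DSL side toward port 80 on a LAN host.
SAMPLES = {
    "lan_to_web_syn":     Packet("tcp", "ether2", "pppoe1", 80, "new"),
    "web_reply_syn_ack":  Packet("tcp", "pppoe1", "ether2", 51515, "established"),
    "internet_to_port80": Packet("tcp", "pppoe1", "ether2", 80, "new"),
}


def outcomes(rules_text: str) -> dict[str, str]:
    """Verdict of the forward chain for each sample packet."""
    rules = parse_rules(rules_text)
    return {name: evaluate(rules, "forward", pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, outcomes(text))
```

Running it shows the failure the thread is about: with the posted chain the outbound SYN is accepted, but the server's reply carries the browser's ephemeral port rather than 80, matches none of the service rules and falls through to the final drop. The fixed chain accepts the reply through the established rule, and because the service rules now carry in-interface/out-interface, an unsolicited connection arriving from the DSL side no longer matches the port-80 accept and is dropped instead.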
 
Tonda
Member Candidate
Posts: 165
Joined: Thu Jun 30, 2005 12:59 pm

Sun Dec 25, 2005 8:29 pm

Log in to demo.mt.lv by Winbox (user name demo, password none); it is a demo router configured by the guys from Mikrotik, so you can find some example firewall filter rule configurations there. Also consult the Mikrotik manual here (http://www.mikrotik.com/docs/ros/2.9/ip/flow), where you can find exact information about packet flow through a Mikrotik router.
