Help for Firewall

Posted: Sun Mar 12, 2006 8:30 pm
by minist@r
Hi All
Sorry for my bad English.

I have problems with the firewall. I have 2 connections, 1 public and 1 private. I enabled masquerade on the public interface, and I enabled the HTTP proxy. I want to allow only these ports to go out and come in: TCP 21, 23, 25, 53, 80, 110, 443, 1863, 3389, 5190. I configured it this way:

/ ip firewall nat
add chain=srcnat action=src-nat to-addresses=87.116.*.* to-ports=0-65535 \
comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080 \
comment="" disabled=no
add chain=dstnat in-interface=SBB protocol=tcp dst-port=3000 action=netmap \
to-addresses=192.168.0.1 to-ports=3000 comment="" disabled=no
add chain=dstnat in-interface=SBB protocol=tcp dst-port=3389 action=netmap \
to-addresses=192.168.0.1 to-ports=3389 comment="" disabled=no
add chain=dstnat in-interface=SBB protocol=tcp dst-port=21 action=netmap \
to-addresses=192.168.0.1 to-ports=21 comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m \
tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Firewall za \
ruter" disabled=no
add chain=input connection-state=established action=accept comment="Allow \
Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input src-address=192.168.0.0/24 action=accept comment="Allow access \
to router from known network" disabled=no
add chain=input protocol=tcp dst-port=8291 action=accept comment="" \
disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp dst-port=21 action=accept comment="Firewall" \
disabled=no
add chain=forward protocol=tcp dst-port=23 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=25 action=passthrough comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=53 action=accept comment="" \
disabled=no
add chain=forward protocol=udp dst-port=53 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=80 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=110 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=443 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=1863 action=passthrough comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=3375 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=3389 action=passthrough comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=5190 action=accept comment="" \
disabled=no
add chain=forward dst-address=192.168.0.1 p2p=all-p2p action=accept comment="" \
disabled=no
add chain=forward p2p=all-p2p action=drop comment="P2p Saobracaj" disabled=yes
add chain=forward in-interface=SBB protocol=tcp action=drop comment="" \
disabled=yes

When I enable the last rule, all traffic stops. What is the problem?

Posted: Sun Mar 12, 2006 9:25 pm
by mag
I would suggest a closer look at the demo system at MikroTik: http://demo.mt.lv/ There are some firewall rules there.

Posted: Sun Mar 12, 2006 10:42 pm
by minist@r
The demo system doesn't work. Any other ideas?

Posted: Sun Mar 12, 2006 11:31 pm
by tneumann
Use demo2.mt.lv

Posted: Mon Mar 13, 2006 1:32 am
by jager
Well .... if you enable your last rule:
add chain=forward in-interface=SBB protocol=tcp action=drop comment="" \
disabled=yes 
in that case all TCP traffic to and from your cable provider will be dropped. That means no traffic. You are cutting off the branch you are sitting on :)

damn it ... ;)

Posted: Mon Mar 13, 2006 9:45 am
by mag
But that is not the problem, and it is correct for a default-deny strategy.
The problem here is that only one direction is configured so far, i.e. the client connections are there but the server answers are missing. (Quite basic IP knowledge, though ;-)

Posted: Mon Mar 13, 2006 10:41 am
by minist@r
OK. I see that. I had it enabled only at the moment when I exported the list. But I still don't know how to permit only the ports that I selected. Jager, I did it this way because I thought it works top-down, in the order the rules are executed. You know, this one is allowed but that one isn't.

Posted: Thu Mar 16, 2006 10:27 pm
by minist@r
A problem again. See my config in the attached picture. When I enable the jump to firewall, everything stops. What is wrong?

http://img367.imageshack.us/my.php?imag ... all8tr.jpg

Posted: Fri Mar 17, 2006 1:37 am
by jager
Jager, I did it this way ... because I thought it works top-down, in the order the rules are executed. You know, this one is allowed but that one isn't.
I understand :) I have screwed this up the same way myself :)

OK, moving back to English, for others to understand too ....
I understand that it is easy to track, and the list looks nice if it is sorted by port.... but! :)
All you have to do is move ALL the accept rules to the top. They must come right one after another. Only after that can your drop rules come.
Somebody correct me if I'm wrong.

demo.mt.lv
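As an added example (not from the original poster or from the MikroTik demo box), here is the forward chain rewritten the way the two replies above describe: the connection-state rules for replies come first, then every accept rule for the chosen ports, and the drop comes last. The public interface name SBB, the host 192.168.0.1 and the port list are taken from the thread; the private interface name "LAN" is an assumption, since the original export does not name it. One rule per port is used, as in the original export; comma-separated dst-port lists (dst-port=21,23,25,...) are only available on newer RouterOS versions and are not relied on here.

```routeros
# Added example rule set, not the poster's export. "LAN" is an assumed name
# for the private interface; SBB is the public (cable) interface from the thread.
/ ip firewall filter
# 1. Connection-state rules first: without these, the server answers to the
#    connections accepted below never get through (the "one direction" problem).
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward connection-state=established action=accept \
    comment="replies to already accepted connections"
add chain=forward connection-state=related action=accept \
    comment="related connections, e.g. the FTP data channel"
# 2. New connections from the private network out to SBB: only the listed ports.
add chain=forward in-interface=LAN out-interface=SBB protocol=tcp dst-port=21 \
    action=accept comment="ftp"
add chain=forward in-interface=LAN out-interface=SBB protocol=tcp dst-port=23 \
    action=accept comment="telnet"
add chain=forward in-interface=LAN out-interface=SBB protocol=tcp dst-port=25 \
    action=accept comment="smtp"
add chain=forward in-interface=LAN out-interface=SBB protocol=tcp dst-port=53 \
    action=accept comment="dns tcp"
add chain=forward in-interface=LAN out-interface=SBB protocol=udp dst-port=53 \
    action=accept comment="dns udp"
add chain=forward in-interface=LAN out-interface=SBB protocol=tcp dst-port=80 \
    action=accept comment="http (only what the proxy redirect does not catch)"
add chain=forward in-interface=LAN out-interface=SBB protocol=tcp dst-port=110 \
    action=accept comment="pop3"
add chain=forward in-interface=LAN out-interface=SBB protocol=tcp dst-port=443 \
    action=accept comment="https"
add chain=forward in-interface=LAN out-interface=SBB protocol=tcp dst-port=1863 \
    action=accept comment="msn"
add chain=forward in-interface=LAN out-interface=SBB protocol=tcp dst-port=3389 \
    action=accept comment="rdp"
add chain=forward in-interface=LAN out-interface=SBB protocol=tcp dst-port=5190 \
    action=accept comment="aim/icq"
# 3. New connections from SBB in: only what the dstnat rules hand to 192.168.0.1.
add chain=forward in-interface=SBB dst-address=192.168.0.1 protocol=tcp \
    dst-port=21 action=accept comment="ftp to internal host"
add chain=forward in-interface=SBB dst-address=192.168.0.1 protocol=tcp \
    dst-port=3000 action=accept comment="port 3000 to internal host"
add chain=forward in-interface=SBB dst-address=192.168.0.1 protocol=tcp \
    dst-port=3389 action=accept comment="rdp to internal host"
# 4. Everything else in either direction. This must stay the last rule.
add chain=forward action=drop comment="default deny"
```

Two things worth checking against the posted export before copying this over. First, rules with action=passthrough (the posted rules for ports 25, 1863 and 3389) do not accept anything: passthrough only counts the packet and continues to the next rule, so those ports were never actually allowed; moving the rules to the top does not help unless the action is changed to accept. Second, with the dstnat redirect of port 80 to 8080, HTTP from the private network is handled by the router's own proxy through the input chain (the existing src-address=192.168.0.0/24 accept rule covers it), and the proxy's outgoing connections leave through the output chain, so the forward-chain port 80 rule only matters for traffic the redirect does not catch.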

Posted: Mon Apr 10, 2006 11:47 pm
by sarenos
Could you tell me the login and password for accessing demo.mt.lv and demo2.mt.lv?

regards

Posted: Tue Apr 11, 2006 8:21 am
by sergejs
login: demo, without a password,
for demo2.