cmon69
Member Candidate
Topic Author
Posts: 160
Joined: Sun Dec 10, 2006 2:23 am
Location: Waseca, Minnesota US

Customer with Virus "Port Blocking"

Thu Nov 15, 2007 12:28 am

I have a customer who I suspect has a virus. It's opening a hundred or more connections on port 25. Is there a way to either rate limit or block a port based on a customer's IP address?
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Customer with Virus "Port Blocking"

Thu Nov 15, 2007 1:25 am

Sure, use a firewall filter to block port 25 from his IP ... if it's infected, shut it completely off; if you're cautious, then only allow 2-3 connections at a time.

add a new firewall rule in the forward chain.

set source IP to the infected machine.
set destination port to 25
set protocol to tcp
set action = reject

Sam
 
cmon69
Member Candidate
Topic Author

Re: Customer with Virus "Port Blocking"

Thu Nov 15, 2007 4:01 am

Will this work?

/ ip firewall filter
add chain=known_viruses action=drop src-address=10.10.0.33 dst-address=10.10.0.33 src-port=25 dst-port=25

Does it matter where it is located in the list of my other firewall rules?
 
changeip
Forum Guru

Re: Customer with Virus "Port Blocking"

Thu Nov 15, 2007 4:53 am

This won't work because it'll never match both the src and dst address. Think of it as it's passing through the router (forward chain): what is the src IP and what is the dst port?

/ ip firewall filter
# protocol=tcp is required for dst-port to be accepted by RouterOS
add chain=forward action=reject protocol=tcp src-address=10.10.0.33 dst-port=25

If you're blocking internal clients you should 'reject', that way the ICMP goes back to them and immediately says they are blocked. For outside connections it's better to use 'drop' so you aren't being used as a DDoS bounce.

known_viruses is okay, as long as you jump to that from the forward chain and before you accept the outbound traffic.

Sam
 
cmon69
Member Candidate
Topic Author

Re: Customer with Virus "Port Blocking"

Thu Nov 15, 2007 5:40 am

I am finding it difficult to understand how to set up different firewall rules, and reading the reference manual isn't helping much. Is there a book, website, anything, anywhere that will help me to learn? Like "MikroTik Firewall for Dummies"?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Customer with Virus "Port Blocking"

Thu Nov 15, 2007 3:48 pm

training and MUM :)
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Customer with Virus "Port Blocking"

Thu Nov 15, 2007 4:04 pm

 
cmon69
Member Candidate
Topic Author

Re: Customer with Virus "Port Blocking"

Sat Nov 17, 2007 3:41 pm

Thank you mrz for the link, I can't believe that I couldn't find it in my searches before. I will study it carefully.
 
iam8up
Member
Posts: 333
Joined: Sun Oct 28, 2007 10:58 pm
Location: Troy, OH

Re: Customer with Virus "Port Blocking"

Mon Nov 19, 2007 10:07 am

 
cmon69
Member Candidate
Topic Author

Re: Customer with Virus "Port Blocking"

Mon Nov 19, 2007 5:41 pm

That looks like a great one, but I’m concerned that I have placed it in the wrong place in my firewall rules! I’m not even confident that any of my rules are in the correct order! I might have to resort to having to pay someone to look it over, unless someone here would be willing to look it over to see if I missed something.
 
Dragonmen
Frequent Visitor
Posts: 72
Joined: Thu Jun 16, 2005 6:20 pm
Location: Sabac, Serbia

Re: Customer with Virus "Port Blocking"

Wed Nov 21, 2007 9:53 am

That looks like a great one, but I’m concerned that I have placed it in the wrong place in my firewall rules! I’m not even confident that any of my rules are in the correct order! I might have to resort to having to pay someone to look it over, unless someone here would be willing to look it over to see if I missed something.
I had that rule running for quite some time now.
I would like to help if I can.
 
cmon69
Member Candidate
Topic Author

Re: Customer with Virus "Port Blocking"

Wed Nov 21, 2007 3:53 pm

Thanks Dragonmen, Here it is!

Any help would be greatly appreciated!


/ ip firewall filter
add chain=RouterServices action=accept protocol=icmp comment="Allow ICMP" disabled=no
add chain=RouterServices action=accept dst-port=67-68 protocol=udp comment="Allow DHCP" disabled=no
add chain=RouterServices action=accept dst-port=53 protocol=udp comment="Allow DNS" disabled=no
add chain=RouterServices action=accept dst-port=20561 protocol=udp comment="Allow MAC-Winbox" disabled=no
add chain=RouterServices action=accept dst-port=8291 protocol=tcp comment="Allow Winbox" disabled=no
add chain=RouterServices action=accept src-port=123 protocol=udp comment="Allow NTP" disabled=no
add chain=RouterServices action=accept dst-port=123 protocol=udp comment="Allow NTP server (if we are running NTP server)" disabled=no

add chain=RouterServices action=accept protocol=ospf comment="Allow OSPF" disabled=yes
add chain=RouterServices action=accept src-port=520-521 protocol=udp comment="Allow RIP" disabled=yes

add chain=RouterServices action=accept src-port=520-521 protocol=tcp fragment=no time=0s-23h59m,sat,fri,thu,wed,tue,mon,sun psd=21,3s,3,1 src-address-type="" dst-address-type="" comment="Allow RIP" disabled=yes

add chain=RouterServices action=accept dst-port=179 protocol=tcp comment="Allow BGP" disabled=yes
add chain=RouterServices action=accept dst-port=3128 protocol=tcp comment="Allow web-proxy (if we are running web-proxy - DEFAULT PORT)" disabled=yes

add chain=RouterServices action=accept src-address=127.0.0.1 dst-address=127.0.0.1 comment="Allow localhost comms to work" disabled=no
add chain=RouterServices action=accept dst-port=2000 protocol=tcp comment="Allow TCP bandwidth test" disabled=no
add chain=RouterServices action=accept dst-port=2000 protocol=udp comment="Allow UDP bandwidth test" disabled=no
add chain=RouterServices action=accept dst-port=5678 protocol=udp comment="Allow MikroTik router discovery" disabled=no

add chain=RouterServices action=accept dst-port=1701 protocol=udp comment="Allow L2TP" disabled=yes
add chain=RouterServices action=accept dst-port=1701 protocol=tcp comment="Allow L2TP" disabled=yes

add chain=RouterServices action=accept dst-port=1723 protocol=tcp comment="Allow PPTP" disabled=no
add chain=RouterServices action=accept protocol=gre comment="Allow GRE - for PPTP and EoIP" disabled=no

add chain=RouterServices action=accept dst-port=500 protocol=tcp comment="Allow ISAKMP - for IPSEC" disabled=yes
add chain=RouterServices action=accept dst-port=500 protocol=udp comment="Allow ISAKMP - for IPSEC" disabled=yes
add chain=RouterServices action=accept protocol=ipsec-esp comment="Allow protocol 50 - IPSEC" disabled=yes
add chain=RouterServices action=accept protocol=ipsec-ah comment="Allow protocol 51 - IPSEC" disabled=yes
add chain=RouterServices action=accept protocol=vrrp comment="Allow VRRP" disabled=yes

add chain=input action=accept dst-port=80 protocol=tcp src-address-list=webadmin comment="Allow webadmins access to webbox - DISABLED BY DEFAULT - example for how to limit access for certain admin types" disabled=yes
add chain=input action=accept src-address=10.10.100.101 dst-port=161 protocol=udp src-address-list=MONITORS comment="Allow the NMS to monitor SNMP on this machine - DISABLED BY DEFAULT - use only if you have an SNMP monitoring machine" disabled=yes

add chain=hackertraps action=add-src-to-address-list dst-port=22 protocol=tcp address-list=hacker address-list-timeout=10s comment="Add SSH attempts to hacker list" disabled=no
add chain=hackertraps action=add-src-to-address-list dst-port=21 protocol=tcp address-list=hacker address-list-timeout=10s comment="Add FTP attempts to hacker list" disabled=no
add chain=hackertraps action=add-src-to-address-list dst-port=23 protocol=tcp address-list=hacker address-list-timeout=1m comment="Add telnet attempts to hacker list" disabled=no
add chain=hackertraps action=add-src-to-address-list protocol=tcp psd=15,3s,3,1 address-list=hacker address-list-timeout=0s comment="Add port scanners to hacker list - DISABLED BY DEFAULT" disabled=no

add chain=traphackers action=return src-address-list=LOCALIP comment="Ensure we do not drop our local IPs if they get added to the hacker list accidentally" disabled=no

add chain=input action=accept connection-state=established comment="Accept Established" disabled=no
add chain=input action=accept connection-state=related comment="Accept Related" disabled=no
add chain=input action=accept src-address-list=fulladmin comment="Accept ALL from fulladmin address list" disabled=no

add chain=input action=jump jump-target=RouterServices comment="Jump to Router Services chain" disabled=no
add chain=forward action=jump jump-target=traphackers comment="Jump to traphackers chain (check to see if we have detected a hacker)" disabled=no
add chain=forward action=jump jump-target=known_viruses comment="Jump to known_viruses chain (check for virus traffic)" disabled=no

add chain=input action=jump jump-target=hackertraps comment="Jump to hackertraps chain (trap hacker behavior)" disabled=no
add chain=input action=log log-prefix="INPUTFW:" comment="" disabled=no

add chain=traphackers action=drop src-address-list=hacker comment="Protect customers from known hackers" disabled=no

add chain=forward action=drop tcp-flags=syn protocol=tcp connection-limit=21,32 comment="allow only 20 simultaneous connections from each of the clients" disabled=no

add chain=input action=drop connection-state=invalid comment="Drop invalid" disabled=no

add chain=forward action=drop dst-port=25 protocol=tcp src-address-list=spammer comment="BLOCK SPAMMERS OR INFECTED USERS" disabled=no
add chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp connection-limit=30,32 limit=50,5 address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers" disabled=no
add chain=forward action=drop p2p=all-p2p comment="DROP most popular p2p protocols recognized by the MikroTik RouterOS" disabled=no

add chain=known_viruses action=drop dst-port=135-139 protocol=tcp comment="Windows Netbios" disabled=no
add chain=known_viruses action=drop dst-port=135-139 protocol=udp comment="Windows Netbios" disabled=no
add chain=known_viruses action=drop dst-port=445 protocol=tcp comment="Windows Netbios" disabled=no
add chain=known_viruses action=drop dst-port=445 protocol=udp comment="Windows Netbios" disabled=no

add chain=input action=drop comment="Drop all remaining traffic" disabled=no

/ ip firewall address-list
add list=fulladmin address=xx.xx.xxx.xx comment="Access for Butch home" disabled=no
add list=fulladmin address=xx.xxxx.xxx.xxx/28 comment="Access for Jim" disabled=no
add list=fulladmin address=10.1.3.0/24 comment="Access from private network" disabled=no
add list=fulladmin address=xx.xx.xx.xx/27 comment="Access from public range" disabled=no
add list=LOCALIP address=10.0.0.0/8 comment="Private Range" disabled=no
add list=LOCALIP address=192.168.0.0/16 comment="Private Range" disabled=no
add list=LOCALIP address=172.16.0.0/20 comment="Private Range" disabled=no
add list=LOCALIP address=xx.xx.xx.xx/27 comment="Public Range" disabled=no
add list=MONITORS address=10.11.1.3 comment="This is for monitoring servers" disabled=no
add list=MONITORS address=10.13.1.3 comment="This is for monitoring servers" disabled=no
add list=fulladmin address=192.168.200.1 comment="Allow from Border MT" disabled=no

/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes

/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
 
Dragonmen
Frequent Visitor

Re: Customer with Virus "Port Blocking"

Thu Nov 22, 2007 10:51 am

It's kinda hard to track all the rules by looking at the exports. As far as I can see you need to move the 2 rules you added to the top in the forward chain (the spammers ones). All they do is add the abuse of port 25 to some host and drop it in the next rule, so they cannot affect other "normal" rules. BTW, if you have a local mail server you may want to put an "allow" rule for that IP above those 2.
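A forward-chain layout that puts changeip's advice (reject for inside clients, drop for outside hosts, reach known_viruses from forward before the accept rules) together with Dragonmen's ordering advice (SMTP detection and drop rules at the top of forward, with the local mail server allowed above them). This is an added example, not configuration from this thread or from MikroTik; the address 10.10.0.25 (a local mail server) is assumed, while 10.10.0.33 and the spammer list are taken from the posts above.

```routeros
# Added example, not from this thread. 10.10.0.25 = assumed local mail server,
# 10.10.0.33 = the infected customer discussed above.
/ ip firewall filter

# 1. The legitimate mail server goes first, or its normal bursts would trip the detector in step 2.
add chain=forward action=accept protocol=tcp dst-port=25 src-address=10.10.0.25 comment="Local mail server may send mail" disabled=no

# 2. Automatic detection at the top of forward: more than 30 concurrent SMTP connections from one /32
#    puts the source on the spammer list for a day, and the very next rule drops it.
add chain=forward action=add-src-to-address-list protocol=tcp dst-port=25 connection-limit=30,32 address-list=spammer address-list-timeout=1d comment="Detect SMTP abuse" disabled=no
add chain=forward action=drop protocol=tcp dst-port=25 src-address-list=spammer comment="Drop SMTP from listed hosts" disabled=no

# Alternative to step 2 (changeip's "only allow 2-3 connections at a time"): reject the fourth
# concurrent SMTP session per client instead of listing the host. Enable one approach, not both.
add chain=forward action=reject protocol=tcp dst-port=25 tcp-flags=syn connection-limit=3,32 comment="Cap SMTP sessions per client" disabled=yes

# 3. The known_viruses chain is only useful if forward jumps to it before any accept rule.
add chain=forward action=jump jump-target=known_viruses comment="Check for virus traffic" disabled=no

# 4. Only now accept the rest of the forwarded traffic.
add chain=forward action=accept connection-state=established comment="Accept established" disabled=no
add chain=forward action=accept connection-state=related comment="Accept related" disabled=no
add chain=forward action=accept comment="Accept remaining forwarded traffic" disabled=no

# known_viruses chain: the per-customer block cmon69 asked for. reject (not drop) because the
# source is an inside client, so it gets an ICMP error at once instead of waiting for timeouts.
add chain=known_viruses action=reject protocol=tcp dst-port=25 src-address=10.10.0.33 comment="Infected customer: no SMTP" disabled=no
# Traffic arriving from outside should be dropped instead, so the router does not answer on an attacker's behalf.
add chain=known_viruses action=drop protocol=tcp dst-port=135-139 comment="Windows Netbios" disabled=no
add chain=known_viruses action=drop protocol=tcp dst-port=445 comment="Windows Netbios" disabled=no
```

Rules are evaluated top to bottom, so after pasting this, check with `/ ip firewall filter print` that nothing above step 1 accepts forwarded traffic.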
 
butche
Trainer
Posts: 428
Joined: Fri May 28, 2004 6:14 pm
Location: Missouri, USA

Re: Customer with Virus "Port Blocking"

Sat Jan 05, 2008 12:40 am

I have a customer who I suspect has a virus. Its opening a hundred or more connections on port 25. Is there a way to either rate limit or block a port based on a customers IP address?
Ok...so I'm about 2 months behind in the forums. :-)

I have a script that does this as well. It uses a different approach than the other wiki post mentioned. You can contact me via email or phone at website below.
