How to automate updating one rule in many mikrotiks?

Posted: Mon May 22, 2006 5:47 pm
by grzesjan
I have many mikrotiks with private addresses which act as a nat. However I have several network prefixes (all in my own network) I don't want to nat the traffic to.

I have done it making /ip firewall address-list nonat and defining there some prefixes and one rule in /ip firewall nat which accepts dst-addresses in nonat address-list and then src-nat is done to other addresses.

Everything is fine but the prefixes I don't want to nat change - some network connects and they join the list, some disconnect and they are removed.

Is there a way to automate changing the configuration of 20 mikrotiks?
All 20 mikrotiks have the same /ip firewall address-list nonat and all I want to do is to somehow automate the process of updating the list. It doesn't need to be immediate; for example, an update (if needed) once an hour is OK.

I have thought to put some file on web and that file has all prefixes listed.
Once an hour the Mikrotiks download the file and update the firewall address-list.
Is it possible to do it?

Thanks in advance for your help.

Gregor

Posted: Mon May 22, 2006 7:00 pm
by Eugene
Better run a bash script from dedicated box, something like:

# push the same address-list change to every router over ssh
# (address-list entries are keyed by list=, not name=)
for i in $ROUTER_ADDRESSES; do
    ssh -l "$USER" "$i" "/ip firewall address-list remove [find list=nonat]; /ip firewall address-list add list=nonat address=<address>"
done

Posted: Mon May 22, 2006 7:30 pm
by grzesjan
> Better run a bash script from dedicated box, something like:
> for i in $ROUTER_ADDRESSES; do
>     ssh -l "$USER" "$i" "/ip firewall address-list remove [find list=nonat]; /ip firewall address-list add list=nonat address=<address>"
> done
Yes, I know such solutions - they are good but have one weak point - after compromising one "dedicated box" all my mikrotiks stay open. That is why I prefer web data fetching.

Can you suggest me something more secure?

Thanks in advance,

Gregor

Posted: Tue May 23, 2006 8:20 pm
by eflanery
Are you suggesting that http is more secure than ssh?

Hint: it isn't.

--Eric

Posted: Tue May 23, 2006 8:23 pm
by changeip
I think he/she means that doing a pull from each router (each with their own security) is more secure than pushing from a single location, because if that single location gets compromised they gain access to all the boxes.

Another vote for wget : )

Sam

Posted: Tue May 23, 2006 9:12 pm
by eflanery
Ahh, I see.

Sorry, I misunderstood.

I will also echo the request for wget, or even better curl.

One avenue you may wish to explore, would be linking a BGP instance to the address-list(s), with a frequently run script (I use a funky ping, and a firewall rule that detects it, to avoid writing to flash, and to ensure the address ages out correctly). That way, you could keep them updated in near real-time, and a compromise of your route server would only give access to the address-list(s) under its control. I've been playing with something like this, and it does work, but I haven't actually used it for anything yet.

--Eric

Posted: Tue May 23, 2006 9:22 pm
by grzesjan
> One avenue you may wish to explore, would be linking a BGP instance to the address-list(s), with a frequently run script (I use a funky ping, and a firewall rule that detects it, to avoid writing to flash, and to ensure the address ages out correctly). That way, you could keep them updated in near real-time, and a compromise of your route server would only give access to the address-list(s) under its control. I've been playing with something like this, and it does work, but I haven't actually used it for anything yet.
> --Eric
I'm not sure if I have understood - do you suggest that I make bgp route server and announce there routes which I don't want to nat?
And then script on mikrotik which searches for routes received and adds them to firewall address-list?

Gregor

Posted: Wed May 24, 2006 1:36 am
by eflanery
Basically, yes.

What I have been doing is something like this:
# mark routes carrying community 65009:666 from instance "rs", but keep them out of the routing table
/routing filter add chain=rs-bgp-in bgp-communities=65009:666 set-routing-mark=drop-me set-disabled=yes

# a ping sourced from the dummy address 0.0.0.1 puts its destination on the list (with a timeout) and is then dropped
/ip firewall filter add chain=output src-address=0.0.0.1 action=add-dst-to-address-list address-list=drop-me address-list-timeout=10m

/ip firewall filter add chain=output src-address=0.0.0.1 action=drop

/ip firewall filter add chain=forward src-address-list=drop-me action=drop
And then, a script that runs every 5m:
:foreach X in [/ip route find routing-mark=drop-me] do={
    /ping [/ip route get $X dst-address] count=1 src-address=0.0.0.1
}
So, any address (/32 route) coming in over BGP instance "rs" with a community of 65009:666 will have all packets sourced from it dropped.

It would be easy enough to replace that last filter, with something that controls NAT. (Or other things, the possibilities are near endless)

--Eric

Posted: Wed May 24, 2006 2:52 am
by changeip
Eric,

That's a cool idea - I went at it a different way but accomplished the same thing I think.

http://wiki.mikrotik.com/wiki/Generate_ ... ting-marks

I am sure I will find a use for having the MT produce the pings to add rules though, so I'm glad you posted that. I have internal web servers using that ping method to add blocks to the firewalls on the fly, just found more uses for your scripts above : )

Posted: Wed May 24, 2006 11:47 am
by grzesjan
Thanks all for your help. A BGP route server is quite a reasonable idea. I will try to implement this. But I still think that we should have wget :)

Gregor

Posted: Thu May 25, 2006 9:54 pm
by eflanery
Yup, they are quite similar.

The major difference is that the bogon one modifies the config, and does not break on non-/32 routes; while the ping-based one is just the opposite. I wanted to avoid modifying the config, and take advantage of the address-list-timeout option. But, you can't ping a /24 as a whole; and if it looped through sending pings to each address, the address-list could grow huge and inefficient. :(

I suppose one could make a hybrid, where it would ping if a /32, and manually add if not, but that could be confusing (and inconsistent in its timeout method). :?

Slightly different tools for slightly different tasks, I guess.

Unless, of course, MT wanted to add a direct path between BGP and address-lists, bypassing the need for a script entirely. Something like:
/routing filter add chain=rs-bgp-in bgp-communities=65009:666 mirror-dst-in-address-list=drop-me set-disabled=yes
Or, something to that effect. Another feature suggestion, MikroTik guys. :D

--Eric

Posted: Thu May 25, 2006 10:45 pm
by changeip
> /routing filter add chain=rs-bgp-in bgp-communities=65009:666 mirror-dst-in-address-list=drop-me set-disabled=yes

That would be handy. Being able to use address-list for BGP announcements / filters would be nice : ) We plan on providing BGP feeds as a public service shortly... subscribe to a feed of known zombies, port scanners, rbls, etc. Somewhat like the Cymru bogons bgp feed. It would be nice to use mikrotik for this.

Sam

Posted: Thu May 25, 2006 11:00 pm
by eflanery
Distributed real-time multi-ISP firewall, I like it. :twisted:

--Eric

Posted: Fri May 26, 2006 6:40 pm
by Eugene
> I think he/she means that doing a pull from each router (each with their own security) is more secure than pushing from a single location, because if that single location gets compromised they gain access to all the boxes.
>
> Another vote for wget : )
>
> Sam

Well, if the box they pull data from is compromised, the result is the same.

Posted: Fri May 26, 2006 11:35 pm
by grzesjan
> Well, if the box they pull data from is compromised, the result is the same.
No, because we can filter pulled data. Some checking can be done. Some damage can be done if main box is compromised (for example they can turn off nat for everyone), but they can not _compromise_ the rest of boxes, for example they can not steal data from them.

Gregor

Posted: Sat May 27, 2006 7:51 am
by sten
> I think he/she means that doing a pull from each router (each with their own security) is more secure than pushing from a single location, because if that single location gets compromised they gain access to all the boxes.
Haha, wget would be cool but consider if someone compromises the webserving server?

Talk about shooting yourself in the foot.

And injecting text into http tcp connections is among the easier things to do with . All the hacker would need to be doing is be connected to the same bridged/switched/hubbed network. Doesn't have to be the same access point even!

Ettercap actually comes with a GUI now :D
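Gregor's point that pulled data can be filtered, and sten's point that a plain-HTTP transfer can have text injected into it, both land on the pulling side. As an added example (not from this thread), here is the validation a puller would run on the published prefix file before touching the address-list: each line must be a well-formed CIDR inside our own address space, the file carries an HMAC so an altered or injected copy is rejected, and the change is applied as a diff rather than by emptying and refilling the list. OWN_NETWORKS, KEY and the sample file are constructed assumptions.

```python
import hmac
import hashlib
import ipaddress

# Assumption: only prefixes inside our own address space may ever become
# "nonat" entries, so anything else in the fetched file is rejected.
OWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12")]

# Constructed sample of the published file and a constructed shared key
# (a real deployment distributes its own key out of band).
KEY = b"constructed-demo-key"
SAMPLE_FILE = b"10.1.0.0/16\n10.2.5.0/24  # branch\n192.0.2.0/24\n10.3.0.1/8\nnot-a-prefix\n"
SAMPLE_TAG = hmac.new(KEY, SAMPLE_FILE, hashlib.sha256).hexdigest()  # publisher side

def verify_hmac(body, tag_hex, key):
    """A file altered or injected on the wire no longer matches its tag."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)

def parse_prefix_list(text, own_networks=OWN_NETWORKS):
    """Return (accepted, rejected): canonical CIDR strings inside our own
    networks, and the raw lines that failed validation, in file order."""
    accepted, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)  # host bits set -> error
        except ValueError:
            rejected.append(line)
            continue
        if not any(net.version == own.version and net.subnet_of(own)
                   for own in own_networks):
            rejected.append(line)  # outside our address space
            continue
        accepted.add(str(net))
    return accepted, rejected

def plan_update(current, wanted):
    """RouterOS commands touching only the entries that differ, so the list is
    never emptied and rebuilt (no window where everything gets NATed)."""
    cmds = [f"/ip firewall address-list add list=nonat address={n}"
            for n in sorted(wanted - current)]
    cmds += [f"/ip firewall address-list remove [find list=nonat address={n}]"
             for n in sorted(current - wanted)]
    return cmds
```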

Re: How to automate updating one rule in many mikrotiks?

Posted: Tue Aug 18, 2009 4:36 pm
by davidw
Hi Gregor, not sure if you found a decent solution but... you could try http://www.routertools.com.au. We wrote this software after trying to manage 400 routers became near impossible doing it 1 by 1.
> I have many mikrotiks with private addresses which act as a nat. However I have several network prefixes (all in my own network) I don't want to nat the traffic to.
>
> I have done it making /ip firewall address-list nonat and defining there some prefixes and one rule in /ip firewall nat which accepts dst-addresses in nonat address-list and then src-nat is done to other addresses.
>
> Everything is fine but the prefixes I don't want to nat change - some network connects and they join the list, some disconnect and they are removed.
>
> Is there a way to automate changing the configuration of 20 mikrotiks?
> All 20 mikrotiks have the same /ip firewall address-list nonat and all I want to do is to somehow automate the process of updating the list. It doesn't need to be immediate; for example, an update (if needed) once an hour is OK.
>
> I have thought to put some file on web and that file has all prefixes listed.
> Once an hour the Mikrotiks download the file and update the firewall address-list.
> Is it possible to do it?
>
> Thanks in advance for your help.
>
> Gregor

Posted: Thu Sep 03, 2009 6:23 pm
by m4rk0
> Better run a bash script from dedicated box, something like:
>
> for i in $ROUTER_ADDRESSES; do
>     ssh -l "$USER" "$i" "/ip firewall address-list remove [find list=nonat]; /ip firewall address-list add list=nonat address=<address>"
> done
Do you have a full script which will send a specified command to all routers in $ROUTER_ADDRESSES?