SuperMario
just joined
Topic Author
Posts: 8
Joined: Sat Mar 06, 2021 10:25 am

Open ftp only for WAN-IP-range

Sat Mar 06, 2021 10:48 am

Hi all,

My FTP NAS gets brute-force attacks from time to time that make the log file explode. Most of the time from China.
Anyway, I only want to grant FTP access from Belgium.
So I have created & uploaded a white-list from https://mikrotikconfig.com/firewall/ (great tool btw). The (white) list is called "CountryIPAllow".

I have masquerade on port 21 to access the FTP from inside the LAN & a dynamic hairpin (which updates my WAN IP) to access the FTP from the WAN.
Ports other than 21 are forwarded to other devices, so those should not be blocked.

I've seen examples that drop requests from a blacklist, but my blacklist is too heavy, so I need to do the inverse rule.
How should I configure the firewall to allow "CountryIPAllow" and drop all other port-21 access?

Many thanks in advance!
 
SuperMario
just joined
Topic Author
Posts: 8
Joined: Sat Mar 06, 2021 10:25 am

Re: Open ftp only for WAN-IP-range  [SOLVED]

Mon Mar 08, 2021 9:23 am

Update

I found the solution:
  • Install the list following the instructions in the video (found on the same page)
  • Then add 2 rules to the firewall:
    • /ip firewall filter add chain=forward action=accept protocol=tcp dst-port=21 src-address-list=CountryIPAllow log=no log-prefix="" comment="FTP control connections (dst-port 21) from the allowed countries"
    • /ip firewall filter add chain=forward action=drop protocol=tcp dst-port=21 log=no log-prefix="" comment="all other FTP control connections"

Warning: the last rule also drops connections from inside to external FTP servers. So I added a new rule to allow outgoing FTP traffic.
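An added example (not the poster's own config) of the same country allowlist expressed as request-side rules, with the NAT rule itself restricted to the allowed list, the passive data range forwarded alongside the control port, and outbound FTP from the LAN left untouched. The NAS address 192.168.88.10, the interface list name WAN and the passive range 55000-55100 are assumptions; the address list CountryIPAllow is the one imported from the generator.

```routeros
# Added example, not the original poster's configuration.
# Assumed values: NAS at 192.168.88.10, WAN interfaces in interface list "WAN",
# passive FTP range 55000-55100 configured on the NAS, address list "CountryIPAllow"
# already imported from the generator page.

/ip firewall nat
# Only translate FTP control + passive data for sources on the allowlist.
# Traffic from anywhere else is never forwarded to the NAS at all.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=21,55000-55100 src-address-list=CountryIPAllow \
    to-addresses=192.168.88.10 \
    comment="FTP control + passive data to NAS, allowed countries only"

/ip firewall filter
# Replies and data channels are handled by connection tracking, so the
# rules below only judge NEW connections.
add chain=forward action=accept connection-state=established,related \
    comment="existing flows"
add chain=forward action=accept connection-state=new in-interface-list=WAN \
    protocol=tcp dst-address=192.168.88.10 dst-port=21,55000-55100 \
    src-address-list=CountryIPAllow \
    comment="FTP to NAS from allowed countries"
# log=no on purpose: logging every refused attempt would recreate the
# exploding-log problem that started this thread.
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    protocol=tcp dst-address=192.168.88.10 dst-port=21,55000-55100 log=no \
    comment="everything else aimed at the NAS FTP ports"
# Outbound FTP from the LAN is not affected: the drop rule matches only
# connections that arrive on a WAN interface.
```

Two caveats for anyone copying this: the existing hairpin rule for LAN access has to stay, because the rule above only translates traffic arriving on WAN; and with plain FTP the router's FTP connection-tracking helper (/ip firewall service-port, ftp) marks passive data connections as related, but once the NAS is switched to FTPS the helper can no longer read the encrypted PASV reply, so the explicit passive range forward is what keeps transfers working.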
 
erlinden
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 9:46 am

There are better options than FTP, but it is your choice. Port 21 is not sufficient for FTP; if it is working (the data part), you might want to investigate why.
 
SuperMario
just joined
Topic Author
Posts: 8
Joined: Sat Mar 06, 2021 10:25 am

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 10:39 am

It is working in that sense that the login-screen is not showing anymore for other IP's than BE. My goal was achieved.
I'm not an expert in this domain, and more than happy to accept other/better solutions.
 
erlinden
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 11:02 am

For data you have to forward a passive port range (configured in the FTP server). You might want to consider SFTP (from a security perspective).
 
SuperMario
just joined
Topic Author
Posts: 8
Joined: Sat Mar 06, 2021 10:25 am

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 11:12 am

Ah now I understand.
Unfortunately my NAS does not support SFTP.
 
erlinden
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 11:22 am

What NAS are you using? FTPS might be an option...
 
SuperMario
just joined
Topic Author
Posts: 8
Joined: Sat Mar 06, 2021 10:25 am

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 12:09 pm

It's a DNS-320L.
No SFTP possible.
 
erlinden
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 12:56 pm

FTPS is not the same as SFTP.
According to this forum you should be able to use SSL/TLS:
http://forums.dlink.com/index.php?topic=60539.0
 
SuperMario
just joined
Topic Author
Posts: 8
Joined: Sat Mar 06, 2021 10:25 am

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 1:00 pm

Thanks for the tip - I'll give it a try later on.
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 2:16 pm

Given how buggy various NAS appliances seem to be, and that regular FTP sends your credentials in plaintext which anyone can snoop, allowing access from even some of the internet is a bad idea - using a VPN would help.
 
SuperMario
just joined
Topic Author
Posts: 8
Joined: Sat Mar 06, 2021 10:25 am

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 2:34 pm

I see, but that is impossible. I have about 50 customers needing to access the FTP from several places. Moreover, my customers do not have an IT department able to set up a VPN. It's not worth it.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Open ftp only for WAN-IP-range

Mon Mar 08, 2021 2:43 pm

Let me be blunt: if you run an FTP server plain you will get hacked. It's like a beacon on the internet.
Now I don't know crap about that stuff, but I suspect that anybody using your server, if it is hacked, would then become vulnerable as well through their FTP connection......... not funny!!

Recommend some form of encryption as indicated, so at least passwords are protected somewhat.
Now in terms of users, why is it public to the internet? I am assuming you have either family or a close-knit group of friends that do so.
Well, that's easy then.
All you need to do is insist that to use your server they need to provide you with a domain name that you can put in your firewall address list.

Such that your dstnat rule for the server looks like this:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Access To My NAS" \
    dst-port=portX,portY,portZ in-interface-list=WAN log=yes \
    protocol=tcp src-address-list=Authorized_Users to-addresses=local_server_ip

where your firewall address list for external users looks like:

/ip firewall address-list
add address=mydomain.net comment=george list=Authorized_Users
add address=new.home.net comment=sally list=Authorized_Users
add address=freedomain.net comment=mom-dad list=Authorized_Users
add address=signme.up.org comment=cousin list=Authorized_Users
add address=free.dyn.org comment=frank list=Authorized_Users

There are many free domain name services out there.
The beauty of the above is that the router will resolve them to IP addresses for you.
