Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Drop all from WAN not DSTNATed

Sun Jul 03, 2022 10:17 am

Hello to all engineers and experts in this MikroTik forum!
In the MikroTik router v7.4beta4 default configuration,
in IP Firewall I found this rule:
Chain: forward
In interface list: WAN
Connection state: new
Connection NAT state: not dstnat
Action: drop
So can anyone explain to me what this rule means, or what the benefit of such a rule is?
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Drop all from WAN not DSTNATed

Sun Jul 03, 2022 12:22 pm

Prevents NAT bypass. But you can remove the rule and drop anything in the raw table destined towards RFC6890 subnets directly.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Drop all from WAN not DSTNATed

Sun Jul 03, 2022 12:33 pm

Firewall rules must be seen as a whole, as their mutual position is important. This particular rule aggregates the functionality of multiple separate rules. The basic one is the "default drop" role, meaning that all packets that have not been matched by any previous rule in the same chain will be dropped. But instead of placing separate rules action=accept connection-nat-state=dstnat and action=accept in-interface-list=!WAN before the "default drop" one, match conditions connection-nat-state=!dstnat in-interface-list=WAN (i.e. inverted ones) have been added to the "default drop" one, exempting packets matching any of these (direct, not inverted) conditions from matching it.

The purpose of exempting packets not coming from WAN from getting dropped is clear - in a typical application, you want your LAN clients to be able to connect anywhere in the internet.

The purpose of exempting packets that have been dst-nated from getting dropped is to simplify the firewall - if you want to add some restrictive conditions on the source addresses and/or ports, you add them directly to the action=dst-nat rule(s) in /ip firewall nat, so packets not matching those conditions will not get dst-nated, and hence they will match the connection-nat-state=!dstnat condition in the "default drop" rule and get dropped.

It is probably also important to say that in the default firewall, the "default drop" rule only handles the initial packet of each connection; mid-connection packets are accepted by the first rule, action=accept connection-state=established,related,untracked.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Drop all from WAN not DSTNATed

Sun Jul 03, 2022 3:37 pm

My two cents.
The use of ! is tricky and should be avoided by new users as it's a powerful tool (using a chainsaw when a butter knife is needed).
Being cool is not a reason to use it.

Thus the typical default rule (which is set up to be safe along with other rules.......... as sindy pointed out, looking at firewall rules in isolation is a fool's game) is attempting to be cute and do two things.
Before proceeding one should note that the default rule set is designed to allow all traffic except for what the admin blocks, hence......

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

Which basically states:
a. for any new connections (redundant, not required)
b. coming in on the WAN interface (limits any dst-nat that may be required on the LAN side - when folks are to use the public IP of the router to access a server)
c. drop all traffic that is not dst-natted.

Much better is the following.
A clear, simple rule allowing dstnat:
add chain=forward action=accept connection-nat-state=dstnat

Followed by a better security drop rule, which stops ALL other traffic not matched above, both WAN and LAN:
add chain=forward action=drop comment="drop all else"

Note this in effect changes the design of the forward chain rule to one that blocks ALL traffic automatically unless specifically allowed by the admin above the drop rule.
For example you will need to add an internet access rule, as it was allowed before without you really knowing it.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
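To make sindy's "aggregated rule" reading and anav's two-rule rewrite concrete, here is a small Python model of forward-chain evaluation (an added example, not code from the thread or from RouterOS). It assumes the defconf established/related/untracked accept stays in front in both layouts, and models only the four matchers the thread discusses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_list: str      # interface list the packet arrived on: "WAN" or "LAN"
    out_list: str     # interface list it would leave on
    conn_state: str   # "new", "established", "related" or "untracked"
    nat_state: str    # "dstnat" if the connection was dst-natted, else "none"
def matches(rule, pkt):
    """Every condition must hold; '!x' is RouterOS's inverted match."""
    for key, want in rule.items():
        if key == "action":
            continue
        have = getattr(pkt, key)
        if want.startswith("!"):
            if have in want[1:].split(","):
                return False
        elif have not in want.split(","):
            return False
    return True
def verdict(chain, pkt):
    """First matching rule wins; no match means accept (RouterOS chain default)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"
# defconf forward chain: established/related first, then the combined rule.
DEFCONF = [
    {"action": "accept", "conn_state": "established,related,untracked"},
    {"action": "drop", "conn_state": "new", "in_list": "WAN", "nat_state": "!dstnat"},
]
# anav's rewrite (established accept kept): accept dstnat, accept LAN->WAN, drop all else.
STRICT = [
    {"action": "accept", "conn_state": "established,related,untracked"},
    {"action": "accept", "nat_state": "dstnat"},
    {"action": "accept", "in_list": "LAN", "out_list": "WAN"},
    {"action": "drop"},
]
# Constructed sample packets, one per case the thread talks about.
SAMPLES = {
    "wan_new_dstnat": Packet("WAN", "LAN", "new", "dstnat"),      # port-forward
    "wan_new_direct": Packet("WAN", "LAN", "new", "none"),        # NAT bypass
    "wan_established": Packet("WAN", "LAN", "established", "none"),
    "lan_new_to_wan": Packet("LAN", "WAN", "new", "none"),        # internet
    "lan_new_to_lan": Packet("LAN", "LAN", "new", "none"),        # between LANs
}
def evaluate(chain):
    """Map each sample name to the chain's verdict, 'accept' or 'drop'."""
    return {name: verdict(chain, pkt) for name, pkt in SAMPLES.items()}
```

Running `evaluate` on both chains shows they agree on WAN traffic, while the strict chain also drops LAN-to-LAN forwarding and, without the explicit LAN->WAN accept, internet access too.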
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Drop all from WAN not DSTNATed

Sun Jul 03, 2022 5:03 pm

Very thankful to all; I appreciate every single word here.
