ChrisVanMeer
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Jul 03, 2016 2:29 pm
Location: The Netherlands

IP Firewall rules, need help with optimization

Fri Jul 29, 2016 2:34 pm

I have three questions:

1 > Can I use a port-range in a filter-rule? Right now I have:
/ip firewall filter
add chain=input dst-port=22,2248,2249,2250,2251,2252,2253,2254 in-interface=ether1 protocol=tcp src-address=z.z.z.z
Can I do something like dst-port=22,2248-2254?

2 > Can I optimize these rules? For every rule, x.x.x.X matches with y.y.y.X.
I now have several rules for every host, both for icmp and certain dst-port. Can this be optimized in less rules?
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=x.x.x.248 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.248
add action=dst-nat chain=dstnat dst-address=x.x.x.249 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.249
add action=dst-nat chain=dstnat dst-address=x.x.x.250 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.250
add action=dst-nat chain=dstnat dst-address=x.x.x.251 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.251
add action=dst-nat chain=dstnat dst-address=x.x.x.252 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.252
add action=dst-nat chain=dstnat dst-address=x.x.x.253 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.253
add action=dst-nat chain=dstnat dst-address=x.x.x.254 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.254
add action=dst-nat chain=dstnat dst-address=x.x.x.248 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.248
add action=dst-nat chain=dstnat dst-address=x.x.x.249 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.249
add action=dst-nat chain=dstnat dst-address=x.x.x.250 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.250
add action=dst-nat chain=dstnat dst-address=x.x.x.251 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.251
add action=dst-nat chain=dstnat dst-address=x.x.x.252 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.252
add action=dst-nat chain=dstnat dst-address=x.x.x.253 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.253
add action=dst-nat chain=dstnat dst-address=x.x.x.254 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.254
3 > I map certain outside ports to inside ports, in this case, the dst-port = 2+the last number of y.y.y.X.
For example, 2248 corresponds with y.y.y.248. And the ports are always forwarded to 22 on the inside. Can we use a regex or something to optimize these rules?
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=2248 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.248 to-ports=22
add action=dst-nat chain=dstnat dst-port=2249 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.249 to-ports=22
add action=dst-nat chain=dstnat dst-port=2250 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.250 to-ports=22
add action=dst-nat chain=dstnat dst-port=2251 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.251 to-ports=22
add action=dst-nat chain=dstnat dst-port=2252 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.252 to-ports=22
add action=dst-nat chain=dstnat dst-port=2253 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.253 to-ports=22
add action=dst-nat chain=dstnat dst-port=2254 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.254 to-ports=22
Thanks,
Chris
 
pe1chl
Forum Guru
Posts: 5532
Joined: Mon Jun 08, 2015 12:09 pm

Re: IP Firewall rules, need help with optimization

Fri Jul 29, 2016 3:39 pm

1: yes
2 and 3: yes, you can use "netmap" as an action to translate a range of addresses in a single rule

however, note that netmap is stateless so you need to do it in two directions
 
ChrisVanMeer
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Jul 03, 2016 2:29 pm
Location: The Netherlands

Re: IP Firewall rules, need help with optimization

Fri Jul 29, 2016 5:10 pm

Ok, could you give me an example?
 
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: IP Firewall rules, need help with optimization

Fri Jul 29, 2016 11:35 pm

If you're always mapping a public IP to the same private IP, and not changing the ports at all, (I only glanced over the given rules, and saw that Pe1chl has already recommended the same thing I would - netmap) you can do all of it with just one pair of rules:

/ip firewall nat
add chain=dstnat action=netmap dst-address=o.o.o.0/27 to-addresses=i.i.i.0/27
add chain=srcnat action=netmap src-address=i.i.i.0/27 to-addresses=o.o.o.0/27

don't mention ports or anything - this just means "if you see a dst IP of o.o.o.X, then make it i.i.i.X and leave the ports alone"

There's no need to specify each port if the ports aren't going to get modified by NAT rules. If you're trying to limit access to all but certain desired ports, then you should use the filter table to block undesired ports - don't "block" them by failing to nat them consistently - that's broken behavior, and mixes the functionality of the two tables in a way that's not straightforward.

netmap is a stateless NAT - it doesn't create table entries like dstnat / srcnat rules do - so these packets do get compared to the nat rule chain every time. However, it's able to scale to a larger number of addresses since it's a simple rule, and it is less "intrusive" to the host behind the NAT because it never "times out" due to inactivity. This stateless nature is the reason you need a rule for the inbound AND a rule for the outbound.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
ChrisVanMeer
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Jul 03, 2016 2:29 pm
Location: The Netherlands

Re: IP Firewall rules, need help with optimization

Sat Jul 30, 2016 7:58 am

Ok guys, thanks!
I have one and two covered now.
I'm still struggling with 3:
add action=dst-nat chain=dstnat dst-port=2248 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.248 to-ports=22
add action=dst-nat chain=dstnat dst-port=2249 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.249 to-ports=22
add action=dst-nat chain=dstnat dst-port=2250 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.250 to-ports=22
add action=dst-nat chain=dstnat dst-port=2251 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.251 to-ports=22
add action=dst-nat chain=dstnat dst-port=2252 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.252 to-ports=22
add action=dst-nat chain=dstnat dst-port=2253 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.253 to-ports=22
add action=dst-nat chain=dstnat dst-port=2254 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.254 to-ports=22
In this case there is a correlation between the last octet of the destination ip (.248-.254) and the dst-port (2+last octet of the destination IP).
That destination port is always converted to port 22.
Can we optimize these rules, or do I have to leave them as is?
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: IP Firewall rules, need help with optimization

Sun Jul 31, 2016 5:47 pm

You could squeeze a touch more performance by moving these rules to a custom chain - call it SSH_Pinholes
Then make a single rule that checks the range and jumps to ssh_pinholes if the port is in that range...

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=2248-2254 action=jump jump-target=SSH_Pinholes

... however, I don't see much benefit in doing this because dstnat chain only has to be checked against new connections (or every packet in stateless connections).
If you are using netmap targets, I suggest placing those rules before these ssh pinhole rules so they're matched quickly, and then the ssh pinhole rules will only ever be checked whenever there are new stateful connection attempts.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
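Pulling ZeroByte's two replies together (the stateless netmap pair with the port restriction moved to the filter table, and the SSH_Pinholes jump chain placed after the netmap rules) as an added RouterOS example. This is not configuration from the thread; all addresses are constructed documentation-range values, and it assumes the pinhole ports are aimed at the router's own ether1 address, which lies outside the netmapped block.

```routeros
# Added example, not from the thread. Assumed (constructed) addressing:
# public 203.0.113.248/29 maps 1:1 onto private 192.168.0.248/29
# (so 203.0.113.248 <-> 192.168.0.248), the management host is 198.51.100.10,
# the wider allowed source prefix is 198.51.100.0/24, and ports 2248-2254 are
# aimed at the router's own ether1 address, outside the netmapped block.

/ip firewall nat
# 1:1 stateless netmap, one rule per direction; ports are left untouched.
add chain=dstnat action=netmap dst-address=203.0.113.248/29 \
    to-addresses=192.168.0.248/29 comment="netmap public -> private"
add chain=srcnat action=netmap src-address=192.168.0.248/29 \
    to-addresses=203.0.113.248/29 comment="netmap private -> public"

# SSH pinholes: one jump rule in dstnat, the per-port rules in their own chain.
# Listed after the netmap pair so the netmap rules are matched first.
add chain=dstnat action=jump jump-target=SSH_Pinholes in-interface=ether1 \
    protocol=tcp src-address=198.51.100.10 dst-port=2248-2254
add chain=SSH_Pinholes action=dst-nat protocol=tcp dst-port=2248 \
    to-addresses=192.168.0.248 to-ports=22
add chain=SSH_Pinholes action=dst-nat protocol=tcp dst-port=2249 \
    to-addresses=192.168.0.249 to-ports=22
add chain=SSH_Pinholes action=dst-nat protocol=tcp dst-port=2250 \
    to-addresses=192.168.0.250 to-ports=22
add chain=SSH_Pinholes action=dst-nat protocol=tcp dst-port=2251 \
    to-addresses=192.168.0.251 to-ports=22
add chain=SSH_Pinholes action=dst-nat protocol=tcp dst-port=2252 \
    to-addresses=192.168.0.252 to-ports=22
add chain=SSH_Pinholes action=dst-nat protocol=tcp dst-port=2253 \
    to-addresses=192.168.0.253 to-ports=22
add chain=SSH_Pinholes action=dst-nat protocol=tcp dst-port=2254 \
    to-addresses=192.168.0.254 to-ports=22

/ip firewall filter
# The port restriction lives here, not in the NAT table. The forward chain
# sees the already-translated private destination addresses.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=ether1 src-address=198.51.100.0/24 \
    dst-address=192.168.0.248/29 protocol=icmp
add chain=forward action=accept in-interface=ether1 src-address=198.51.100.0/24 \
    dst-address=192.168.0.248/29 protocol=tcp dst-port=22,80,443
add chain=forward action=drop in-interface=ether1 dst-address=192.168.0.248/29 \
    comment="everything else towards the netmapped hosts"
```

Because netmap is stateless, the forward drop rule is what actually closes the ports the old per-port dst-nat rules used to leave unmapped; without it, every port of the public block is reachable on the private hosts.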
