engragy
just joined
Topic Author
Posts: 9
Joined: Tue Jan 09, 2018 1:20 am

messed up my firewall filter rules

Mon Jun 29, 2020 2:35 am

I have been trying to secure my RouterOS a bit, so I followed this guide from the MikroTik wiki: https://wiki.mikrotik.com/wiki/Tips_and ... f_RouterOS
But once I added the firewall filter rules, the last rules (19, 20) in the following code lost any effect.
I mean, before adding rules 2 to 18 I was able to allow or restrict access to my LAN from outside, but now I can't, yet I am able to do so by disabling a port forward from the NAT tab.
 ;;; "just trying to block unwanted ips"
 0   chain=input action=drop src-address-list=block-attack 
 1   chain=forward action=drop src-address-list=block-attack 
 
 ;;; following the guide "Tips and Tricks for Beginners and Experienced Users of RouterOS"
 2   chain=input action=accept connection-state=established,related  
 3   chain=input action=accept in-interface=local
 4   chain=input action=accept in-interface=wlan

 5   chain=input action=drop connection-state=invalid
 6   chain=input action=drop dst-address-type=!local
 7   chain=input action=drop src-address-type=!unicast 
 8   chain=input action=drop src-address-list=not_in_internet in-interface=wan
 
 9   chain=forward action=accept connection-state=established,related 
 
10  chain=forward action=drop connection-state=invalid
13  chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=wan
14  chain=forward action=drop src-address-list=not_in_internet in-interface=wan 
15  chain=forward action=drop dst-address-list=not_in_internet in-interface=local  
16  chain=forward action=drop dst-address-list=not_in_internet in-interface=wlan
17  chain=forward action=drop src-address=!192.168.0.0/24 in-interface=local
18  chain=forward action=drop src-address=!192.168.1.0/24 in-interface=wlan

;;; "here i want to allow or strict access to local server but it is not working any more"
19  chain=input action=accept protocol=tcp dst-address=1.2.3.4 in-interface=wan dst-port=80 
20  chain=input action=accept protocol=tcp dst-address=1.2.3.4 in-interface=wan dst-port=443
So how can I restrict access to my NATed server again from the firewall filter rules, or is there another way to achieve that?
 
anav
Forum Guru
Posts: 4814
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: messed up my firewall filter rules

Mon Jun 29, 2020 3:14 am

Reset back to defaults, as I cannot make heads or tails of the mess you have indeed created.
Then let's focus on what you wish to accomplish:
Default Rules + Requirements for DST NAT rules.

By the way you can only limit access to the SERVER on your LAN to specific WANIPs if you know which WANIPs require access.
Typically you would make up a firewall address list for that and place it in the associated dst nat rule.

After we have the above straightened out, if you think you need more rules, feel free to add them.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
engragy
just joined
Topic Author
Posts: 9
Joined: Tue Jan 09, 2018 1:20 am

Re: messed up my firewall filter rules

Mon Jun 29, 2020 3:59 am

Reset back to defaults, as I cannot make heads or tails of the mess you have indeed created.
Thank you anav for your reply.
Rules 0 and 1 I added to block attacking IPs, that is why I set them first, but I can delete them.
The rules from 2 to 18 are an exact copy-paste of the guide from the MikroTik wiki page I mentioned.
The last 2 rules are an example of what I want (accept or drop connections destined for a certain IP with a destined port).
 
Jotne
Forum Guru
Posts: 1789
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: messed up my firewall filter rules

Mon Jun 29, 2020 10:19 am

19 chain=input action=accept protocol=tcp dst-address=1.2.3.4 in-interface=wan dst-port=80
20 chain=input action=accept protocol=tcp dst-address=1.2.3.4 in-interface=wan dst-port=443
Where is IP 1.2.3.4 located? On the router itself? If not, this will do nothing.
The input chain is only used for traffic that is going to the router itself (mostly used for management of the router: SSH, Winbox etc).
I would guess IP 1.2.3.4 is one you have on your inside LAN. If so, it's the forward chain that should be used.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
engragy
just joined
Topic Author
Posts: 9
Joined: Tue Jan 09, 2018 1:20 am

Re: messed up my firewall filter rules

Mon Jun 29, 2020 1:35 pm

Where is IP 1.2.3.4 located? On the router itself? If not, this will do nothing.
This IP is one of my public pool IPs that I get through PPPoE from the WAN interface.
I just noticed that if I disable the dst-nat rule (which translates a public IP to its local one), then filter rules like (19, 20) will count some packets.
 
anav
Forum Guru
Posts: 4814
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: messed up my firewall filter rules

Mon Jun 29, 2020 2:37 pm

Like I said, get rid of the wiki rules, put back the approved default rules and we can go from there, if not interested, others will help.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Zacharias
Forum Guru
Posts: 2309
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: messed up my firewall filter rules

Mon Jun 29, 2020 2:41 pm

Rules 19 and 20 are wrong anyways...
Input Chain captures traffic destined to the router itself...

A good starting point is the default firewall, so I'll agree with anav.
The next step is to study how the firewall works, about chains etc....
 
engragy
just joined
Topic Author
Posts: 9
Joined: Tue Jan 09, 2018 1:20 am

Re: messed up my firewall filter rules

Tue Jun 30, 2020 5:44 pm

Thank you guys for pointing me to resetting the router (it felt like a fresh OS install, which is better than upgrade over upgrade). I did the reset with the default configs, then configured the router as I want but left the default firewall filter rules, and it looks like this:
 
 0  chain=forward action=passthrough 

 1  chain=input action=accept connection-state=established,related,untracked 

 2  chain=input action=drop connection-state=invalid 

 3  chain=input action=accept protocol=icmp 

 4  chain=input action=accept dst-address=127.0.0.1 

 5  chain=input action=drop in-interface-list=!LAN 

 6  chain=forward action=accept ipsec-policy=in,ipsec 

 7  chain=forward action=accept ipsec-policy=out,ipsec 

 8  chain=forward action=fasttrack-connection connection-state=established,related 

 9  chain=forward action=accept connection-state=established,related,untracked 

10  chain=forward action=drop connection-state=invalid 

11  chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

I am using NAT to translate a public IP (I use, for example, 1.2.3.4) to a LAN IP (I use the example subnet 192.168.0.0/24) like this:
 0    ;;; port forward - server SMTP 25
      chain=dstnat action=dst-nat to-addresses=192.168.0.101 to-ports=25 protocol=tcp dst-address=1.2.3.4 dst-address-type=local in-interface=pppoe-out1 dst-port=25 

 1 X  ;;; port forward - server HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.101 to-ports=80 protocol=tcp dst-address=1.2.3.4 dst-address-type=local in-interface=pppoe-out1 dst-port=80 

 2 X  ;;; port forward - server HTTPS
      chain=dstnat action=dst-nat to-addresses=192.168.0.101 to-ports=443 protocol=tcp dst-address=1.2.3.4 dst-address-type=local in-interface=pppoe-out1 dst-port=443 

 3    ;;; forward server traffic via pub_ip
      chain=srcnat action=src-nat to-addresses=1.2.3.4 src-address=192.168.0.101 out-interface=pppoe-out1 

 4    ;;; Default Masquerade Rule for LAN
      chain=srcnat action=masquerade out-interface=pppoe-out1 

So what is the best way to achieve:
  • blocking connections from the WAN side from reaching my web server port, e.g. 8000; should I disable or delete such a rule from NAT, from filter, or from both?
  • there are some people who are trying to access my website via the public IP address; is there a method to block this from RouterOS?
  • is there a method to block access to website.com/admin from the WAN side but not from my LAN?

And lastly, thank you for your time and support ...
Last edited by engragy on Wed Jul 01, 2020 1:07 am, edited 1 time in total.
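An added example (not the thread's own config and not from MikroTik's docs) of restricting the dst-nat'd web server in the forward chain once the default rules above are in place: because dst-nat runs before filtering, the connection arrives in the forward chain with destination 192.168.0.101, so the rules go there, and the default rule 11 already drops every new WAN connection that was not port-forwarded. It assumes pppoe-out1 is a member of the WAN interface list and uses 203.0.113.0/24 as a constructed placeholder for the clients that may reach the server.

```routeros
# Added example, not the thread's own config. Server and subnet values
# come from the thread; 203.0.113.0/24 is a constructed placeholder for
# the clients allowed to reach the web server. Assumes pppoe-out1 is a
# member of the WAN interface list used by the default rules.
/ip firewall address-list
add list=web_allowed address=203.0.113.0/24 comment="clients allowed to reach the web server"

/ip firewall filter
# Both rules match in the forward chain after dst-nat has rewritten the
# destination to 192.168.0.101. Appended after the default rules, they
# are reached only by new, dst-nat'd connections that survived rule 11.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN protocol=tcp dst-address=192.168.0.101 dst-port=80,443 \
    src-address-list=web_allowed comment="allow listed clients to forwarded web ports"
add chain=forward action=drop connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN protocol=tcp dst-address=192.168.0.101 dst-port=80,443 \
    comment="drop everyone else to forwarded web ports"

# Port 8000 needs no filter rule: with no dstnat rule for it, the default
# rule 11 (drop new !dstnat from WAN) already discards such connections.
```

Restricting a URL path such as /admin is not addressed by these rules; a packet filter matches addresses and ports, not HTTP paths.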
 
anav
Forum Guru
Posts: 4814
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: messed up my firewall filter rules

Tue Jun 30, 2020 7:40 pm

(1) The default rules are a good start. However your source nat and destination nat rules are in need of extreme modification.

(2) Not sure why you have a src-address-list for masquerade outbound? Normally one just identifies the outbound WAN interface or WAN-interface list. (Assuming dynamic WANIP)
Assuming you are using this for some reason, but it's not clear?

(3) For Hairpin Nat you need to add another masquerade rule.
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade (use your appropriate subnet)

(4) This rule makes little sense to me?? It says port forwarding but you have srcnat in your rule????????????
What use case are you trying to achieve, without any mention of the config?

3 ;;; port forward - server via pub_ip
chain=srcnat action=src-nat to-addresses=1.2.3.4 src-address=192.168.0.101 out-interface=pppoe-out1


(5) What is dst-address 1.2.3.4?? Do you have a fixed static WANIP or a dynamic WANIP?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
engragy
just joined
Topic Author
Posts: 9
Joined: Tue Jan 09, 2018 1:20 am

Re: messed up my firewall filter rules

Wed Jul 01, 2020 1:34 am

Thank you anav for your feedback, and sorry if my config wasn't clear enough.

(2) From the previous configurations I had multiple subnets and I created an address list for one of them that would have internet access, that is why I used src-address-list, but I only have one subnet now and I didn't think it would make an issue with the rule.

(4) I am really sorry for the misleading port forward comment.

(5) I do have a pool of static IP addresses assigned to the PPPoE interface, and with the misleading src-nat rule I needed to forward the traffic of that specific server to one of them (I think this is 1:1 NATting, not sure ... ).

Please don't forget the extreme modification of the source NAT and destination NAT rules, and give advice about the items I want to achieve.
