pommes
just joined
Topic Author
Posts: 1
Joined: Wed Mar 08, 2023 2:31 am

All ports open? Connectable via telnet

Wed Mar 08, 2023 2:45 am

Hi,

I'm new to Mikrotik and trying to block all access from the internet to my router, but I seem to be able to telnet to any port and still get a response.

IPs are obviously not real.

version: 6.45.9 (long-term)
board-name: CCR1009-7G-1C-1S+

I have a drop input for the WAN port, but it doesn't seem to be working? Telnet is a fairly quick and dirty way of testing, but I'm getting to a lot of ports.

An nmap scan is also showing all ports as open.

> /ip address export
add address=213.213.213.213/30 interface=ether6 network=213.213.213.211
<snip>
> /ip firewall filter print
0 chain=input action=drop in-interface=ether6
1 chain=input action=drop dst-address=213.213.213.213

$telnet 213.213.213.213
Trying 213.213.213.213 ...
Connected to 213.213.213.213.
Escape character is '^]'.


$telnet 213.213.213.213 45000
Trying 213.213.213.213 ...
Connected to 213.213.213.213.
Escape character is '^]'.

$telnet 213.213.213.213 21
Trying 213.213.213.213 ...
Connected to 213.213.213.213.
Escape character is '^]'.


Any ideas? It seems super dodgy to me.

Thanks

Pomme de Terre
 
erlinden
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: All ports open? Connectable via telnet

Wed Mar 08, 2023 8:36 am

Can you please share your complete config?

/export file=anynameyoulike

Remove serial and any public IP information (as well from your opening post) and any personal information.

Any reason for still running this older LTS version?

By default, everything on the input chain is blocked, except through LAN access. And that should be sufficient:

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
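To make the first-match semantics of the input chain concrete, here is an added Python evaluator (written for this discussion, not MikroTik code) that walks an exported chain the way RouterOS does and returns the verdict for a constructed packet. It supports only the matchers that appear in this thread, and the interface-list membership (bridge and ether2 in LAN, ether6 in WAN) is an assumption made for the demo.

```python
import shlex

INTERFACE_LISTS = {"LAN": {"bridge", "ether2"}, "WAN": {"ether6"}}  # constructed for the demo
# The original poster's two rules and the defconf input chain, both in /export form.
OP_RULES_TEXT = """/ip firewall filter
add chain=input action=drop in-interface=ether6
add chain=input action=drop dst-address=213.213.213.213
"""
DEFCONF_TEXT = """/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
"""
# Constructed packets: a new SYN from the WAN, the reply to a connection the router
# itself opened (it arrives on the WAN as "established"), and a new SYN from the LAN.
WAN_SYN = dict(in_interface="ether6", conn_state="new", protocol="tcp",
               dst_address="213.213.213.213", dst_port=45000)
WAN_REPLY = dict(WAN_SYN, conn_state="established")
LAN_SYN = dict(in_interface="bridge", conn_state="new", protocol="tcp",
               dst_address="192.168.88.1", dst_port=45000)

def parse_rules(export_text):
    # Each "add key=value ..." line becomes a dict; shlex keeps quoted comments intact.
    rules = []
    for line in export_text.splitlines():
        toks = shlex.split(line)
        if toks and toks[0] == "add":
            rules.append(dict(t.split("=", 1) for t in toks[1:] if "=" in t))
    return rules

def _match(rule, pkt):
    # Every matcher present in the rule must agree with the packet; absent matchers match anything.
    for key, field in (("in-interface", "in_interface"), ("protocol", "protocol"),
                       ("dst-address", "dst_address")):
        if key in rule and rule[key] != pkt[field]:
            return False
    for key, field in (("connection-state", "conn_state"), ("dst-port", "dst_port")):
        if key in rule and str(pkt[field]) not in rule[key].split(","):
            return False
    name = rule.get("in-interface-list")  # "!LAN" matches only traffic NOT from a LAN member
    if name and (pkt["in_interface"] in INTERFACE_LISTS.get(name.lstrip("!"), ())) == name.startswith("!"):
        return False
    return True

def verdict(rules, pkt, chain="input"):
    # RouterOS takes the first matching rule in the chain; no match means implicit accept.
    for rule in rules:
        if rule.get("chain") == chain and _match(rule, pkt):
            return rule["action"]
    return "accept"
```

Both chains drop the new SYN on ether6, so a connection that still completes from outside is not explained by rule ordering; the evaluator also shows that the poster's two rules drop established replies on ether6, which the defconf chain accepts first.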
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: All ports open? Connectable via telnet

Wed Mar 08, 2023 6:14 pm

When you are doing your Telnet test, are you running the test from some other internet connection, or are you trying from a LAN connection on the router?
 
martinszeltins
just joined
Posts: 1
Joined: Wed Dec 20, 2023 12:18 am

Re: All ports open? Connectable via telnet

Wed Dec 20, 2023 12:21 am

Did you find the solution? I am having the exact same problem, nmap shows all ports are open and telnet always connects. I am doing this from another internet connection not from inside my local network. I can't figure out what's wrong.

UPDATE: Strange but today I checked again and now the ports are not open. Maybe it was some cache issue. No idea.

Here is my configuration:
# dec/20/2023 00:09:15 by RouterOS 7.6
# software id = XXXX-XXX
#
# model = RBD53G-5HacD2HnD&EG18-EA
# serial number = XXXXXXXXXXXXX
/interface bridge
add admin-mac=48:A9:8A:1F:8D:DF auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=latvia disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=XXXXXXXX wireless-protocol=802.11 \
    wps-mode=push-button-5s
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=latvia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge skip-dfs-channels=10min-cac ssid=\
    XXXXXXXXXX wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.lmt.lv ipv6-interface=bridge name=\
    "LMT Internet" use-network-apn=no
add apn=static1.lmt.lv ip-type=ipv4 name=LMT-static1.lmt.lv
add apn=static2.lmt.lv ip-type=ipv4 name=LMT-static2.lmt.lv
add apn=internet1.lmt.lv ip-type=ipv4 name=LMT-internet1.lmt.lv
add apn=static61.lmt.lv ipv6-interface=bridge name=LMT-static61.lmt.lv
add apn=static62.lmt.lv ipv6-interface=bridge name=LMT-static62.lmt.lv
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=\
    LMT-static2.lmt.lv band=""
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=LMT
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.8.10-192.168.8.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface lte settings
set external-antenna=auto
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/ip address
add address=192.168.8.1/24 comment=defconf interface=bridge network=\
    192.168.8.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf gateway=192.168.8.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.8.1 comment=defconf name=router.lan
add address=212.93.xxx.xxx name=vpn.xxx.xxx
add address=192.168.8.230 name=ssh.xxx.xxx
add address=192.168.8.230 name=server.xxx.xxx
add address=192.168.8.230 disabled=yes name=failiem.xxx.xxx
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept LMT provisioning" \
    dst-port=8081 protocol=tcp src-address=212.93.97.83
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="[Hairpin / Loopback NAT] - Allow t\
    o access the home server on public IP address from within LAN" \
    dst-address=192.168.8.230 dst-port=80 out-interface=bridge protocol=tcp \
    src-address=192.168.8.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=\
    "80 -> 192.168.8.230 (Cloudflare forwards to port 80)" dst-address=\
    212.93.xxx.xxx dst-port=80 protocol=tcp to-addresses=192.168.8.230 \
    to-ports=80
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=router.lan
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add local-address=192.168.8.150 name=xxxxxxxxxx profile=default-encryption
add name=vpn profile=default-encryption
/system clock
set time-zone-name=Europe/Riga
/system identity
set name="LMT LTE18"
/system routerboard reset-button
set enabled=yes hold-time=5s..10s on-event=reset-configuration
/system scheduler
add interval=30m name=LMT on-event=lte_reset_script policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=yes name=reset-configuration owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/system reset-configuration"
add dont-require-permissions=yes name=lte_reset_script owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
    \nlocal counter\
    \nlocal ifname\
    \nlocal addrese\
    \n:if ([:len [interface find where type=\"lte\"]] > 1) do={:set \$ifname [\
    interface/get value-name=name number=[find where ifname~\"wwan0.0\"]]} els\
    e={\
    \n:do {\
    \nset \$ifname [interface get value-name=name number=[find where type~\"lt\
    e\"]]\
    \n} on-error={set \$ifname \"no such item\"}\
    \n}\
    \n\
    \nset \$counter [system/scheduler/get LMT comment]\
    \n\
    \n:if ([interface/lte/get \$ifname value-name=disabled] = true) do={:error\
    \_\"lte disabled\"}\
    \n:if (([interface lte monitor lte1 once as-value]->\"status\") = \"sim no\
    t present\") do={:error \"sim not present\"}\
    \n\
    \n:if (\$ifname = \"no such item\") do={:error \"no lte interface\"} else=\
    {\
    \n:do {\
    \nset \$addrese [ip address/get value-name=address number=[find where actu\
    al-interface~\"\$ifname\"]]\
    \n} on-error={set \$addrese \"no such item\"\
    \n}\
    \n\
    \n:if (\$addrese = \"no such item\") do={\
    \n/interface lte disable numbers=\$ifname\
    \ndelay 2;\
    \n/interface lte enable numbers=\$ifname\
    \n:local count 0;\
    \n:while ([/interface lte get \$ifname value-name=running] = false) do={\
    \n  :put \$count\
    \n  :if (\$count = 60) do={\
    \n    :if (\$counter = \"10\") do={:error \"already rebooted 10 times\"}\
    \n    :log error \"LTE not running after disable/enable. Rebooting...\";\
    \n    :if (\$counter = \"\") do={/system/scheduler/set LMT comment=1} else\
    ={/system/scheduler/set LMT comment=(\$counter + 1)}\
    \n    /execute script={/system/reboot};\
    \n  }\
    \n  :delay 1s; :set count (\$count +1); \
    \n}\
    \n:log warning \"LTE running after disable/enable\";\
    \n/system/scheduler/set LMT comment=\"\"\
    \n} else={/system/scheduler/set LMT comment=\"\"}\
    \n}}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tr069-client
set acs-url=https://xxx.lmt.lv:xxxx check-certificate=no \
    connection-request-port=8081 connection-request-username=xxxxxxxxxx \
    enabled=yes periodic-inform-interval=12h username=LMT
Last edited by martinszeltins on Wed Dec 20, 2023 12:07 pm, edited 1 time in total.
