
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Firewall Filter Rule before NAT rule

Sat Sep 04, 2010 6:35 pm

Hi,

I have a NAT rule for an SSH server inside the network, but to avoid brute force attacks I have some firewall rules. It looks like NAT has priority over the firewall, though. Is it possible to change that? To have the NAT rule and a firewall rule that blocks it (if the IP is in the blacklist).

Thanks.

RB750G OS4.10


-- GrayWolf
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall Filter Rule before NAT rule

Sat Sep 04, 2010 9:57 pm

NAT doesn't have priority over firewalling. Read the wiki manual on packet flow. Destination NAT happens first, then the firewall chains fire like they usually would but they will see the packet with the new destination IP address. Then source NAT changes the source IP address of the packet if warranted.

If you want more specific help post the rules you have and what you are trying to do, and what problem you are experiencing. It is perfectly possible to protect an inside server that you forward traffic to via the router firewall rules.
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 12:31 am

Here's my NAT rule:

chain=dstnat action=dst-nat to-addresses=192.168.88.120 to-ports=22
protocol=tcp in-interface=ether1-gateway dst-port=122


And I'm trying to secure it in a way as it is described here:
http://wiki.mikrotik.com/wiki/Bruteforc ... P_%26_SSH)

Which works fine for MikroTik's SSH, but not for my NAT rule. I've tried changing the chain to forward, but no luck.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 1:03 am

Changing it to the forward chain is correct. However, your NAT rule forwards to port 122 rather than 22. If that is correct you also have to adjust the destination ports in the filter rules accordingly. If it's a typo in the NAT rule, fix it.
 
ditonet
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 1:06 am

According to your NAT rule, change to 'dst-port=122' in the bruteforce prevention rules.

Regards, Grzegorz.
Grzegorz | MTCNA, MTCRE | MikroTik consulting, Warsaw
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 1:25 am

I did, here's what my firewall rules look like:

(It's my recent attempt with chain=forward and connection-state=new on everything.)
chain=forward action=drop connection-state=new protocol=tcp src-address-list=ssh_blacklist in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=accept connection-state=new protocol=tcp in-interface=ether1-gateway dst-port=122
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 2:07 am

Ok. I get it.

I wasn't supposed to look for port 122 in my filter rules, but 22. The port TO which NAT was forwarding.

Didn't expect that.

Thanks for the replies.
 
Milos
just joined
Posts: 16
Joined: Tue May 19, 2009 10:25 pm

Re: Firewall Filter Rule before NAT rule

Fri Apr 15, 2016 4:27 pm

NAT doesn't have priority over firewalling. Read the wiki manual on packet flow. Destination NAT happens first, then the firewall chains fire like they usually would but they will see the packet with the new destination IP address. Then source NAT changes the source IP address of the packet if warranted.

If you want more specific help post the rules you have and what you are trying to do, and what problem you are experiencing. It is perfectly possible to protect an inside server that you forward traffic to via the router firewall rules.
Fewi, I'm sorry for dropping by to this old post. But what about 1:1 NAT? I have an Asterisk server on a private IP. I want to be able to just allow specific IPs input on the server from outside without activating the Linux firewall. Since DST-NAT happens first there is no way to process it through firewall input rules. I have tried with mangle prerouting chain connection and packet marking and applying it on firewall filter rules, and still nothing. Do you have any recommendation based on this? Thanks in advance.
 
sash7
Frequent Visitor
Posts: 69
Joined: Sun Mar 20, 2016 10:39 pm

Re: Firewall Filter Rule before NAT rule

Fri Apr 15, 2016 6:43 pm

After dstnat, packets to your server (which is behind the router) go to the forward chain, not to input.
 
jeanericblass
just joined
Posts: 3
Joined: Fri Mar 03, 2017 12:37 pm

Re: Firewall Filter Rule before NAT rule

Fri Mar 03, 2017 12:44 pm

Filtered NAT
This parameter determines how the router handles incoming traffic. Secure option provides a secured firewall to protect network computers from Internet attacks, but can lead to the fact that some online games, applications such as "point-to-point" or multimedia applications will not work. On the other hand, the open option provides a much less secure firewall, but allows almost all Internet applications to work.
Here are further details that I found regarding NAT filtering: https://www.vpnranks.com/nat-filtering/
 
levicki
just joined
Posts: 10
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia

Re: Firewall Filter Rule before NAT rule

Sat Jun 23, 2018 2:11 am

Sorry for necroing an old thread, but it might be useful to mention that it is possible to drop packets before dstnat by using Raw rules in prerouting chain.

An example:
/ip firewall raw
add action=drop chain=prerouting dst-port=3389 in-interface=your_wan_interface protocol=tcp src-address-list=\
    !TRUSTED_IP_ADDRESSES
The above rule will drop any connection attempts from IP addresses not in your TRUSTED_IP_ADDRESSES list so they won't even reach dstnat.
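The packet-flow order that fewi describes (dstnat first, then the filter chains, which see the rewritten destination), the staged address-list rules GrayWolf posted, sash7's point that forwarded packets hit forward rather than input, and the raw prerouting drop above can all be checked against a small model. The following Python is an added example written for this page, not RouterOS code and not from anyone in the thread; the router and client addresses are constructed, the address-list timeouts are omitted, and rules that do not match fall through to "no-match" so it is visible when a filter set never fires.

```python
"""Toy model of the RouterOS packet-flow order this thread keeps coming back to:
raw/prerouting -> dstnat -> filter (input or forward) -> srcnat.
Constructed example; it is not RouterOS code and omits address-list timeouts."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple

ROUTER_WAN_IP = "203.0.113.1"     # constructed: the router's own public address
SERVER_IP = "192.168.88.120"      # the inside SSH server from the thread

# The forward-chain brute-force rules from the thread, in RouterOS rule order:
# (src-address-list the packet must be in, action, address-list to add the source to).
# add-src-to-address-list is non-terminating: the packet continues to the next rule.
FORWARD_RULES: List[Tuple[Optional[str], str, Optional[str]]] = [
    ("ssh_blacklist", "drop", None),
    ("ssh_stage3", "add", "ssh_blacklist"),
    ("ssh_stage2", "add", "ssh_stage3"),
    ("ssh_stage1", "add", "ssh_stage2"),
    (None, "add", "ssh_stage1"),
    (None, "accept", None),
]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Router:
    filter_port: int                      # dst-port the forward rules match on
    dnat: Dict[int, Tuple[str, int]]      # incoming dst-port -> (to-address, to-port)
    raw_drop_port: Optional[int] = None   # /ip firewall raw drop port (None = no raw rule)
    trusted: Set[str] = field(default_factory=set)   # stands in for TRUSTED_IP_ADDRESSES
    lists: Dict[str, Set[str]] = field(default_factory=dict)  # dynamic address lists

    def in_list(self, name: str, ip: str) -> bool:
        return ip in self.lists.get(name, set())

    def process(self, pkt: Packet) -> str:
        pkt = replace(pkt)  # work on a copy; NAT rewrites the header below
        # 1. raw prerouting runs before dst-nat, so it still sees the original port
        if (self.raw_drop_port is not None and pkt.dport == self.raw_drop_port
                and pkt.src not in self.trusted):
            return "raw:drop"
        # 2. dstnat rewrites the destination before any filter chain sees the packet
        if pkt.dport in self.dnat:
            pkt.dst, pkt.dport = self.dnat[pkt.dport]
        # 3. filter: input only if the (post-NAT) destination is the router itself
        if pkt.dst == ROUTER_WAN_IP:
            return "input:accept"
        return "forward:" + self.forward_chain(pkt)

    def forward_chain(self, pkt: Packet) -> str:
        if pkt.dport != self.filter_port:
            return "no-match"   # none of the brute-force rules fire
        for src_list, action, target in FORWARD_RULES:
            if src_list is not None and not self.in_list(src_list, pkt.src):
                continue
            if action in ("drop", "accept"):
                return action
            self.lists.setdefault(target, set()).add(pkt.src)  # non-terminating
        return "no-match"


def ssh_attempts(router: Router, src: str, n: int) -> List[str]:
    """Send n new connections from src to the forwarded SSH port 122 on the router."""
    return [router.process(Packet(src, ROUTER_WAN_IP, 122)) for _ in range(n)]


if __name__ == "__main__":
    dnat = {122: (SERVER_IP, 22)}
    # Filter rules written for port 122 never match: dstnat already changed it to 22.
    print(ssh_attempts(Router(filter_port=122, dnat=dnat), "198.51.100.7", 5))
    # Matching on the post-NAT port 22 walks the source through the stages, then drops.
    print(ssh_attempts(Router(filter_port=22, dnat=dnat), "198.51.100.7", 5))
    # A raw prerouting rule drops untrusted sources before dstnat even runs.
    raw = Router(filter_port=22, dnat=dnat, raw_drop_port=122, trusted={"198.51.100.9"})
    print(raw.process(Packet("198.51.100.7", ROUTER_WAN_IP, 122)),
          raw.process(Packet("198.51.100.9", ROUTER_WAN_IP, 122)))
```

With `filter_port=122` every attempt comes back as `forward:no-match`, which is exactly the symptom GrayWolf hit; with `filter_port=22` the fifth new connection from the same source is dropped, and with the raw rule in place an untrusted source is dropped before the dstnat step is reached at all. A packet addressed to port 22 on the router's own address never enters the forward chain and lands in input instead.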
 
craigreilly
newbie
Posts: 41
Joined: Mon Jan 26, 2015 7:04 pm

Re: Firewall Filter Rule before NAT rule

Fri Jun 14, 2019 10:19 pm

How about this:

/ip firewall filter
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN
 
mkx
Forum Guru
Posts: 2252
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall Filter Rule before NAT rule

Sat Jun 15, 2019 10:32 am

What about it? Didn't check every detail, but by the looks of it it's a default filter rule...
BR,
Metod
