Community discussions

MikroTik App
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Firewall Filter Rule before NAT rule

Sat Sep 04, 2010 6:35 pm

Hi,

I have a NAT rule for SSH server inside a network, but to avoid brute force attacks I have some firewall rules. But it looks like that NAT has a priority over Firewall. Is it possible to change that? To have NAT rule and Firewall rule to block it (if IP is in blacklist).

Thanks.

RB750G OS4.10


-- GrayWolf
 
fewi
Forum Guru
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall Filter Rule before NAT rule

Sat Sep 04, 2010 9:57 pm

NAT doesn't have priority over firewalling. Read the wiki manual on packet flow. Destination NAT happens first, then the firewall chains fire like they usually would but they will see the packet with the new destination IP address. Then source NAT changes the source IP address of the packet if warranted.

If you want more specific help post the rules you have and what you are trying to do, and what problem you are experiencing. It is perfectly possible to protect an inside server that you forward traffic to via the router firewall rules.
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 12:31 am

Here's my NAT rule:

chain=dstnat action=dst-nat to-addresses=192.168.88.120 to-ports=22
protocol=tcp in-interface=ether1-gateway dst-port=122


And I'm trying to secure it in a way as it is described here:
http://wiki.mikrotik.com/wiki/Bruteforc ... P_%26_SSH)

Which works fine for MikroTik's SSH, but not for my NAT rule. I've tried changinf the chain to forward, but no luck.
 
fewi
Forum Guru
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 1:03 am

Changing it to the forward chain is correct. However, your NAT rule forwards to port 122 rather than 22. If that is correct you also have to adjust the destination ports in the filter rules accordingly. If it's a typo in the NAT rule, fix it.
 
ditonet
Forum Veteran
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 1:06 am

According to your NAT rule change to 'dst-port=122' in bruteforce prevention rules.

Regards, Grzegorz.
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 1:25 am

I did, here's how my firewall rules look like:

(It's my recent attempt with chain=forward and connection-state=new on everything.)
chain=forward action=drop connection-state=new protocol=tcp src-address-list=ssh_blacklist in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=accept connection-state=new protocol=tcp in-interface=ether1-gateway dst-port=122
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 2:07 am

Ok. I get it.

I wasn't suppose to look for port 122 in my filter rules, but 22. The port TO which NAT was forwarding to.

Didn't expect that.

Thanks for the replies.
 
Milos
just joined
Posts: 16
Joined: Tue May 19, 2009 10:25 pm

Re: Firewall Filter Rule before NAT rule

Fri Apr 15, 2016 4:27 pm

NAT doesn't have priority over firewalling. Read the wiki manual on packet flow. Destination NAT happens first, then the firewall chains fire like they usually would but they will see the packet with the new destination IP address. Then source NAT changes the source IP address of the packet if warranted.

If you want more specific help post the rules you have and what you are trying to do, and what problem you are experiencing. It is perfectly possible to protect an inside server that you forward traffic to via the router firewall rules.
Fewi, I`m sorry for dropping by to this old post. But what about 1:1 NAT. I have Asterisk server on private IP. I want to be able to just allow specific IP`s input on server from outside without activating Linux firewall. Since DST-NAT happens first there is no way to process it through firewall input rules. I have tried with mangle prerouting chain connection and packet marking and apply it on firewall filter rules, and still nothing. Do you have any recommendation based on this. Thanks in advance.
 
sash7
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Sun Mar 20, 2016 10:39 pm

Re: Firewall Filter Rule before NAT rule

Fri Apr 15, 2016 6:43 pm

after dstnat packets to your server which is behind router going to forward chain, not to input.
 
jeanericblass
just joined
Posts: 2
Joined: Fri Mar 03, 2017 12:37 pm

Re: Firewall Filter Rule before NAT rule

Fri Mar 03, 2017 12:44 pm

Filtered NAT
This parameter determines how the router handles incoming traffic. Secure option provides a secured firewall to protect network computers from Internet attacks, but can lead to the fact that some online games, applications such as "point-to-point" or multimedia applications will not work. On the other hand, the open option provides a much less secure firewall, but allows almost all Internet applications to work.
Here is further details that i found regarding Nat Filtering: https://www.vpnranks.com/nat-filtering/
 
levicki
newbie
Posts: 30
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia
Contact:

Re: Firewall Filter Rule before NAT rule

Sat Jun 23, 2018 2:11 am

Sorry for necroing an old thread, but it might be useful to mention that it is possible to drop packets before dstnat by using Raw rules in prerouting chain.

An example:
/ip firewall raw
add action=drop chain=prerouting dst-port=3389 in-interface=your_wan_interface protocol=tcp src-address-list=\
    !TRUSTED_IP_ADDRESSES
The above rule will drop any connection attempts from IP addresses not in your TRUSTED_IP_ADDRESSES list so they won't even reach dstnat.
 
craigreilly
newbie
Posts: 46
Joined: Mon Jan 26, 2015 7:04 pm

Re: Firewall Filter Rule before NAT rule

Fri Jun 14, 2019 10:19 pm

How about this:

/ip firewall filter
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall Filter Rule before NAT rule

Sat Jun 15, 2019 10:32 am

What about it? Didn't check every detail, but by the looks of it it's a default filter rule...
 
bobbyeng
just joined
Posts: 1
Joined: Wed Mar 22, 2023 9:57 pm

Re: Firewall Filter Rule before NAT rule

Wed Mar 22, 2023 10:14 pm

Resurrecting and old thread but couldn't easily find this info anywhere else and wanted to add for others help in the future, this works as of v7.7 in 2023;

Using a RAW rule after adding to blocked list.

Similar issue, want to block brute force. Instead of blocking a single port, if an IP is a bad actor, we want to block the IP completely.

The add to src-address-list rules need to be on forward chain and using the TO port in the NAT rule. So if ext port 999 NAT TO internal 192.168.1.1 port 80, you want port 80 in the rule;
add chain=forward protocol=tcp dst-port=80 connection-state=new action=add-src-to-address-list \
address-list=block_stage1 address-list-timeout=1m comment="" disabled=no
This will add and advance the IP.

Now for blocking, the block rule works on FORWARD chain src-address-list=blocked_addresses.
add chain=forward src-address-list=blocked_addresses action=drop \
comment="drop blocked" disabled=no
But, that IP can still scan/brute ports on the router (port 8291, 22 if open, etc.) So you can add another block rule with chain=input.
We found that adding a RAW rule is much better, it stops any further processing or packets from blocked IPs.
/ip/firewall/raw
add chain=prerouting action=drop in-interface=ether1 src-address-list=blocked_addresses
Does anyone see a problem with doing it that way? Seems most efficient and safe way to block traffic.
Now, you can't specify a connection-state=new in raw rules so you can't build the block rules in raw table (otherwise it would hit on every packet to that port), so ideally you need 2 sets of rules to add FORWARD and INPUT to blocked_addresses;
add chain=input protocol=tcp dst-port=80 connection-state=new action=add-src-to-address-list \
address-list=block_stage1 address-list-timeout=1m comment="" disabled=no
Another idea would be to add multiple ports to capture "bad" scanners, such as ports 21,22,80,etc INPUT and add to blocked_addresses escalation lists.

Any problems with assumptions and rules above? Any more efficient way to do this?

Thanks and hope this helps someone.
Last edited by bobbyeng on Wed Mar 22, 2023 10:26 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Firewall Filter Rule before NAT rule

Fri Mar 24, 2023 1:47 pm

I will look at this sorry thread later but its clear that HAVING SAFELY SETUP SERVERS is a very important consideration for many many mikrotik users.

Thus Mikrotik MUST PROVIDE the Zerotrust Cloudflare tunnel in an options package for all users!!!

Who is online

Users browsing this forum: No registered users and 34 guests