minist@r
just joined
Topic Author
Posts: 9
Joined: Thu Aug 25, 2005 10:08 am
Location: Serbia

Help for Firewall

Sun Mar 12, 2006 8:30 pm

Hi All
Sorry for my bad English.

I have problems with the firewall. I have 2 connections, 1 public and 1 private. I enabled masquerade on the public interface, and I enabled the HTTP proxy. I want to allow only these ports to go out and go in: TCP 21, 23, 25, 53, 80, 110, 443, 1863, 3389, 5190. I configured it this way:

/ ip firewall nat
add chain=srcnat action=src-nat to-addresses=87.116.*.* to-ports=0-65535 \
comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080 \
comment="" disabled=no
add chain=dstnat in-interface=SBB protocol=tcp dst-port=3000 action=netmap \
to-addresses=192.168.0.1 to-ports=3000 comment="" disabled=no
add chain=dstnat in-interface=SBB protocol=tcp dst-port=3389 action=netmap \
to-addresses=192.168.0.1 to-ports=3389 comment="" disabled=no
add chain=dstnat in-interface=SBB protocol=tcp dst-port=21 action=netmap \
to-addresses=192.168.0.1 to-ports=21 comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m \
tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Firewall za \
ruter" disabled=no
add chain=input connection-state=established action=accept comment="Allow \
Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input src-address=192.168.0.0/24 action=accept comment="Allow access \
to router from known network" disabled=no
add chain=input protocol=tcp dst-port=8291 action=accept comment="" \
disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp dst-port=21 action=accept comment="Firewall" \
disabled=no
add chain=forward protocol=tcp dst-port=23 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=25 action=passthrough comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=53 action=accept comment="" \
disabled=no
add chain=forward protocol=udp dst-port=53 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=80 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=110 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=443 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=1863 action=passthrough comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=3375 action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=3389 action=passthrough comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=5190 action=accept comment="" \
disabled=no
add chain=forward dst-address=192.168.0.1 p2p=all-p2p action=accept comment="" \
disabled=no
add chain=forward p2p=all-p2p action=drop comment="P2p Saobracaj" disabled=yes
add chain=forward in-interface=SBB protocol=tcp action=drop comment="" \
disabled=yes

When I enable the last rule, all traffic stops. What is the problem?
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Sun Mar 12, 2006 9:25 pm

I would suggest a closer look at the demo system at MikroTik: http://demo.mt.lv/ There are some firewall rules there.
 
minist@r
just joined
Topic Author
Posts: 9
Joined: Thu Aug 25, 2005 10:08 am
Location: Serbia

Sun Mar 12, 2006 10:42 pm

The demo system doesn't work. Any other ideas?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sun Mar 12, 2006 11:31 pm

Use demo2.mt.lv
 
jager
Trainer
Posts: 296
Joined: Mon Oct 31, 2005 2:44 am
Location: Sierra Leone

Mon Mar 13, 2006 1:32 am

Well .... if you enable your last rule:
add chain=forward in-interface=SBB protocol=tcp action=drop comment="" \
disabled=yes 
In that case all TCP traffic to and from your cable provider will be dropped. That means no traffic. You are cutting down the tree you are sitting on :)

Damn it ... ;)
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Mon Mar 13, 2006 9:45 am

But that is not the problem, and it is correct for a default-deny strategy.
The problem here is that only one way is configured so far, e.g. client connections and server answers are missing. (Quite basic IP knowledge, though ;-)
 
minist@r
just joined
Topic Author
Posts: 9
Joined: Thu Aug 25, 2005 10:08 am
Location: Serbia

Mon Mar 13, 2006 10:41 am

OK. I see that. I enabled it only for the time when I exported the list. But I still don't know how to permit only the ports that I selected. Jager, I did this because I thought it works the way I knew, top to bottom in rule execution. You know, like "this is allowed but that is not".
 
minist@r
just joined
Topic Author
Posts: 9
Joined: Thu Aug 25, 2005 10:08 am
Location: Serbia

Thu Mar 16, 2006 10:27 pm

Again a problem. See my config in the attached picture. When I enable the jump to firewall, everything stops. What is wrong?

http://img367.imageshack.us/my.php?imag ... all8tr.jpg
 
jager
Trainer
Posts: 296
Joined: Mon Oct 31, 2005 2:44 am
Location: Sierra Leone

Fri Mar 17, 2006 1:37 am

Jager, I did this ... because I thought it works the way I knew, top to bottom in rule execution. You know, like "this is allowed but that is not".
I understand :) I've screwed this up the same way myself :)

OK, moving back to English, for others to understand too ....
I understand that it is easy to track, and the list looks nice if it is sorted by ports.... but! :)
All you have to do is move ALL the accept rules to the top. They must be right one after another. Only after that can your drop rules come.
Somebody correct me if I'm wrong.
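The ordering jager describes, combined with the missing return-traffic rules mag points out, written out as a corrected forward chain for the port list in the first post. This is an added example, not configuration from the thread or from MikroTik; it keeps the poster's interface name SBB and server address 192.168.0.1, assumes 192.168.0.0/24 is the LAN side, and uses one connection-state value per rule as in the 2.9-era export above.

```routeros
/ ip firewall filter
# Rules are evaluated top to bottom, first match wins, so the state rules
# come first: replies from the SBB side carry an ephemeral dst-port and would
# never match the per-port accept rules below.
add chain=forward connection-state=established action=accept \
    comment="Allow established"
add chain=forward connection-state=related action=accept \
    comment="Allow related (FTP data and similar)"
add chain=forward connection-state=invalid action=drop \
    comment="Drop invalid"
# New connections from the LAN (assumed 192.168.0.0/24) towards the Internet,
# one rule per port. action=accept throughout: passthrough only counts the
# packet and lets it fall through to the final drop.
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=21 action=accept
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=23 action=accept
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=25 action=accept
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=53 action=accept
add chain=forward src-address=192.168.0.0/24 protocol=udp dst-port=53 action=accept
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=80 action=accept
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=110 action=accept
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=443 action=accept
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=1863 action=accept
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=3389 action=accept
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=5190 action=accept
# Inbound new connections only to what the dst-nat rules publish on 192.168.0.1.
add chain=forward in-interface=SBB protocol=tcp dst-address=192.168.0.1 \
    dst-port=21 action=accept
add chain=forward in-interface=SBB protocol=tcp dst-address=192.168.0.1 \
    dst-port=3000 action=accept
add chain=forward in-interface=SBB protocol=tcp dst-address=192.168.0.1 \
    dst-port=3389 action=accept
# Default deny, last. Unlike the original "in-interface=SBB protocol=tcp"
# drop, this one also stops LAN clients opening ports not listed above.
add chain=forward action=drop comment="Drop everything else"
```

With the state rules on top, the final drop can stay enabled: an outbound SYN to port 80 is accepted by its port rule, and the reply from SBB is accepted as established before it ever reaches the drop.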
 
sarenos
newbie
Posts: 42
Joined: Fri Feb 11, 2005 7:36 pm

demo.mt.lv

Mon Apr 10, 2006 11:47 pm

Could you tell me the login and pass for accessing the demo.mt.lv and demo2.mt.lv?

regards
 
sergejs
MikroTik Support
Posts: 6621
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Apr 11, 2006 8:21 am

Login: demo, without a password,
for demo2.
