srcnat, masquerade & VPN

pablo · Fri Apr 30, 2010 3:56 am

I have something of a silly question but I just can't figure out what's going on... this is my first time configuring a router/firewall instead of using an off the shelf SOHO router/firewall. I've always had to change some settings to allow VPN Passthrough but with RouterOS and a srcnat masquerade rule on the WAN IP everything is working fine. I have a fairly complete set of firewall rules including dropping PPTP/IPSEC packets on the WAN side.

I'm happy it's working but I'm concerned that I screwed something up. This is my NAT config:

add action=masquerade chain=srcnat comment="Basic NAT" disabled=no out-interface=ether1_wan

And here are my firewall rules. They're a combination of all of the configs I've found as well as some of my own changes... Feedback on those would also be welcome but I guess that's another post.

(I have WAN, LAN and WIFI Interfaces and limit traffic between WIFI and LAN. I haven't decided which outbound services to block so that's kinda open now.)

/ip firewall filter
add action=add-src-to-address-list address-list=knock address-list-timeout=15s chain=input comment="port knocking" disabled=yes dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=15m chain=input comment="port knocking" disabled=yes dst-port=7331 protocol=tcp src-address-list=knock
add action=accept chain=input comment="accept established connection packets" connection-state=established disabled=no
add action=accept chain=input comment="accept related connection packets" connection-state=related disabled=no
add action=jump chain=input comment="drop invalid packets" connection-state=invalid disabled=no jump-target=drop_invalid_input
add action=jump chain=input comment="jump to the *drop* virus chain" disabled=no jump-target=virus
add action=accept chain=input comment="Allow access to router from known network. On Wired-LAN." disabled=no in-interface=ether5_lan2 src-address-list=safe
add action=jump chain=input comment="detect and drop port scan connections" disabled=no jump-target=drop_portscan_input protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 disabled=no protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 disabled=no protocol=tcp
add action=jump chain=input comment="jump to *allowed* ICMP chain. No return." disabled=no jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to *allowed* chain for external services" disabled=no in-interface=ether1_wan jump-target=services
add action=jump chain=input comment="" disabled=no in-interface=ether3_wifi jump-target=wireless_services
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=no dst-address-type=broadcast
add action=log chain=input comment="log dropped input" disabled=no log-prefix="input drop:"
add action=drop chain=input comment="drop everything else" disabled=no
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=yes icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=yes icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=yes icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=yes icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=yes icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=log chain=ICMP comment="log icmp drop" disabled=no log-prefix="icmp drop:"
add action=drop chain=ICMP comment="Drop everything else" disabled=no protocol=icmp
add action=accept chain=services comment="accept localhost" disabled=no dst-address=127.0.0.1 src-address-list=127.0.0.1
add action=accept chain=services comment="allow MACwinbox " disabled=yes dst-port=20561 protocol=udp
add action=accept chain=services comment="Bandwidth server" disabled=yes dst-port=2000 protocol=tcp
add action=accept chain=services comment=" MT Discovery Protocol" disabled=yes dst-port=5678 protocol=udp
add action=accept chain=services comment="allow SNMP" disabled=yes dst-port=161 protocol=tcp
add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add action=accept chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 protocol=udp
add action=accept chain=services comment="Allow NTP" disabled=yes dst-port=123 protocol=udp
add action=accept chain=services comment="Allow PPTP" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=yes protocol=gre
add action=accept chain=services comment="allow DNS request" disabled=yes dst-port=53 protocol=tcp
add action=accept chain=services comment="Allow DNS request" disabled=yes dst-port=53 protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=yes dst-port=67-68 protocol=udp
add action=accept chain=services comment="allow Web Proxy" disabled=yes dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add action=accept chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" disabled=yes dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-ah
add action=accept chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=yes protocol=ospf
add action=return chain=services comment=return disabled=no
add action=accept chain=wireless_services comment="Allow iPhone DNS Requests" disabled=no dst-port=53 protocol=udp src-address-list=iPhone
add action=return chain=wireless_services comment="return from wireless_services" disabled=no
add action=jump chain=forward comment="Sanity Check Forward" disabled=no jump-target=sanity-check
add action=jump chain=forward comment="jump to the *drop* virus chain" disabled=no jump-target=virus
add action=jump chain=forward comment="jump to *drop* invalid local wireless. will not return." disabled=no in-interface=ether3_wifi jump-target=wireless_lan_access out-interface=!ether1_wan
add action=jump chain=forward comment="jump to *allowed* outbound services chain" disabled=no jump-target=outbound-services
add action=log chain=forward comment="drop all other forward" disabled=no log-prefix="forward drop:"
add action=drop chain=forward comment="" disabled=no
add action=jump chain=sanity-check comment="Deny illegal NAT traversal" disabled=no jump-target=drop_sanity packet-mark=nat-traversal
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block port scans" disabled=no protocol=tcp psd=20,3s,3,1
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block TCP Null scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block TCP Xmas scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=sanity-check comment="" disabled=no jump-target=drop_sanity protocol=tcp src-address-list=blocked-addr
add action=jump chain=sanity-check comment="Drop TCP RST" disabled=no jump-target=drop_sanity protocol=tcp tcp-flags=rst
add action=jump chain=sanity-check comment="Drop TCP SYN+FIN" disabled=no jump-target=drop_sanity protocol=tcp tcp-flags=fin,syn
add action=accept chain=sanity-check comment="Accepting already established connections" connection-state=established disabled=no
add action=accept chain=sanity-check comment="Also accepting related connections" connection-state=related disabled=no
add action=jump chain=sanity-check comment="Dropping invalid connections at once" connection-state=invalid disabled=no jump-target=drop_sanity
add action=jump chain=sanity-check comment="Drop all traffic that goes to multicast or broadcast addresses" disabled=no dst-address-type=broadcast,multicast jump-target=drop_sanity
add action=jump chain=sanity-check comment="Drop all traffic that comes from multicast or broadcast addresses" disabled=no jump-target=drop_sanity src-address-type=broadcast,multicast
add action=jump chain=sanity-check comment="Drop illegal destination addresses" disabled=no dst-address-list=illegal-addr dst-address-type=!local in-interface=ether5_lan2 jump-target=drop_sanity
add action=jump chain=sanity-check comment="Drop everything that goes from local interface but not from local address" disabled=no in-interface=ether5_lan2 jump-target=drop_sanity src-address-list=!local_addr
add action=jump chain=sanity-check comment="Drop illegal destination addresses" disabled=no dst-address-list=illegal-addr dst-address-type=!local in-interface=ether3_wifi jump-target=drop_sanity
add action=jump chain=sanity-check comment="Drop everything that goes from local interface but not from local address" disabled=no in-interface=ether3_wifi jump-target=drop_sanity src-address-list=!local_addr
add action=jump chain=sanity-check comment="Drop illegal source addresses" disabled=no in-interface=ether1_wan jump-target=drop_sanity src-address-list=illegal-addr
add action=jump chain=sanity-check comment="Drop everything that goes from public interface but not to local address" disabled=no dst-address-list=!local_addr in-interface=ether1_wan jump-target=drop_sanity
add action=jump chain=sanity-check comment="Drop all traffic that comes from multicast or broadcast addresses" disabled=no jump-target=drop_sanity src-address-type=broadcast,multicast
add action=return chain=sanity-check comment="" disabled=no
add action=jump chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 jump-target=drop_virus protocol=udp
add action=jump chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 jump-target=drop_virus protocol=udp
add action=jump chain=virus comment="mblast worm" disabled=no dst-port=593 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment=________ disabled=no dst-port=1024-1030 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop MyDoom" disabled=no dst-address-list=!safe_port1080 dst-port=1080 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment=________ disabled=no dst-port=1214 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="ndm requester" disabled=no dst-port=1363 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="ndm server" disabled=no dst-port=1364 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="screen cast" disabled=no dst-port=1368 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment=hromgrafx disabled=no dst-port=1373 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment=cichlid disabled=no dst-port=1377 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment=Worm disabled=no dst-port=1433-1434 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Bagle Virus" disabled=no dst-port=2745 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop Beagle" disabled=no dst-port=2535 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop MyDoom" disabled=no dst-port=3127-3128 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="mblast worm" disabled=no dst-port=4444 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment=Worm disabled=no dst-port=4444 jump-target=drop_virus protocol=udp
add action=jump chain=virus comment="Drop Sasser" disabled=no dst-port=5554 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop NetBus" disabled=no dst-port=12345 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="witty worm" disabled=no dst-port=4000 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="SoBig.f worm" disabled=no dst-address-list=!safe_pop_servers dst-port=995-999 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="SoBig.f worm" disabled=no dst-port=8998 jump-target=drop_virus protocol=tcp
add action=jump chain=virus comment="beagle worm" disabled=no dst-port=4751 jump-target=drop_virus protocol=tcp
add action=return chain=virus comment="return from virus chain" disabled=no
add action=accept chain=outbound-services comment="Allow HTTP" disabled=no dst-port=80 protocol=tcp
add action=accept chain=outbound-services comment="Allow SMTP" disabled=no dst-port=25 protocol=tcp
add action=accept chain=outbound-services comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=outbound-services comment="allow ping" disabled=no protocol=icmp
add action=accept chain=outbound-services comment="allow udp" disabled=no protocol=udp
add action=return chain=outbound-services comment="return from allow outbound services chain" disabled=no
add action=accept chain=wireless_lan_access comment="allow rsyslog" disabled=no dst-address-list=internal_services dst-port=514 protocol=udp
add action=accept chain=wireless_lan_access comment="allow communication to soundbridge" disabled=no dst-address-list=soundbridge dst-port=4444 protocol=tcp src-address-list=iPhone
add action=accept chain=wireless_lan_access comment="allow communication to roku soundbridge" disabled=no dst-address-list=soundbridge dst-port=5555 protocol=tcp src-address-list=iPhone
add action=log chain=wireless_lan_access comment="" disabled=no log-prefix="wireless drop:"
add action=drop chain=wireless_lan_access comment="return from wireless" disabled=no
add action=log chain=drop_invalid_input comment="invalid input drop:" disabled=no log-prefix="Invalid Input:"
add action=drop chain=drop_invalid_input comment="" disabled=no
add action=log chain=drop_portscan_input comment="" disabled=no log-prefix="input port scan drop:"
add action=drop chain=drop_portscan_input comment="" disabled=no
add action=log chain=drop_virus comment="" disabled=no log-prefix="virus drop:"
add action=drop chain=drop_virus comment="" disabled=no
add action=log chain=drop_sanity comment="" disabled=no log-prefix="forward sanity drop:"
add action=drop chain=drop_sanity comment="" disabled=no