Community discussions

MikroTik App
  4. RouterOS
  5. General

Iptables -> Mikrotik

Post Reply
 
n00del
just joined
Topic Author
Posts: 7
Joined: Fri Jan 13, 2012 11:34 am

Iptables -> Mikrotik

Thu Aug 02, 2012 10:52 am

Hi community,

can somebody help me with that long Iptables rules. I want to change from a susefirewall to a mikrotik system and
I dont know which rule is really need to configure on ROS.
Maybe there is anybody who can convert it?


Output with iptables-save:
Code: Select all
:PREROUTING ACCEPT [469831684:276028598930]
:INPUT ACCEPT [257078384:186737760182]
:FORWARD ACCEPT [209187562:88793219176]
:OUTPUT ACCEPT [301559521:270392267804]
:POSTROUTING ACCEPT [510064487:359153604449]
-A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 
-A PREROUTING -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08 
-A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08 
-A PREROUTING -p tcp -m tcp --sport 53 -j TOS --set-tos 0x10 
-A PREROUTING -p tcp -m tcp --dport 53 -j TOS --set-tos 0x10 
-A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos 0x10 
-A PREROUTING -p udp -m udp --dport 53 -j TOS --set-tos 0x10 
-A PREROUTING -p udp -m udp --sport 161 -j TOS --set-tos 0x04 
-A PREROUTING -p udp -m udp --dport 161 -j TOS --set-tos 0x04 
-A PREROUTING -p udp -m udp --sport 162 -j TOS --set-tos 0x04 
-A PREROUTING -p udp -m udp --dport 162 -j TOS --set-tos 0x04 
-A PREROUTING -p udp -m udp --sport 514 -j TOS --set-tos 0x04 
-A PREROUTING -p udp -m udp --dport 514 -j TOS --set-tos 0x04 
-A OUTPUT -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 
-A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 
-A OUTPUT -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08 
-A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08 
-A OUTPUT -p tcp -m tcp --sport 53 -j TOS --set-tos 0x10 
-A OUTPUT -p tcp -m tcp --dport 53 -j TOS --set-tos 0x10 
-A OUTPUT -p udp -m udp --sport 53 -j TOS --set-tos 0x10 
-A OUTPUT -p udp -m udp --dport 53 -j TOS --set-tos 0x10 
-A OUTPUT -p udp -m udp --sport 161 -j TOS --set-tos 0x04 
-A OUTPUT -p udp -m udp --dport 161 -j TOS --set-tos 0x04 
-A OUTPUT -p udp -m udp --sport 162 -j TOS --set-tos 0x04 
-A OUTPUT -p udp -m udp --dport 162 -j TOS --set-tos 0x04 
-A OUTPUT -p udp -m udp --sport 514 -j TOS --set-tos 0x04 
-A OUTPUT -p udp -m udp --dport 514 -j TOS --set-tos 0x04 
-A POSTROUTING -o eth2 -p tcp -m length --length 0:64 -j MARK --set-mark 0xa 
-A POSTROUTING -o eth2 -p tcp -m tos --tos Minimize-Delay -m tcp --dport 22 -j MARK --set-mark 0xa 
-A POSTROUTING -o eth2 -p tcp -m tos --tos Minimize-Delay -m tcp --sport 22 -j MARK --set-mark 0xa 
-A POSTROUTING -o eth2 -p udp -m udp --dport 53 -j MARK --set-mark 0xa 
-A POSTROUTING -o eth2 -p tcp -m tcp --dport 53 -j MARK --set-mark 0xa 
-A POSTROUTING -o eth2 -p esp -j MARK --set-mark 0xb 
COMMIT
# Completed on Thu Aug  2 09:27:37 2012
# Generated by iptables-save v1.2.11 on Thu Aug  2 09:27:37 2012
*filter
:INPUT DROP [7:336]
:FORWARD DROP [6:555]
:OUTPUT DROP [44:6484]
:forward_dmz - [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_dmz - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i eth2 -j input_ext 
-A INPUT -i eth1 -j input_int 
-A INPUT -i eth0 -j input_int 
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options 
-A INPUT -j DROP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -i eth2 -j forward_ext 
-A FORWARD -i eth1 -j forward_int 
-A FORWARD -i eth0 -j forward_int 
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options 
-A FORWARD -j DROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -p icmp -m limit --limit 3/min -m icmp --icmp-type 11 -j LOG --log-prefix "SFW2-OUT-TRACERT-ATTEMPT " --log-tcp-options --log-ip-options 
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3/3 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3/9 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3/10 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3/13 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j DROP 
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options 
-A forward_dmz -o eth2 -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT 
-A forward_dmz -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT-INV " --log-tcp-options --log-ip-options 
-A forward_dmz -m state --state INVALID -j DROP 
-A forward_dmz -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT 
-A forward_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A forward_dmz -s 192.168.6.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDdmz-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_dmz -s 192.168.6.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.5.0/255.255.255.0 -d 192.168.6.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.5.0/255.255.255.0 -d 192.168.6.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDdmz-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_dmz -s 192.168.5.0/255.255.255.0 -d 192.168.6.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.6.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.7.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDdmz-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_dmz -s 192.168.7.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.5.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.5.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDdmz-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_dmz -s 192.168.5.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.7.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.8.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDdmz-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_dmz -s 192.168.8.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.5.0/255.255.255.0 -d 192.168.8.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.5.0/255.255.255.0 -d 192.168.8.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDdmz-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_dmz -s 192.168.5.0/255.255.255.0 -d 192.168.8.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -s 192.168.8.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_dmz -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-FWDdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-FWDdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-FWDdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-FWDdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-FWDdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-FWDdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_dmz -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_dmz -j DROP 
-A forward_ext -p icmp -m state --state ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options 
-A forward_ext -m state --state INVALID -j DROP 
-A forward_ext -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT 
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A forward_ext -o eth2 -j ACCEPT 
-A forward_ext -s 192.168.6.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_ext -s 192.168.6.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.5.0/255.255.255.0 -d 192.168.6.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.5.0/255.255.255.0 -d 192.168.6.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_ext -s 192.168.5.0/255.255.255.0 -d 192.168.6.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.6.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.5.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.5.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_ext -s 192.168.5.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.8.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_ext -s 192.168.8.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.5.0/255.255.255.0 -d 192.168.8.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.5.0/255.255.255.0 -d 192.168.8.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_ext -s 192.168.5.0/255.255.255.0 -d 192.168.8.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -s 192.168.8.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-FWDext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-FWDext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-FWDext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-FWDext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-FWDext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-FWDext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_ext -j DROP 
-A forward_int -o eth2 -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT 
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options 
-A forward_int -m state --state INVALID -j DROP 
-A forward_int -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT 
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A forward_int -o eth1 -j ACCEPT 
-A forward_int -o eth0 -j ACCEPT 
-A forward_int -s 192.168.6.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_int -s 192.168.6.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.5.0/255.255.255.0 -d 192.168.6.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.5.0/255.255.255.0 -d 192.168.6.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_int -s 192.168.5.0/255.255.255.0 -d 192.168.6.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.6.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.5.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.5.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_int -s 192.168.5.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.8.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_int -s 192.168.8.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.5.0/255.255.255.0 -d 192.168.8.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.5.0/255.255.255.0 -d 192.168.8.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options 
-A forward_int -s 192.168.5.0/255.255.255.0 -d 192.168.8.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -s 192.168.8.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-FWDint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-FWDint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-FWDint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-FWDint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-FWDint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-FWDint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_int -j DROP 
-A input_dmz -m pkttype --pkt-type broadcast -j DROP 
-A input_dmz -p icmp -m icmp --icmp-type 4 -j ACCEPT 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT 
-A input_dmz -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT-INV " --log-tcp-options --log-ip-options 
-A input_dmz -m state --state INVALID -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m limit --limit 3/min -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_dmz -j DROP 
-A input_ext -m pkttype --pkt-type broadcast -j DROP 
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT 
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options 
-A input_ext -m state --state INVALID -j DROP 
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p udp -m udp --dport 514 -j ACCEPT 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m limit --limit 3/min -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_ext -j DROP 
-A input_int -m pkttype --pkt-type broadcast -j DROP 
-A input_int -p icmp -m icmp --icmp-type 4 -j ACCEPT 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT 
-A input_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options 
-A input_int -m state --state INVALID -j DROP 
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_int -p tcp -m tcp --dport 22 -j ACCEPT 
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_int -p tcp -m tcp --dport 53 -j ACCEPT 
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_int -p tcp -m tcp --dport 80 -j ACCEPT 
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 617 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_int -p tcp -m tcp --dport 617 -j ACCEPT 
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 1024:1030 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_int -p tcp -m tcp --dport 1024:1030 -j ACCEPT 
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_int -p tcp -m tcp --dport 3128 -j ACCEPT 
-A input_int -p udp -m udp --dport 22 -j ACCEPT 
-A input_int -p udp -m udp --dport 53 -j ACCEPT 
-A input_int -p udp -m udp --dport 80 -j ACCEPT 
-A input_int -p udp -m udp --dport 514 -j ACCEPT 
-A input_int -p udp -m udp --dport 617 -j ACCEPT 
-A input_int -p udp -m udp --dport 3128 -j ACCEPT 
-A input_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m limit --limit 3/min -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options 
-A input_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_int -j DROP 
-A reject_func -p tcp -j REJECT --reject-with tcp-reset 
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable 
-A reject_func -j REJECT --reject-with icmp-proto-unreachable 
COMMIT
# Completed on Thu Aug  2 09:27:37 2012
# Generated by iptables-save v1.2.11 on Thu Aug  2 09:27:37 2012
*nat
:PREROUTING ACCEPT [19736342:2327129806]
:POSTROUTING ACCEPT [78481:19576324]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d ! 10.10.1.32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
-A POSTROUTING -o eth2 -j MASQUERADE 
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Thu Aug  2 09:27:37 2012
Top
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7198
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:
Contact mrz

Re: Iptables -> Mikrotik

Thu Aug 02, 2012 11:32 am

Go through the available parameters in RouterOS firewall and convert rules one by one:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall

For example:
*nat
:PREROUTING ACCEPT [19736342:2327129806]
:POSTROUTING ACCEPT [78481:19576324]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d ! 10.10.1.32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth2 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE

In ROS will be:
Code: Select all
/ip firewall nat
add chain=dstnat dst-address=!10.10.1.32 protocol=tcp dst-port=80 action=redirect to-ports=3128
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether1 action=masquerade
Top
 
n00del
just joined
Topic Author
Posts: 7
Joined: Fri Jan 13, 2012 11:34 am

Re: Iptables -> Mikrotik

Thu Aug 02, 2012 1:13 pm

Okay thanks for your reply, but the other parts are very confused.
I dont know, how this will be configured or what the susefirewall means with:
Code: Select all
Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp time-exceeded LOG level warning tcp-options ip-options prefix `SFW2-OUT-TRACERT-ATTEMPT ' 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp port-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed 
ACCEPT     icmp --  anywhere             anywhere            icmp network-prohibited 
ACCEPT     icmp --  anywhere             anywhere            icmp host-prohibited 
ACCEPT     icmp --  anywhere             anywhere            icmp communication-prohibited 
DROP       icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED 
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Top
 
djdrastic
Member
Member
Posts: 368
Joined: Wed Aug 01, 2012 2:14 pm

Re: Iptables -> Mikrotik

Sat Aug 04, 2012 3:27 pm

Can you do a iptables -L -v -n --line-numbers ?

I'm no iptables expert but judging from those rules


Line Number 1 accepts all traffic from the host outbound originating from it
Line Number 2 seems to be logging traceroute attempts from the host
Line Numbers 3-8 seems to accept various icmp messages originating from the host
Line Number 9 seems to deny icmp destination unreachable messages coming from the host
Line 10 accepts all traffic in the connection tracking state of the machine being NEW,RELATED,ESTABLISHED
Line 11 seems to be logging all traffic in warning level to syslog

The top OUTPUT rule will pretty much catch anything at the moment I would bet,rendering the ones below it pretty useless.
Top
Post Reply
  4. RouterOS
  5. General