Community discussions

MikroTik App
  4. RouterOS
  5. General

simplest home firewall

Post Reply
 
pgh321
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 58
Joined: Fri Jan 03, 2014 7:35 pm

simplest home firewall

Sun Feb 09, 2014 10:51 am

I moved from post below from beginner basics to here since it got no replies there
Obviously I deleted original post to not have duplicates :-) Thank you for your help


Hi, I will install in a few days a new rb2011 as a home router, and I looked into its setup.
Most stuff should be already ok in the default settings, but I've read default setup doesn't have rules on the forward chain, so I've looked a bit into firewalling

I'd like to have a simple firewall (the less I write, the less I write wrong stuff) and found one here on the forums, and I modified it a bit.
Since the rules were duplicated I jumped from input and forward to one chain only (am I wrong doing this?), I removed icmp from WAN, and I set bridge-local as interface name.
Specifying in-interface, I don't need to write LAN ip addresses, correct?

ros code

#Router and internal network protection, no internal servers, LAN is friendly
#http://forum.mikrotik.com/viewtopic.php?f=13&t=76314
#modified jumping to mainrules chain, not allowing icmp, bridge-local as in-interface

/ip firewall filter

add chain=input action=jump jump-target=mainrules
add chain=forward action=jump jump-target=mainrules

add chain=mainrules action=drop connection-state=invalid comment="Block invalid connections" 
add chain=mainrules action=accept connection-state=new in-interface=bridge-local comment="Allow access to router and Internet only from LAN"
add chain=mainrules action=accept connection-state=established comment="Allow established connections"
add chain=mainrules action=accept connection-state=related comment="Allow related connections"
add chain=mainrules action=drop comment="drop everything else"
Then, I'll have some ip cams...
May I just use, separately from the above firewall, something like the basic example of the wiki, obviously changing ip and ports?

ros code

/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234
Then, I'll have to setup many other things, but that will be a separate post :-)
Top
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: simplest home firewall

Sun Feb 09, 2014 3:33 pm

I moved from post below from beginner basics to here since it got no replies there
Obviously I deleted original post to not have duplicates :-) Thank you for your help


Hi, I will install in a few days a new rb2011 as a home router, and I looked into its setup.
Most stuff should be already ok in the default settings, but I've read default setup doesn't have rules on the forward chain, so I've looked a bit into firewalling

I'd like to have a simple firewall (the less I write, the less I write wrong stuff) and found one here on the forums, and I modified it a bit.
Since the rules were duplicated I jumped from input and forward to one chain only (am I wrong doing this?), I removed icmp from WAN, and I set bridge-local as interface name.
Specifying in-interface, I don't need to write LAN ip addresses, correct?

ros code

#Router and internal network protection, no internal servers, LAN is friendly
#http://forum.mikrotik.com/viewtopic.php?f=13&t=76314
#modified jumping to mainrules chain, not allowing icmp, bridge-local as in-interface

/ip firewall filter

add chain=input action=jump jump-target=mainrules
add chain=forward action=jump jump-target=mainrules

add chain=mainrules action=drop connection-state=invalid comment="Block invalid connections" 
add chain=mainrules action=accept connection-state=new in-interface=bridge-local comment="Allow access to router and Internet only from LAN"
add chain=mainrules action=accept connection-state=established comment="Allow established connections"
add chain=mainrules action=accept connection-state=related comment="Allow related connections"
add chain=mainrules action=drop comment="drop everything else"
Then, I'll have some ip cams...
May I just use, separately from the above firewall, something like the basic example of the wiki, obviously changing ip and ports?

ros code

/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234
Then, I'll have to setup many other things, but that will be a separate post :-)
Personally I would leave the chains separate. And yes you can use that DST-NAT... but you also need to allow it on your forward chain if you use a default drop.

If that wasn't your question then clarify it a bit...
Top
 
pgh321
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 58
Joined: Fri Jan 03, 2014 7:35 pm

Re: simplest home firewall

Sun Feb 09, 2014 4:26 pm

but you also need to allow it on your forward chain if you use a default drop
Sorry, I don't understand...
I thought that inserting NAT rule would automatically open port in firewall...
If I use dst-nat for port 1234, should I manually open that port in firewall?
Can you provide me an example?

Sorry for dumb questions, but I'll have little time to test my setup in the real world, so I need to "be prepared" :-)

EDIT: as seen on http://forum.mikrotik.com/viewtopic.php?f=13&t=74024
you should also create allow rules before the drop rule for the system that needs to be access from the outside.
Keep in mind that dst-nat will occur before filter, so your filter should contain the dst-nat rule to-address IP.
...
chain=forward action=accept protocol=tcp dst-address=192.168.1.3 dst-port=22 in-interface=<your incoming>
So:

ros code

# Router and internal network protection, no internal servers, LAN is friendly
# forum.mikrotik.com/viewtopic.php?f=13&t=76314
# modified not allowing icmp, bridge-local as in-interface, added logging

# forum.mikrotik.com/viewtopic.php?f=13&t=74024
# dst-nat will occur before filter, so filter should contain the dst-nat rule to-address IP

/ip firewall filter

add chain=input action=drop connection-state=invalid comment="Block invalid connections" 
add chain=input action=accept connection-state=new in-interface=bridge-local comment="Allow access to router and Internet only from LAN"
add chain=input action=accept connection-state=established comment="Allow established connections"
add chain=input action=accept connection-state=related comment="Allow related connections"
add chain=input action=log log-prefix="FW INPUT DROP: " disabled=yes comment="Log everything else" 
add chain=input action=drop comment="Drop everything else"

add chain=forward action=drop connection-state=invalid comment="Block invalid connections" 
add chain=forward action=accept connection-state=new in-interface=bridge-local comment="Allow access to router and Internet only from LAN"
add chain=forward action=accept connection-state=established comment="Allow established connections"
add chain=forward action=accept connection-state=related comment="Allow related connections"
add chain=forward action=accept protocol=tcp dst-address=ADDRESS_TO_DSTNAT dst-port=PORT_TO_DSTNAT in-interface=ether1-gateway comment="Allow NAT"
add chain=input action=log log-prefix="FW FORWARD DROP: " disabled=yes comment="Log everything else" 
add chain=forward action=drop comment="Drop everything else"

# dstnat for cameras
/ip firewall nat add chain=dstnat dst-port=PORT_ON_WAN action=dst-nat protocol=tcp to-address=IP_ON_LAN to-port=PORT_ON_LAN
Top
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: simplest home firewall

Sun Feb 09, 2014 6:29 pm

but you also need to allow it on your forward chain if you use a default drop
Sorry, I don't understand...
I thought that inserting NAT rule would automatically open port in firewall...
If I use dst-nat for port 1234, should I manually open that port in firewall?
Can you provide me an example?

Sorry for dumb questions, but I'll have little time to test my setup in the real world, so I need to "be prepared" :-)

EDIT: as seen on http://forum.mikrotik.com/viewtopic.php?f=13&t=74024
you should also create allow rules before the drop rule for the system that needs to be access from the outside.
Keep in mind that dst-nat will occur before filter, so your filter should contain the dst-nat rule to-address IP.
...
chain=forward action=accept protocol=tcp dst-address=192.168.1.3 dst-port=22 in-interface=<your incoming>
So:

ros code

# Router and internal network protection, no internal servers, LAN is friendly
# forum.mikrotik.com/viewtopic.php?f=13&t=76314
# modified not allowing icmp, bridge-local as in-interface, added logging

# forum.mikrotik.com/viewtopic.php?f=13&t=74024
# dst-nat will occur before filter, so filter should contain the dst-nat rule to-address IP

/ip firewall filter

add chain=input action=drop connection-state=invalid comment="Block invalid connections" 
add chain=input action=accept connection-state=new in-interface=bridge-local comment="Allow access to router and Internet only from LAN"
add chain=input action=accept connection-state=established comment="Allow established connections"
add chain=input action=accept connection-state=related comment="Allow related connections"
add chain=input action=log log-prefix="FW INPUT DROP: " disabled=yes comment="Log everything else" 
add chain=input action=drop comment="Drop everything else"

add chain=forward action=drop connection-state=invalid comment="Block invalid connections" 
add chain=forward action=accept connection-state=new in-interface=bridge-local comment="Allow access to router and Internet only from LAN"
add chain=forward action=accept connection-state=established comment="Allow established connections"
add chain=forward action=accept connection-state=related comment="Allow related connections"
add chain=forward action=accept protocol=tcp dst-address=ADDRESS_TO_DSTNAT dst-port=PORT_TO_DSTNAT in-interface=ether1-gateway comment="Allow NAT"
add chain=input action=log log-prefix="FW FORWARD DROP: " disabled=yes comment="Log everything else" 
add chain=forward action=drop comment="Drop everything else"

# dstnat for cameras
/ip firewall nat add chain=dstnat dst-port=PORT_ON_WAN action=dst-nat protocol=tcp to-address=IP_ON_LAN to-port=PORT_ON_LAN

Seems about right.
Top
 
pgh321
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 58
Joined: Fri Jan 03, 2014 7:35 pm

Re: simplest home firewall

Sun Feb 09, 2014 6:39 pm

Ok, so with these rules I'm just blocking everything incoming, directed to router or to LAN machines, except for the camera exceptions I'll add... Shortly speaking, are these rules enough to protect my own network or should I look elsewhere?
Top
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: simplest home firewall

Sun Feb 09, 2014 7:35 pm

Ok, so with these rules I'm just blocking everything incoming, directed to router or to LAN machines, except for the camera exceptions I'll add... Shortly speaking, are these rules enough to protect my own network or should I look elsewhere?
It's all relative. Thats about what I use for my house... but there is no such thing as secure... its just "secure enough".
Top
Post Reply
  4. RouterOS
  5. General