abgar
just joined
Topic Author
Posts: 16
Joined: Tue Mar 30, 2010 12:29 am

IP/Services/Winbox/Available from - how it is done ?

Sun Jun 28, 2015 11:07 pm

Hello
In fact my knowledge of Linux itself is limited :D
I am curious: how is it really done: limiting access by IP address to MikroTik router services?
I suspect that the proper entries are made in IPtables (in fact the firewall).
Am I right ?
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: IP/Services/Winbox/Available from - how it is done ?

Sun Jun 28, 2015 11:13 pm

If you want to limit access to only whitelist certain IPs or subnets, it's best to do them in "/ip service", via the "address" property.

In any other scenario (e.g. if you want to limit by input interface OR if you want to blacklist, rather than whitelist), you need to use "/ip firewall filter", which yes, works similarly to Linux's IPtables.
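The two approaches the reply contrasts, written out as an added RouterOS CLI example (not from the original post or from MikroTik's documentation). The addresses, the interface name ether1 and the address-list name mgmt are assumed placeholders.

```routeros
# --- Whitelist case: restrict Winbox via /ip service ---------------------
# "address" accepts a comma-separated list of hosts/subnets; anything not
# listed is refused by the service itself, before the firewall is involved.
/ip service set winbox address=192.168.88.0/24,10.0.0.5/32
# Unused management services are better disabled than merely restricted.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service print

# --- Firewall case: needed when filtering by input interface or blacklist --
# Management sources live in an address list so the rules stay short.
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="LAN admins"
/ip firewall address-list add list=mgmt address=10.0.0.5/32 comment="jump host"

# Accept Winbox (TCP 8291) only from the list, then drop everything else
# arriving on the WAN-facing interface. Order matters: accept before drop.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
    src-address-list=mgmt action=accept comment="winbox from mgmt"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
    in-interface=ether1 action=drop comment="no winbox from WAN"

# Blacklist variant (not expressible in /ip service): drop one offender.
/ip firewall filter add chain=input src-address=203.0.113.7 action=drop \
    comment="constructed example address, RFC 5737 range"
/ip firewall filter print
```

Both mechanisms can be combined: the service whitelist limits who the Winbox daemon will talk to at all, while the input-chain rules add the interface- and list-based policy the service setting cannot express.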
 
abgar
just joined
Topic Author
Posts: 16
Joined: Tue Mar 30, 2010 12:29 am

Re: IP/Services/Winbox/Available from - how it is done ?

Sun Jun 28, 2015 11:32 pm

Thanks, but how does IP/Services/Available physically work? Through IPtables or another way?

And a second question arises from your answer: which method is safer (limiting service availability or setting filters on the firewall), and why?
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: IP/Services/Winbox/Available from - how it is done ?

Mon Jun 29, 2015 12:00 am

RouterOS is a closed source piece of software, so no one (other than the developers) can know for sure, but I'm guessing...

Other than the Linux kernel, almost everything is used as a library (in the "included C code" sense), and not as a "custom UI on top". Therefore, unless the Linux program in question can be used as a library, it's unfair to say that anything is being done "through" said Linux program. One example where a project is indeed used by RouterOS in the library sense is OpenSSL, for all crypto related stuff supported by RouterOS.

AFAIK, the Linux kernel contains network filtering functionality, but it's up to programs to leverage it in order to make it useful. IPtables is merely the simplest, and therefore the most popular way to configure the kernel in most Linux distributions. RouterOS has its own implementation, which happens to be very close to IPtables in the functionality it allows the user to do.

So strictly speaking, both filters work through the Linux kernel, but are configured by two separate RouterOS subprograms (the firewall and the service manager).

As for which one is safer... They're equally safe for the "IP whitelist" scenario, but like I said, other scenarios require the use of the firewall. Those other features, if used correctly, are likely to ultimately make your router more secure, so with those in the mix, the firewall is not only the better, but in fact the only way.
 
abgar
just joined
Topic Author
Posts: 16
Joined: Tue Mar 30, 2010 12:29 am

Re: IP/Services/Winbox/Available from - how it is done ?

Mon Jun 29, 2015 2:33 am

RouterOS is a closed source piece of software, so no one (other than the developers) can know for sure, but I'm guessing...
So, I am not going to offend you in any way, but: you do not know, you are guessing?
 
docmarius
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: IP/Services/Winbox/Available from - how it is done ?

Mon Jun 29, 2015 8:29 am

Iptables is just a frontend for manipulating the kernel tables. So yes, we are guessing, but it would be very strange to use a command line frontend as an additional layer, if it can be done e.g. via ioctl and netlink sockets directly by the configuration tools.
Again, just guessing, who knows :lol:
Anyway, there's no access to a system console, so it isn't really relevant.
 
abgar
just joined
Topic Author
Posts: 16
Joined: Tue Mar 30, 2010 12:29 am

Re: IP/Services/Winbox/Available from - how it is done ?

Mon Jun 29, 2015 11:53 am

Thank you for sharing your knowledge.
Which method consumes fewer resources? Filtering on the firewall or service access whitelisting?