Hi Guys,

I have a MikroTik router on a Public IP acting as a DNS server as well. Now I am noticing the DNS server is being abused by people on the internet, as it is handling DNS requests for them as well.

I want to restrict the DNS server to only handle DNS queries from requests coming from a specific Private IP (192.168.1.x) subnet only. How can I achieve this with the firewall? How to create rules which only allow DNS queries from my designated subnet, and drop DNS queries from all other IPs?


Thanks.

Build a standard stateful firewall will be the best thing you can do.
Before you have the final drop rules in each chain, make sure you have explicit allow rules for what you want to allow. Otherwise you will lock yourself out.

Build a standard stateful firewall will be the best thing you can do.

Code: Select all

/ip firewall filter
add chain=input comment="Accept Established" connection-state=established
add chain=input comment="Accept related" connection-state=related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add chain=input comment="Accept from known" src-address-list=known
add chain=input comment="Accept local connections LAN" in-interface=<LAN Interface>
add action=drop chain=input comment="Drop everything else"
add chain=forward comment="Accept Established" connection-state=established
add chain=forward comment="Accept Related" connection-state=related
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add chain=forward comment="Allow LAN to WAN" in-interface=<LAN Interface> out-interface=<WAN Interface>
add action=drop chain=forward comment="Drop everything else"

Before you have the final drop rules in each chain, make sure you have explicit allow rules for what you want to allow. Otherwise you will lock yourself out.

Thanks Feklar for your reply,. However, I think that the rules you suggested above are too much to achieve the purpose? I don't want to build a stateful firewall as you mentioned. Just the necessary rules to achieve the desired outcome? Which I think can be achieved with 2 rules? i.e. one to accept and one to drop?

A stateful firewall is the way to do it.

There is by default an accept all in a Mikrotik, so you could just use one rule if that's what you really want
The idea though is to protect the router a bit more, as well as anyone using it to access the internet. Hence the input and the forward chains. It doesn't really cost any more resources to have it setup as a stateful firewall, and the setup is a lot more secure.

Minimal solution is to drop tcp/udp port 53 input chain on wan interface.

Minimal solution is to drop tcp/udp port 53 input chain on wan interface.

I did the above and it is successfully dropping DNS queries from the internet now. I created two rules to drop tcp 53 and udp 53 as there is no way to select both tcp/udp in the protocol field? Or is it possible?

Thanks to all for the help.

You need two rules. Unfortunately it is so. I would also like multiple choices in other fields...

Hi,

@jarda

You need two rules. Unfortunately it is so. I would also like multiple choices in other fields...

I guess ROS is using iptables as firewall and iptables does not support specifying multiple protocols. It also would be very difficult to implement because many other options of a firewall rule depend on the chosen protocol.

@MTusewk

I don't want to be rude, but you're acting completly careless.
It is a very bad idea to connect any unprotected device to a network.
Even if you don't care, other people / networks can be harmed from your unprotected device.

Leaving network devices unprotected is like advertising that you're going in vacation and you're to lazy to lock your appartement.

Please do yourself a favour and implement proper firewall rules. The one and only truth is:

A stateful firewall is the way to do it.

If you're unsure - we're here to help you.

Ape

A stateful firewall is in fact the way of protecting more, with less rules.

Hi,

@jarda

You need two rules. Unfortunately it is so. I would also like multiple choices in other fields...

I guess ROS is using iptables as firewall and iptables does not support specifying multiple protocols. It also would be very difficult to implement because many other options of a firewall rule depend on the chosen protocol.

@MTusewk

I don't want to be rude, but you're acting completly careless.
It is a very bad idea to connect any unprotected device to a network.
Even if you don't care, other people / networks can be harmed from your unprotected device.

Leaving network devices unprotected is like advertising that you're going in vacation and you're to lazy to lock your appartement.

Please do yourself a favour and implement proper firewall rules. The one and only truth is:

A stateful firewall is the way to do it.

If you're unsure - we're here to help you.

Ape

Thanks for your input Ape and for clarifying why it is not possible to select multiple protocols in the protocol field.

Regarding the stateful firewall, I am not sure why it is needed. Can you explain how is it unprotected device without a stateful firewall and what harm can be done to others on the internet? Sorry, but I am new into this, so will appreciate if you can explain it.

Secondly since we are on topic. I want to know is it possible to log every connection attempt of users to anywhere on the internet in MikroTik? Regardless of whether it was failed/successful connection attempt? If it is possible then how can I do it?


Thanks a lot to everyone for help!

Hi,

Secondly since we are on topic. I want to know is it possible to log every connection attempt of users to anywhere on the internet in MikroTik? Regardless of whether it was failed/successful connection attempt? If it is possible then how can I do it?

Yes, it is possible.

You can configure firewall rules that log connections of the state "new".
You also can configure firewall rules that log conections that get dropped.
So you log the successful and the dropped connection attempts to the router's log. As there will be many log entries, it may be useful for you to use syslog to let your router log this messages to a syslog server in your network.

Regarding the stateful firewall, I am not sure why it is needed. Can you explain how is it unprotected device without a stateful firewall and what harm can be done to others on the internet? Sorry, but I am new into this, so will appreciate if you can explain it.

You already gave an example for this:

I have a MikroTik router on a Public IP acting as a DNS server as well. Now I am noticing the DNS server is being abused by people on the internet, as it is handling DNS requests for them as well.

This is a very bad thing, because someone can spoof his source address making your router's DNS answer the request to someone who has not requested anything. This is called "source address spoofing" which can be used to perform DOS / DDOS attacks. For the victim it will look like your IP is the attacker. It is not exactly you attacking the victim, but you made this possible for an attacker. It's like leaving the key plugged in your car and someone using it for a robbery.

Without firewall rules, anybody can access the management services of the router (api, winbox, www, ssh) and trying to bruteforce the accounts. Once someone gets access, he can use your device to source traffic from it, steal data from it, sniff traffic and so on. Even if you use strong passwords / ssh key, the attacker wastes (your) bandwidth and cpu cycles - this is also a harm.

This is only the obvious stuff, there might be other things that could be exploited over the network, and nobody knows about it (like a bug in an accessible network service.) With a properly configured firewall, you do not fix the bug, but you make it very unlikely that someone will be able to exploit that.

This type of thinking is not limited to firewall configs, IMHO it is a basic principle in IT. It does not cost you any money and just 10 minutes of yout time, so there is no excuse to not do it.

Conclusion: It is highly recommended to secure your device at least with some input rules (drop invalid, accept related, accept established, accept new from the desired sources and to the desired services, drop all the rest) to only allow access from the desired sources / interfaces. It will not affect the routing performance of the device but will you make sleep calmly.

Ape

Ok, so regarding the requirement of logging all connection attempts to anywhere on the internet, I am successfully logging the connections with state of "New". Since they are being logged to router's memory (log), to forward these to syslog server instead I have to configure the Memory Action to "remote" right?

Is there any other way also to achieve the above? Like with Traffic Flow? Will that be able to achieve the same purpose?

Secondly is there anyway to block the P2P traffic of users? For things like Torrents and other dozens of file sharing programs? And thanks for describing the disadvantages. I have created some rules to mitigate some attacks now.

Hi,

yes, to log messages remotely you need to create a logging action "remote" with the correct settings for your syslog server. Afterwards you can copy an existing or create a new log rule with the desired topic and the remote action.

To address your filesharing problem:

It is not that easy. In general there are two approaches: Whitelist only the desired connections, like say port 25, 80 and 443 (just as example) or blacklist all known file sharing protocols. Neither way will guarantee you 100% freedom of filesharing.

Ape

MTusewk:

You can use TrafficFlow, it's in IP > Traffic Flow.

Blocking P2P is a lost battle. Even worse, is battling your users. A better approach is a well polished QoS (Queue Tree).

Why? because you don't want an user "stealing" all the bandwidth, but won't mind a p2p user using all the spare bandwidth available nobody else is using, isn't it? (while accordingly limited to suscribed plan) That's the way to go IMHO.

The aproach is similar to Ape advice, create several child queues per most globally used traffic patterns, with decreasing priority: Essential (DNS, ICMP), Management (winbox, RDP, VNC, SSH...), VoIP, interactive (HTTP/S), File downloads and youtube (HTTP/S setting connection-bytes, maybe two ranges), then the rest.

By setting priorities and limit-at and max-limit, and setting these queues as PCQ you will be able to control exactly how bandwidth is shared, and ensure fairness for all your users.

Are you already limiting users by simple-queues?

No, I am not using Simple Queues at the moment. I understand blocking P2P is a lost battle. At the minimum I am looking for a way to block torrenting. Is there anyway to achieve this atleast?

Hi MTusewk,

I cannot give you a walk-through for your torrent blocking task, but I want to share some thoughts:

- devices using torrent file sharing typically open many connections in a short time period on specific ports (these port numbers are AFAIK client software dependant), this should be detectable
- devices using torrent file sharing need to have connections to a "tracker", this should be detectable too
- the tracker protocol is AFAIK HTTP/HTTPs, so it should be possible to block it with a proxy (Have a look into the torrent protocol specification I found at this URL: https://wiki.theory.org/BitTorrentSpecification)
- your users can evade all your attempts by e.g. using a VPN service...

With some effort, using torrent can be made more difficult - but as pukkita already said - blocking file sharing really is a lost battle.
If your concern is bandwidth - use queues to prioritize desired services.

Ape

here's how we block p2p in our routers....it's not 100% foolproof, but it blocks the majority of it:

/ip firewall filter
add action=add-dst-to-address-list address-list=FILESHARING address-list-timeout=10m chain=forward comment=P2P_QUEUEING dst-address-list=!P2PEXEMPT p2p=all-p2p
add action=add-src-to-address-list address-list=FILESHARING address-list-timeout=10m chain=forward comment=P2P_QUEUEING p2p=all-p2p src-address-list=!P2PEXEMPT
add action=drop chain=input comment=P2P_DROP p2p=all-p2p
add action=drop chain=forward comment=P2P_DROP p2p=all-p2p
add action=drop chain=output comment=P2P_DROP p2p=all-p2p

/ip firewall mangle
add action=mark-connection chain=prerouting comment=P2P_QUEUEING dst-address-list=FILESHARING new-connection-mark=FILESHARING
add action=mark-connection chain=prerouting comment=P2P_QUEUEING new-connection-mark=FILESHARING src-address-list=FILESHARING
add action=mark-packet chain=prerouting comment=P2P_QUEUEING connection-mark=FILESHARING new-packet-mark=FILESHARING

/ip firewall address-list
add address=10.59.0.0/21 list=P2PEXEMPT

/queue simple
add comment=P2P_QUEUEING dst=10.59.0.0/21 limit-at=5k/5k max-limit=5k/5k name=P2P_QUEUE packet-marks=FILESHARING queue=ethernet-default/ethernet-default total-queue=ethernet-default

basically, if the packet drop rules don't catch it, the queue rule kicks in and throttles them down to only 5k speed....not just for p2p, but for everything on their connection. so if they fire up their bittorrent app and get put on the FILESHARING list, their whole connection gets slowed to 5k, with basically makes the internet unusable, even for web browsing. the timeout is set to 10mins, so if they stop the p2p app and let 10mins pass, their connection goes back to normal.

just change the "10.59.0.0/21" in the lines above to the subnet(s) you are using on your LAN