IP Firewall rules, need help with optimization

ChrisVanMeer · Fri Jul 29, 2016 2:34 pm

I have three questions:

1 > Can I use a port-range in a filter-rule? Right now I have:

/ip firewall filter
add chain=input dst-port=22,2248,2249,2250,2251,2252,2253,2254 in-interface=ether1 protocol=tcp src-address=z.z.z.z

Can I do something like dst-port=22,2248-2254?

2 > Can I optimze these rules? For every rule, x.x.x.X matches with y.y.y.X.
I now have several rules for every host, both for icmp and certain dst-port. Can this be optimized in less rules?

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=x.x.x.248 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.248
add action=dst-nat chain=dstnat dst-address=x.x.x.249 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.249
add action=dst-nat chain=dstnat dst-address=x.x.x.250 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.250
add action=dst-nat chain=dstnat dst-address=x.x.x.251 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.251
add action=dst-nat chain=dstnat dst-address=x.x.x.252 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.252
add action=dst-nat chain=dstnat dst-address=x.x.x.253 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.253
add action=dst-nat chain=dstnat dst-address=x.x.x.254 protocol=icmp src-address=zz.zz.0.0/12 to-addresses=y.y.y.254
add action=dst-nat chain=dstnat dst-address=x.x.x.248 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.248
add action=dst-nat chain=dstnat dst-address=x.x.x.249 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.249
add action=dst-nat chain=dstnat dst-address=x.x.x.250 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.250
add action=dst-nat chain=dstnat dst-address=x.x.x.251 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.251
add action=dst-nat chain=dstnat dst-address=x.x.x.252 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.252
add action=dst-nat chain=dstnat dst-address=x.x.x.253 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.253
add action=dst-nat chain=dstnat dst-address=x.x.x.254 dst-port=22,80,443 protocol=tcp src-address=zz.zz.0.0/12 to-addresses=y.y.y.254

3 > I map certain outside ports to inside ports, in this case, the dst-port = 2+the last number of y.y.y.X.
For example, 2248 corresponds with y.y.y.248. And the ports are always forwarded to 22 on the inside. Can we use a regex or something to optimize these rules?

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=2248 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.248 to-ports=22
add action=dst-nat chain=dstnat dst-port=2249 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.249 to-ports=22
add action=dst-nat chain=dstnat dst-port=2250 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.250 to-ports=22
add action=dst-nat chain=dstnat dst-port=2251 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.251 to-ports=22
add action=dst-nat chain=dstnat dst-port=2252 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.252 to-ports=22
add action=dst-nat chain=dstnat dst-port=2253 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.253 to-ports=22
add action=dst-nat chain=dstnat dst-port=2254 in-interface=ether1 protocol=tcp src-address=z.z.z.z to-addresses=y.y.y.254 to-ports=22

Thanks,
Chris

pe1chl · Fri Jul 29, 2016 3:39 pm

1: yes
2 and 3: yes, you can use "netmap" as an action to translate a range of addresses in a single rule

however, note that netmap is stateless so you need to do it in two directions

ChrisVanMeer · Fri Jul 29, 2016 5:10 pm

Ok, could you give me an example?

pe1chl · Fri Jul 29, 2016 6:26 pm

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

Fri Jul 29, 2016 11:35 pm

If you're always mapping a public IP to the same private IP, and not changing the ports at all, (I only glanced over the given rules, and saw that Pe1chl has already recommended the same thing I would - netmap) you can do all of it with just one pair of rules:

action=netmap dst-address=o.o.o.0/27 to-address=i.i.i.0/27
action=netmap src-address=i.i.i.0/27 to-address=o.o.o.0/27

don't mention ports or anything - this just means "if you see a dst IP of o.o.o.X, then make it i.i.i.X and leave the ports alone"

There's no need to specify each port if the ports aren't going to get modified by NAT rules. If you're trying to limit access to all but certain desired ports, then you should use the filter table to block undesired ports - don't "block" them by failing to nat them consistently - that's broken behavior, and mixes the functionality of the two tables in a way that's not straightforward.

netmap is a stateless NAT - it doesn't create table entries like dstnat / srcnat rules do - so these packets do get compared to the nat rule chain every time. However, it's able to scale to a larger number of addresses since it's a simple rule, and it is less "intrusive" to the host behind the NAT because it never "times out" due to inactivity. This stateless nature is the reason you need a rule for the inbound AND a rule for the outbound.

ChrisVanMeer · Sat Jul 30, 2016 7:58 am

Ok guys, thanks!
I have one and two covered now.
I'm still struggling with 3:

add action=dst-nat chain=dstnat dst-port=2248 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.248 to-ports=22
add action=dst-nat chain=dstnat dst-port=2249 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.249 to-ports=22
add action=dst-nat chain=dstnat dst-port=2250 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.250 to-ports=22
add action=dst-nat chain=dstnat dst-port=2251 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.251 to-ports=22
add action=dst-nat chain=dstnat dst-port=2252 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.252 to-ports=22
add action=dst-nat chain=dstnat dst-port=2253 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.253 to-ports=22
add action=dst-nat chain=dstnat dst-port=2254 in-interface=ether1 protocol=tcp src-address=1.1.1.1 to-addresses=192.168.0.254 to-ports=22

In this case there is a correlation between the last octet of the destination ip (.248-.254) and the dst-port (2+last octet of the destination IP).
That destination port is always converted to port 22.
Can we optimize these rules, or do I have to leave them as is?

Sun Jul 31, 2016 5:47 pm

You could squeeze a touch more performance by moving these rules to a custom chain - call it SSH_Pinholes
Then make a single rule that checks the range and jumps to ssh_pinholes if the port is in that range...

chain=dstnat protocol=tcp dst-port=2248-2254 action=jump jump-target=SSH_Pinholes

... however, I don't see much benefit in doing this because dstnat chain only has to be checked against new connections (or every packet in stateless connections).
If you are using netmap targets, I suggest placing those rules before these ssh pinhole rules so they're matched quickly, and then the ssh pinhole rules will only ever be checked whenever there are new stateful connection attempts.

IP Firewall rules, need help with optimization

IP Firewall rules, need help with optimization

Re: IP Firewall rules, need help with optimization

Re: IP Firewall rules, need help with optimization

Re: IP Firewall rules, need help with optimization

Re: IP Firewall rules, need help with optimization

Re: IP Firewall rules, need help with optimization

Re: IP Firewall rules, need help with optimization