tandem
just joined
Topic Author
Posts: 12
Joined: Wed Nov 17, 2004 8:54 pm

Firewall Questions

Wed Dec 01, 2004 9:20 pm

One of the big reasons I'm moving to a Mikrotik router is that Cisco's base firewall features (without one of their $$$ feature packs) are very limited.

I know the Mikrotik docs state that most ICMP traffic should be blocked, and I'm also interested in pretty much blocking all incoming traffic for all but specific ports on our servers (i.e. ports 25 and 110 on our mail server, port 80 on the web server, etc.). It's probably just me, but I can't figure out how to enter these entries. Does anybody have some examples of how to block most of the ICMP stuff (except things like TTL exceeded, echo request and reply, that sort of thing) and block all incoming ports save for specific traffic?
 
HarvSki
Member
Posts: 395
Joined: Fri May 28, 2004 3:37 pm
Location: London, UK

Thu Dec 02, 2004 12:50 pm

If you are using NAT then it is simply a case of setting up dst-nat to the servers you want public access to on the relevant ports. If you have a fully routed network then RTFM, I guess ;)

http://www.mikrotik.com/docs/ros/2.8/ip ... ll.content
 
tandem
just joined
Topic Author
Posts: 12
Joined: Wed Nov 17, 2004 8:54 pm

Thu Dec 02, 2004 9:04 pm

Alright, I think I've figured it out to a point, at least. My big concern is one of our mail servers, which is getting hit pretty hard with some big attacks (I'm not sure what, mind you, doesn't appear to be any sort of ICMP thing). At any rate, here's what I have in the forward chain on the firewall:

0 dst-address=x.y.z.19/32:25 protocol=tcp tcp-options=syn-only action=accept
1 dst-address=x.y.z.19/32:110 protocol=tcp tcp-options=syn-only action=accept
2 dst-address=x.y.z.19/32:80 protocol=tcp tcp-options=syn-only action=accept
3 dst-address=x.y.z.19/32 action=reject

Now the problem here is that this server needs to be able to contact the outside for updates. The above config pretty much blocks all outgoing traffic, though it allows incoming on those ports. Is there any way to permit the server to talk to the outside world while limiting the inside world's ability to create new connections to those three ports (25, 80, 110)?
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Thu Dec 02, 2004 10:04 pm

Are your default policies to Deny? You'll need a forward rule that allows the traffic through for your servers.
My big concern is one of our mail servers, which is getting hit pretty hard with some big attacks (I'm not sure what, mind you, doesn't appear to be any sort of ICMP thing).
Perhaps your mail server is being used as a spam relay(?)
 
tandem
just joined
Topic Author
Posts: 12
Joined: Wed Nov 17, 2004 8:54 pm

Thu Dec 02, 2004 11:15 pm

Are your default policies to Deny? You'll need a forward rule that allows the traffic through for you servers.
I'm still trying to figure it out. I'm a whiz at NAT stuff (having done it on a straight Linux iptables setup, Mikrotik and Cisco), but for some reason this firewalling set up has me puzzled.

Let's just say I have the server 10.0.0.19 (public IP, not NATed), and I want to block all incoming traffic save on ports 25,80 and 110, but still allow that server to access the outside world (primarily FTP and WWW, but other protocols as well). How does such a firewall table get constructed?

Perhaps your mail server is being used as a spam relay(?)
The mail server in question uses SMTP Auth for outside connections (we have a Postfix server handling MTA traffic), and even so our logs would show people unsuccessfully trying to relay mail. I think it's some sort of SYN attack, but I'm not sure.
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Fri Dec 03, 2004 6:42 am

Let's just say I have the server 10.0.0.19 (public IP, not NATed), and I want to block all incoming traffic save on ports 25,80 and 110, but still allow that server to access the outside world (primarily FTP and WWW, but other protocols as well). How does such a firewall table get constructed?
It would depend then on how the Mikrotik is setup...bridged or routed? Is there NAT happening, but a public->private 1-to-1 NAT for the mail server?

But first, take a look at IP -> Firewall -> Filter Chains and see what the default policies are for the input, output, and forward chains (in particular, the forward). If they are all "drop" switch them to accept and see if it works. If not, then it's got to be a problem with either your firewall rules and/or NAT, or routing. If it does work, switch them back to drop and add a forward rule with the source IP of your server, destination of anything, and optionally the interface (better protection this way). If you're NAT'ed, you'll have to do the same rule, plus a destination NAT rule with the same info. That *should* get you out. If not, double check your server's ip info, subnet, and gateway, and your routes on the MT.

Hope this helps.
 
tandem
just joined
Topic Author
Posts: 12
Joined: Wed Nov 17, 2004 8:54 pm

Fri Dec 03, 2004 7:15 pm

It would depend then on how the Mikrotik is setup...bridged or routed? Is there NAT happening, but a public->private 1-to-1 NAT for the mail server?
No NAT, just a straight routed network with public IPs. I just want to seal off all incoming ports save those for SMTP and POP3. However, I do want the servers to see the outside world, and this is where the trouble seems to start.
But first, take a look at IP -> Firewall -> Filter Chains and see what the default policies are for the input, output, and forward chains (in particular, the forward). If they are all "drop" switch them to accept and see if it works. If not, then it's got to be a problem with either your firewall rules and/or NAT, or routing. If it does work, switch them back to drop and add a forward rule with the source IP of your server, destination of anything, and optionally the interface (better protection this way). If you're NAT'ed, you'll have to do the same rule, plus a destination NAT rule with the same info. That *should* get you out. If not, double check your server's ip info, subnet, and gateway, and your routes on the MT.

Hope this helps.
I've tried to use the example found in the Mikrotik manual, but when I set the reject action, basically things start dying. In particular, it doesn't seem that outside connections to those ports I've opened can be completed, signaling that a lot more is being rejected than I want.

I'll give it another shot, but I feel like I'm missing some key bit of information. I see the following line in the manual (for the forward chain):
add protocol=tcp connection-state=established
Now that obviously is for established connections, but should I also be allowing new and related connections, or is there some other trick to this?
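A complete forward chain for the routed setup tandem describes, as an added example that is not part of the thread or of the MikroTik manual. It is written in the `/ip firewall filter` syntax of current RouterOS, not the 2.8 `ip firewall rule forward` syntax the manual line above uses, so the keywords differ even though the logic is the same. Assumed names: ether1 is the outside interface and ether2 the inside one (as in tandem's later posts), and 192.0.2.19 stands in for the server x.y.z.19. The answer to the question about new and related connections is rule 1: it accepts both established and related, for every protocol, and sits before the reject. The four-rule set posted earlier accepted only the opening SYN of each inbound connection, so every later packet of those connections, and every reply to the server's own outbound connections, fell through to the reject, which is exactly the "connections cannot be completed" symptom.

```routeros
/ip firewall filter
# Rule 1: packets that belong to a flow conntrack already tracks pass in both
# directions and for every protocol (TCP data and ACKs, UDP and ICMP replies).
# "related" also admits FTP data connections once the FTP helper has seen the
# PORT/PASV exchange on the control channel. This rule must come first and
# must not be limited to protocol=tcp, or DNS replies to the server die below.
add chain=forward connection-state=established,related action=accept \
    comment="replies to tracked flows"

# Rule 2: packets conntrack cannot attach to any flow (stray ACKs, mid-stream
# probes) are dropped before they can be counted as "new".
add chain=forward connection-state=invalid action=drop

# Rules 3-5: new connections from the outside to the server are limited to
# the three published TCP ports and to echo requests; everything else aimed
# at the server is rejected. Echo replies and TTL-exceeded messages for the
# server's own traffic are already covered by rule 1.
add chain=forward in-interface=ether1 dst-address=192.0.2.19 protocol=tcp \
    dst-port=25,80,110 connection-state=new action=accept \
    comment="SMTP, HTTP, POP3 from outside"
add chain=forward in-interface=ether1 dst-address=192.0.2.19 protocol=icmp \
    icmp-options=8:0-255 action=accept comment="ping the server"
add chain=forward in-interface=ether1 dst-address=192.0.2.19 \
    action=reject reject-with=icmp-admin-prohibited \
    comment="everything else inbound to the server"

# Rule 6: the server may open connections outward (updates, DNS, FTP, HTTP).
# The match is on the inside interface, where its packets enter the router.
add chain=forward in-interface=ether2 src-address=192.0.2.19 \
    connection-state=new action=accept comment="server outbound"
```

A quick check after loading this: `/ip firewall filter print stats` should show most bytes on rule 1, while the per-port rules count only the first packet of each connection. If the reject rule's counters keep climbing during normal use, something legitimate is not being recognised as established or related and rule 1 is being bypassed.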
 
ssteele
just joined
Posts: 7
Joined: Sat Nov 27, 2004 10:24 pm

Fri Dec 03, 2004 11:55 pm

I have the same problem and I need help desperately....

I have changed so much I have no idea anymore what's right or wrong....

My mail server is on the private LAN .... 192.168.0.30/32 and trying to NAT to the public IP of 68.150.192.222 but I can't seem to be able to open port 25 ... it can't seem to get out .... it keeps giving me timeout errors... and BTW I'm using Postfix as an MTA also ....

Just forget how it is now .. please tell me how to make it work..... I've got rules everywhere now and don't know which I need or don't need anymore.

For example... I'm not sure what order these rules should be in and if it has any effect on the proper operation of it.....

Ex... should the jump command in forward ------> be before the other rules or not.... and I can't get onto the internet at all unless I have src-nat set up like this.... out-interface=Public action=masquerade... soooooooo should it be that way or should it be nat or ???? and should there be any other rules?????

Please please help me asap.....


signed frustrated....

Sheldon Steele
Last edited by ssteele on Sat Dec 04, 2004 12:02 am, edited 1 time in total.
 
tandem
just joined
Topic Author
Posts: 12
Joined: Wed Nov 17, 2004 8:54 pm

Fri Dec 03, 2004 11:57 pm

Alright, I think I figured that out. I wasn't attaching the rules to my inside (ether2) interface. Did that, and my rules are now happily working, blocking all but the ports I want on the hosts that I want.

One last question, if anyone can answer. We want to prevent all inside hosts except our mailservers from sending port 25 traffic through the gateway (stop worms trying to spread from local connections dead in their tracks). Would this be going through the outside (ether1) interface or the inside (ether2)?
 
tandem
just joined
Topic Author
Posts: 12
Joined: Wed Nov 17, 2004 8:54 pm

Sat Dec 04, 2004 12:29 am

And one more one last question, too. For UDP, should I only be allowing through established connections? I noticed when I had connection-state set to all that my rules dealing with my DNS servers weren't getting any bytes, but when I set it to established, then I saw activity on those rules.
 
dwright
Member Candidate
Posts: 158
Joined: Fri May 28, 2004 1:10 pm
Location: Mchenry, Il

Sat Dec 04, 2004 4:22 am

The best way to set up rules for servers IMO is to have special chains for each server. For example in an email server setup.


add a chain for the server:
ip firewall>add name=mail
In the forward chain you would have this rule:
ip firewall rule forward>src-address="0.0.0.0/0" dst-address="mail.server.ip" action=jump jump-target="mail"

Then move to the mail chain and add these rules:
ip firewall rule mail> out-interface="interface connected to mail server" connection-state=established action=accept

ip firewall rule mail> dst-port=25 out-interface="interface connected to mail server" protocol=tcp action=accept

ip firewall rule mail> dst-port=110 out-interface="interface connected to mail server" protocol=tcp action=accept
You can add any other ports you need open for this server.

This is the last rule that should be in the chain.....
ip firewall rule mail>out-interface="interface connected to mail server" protocol=!icmp action=reject 
If you don't want to accept ping you can remove the protocol=!icmp in this last rule.

I am sure that there are other ways to do this, but this way works for us and it keeps all the firewall rules organized.

You can do the same for other servers; it all works the same.

Dan
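The per-server chain dwright describes, translated into current `/ip firewall filter` syntax as an added example; it is not dwright's configuration and not the 2.8 commands quoted above. In current RouterOS the chain exists as soon as a rule with `chain=mail` is added, so there is no separate `add name=mail` step. The block also covers the earlier egress question: new SMTP connections from the LAN are matched on the inside interface, ether2, because that is where they enter the router, and the rule has to sit before any general accept for LAN traffic. Assumed names: 192.0.2.19 for the mail server, ether1 outside, ether2 inside.

```routeros
/ip firewall filter
# Hand everything addressed to the mail server to its own chain. A chain that
# ends without a verdict returns to the caller, so chain mail ends with a
# reject and never returns.
add chain=forward dst-address=192.0.2.19 action=jump jump-target=mail \
    comment="per-server policy for the MTA"

# Chain mail, same order as a flat forward chain: tracked flows first, then
# the published ports, then an explicit catch-all.
add chain=mail connection-state=established,related action=accept
add chain=mail in-interface=ether1 protocol=tcp dst-port=25,110 \
    connection-state=new action=accept comment="SMTP and POP3 from outside"
add chain=mail in-interface=ether1 protocol=icmp action=accept \
    comment="remove this rule to refuse ping as well"
add chain=mail action=reject reject-with=icmp-admin-prohibited \
    comment="last rule in the chain"

# Egress control for the rest of the LAN: only the MTA may open SMTP
# connections through the router. Logged drops point at infected hosts.
add chain=forward in-interface=ether2 src-address=!192.0.2.19 protocol=tcp \
    dst-port=25 connection-state=new action=drop log=yes \
    log-prefix="smtp-egress" comment="worms do not get to send mail"

# The MTA's own outbound connections are not covered by the jump above (that
# matches on destination), so they get their own rule here.
add chain=forward in-interface=ether2 src-address=192.0.2.19 \
    connection-state=new action=accept comment="the MTA's own outbound"
```

The jump rule matches on destination only, so traffic the server originates never enters chain mail; keep that in mind when reading counters, since `/ip firewall filter print stats` will show the server's outbound bytes on the last forward rule rather than inside the chain.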
 
dwright
Member Candidate
Posts: 158
Joined: Fri May 28, 2004 1:10 pm
Location: Mchenry, Il

Sat Dec 04, 2004 4:35 am

i have the same problem and i need help desperately....

i have changed so much i have no idea anymore what's right or wrong....

my mail server is on the private LAN .... 192.168.0.30/32 and trying to NAT to the public ip of 68.150.192.222 but i can't seem to be ableto open port 25 ... it can't seem to get out .... it keeps giving me timeout errors... and BTW i'm using postfix as an MTA also ....
In a NAT'd environment forget about the firewall rules and the chains... you need to look in the dst-nat table and punch holes through the NAT'd firewall.

You need something like this for it to work.
ip firewall dst-nat> add address=68.150.192.222/32 in-interface="public interface" dst-port=25 protocol=tcp action=nat to-dst-address=192.168.0.30/32 to-dst-port=25

ip firewall dst-nat> add address=68.150.192.222/32 in-interface="public interface" dst-port=110 protocol=tcp action=nat to-dst-address=192.168.0.30/32 to-dst-port=110
Hope this helps...

Dan
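The same publication done with NAT, as an added example in current RouterOS syntax (`/ip firewall nat` with `chain=dstnat`, rather than the 2.8 `ip firewall dst-nat` table dwright quotes); it is not ssteele's configuration. The interface names Public and Local and the addresses are taken from ssteele's posts. One thing the advice above leaves implicit: the dst-nat rule only rewrites the destination address. The packet then traverses the forward chain addressed to 192.168.0.30, so a forward chain that drops unsolicited inbound connections has to accept it there as well; matching on `connection-nat-state=dstnat` admits exactly the flows the NAT rule created and nothing else aimed at the server.

```routeros
/ip firewall nat
# Outbound: hide the LAN behind the router's public address. This is the
# out-interface=Public masquerade rule ssteele already has; it belongs in
# chain srcnat and is all that LAN hosts need to reach the Internet.
add chain=srcnat out-interface=Public action=masquerade \
    comment="LAN behind the public address"

# Inbound: rewrite the destination of SMTP and POP3 arriving on the public
# interface to the mail server. Only this rule ever sees 68.150.192.222; the
# forward chain sees the packet with destination 192.168.0.30.
add chain=dstnat in-interface=Public dst-address=68.150.192.222 protocol=tcp \
    dst-port=25,110 action=dst-nat to-addresses=192.168.0.30 \
    comment="publish the MTA"

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Accept the translated connections and nothing else unsolicited from outside.
add chain=forward in-interface=Public connection-nat-state=dstnat \
    connection-state=new protocol=tcp dst-port=25,110 action=accept \
    comment="flows opened by the dst-nat rule"
add chain=forward in-interface=Public connection-state=new action=drop \
    comment="no other unsolicited inbound connections"
```

To confirm the translation is happening, open a connection to port 25 of the public address from outside and look at `/ip firewall connection print`: the entry should show the reply destination as 192.168.0.30:25. If the dstnat counter in `/ip firewall nat print stats` moves but the connection never completes, the forward chain (or the server's own firewall or default route) is the place to look next.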
 
tandem
just joined
Topic Author
Posts: 12
Joined: Wed Nov 17, 2004 8:54 pm

Firewall and FTP

Sun Dec 05, 2004 3:36 am

Just spotted a big problem. How do I get FTP up and running properly, or are users forced to use passive FTP with firewalling in place?
 
ssteele
just joined
Posts: 7
Joined: Sat Nov 27, 2004 10:24 pm

Wed Dec 08, 2004 4:36 am

The best way to set up rules for servers IMO is to have special chains for each server. For example in an email server setup.


add a chain for the server:
ip firewall>add name=mail
How do I activate it once it's entered?


In the forward chain you would have this rule:
ip firewall rule forward>src-address="0.0.0.0/0" dst-address="mail.server.ip" action=jump jump-target="mail"

Should this rule be the first one? There is another one....



Then move to the mail chain and add these rules:


I assume you mean "Local" with IP address 192.168.0.1, right? That's the one it's directly connected to. When you say "interface it's connected to"... because when I set it up this way it did not work at all! No data flows through it at all....
ip firewall rule mail> out-interface="interface connected to mail server" connection-state=established action=accept

ip firewall rule mail> dst-port=25 out-interface="interface connected to mail server" protocol=tcp action=accept

ip firewall rule mail> dst-port=110 out-interface="interface connected to mail server" protocol=tcp action=accept
You can add any other ports you need open for this server.

This is the last rule that should be in the chain.....
ip firewall rule mail>out-interface="interface connected to mail server" protocol=!icmp action=reject 
If you don't want to accept ping you can remove the protocol=!icmp in this last rule.

I am sure that there are other ways to do this, but this way works for us and it keeps all the firewall rules organized.

You can do the same for other servers; it all works the same.




I like the idea of keeping it separate but it doesn't seem to work for me... any ideas why?

Dan