Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

NAT Rules changing

Wed Mar 17, 2021 8:07 pm

Hi there,

Is it common to find "nat rule changed by admin" in the log even though I have not changed anything?

This is the second time I found this. I use UPnP but I do not have any port forwarding rules to the world.

The log registers this at a specific time of day when I was not even touching my computer.
 
anav
Forum Guru
Posts: 21918
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT Rules changing

Wed Mar 17, 2021 8:50 pm

Why not post your config and let us know which nat rules changed or were added.

Sounds like you are being hacked, as I am not aware of UPnP changing any rules in NAT.
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: NAT Rules changing

Wed Mar 17, 2021 11:24 pm

/ip firewall nat
add action=redirect chain=dstnat comment="Transparent Web Proxy" dst-address-type=!local \
    dst-port=80 protocol=tcp src-address-list="Allowed LAN" to-ports=8080
add action=dst-nat chain=dstnat comment="Transparent Pi-hole DNS Redirection #1" dst-address=\
    !10.50.10.5 dst-port=53 in-interface=!WAN1 protocol=tcp src-address=!10.50.10.5 \
    src-address-list="!UBNT - Devices" to-addresses=10.50.10.5
add action=dst-nat chain=dstnat comment="Transparent Pi-hole DNS Redirection #2" dst-address=\
    !10.50.10.5 dst-port=53 in-interface=!WAN1 protocol=udp src-address=!10.50.10.5 \
    src-address-list="!UBNT - Devices" to-addresses=10.50.10.5
add action=masquerade chain=srcnat comment="Pi-hole Masquerade #1" dst-address=10.50.10.5 \
    dst-port=53 protocol=tcp src-address-list="Allowed LAN"
add action=masquerade chain=srcnat comment="Pi-hole Masquerade #2" dst-address=10.50.10.5 \
    dst-port=53 protocol=udp src-address-list="Allowed LAN"
add action=masquerade chain=srcnat comment="Internet - WAN1" out-interface=WAN1


/ip firewall filter
add action=reject chain=forward comment="Avoid Google DNS" dst-address-list="Google DNS" \
    in-interface=VRRP reject-with=icmp-network-unreachable
add action=drop chain=forward comment="Avoid QUIC" dst-port=80,443-444 protocol=udp
add action=accept chain=input comment="Accept \"Established and Related\" Connections" \
    connection-state=established,related
add action=drop chain=input comment="Drop Invalid Packets" connection-state=invalid
add action=accept chain=input comment="Allow LAN access to Router and Internet" in-interface=\
    VRRP
add action=accept chain=input comment="Allow Ping (Limited)" limit=5,10:packet protocol=icmp
add action=drop chain=input comment="Drop Ping" protocol=icmp
add action=accept chain=input comment="Allow LAN DNS (Limited)" dst-port=53 in-interface=VRRP \
    limit=500/1m,1500:packet protocol=tcp
add action=accept chain=input dst-port=53 in-interface=VRRP limit=500/1m,1500:packet \
    protocol=udp
add action=reject chain=input comment="Drop DNS Attacks from Outside" dst-port=53 \
    in-interface=WAN1 protocol=tcp reject-with=icmp-port-unreachable
add action=reject chain=input dst-port=53 in-interface=WAN1 protocol=udp reject-with=\
    icmp-port-unreachable
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=yes \
    dst-address-type=broadcast
add action=accept chain=input comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add action=accept chain=input disabled=yes dst-port=5000-5100 protocol=udp
add action=accept chain=input comment="Allow OSPF" disabled=yes protocol=ospf
add action=accept chain=input comment="Allow IPIP" disabled=yes protocol=ipencap
add action=accept chain=input comment="Allow RIP" disabled=yes dst-port=520-521 protocol=udp
add action=accept chain=input comment="Allow SNMP" disabled=yes dst-port=161 protocol=tcp
add action=accept chain=input comment="Bandwidth server" disabled=yes dst-port=2000 protocol=\
    tcp
add action=accept chain=input comment=" MT Discovery Protocol" disabled=yes dst-port=5678 \
    protocol=udp
add action=accept chain=input comment=" Allow UPnP TCP-UDP" dst-port=1900,2828 log-prefix=\
    UPnP protocol=tcp src-address-list="UPnP Devices"
add action=accept chain=input dst-port=1900 log-prefix=UPnP protocol=udp src-address-list=\
    "UPnP Devices"
add action=accept chain=input comment="Allow IKEv2 VPN" disabled=yes ipsec-policy=in,ipsec \
    src-address-list="Allowed LAN"
add action=accept chain=input comment="Allow OVPN VPN" disabled=yes dst-port=1194 protocol=\
    tcp src-address-list=!Blacklist
add action=accept chain=input disabled=yes dst-port=1194 protocol=udp src-address-list=\
    !Blacklist
add action=accept chain=input disabled=yes protocol=ipsec-ah src-address-list=!Blacklist
add action=accept chain=input comment="Allow DNS Server for OVPN" disabled=yes dst-port=53 \
    protocol=tcp src-address-list="Allowed LAN"
add action=accept chain=input disabled=yes dst-port=53 protocol=udp src-address-list=\
    "Allowed LAN"
add action=accept chain=input comment="Allow L2TP VPN" dst-port=500,1701,4500 protocol=udp \
    src-address-list=!Blacklist
add action=accept chain=input protocol=ipsec-esp src-address-list=!Blacklist
add action=accept chain=input protocol=ipsec-ah src-address-list=!Blacklist
add action=accept chain=input comment="Allow DNS Server for L2TP" disabled=yes dst-port=53 \
    protocol=tcp src-address-list="Allowed LAN"
add action=accept chain=input disabled=yes dst-port=53 protocol=udp src-address-list=\
    "Allowed LAN"
add action=accept chain=input comment="Allow PPTP VPN" disabled=yes dst-port=1723 protocol=\
    udp src-address-list=!Blacklist
add action=accept chain=input disabled=yes protocol=gre src-address-list=!Blacklist
add action=accept chain=input comment="Allow DNS Server for PPTP" disabled=yes dst-port=53 \
    protocol=tcp src-address-list="Allowed LAN"
add action=accept chain=input disabled=yes dst-port=53 protocol=udp src-address-list=\
    "Allowed LAN"
add action=accept chain=input comment="Allow Winbox from OVPN" disabled=yes dst-port=9989 \
    protocol=tcp src-address-list="Allowed LAN"
add action=accept chain=input comment="Allow Winbox from L2TP" disabled=yes dst-port=9989 \
    protocol=tcp src-address-list="Allowed LAN"
add action=accept chain=input comment="Allow Winbox from PPTP" disabled=yes dst-port=9989 \
    protocol=tcp src-address-list="Allowed LAN"
add action=accept chain=input comment="Allow Winbox from Specific LAN" dst-port=9989 \
    protocol=tcp src-address-list="Allowed LAN"
add action=accept chain=input comment="Accept VRRP" dst-address=224.0.0.18 protocol=vrrp
add action=accept chain=input comment="Allow Mikrotik Web Proxy" dst-port=8080 protocol=tcp \
    src-address-list="Allowed LAN"
add action=drop chain=input comment="Block Web Proxy Cache Attacks" dst-port=8080 \
    in-interface=WAN1 protocol=tcp
add action=add-src-to-address-list address-list="DoS Blocked Addresses" address-list-timeout=\
    1h chain=input comment=\
    "DoS Attack Protection - Limit Incomming Connections (Use in Case of Attack)" \
    connection-limit=150,32 disabled=yes protocol=tcp
add action=tarpit chain=input comment="DoS Attack Protection - Hold Connections with Tarpit" \
    connection-limit=3,32 disabled=yes protocol=tcp src-address-list="DoS Blocked Addresses"
add action=jump chain=forward comment="DoS Attack Protection - SYN Filtering" \
    connection-state=new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new disabled=yes limit=400,5:packet \
    protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new disabled=yes protocol=tcp tcp-flags=\
    syn
add action=drop chain=input comment="Block Blacklist" in-interface=WAN1 src-address-list=\
    Blacklist
add action=drop chain=input comment="Drop All Not Coming from LAN" in-interface=!VRRP \
    log-prefix="Input Drop"
add action=accept chain=forward comment="Forward IPsec IN / OUT" ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "Accept Port Forwards if Configured (Needed for UPnP)" connection-nat-state=dstnat \
    connection-state=""
add action=fasttrack-connection chain=forward comment="Forward \"Speedtest Fasttracking\" Exce\
    pt IPsec (Must Be Set Before General Established and Related Connections)" \
    connection-mark=!IPsec connection-state=established,related dst-address-list=\
    "Speedtest Proxy" dst-port=8080 protocol=tcp
add action=accept chain=forward comment="Forward \"Established and Related\" Connections" \
    connection-state=established,related
add action=drop chain=forward comment="Drop Invalid Packets" connection-state=invalid
add action=accept chain=forward comment="Allow \"New\" Connections from LAN" \
    connection-state=new in-interface=VRRP
add action=accept chain=forward comment="Allow LAN Traffic out WAN (if not VPN fails)" \
    out-interface=WAN1 src-address-list="Allowed LAN"
add action=drop chain=forward comment="Protect Clients from DNS Attacks" dst-port=53 \
    in-interface=WAN1 protocol=tcp
add action=drop chain=forward dst-port=53 in-interface=WAN1 protocol=udp
add action=accept chain=forward comment=" Forward Switch Lan Play - Rpi" disabled=yes \
    dst-address=10.50.10.5 dst-port=11451 protocol=tcp
add action=accept chain=forward comment=" Forward Switch Lan Play - HP PC" disabled=yes \
    dst-address=10.50.10.236 dst-port=11451 protocol=tcp
add action=reject chain=forward comment="Adblock - TCP-Reset" connection-state=new \
    dst-address=240.0.0.1 log-prefix=ADBLOCK protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="Adblock - UDP-Unreachable" connection-state=new \
    dst-address=240.0.0.1 log-prefix=ADBLOCK protocol=udp reject-with=\
    icmp-network-unreachable
add action=drop chain=forward comment="Adblock - Drop" dst-address=240.0.0.1 log-prefix=\
    ADBLOCK
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input \
    comment="Rust to \"blacklist\"" connection-state=new disabled=yes dst-port=11451 \
    in-interface=WAN1 log=yes log-prefix="Rust Blacklist" protocol=tcp src-address-list=\
    "!Allowed LAN" src-port=!80,443-444,11451-11453,11456
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=\
    forward connection-state=new disabled=yes dst-port=11451 in-interface=WAN1 log=yes \
    log-prefix="Rust Blacklist" protocol=tcp src-address-list="!Allowed LAN" src-port=\
    !80,443-444,11451-11453,11456
add action=drop chain=forward comment="Block Dynamic Blacklist" disabled=yes in-interface=\
    WAN1 src-address-list=Blacklist
add action=jump chain=forward comment="DDoS Attack Protection" connection-state=new \
    jump-target=Detect-DDoS
add action=return chain=Detect-DDoS dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=DDoSed address-list-timeout=10m chain=\
    Detect-DDoS
add action=add-src-to-address-list address-list=DDoSer address-list-timeout=10m chain=\
    Detect-DDoS
add action=drop chain=forward connection-state=new dst-address-list=DDoSed src-address-list=\
    DDoSer
add action=drop chain=forward comment="Drop Bogon Forward -> WAN1" in-interface=WAN1 log=yes \
    log-prefix="Bogon Forward Drop" src-address-list=Bogons
add action=drop chain=forward comment="Drop All from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface=WAN1
add action=drop chain=forward comment="Drop Everything Else" disabled=yes

This is the screenshot. I am the only admin and I was not logged in at that time.
Image
 
anav
Forum Guru
Posts: 21918
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT Rules changing

Thu Mar 18, 2021 1:59 am

So you have no idea which NAT rules you didn't create that are there?
No idea which NAT rules you made and were modified but not by you?
 
gotsprings
Forum Guru
Posts: 2307
Joined: Mon May 14, 2012 9:30 pm

Re: NAT Rules changing  [SOLVED]

Thu Mar 18, 2021 2:59 am

Look in scripts or schedulers?
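Concrete commands for that check, as an added example that is not part of gotsprings' reply: they list the scheduler jobs and stored scripts, pick out the ones whose body touches /ip firewall nat, and pull the matching log lines so a "nat rule changed by admin" entry can be lined up with a scheduler run. Nothing here is specific to the poster's router beyond the log message text; the `~` operator is a regular-expression match on the property.

```routeros
# Added example (not from the thread): find what is editing NAT rules on a
# schedule. Run from a terminal session on the router.

# 1. Every scheduler job: owner, interval, start time and what it runs.
#    A job whose interval lines up with the timestamps in the log is the suspect.
/system scheduler print detail

# 2. Jobs and stored scripts whose body touches NAT rules. A scheduler job can
#    carry the script inline (on-event) or call a stored script by name, so
#    both places are searched.
/system scheduler print detail where on-event~"firewall nat"
/system script print detail where source~"firewall nat"

# 3. The log lines in question. The "by admin" part names the user the change
#    ran as; a script or scheduler job runs as its owner, so its changes read
#    the same as an interactive change made by that user.
/log print where message~"nat rule changed"

# 4. Cross-check against interactive sessions: if nobody logged in around the
#    same time, the change came from a job, not a person.
/log print where topics~"account"
```

If step 2 returns a job, compare its interval and start time with the log timestamps from step 3; a match closes the question without a reinstall.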
 
anav
Forum Guru
Posts: 21918
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT Rules changing

Thu Mar 18, 2021 1:44 pm

The best move to remove any doubt and breathe easier is to download the current config so you have a reference to go from.
Then netinstall a clean version of the latest LONG firmware version back into the router.
https://help.mikrotik.com/docs/display/ROS/Netinstall

Use the config as a guide to add back the configuration slowly, with ONLY the rules you require.
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: NAT Rules changing

Thu Mar 18, 2021 2:09 pm

Look in scripts or schedulers?
I think you're close. I have a script running to deactivate the Pi-hole's NAT rules in case it goes down, so I can use MikroTik's DNS server.
# Runs from the scheduler. "piholeDown" actually holds the "disabled" flag of
# redirect rule #1: false = rule enabled (Pi-hole assumed up), true = rule disabled.
:local piholeDown [/ip firewall nat get value-name=disabled [find comment="Transparent Pi-hole DNS Redirection #1"]]
:local piholeDNS "10.50.10.5"
:local testDomain "1.1.1.1"

:if ($piholeDown = false) do={
    # Rules are enabled: probe Pi-hole; if the lookup fails, disable the rules
    :do {
        :resolve $testDomain server $piholeDNS
    } on-error={
        /ip firewall nat
        disable [find comment="Transparent Pi-hole DNS Redirection #1"]
        disable [find comment="Transparent Pi-hole DNS Redirection #2"]
        disable [find comment="Pi-hole Masquerade #1"]
        disable [find comment="Pi-hole Masquerade #2"]
    }
} else={
    # Rules are disabled: probe Pi-hole; if the lookup succeeds, re-enable them
    :do {
        :resolve $testDomain server $piholeDNS
        /ip firewall nat
        enable [find comment="Transparent Pi-hole DNS Redirection #1"]
        enable [find comment="Transparent Pi-hole DNS Redirection #2"]
        enable [find comment="Pi-hole Masquerade #1"]
        enable [find comment="Pi-hole Masquerade #2"]
    } on-error={}
}
But maybe it deactivates and activates them sparingly, and I am not sure why.
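A variant of that health check, as an added example and not the poster's script, written so that every change it makes is explained in the log next to the "nat rule changed by admin" line. It differs in three ways: it resolves a hostname rather than an IP literal, since handing :resolve an address may not issue a DNS query at all; it only enables or disables the rules when Pi-hole's reachability and the rules' state disagree, so nothing is logged while everything is fine; and it writes a log line first. The four rule comments come from the config posted above; the probe hostname "mikrotik.com" and the job name "pihole-check" in the log text are assumed values.

```routeros
# Added example, not the poster's script: Pi-hole failover that logs why it
# is about to change NAT rules and only touches them on a state change.
# Rule comments are from the posted config; "mikrotik.com" (probe) and
# "pihole-check" (job name in the log text) are hypothetical.

:local piholeDNS "10.50.10.5"
:local probeName "mikrotik.com"
:local ruleComments {"Transparent Pi-hole DNS Redirection #1"; "Transparent Pi-hole DNS Redirection #2"; "Pi-hole Masquerade #1"; "Pi-hole Masquerade #2"}

# Probe Pi-hole directly; a failed lookup raises an error that :do catches.
:local piholeUp true
:do { :resolve $probeName server $piholeDNS } on-error={ :set piholeUp false }

# Current state of the redirect rules: disabled=false means they are active.
:local rulesActive (![/ip firewall nat get [find comment=($ruleComments->0)] disabled])

# Only act when reachability and rule state disagree, and say so before
# touching the rules so the log explains the "nat rule changed" entries.
:if ($piholeUp != $rulesActive) do={
    :log warning ("pihole-check: Pi-hole reachable=" . [:tostr $piholeUp] . \
        ", redirect rules active=" . [:tostr $rulesActive] . "; toggling NAT rules")
    :foreach c in=$ruleComments do={
        :if ($piholeUp) do={
            /ip firewall nat enable [find comment=$c]
        } else={
            /ip firewall nat disable [find comment=$c]
        }
    }
}
```

With this in place, a "nat rule changed by admin" entry is always preceded by a "pihole-check:" warning from the same scheduler run, and a quiet log means the rules were left alone.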
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: NAT Rules changing

Thu Mar 18, 2021 2:12 pm

So you have no idea which NAT rules you didn't create that are there?
No idea which NAT rules you made and were modified but not by you?

Not sure how to dissect them.

The best move to remove any doubt and breathe easier is to download the current config so you have a reference to go from.
Then netinstall a clean version of the latest LONG firmware version back into the router.
https://help.mikrotik.com/docs/display/ROS/Netinstall

Use the config as a guide to add back the configuration slowly, with ONLY the rules you require.

Will keep an eye. Thanks
