Problem with firewall filter to dst-address?

yudigadget · Tue Jan 08, 2008 12:35 pm

Normis ever said, i don't remember when...
/ip firewall filter add chain=forward dst-address=210.210.145.201/32 protocol=tcp action=drop

Non-authoritative answer:
Name: web.cbn.net.id
Address: 210.210.145.202
Aliases: http://www.cbn.net.id

I test it, but i still can access the website (http://www.cbn.net.id), why? and the packets and bytes not counting (increase), still 0 (ZERO).

i curious, then i test to block IRC port:
/ip firewall filter add chain=forward dst-port=6667 action=drop and it works, i can not connect to IRC (i use mIRC ~ windows)!
next, i test to block ICMP (ping) to 210.210.145.202, so i change the protocol=tcp to 1 (icmp), and it works!
I see the packets and bytes are counting.. (increase)

before block ICMP:
C:\Documents and Settings\Yudi Wijaya>ping http://www.cbn.net.id

Pinging web.cbn.net.id [210.210.145.202] with 32 bytes of data:

Reply from 210.210.145.202: bytes=32 time=54ms TTL=246
Reply from 210.210.145.202: bytes=32 time=54ms TTL=246
Reply from 210.210.145.202: bytes=32 time=54ms TTL=246
Reply from 210.210.145.202: bytes=32 time=47ms TTL=246

Ping statistics for 210.210.145.202:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 47ms, Maximum = 54ms, Average = 52ms

After block ICMP:

C:\Documents and Settings\Yudi Wijaya>ping http://www.cbn.net.id

Pinging web.cbn.net.id [210.210.145.202] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 210.210.145.202:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Yudi Wijaya>

I really confuse, why mikrotik firewall filter can not detect when i try browsing to that IP? i already use 6 (tcp)...

Please help me..
Yudi

cmit · Tue Jan 08, 2008 12:59 pm

/ip firewall filter add chain=forward dst-address=210.210.145.201/32 protocol=tcp action=drop

Non-authoritative answer:
Name: web.cbn.net.id
Address: 210.210.145.202

It looks like that's the problem: The server has the ip address ending with .202, and you block traffic to the .201 - that's not going to help...

yudigadget · Tue Jan 08, 2008 1:03 pm

/ip firewall filter add chain=forward dst-address=210.210.145.201/32 protocol=tcp action=drop

Non-authoritative answer:
Name: web.cbn.net.id
Address: 210.210.145.202
It looks like that's the problem: The server has the ip address ending with .202, and you block traffic to the .201 - that's not going to help...

No no no.. sorry i'm just typo... what i'm doing still correct! please see attached screenshot, it's 202
I still can not block to access that website... please tell me why?

I can block the ICMP, i can block access IRC, but i can not block access to website

mrz · Tue Jan 08, 2008 1:16 pm

What about nat rules? Probably you are redirecting traffic to web proxy or something.

SurferTim · Tue Jan 08, 2008 2:40 pm

I have not checked the DNS on that server, but is it possible that the DNS on the target machine is redirecting you to another IP address?

My DNS servers show primary DNS on the internet as 68.99.58.115, but my web servers are at 68.99.58.116 and 68.99.58.117. So if you block just my DNS server, my webpages would still get through.

yudigadget · Tue Jan 08, 2008 5:54 pm

What about nat rules? Probably you are redirecting traffic to web proxy or something.

I think you're correct... NAT rules for web-proxy is the problem..

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=dstnat src-address=172.168.100.201 protocol=tcp dst-port=80
action=same to-addresses=202.159.24.36 to-ports=80 same-not-by-dst=no
1 chain=srcnat out-interface=ether1 action=masquerade
2 I chain=srcnat out-interface=abacus1 dst-address=10.51.40.0/24
action=masquerade
3 I chain=srcnat out-interface=abacus2 dst-address=10.51.40.0/24
action=masquerade
4 chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=3128
5 X chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=3128
6 chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=3128
7 chain=dstnat protocol=tcp dst-port=8081 action=redirect to-ports=3128
8 chain=dstnat protocol=tcp dst-port=9000 action=redirect to-ports=3128
9 chain=dstnat protocol=tcp dst-port=8008 action=redirect to-ports=3128
10 chain=dstnat protocol=tcp dst-port=553 action=redirect to-ports=3128
11 chain=dstnat protocol=tcp dst-port=554 action=redirect to-ports=3128

I see too on RouterOS documentation about Filter, there is notes:
Because the NAT rules are applied first, it is important to hold this in mind when setting up firewall rules, since the original packets might be already modified by the NAT.

So, is there any solution to fix this problem? thank you very much

butche · Tue Jan 08, 2008 8:49 pm

/ip firewall nat add chain=dstnat action=accept place-before=0 \
     dst-address=210.210.145.202 protocol=tcp

That will cause the tcp traffic destined for that IP to NOT be natted.

SurferTim · Tue Jan 08, 2008 9:09 pm

Hi Butch,

Gotta ask...where did you get the "place-before=0" parameter? I have seen other setup commands that I do not see any mention of in the reference manual. If that does what I think it does, that is a handy thing to know! Any other shortcuts like that?

Tim

butche · Tue Jan 08, 2008 10:23 pm

Gotta ask...where did you get the "place-before=0" parameter? I have seen other setup commands that I do not see any mention of in the reference manual. If that does what I think it does, that is a handy thing to know! Any other shortcuts like that?

I didn't know it wasn't in the manual.

From the CLI, you can get "context sensitive help" in one of two ways. For example, if you do:

/ip firewall nat add <TAB><TAB>

You see:

[admin@ButchEvans] interface> /ip firewall nat add                                                                                 
action                connection-mark   dst-address-type  in-interface     out-interface  routing-mark      tcp-mss     
address-list          connection-type   dst-limit         ipv4-options     packet-mark    same-not-by-dst   time        
address-list-timeout  content           dst-port          jump-target      packet-size    src-address       to-addresses
chain                 copy-from         fragment          limit            place-before   src-address-list  to-ports    
comment               disabled          hotspot           log-prefix       protocol       src-address-type  tos         
connection-bytes      dst-address       icmp-options      nth              psd            src-mac-address   
connection-limit      dst-address-list  in-bridge-port    out-bridge-port  random         src-port          
[admin@ButchEvans] interface> /ip firewall nat add

Also, you can do:
/ip firewall nat add ?

That is, type the "?" and you see:

[admin@ButchEvans] interface> /ip firewall nat add                                                                                 
creates new item with specified property values.

chain -- The name of the chain through which packets are traversing
action -- Action to undertake if the packet matches the rule
jump-target -- Name of the target chain, if the action=jump is used
to-addresses -- Address or address range to replace original address of an IP packet with
to-ports -- Port or port range to replace original port of an IP packet with
same-not-by-dst -- Specifies whether to account or not to account for destination IP address when selecting a new source IP address for packets matched by rules with action=same

I snipped the output for brevity's sake. But you get the idea. A couple other "tips" for CLI:
* <tab> at any point will complete the command, if it is unique. If not unique, then it will complete is as far as it is unique
* up and down arrows will recall commands even from the last session - THIS one is a really nice feature

FWIW, this is some of the stuff that I cover at my training classes. I have another one coming up soon...

SurferTim · Wed Jan 09, 2008 2:33 am

Thank you very much! That is what I was missing. I knew about the "?" for help, but was unaware of the double tab. I will give it a try.

yudigadget · Mon Jan 14, 2008 8:45 am

Why doesn't work with forward?? as normis said, his advice is use forward, then set the dst-address
I just curious..

thanks..

I tried below, both working very well:
ip firewall filter
0 chain=input src-address=202.146.255.4 protocol=tcp action=drop
or
0 chain=output dst-address=202.146.255.4 protocol=tcp action=drop

so it will return:
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.centrin.net.id/index.shtml

The following error was encountered:

* Connection Failed

The system returned:

(110) Connection timed out

The remote host or network may be down. Please try the request again.

Your cache administrator is yudi.
Generated Mon, 14 Jan 2008 06:42:18 GMT by proxy (squid/2.5.STABLE11)

butche · Mon Jan 14, 2008 9:57 am

Why doesn't work with forward?? as normis said, his advice is use forward, then set the dst-address
I just curious..

Because you are natting (redirect to local proxy service) and that happens before forward. Once that has happened, the forward chain will no longer effect the packet, since it is a packet that originates from the router itself. This would be the output chain of filter. If you apply the rule I suggested above, then the packet is not redirected, and the forward rule will work.

I tried below, both working very well:
ip firewall filter
0 chain=input src-address=202.146.255.4 protocol=tcp action=drop
or
0 chain=output dst-address=202.146.255.4 protocol=tcp action=drop

This works because you are stopping the traffic AFTER the proxy service, which is input (for replies) and output (for the request). If you apply my suggested rule above, you would use the FORWARD chain to stop it. If you don't use my rule above, then you will need to use either INPUT or OUTPUT or both, as you have done above in your working example.

yudigadget · Mon Jan 14, 2008 12:08 pm

yes, you're correct

thanks alot.. now i understand some about firewallling, i'm gonna test the other

Chupaka · Tue Jan 15, 2008 2:11 am

to forbid access to certain proxied websites, use proxy rules, and do not deal with IPs =)

butche · Tue Jan 15, 2008 3:48 am

to forbid access to certain proxied websites, use proxy rules, and do not deal with IPs =)

Certainly. It is my understanding, however, that he wants to redirect traffic from one IP to another IP. This can certainly be done via the proxy rules, but that is not what was asked. Perhaps you can post an example for him?

Problem with firewall filter to dst-address?

Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?

Re: Problem with firewall filter to dst-address?