
block an ip to go in internet

Posted: Mon May 16, 2016 2:52 pm
by aresmt
Hi,

Would you please help me with some info?

I have an RB2011UiAS-2HnD-IN.

These subnets are configured on it:

192.168.10.0/24
192.168.12.0/24
192.168.16.0/24

3 separate DHCP servers, one for each.

I just want to prevent specific IPs from going on the internet but at the same time have them reachable from the internet via a port forward.

For example:

IP 192.168.10.100 should ONLY be blocked from going on the internet, not from reaching the other subnets.


Thanks in advance,
N

Re: block an ip to go in internet

Posted: Mon May 16, 2016 2:59 pm
by mrz
Set up rules in the IP firewall's forward chain to block or accept whatever addresses you need.

Re: block an ip to go in internet

Posted: Mon May 16, 2016 3:15 pm
by aresmt
Set up rules in the IP firewall's forward chain to block or accept whatever addresses you need.

I know that I need to set up a firewall rule, but I don't know how to block that IP from going on the internet while at the same time keeping it accessible from the internet via a port forward, on port 80 for example.

Thanks,
N

Re: block an ip to go in internet

Posted: Mon May 16, 2016 3:16 pm
by dgnevans
You will need to add rules allowing communication between the 3 subnets, then directly below them create a forward rule that drops traffic with a source of the server 192.168.10.100 and a destination of 0.0.0.0/0. This will drop the traffic from that server to anything that has not matched the rules above.
# 192.168.8.0/21 only spans 192.168.8.0-192.168.15.255, so list the three subnets explicitly
/ip firewall address-list add list=lan address=192.168.10.0/24
/ip firewall address-list add list=lan address=192.168.12.0/24
/ip firewall address-list add list=lan address=192.168.16.0/24
/ip firewall filter add chain=forward src-address-list=lan dst-address-list=lan action=accept
/ip firewall filter add chain=forward src-address=192.168.10.100 dst-address=0.0.0.0/0 action=drop

Re: block an ip to go in internet

Posted: Mon May 16, 2016 3:21 pm
by dgnevans
/ip firewall filter add chain=forward src-address=192.168.10.100 protocol=tcp src-port=80 action=accept
/ip firewall filter add chain=forward dst-address=192.168.10.100 protocol=tcp dst-port=80 action=accept
Place these rules above the drop rule.

Re: block an ip to go in internet

Posted: Mon May 16, 2016 7:06 pm
by ZeroByte
Set up rules in the IP firewall's forward chain to block or accept whatever addresses you need.

I know that I need to set up a firewall rule, but I don't know how to block that IP from going on the internet while at the same time keeping it accessible from the internet via a port forward, on port 80 for example.

Thanks,
N
Use connection state, src-address, and out-interface as your keys:
/ip firewall filter add chain=forward action=drop src-address=192.168.10.100 out-interface=wan

As long as this rule comes after "accept connection-state=established,related", you'll be fine, because an incoming connection from the WAN will cause the replies from this host to be in the "established" state in the router's connection tracking, so these replies will never reach this new rule.

New connections from the host to the Internet, however, will NOT match the established,related rule, so the packet will continue down the chain until it reaches this rule, where it will be dropped. Since it's your own server, you may want things to fail quickly instead of waiting for a timeout, so you should probably use one of the reject actions instead of a drop.

Furthermore, you would probably be better off matching the src-mac-address of the host instead of its IP address; that way, if the host's address changes, it won't magically get allowed onto the Internet.
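The complete RouterOS configuration that the two answers above describe (dgnevans' inter-subnet accept and per-host drop, and ZeroByte's connection-state, out-interface, reject and src-mac refinements), written out as an added example; it is not code from the thread or from MikroTik. Assumptions not stated in the thread: the WAN port is named ether1-gateway, the router already masquerades LAN traffic out of it, the three LANs are the ones in the question, the restricted host is 192.168.10.100 with the hypothetical MAC address 00:0C:29:AA:BB:CC, and the forward chain is otherwise empty so that `add` appends rules in the intended order.

```routeros
# Added example, not from the thread. Assumed names: WAN port ether1-gateway,
# restricted host 192.168.10.100 with hypothetical MAC 00:0C:29:AA:BB:CC.

# Group the three LANs so one rule can match LAN-to-LAN traffic. Note that a
# single 192.168.8.0/21 would NOT include 192.168.16.0/24.
/ip firewall address-list
add list=lan address=192.168.10.0/24
add list=lan address=192.168.12.0/24
add list=lan address=192.168.16.0/24

# Port forward: TCP/80 arriving on the WAN address goes to the restricted host.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.10.100 to-ports=80 \
    comment="forward web to .100"

/ip firewall filter
# 1. Replies of tracked connections, including the replies of the forwarded
#    web connections, are accepted here and never reach the block rule below.
add chain=forward connection-state=established,related action=accept \
    comment="tracked connections"
add chain=forward connection-state=invalid action=drop

# 2. The forwarded service must be allowed as a NEW connection towards the
#    host. dst-nat has already rewritten the destination by the time the
#    packet reaches the forward chain, so match the internal address.
add chain=forward connection-state=new in-interface=ether1-gateway \
    dst-address=192.168.10.100 protocol=tcp dst-port=80 action=accept \
    comment="new web connections from the Internet to .100"

# 3. Traffic between the three subnets stays allowed.
add chain=forward src-address-list=lan dst-address-list=lan action=accept \
    comment="LAN to LAN"

# 4. The host may not open connections to the Internet. Match the MAC rather
#    than the IP so a changed DHCP lease does not lift the restriction, and
#    reject instead of drop so the host's outbound attempts fail immediately
#    rather than timing out.
add chain=forward src-mac-address=00:0C:29:AA:BB:CC out-interface=ether1-gateway \
    action=reject reject-with=icmp-network-unreachable \
    comment="no Internet for .100"

# 5. Everything else from the LANs is forwarded as before; unsolicited
#    traffic from the WAN is dropped.
add chain=forward in-interface=!ether1-gateway action=accept comment="LAN out"
add chain=forward action=drop comment="default deny"
```

If the router already has forward rules (the default configuration ships an established,related accept), add the reject rule with `place-before=` so that it lands after that rule, then confirm the order and watch the counters with `/ip firewall filter print stats where chain=forward`. From 192.168.10.100, a `ping 8.8.8.8` should now fail at once with a network-unreachable reply while a connection to the WAN address on port 80 from outside still reaches the host, and its replies show up as hits on the established,related rule, not on the reject rule. The MAC match only works because the host sits on a LAN segment attached directly to the router; traffic arriving through another router would carry that router's MAC instead.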