RonJohn63
newbie
Topic Author
Posts: 39
Joined: Mon Oct 31, 2016 10:04 pm

FW rule to block port 22, but still can ssh in

Tue Nov 01, 2016 6:32 pm

Hi,

I can still remotely ssh in, even though I've got this set of rules:
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3 XI  ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=no log-prefix="" 

 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 6    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 7 XI  ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix="" 

 8    ;;; block remote ssh
      chain=forward action=drop connection-state=new protocol=tcp in-interface=ether1 out-interface=ether2-master dst-port=22 log=yes 
What have I done wrong?
 
AndreaTIK
just joined
Posts: 14
Joined: Thu Dec 03, 2015 6:47 pm

Re: FW rule to block port 22, but still can ssh in

Tue Nov 01, 2016 7:02 pm

Flags XI mean "Disabled" and "Invalid".
Maybe you need to check the interface names...
 
RonJohn63
newbie
Topic Author
Posts: 39
Joined: Mon Oct 31, 2016 10:04 pm

Re: FW rule to block port 22, but still can ssh in

Tue Nov 01, 2016 7:22 pm

AndreaTIK wrote:
Flags XI mean "Disabled" and "Invalid".
Maybe you need to check the interface names...
The WAN cable is definitely plugged into ether1, and the LAN cable is definitely in ether2-master.
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1                              ether            1500  1598       4074 6C:3B:6B:2F:7F:5B
 1  R  ether2-master                       ether            1500  1598       4074 6C:3B:6B:2F:7F:5C
 2   S ether3                              ether            1500  1598       4074 6C:3B:6B:2F:7F:5D
 3   S ether4                              ether            1500  1598       4074 6C:3B:6B:2F:7F:5E
 4   S ether5                              ether            1500  1598       4074 6C:3B:6B:2F:7F:5F
 
AndreaTIK
just joined
Posts: 14
Joined: Thu Dec 03, 2015 6:47 pm

Re: FW rule to block port 22, but still can ssh in

Tue Nov 01, 2016 7:40 pm

OK, I was in a hurry and did not read your post properly.

Rule 3 should block all traffic incoming from WAN, but it is disabled. So it does not block.
Rule 8 blocks all TCP traffic on port 22 that comes in from ether1 and goes to ether2-master, and it is enabled.

To block all incoming ssh traffic coming from ether1 I would put
/ip firewall filter
add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=22 comment="drop ssh" disabled=no
 
RonJohn63
newbie
Topic Author
Posts: 39
Joined: Mon Oct 31, 2016 10:04 pm

Re: FW rule to block port 22, but still can ssh in

Tue Nov 01, 2016 7:59 pm

AndreaTIK wrote:
OK, I was in a hurry and did not read your post properly.

Rule 3 should block all traffic incoming from WAN, but it is disabled. So it does not block.
When first installing, the router didn't pick up an address from the ISP, and I thought that rule 3 was the culprit. Apparently not. Thus, I've enabled rule 3 and temporarily disabled the specific port blocks.
 
craigroser
just joined
Posts: 14
Joined: Thu Jan 21, 2016 6:47 am

Re: FW rule to block port 22, but still can ssh in

Mon Nov 07, 2016 7:59 am

As per AndreaTIK's config line.

Your issue is here: chain=forward vs chain=input.

input chain = stuff coming in to the router itself
forward chain = stuff going through the router to something else

You're blocking port 22 through the router but not blocking 22 to the router itself.

Or you could disable the ssh service on the router, but I probably wouldn't do that. (/ip service set ssh disabled=yes)
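To make the input-versus-forward distinction concrete, here is a small Python model of how a RouterOS filter chain is chosen and walked. It is an added illustration for this thread, not MikroTik code: the router's own addresses (203.0.113.10 on ether1, 192.168.88.1 on ether2-master), the LAN host 192.168.88.10 and the internet source 198.51.100.7 are assumptions, the rule set mirrors the one in the first post (rules 3 and 7 disabled, rule 8 enabled), and AndreaTIK's input-chain rule is included so the outcomes can be compared side by side.

```python
"""Toy model of how RouterOS chooses a firewall chain and walks its rules.
Added illustration for this thread, not MikroTik code.  Addresses below
are assumptions; the rule set mirrors the one posted at the top."""
from dataclasses import dataclass, replace
from typing import Optional

# Assumed: the router's own WAN and LAN addresses, and one LAN host.
ROUTER_ADDRS = {"203.0.113.10", "192.168.88.1"}
LAN_HOST = "192.168.88.10"


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int = 0
    conn_state: str = "new"          # new / established / related / invalid
    nat_state: str = ""              # "dstnat" once a dst-nat rule has matched
    out_iface: Optional[str] = None  # only meaningful for routed traffic


@dataclass
class Rule:
    chain: str
    action: str                      # accept/drop terminate; others fall through
    comment: str = ""
    disabled: bool = False
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    conn_state: Optional[frozenset] = None
    nat_state_not: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set must agree; unset matchers constrain nothing."""
        return (
            (self.in_iface is None or pkt.in_iface == self.in_iface)
            and (self.out_iface is None or pkt.out_iface == self.out_iface)
            and (self.proto is None or pkt.proto == self.proto)
            and (self.dport is None or pkt.dport == self.dport)
            and (self.conn_state is None or pkt.conn_state in self.conn_state)
            and (self.nat_state_not is None or pkt.nat_state != self.nat_state_not)
        )


def select_chain(pkt: Packet) -> str:
    """Packets addressed to the router itself take the input chain; packets
    routed through it take forward.  A forward rule never sees SSH to the router."""
    return "input" if pkt.dst in ROUTER_ADDRS else "forward"


def evaluate(rules, pkt: Packet):
    """Walk the chain top to bottom: skip disabled rules and other chains, stop at
    the first matching accept or drop, else fall off the end (RouterOS: accept)."""
    chain = select_chain(pkt)
    for r in rules:
        if r.disabled or r.chain != chain:
            continue
        if r.action in ("accept", "drop") and r.matches(pkt):
            return r.action, r.comment
    return "accept", f"end of {chain} chain (implicit accept)"


ER = frozenset({"established", "related"})
NEW = frozenset({"new"})

# The filter as first posted: rules 3 and 7 disabled, rule 8 enabled.
POSTED_RULES = [
    Rule("input", "accept", "defconf: accept ICMP", proto="icmp"),
    Rule("input", "accept", "defconf: accept established,related", conn_state=ER),
    Rule("input", "drop", "defconf: drop all from WAN", disabled=True, in_iface="ether1"),
    Rule("forward", "fasttrack-connection", "defconf: fasttrack", conn_state=ER),
    Rule("forward", "accept", "defconf: accept established,related", conn_state=ER),
    Rule("forward", "drop", "defconf: drop invalid", conn_state=frozenset({"invalid"})),
    Rule("forward", "drop", "defconf: drop all from WAN not DSTNATed", disabled=True,
         in_iface="ether1", conn_state=NEW, nat_state_not="dstnat"),
    Rule("forward", "drop", "block remote ssh", in_iface="ether1",
         out_iface="ether2-master", proto="tcp", dport=22, conn_state=NEW),
]

# AndreaTIK's fix: the same port 22 drop, but in the input chain.
DROP_SSH_INPUT = Rule("input", "drop", "drop ssh", in_iface="ether1", proto="tcp", dport=22)


def with_rule3_enabled(rules):
    """Re-enable 'defconf: drop all from WAN', as the poster later did."""
    return [replace(r, disabled=False) if r.comment == "defconf: drop all from WAN" else r
            for r in rules]


# Constructed sample traffic: a new SSH SYN from an internet host (assumed address).
SSH_TO_ROUTER = Packet("ether1", "198.51.100.7", "203.0.113.10", "tcp", 22)
SSH_TO_LAN_HOST = Packet("ether1", "198.51.100.7", LAN_HOST, "tcp", 22, out_iface="ether2-master")

if __name__ == "__main__":
    for label, rules in [("as posted", POSTED_RULES),
                         ("rule 3 enabled", with_rule3_enabled(POSTED_RULES)),
                         ("input-chain drop ssh", [DROP_SSH_INPUT] + POSTED_RULES)]:
        print(f"{label:22} ssh->router   {evaluate(rules, SSH_TO_ROUTER)}")
        print(f"{'':22} ssh->LAN host {evaluate(rules, SSH_TO_LAN_HOST)}")
```

Running it reproduces the symptom from the first post: a new SSH connection from ether1 to the router's own address is evaluated in the input chain, where the only rule that could drop it (rule 3) is disabled, so it falls off the end of the chain and is accepted. The same SYN aimed at a LAN host takes the forward chain and is dropped by rule 8. Re-enabling rule 3, or adding the input-chain port 22 drop, closes the gap, while ICMP and established replies to the router still pass through the earlier accept rules.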
 
scampbell
Trainer
Posts: 487
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: FW rule to block port 22, but still can ssh in

Mon Nov 07, 2016 9:49 am

I would enable rules 3 and 8. These will block all internet access to your router and protect your LAN.

Do check that e1 is your wan interface as it may not be if you run pppoe or a vlan to get to the internet.

 
RonJohn63
newbie
Topic Author
Posts: 39
Joined: Mon Oct 31, 2016 10:04 pm

Re: FW rule to block port 22, but still can ssh in

Mon Nov 07, 2016 9:52 am

Here's my current filter set:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="IP address of public bandwidth tester" protocol=udp src-address=207.32.195.2
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1 log-prefix="WANDrop " tcp-flags=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=not_DSTNATed
 
scampbell
Trainer
Posts: 487
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: FW rule to block port 22, but still can ssh in

Tue Nov 08, 2016 10:56 am

Your default input drop rule has a setting of tcp-flags=""

This is probably the problem. Remove any reference to tcp-flags and it should then catch anything not specifically allowed before that.

 
RonJohn63
newbie
Topic Author
Posts: 39
Joined: Mon Oct 31, 2016 10:04 pm

Re: FW rule to block port 22, but still can ssh in

Tue Nov 08, 2016 4:35 pm

scampbell wrote:
Your default input drop rule has a setting of tcp-flags=""

This is probably the problem. Remove any reference to tcp-flags and it should then catch anything not specifically allowed before that.
The current rule set works.
 
scampbell
Trainer
Posts: 487
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: FW rule to block port 22, but still can ssh in

Wed Nov 09, 2016 12:19 am

RonJohn63 wrote:
The current rule set works.
You are correct, it works, but I would still recommend removing that section of the rule as it is not required.
(screenshot attached: WithTcpFlag.PNG)
It is common, when rules have been edited in Winbox and options opened but not actually filled in, for entries like that to get left behind as orphans.

In this case nothing is active, but I have seen connection-state rules left open with nothing ticked, so the rule looks for connections that are neither invalid, established, related nor new and never catches traffic. Best practice is to remove such entries.
:D
 
RonJohn63
newbie
Topic Author
Posts: 39
Joined: Mon Oct 31, 2016 10:04 pm

Re: FW rule to block port 22, but still can ssh in

Wed Nov 09, 2016 1:05 am

scampbell wrote:
RonJohn63 wrote:
The current rule set works.
You are correct, it works, but I would still recommend removing that section of the rule as it is not required.

<snip>

It is common, when rules have been edited in Winbox and options opened but not actually filled in, for entries like that to get left behind as orphans.

In this case nothing is active, but I have seen connection-state rules left open with nothing ticked, so the rule looks for connections that are neither invalid, established, related nor new and never catches traffic. Best practice is to remove such entries.

:D
Ok. I don't recall fiddling with that rule except to disable and then enable it. Thus, I presume that it's how the people at Mikrotik defined the default rule.
