FW rule to block port 22, but still can ssh in
Posted: Tue Nov 01, 2016 6:32 pm
by RonJohn63
Hi,
I can still remotely ssh in, even though I've got this set of rules:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no log-prefix=""
3 XI ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""
4 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
5 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
6 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
7 XI ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
8 ;;; block remote ssh
chain=forward action=drop connection-state=new protocol=tcp in-interface=ether1 out-interface=ether2-master dst-port=22 log=yes
What have I done wrong?
Re: FW rule to block port 22, but still can ssh in
Posted: Tue Nov 01, 2016 7:02 pm
by AndreaTIK
Flags XI mean "Disabled" and "Invalid".
Maybe you need to check the interface names...
Re: FW rule to block port 22, but still can ssh in
Posted: Tue Nov 01, 2016 7:22 pm
by RonJohn63
Flags XI mean "Disabled" and "Invalid".
Maybe you need to check the interface names...
The WAN cable is definitely plugged into ether1, and the LAN cable is definitely in ether2-master.
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1 ether 1500 1598 4074 6C:3B:6B:2F:7F:5B
1 R ether2-master ether 1500 1598 4074 6C:3B:6B:2F:7F:5C
2 S ether3 ether 1500 1598 4074 6C:3B:6B:2F:7F:5D
3 S ether4 ether 1500 1598 4074 6C:3B:6B:2F:7F:5E
4 S ether5 ether 1500 1598 4074 6C:3B:6B:2F:7F:5F
Re: FW rule to block port 22, but still can ssh in
Posted: Tue Nov 01, 2016 7:40 pm
by AndreaTIK
OK, I was in a hurry and did not read your post properly.
Rule 3 should block all traffic incoming from the WAN, but it is disabled, so it does not block.
Rule 8 blocks all TCP traffic on port 22 that comes in from ether1 and goes to ether2-master, and it is enabled.
To block all incoming ssh traffic coming from ether1 I would put
/ip firewall filter
add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=22 comment="drop ssh" disabled=no
Re: FW rule to block port 22, but still can ssh in
Posted: Tue Nov 01, 2016 7:59 pm
by RonJohn63
OK, I was in a hurry and did not read your post properly.
Rule 3 should block all traffic incoming from the WAN, but it is disabled, so it does not block.
When first installing, the router didn't pick up an address from the ISP, and I thought that rule 3 was the culprit. Apparently not. Thus, I've enabled rule 3 and temporarily disabled the specific port blocks.
Re: FW rule to block port 22, but still can ssh in
Posted: Mon Nov 07, 2016 7:59 am
by craigroser
As per AndreaTIK's config line.
Your issue is here: chain=forward vs chain=input.
input chain = stuff coming in to the router itself
forward chain = stuff going through the router to something else
You're blocking port 22 through the router but not blocking 22 to the router itself.
Or you could disable the ssh service on the router, but I probably wouldn't do that. (/ip service set ssh disabled=yes)
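The input-vs-forward distinction above, as an added example that is not part of the thread: a toy model of RouterOS chain selection and first-match evaluation, run over rules 3 and 8 from the original post and over AndreaTIK's input-chain fix. The router and LAN addresses are constructed placeholders.

```python
# Added example (not from the thread): toy model of RouterOS filter-chain
# selection, showing why a forward-chain rule cannot stop SSH to the router.
ROUTER_ADDRS = {"203.0.113.10", "192.168.88.1"}  # constructed WAN/LAN addresses

def chain_for(pkt):
    """Packets addressed to the router itself go to 'input';
    packets routed through it to another host go to 'forward'."""
    return "input" if pkt["dst"] in ROUTER_ADDRS else "forward"

def matches(rule, pkt):
    """A rule matches when every matcher it specifies equals the packet field."""
    for key in ("in-interface", "out-interface", "protocol", "dst-port",
                "connection-state"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return True

def verdict(rules, pkt):
    """Walk the rules of the packet's chain in order; the first match decides.
    An unmatched packet falls through to RouterOS's default action, accept."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.get("disabled") or rule["chain"] != chain:
            continue
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

# Rules 3 and 8 from the original post, reduced to the matchers that matter.
ORIGINAL = [
    {"chain": "input", "action": "drop", "in-interface": "ether1", "disabled": True},
    {"chain": "forward", "action": "drop", "connection-state": "new",
     "protocol": "tcp", "in-interface": "ether1",
     "out-interface": "ether2-master", "dst-port": 22},
]
# AndreaTIK's fix: an enabled input-chain drop for SSH arriving on ether1.
FIXED = ORIGINAL + [
    {"chain": "input", "action": "drop", "in-interface": "ether1",
     "protocol": "tcp", "dst-port": 22},
]

# Constructed packets: a new SSH connection to the router, and one to a LAN host.
SSH_TO_ROUTER = {"dst": "203.0.113.10", "in-interface": "ether1", "protocol": "tcp",
                 "dst-port": 22, "connection-state": "new"}
SSH_TO_LAN_HOST = {"dst": "192.168.88.20", "in-interface": "ether1",
                   "out-interface": "ether2-master", "protocol": "tcp",
                   "dst-port": 22, "connection-state": "new"}

if __name__ == "__main__":
    print(chain_for(SSH_TO_ROUTER), verdict(ORIGINAL, SSH_TO_ROUTER))    # input accept
    print(chain_for(SSH_TO_LAN_HOST), verdict(ORIGINAL, SSH_TO_LAN_HOST))  # forward drop
    print(verdict(FIXED, SSH_TO_ROUTER))                                  # drop
```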
Re: FW rule to block port 22, but still can ssh in
Posted: Mon Nov 07, 2016 9:49 am
by scampbell
I would enable rules 3 and 8. These will block all internet access to your router and protect your LAN.
Do check that e1 is your wan interface as it may not be if you run pppoe or a vlan to get to the internet.
Re: FW rule to block port 22, but still can ssh in
Posted: Mon Nov 07, 2016 9:52 am
by RonJohn63
Here's my current filter set:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="IP address of public bandwidth tester" protocol=udp src-address=207.32.195.2
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1 log-prefix="WANDrop " tcp-flags=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=not_DSTNATed
Re: FW rule to block port 22, but still can ssh in
Posted: Tue Nov 08, 2016 10:56 am
by scampbell
Your default input drop rule has a setting of tcp-flags=""
This is probably the problem. Remove any reference to tcp-flags and it should then catch anything not specifically allowed before that.
Re: FW rule to block port 22, but still can ssh in
Posted: Tue Nov 08, 2016 4:35 pm
by RonJohn63
Your default input drop rule has a setting of tcp-flags=""
This is probably the problem. Remove any reference to tcp-flags and it should then catch anything not specifically allowed before that.
The current rule set works.
Re: FW rule to block port 22, but still can ssh in
Posted: Wed Nov 09, 2016 12:19 am
by scampbell
The current rule set works.
You are correct it works - but I would still recommend removing that section of the rule as it is not required
(attachment: WithTcpFlag.PNG)
It is common when rules have been checked in Winbox and options opened but not actually filled in for entries like that to get left behind as orphans.
In this case nothing is active, but I have seen connection-state rules left open with nothing ticked, so the rule looks for connections that are neither invalid, established, related nor new and never catches traffic, so best practice is to remove such entries.
Re: FW rule to block port 22, but still can ssh in
Posted: Wed Nov 09, 2016 1:05 am
by RonJohn63
The current rule set works.
You are correct it works - but I would still recommend removing that section of the rule as it is not required
<snip>
It is common when rules have been checked in Winbox and options opened but not actually filled in for entries like that to get left behind as orphans.
In this case nothing is active, but I have seen connection-state rules left open with nothing ticked, so the rule looks for connections that are neither invalid, established, related nor new and never catches traffic, so best practice is to remove such entries.
Ok. I don't recall fiddling with that rule except to disable and then enable it. Thus, I presume that it's how the people at Mikrotik defined the default rule.