Firewall on CRS125 when used as router

Posted: Thu Dec 15, 2016 3:27 am
by cwildermuth
Hello,

I have a CRS125 that I have removed the individual ports from the switch and I'm using them as individual interfaces. I have an uplink interface, and I'm using a half dozen other interfaces as the gateway for smaller subnets. Everything in use is publicly addressable IPs: no internal IPs or NAT.

I have created a firewall rule which detects hosts which are connecting to ports on interfaces that they shouldn't and puts them into a blacklist which tarpits the traffic for 14 days. For instance, if someone tries to connect to my router's IP Address on port 5060, I put them in the blacklist and their traffic is tarpitted for 14 days.

This part is working....

HOWEVER, the firewall isn't blocking the traffic to ANY of the other interfaces or IP addresses. I need to block this traffic from passing through the router, not just blocking it to my router.

What am I doing incorrectly, which would allow me to use the firewall to block the traffic to all of the public subnets on the other interfaces with public subnets and IP Addresses?

Re: Firewall on CRS125 when used as router

Posted: Thu Dec 15, 2016 10:21 am
by kamillo
Without looking at your firewall rules it is hard to tell what is wrong. Did you use "forward" chain to block traffic from one interface to another?

Re: Firewall on CRS125 when used as router

Posted: Fri Dec 16, 2016 5:57 pm
by cwildermuth
No.... I'm relatively new at this, so I am probably doing something incorrectly. I tried to base my rule off of other rules that I found.

I'll have to research the "forward" option.... however, it sounds like I may need to use multiple rules somehow?? One to add things to the blacklist and then another that uses the forward option to keep the traffic from passing between interfaces?

Here are the two relevant rules that I have currently:

add action=add-src-to-address-list address-list=black_list \
address-list-timeout=2w chain=input comment=\
"add crap to blacklist" dst-address=XX.XXX.129.1 \
dst-port=5060 protocol=udp

add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 protocol=tcp src-address-list=black_list

Re: Firewall on CRS125 when used as router

Posted: Mon Dec 19, 2016 10:59 am
by kamillo
To block traffic to your device you use chain "INPUT"; to block traffic passing through the device you need to use chain "FORWARD".

Here is a RouterOS wiki page about the firewall: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter and here you will find some examples: http://wiki.mikrotik.com/wiki/Firewall

Re: Firewall on CRS125 when used as router

Posted: Wed Dec 21, 2016 1:48 am
by cwildermuth
Ok thanks... Here's what I have working (I've left out other rules that I'm using for simplicity).

This one is at the top:
add action=drop chain=forward comment="Drop everything from the black list" src-address-list=black_list
add action=drop chain=input src-address-list=black_list

Then I have this to catch junk that I don't want:
add action=add-src-to-address-list address-list=black_list address-list-timeout=3w chain=input comment="Honeypot to fake IP and add to blacklist" dst-address=X.X.X.1 dst-port=\
22,23,25,69,139,445,1433,2323,4004,5060,5900,6789,7547,21320,23231 protocol=udp
add action=add-src-to-address-list address-list=black_list address-list-timeout=3w chain=input dst-address=X.X.X.1 dst-port=\
22,23,25,69,139,445,1433,2323,4004,5060,5900,6789,7547,21320,23231 protocol=tcp
add action=add-src-to-address-list address-list=black_list address-list-timeout=3w chain=forward dst-address-list=honeypot_ips dst-port=\
22,23,25,69,139,445,1433,2323,4004,5060,5900,6789,7547,21320,23231 protocol=udp
add action=add-src-to-address-list address-list=black_list address-list-timeout=3w chain=forward dst-address-list=honeypot_ips dst-port=\
22,23,25,69,139,445,1433,2323,4004,5060,5900,6789,7547,21320,23231 protocol=tcp

I have a bunch of IPs in the "honeypot_ips" list which these rules use.

So far it's blocking about 80 IPs a minute....
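An added illustration of kamillo's input/forward point and of the final rule set above (example code, not from the thread or from RouterOS): a small Python model of filter evaluation that replays one scanner against the first post's input-only rules and against the final rules, showing why only the latter stops transit traffic. The addresses, the port subset and the probe sequence are constructed placeholders; tarpit is modelled as drop, and the final post's separate udp and tcp copies are collapsed into protocol-agnostic rules.

```python
from collections import namedtuple

ROUTER_IPS = {"192.0.2.1"}            # constructed: the router's own address
HONEYPOT_IPS = {"192.0.2.10"}         # constructed: unused addresses in a routed subnet
TRAP_PORTS = {22, 23, 25, 445, 5060}  # a subset of the ports listed in the thread
Packet = namedtuple("Packet", "src dst dport proto")
# Rule fields mirror the thread's options: chain, action, dst-address(-list),
# dst-port, protocol ("" = any) and src-address-list=black_list (bool).
Rule = namedtuple("Rule", "chain action dst_addrs dst_ports proto src_blacklisted",
                  defaults=(frozenset(), frozenset(), "", False))

def chain_for(pkt):
    # Packets addressed to the router itself go through 'input'; routed packets through 'forward'.
    return "input" if pkt.dst in ROUTER_IPS else "forward"

def matches(r, pkt, black_list):
    return (r.chain == chain_for(pkt)
            and (not r.proto or r.proto == pkt.proto)
            and (not r.dst_addrs or pkt.dst in r.dst_addrs)
            and (not r.dst_ports or pkt.dport in r.dst_ports)
            and (not r.src_blacklisted or pkt.src in black_list))

def run(rules, pkts):
    black_list, verdicts = set(), []
    for pkt in pkts:
        verdict = "accept"                      # default policy is accept
        for r in (r for r in rules if matches(r, pkt, black_list)):
            if r.action == "add-src-to-address-list":
                black_list.add(pkt.src)         # passthrough: evaluation continues
                continue
            verdict = r.action                  # drop terminates evaluation
            break
        verdicts.append(verdict)
    return verdicts, black_list

# First post: both rules in chain=input, so routed traffic is never inspected.
ORIGINAL = [Rule("input", "add-src-to-address-list", ROUTER_IPS, {5060}, "udp"),
            Rule("input", "drop", proto="tcp", src_blacklisted=True)]  # tarpit modelled as drop
# Final post (udp and tcp copies collapsed): drop and honeypot rules in both chains.
WORKING = [Rule("forward", "drop", src_blacklisted=True),
           Rule("input", "drop", src_blacklisted=True),
           Rule("input", "add-src-to-address-list", ROUTER_IPS, TRAP_PORTS),
           Rule("forward", "add-src-to-address-list", HONEYPOT_IPS, TRAP_PORTS)]
# Constructed probe: SIP at the router, SSH to a honeypot address, HTTP to a real host.
PROBE = [Packet("203.0.113.7", "192.0.2.1", 5060, "udp"),
         Packet("203.0.113.7", "192.0.2.10", 22, "tcp"),
         Packet("203.0.113.7", "192.0.2.20", 80, "tcp")]
```

With ORIGINAL the scanner lands in black_list after the first packet but both routed packets are still accepted; with WORKING the same probe is dropped in chain forward from the second packet on.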