
Question about ports

Posted: Wed Jun 11, 2008 8:51 am
by eric.m
Hi all, I must say you do a great job on this forum.

I was hoping that someone can help me with configuring my MikroTik 150 v 2.9.
How can I close all inbound ports except: 53, 80, 443, 25, 110?
Is there any script that I can put into the firewall from the terminal to close all other ports, or something else, just to solve this problem?

Thank you all ppl, eric.

Re: Question about ports

Posted: Wed Jun 11, 2008 10:18 am
by hilton
Remember that there are two firewall chains to consider, 'input' which is anything INTO your router and 'forward' which is anything INTO or OUT of your LAN.

So assuming you want to block ports for traffic destined to your LAN (e.g. a server on the LAN), you need to do something like this:
-------------------
/ ip firewall filter
add chain=forward connection-state=established comment="Accept established connections"
add chain=forward connection-state=related comment="Accept related connections"
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections"
add chain=forward protocol=tcp dst-port=25 action=accept comment="Allow SMTP"

repeat for the other ports, then continue with;

add chain=forward protocol=tcp comment="allow TCP"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow UDP"
add chain=forward action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"
--------------------

This should get you started, it's not perfect but it should work. There's more work to do with regards to ICMP but a little bit of searching will reveal this.

Hope this helps.

But this should get you started.

Re: Question about ports

Posted: Sat Jun 14, 2008 5:42 pm
by eric.m
Can I do it like this?
chain=forward protocol=tcp dst-port="my ports that I want to block from incoming traffic" action=drop
And:
chain=forward protocol=udp dst-port="my ports that I want to block from incoming traffic" action=drop
If this will work well, how can I create a script that I put in the terminal to create a range for blocking ports, like this example:
chain=forward protocol=tcp dst-port=56 action=drop
chain=forward protocol=tcp dst-port=57 action=drop
chain=forward protocol=tcp dst-port=58 action=drop
chain=forward protocol=tcp dst-port=59 action=drop
chain=forward protocol=tcp dst-port=60 action=drop
chain=forward protocol=tcp dst-port=61 action=drop
...
And:
chain=forward protocol=udp dst-port=56 action=drop
chain=forward protocol=udp dst-port=57 action=drop
chain=forward protocol=udp dst-port=58 action=drop
chain=forward protocol=udp dst-port=59 action=drop
chain=forward protocol=udp dst-port=60 action=drop
chain=forward protocol=udp dst-port=61 action=drop
...
Thank you all ppl, Eric.

Re: Question about ports

Posted: Sat Jun 14, 2008 8:39 pm
by netrat
Is the final destination the Mikrotik box or are you port forwarding the ports to another box behind the router?


/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow Related connections" connection-state=related disabled=no
add action=accept chain=input comment="Allow access to smtp" disabled=no dst-port=25 protocol=tcp
add action=accept chain=input comment="Allow access to DNS" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow access to DNS" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="Allow access to http" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input comment="Allow access to pop3" disabled=no dst-port=110 protocol=tcp
add action=accept chain=input comment="Allow access to https" disabled=no dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow access from known network" disabled=no src-address=10.0.0.0/24
add action=drop chain=input comment="Drop everything else" disabled=no

Re: Question about ports

Posted: Sun Jun 15, 2008 7:57 pm
by eric.m
Yes, the final destination is the Mikrotik.
And it does NOT work!
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow Related connections" connection-state=related disabled=no
add action=accept chain=input comment="Allow access to smtp" disabled=no dst-port=25 protocol=tcp
add action=accept chain=input comment="Allow access to DNS" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow access to DNS" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="Allow access to http" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input comment="Allow access to pop3" disabled=no dst-port=110 protocol=tcp
add action=accept chain=input comment="Allow access to https" disabled=no dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow access from known network" disabled=no src-address=10.0.0.0/24
add action=drop chain=input comment="Drop everything else" disabled=no

Re: Question about ports

Posted: Sun Jun 15, 2008 8:09 pm
by hilton
Give us all your firewall rules as I'm not sure what else is happening.

Re: Question about ports

Posted: Mon Jun 16, 2008 1:34 am
by netrat
Yes, the final destination is the Mikrotik.
And it does NOT work!
Why would you be allowing pop3 input traffic to the Mikrotik router? The pop3 traffic isn't forwarded to a server? That should probably be put in the FORWARD chain instead of the INPUT chain.

Re: Question about ports

Posted: Mon Jun 16, 2008 4:40 am
by eric.m
Am but you wrote that to me, to do like that...


@Hilton....

I only have those rules...nothing more...

Thanks ppl, eric.m

Re: Question about ports

Posted: Mon Jun 16, 2008 11:35 am
by hilton
Can I do it like this?
chain=forward protocol=tcp dst-port="my ports that I want to block from incoming traffic" action=drop
And:
chain=forward protocol=udp dst-port="my ports that I want to block from incoming traffic" action=drop
I don't think so. That nice option {!} is really designed for a single port or range, so unless your ports just happen to be sequential, then it won't work. Rather allow what you want and drop everything else, way less work in the long run. Change all your rules to forward chains as I mentioned in the beginning.
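Added example, not part of any post in this thread: a small Python model of first-match filter evaluation, for checking which rule decides a packet in the 'input' and 'forward' chains discussed above. The rule sets are constructed and shortened from the posts; the model assumes every sample packet is the first packet of a new connection, that an unmatched packet is accepted, and that a log rule passes the packet on to the next rule.

```python
import shlex

# Constructed rule sets modelled on the posts above. Connection-state rules are
# left out: each sample packet is treated as the first packet of a connection.
INPUT_ONLY = """
add chain=input protocol=tcp dst-port=25 action=accept comment="Allow SMTP"
add chain=input protocol=tcp dst-port=80 action=accept comment="Allow http"
add chain=input action=drop comment="Drop everything else"
"""
FORWARD_WITH_ALLOW_TCP = """
add chain=forward protocol=tcp dst-port=25 action=accept comment="Allow SMTP"
add chain=forward protocol=tcp comment="allow TCP"
add chain=forward action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"
"""
FORWARD_ALLOW_LIST = """
add chain=forward protocol=tcp dst-port=25 action=accept comment="Allow SMTP"
add chain=forward protocol=tcp dst-port=80 action=accept comment="Allow http"
add chain=forward action=drop comment="Drop everything else"
"""

def parse(text):
    """Turn 'add key=value ...' lines into dicts; a missing action means accept."""
    rules = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        fields.setdefault("action", "accept")
        rules.append(fields)
    return rules

def verdict(rules, chain, protocol, dst_port):
    """Return (action, comment) of the first accept/drop rule that matches."""
    for r in rules:
        if r["chain"] != chain:
            continue  # rules in another chain never see this packet
        if "protocol" in r and r["protocol"] != protocol:
            continue
        if "dst-port" in r and int(r["dst-port"]) != dst_port:
            continue
        if r["action"] in ("accept", "drop"):
            return r["action"], r.get("comment", "")
        # action=log: record and fall through to the next rule
    return "accept", "no rule matched (default)"

if __name__ == "__main__":
    for name in ("INPUT_ONLY", "FORWARD_WITH_ALLOW_TCP", "FORWARD_ALLOW_LIST"):
        rules = parse(globals()[name])
        print(name, "forward tcp/23 ->", verdict(rules, "forward", "tcp", 23))
```

With input-only rules a forwarded packet to TCP port 23 is never examined, and a broad protocol-wide accept placed before the final drop decides the packet before the drop is reached.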

Re: Question about ports

Posted: Mon Jun 16, 2008 5:42 pm
by netrat
If you are forwarding these ports from an external to internal IP address you'll have to add destination NAT rules.

Re: Question about ports

Posted: Mon Jun 16, 2008 7:21 pm
by msorensen
One other thought is that if you are bridging, you must enable the firewall rules on the bridge, before they will apply to the bridge.

From WinBox/Bridge, Bridge Tab, Settings button, check "use IP firewall"

I know that this issue applies for forwarded packets.... I do not know if the "input" rules apply with or without this feature enabled.

It took me a while to discover this change from v2 to v3 !!!!

I kept wondering why firewall rules and queues were not being applied to bridged traffic.... this was why... by default, "use IP firewall" is not enabled.

Re: Question about ports

Posted: Mon Jun 16, 2008 8:45 pm
by hilton
One other thought is that if you are bridging, you must enable the firewall rules on the bridge, before they will apply to the bridge.

I know that this issue applies for forwarded packets.... I do not know if the "input" rules apply with or without this feature enabled.
This is surely only for rules that specifically reference the bridge interface? I have several NAT forward rules that work but I don't have the bridge firewall setting enabled.

I also have this rule working;

;;; From our LAN
chain=input action=accept in-interface=bridge

and again, the ip firewall bridge setting is not enabled.

Strange.

Re: Question about ports

Posted: Mon Jun 16, 2008 10:49 pm
by msorensen
This was a change with version 3.0 vs earlier versions....

as I recall..... on an AP that I converted from v2.9.51 to v3.something where (in this case) the Ethernet was bridged to the wireless interface....

... suddenly the queues no longer applied (or at the least the traffic counters did not advance) and forward firewall rules were not being applied.

........after extensive beating of head against my desk, and searching this forum, that was the answer that I found.

Checked the box, and both issues were corrected.....

I've read the docs which try to cover this question a couple of times...
http://www.mikrotik.com/testdocs/ros/3.0/qos/flow.php

I can read the words, but can not quite understand what they're saying about the subject....

The v3 docs do not yet even cover the bridge configuration attributes.

Perhaps a future version of the docs will better define the situation.