GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Firewall Filter Rule before NAT rule

Sat Sep 04, 2010 6:35 pm

Hi,

I have a NAT rule for an SSH server inside the network, but to avoid brute force attacks I have some firewall rules. But it looks like NAT has priority over the firewall. Is it possible to change that? To have the NAT rule and a firewall rule that blocks it (if the IP is in a blacklist).

Thanks.

RB750G OS4.10


-- GrayWolf
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall Filter Rule before NAT rule

Sat Sep 04, 2010 9:57 pm

NAT doesn't have priority over firewalling. Read the wiki manual on packet flow. Destination NAT happens first, then the firewall chains fire like they usually would but they will see the packet with the new destination IP address. Then source NAT changes the source IP address of the packet if warranted.

If you want more specific help post the rules you have and what you are trying to do, and what problem you are experiencing. It is perfectly possible to protect an inside server that you forward traffic to via the router firewall rules.
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 12:31 am

Here's my NAT rule:

chain=dstnat action=dst-nat to-addresses=192.168.88.120 to-ports=22
protocol=tcp in-interface=ether1-gateway dst-port=122


And I'm trying to secure it in a way as it is described here:
http://wiki.mikrotik.com/wiki/Bruteforc ... P_%26_SSH)

Which works fine for MikroTik's SSH, but not for my NAT rule. I've tried changing the chain to forward, but no luck.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 1:03 am

Changing it to the forward chain is correct. However, your NAT rule forwards to port 122 rather than 22. If that is correct you also have to adjust the destination ports in the filter rules accordingly. If it's a typo in the NAT rule, fix it.
 
ditonet
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 1:06 am

According to your NAT rule, change to 'dst-port=122' in the bruteforce prevention rules.

Regards, Grzegorz.
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 1:25 am

I did, here's what my firewall rules look like:

(It's my recent attempt with chain=forward and connection-state=new on everything.)
chain=forward action=drop connection-state=new protocol=tcp src-address-list=ssh_blacklist in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=accept connection-state=new protocol=tcp in-interface=ether1-gateway dst-port=122
 
GrayWolf
just joined
Topic Author
Posts: 8
Joined: Mon Aug 30, 2010 5:51 pm

Re: Firewall Filter Rule before NAT rule

Sun Sep 05, 2010 2:07 am

Ok. I get it.

I wasn't supposed to look for port 122 in my filter rules, but 22: the port TO which NAT was forwarding.

Didn't expect that.

Thanks for the replies.
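The rule set this thread converges on, written out as an added example (it is not GrayWolf's own export): the dst-nat rule from the first post unchanged, and the wiki's brute-force ladder moved to the forward chain and matched on the translated destination (port 22 and the server address 192.168.88.120) instead of the public port 122. Packet flow is raw/prerouting, then dst-nat, then the filter chains, so by the time a forward rule sees the packet its destination is already 192.168.88.120:22. The stage timeouts of 1m are the values from the original post; the 10d blacklist timeout is my assumption (the wiki's value).

```routeros
# Added example, not the original poster's export. Assumes ether1-gateway is the WAN
# interface and 192.168.88.120 is the internal SSH server, as stated in the thread.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp in-interface=ether1-gateway dst-port=122 \
    to-addresses=192.168.88.120 to-ports=22 comment="public 122 -> inside 22"

/ip firewall filter
# Filter rules run after dst-nat, so they must match the translated destination
# (port 22, server address), not the public port 122. Order matters: the drop rule
# must sit above the ladder or blacklisted sources keep re-triggering it.
add chain=forward action=drop protocol=tcp dst-address=192.168.88.120 dst-port=22 \
    connection-state=new in-interface=ether1-gateway src-address-list=ssh_blacklist \
    comment="drop blacklisted sources before they reach the server"
# Escalation ladder. add-src-to-address-list is a passthrough action, so the packet
# continues down the chain after being counted; a source that opens four new
# connections within a minute lands on ssh_blacklist and its fifth attempt is dropped.
add chain=forward action=add-src-to-address-list protocol=tcp dst-address=192.168.88.120 \
    dst-port=22 connection-state=new in-interface=ether1-gateway src-address-list=ssh_stage3 \
    address-list=ssh_blacklist address-list-timeout=10d
add chain=forward action=add-src-to-address-list protocol=tcp dst-address=192.168.88.120 \
    dst-port=22 connection-state=new in-interface=ether1-gateway src-address-list=ssh_stage2 \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=forward action=add-src-to-address-list protocol=tcp dst-address=192.168.88.120 \
    dst-port=22 connection-state=new in-interface=ether1-gateway src-address-list=ssh_stage1 \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=forward action=add-src-to-address-list protocol=tcp dst-address=192.168.88.120 \
    dst-port=22 connection-state=new in-interface=ether1-gateway \
    address-list=ssh_stage1 address-list-timeout=1m
add chain=forward action=accept protocol=tcp dst-address=192.168.88.120 dst-port=22 \
    connection-state=new in-interface=ether1-gateway comment="allow forwarded SSH"
```

To confirm the rules are actually being hit, watch the counters with `/ip firewall filter print stats` while opening a few connections to the public port, and check the dynamic entries with `/ip firewall address-list print`. Matching on dst-address as well as dst-port keeps the ladder from counting connections to any other host that happens to be reachable on port 22 through the router.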
 
Milos
just joined
Posts: 16
Joined: Tue May 19, 2009 10:25 pm

Re: Firewall Filter Rule before NAT rule

Fri Apr 15, 2016 4:27 pm

> NAT doesn't have priority over firewalling. Read the wiki manual on packet flow. Destination NAT happens first, then the firewall chains fire like they usually would but they will see the packet with the new destination IP address. Then source NAT changes the source IP address of the packet if warranted.
>
> If you want more specific help post the rules you have and what you are trying to do, and what problem you are experiencing. It is perfectly possible to protect an inside server that you forward traffic to via the router firewall rules.

Fewi, I'm sorry for dropping by this old post. But what about 1:1 NAT? I have an Asterisk server on a private IP. I want to be able to just allow specific IPs input on the server from outside without activating the Linux firewall. Since DST-NAT happens first there is no way to process it through firewall input rules. I have tried with mangle prerouting chain connection and packet marking and applying it on firewall filter rules, and still nothing. Do you have any recommendation based on this? Thanks in advance.
 
sash7
Frequent Visitor
Posts: 68
Joined: Sun Mar 20, 2016 10:39 pm

Re: Firewall Filter Rule before NAT rule

Fri Apr 15, 2016 6:43 pm

After dstnat, packets to your server, which is behind the router, go to the forward chain, not to input.
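For the 1:1 NAT case Milos describes, the allow-list therefore belongs in the forward chain, as sash7 says. The following is an added example, not configuration from either poster; the WAN interface ether1, the server address 192.168.1.10, the public address 192.0.2.10 and the list name sip_peers are all assumptions. It uses the connection-nat-state=dstnat matcher, which is set only on connections that were created through a dst-nat rule, so the drop never touches ordinary LAN-to-WAN traffic passing through the same forward chain.

```routeros
# Added example. All addresses, interface and list names below are constructed
# placeholders; replace them with your own.
/ip firewall address-list
add list=sip_peers address=203.0.113.10 comment="constructed example peer"
add list=sip_peers address=198.51.100.0/24 comment="constructed example peer range"

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 dst-address=192.0.2.10 \
    to-addresses=192.168.1.10 comment="1:1 dst-nat of the public address to Asterisk"

/ip firewall filter
# dst-nat has already rewritten the destination, so the packet traverses forward,
# not input. connection-nat-state=dstnat limits the rule to dst-natted connections.
add chain=forward action=drop connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 dst-address=192.168.1.10 src-address-list=!sip_peers \
    comment="only listed peers may open connections to the natted server"
```

Place the drop above any general accept for forwarded traffic, and note that it acts on new connections only, so sessions that were already established before the rule was added keep running until they time out.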
 
jeanericblass
just joined
Posts: 2
Joined: Fri Mar 03, 2017 12:37 pm

Re: Firewall Filter Rule before NAT rule

Fri Mar 03, 2017 12:44 pm

Filtered NAT
This parameter determines how the router handles incoming traffic. Secure option provides a secured firewall to protect network computers from Internet attacks, but can lead to the fact that some online games, applications such as "point-to-point" or multimedia applications will not work. On the other hand, the open option provides a much less secure firewall, but allows almost all Internet applications to work.
Here are further details that I found regarding NAT filtering: https://www.vpnranks.com/nat-filtering/
 
levicki
newbie
Posts: 32
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia

Re: Firewall Filter Rule before NAT rule

Sat Jun 23, 2018 2:11 am

Sorry for necroing an old thread, but it might be useful to mention that it is possible to drop packets before dstnat by using Raw rules in prerouting chain.

An example:
/ip firewall raw
add action=drop chain=prerouting dst-port=3389 in-interface=your_wan_interface protocol=tcp src-address-list=\
    !TRUSTED_IP_ADDRESSES
The above rule will drop any connection attempts from IP addresses not in your TRUSTED_IP_ADDRESSES list so they won't even reach dstnat.
 
craigreilly
newbie
Posts: 46
Joined: Mon Jan 26, 2015 7:04 pm

Re: Firewall Filter Rule before NAT rule

Fri Jun 14, 2019 10:19 pm

How about this:

/ip firewall filter
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall Filter Rule before NAT rule

Sat Jun 15, 2019 10:32 am

What about it? Didn't check every detail, but by the looks of it it's a default filter rule...
 
bobbyeng
just joined
Posts: 1
Joined: Wed Mar 22, 2023 9:57 pm

Re: Firewall Filter Rule before NAT rule

Wed Mar 22, 2023 10:14 pm

Resurrecting an old thread, but I couldn't easily find this info anywhere else and wanted to add it to help others in the future; this works as of v7.7 in 2023:

Using a RAW rule after adding to blocked list.

Similar issue, want to block brute force. Instead of blocking a single port, if an IP is a bad actor, we want to block the IP completely.

The add-to-src-address-list rules need to be on the forward chain and use the TO port in the NAT rule. So if external port 999 is NATed TO internal 192.168.1.1 port 80, you want port 80 in the rule:
add chain=forward protocol=tcp dst-port=80 connection-state=new action=add-src-to-address-list \
address-list=block_stage1 address-list-timeout=1m comment="" disabled=no
This will add and advance the IP.

Now for blocking, the block rule works on FORWARD chain src-address-list=blocked_addresses.
add chain=forward src-address-list=blocked_addresses action=drop \
comment="drop blocked" disabled=no
But that IP can still scan/brute ports on the router (port 8291, 22 if open, etc.), so you can add another block rule with chain=input.
We found that adding a RAW rule is much better, it stops any further processing or packets from blocked IPs.
/ip/firewall/raw
add chain=prerouting action=drop in-interface=ether1 src-address-list=blocked_addresses
Does anyone see a problem with doing it that way? It seems the most efficient and safe way to block traffic.
Now, you can't specify a connection-state=new in raw rules so you can't build the block rules in raw table (otherwise it would hit on every packet to that port), so ideally you need 2 sets of rules to add FORWARD and INPUT to blocked_addresses;
add chain=input protocol=tcp dst-port=80 connection-state=new action=add-src-to-address-list \
address-list=block_stage1 address-list-timeout=1m comment="" disabled=no
Another idea would be to add multiple ports to capture "bad" scanners, such as ports 21,22,80,etc INPUT and add to blocked_addresses escalation lists.

Any problems with assumptions and rules above? Any more efficient way to do this?

Thanks and hope this helps someone.
Last edited by bobbyeng on Wed Mar 22, 2023 10:26 pm, edited 1 time in total.
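Putting levicki's raw rule and bobbyeng's blocked_addresses approach together, as an added example that is neither poster's configuration (ether1, blocked_addresses, trusted_admins and the trap port set are assumptions). Two points raised above are handled explicitly: raw rules see every packet and have no connection-state matcher, so the list is fed from the filter table where connection-state=new is available; and because a raw drop runs before dst-nat and connection tracking and also kills established sessions, trusted sources are accepted in raw first, so an administrator who trips the trap by mistake is not locked out of the router.

```routeros
# Added example combining the approaches in this thread; not any poster's own export.
# Assumes ether1 is the WAN interface; list names and addresses are constructed.
/ip firewall address-list
add list=trusted_admins address=203.0.113.5 comment="constructed example admin address"

/ip firewall raw
# Raw prerouting runs before dst-nat and before connection tracking. accept here only
# ends raw processing; the packet still goes through dst-nat and the filter chains.
add chain=prerouting action=accept in-interface=ether1 src-address-list=trusted_admins \
    comment="never raw-drop trusted sources"
add chain=prerouting action=drop in-interface=ether1 src-address-list=blocked_addresses \
    comment="drop all packets from blocked sources before dst-nat and filter"

/ip firewall filter
# Feed the list from the filter table, where connection-state=new exists. Ports the
# router does not serve act as a scanner trap; a legitimate client never opens them,
# so one attempt is enough. Exclude trusted sources so they are never listed.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=21,23,3389 \
    connection-state=new in-interface=ether1 src-address-list=!trusted_admins \
    address-list=blocked_addresses address-list-timeout=1d \
    comment="scanner trap on ports the router does not offer"
```

The forward-chain ladder for a dst-natted service (as in bobbyeng's rules) should promote its final stage into the same blocked_addresses list, so the single raw rule covers both the router itself and the servers behind it. Verify with `/ip firewall raw print stats` and `/ip firewall address-list print where list=blocked_addresses`; dynamic entries are lost on reboot, which is acceptable for a timed block but worth knowing when reading the counters afterwards.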
 
anav
Forum Guru
Posts: 21902
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall Filter Rule before NAT rule

Fri Mar 24, 2023 1:47 pm

I will look at this sorry thread later, but it's clear that HAVING SAFELY SETUP SERVERS is a very important consideration for many many mikrotik users.

Thus Mikrotik MUST PROVIDE the Zerotrust Cloudflare tunnel in an options package for all users!!!
