Firewall Filter Rule before NAT rule

Posted: Sat Sep 04, 2010 6:35 pm
by GrayWolf
Hi,

I have a NAT rule for SSH server inside a network, but to avoid brute force attacks I have some firewall rules. But it looks like that NAT has a priority over Firewall. Is it possible to change that? To have NAT rule and Firewall rule to block it (if IP is in blacklist).

Thanks.

RB750G OS4.10


-- GrayWolf

Re: Firewall Filter Rule before NAT rule

Posted: Sat Sep 04, 2010 9:57 pm
by fewi
NAT doesn't have priority over firewalling. Read the wiki manual on packet flow. Destination NAT happens first, then the firewall chains fire like they usually would but they will see the packet with the new destination IP address. Then source NAT changes the source IP address of the packet if warranted.

If you want more specific help post the rules you have and what you are trying to do, and what problem you are experiencing. It is perfectly possible to protect an inside server that you forward traffic to via the router firewall rules.

Re: Firewall Filter Rule before NAT rule

Posted: Sun Sep 05, 2010 12:31 am
by GrayWolf
Here's my NAT rule:

chain=dstnat action=dst-nat to-addresses=192.168.88.120 to-ports=22
protocol=tcp in-interface=ether1-gateway dst-port=122


And I'm trying to secure it in a way as it is described here:
http://wiki.mikrotik.com/wiki/Bruteforc ... P_%26_SSH)

Which works fine for MikroTik's SSH, but not for my NAT rule. I've tried changing the chain to forward, but no luck.

Re: Firewall Filter Rule before NAT rule

Posted: Sun Sep 05, 2010 1:03 am
by fewi
Changing it to the forward chain is correct. However, your NAT rule forwards to port 122 rather than 22. If that is correct you also have to adjust the destination ports in the filter rules accordingly. If it's a typo in the NAT rule, fix it.

Re: Firewall Filter Rule before NAT rule

Posted: Sun Sep 05, 2010 1:06 am
by ditonet
According to your NAT rule change to 'dst-port=122' in bruteforce prevention rules.

Regards, Grzegorz.

Re: Firewall Filter Rule before NAT rule

Posted: Sun Sep 05, 2010 1:25 am
by GrayWolf
I did, here's what my firewall rules look like:

(It's my recent attempt with chain=forward and connection-state=new on everything.)
chain=forward action=drop connection-state=new protocol=tcp src-address-list=ssh_blacklist in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m in-interface=ether1-gateway dst-port=122

chain=forward action=accept connection-state=new protocol=tcp in-interface=ether1-gateway dst-port=122

Re: Firewall Filter Rule before NAT rule

Posted: Sun Sep 05, 2010 2:07 am
by GrayWolf
Ok. I get it.

I wasn't supposed to look for port 122 in my filter rules, but 22: the port TO which NAT was forwarding.

Didn't expect that.

Thanks for the replies.
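The mistake GrayWolf ran into (forward-chain filter rules written against the public port 122, when after dst-nat the forward chain sees port 22) can be caught before the rules are deployed. The following is an added example written for this page in Python rather than RouterOS script; it is not code from the thread or from MikroTik. It parses the NAT and filter rule lines quoted above as space-separated key=value tokens, reports forward rules that match a dst-nat rule's public port, and rewrites them to the post-NAT port and address. The simplified parser (no quoted values, no line continuations) and the rule numbering in the messages are assumptions.

```python
"""Static check for the mistake in this thread: forward-chain filter rules that
match the public (pre-NAT) port of a dst-nat rule instead of the port the
packet carries after dst-nat (the NAT rule's to-ports).

Added example written for this page; not RouterOS code and not from any post.
Rule strings are the thread's, in the form a RouterOS 'export' prints them
without the leading 'add'. Parsing them as space-separated key=value tokens
is a simplification (assumption): quoted values and '\\' continuations are
not handled.
"""
import re
from typing import Dict, List

TOKEN = re.compile(r"(\S+?)=(\S+)")

NAT_RULES = [
    "chain=dstnat action=dst-nat to-addresses=192.168.88.120 to-ports=22 "
    "protocol=tcp in-interface=ether1-gateway dst-port=122",
]

# GrayWolf's forward rules: the whole set looks for dst-port=122.
BROKEN_FILTERS = [
    "chain=forward action=drop connection-state=new protocol=tcp "
    "src-address-list=ssh_blacklist in-interface=ether1-gateway dst-port=122",
    "chain=forward action=add-src-to-address-list connection-state=new protocol=tcp "
    "src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1m "
    "in-interface=ether1-gateway dst-port=122",
    "chain=forward action=add-src-to-address-list connection-state=new protocol=tcp "
    "src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m "
    "in-interface=ether1-gateway dst-port=122",
    "chain=forward action=add-src-to-address-list connection-state=new protocol=tcp "
    "src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m "
    "in-interface=ether1-gateway dst-port=122",
    "chain=forward action=add-src-to-address-list connection-state=new protocol=tcp "
    "address-list=ssh_stage1 address-list-timeout=1m in-interface=ether1-gateway dst-port=122",
    "chain=forward action=accept connection-state=new protocol=tcp "
    "in-interface=ether1-gateway dst-port=122",
]


def parse(rule: str) -> Dict[str, str]:
    """'chain=forward action=drop dst-port=122' -> {'chain': 'forward', ...}."""
    return dict(TOKEN.findall(rule))


def post_nat_port(nat: Dict[str, str]) -> str:
    """Port the packet carries after dst-nat; without to-ports it is unchanged."""
    return nat.get("to-ports", nat.get("dst-port", ""))


def check(nat_rules: List[str], filter_rules: List[str]) -> List[str]:
    """Report forward filters whose dst-port is a dst-nat rule's public port."""
    nats = [n for n in map(parse, nat_rules)
            if n.get("chain") == "dstnat" and n.get("action") == "dst-nat"]
    findings = []
    for idx, raw in enumerate(filter_rules):
        f = parse(raw)
        if f.get("chain") != "forward" or "dst-port" not in f:
            continue
        for nat in nats:
            inside, public = post_nat_port(nat), nat.get("dst-port")
            same_proto = f.get("protocol") == nat.get("protocol")
            same_iface = f.get("in-interface", nat.get("in-interface")) == nat.get("in-interface")
            if same_proto and same_iface and f["dst-port"] == public and public != inside:
                findings.append(
                    f"filter #{idx}: dst-port={public} is the pre-NAT port; after dst-nat "
                    f"the forward chain sees dst-port={inside} dst-address={nat.get('to-addresses')}")
    return findings


def fix(rule: str, nat: Dict[str, str]) -> str:
    """Rewrite one filter rule so it matches the post-NAT destination."""
    fixed = re.sub(r"\bdst-port=\S+", f"dst-port={post_nat_port(nat)}", rule)
    if "to-addresses" in nat and "dst-address=" not in fixed:
        fixed += f" dst-address={nat['to-addresses']}"   # pin the rule to the forwarded host
    return fixed


if __name__ == "__main__":
    for line in check(NAT_RULES, BROKEN_FILTERS):
        print(line)
    for rule in BROKEN_FILTERS:
        print(fix(rule, parse(NAT_RULES[0])))
```

Run as-is it flags all six forward rules and prints them rewritten with dst-port=22 and dst-address=192.168.88.120; a second pass over the rewritten rules reports nothing. Adding dst-address is not strictly required for the fix, but it keeps the brute-force counters from being fed by unrelated forwarded traffic to port 22 on other inside hosts.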

Re: Firewall Filter Rule before NAT rule

Posted: Fri Apr 15, 2016 4:27 pm
by Milos
fewi wrote:
NAT doesn't have priority over firewalling. Read the wiki manual on packet flow. Destination NAT happens first, then the firewall chains fire like they usually would but they will see the packet with the new destination IP address. Then source NAT changes the source IP address of the packet if warranted.

If you want more specific help post the rules you have and what you are trying to do, and what problem you are experiencing. It is perfectly possible to protect an inside server that you forward traffic to via the router firewall rules.

Fewi, I'm sorry for dropping by to this old post. But what about 1:1 NAT? I have an Asterisk server on a private IP. I want to be able to just allow specific IPs input on the server from outside without activating the Linux firewall. Since DST-NAT happens first there is no way to process it through firewall input rules. I have tried with mangle prerouting chain connection and packet marking and applying it on firewall filter rules, and still nothing. Do you have any recommendation based on this? Thanks in advance.

Re: Firewall Filter Rule before NAT rule

Posted: Fri Apr 15, 2016 6:43 pm
by sash7
After dstnat, packets to your server, which is behind the router, go to the forward chain, not to input.

Re: Firewall Filter Rule before NAT rule

Posted: Fri Mar 03, 2017 12:44 pm
by jeanericblass
Filtered NAT
This parameter determines how the router handles incoming traffic. The secure option provides a secured firewall to protect network computers from Internet attacks, but can lead to some online games, "point-to-point" applications or multimedia applications not working. On the other hand, the open option provides a much less secure firewall, but allows almost all Internet applications to work.
Here are further details that I found regarding NAT filtering: https://www.vpnranks.com/nat-filtering/

Re: Firewall Filter Rule before NAT rule

Posted: Sat Jun 23, 2018 2:11 am
by levicki
Sorry for necroing an old thread, but it might be useful to mention that it is possible to drop packets before dstnat by using Raw rules in prerouting chain.

An example:
/ip firewall raw
add action=drop chain=prerouting dst-port=3389 in-interface=your_wan_interface protocol=tcp src-address-list=\
    !TRUSTED_IP_ADDRESSES
The above rule will drop any connection attempts from IP addresses not in your TRUSTED_IP_ADDRESSES list so they won't even reach dstnat.

Re: Firewall Filter Rule before NAT rule

Posted: Fri Jun 14, 2019 10:19 pm
by craigreilly
How about this:

/ip firewall filter
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN

Re: Firewall Filter Rule before NAT rule

Posted: Sat Jun 15, 2019 10:32 am
by mkx
What about it? Didn't check every detail, but by the looks of it it's a default filter rule...

Re: Firewall Filter Rule before NAT rule

Posted: Wed Mar 22, 2023 10:14 pm
by bobbyeng
Resurrecting an old thread, but I couldn't easily find this info anywhere else and wanted to add it to help others in the future; this works as of v7.7 in 2023.

Using a RAW rule after adding to blocked list.

Similar issue, want to block brute force. Instead of blocking a single port, if an IP is a bad actor, we want to block the IP completely.

The add-src-to-address-list rules need to be on the forward chain and use the TO port in the NAT rule. So if external port 999 is NATed TO internal 192.168.1.1 port 80, you want port 80 in the rule:
add chain=forward protocol=tcp dst-port=80 connection-state=new action=add-src-to-address-list \
address-list=block_stage1 address-list-timeout=1m comment="" disabled=no
This will add and advance the IP.

Now for blocking, the block rule works on the FORWARD chain with src-address-list=blocked_addresses.
add chain=forward src-address-list=blocked_addresses action=drop \
comment="drop blocked" disabled=no
But, that IP can still scan/brute ports on the router (port 8291, 22 if open, etc.) So you can add another block rule with chain=input.
We found that adding a RAW rule is much better, it stops any further processing or packets from blocked IPs.
/ip/firewall/raw
add chain=prerouting action=drop in-interface=ether1 src-address-list=blocked_addresses
Does anyone see a problem with doing it that way? Seems most efficient and safe way to block traffic.
Now, you can't specify connection-state=new in raw rules, so you can't build the block rules in the raw table (otherwise they would hit on every packet to that port). So ideally you need 2 sets of rules, FORWARD and INPUT, to add to blocked_addresses:
add chain=input protocol=tcp dst-port=80 connection-state=new action=add-src-to-address-list \
address-list=block_stage1 address-list-timeout=1m comment="" disabled=no
Another idea would be to add multiple ports to capture "bad" scanners, such as ports 21, 22, 80, etc. on INPUT, and add them to the blocked_addresses escalation lists.

Any problems with assumptions and rules above? Any more efficient way to do this?

Thanks and hope this helps someone.
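To make the order fewi describes concrete (raw/prerouting, then dst-nat, then the routing decision into input or forward), and to show why the raw rule levicki and bobbyeng use catches traffic that the forward-chain blacklist never sees, here is an added model of that packet path in Python. It is not RouterOS code and not from any post in the thread; it replays the thread's dst-nat (WAN port 122 to 192.168.88.120:22) and the ssh_stage1 to ssh_blacklist escalation with 1m timeouts. The router's WAN address 203.0.113.1, the attacker address 198.51.100.7, the winbox port probe, and the assumption that a re-added dynamic address-list entry keeps its original expiry (this varies by RouterOS version) are constructed for the example.

```python
"""Model of the RouterOS packet path discussed in this thread:
raw/prerouting -> dst-nat -> routing decision -> filter (forward or input).

Added illustration written for this page; not RouterOS code and not from any
post above. Assumptions: the router WAN address and attacker address are
constructed, only connection-state=new packets are modelled, and re-adding a
live address-list entry does not refresh its expiry (version dependent).
"""
from dataclasses import dataclass

WAN = "ether1-gateway"
ROUTER_WAN_IP = "203.0.113.1"                    # constructed
SERVER, PUBLIC_PORT, INSIDE_PORT = "192.168.88.120", 122, 22
TIMEOUT = 60                                     # address-list-timeout=1m
# (list the source must already be in, list it is added to); None = unconditional.
# add-src-to-address-list does not stop rule processing, so every matching rule
# fires, in the order of the thread's forward chain.
ESCALATION = [("ssh_stage3", "ssh_blacklist"), ("ssh_stage2", "ssh_stage3"),
              ("ssh_stage1", "ssh_stage2"), (None, "ssh_stage1")]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str = WAN
    new: bool = True          # connection-state=new


class Router:
    def __init__(self, filter_port: int, raw_drop: bool = False):
        self.filter_port = filter_port   # dst-port the forward rules match on
        self.raw_drop = raw_drop         # /ip firewall raw drop of blacklisted sources
        self.lists = {}                  # list name -> {ip: expiry time}

    def listed(self, name: str, ip: str, now: int) -> bool:
        return self.lists.get(name, {}).get(ip, -1) > now

    def add(self, name: str, ip: str, now: int) -> None:
        entries = self.lists.setdefault(name, {})
        if not self.listed(name, ip, now):           # assumption: no refresh of live entries
            entries[ip] = now + TIMEOUT

    def handle(self, pkt: Packet, now: int) -> str:
        # 1. raw/prerouting runs before dst-nat, so it still sees dst-port 122
        #    (and packets aimed at the router itself, which never reach forward).
        if self.raw_drop and pkt.in_iface == WAN and self.listed("ssh_blacklist", pkt.src, now):
            return "raw-drop"
        # 2. dstnat chain rewrites the destination; every later chain sees the result.
        if pkt.in_iface == WAN and pkt.dst == ROUTER_WAN_IP and pkt.dport == PUBLIC_PORT:
            pkt.dst, pkt.dport = SERVER, INSIDE_PORT
        # 3. routing decision: the router's own address -> input, otherwise forward.
        if pkt.dst == ROUTER_WAN_IP:
            return "input"               # the thread's forward rules never run here
        return self.forward(pkt, now)

    def forward(self, pkt: Packet, now: int) -> str:
        if not (pkt.new and pkt.in_iface == WAN and pkt.dport == self.filter_port):
            return "forward-accept"      # brute-force rules do not match at all
        if self.listed("ssh_blacklist", pkt.src, now):
            return "forward-drop"
        for need, target in ESCALATION:
            if need is None or self.listed(need, pkt.src, now):
                self.add(target, pkt.src, now)
        return "forward-accept"


def attempts(router: Router, src: str, dport: int, times) -> list:
    """Verdict for each new connection from src to the router's WAN address."""
    return [router.handle(Packet(src, ROUTER_WAN_IP, dport), t) for t in times]


if __name__ == "__main__":
    bad = Router(filter_port=PUBLIC_PORT)                    # filters written for port 122
    print(attempts(bad, "198.51.100.7", PUBLIC_PORT, range(6)))
    good = Router(filter_port=INSIDE_PORT, raw_drop=True)    # port 22 plus the raw rule
    print(attempts(good, "198.51.100.7", PUBLIC_PORT, range(6)))
    print(good.handle(Packet("198.51.100.7", ROUTER_WAN_IP, 8291), 6))  # winbox probe
```

With filter_port=122 no address list is ever populated, because by the time the forward chain runs the packet already carries port 22. With filter_port=22 the fourth new connection lands the source in ssh_blacklist and the fifth is dropped in forward; a probe of the router's own port 8291 from the same source still reaches the input chain. With the raw rule enabled, both the fifth attempt and the 8291 probe are dropped in prerouting, before dst-nat and before any filter chain, which is the behaviour bobbyeng describes. Entries expire after 60 seconds, so a connection at t=100 is accepted again and starts the escalation from ssh_stage1.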

Re: Firewall Filter Rule before NAT rule

Posted: Fri Mar 24, 2023 1:47 pm
by anav
I will look at this sorry thread later, but it's clear that HAVING SAFELY SETUP SERVERS is a very important consideration for many many MikroTik users.

Thus Mikrotik MUST PROVIDE the Zerotrust Cloudflare tunnel in an options package for all users!!!