Hello,

I am new to Mikrotik and I need some help with Firewall Rules.
I read about how to secure the router so I did some basic steps to protect it, such as disable the services, allow connection from
certain ip address only etc...

So what I need now is the "Best practice" firewall rules, plus open for some web servers (80 and 443) and deny the rest...
There is NO nat in the picture because I have official static ip addresses on the server...

I read a lot of articles which are "outdated" and really does not work for me, so what I need now is someone who are willing to help me
of course I will pay via pay-pal for the time used to configure the firewall rules.

Direct access to the router will of course be provided if needed...

So if there is someone who is interested, just let me know...

Thank You

Cheers

Study the rules below which do what you need. Use the GUI tool from here to open ports which is very simple too do. Add custom accept rules above the drop ones shown.

ros code

#Router and internal network protection, no internal servers, LAN is friendly
/ip firewall filter
add chain=input   action=drop   connection-state=invalid                         comment="Disallow weird packets" 
add chain=input   action=accept connection-state=new         in-interface=LAN    comment="Allow LAN access to router and Internet"
add chain=input   action=accept connection-state=established                     comment="Allow connections that originated from LAN"
add chain=input   action=accept connection-state=related                         comment="Allow connections that originated from LAN"
add chain=input   action=accept protocol=icmp                                    comment="Allow ping ICMP from anywhere"
add chain=input   action=drop                                                    comment="Disallow anything from anywhere on any interface" 
add chain=forward action=drop   connection-state=invalid                         comment="Disallow weird packets" 
add chain=forward action=accept connection-state=new         in-interface=LAN    comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-state=established                     comment="Allow connections that originated from LAN"
add chain=forward action=accept connection-state=related                         comment="Allow connections that originated from LAN"
add chain=forward action=drop

hello,

thank you very much for reply.
I have just copied and pasted the rules you wrote, and please see the screen-shot I took from WinBox GUI

What I do not understand here in Mikrotik is why we need allow the traffic from LAN as everything works without any rule ?
I was able to access the internet from the server without any rule in the firewall list, and I am also able to access the server FROM the
internet without any rule because server have the official ip address and do not need a NAT..

I wish that Mikrotik could CLOSE all the traffic default so we can just open what we need instead of opening everything as default, kind of wired if you ask me..
I am aware that mikrotik routerOS is not a firewall but router only, of course it can do many of the firewall features by the way ....

Is this I did correct or ?

Thank you !!

hello,

thank you very much for reply.
I have just copied and pasted the rules you wrote, and please see the screen-shot I took from WinBox GUI

What I do not understand here in Mikrotik is why we need allow the traffic from LAN as everything works without any rule ?
I was able to access the internet from the server without any rule in the firewall list, and I am also able to access the server FROM the
internet without any rule because server have the official ip address and do not need a NAT..

I wish that Mikrotik could CLOSE all the traffic default so we can just open what we need instead of opening everything as default, kind of wired if you ask me..
I am aware that mikrotik routerOS is not a firewall but router only, of course it can do many of the firewall features by the way ....

Is this I did correct or ?

Thank you !!

You did copy the rules, but the order is not really ok.
Your "Disallow weird packages" is below your drop everything, so these rules will never be hit and are useless on the place you have configured them now.
They should be as first rule. Also I recommend that you group the rules on chain type. So group your input and forward chain as two groups. It does not change the working principle of the firewall filter but makes it much more easier to read the list of filter rules.

I have just copied and pasted the rules you wrote, and please see the screen-shot I took from WinBox GUI

I wish that Mikrotik could CLOSE all the traffic default so we can just open what we need instead of opening everything as default, kind of wired if you ask me..

Please delete the rules and then readd them (change WAN and LAN to match your interface names). Do not change the order. They are processed in order (top to bottom) such that they only drop when needed. If MikroTik blocked traffic by default these forums would run over with questions.

thank You ALL very much for helping !!!!

I have deleted all the rules and copied them again, please see attached image again and let me now if the rule sequence is ok now..

What happens now with these rules, the server can access the internet (sporadic only some time when refreshing I cannot access the internet at all from the server) and it loads the web pages from internet very slowly and of course I am not able to access the server from the internet on its port 80. This is what I wanted, close everything and than open needed ports...


BUT, do I need to add some additional rules against the dos protection and virus protections ?
Because some clients can open the Web sites which can return the virus via already opened session by the client from the inside ..
Any best practice on this part with right rule sequence ?

So in short words what I need now is to open port 80 to the server for example ip address 8.8.8.8
and of course if I need more protections such as ddos, virus etc...

I think I am beginning to understand the rule sequence but not completely yet ..


THANK YOU ALL AGAIN !!!

can someone please help with my previous post ?
Now I have the correct order for these rules, but when accessing the internet from server`s desktop
all the pages loads to slow and sometimes it just times out with a message the page cannot be displayed ...?

Also I need an example rule for opening a port to Web server (80) from certain ip address only at the begining
so I can modify it later...

Thank you

I need an example rule for opening a port to Web server (80) from certain ip address only at the begining so I can modify it later ...

See here. Note that the router itself listens on port 80, thus you'll need to change that.

thank you for very quick response, will check it and let you know

BTW: I have stooped port 80 www on IP services in Mikrotik, only WinBox and SSH are opened from certain ip address only...

please see the attached screen-shot below, as you can see I have added the rule for the Web server but it`s not being read at all
and I am not able to access the server from internet.. any idea why ?

I have used example ip 8.8.8.8, so let`s say this is the ip address of the web server..
I am not using NAT, because there is a public IP on both WAN and LAN interfaces so the server uses the LAN interface ip as its gateway
to internet...

I am not using NAT, because there is a public IP on both WAN and LAN interfaces so the server uses the LAN interface ip as its gateway to internet ...

Okay, that changes things ... someone else will have to help you then. I don't know how to route that kind of traffic. Get terminal command prompt and run the command: /export compact file=a_setup_file. Get that file from the Files menu, remove any personal information, and post it here. Make sure it contains the following information for someone to help you:

/interface ethernet
/ip address
/ip route
/ip firewall filter
/ip firewall mangle
/ip firewall nat
/ip service

ok, below is the configuration which is exported from the router...

ISSUES:
- What I need is to add open a port 80 to web server which I did, BUT I still cannot open the web server from the internet
- and when I am on the server desktop, I am able to access the internet open the web pages, but it`s too slow and somethimes
it just times out and I receive the message "The page cannot be displayed"

****************************************************************
NOTE, these ip addresses are not the real ones, for example on my
router these ip addresses for LAN and WAN interface are the real official ip addresses:

add address=172.12.34.53/29 interface=WAN network=172.12.34.48
add address=172.12.34.54/32 interface=LAN network=172.12.34.48

Also assume that Web Server uses this ip address 172.12.34.50

****************************************************************

ros code

# sep/06/2013 19:50:52 by RouterOS 6.2
# software id = xxxx-xxxx
#
/interface ethernet
set 0 name=LAN
set 1 name=WAN
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/port
set 0 name=serial0
set 1 name=serial1
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" \
    paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
    permissions=owner signup-allowed=no time-zone=-00:00
/ip address
add address=172.12.34.53/29 interface=WAN network=172.12.34.48
add address=172.12.34.54/32 interface=LAN network=172.12.34.48
/ip firewall address-list
add address=47.2x.xx.xx list=my_ip_address
/ip firewall filter
add chain=input comment="Allow access to router from known network" \
    src-address-list=my_ip_address
add action=drop chain=input comment="Disallow weird packets" \
    connection-state=invalid
add chain=input comment="Allow LAN access to router and Internet" \
    connection-state=new in-interface=LAN
add chain=input comment="Allow connections that originated from LAN" \
    connection-state=established
add chain=input comment="Allow connections that originated from LAN" \
    connection-state=related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment=\
    "Disallow anything from anywhere on any interface"
add action=drop chain=forward comment="Disallow weird packets" \
    connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" \
    connection-state=new in-interface=LAN
add chain=forward comment="Allow connections that originated from LAN" \
    connection-state=established
add chain=forward comment="Allow connections that originated from LAN" \
    connection-state=related
add chain=forward comment="Open port 80 for Web Server" \
   dst-address=172.12.34.50 dst-port=80 protocol=tcp
add action=drop chain=forward
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add distance=1 gateway=172.12.34.49
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=47.2x.xx.xx/32 disabled=yes
set ssh address=47.2x.xx.xx/32
set api disabled=yes
set winbox address=47.2x.xx.xx/32
set api-ssl disabled=yes
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set WAN disabled=yes display-time=5s
set LAN disabled=yes display-time=5s
/tool bandwidth-server
set enabled=no

Thank You all for helping !!!

can someone help me on this one?

can someone from Mikrotik support help me on this one ?

can someone from Mikrotik support help me on this one ?

ros code

add chain=forward comment="Open port 80 for Web Server" \
   dst-address=8.8.8.8 dst-port=80 protocol=tcp

Why is your dst-address=8.8.8.8? ... unless your Googles DNS server that line is most likely wrong. dst-address should be whatever the server you are running on port 80 is... In your case likely something in 172.12.34.53/29

thank you for reply.

I am aware that ip address 8.8.8.8 is google DNS server I just used it as an example ip address,
in short words "let`s say my server have an ip address 8.8.8.8" I wrote about this in my previous posts on this thread.

I am just hiding my official ip address and therefore using 8.8.8.8 "as it was my server ip address"

Have corrected the config now, please see my previous post:

http://forum.mikrotik.com/viewtopic.php ... 32#p385132

now I have changed the ip address of the server, NOTE all these ip addresses I used in this config example are the INTERNAL
ip address just because I will hide my real official ip addresses, BUT in my real configuration I am using official ip addresses, so NO NAT is used at all in my case..

for some reason my Firewall rule does not forward the traffic to the server:

ros code

add chain=forward comment="Open port 80 for Web Server" \
   dst-address=172.12.34.50 dst-port=80 protocol=tcp

OK. So I see one other problem. Based on the way you have your interfaces assigned and your subnets the router thinks your server is within the subnet on the wan port, not the lan port. So when it gets a packet for 50 it goes out the wan and not the lan. I think you need to fix your subnets and create some static routes.

Sent from my SCH-I545 using Tapatalk 4

Assuming your isp is just sending you a block of IP's and not routing one range to a specific ip. What you want to do is get rid of the /32 address. Bridge the wan and lan ports and then turn on bridge firewall. Oh, and make sure that your lan machines use your isp as the gateway not the router.

I can explain more when I get to a computer

You could alternatively drop the /32 and use a private range for your lan and so dst/src nat.

Sent from my SCH-I545 using Tapatalk 4

thank you very much for reply efaden, I think you may have a point here..
because the router does not read my firewall rule for the web server, which means what you said...

Hm I was also thinking about NAT solution, but there is some applications that does not like NAT so well
and on the other hand, NAT-in will slow the traffic down I think.

So if it`s not so practical for you to write from the tablet/mobile phone, I can wait until you have an pc...
In the main time I will think about the solution, but perhaps you could modify my configuration in previous
post ? make 2 examples:

1. use the bridge interfaces
2. or choose the NAT anyway

not sure..

Will run some voice servers, and as far as we know NAT and voice are as cat and mouse game in most cases..

thank you very much again !!!

See below. Basically the changes are
1) Create a bridge "bridge-wan"
2) Add interfaces WAN & LAN to bridge-wan
3) Add IP to bridge-wan and remove from WAN & LAN
4) Enable bridge filtering.
5) Change the firewall rule to use in-bridge-port instead of in-interface since the interface is bridge-wan, but you really want to match which port it entered the bridge (e.g. LAN)

DON'T FORGET - Your LAN computers should use your ISPs gateway and not the routerboard.

I can do a NAT style one too I suppose. But try that first and see if it will work for you. The NAT version involves
1) Remove /32 from LAN. Add Class C to LAN.
2) Assign LAN computers IPs in Class C
3) Use NAT to assign LAN Class C addresses to WAN bridged addresses.

ros code

# sep/06/2013 19:50:52 by RouterOS 6.2
# software id = xxxx-xxxx
#
/interface ethernet
set 0 name=LAN
set 1 name=WAN
/interface bridge
add name=bridge-wan
/interface bridge port
add interface=WAN bridge=bridge-wan
add interface=LAN bridge=bridge-lan
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/port
set 0 name=serial0
set 1 name=serial1
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" \
    paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
    permissions=owner signup-allowed=no time-zone=-00:00
/ip address
add address=172.12.34.53/29 interface=bridge-wan network=172.12.34.48
/ip firewall address-list
add address=47.2x.xx.xx list=my_ip_address
/ip firewall filter
add chain=input comment="Allow access to router from known network" \
    src-address-list=my_ip_address
add action=drop chain=input comment="Disallow weird packets" \
    connection-state=invalid
add chain=input comment="Allow LAN access to router and Internet" \
    connection-state=new in-interface=LAN
add chain=input comment="Allow connections that originated from LAN" \
    connection-state=established
add chain=input comment="Allow connections that originated from LAN" \
    connection-state=related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment=\
    "Disallow anything from anywhere on any interface"
add action=drop chain=forward comment="Disallow weird packets" \
    connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" \
    connection-state=new in-bridge-port=LAN
add chain=forward comment="Allow connections that originated from LAN" \
    connection-state=established
add chain=forward comment="Allow connections that originated from LAN" \
    connection-state=related
add chain=forward comment="Open port 80 for Web Server" \
   dst-address=172.12.34.50 dst-port=80 protocol=tcp
add action=drop chain=forward
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add distance=1 gateway=172.12.34.49
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=47.2x.xx.xx/32 disabled=yes
set ssh address=47.2x.xx.xx/32
set api disabled=yes
set winbox address=47.2x.xx.xx/32
set api-ssl disabled=yes
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set WAN disabled=yes display-time=5s
set LAN disabled=yes display-time=5s
/tool bandwidth-server
set enabled=no

thank you very much for configuration and suggestion !
think I understand the problem now.

Will test both options and will let you know..
and yes I understood the part regarding the default gateway for the servers...

thank you very much for configuration and suggestion !
think I understand the problem now.

Will test both options and will let you know..
and yes I understood the part regarding the default gateway for the servers...

No problem. Forgot to mention if you want to use the NAT method then I believe given how your IPs are setup you would actually need to assign all of the IPs you are assigned to your WAN interface.

There are basically two ways your ISP can provide you IPs... via routing (e.g. they give you an IP inside of one range, and then route another range to that one)... or just give you a bunch of IPs in a bridged mode. It seems like yours are bridged. Therefore on the inside of your Modem/CPE or whatever you have all you just have a pile of IPs to assign to machines. Thats why I recommended using the bridge setup. Good luck.

-Eric

I understand what You mean yes, just for to clear whole scenario a bit I made a network drawing as You can see below.
The words can never describe what the pictures can

I assume that You will understand this scenario once You see the drawing.

Ah. Now I get it. Yes you want to run in bridged mode now and then routed mode when you replace the pfsense box.

Sent from my SCH-I545 using Tapatalk 4

have just tested the bridged mode, and it works just fine
Will run it in bridge mode until I remove the pfSense, then I will run a routing on MikroTik just as I do now on the pfSense.

THANK YOU very much again for helping and very good suggestions, I hope that other will learn about this now.

Karma will of course be given, no doubt about that

have just tested the bridged mode, and it works just fine
Will run it in bridge mode until I remove the pfSense, then I will run a routing on MikroTik just as I do now on the pfSense.

THANK YOU very much again for helping and very good suggestions, I hope that other will learn about this now.

Karma will of course be given, no doubt about that

No problem. Just let me know if you have problems when you convert over. Basically you want to configure the ips just like the PFsense box, and remove the bridge and set it back up like you had it in the original config.

will do, no problems!

do You have any other good suggestions to these firewall rules, note, these are the only rules I have added
on the MikroTik so far, of course web server port opening rule is an addition, but other "security" rules You can suggest in addition to these below
and of course in the right sequence ... ?

ros code

#Router and internal network protection, no internal servers, LAN is friendly
/ip firewall filter
add chain=input   action=drop   connection-state=invalid                         comment="Disallow weird packets"
add chain=input   action=accept connection-state=new         in-interface=LAN    comment="Allow LAN access to router and Internet"
add chain=input   action=accept connection-state=established                     comment="Allow connections that originated from LAN"
add chain=input   action=accept connection-state=related                         comment="Allow connections that originated from LAN"
add chain=input   action=accept protocol=icmp                                    comment="Allow ping ICMP from anywhere"
add chain=input   action=drop                                                    comment="Disallow anything from anywhere on any interface"
add chain=forward action=drop   connection-state=invalid                         comment="Disallow weird packets"
add chain=forward action=accept connection-state=new         in-interface=LAN    comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-state=established                     comment="Allow connections that originated from LAN"
add chain=forward action=accept connection-state=related                         comment="Allow connections that originated from LAN"
add chain=forward action=drop

My point is to BLOCK just EVERYTHING except the web server ports or other ports that I will use later...

My point is to BLOCK just EVERYTHING except the web server ports or other ports that I will use later...

Not really. That's basically what I do also. I have allow related/established, drop invalid, allow stuff I want, then default drop. The only thing you may want to add is some limits on what ICMPs you allow, throttle connections to also limit DOS attacks, drop bogons (private/invalid addresses), etc.

Checkout these for examples.
http://wiki.mikrotik.com/wiki/Manual:IP ... c_examples
http://wiki.mikrotik.com/wiki/Securing_ ... A_Firewall

They have some examples of limiting ICMP, etc.

Also... in your rules you have "in-interface"... when you are bridged that should be "in-bridge-port" ...

ok I understand Your point, and yes I was also thinking about dos, bogon and ICMP limit protections as well..
But tell me one thing about the bogon and ICMP limitation rules, what about their sequences in my case ?

can I add all additional rules below all my rules I have now as long as all of the rules are above this one ?
of course some rules are special and has to be placed in the right sequence.. and I am aware that all the rules
are read from top to bottom in MikroTik

ros code

add chain=forward action=drop

ok I understand Your point, and yes I was also thinking about dos, bogon and ICMP limit protections as well..
But tell me one thing about the bogon and ICMP limitation rules, what about their sequences in my case ?

can I add all additional rules below all my rules I have now as long as all of the rules are above this one ?
of course some rules are special and has to be placed in the right sequence.. and I am aware that all the rules
are read from top to bottom in MikroTik

ros code

add chain=forward action=drop

In theory you want to place things like DOS at the top to drop them with as little processing as possible. Same with bogons etc... that said you could make the argument that placing related and established should be at the top because that allows your traffic you already have seen (e.g. established connections) to bypass the rest of the firewall. I'm not entirely sure there is a "right" answer to that question. Personally I have my DOS, Bogons, and ICMP above my related and established.

But as you said... make sure they are above your drop or really anything else that accepts traffic... e.g accepting port 80. Because your goal is to protect port 80 from those attacks. Established and related are kind of special cases.

-Eric

sure I see the point yes, I agree with You, it`s best to stop dos, bogon and limit the ICMP at he top because in this case this
traffic is stopped right away and will not be processed while the rest of the ACL`s are processed..

will check a bit on MikroTik wiki and I will build a good solution, I will share it with You when I get the MikroTik in the production.
but the most important thing for me is the LAST rule which denies everything else.. this is the "real security" rule ...

I am aware that all the rules are read from top to bottom in MikroTik

This is true for each chain. Top to bottom for the input chain, and top to bottom for anything that gets into the forward chain. So where you place your rules depends on which chain you suspect your traffic will appear.

ok, I think I understand it now, thank You for clearing out this

actually regarding the bogon rules in the firewall rule, I am not sure if this rule is needed because
I think that only Border Routers that runs the BGP protocol should filter these networks so they are not
distributed out and filter incoming BGP so we cannot accept them if someone distributes them out..

In this case it`s ISP who stops these networks on their Border Routers that runs the BGP...

actually regarding the bogon rules in the firewall rule, I am not sure if this rule is needed because
I think that only Border Routers that runs the BGP protocol should filter these networks so they are not
distributed out and filter incoming BGP so we cannot accept them if someone distributes them out..

In this case it`s ISP who stops these networks on their Border Routers that runs the BGP...

Yeah. That is true. Just depends where you operate your router.

Sent from my SCH-I545 using Tapatalk 4

in my case I am not running any BGP sessions so this rule is not needed..

in my case I am not running any BGP sessions so this rule is not needed..

Then you are correct. Glad we got it all working.

Hello and sorry to pick up old topic, but My problem is very similar.

I just got Mikrotik routers for My work so i have just started to work whit Mikrotik routers and, as You know, they are much more complex than every consumer grade router.

My scenario is to create network whit one main router (RB2011U) and bunch of APs (wAP) and hEX poE Lite series routers if needed as bridges. I am learning from the ground and I know how to setup basic router functionality like configuring DHCP client for WAN, DHCP Server for LAN, address list, basic firewall security etc. so that router can function as basic router whit 1 WAN input and 1LAN (as i don't need more right now). I have setup Spiceworks IT management program whit PDQ Deploy, PDQ Inventory and VNC client on every computer for remote assistance in cases.

Problem starts whit port forwarding and opening. My next task is to open and forward ports to My server PC (Running Win 8.1 Pro and We cant afford proper server version) so I can reach server from outside internal network. I need to open ports 80, 443 and 5900. When i open ports ether in WinBox or thou ssh I have the same problems as this topics author - internet on internal router network (LAN) becomes slow and times out and I cant connect to My server from from LAN. Problem and solution is described here but now it looks so in cosmos that I'm slowly just getting use to this router configuration. I will post My "/export compact file=a_setup_file" file and can someone please point Me what is needed to change so I can accomplish this? Code is simple as i stated. Any info or learning information is good.

I setup my mikrotik and was looking for how to put a security on the router for LAN connections. I now saw a rule on the internet. After setting it up, the router will not allow any LAN traffic to pass through.

Please how do I stop or correct this?

This is the rule I implemented:
/ip firewall filter add chain=input src-address=192.168.88.180 \
src-mac-address=!60:E3:27:12:56:E6 action=drop disabled=no

/ip firewall filter add chain=input src-address=!A.B.C.D \
src-mac-address=1A:2B:3C:4D:5E:6F action=drop disabled=no


How do I correct this?

i need some help to.

i have /28 public adresses. all adresses are set to Wan interface, i have net map 1:1 (for example 10.1.1.2 to X.X.X.131, 10.1.1.3 to X.X.X.132 and etc.)

and i want to "open" particular tcp ports from outside and block all other incoming traffic.

but when i add rule in firewall for example:

it doesn`t match incoming ping packets from outside. and i`m bit confused.

That is because the dst-nat rule is carried out before the filter rule is applied, and after the dst-nat rule is applied your dst-address is not your public IP anymore but the 10.x.y.z. address.
Also you have to handle the filter rules on your forward chain instead of your input because of this dst-address.