marcus65
newbie
Topic Author
Posts: 26
Joined: Fri Feb 08, 2013 4:15 am
Location: Brooklyn, New York

Firewall forward chain problem

Tue Apr 22, 2014 7:08 pm

I am learning RouterOS with the Steve Discher book and tried to setup a simple firewall configuration suggested in that book.

Rules 7 thru 10 (below) forward new traffic from the LAN, then accept established and related packets. When I enable rule 10 to block everything else, all traffic from my server that has been dst-nat(ted) thru the firewall gets blocked.

I thought that the dst-natted traffic becomes established and related and should pass the forward chain. What am I missing?
Here are my IP firewall filter and nat rules:

[admin@router] /ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Accept Ping -- (default configuration
chain=input action=accept protocol=icmp

1 ;;; Accept Related -- (default configuration)
chain=input action=accept connection-state=related

2 ;;; Accept Established -- (default configuration)
chain=input action=accept connection-state=established

3 ;;; Allow FTP, SSH, HTTP & Winbox from LAN
chain=input action=accept protocol=tcp src-address=192.168.1.0/24 \
dst-address=192.168.1.1 in-interface=bridge-local dst-port=21,22,80,8291

4 ;;; an input chain rule

5 ;;; Allow pptp vpn
chain=input action=accept protocol=tcp dst-address=74.65.224.112 dst-port=1723

6 ;;; Drop everything else -- (default configuration)
chain=input action=drop

7 ;;; Forward New from LAN -- Then accept established & related (Drop everything else)
chain=forward action=accept connection-state=new src-address=192.168.1.0/24

8 chain=forward action=accept connection-state=established

9 chain=forward action=accept connection-state=related

10 X chain=forward action=drop

[admin@router] /ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Masquerade LAN -- (default configuration)
chain=srcnat action=masquerade to-addresses=0.0.0.0 dst-address=0.0.0.0/0 out-interface=ether1-gateway

1 ;;; Port Forward requests to server (WWW, Mail & FTP)
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80 \
protocol=tcp dst-address=74.65.224.112 dst-port=80

2 chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=21 \
protocol=tcp dst-address=74.65.224.112 dst-port=21

3 chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=143 \
protocol=tcp dst-address=74.65.224.112 dst-port=143

4 chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=25 \
protocol=tcp dst-address=74.65.224.112 dst-port=25

5 ;;; Hairpin NAT
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 \
out-interface=bridge-local dst-port=21,22,25,80,143,587,443
 
sashavl
Frequent Visitor
Posts: 56
Joined: Mon Nov 01, 2010 8:19 pm
Contact:

Re: Firewall forward chain problem

Tue Apr 22, 2014 9:50 pm

Because dst-natted connections are initiated from "outside" (from WAN). You must allow it in input and forward chain.
 
marcus65
newbie
Topic Author
Posts: 26
Joined: Fri Feb 08, 2013 4:15 am
Location: Brooklyn, New York

Re: Firewall forward chain problem

Tue Apr 22, 2014 10:57 pm

Thanks for the reply.
How do I "allow it in input and forward chain"?

I thought DST-NAT forwards desired traffic to the TO-ADDRESS and TO-PORT and records an ESTABLISHED connection. The rule in the forward chain (rule 8) allows all ESTABLISHED traffic (I thought).

If this is not the case, how do I re-write or add a rule to pass traffic from the server, out? With the server's LAN or WAN address and ports?
 
marcus65
newbie
Topic Author
Posts: 26
Joined: Fri Feb 08, 2013 4:15 am
Location: Brooklyn, New York

Re: Firewall forward chain problem

Mon Apr 28, 2014 7:06 pm

I'm surprised that all the forum experts can't answer this question!!
It seems pretty basic.

I went back and read the page on basic router configuration:
http://wiki.mikrotik.com/wiki/How_to_co ... P_firewall

and reviewed the MikroTik Packet Flow Diagram
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

and there is a gaping hole with regard to the relation between the “Forward” chain and the NAT chains (srcnat & dstnat). My problem clearly shows that putting a default drop at the end of my forward chain rules overrides dst-nat function!

Do I have adequate security using just NAT and getting rid of the connection state rules on the forward chain?? Because it seems that NAT and the connection state rules on the forward chain don't want to play with each other. Is this an either/or situation??
 
Rudios
Forum Veteran
Posts: 977
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Firewall forward chain problem

Tue Apr 29, 2014 8:30 am

It is actually quite simple.
If dst-nat rules are created, there needs to be a corresponding rule on the input or forward chain.
It depends on the destination. If the destination is the router itself, the input chain is hit. When the destination is behind the router (e.g. a webserver) the forward chain is hit.
So when allowing connections initiated from outside, create a NAT rule and a filter rule.
This obviously only applies when the filter chains end with a generic drop rule.

Regarding your comment on the packet diagram:
What happens is that when dst-nat is in charge, the destination address is changed. From that point onwards the translated address is used by the router so that should be used on the filter rules.
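The ordering Rudios describes (dstnat rewrites the address before the forward filter sees the packet, and the first packet of the flow is still connection-state=new) as an added model in Python; it is not code from the thread or from MikroTik. It replays the thread's own forward rules 7 to 10 and NAT rules 1 to 4 against a constructed client address (203.0.113.5) and shows the extra forward rule that lets the dst-natted connection through.

```python
# Toy model of the RouterOS packet flow for this thread's ruleset (added example,
# not code from the thread or from MikroTik). dstnat runs BEFORE the forward
# filter and conntrack marks the first packet of a flow "new", so the forward
# chain sees the client's SYN as a NEW connection whose destination is already
# 192.168.1.10. Rule 7 only accepts new from the LAN, so rule 10 drops it.
from ipaddress import ip_address, ip_network

WAN_IP, SERVER = "74.65.224.112", "192.168.1.10"      # from the thread
LAN = ip_network("192.168.1.0/24")
DSTNAT_PORTS = {80, 21, 143, 25}                       # nat rules 1-4 (to-port == dst-port)

def forward_rules(with_fix):
    """Ordered forward chain as a list of (matcher, action)."""
    rules = [(lambda p: p["state"] == "new" and ip_address(p["src"]) in LAN, "accept")]  # rule 7
    if with_fix:
        # Equivalent RouterOS rule, inserted before rule 8:
        # /ip firewall filter add chain=forward action=accept connection-state=new \
        #     protocol=tcp dst-address=192.168.1.10 dst-port=21,25,80,143 place-before=8
        rules.append((lambda p: p["state"] == "new" and p["dst"] == SERVER
                      and p["dport"] in DSTNAT_PORTS, "accept"))
    rules += [(lambda p: p["state"] == "established", "accept"),   # rule 8
              (lambda p: p["state"] == "related", "accept"),       # rule 9
              (lambda p: True, "drop")]                            # rule 10
    return rules

def run_packet(pkt, conntrack, with_fix):
    """Push one packet through dstnat -> conntrack -> forward; return (verdict, dst seen by filter)."""
    p = dict(pkt)
    if p["dst"] == WAN_IP and p["dport"] in DSTNAT_PORTS:  # nat rules 1-4 rewrite first
        p["dst"] = SERVER
    # conntrack: a flow already confirmed in either direction is "established"
    key = frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    p["state"] = "established" if key in conntrack else "new"
    for match, action in forward_rules(with_fix):
        if match(p):
            if action == "accept":
                conntrack.add(key)  # entry is confirmed only if the packet survives filtering
            return action, p["dst"]

def demo(with_fix):
    """Client SYN to the public address, then the server's reply (constructed client 203.0.113.5)."""
    ct = set()
    syn = {"src": "203.0.113.5", "sport": 51000, "dst": WAN_IP, "dport": 80}
    reply = {"src": SERVER, "sport": 80, "dst": "203.0.113.5", "dport": 51000}
    first = run_packet(syn, ct, with_fix)
    # the reply only exists if the SYN reached the server; otherwise the client retransmits
    second = run_packet(reply if first[0] == "accept" else syn, ct, with_fix)
    return first, second

if __name__ == "__main__":
    print(demo(False))   # (('drop', '192.168.1.10'), ('drop', '192.168.1.10'))
    print(demo(True))    # (('accept', '192.168.1.10'), ('accept', '203.0.113.5'))
```

Rule 8 accepting established traffic is not enough on its own because the entry it would match is only created once the first packet is accepted somewhere; the translated LAN address, not the public one, is what the filter rule must match.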
