Firewall Filters and Network Address Translation (NAT)

Document revision 1.12 (06-Sep-2003)
This document applies to the MikroTik RouterOS V2.7

Table of Contents
Summary
Specifications
Related documents
Description
Packet Flow
- Description
Firewall Setup
Network Address Translation
Marking the Packets (Mangle) and Changing the MSS
Connection Tracking
Service Ports
Troubleshooting
General Network Suggestions
IP Firewall Applications
Additional Resources

Summary

The firewall supports filtering and security functions that are used to manage data flows to the router, through the router, and from the router. Along with the Network Address Translation it serve as security tools for preventing unauthorized access to networks.

Specifications

Packages required : system
Licence required : Any
Home menu level : /ip firewall
Protocols utilized : IP (RFC791)
Hardware usage : Increases with rules count

Description

Network firewalls keep outside threats away from sensitive data available inside the network. Whenever different networks are joined together, there is always a threat that someone from outside of your network will break into your LAN. Such break-ins may result in private data being stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased. Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks. MikroTik RouterOS implements wide firewalling features as well as masquerading capabilities, which allows you to hide your network infrastructure from outside world.

Packet Flow

Description

MikroTik RouterOS simplifies the creation and deployment of a sophisticated firewall policies. In fact, you can easily create a simple one to filter your traffic or enable source NAT without need to know how packets are processed in the router. But in case you want to create more complicated policies, it is worth to know the underlying process details. IP packet flow through the router is depicted in the following diagram:

As we can see, a packet can enter the conveyer in two ways: whether the packet has come from an interface or whether it has been originated by the router. Analogically, a packet has two ways to leave the conveyer: through an outgoing interface or, in case the packet is locally destined, in the local process.

When the packet arrives to the router's interface, firewall rules are applied in the following order:

The NAT rules are applied first. The firewall rules of the input chain and routing are applied after the packet has passed the NAT rule set.
If the packet should be forwarded through the router, the firewall rules of the forward chain are applied next.
When a packet leaves an interface, firewall rules of the output chain are applied first, then the NAT rules and queuing.

Additional arrows from IPsec boxes shows the processing of encrypted packets (they need to be encrypted / decrypted first and then processed as usual, id est from the point an typical packet enters the router).

If the packet is bridged one, the 'Routing Decision' changes to 'Bridge Forwarding Decision'. And in case the bridge is forwarding non-IP packets, all things regarding IP protocol are not applicable ('Universal Client', 'Conntrack', 'Mangle', et cetera).

Firewall Setup

Submenu level : /ip firewall
Firewall can be managed through the WinBox Console as well. Go to IP Firewall and select the desired chain. Press the List button to access the rules of the selected chain.

Description

To view the byte and packet counters, use commands print bytes and print packets, correspondingly. To reset the counters, use the command reset-counters.

Firewall Chains

Submenu level: /ip firewall

Description

The firewall filtering rules are grouped together in chains. It is very advantageous, if packets can be matched against one common criterion in one chain, and then passed over for processing against some other common criteria to another chain. Let us assume that, for example, packets must be matched against the IP addresses and ports. Then matching against the IP addresses can be done in one chain without specifying the protocol ports. Matching against the protocol ports can be done in a separate chain without specifying the IP addresses.

The chain input is used to process packets entering the router through one of the interfaces with the destination of the router. Packets passing through the router are not processed against the rules of the input chain.

The chain forward is used to process packets passing through the router.

The chain output is used to process originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain.
These three chains cannot be deleted.

When processing a chain, rules are taken from the chain in the order they are listed there from the top to the bottom. If it matches the criteria of the rule, then the specified action is performed on the packet, and no more rules are processed in that chain. If the packet has not matched any rule within the chain, then the default policy action of the chain is performed.

The available policy actions are:

accept - Accept the packet
drop - Silently drop the packet (without sending the ICMP reject message)
none - N/A

You can change the chain policies by using the /ip firewall set command.

Usually packets should be matched against several criteria. More general filtering rules can be grouped together in a separate chain. To process the rules of additional chains, the jump action should be used to this chain from another chain.

The policy of user added chains is none, and it cannot be changed. Chains cannot be removed, if they contain rules (are not empty).

Notes

Because the NAT rules are applied first, it is important to hold this in mind when setting up firewall rules, since the original packets might be already modified by the NAT.
The packets passing through the router are not processed against the rules of neither the input, nor output chains!
Be careful about changing the default policy action to these chains! You may lose the connection to the router, if you change the policy to drop, and there are no rules in the chain, that allow connection to the router.

Example

The list of currently defined chains can be viewed using the /ip firewall print command:

[admin@MikroTik] ip firewall> print
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
[admin@MikroTik] ip firewall>

To add a new chain, use the /ip firewall add command:

[admin@MikroTik] ip firewall> add name=router
[admin@MikroTik] ip firewall> print
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
  3 router                                                               none
[admin@MikroTik] ip firewall>

Firewall Rules

Submenu level : /ip firewall rule chain_name

Description

Management of the firewall rules can be accessed by selecting the desired chain. If you use the WinBox console, select the desired chain and then press the List button on the toolbar to open the window with the rules.

Property Description

accept - accept the packet. No action, id est, the packet is passed through without undertaking any action, except for mangle, and no more rules are processed in the relevant list/chain

drop - Silently drop the packet (without sending the ICMP reject message)

jump - Jump to the chain specified by the value of the jump-target argument

passthrough - ignore this rule, except for mangle, go on to the next one Acts the same way as a disabled rule, except for ability to count and mangle packets

reject - reject the packet and send an ICMP reject message

return - return to the previous chain, from where the jump took place
disabled (yes | no; default: no) - is the rule disabled or not
in-interface (name; default: all) - interface the packet has entered the router through. If the default value all is used, it may include the local loopback interface for packets originated from the router
out-interface (name, default: all) - interface the packet is leaving the router from. If the default value all is used, it may include the local loopback interface for packets with destination to the router
src-port (port) - source port number or range (0-65535). 0 means all ports 1-65535
comment (text; default: "") - a descriptive comment for the rule
dst-address (IP adress; default: 0.0.0.0/0:0-65535) - destination IP address
jump-target (name) - Name of the target chain, if the action=jump is used
tcp-options (any | syn-only | non-syn-only; default: any) - TCP options
connection (text; default: "") - connection mark to match. Only connections (including related) marked in the MANGLE would be matched
dst-netmask (IP address) - destination netmask in decimal form x.x.x.x
limit-burst (integer; default: 0) - allowed burst regarding the limit-count/limit-time
protocol (ah | egp | ggp | icmp | ipencap | ospf | rspf | udp | xtp | all | encap | gre | idpr-cmtp | ipip | pup | st | vmtp | ddp | esp | hmp | igmp | iso-tp4 | rdp | tcp | xns-idp; default: any) - protocol setting. The value all cannot be used, if you want to specify ports
connection-state (any | established | invalid | new | related; default: any) - connection state.
dst-port (integer) - destination port number or range (0-65535). 0 means all ports 1-65535
limit-count (integer; default: 0) - how many times to use the rule during the limit-time period
src-address (IP adress; default: 0.0.0.0/0:0-65535) - source IP address
content (text; default: "") - the text packets should contain in order to match the rule
flow - flow mark to match. Only packets marked in the MANGLE would be matched
limit-time (time; default 0) - time interval, used in limit-count
src-mac-address (MAC adress; default: 00:00:00:00:00:00) - host's MAC address the packet has been received from.
icmp-options (default: any:any) - ICMP options
log ( yes | no; default: no) - specifies, to log the action or not
src-netmask (IP address) - source netmask in decimal form x.x.x.x

Notes

Keep in mind, that protocol must be explicity specified, if you want to select port.

Example

For instance, we want to reject packets with dst-port=8080:

[admin@MikroTik] ip firewall rule input> add dst-port=8080 protocol=tcp action=reject
[admin@MikroTik] ip firewall rule input> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:8080 out-interface=all protocol=tcp
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      sconnection="" content="" rc-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=reject log=no

[admin@MikroTik] ip firewall rule input>

Logging the Firewall Actions

To enable logging of the firewall actions you should set the value of the rule argument log to yes. Also, the logging facility should be enabled for firewall logs:

[admin@MikroTik] system logging facility> set Firewall-Log logging=local
[admin@MikroTik] system logging facility> print
  # FACILITY          LOGGING PREFIX           REMOTE-ADDRESS  REMOTE-PORT ECH
  0 Firewall-Log      local                                                no
  1 System-Info       local                                                no
  2 System-Error      local                                                no
  3 System-Warning    local                                                no
  4 Prism-Info        local                                                no
  5 Web-Proxy-Access  local                                                no
  6 Hotspot-Account   local                                                no
  7 OSPF-Info         local                                                no
  8 Hotspot-Error     local                                                no
  9 IPsec-Event       local                                                no
 10 IKE-Event         local                                                no
 11 IPsec-Warning     local                                                no
 12 System-Echo       local                                                yes

[admin@MikroTik] system logging facility>

You can send UDP log messages to a remote syslog host by specifying the remote address and port (usually 514). Local logs can be viewed using the /log print command:

[admin@MikroTik] > log print without-paging
...
 mar/11/2003 17:44:55 chain added by admin
 mar/11/2003 17:45:51 rule added by admin
 mar/11/2003 18:00:26 web proxy cache size is limited by memory size

[admin@MikroTik] >

Network Address Translation

Description

Network Address Translation (NAT) provides ways for hiding local networks as well as to maintain public services on servers from these networks. Besides, through NAT additional applications like transparent proxy service can be made.

Property Description

The src-nat and the dst-nat have some common properties listed below. In turn, properties specific to each type of NAT will be listed under appropriate headers.

dst-address (IP adress; default: 0.0.0.0/0:0-65535) - destination IP address
src-address (IP adress; default: 0.0.0.0/0:0-65535) - source IP address
flow - flow mark to match. Only packets marked in the MANGLE would be matched
limit-time (time; default 0) - time interval, used in limit-count
protocol (ah | egp | ggp | icmp | ipencap | ospf | rspf | udp | xtp | all | encap | gre | idpr-cmtp | ipip | pup | st | vmtp | ddp | esp | hmp | igmp | iso-tp4 | rdp | tcp | xns-idp; default: any) - protocol setting. The value all cannot be used, if you want to specify ports
icmp-options (default: any:any) - ICMP options
content (text; default: "") - the text packets should contain in order to match the rule
comment (text; default: "") - a descriptive comment for the rule
connection (text; default: "") - connection mark to match. Only connections (including related) marked in the MANGLE would be matched
limit-burst (integer; default: 0) - allowed burst regarding the limit-count/limit-time
limit-count(integer; default: 0) - how many times to use the rule during the limit-time period
src-netmask (IP address) - source netmask in decimal form x.x.x.x
src-port (port) - source port number or range (0-65535). 0 means all ports 1-65535
dst-netmask (IP address) - destination netmask in decimal form x.x.x.x
dst-port (integer) - destination port number or range (0-65535). 0 means all ports 1-65535

Masquerading and Source NAT

Submenu level : /ip firewall src-nat

Description

Masquerading is a firewall function that can be used to 'hide' private networks behind one external IP address of the router. For example, masquerading is useful, if you want to access the ISP's network and the Internet appearing as all requests coming from one single IP address given to you by the ISP. The masquerading will change the source IP address and port of the packets originated from the private network to the external address of the router, when the packet is routed through it.

Masquerading helps to ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. Masquerading also conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world.

Property Description

action (accept | masquerade | nat; default: accept) - action to undertake if a packed matched a particular src-nat rule, one of the:

accept - Accept the packet. No action, id est, the packet is passed through without undertaking any action, except for mangle, and no more rules are processed in the relevant list/chain

masquerade - use masquerading for the packet and substitute the source address:port of the packet with the ones of the router. In this case, the to-src-address argument value is not taken into account and it does not need to be specified, since the router's local address is used

nat - perform Network Address Translation. The to-src-address should be specified (not required with action=masquerade)
out-interface (name; default: all) - interface the packet is leaving the router from. If the default value all is used, it may include the local loopback interface for packets with destination to the router
to-src-address (IP address; default: 0.0.0.0) - source address to replace original source address with
to-src-port (integer; default: 0-65535) - source port to replace original source port with

Example

To use masquerading, a source NAT rule with action=masquerade should be added to the src-nat rule set:

[admin@MikroTik] ip firewall src-nat> add src-address=10.5.91.0/24:0 \
\... out-interface=Public action=masquerade
[admin@MikroTik] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
  0   src-address=10.5.91.0/24:0-65535 dst-address=0.0.0.0/0:0-65535
      out-interface=Public protocol=all icmp-options=any:any flow=""
      connection="" content="" limit-count=0 limit-burst=0 limit-time=0s
      action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535

[admin@MikroTik] ip firewall src-nat>

If the packet matches the masquerade rule, then the router opens a connection to the destination, and sends out a modified packet with its own address and a port allocated for this connection. The router keeps track about masqueraded connections and performs the "demasquerading" of packets, which arrive for the opened connections. For filtering purposes, you may want to specify the to-src-ports argument value, say, to 60000-65535.

If you want to change the source address:port to specific adress:port, use the action=nat instead of action=masquerade:

[admin@MikroTik] ip firewall src-nat> add src-address=192.168.0.1/32 action=nat \
\... out-interface=Public to-src-address=10.10.10.5
[admin@MikroTik] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
  4   src-address=192.168.0.1/32:0-65535 dst-address=0.0.0.0/0:0-65535
      out-interface=Public protocol=all icmp-options=any:any flow=""
      connection="" content="" limit-count=0 limit-burst=0 limit-time=0s
      action=nat to-src-address=10.10.10.5 to-src-port=0-65535

[[admin@MikroTik] ip firewall src-nat>

Here, the
src-address - can be IP host's address, for example, 192.168.0.1/32, or network address 192.168.0.0/24
to-src-address - can be one address, or a range, say 10.0.0.217-10.0.0.219. The addresses should be added to the router's interface, or should be routed to it from the gateway router.

The source nat can masquerade several private networks, and use individual to-src-address for each of them.

Redirection and Destination NAT

Submenu level : /ip firewall dst-nat

Description

Redirection and destination NAT should be used when you need to give access to services located on a private network from the outside world.

Property Description

action (accept | nat | redirect; default: accept) - action to undertake if a packed matched a particular dst-nat rule, one of the:

accept - Accept the packet. No action, id est, the packet is passed through without undertaking any action, except for mangle, and no more rules are processed in the relevant list/chain

redirect - redirects to the local address:port of the router. In this case, the to-dst-address argument value is not taken into account and it does not need to be specified, since the router's local address is used.

nat - perform Network Address Translation. The to-dst-address should be specified (not required with action=redirect)
in-interface (name; default: all) - interface the packet has entered the router through. If the default value all is used, it may include the local loopback interface for packets originated from the router
to-dst-port (integer; default: 0-65535) - destination port to replace original with
src-mac-address (MAC adress; default: 00:00:00:00:00:00) - host's MAC address the packet has been received from
to-dst-address (IP address; default: 0.0.0.0) - destination IP address to replace original with

Example

To add a destination NAT rule that gives access to the http server 192.168.0.4 on the local network via external address 10.0.0.217, use the following command:

[admin@MikroTik] ip firewall dst-nat> add action=nat protocol=tcp \
\... dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[admin@MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
  0   src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=10.0.0.217/32:80 protocol=tcp icmp-options=any:any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00
      limit-count=0 limit-burst=0 limit-time=0s action=nat
      to-dst-address=192.168.0.4 to-dst-port=0-65535

[admin@MikroTik] ip firewall dst-nat>

Here, if you want to redirect to the router's local address, use action=redirect and do not specify the to-dst-address.

Understanding REDIRECT and MASQUERADE

REDIRECT is similar to regular destination NAT in the same way as MASQUERADING is similar to source NAT - masquerading is source NAT, except you do not have to specify to-src-address - outgoing interface address is used automatically. The same with REDIRECT - it is destination NAT where to-dst-address is not used - incoming interface address is used instead. So there is no use of specifying to-src-address for src-nat rules with action=masquerade, and no use of specifying to-dst-address for dst-nat rules with action=redirect. Note that to-dst-port is meaningful for REDIRECT rules - this is port on which service on router that will handle these requests is sitting (e.g. web proxy).

When packet is dst-natted (no matter - action=nat or action=redirect), dst address is changed. Information about translation of addresses (including original dst address) is kept in router's internal tables. Transparent web proxy working on router (when web requests get redirected to proxy port on router) can access this information from internal tables and get address of web server from them. If you are dst-natting to some different proxy server, it has no way to find web server's address from IP header (because dst address of IP packet that previously was address of web server has changed to address of proxy server). Starting from HTTP/1.1 there is special header in HTTP request which tells web server address, so proxy server can use it, instead of dst address of IP packet. If there is no such header (older HTTP version on client), proxy server can not determine web server address and therefore can not work.

It means, that it is impossible to correctly transparently redirect HTTP traffic from router to some other transparent-proxy box. Only correct way is to add transparent proxy on the router itself, and configure it so that your "real" proxy is parent-proxy. In this situation your "real" proxy does not have to be transparent any more, as proxy on router will be transparent and will forward proxy-style requests (according to standard; these requests include all necessary information about web server) to "real" proxy.

Marking the Packets (Mangle) and Changing the MSS

Submenu level : /ip firewall mangle

Description

Packets entering the router can be marked for further processing them against the rules of firewall chains, source or destination NAT rules, as well as for applying queuing to them.

It is also possible to mark the packets associated (including related) with the same connection as the marked packet (in other words, to mark a connection with all related connections, you need to mark only one packet belonging to that connection).

You may also want to change the TCP Maximum Segment Size (MSS), to a value which is your desired MTU value less 40. The MSS can be set only for TCP SYN packets.

Property Description

action (accept | passthrough; default: accept) - ation to undertake if the packet matches the rule, one of the:

accept - accept the packet applying the appropriate attributes (marks, MSS), and no more rules are processed in the list

passthrough - apply the appropriate attributes (marks, MSS), and go on to the next rule
disabled (yes | no; default: no) - is the rule disabled or not
in-interface (name; default: all) - interface the packet has entered the router through. If the default value all is used, it may include the local loopback interface for packets originated from the router
src-address (IP adress; default: 0.0.0.0/0:0-65535) - source IP address
src-netmask (IP address) - source netmask in decimal form x.x.x.x
src-port (port) - source port number or range (0-65535). 0 means all ports 1-65535
comment (text; default: "") - a descriptive comment for the rule
dst-address (IP adress; default: 0.0.0.0/0:0-65535) - destination IP address
dst-netmask (IP address) - destination netmask in decimal form x.x.x.x
dst-port (integer) - destination port number or range (0-65535). 0 means all ports 1-65535
tcp-options (any | syn-only | non-syn-only; default: any) - TCP options
icmp-options (default: any:any) - ICMP options
protocol (ah | egp | ggp | icmp | ipencap | ospf | rspf | udp | xtp | all | encap | gre | idpr-cmtp | ipip | pup | st | vmtp | ddp | esp | hmp | igmp | iso-tp4 | rdp | tcp | xns-idp; default: any) - protocol setting. The value all cannot be used, if you want to specify ports
content (text; default: "") - the text packets should contain in order to match the rule
flow (text; default: "") - flow mark to match. Only packets marked in the MANGLE would be matched
connection (text; default: "") - connection mark to match. Only connections (including related) marked in the MANGLE would be matched
limit-burst (integer; default: 0) - allowed burst regarding the limit-count/limit-time
limit-count (integer; default: 0) - how many times to use the rule during the limit-time period
limit-time (time; default 0) - time interval, used in limit-count
src-mac-address (MAC adress; default: 00:00:00:00:00:00) - host's MAC address the packet has been received from.
log ( yes | no; default: no) - specifies, to log the action or not
mark-flow (text; default: "") - change flow-mark of the packet to this value
mark-connection (text; default: "") - change connection-mark of the packet to this value
tcp-mss (intereg | dont-change; default: dont-change - change MSS of the packet or:

dont-change - leave MSS of the packet as is

Example

Specify the value for the mark-flow argument and use action=passthrough, for example:

[admin@MikroTik] ip firewall mangle> add action=passthrough mark-flow=abc-all
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
  0   src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 protocol=all tcp-options=any
      icmp-options=any:any flow="" connection="" content=""
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
      limit-time=0s action=passthrough mark-flow=abc-all tcp-mss=dont-change
      mark-connection=""

[admin@MikroTik] ip firewall mangle>

To change the MSS, adjust the tcp-mss argument. For example, if your if you have encrypted PPPoE link with MTU = 1492, you can set the mangle rule as follows:

[admin@MikroTik] ip firewall mangle> add protocol=tcp tcp-options=syn-only\
\.. action=passthrough tcp-mss=1448
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
  0   src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 protocol=tcp tcp-options=syn-only
      icmp-options=any:any flow="" connection="" content=""
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
      limit-time=0s action=passthrough mark-flow="" tcp-mss=1448
      mark-connection=""

[admin@MikroTik] ip firewall mangle>

Connection Tracking

Submenu level : /ip firewall connection

Description

This feature provides a facility for monitoring connections made through the router and their states.

Property Description

src-address (read-only: IP address:port) - the source address and port the connection is established from
dst-address (read-only: IP address:port) - the destination address and port the connection is established to
protocol (read-only: text) - IP protocol name or number
tcp-state (read-only: text) - the state of TCP connection
timeout (read-only: time) - the amount of time until the connection will be timed out
reply-src-address (read-only: IP address:port) - the source address and port the reply connection is established from
reply-dst-address (read-only: IP address:port) - the destination address and port the reply connection is established to
assured (read-only: true | false) - shows whether the connection is assured
icmp-id (read-only: integer) - contains the ICMP ID. Each ICMP packet gets an ID set to it when it is sent, and when the receiver gets the ICMP message, it sets the same ID within the new ICMP message so that the sender will recognize the reply and will be able to connect it with the appropriate ICMP request
icmp-option (read-only: integer:integer) - the ICMP type and code fields
reply-icmp-id (read-only: integer) - contains the ICMP ID of received packet
reply-icmp-option (read-only: integer:integer) - the ICMP type and code fields of received packet
unreplied (read-only: true | false) - shows whether the request was unreplied

Connection timeouts

Here comes a list of connection timeouts:

TCP SYN sent (First stage in establishing a connection) = 2min.

TCP SYN recvd (Second stage in establishing a connection) = 60sec.

Established TCP connections (Third stage) = 5 days.

TCP FIN wait (connection termination) = 2min.

TCP TIME wait (connection termination) = 2min.

TCP CLOSE (remote party sends RTS) = 10sec.

TCP CLOSE wait (sent RTS) = 60sec.

TCP LAST ACK (received ACK) = 30sec.

TCP Listen (ftp server waiting for client to establish data connection) = 2min.

UDP timeout = 30sec.

UDP with reply timeout (remote party has responded) = 180sec.

ICMP timeout = 30sec.

All other = 10min.

Example

[admin@MikroTik] ip firewall connection> print
Flags: U - unreplied, A - assured
  #    SRC-ADDRESS           DST-ADDRESS           PR.. TCP-STATE   TIMEOUT
  0  A 10.5.91.205:1361      10.5.0.23:22          tcp  established 4d23h59m55s
  1  A 10.5.91.205:1389      10.5.5.2:22           tcp  established 4d23h59m21s
  2  A 10.5.91.205:1373      10.5.91.254:3986      tcp  established 4d23h59m56s
  3  A 10.5.91.205:1377      159.148.172.3:23      tcp  established 4d23h35m14s
  4  A 80.232.241.3:1514     159.148.172.204:1723  tcp  established 4d23h59m53s
  5    159.148.172.204       80.232.241.3          47               9m21s
[admin@MikroTik] ip firewall connection>

Service Ports

Submenu level : /ip firewall service-port

Description

This submenu allows to configure Connection Tracking 'helpers' for various protocols. They are used to provide correct NAT traversal for the traffic of these protocols.

Property Description

name (read-only: name) - protocol name
ports (integer) - port range that is used by the protocol

Example

To disable h323 service port:

[admin@MikroTik] ip firewall service-port> set h323 disabled=yes
[admin@MikroTik] ip firewall service-port> print
Flags: X - disabled
  #   NAME                                                                PORTS
  0   ftp                                                                 21
  1   pptp
  2   gre
  3 X h323
  4   mms
  5   irc                                                                 6667
  6   quake3

[admin@MikroTik] ip firewall service-port>

Troubleshooting

I set the policy for the input chain to drop, and I lost connection to the router
You should add rules to the chain allowing required communications, and only then change the default policy of the chain!
I put up filtering rules, but they seem not to work
Use the Firewall logging to see, whether you are matching the packets with your rules or not! The most common mistake is wrong address/netmask, e.g., 10.0.0.217/24 (wrong), 10.0.0.217/32 (right), or 10.0.0.0/24 (right).
I am trying to use policy routing based on source addresses and masquerading, but it does not work.
Masqueraded packets have source address 0.0.0.0 at the moment when they are processed according to the routing table. Therefore it is not possible to have masquerading with different source address. See the Routes Manual for more information.

General Network Suggestions

Implement an environment where users are required to log on to use computer resources. This provides a foundation from which suspicious activity can be traced.

Make use of HotSpot technology. Doing so provides safe, yet flexible network resources access to end user.

Provide sufficient training to end-users. Especially be sure that users are aware of the dangers of not logging off their computers. Such dangers include the ability of a third-party to sit at an "open" computer and assume the user�s identity. The unauthorized person has all the rights and privileges of the logged in user. Any suspicious activity will be traced back to the user�s login, not to the unauthorized person.

Make use of user activities and system activity logs analysis. Doing so enables the organization to detect suspicious activity before a full-blown break-in occurs.

Some public structures like libraries, univercities, airport and some schools have "public" computers anyone can use. In order to minimize the threat of unauthorized access to network resources, install these computers on a "public" network segment, so that internal network resources can not be reachable without authorization.

IP Firewall Applications

In this section some IP firewalling common applications and examples of them are discussed.

Basic Firewall Building Principles

Assume we have a router that connects a customer's network to the Internet. The basic firewall building principles can be grouped as follows:

Protection of the router from unauthorized access
Connections to the addresses assigned to the router itself should be monitored. Only access from certain hosts to certain TCP ports of the router should be allowed.
This can be done by putting rules in the input chain to match packets with the destination address of the router entering the router through all interfaces.
Protection of the customer's hosts
Connections to the addresses assigned to the customer's network should be monitored. Only access to certain hosts and services should be allowed.
This can be done by putting rules in the forward chain to match packets passing through the router with the destination addresses of customer's network.
Using source NAT (masquerading) to 'Hide' the Private Network behind one External Address
All connections form the private addresses are masqueraded, and appear as coming from one external address - that of the router.
This can be done by enabling the masquerading action for source NAT rules.
Enforcing the Internet Usage Policy from the Customer's Network
Connections from the customer's network should be monitored.
This can be done by putting rules in the forward chain, or/and by masquerading (source NAT) only those connections, that are allowed.

Filtering has some impact on the router's performance. To minimize it, the filtering rules that match packets for established connections should be placed on top of the chain. These are TCP packets with options non-syn-only.

Examples of setting up firewalls are discussed below.

Example of Firewall Filters

Assume we want to create a firewall, that:

protects the MikroTik router from unauthorized access from anywhere. Only access from the 'trusted' network 10.5.8.0/24 is allowed.
protects the customer's hosts within the network 192.168.0.0/24 from unauthorized access from anywhere.
gives access from the Internet to the http and smtp services on 192.168.0.17
Allows only ICMP ping from all customer's hosts and forces use of the proxy server on 192.168.0.17

The basic network setup is in the following diagram:

Firewall

The IP addresses and routes of the MikroTik router are as follows:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.217/24      10.0.0.0        10.0.0.255      Public
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local
[admin@MikroTik] > ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
    0  S 0.0.0.0/0          r 10.0.0.254      1        Public
    1 DC 192.168.0.0/24     r 0.0.0.0         0        Local
    2 DC 10.0.0.0/24        r 0.0.0.0         0        Public
[admin@MikroTik] >

Protecting the Router

To protect the router from unauthorized access, we should filter out all packets with the destination addresses of the router, and accept only those are allowed. Since all packets with destination to the router's address are processed against the input chain, we can add the following rules to it:

[admin@MikroTik] > ip firewall rule input
[admin@MikroTik] ip firewall rule input> add protocol=tcp tcp-option=non-syn-only \
\... connection-state=established comment="Allow established TCP connections"
[admin@MikroTik] ip firewall rule input> add protocol=udp comment="Allow UDP connections"
[admin@MikroTik] ip firewall rule input> add protocol=icmp comment="Allow ICMP messages"
[admin@MikroTik] ip firewall rule input> add src-addr=10.5.8.0/24 \
\... comment="Allow access from 'trusted' network 10.5.8.0/24"
[admin@MikroTik] ip firewall rule input> add action=reject log=yes \
\... comment="Reject and log everything else"
[admin@MikroTik] ip firewall rule input> print
Flags: X - disabled, I - invalid, D - dynamic
  0   ;;; Allow established TCP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=tcp
      icmp-options=any:any tcp-options=non-syn-only
      connection-state=established flow="" connection="" content=""
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
      limit-time=0s action=accept log=no

  1   ;;; Allow UDP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=udp
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=accept log=no

  2   ;;; Allow ICMP messages
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=accept log=no

  3   ;;; Allow access from 'trusted' network 10.5.8.0/24 of ours
      src-address=10.5.8.0/24:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=accept log=no

  4   ;;; Reject and log everything else
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=reject log=yes

[admin@MikroTik] ip firewall rule input>

Thus, the input chain will accept only allowed connections and reject and log everything else.

Protecting the Customer's Network

To protect the customer's network, we should match all packets with destination address 192.168.0.0/24 that are passing through the router. This can be done in the forward chain. We can match the packets against the IP addresses in the forward chain, and then jump to another chain, say, customer. We create the new chain and add rules to it:

[admin@MikroTik] ip firewall> add name=customer
[admin@MikroTik] ip firewall> print
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
  3 router                                                               none
  4 customer                                                             none
[admin@MikroTik] ip firewall> rule customer
[admin@MikroTik] ip firewall rule customer> add protocol tcp tcp-option non-syn-only \
\... connection-state=established comment="Allow established TCP connections"
[admin@MikroTik] ip firewall rule customer> add protocol udp \
\... comment="Allow UDP connections"
[admin@MikroTik] ip firewall rule customer> add protocol icmp \
\... comment="Allow ICMP messages"
[admin@MikroTik] ip firewall rule customer> add protocol tcp tcp-option syn-only \
\... dst-address 192.168.0.17/32:80 \
\... comment="Allow http connections to the server at 192.168.0.17"
[admin@MikroTik] ip firewall rule customer> add protocol tcp tcp-option syn \
\... dst-address 192.168.0.17/32:25 \
\... comment="Allow smtp connections to the server at 192.168.0.17"
[admin@MikroTik] ip firewall rule customer> add protocol tcp tcp-option syn \
\... src-port 20 dst-port 1024-65535 \
\... comment="Allow ftp data connections from servers on the Internet"
[admin@MikroTik] ip firewall rule customer> add action reject log yes \
\... comment="Reject and log everything else"
[admin@MikroTik] ip firewall rule customer> print
Flags: X - disabled, I - invalid
  0   ;;; Allow established TCP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=tcp
      icmp-options=any:any tcp-options=non-syn-only
      connection-state=established flow="" connection="" content=""
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
      limit-time=0s action=accept log=no

  1   ;;; Allow UDP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=udp
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=accept log=no

  2   ;;; Allow ICMP messages
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=accept log=no

  3   ;;; Allow http connections to the server at 192.168.0.17
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=192.168.0.17/32:80 out-interface=all protocol=tcp
      icmp-options=any:any tcp-options=syn-only connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=accept log=no

  4   ;;; Allow smtp connections to the server at 192.168.0.17
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=192.168.0.17/32:25 out-interface=all protocol=tcp
      icmp-options=any:any tcp-options=syn-only connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=accept log=no

  5   ;;; Allow ftp data connections from servers on the Internet
      src-address=0.0.0.0/0:20 in-interface=all
      dst-address=0.0.0.0/0:1024-65535 out-interface=all protocol=tcp
      icmp-options=any:any tcp-options=syn-only connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=accept log=no

  6   ;;; Reject and log everything else
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=reject log=yes

[admin@MikroTik] ip firewall rule customer>

Note about the rule #5: active ftp data connections are made from the server's port 20 to the client's tcp port above 1024.

All we have to do now is to put rules in the forward chain, that match the IP addresses of the customer's hosts on the Local interface and jump to the customer chain:

[admin@MikroTik] ip firewall rule forward> add out-interface=Local action=jump \
\... jump-target=customer
[admin@MikroTik] ip firewall rule forward> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=Local protocol=all
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=jump jump-target=customer log=no

[admin@MikroTik] ip firewall rule forward>

Thus, everything that passes the router and leaves the Local interface (destination of the customer's network) will be processed against the firewall rules of the customer chain.

Enforcing the "Internet Policy"

To force the customer's hosts to access the Internet only through the proxy server at 192.168.0.17, we should put following rules in the forward chain:

[admin@MikroTik] ip firewall rule forward> add protocol icmp out-interface Public \
\... comment="Allow ICMP ping packets"
[admin@MikroTik] ip firewall rule forward> add src-address 192.168.0.17/32 out-interface \
\... Public comment="Allow outgoing connections form the server at 192.168.0.17"
[admin@MikroTik] ip firewall rule forward> add action reject out-interface Public log yes \
\... comment="Reject and log everything else"
[admin@MikroTik] ip firewall rule forward> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=Local protocol=all
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=jump jump-target=customer log=no

  1   ;;; Allow ICMP ping packets
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=icmp
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=accept log=no

  2   ;;; Allow outgoing connections form the server at 192.168.0.17
      src-address=192.168.0.17/32:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=all
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=accept log=no

  3   ;;; Reject and log everything else
      src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=all
      icmp-options=any:any tcp-options=any connection-state=any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=reject log=yes

[admin@MikroTik] ip firewall rule forward>

Example of Source NAT (Masquerading)

If you want to "hide" the private LAN 192.168.0.0/24 "behind" one address 10.0.0.217 given to you by the ISP (see the network diagram in the Application Example above), you should use the source network address translation (masquerading) feature of the MikroTik router. The masquerading will change the source IP address and port of the packets originated from the network 192.168.0.0/24 to the address 10.0.0.217 of the router when the packet is routed through it.

To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:

[admin@MikroTik] ip firewall src-nat> add action=masquerade out-interface=Public
[admin@MikroTik] ip firewall src-nat> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535
      out-interface=Public protocol=all icmp-options=any:any flow=""
      connection="" content="" limit-count=0 limit-burst=0 limit-time=0s
      action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535

[admin@MikroTik] ip firewall src-nat>

All outgoing connections from the network 192.168.0.0/24 will have source address 10.0.0.217 of the router and source port above 1024. No access from the Internet will be possible to the Local addresses. If you want to allow connections to the server on the local network, you should use destination Network Address Translation (NAT).

Example of Destination NAT

Assume you need to configure the MikroTik router for the following network setup, where the server is located in the private network area:

The server has address 192.168.0.4, and we are running web server on it that listens to the TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80. This can be done by means of destination Network Address Translation (NAT) at the MikroTik Router. The Public address:port 10.0.0.217:80 will be translated to the Local address:port 192.168.0.4:80. One destination NAT rule is required for translating the destination address and port:

[admin@MikroTik] ip firewall dst-nat> add action=nat protocol=tcp \
\... dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[admin@MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=10.0.0.217/32:80 protocol=tcp icmp-options=any:any flow=""
      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
      limit-burst=0 limit-time=0s action=nat to-dst-address=192.168.0.4
      to-dst-port=0-65535

[admin@MikroTik] ip firewall dst-nat>

Additional Resources

Read about connection tracking at
http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html
Read more about NAT in RFC2663