Last updated: 2017-06-13
Chain 與 Action
Chain
- input
- forward
- output
Specifies the chain the rule is added to.
Firewall filtering rules are grouped together in chains.
If the name given does not match an already defined chain, a new chain with that name is created.
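As an added example (not from the original notes): because a rule whose chain= names an undefined chain creates that chain, a custom chain is built just by adding rules to it and jumping into it from a built-in chain. The interface name ether1 (WAN) and SSH on tcp/2222 are assumptions.

```routeros
# Added example: a custom chain is created implicitly by the first rule that names it.
# Assumptions: ether1 = WAN, tcp/2222 = SSH on a non-standard port.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="state first, cheapest match"
add chain=input connection-state=invalid action=drop
# Hand every remaining packet that arrived on ether1 to the custom chain "wan-input".
add chain=input in-interface=ether1 action=jump jump-target=wan-input comment="WAN packets go to a custom chain"
# No chain named "wan-input" exists yet; this rule creates it.
add chain=wan-input protocol=icmp action=accept
add chain=wan-input protocol=tcp dst-port=2222 connection-state=new action=accept comment="SSH"
# Terminating rule: without it, a packet matching nothing in wan-input would
# fall off the end (implicit return) and continue with the rules after the jump.
add chain=wan-input action=drop comment="nothing else from WAN reaches the router"
# Only packets that did not come from ether1 get here.
add chain=input action=accept comment="LAN may talk to the router"
/ip firewall filter print where chain=wan-input
```

The jump is what makes the custom chain do anything; a chain with rules but no jump into it is never evaluated.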
Routing Diagram
- PRE -> INPUT -> OS (packets addressed to the router itself)
- PRE -> FORWARD -> POST (packets routed through the router)
- OUTPUT -> POST (packets originated by the router)
Section
INPUT = MANGLE INPUT -> FILTER INPUT
FORWARD = MANGLE FORWARD -> FILTER FORWARD
OUTPUT = RAW -> CONNECTION TRACKING -> MANGLE -> FILTER
PRE = RAW -> CONNECTION TRACKING -> MANGLE -> DST-NAT
POST = MANGLE -> SRC-NAT
Action
- dst-nat
- src-nat
to-addresses (IP address[-IP address]; Default: 0.0.0.0)
Replace original address with specified one. Applicable if action is dst-nat, netmap, same, src-nat
dst-nat and src-nat at the same time
Each IP packet goes through the dstnat chain after entering the router (before the routing decision),
and through the srcnat chain before leaving the router.
So both a src-nat rule and a dst-nat rule can apply to the same connection.
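Added example (not from the original notes) of one connection that gets both: hairpin NAT, where a LAN host connects to the router's public address for a published service. Assumptions: ether1 = WAN with public address 203.0.113.10, LAN 192.168.0.0/24, internal server 192.168.0.2 listening on tcp/22 and published on tcp/2222 (as in the connection table above).

```routeros
# Added example: the same connection traverses dstnat (before routing) and srcnat
# (before leaving), so both NAT actions apply to it.
# Assumptions: ether1 = WAN, public IP 203.0.113.10, LAN 192.168.0.0/24, server 192.168.0.2.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> Internet"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=2222 action=dst-nat to-addresses=192.168.0.2 to-ports=22 comment="publish SSH"
# Hairpin part 1: a LAN client that connects to 203.0.113.10:2222 also needs the dst-nat.
# It arrives on the LAN side, so match on dst-address rather than in-interface.
add chain=dstnat src-address=192.168.0.0/24 dst-address=203.0.113.10 protocol=tcp dst-port=2222 action=dst-nat to-addresses=192.168.0.2 to-ports=22 comment="hairpin dst-nat"
# Hairpin part 2: without src-nat, 192.168.0.2 would answer the LAN client directly
# from 192.168.0.2; the client expects the reply from 203.0.113.10 and drops it.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.2 protocol=tcp dst-port=22 action=masquerade comment="hairpin src-nat"
# The hairpinned connection shows both the "s" (srcnat) and "d" (dstnat) flags here:
/ip firewall connection print where dst-address~"^192\\.168\\.0\\.2:22\$"
```

The plain port forward from the Internet only has the "d" flag; the hairpin entry is the one that proves both chains acted on one connection.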
Connection Monitor
/ip firewall connection
/ip firewall connection> print
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
 #      PR..  SRC-ADDRESS            DST-ADDRESS         TCP-STATE
 0 SAC  tcp   115.160.172.18:55317   192.168.0.2:2222    established
 1 S C  icmp  192.168.0.2            192.168.3.254
 2 SAC  tcp   115.160.172.18:59484   192.168.0.2:2222    established
 3 S C  icmp  192.168.0.2            192.168.1.254
* The outer IPsec layer of the traffic is not visible here, only the decapsulated inner connections [ IPSEC [ PAYLOAD ] ]
Flags
A - assured
It will not be erased if the maximum possible tracked connection count is reached.
C - confirmed
The first packet has been sent out (the entry is committed to the table).
S - seen-reply
The other side has replied (packets seen in both directions).
Setting
/ip firewall connection tracking
View
/ip firewall connection tracking> print
enabled (yes | no | auto; Default: auto)
Disabling connection tracking will cause several firewall features to stop working, e.g.:
connection-bytes
connection-mark
udp-timeout (time; Default: 10s)
Specifies the timeout for UDP connections that have seen packets in one direction only
udp-stream-timeout (time; Default: 3m)
Specifies the timeout for UDP connections that have seen packets in both directions
icmp-timeout (time; Default: 10s)
# Read-only properties
max-entries: 524288
# Currently connection table holds
total-entries: 3
Set
/ip firewall connection tracking> set icmp-timeout 5s
# Filter by IP (where)
/ip firewall connection print where src-address~"115.160"
# find alone shows nothing:
/ip firewall connection find src-address~"115.160"
# find does work; it returns the matching item IDs but prints nothing by itself. Feed them to print:
/ip firewall connection print from=[find src-address~"192.168.20.121"]
Remove connection entries by IP
/ip firewall connection remove [find src-address~"192.168.20.121"]
Or flush the whole table by toggling connection tracking (every NAT and stateful filter rule stops working during the 10 s window, so only do this in a maintenance window):
/ip firewall connection tracking set enabled=no
:delay 10s
/ip firewall connection tracking set enabled=yes
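Added example (not from the original notes) that puts the find/get/remove pattern into a script: list the tracked connections from one prefix, then remove only those, instead of flushing the whole table. The prefix 192.168.20.0/24 is taken from the commands above; note that ~ is a regexp match, so the dots are escaped.

```routeros
# Added example: selective flush of the connection table from a script.
# "~" is a regexp match: "192.168.20" unescaped would also match 192.168.200.x,
# so anchor and escape the dots.
:local prefix "^192\\.168\\.20\\."
:local ids [/ip firewall connection find where src-address~$prefix]
:put ("tracked connections from 192.168.20.0/24: " . [:len $ids])
:foreach id in=$ids do={
    :local proto [/ip firewall connection get $id protocol]
    :local src   [/ip firewall connection get $id src-address]
    :local dst   [/ip firewall connection get $id dst-address]
    :put ($proto . " " . $src . " -> " . $dst)
}
# Remove only those entries. The hosts re-create state with their next packet
# (connection-state=new), which also picks up any NAT/filter changes made meanwhile.
/ip firewall connection remove $ids
```

Run it from /system script or paste it into the terminal; with no matching entries the loop body never runs and remove gets an empty list.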
connection-nat-state
connection-nat-state (srcnat | dstnat; Default: )
Think of it as a way to write one allow-all rule for dst-nat or src-nat traffic without needing both a NAT-table rule and a matching filter-table rule for every forwarded port.
Note that for connection-state=related connections the connection-nat-state is determined by the direction of the first packet. If connection tracking has to use dst-nat to deliver a related connection to the same host as its main connection, that related connection will be in connection-nat-state=dstnat
even if there are no dst-nat rules at all.
connection-state
masquerade
Firewall NAT action=masquerade is a special variant of action=src-nat, designed for situations where the public IP can change at any time, for example when a DHCP server reassigns it.
Every time the interface disconnects and/or its IP address changes, the router clears all masqueraded connection tracking entries that sent packets out that interface, improving recovery time after the public IP change. With an alternative route present this has a side effect:
- on disconnect, all related connection tracking entries are purged;
- the next packet of every purged (previously masqueraded) connection enters the firewall as connection-state=new and, if the primary interface is not back, is routed out via the alternative route (if you have any), creating a new connection there;
- when the primary link comes back, routing is restored over it, so packets belonging to those existing connections are sent over the primary interface without being masqueraded, leaking local IPs to the public network.
You can work around this by creating a blackhole route as the alternative to the route that might disappear on disconnect.
When action=src-nat is used instead, connection tracking entries remain and connections simply resume.
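Added example (not from the original notes) showing the two src-nat choices side by side and the blackhole workaround described above. Assumptions: ether1 = primary WAN with gateway 203.0.113.1 and public address 203.0.113.10; RouterOS v6 syntax (type=blackhole on /ip route).

```routeros
# Added example: masquerade vs src-nat, and the blackhole guard against leaking
# unmasqueraded LAN addresses after a link flap.
# Assumptions: ether1 = WAN, gateway 203.0.113.1, static public IP 203.0.113.10.
/ip firewall nat
# Dynamic public address (DHCP, PPPoE): masquerade is the right tool. Its
# conntrack entries are purged whenever ether1 drops or changes address.
add chain=srcnat out-interface=ether1 action=masquerade comment="dynamic public IP"
# Static public address: src-nat keeps its entries across a flap, so existing
# connections simply resume when ether1 comes back. Use one or the other.
# add chain=srcnat out-interface=ether1 action=src-nat to-addresses=203.0.113.10

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 comment="primary, disappears when ether1 is down"
# Workaround from the notes: while the primary route is gone, purged connections
# hit this blackhole instead of being routed out elsewhere as new, unmasqueraded
# flows that would later continue over the restored primary with 192.168.x.x sources.
add dst-address=0.0.0.0/0 type=blackhole distance=10 comment="flap guard"
```

If a second default route via another interface existed instead of the blackhole, that route is exactly the "alternative route" on which the leak happens.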
Mangle
Mangle is for marking and modifying packets. It has an accept action but no drop or reject.
'accept' only stops processing in the mangle table (the packet still goes through NAT and filter); in a built-in chain, i.e. not in a custom sub-chain, it has the same effect as action 'return'.
/ip firewall mangle
passthrough - ignore this rule and go to the next one (useful for statistics, since the rule's counters still increment).
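Added example (not from the original notes): the usual mark-connection / mark-packet pair feeding a queue, with the passthrough flag on each rule spelled out. Assumptions: ether2 = LAN, LAN subnet 192.168.0.0/24, arbitrary queue limit.

```routeros
# Added example: connection mark on the first packet, packet mark on every packet,
# plus a counter-only rule. Assumptions: ether2 = LAN, subnet 192.168.0.0/24.
/ip firewall mangle
# Mark the connection once, on its first packet. prerouting runs before routing
# (the PRE stage in the diagram above) so it sees forwarded and router-bound traffic.
# passthrough=yes (the default) lets this same packet continue to the next rule.
add chain=prerouting in-interface=ether2 connection-state=new protocol=tcp dst-port=443 action=mark-connection new-connection-mark=https passthrough=yes comment="tag HTTPS connections"
# Connection marks are per flow in both directions; queues match packet marks,
# so copy the mark onto each packet. passthrough=no ends mangle for this packet.
add chain=prerouting connection-mark=https action=mark-packet new-packet-mark=https-pkt passthrough=no
# action=passthrough changes nothing and never terminates: its only effect is the
# byte/packet counters, here showing how much LAN traffic is still unmarked.
add chain=prerouting in-interface=ether2 packet-mark=no-mark action=passthrough comment="stats: unmarked LAN traffic"

/queue simple
add name=https-limit target=192.168.0.0/24 packet-marks=https-pkt max-limit=10M/10M
/ip firewall mangle print stats
```

Reply packets from the Internet also carry connection-mark=https, so the second rule marks both directions without a separate rule for the return path.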
address-list
Location
/ip firewall address-list
add
comment disable edit enable export find print remove set
 #    LIST   ADDRESS   CREATION-TIME
....
10    ;;; tim test
      test   0.0.0.0   jul/25/2019 09:44:48
print terse
.... 10 comment=tim test list=test address=1.2.3.4 creation-time=jul/25/2019 10:27:37
print where
print where list=test
 #    LIST   ADDRESS          CREATION-TIME
 0    ;;; tim test
      test   192.168.88.177   jul/25/2019 10:27:37
add
add list=test address=8.8.8.8/32 comment="tim test"
set
set numbers=10 list=test address=8.8.8.8
set [find list=test] address=1.2.3.4
remove
remove numbers=10
get
:put [/ip firewall address-list get [find list=test] value-name=address]
Description
<number> -- Item number
<value-name> -- Name of the value you want to get
Result
- 1.2.3.4 (when find matches an item)
- no such item (error when the list has no matching entry)
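Added example (not from the original notes) of address lists as firewall state rather than static data: a static trusted list plus a staged, self-expiring blacklist for the SSH port, built with add-src-to-address-list and address-list-timeout. Assumptions: SSH on tcp/2222 (as in the connection table above), management network 192.168.88.0/24, and the thresholds (three new connections per minute, one-day ban) are arbitrary.

```routeros
# Added example: dynamic address-list entries driven by firewall rules.
# Assumptions: SSH on tcp/2222, trusted net 192.168.88.0/24, arbitrary thresholds.
/ip firewall address-list
add list=trusted address=192.168.88.0/24 comment="static entry, never times out"

/ip firewall filter
add chain=input protocol=tcp dst-port=2222 src-address-list=trusted action=accept
add chain=input protocol=tcp dst-port=2222 src-address-list=ssh_blacklist action=drop comment="banned for 1d"
# add-src-to-address-list does not terminate: the packet continues down the chain.
# Each new connection moves the source one stage further; the fourth new
# connection within a minute lands it on the blacklist (rules are evaluated top-down,
# so the highest stage is checked first).
add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d
add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=2222 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
add chain=input protocol=tcp dst-port=2222 action=accept comment="SSH after the rate check"

# Dynamic entries carry the D flag and show their remaining timeout; they are
# not included in /export and vanish on reboot.
/ip firewall address-list print where list=ssh_blacklist
# Unban one address by hand with the same find/remove pattern as above
# (198.51.100.7 is a made-up example address):
/ip firewall address-list remove [find list=ssh_blacklist address=198.51.100.7]
```

Put the trusted accept above the drop so a mistyped password from the management network can never lock you out of your own router.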
L7 Firewall
a method of searching for patterns in ICMP/TCP/UDP streams.
L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection
and searches for the pattern in the collected data.
If the pattern is not found in the collected data, the matcher stops inspecting further.
Allocated memory is freed and the protocol is considered as unknown.
Additional requirement is that layer7 matcher must see both directions of traffic (incoming and outgoing).
To satisfy this requirement l7 rules should be set in forward chain.
Example
/ip firewall layer7-protocol
add name=rdp regexp="rdpdr.*cliprdr.*rdpsnd"
Blocking facebook, or youtube
The problem with all of those is that they are HTTPS sites, not HTTP ones.
With HTTPS, nothing in the HTTP request can be inspected, and the domain in the Host header is part of that encrypted request. The server name is still sent in clear text in the TLS ClientHello (the SNI extension), so a regexp over the first packets can match it, and RouterOS also has a dedicated tls-host matcher for exactly that; the request itself stays invisible.
The first time you access Facebook over plain HTTP, the site answers with a "permanent" redirect to HTTPS.
Next time, the browser remembers that permanent redirect and goes directly to the HTTPS URL without visiting the HTTP page at all.
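Added example (not from the original notes) that applies the rdp pattern defined above in the forward chain, where the matcher sees both directions, and the cheaper variant of marking the connection once in mangle. The interface name ether2 (LAN) is an assumption. Two caveats that follow from the text above: the first 10 packets / 2 KB of every connection pass before a verdict exists, so this kills the session rather than its first packets; and when RDP runs over TLS/NLA the channel names are encrypted and the pattern never matches, the same limitation as for HTTPS sites.

```routeros
# Added example: using the layer7 protocol "rdp" from above. Assumption: ether2 = LAN.
/ip firewall layer7-protocol
add name=rdp regexp="rdpdr.*cliprdr.*rdpsnd"

/ip firewall filter
# Direct match in forward, where both directions of a transit connection pass.
# The regexp runs on this rule for every packet of every connection until a verdict exists.
add chain=forward in-interface=ether2 layer7-protocol=rdp action=drop comment="no outbound RDP (direct L7 match)"

# Cheaper alternative: evaluate the regexp once per connection in mangle, then
# filter on the connection mark, which is a plain lookup.
/ip firewall mangle
add chain=forward layer7-protocol=rdp action=mark-connection new-connection-mark=rdp passthrough=yes comment="classify RDP once"
/ip firewall filter
add chain=forward connection-mark=rdp action=drop comment="no outbound RDP (by connection mark)"
```

Use one of the two approaches, not both; they are shown together only to contrast the per-packet regexp with the per-connection mark.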
Doc
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
DSTNATed
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
(The rule must match connection-state=new, not !new: with !new it would drop the reply packets of every LAN-originated connection coming back in on ether1, since those are established and srcnat, not dstnat.)
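Added example (not from the original notes) placing the rule above next to the NAT rule that makes traffic DSTNATed and the matching accept, so that one filter rule covers every port forward, as the connection-nat-state section describes. Assumptions: ether1 = WAN, internal host 192.168.0.2 with tcp/22 published on tcp/2222.

```routeros
# Added example: connection-nat-state in the filter table. Assumptions: ether1 = WAN,
# server 192.168.0.2:22 published as tcp/2222.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=2222 action=dst-nat to-addresses=192.168.0.2 to-ports=22 comment="publish SSH"

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# connection-nat-state is fixed by the connection's first packet: a WAN packet that
# matched a dst-nat rule carries dstnat, one that matched nothing carries no NAT state.
# So a single drop covers all unsolicited inbound traffic...
add chain=forward in-interface=ether1 connection-state=new connection-nat-state=!dstnat action=drop comment="drop all from WAN not DSTNATed"
# ...and a single accept covers every published service, with no per-port filter rule.
# Adding a second port forward only needs a new dstnat rule, never a new filter rule.
add chain=forward in-interface=ether1 connection-state=new connection-nat-state=dstnat action=accept comment="accept DSTNATed"
# Related connections inherit the NAT state from the direction of their own first
# packet, so a related flow delivered by dst-nat is accepted here too.
/ip firewall connection print where dst-address~"^192\\.168\\.0\\.2:22\$"
```

The order matters: the established/related accept must come first, otherwise the drop would hit the reply packets of LAN-originated connections, which are srcnat rather than dstnat.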