Lab 3.1 Creating a Basic Firewall with MikroTik Router - Part 2
Let's dive deeper into the purpose behind each rule in the MikroTik firewall default script, breaking them down by category.
1. NAT (Network Address Translation)
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
- Purpose: This rule performs Source NAT (SNAT), specifically masquerading. It rewrites the source address of packets leaving through interfaces in the WAN list to the address of the outgoing interface, which lets multiple devices on a private network share a single public IP address. The ipsec-policy=out,none parameter restricts the rule to packets that match no outgoing IPsec policy, so traffic destined for an IPsec tunnel is not masqueraded before it is encrypted.
2. IPv4 Firewall Filter Rules
Input Chain
Accept Established, Related, and Untracked Connections
/ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
- Purpose: Allows incoming packets that are part of an established connection (e.g., a response to an outbound request), related to an existing connection (e.g., FTP data transfer), or untracked packets (not yet tracked by the connection tracking system). This rule ensures that legitimate traffic associated with ongoing sessions is allowed.
Drop Invalid Connections
/ip firewall filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
- Purpose: Drops packets with an invalid connection state. Invalid packets are those that cannot be associated with an existing connection and could be indicative of errors or potential security issues.
Accept ICMP Traffic
/ip firewall filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
- Purpose: Allows ICMP traffic, which is used for diagnostic purposes (e.g., ping requests) and network management.
Accept Local Loopback Traffic
/ip firewall filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
- Purpose: Permits traffic destined for the local loopback address (127.0.0.1). This is crucial for local services and applications (such as CAPsMAN for managing wireless access points) to communicate with the router itself.
Drop Traffic Not From LAN
/ip firewall filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
- Purpose: Drops incoming traffic that does not come from interfaces in the LAN list. This is a security measure to ensure that only trusted internal sources can send traffic to the router.
Forward Chain
Accept IPsec Traffic (Incoming)
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
- Purpose: Allows forwarding of packets that match incoming IPsec policies. This is necessary for handling encrypted traffic securely.
Accept IPsec Traffic (Outgoing)
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
- Purpose: Allows forwarding of packets that match outgoing IPsec policies. This ensures that IPsec traffic is properly routed.
Fasttrack Established and Related Connections
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
- Purpose: Utilizes the FastTrack feature to speed up the handling of established and related connections. This helps improve performance by bypassing some of the packet processing steps for these connections.
Accept Established, Related, and Untracked Forwarded Connections
/ip firewall filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
- Purpose: Similar to the input chain rule, this accepts forwarded packets that are part of established, related, or untracked connections.
Drop Invalid Forwarded Connections
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
- Purpose: Drops forwarded packets with invalid connection states to maintain network security and integrity.
Drop New Connections From WAN Not DSTNATed
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
- Purpose: Drops new forwarded packets from the WAN interface list that have not been destination NATed (i.e., they are not mapped to an internal IP). This helps to block unsolicited incoming connections from the internet that have not been specifically allowed.
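Because these rules are evaluated top to bottom and the first match decides, it helps to trace a few packets through the defconf order. The following first-match model is an added example, not code from the page or from MikroTik; the interface names (ether1 in the WAN list, bridge in the LAN list) are assumptions, and fasttrack-connection is simply treated as accept since the matched packet is let through either way.

```python
import shlex

# Constructed interface-list membership for the lab router (names are assumptions).
IFACE_LISTS = {"ether1": {"WAN"}, "bridge": {"LAN"}}
# The page's IPv4 filter rules, in defconf order, with the comment= fields omitted.
DEFCONF = """
/ip firewall filter add chain=input action=accept connection-state=established,related,untracked
/ip firewall filter add chain=input action=drop connection-state=invalid
/ip firewall filter add chain=input action=accept protocol=icmp
/ip firewall filter add chain=input action=accept dst-address=127.0.0.1
/ip firewall filter add chain=input action=drop in-interface-list=!LAN
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip firewall filter add chain=forward action=accept connection-state=established,related,untracked
/ip firewall filter add chain=forward action=drop connection-state=invalid
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
"""

def parse_rules(script):
    """Turn each 'add' line into a dict of matcher=value pairs (the 4 leading path words are dropped)."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[4:])
            for line in script.strip().splitlines()]

def matches(rule, pkt):
    """True if every matcher in the rule holds for the packet; a leading '!' negates a matcher."""
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        negate = want.startswith("!")
        want = want.lstrip("!")
        if key.endswith("-list"):                       # interface-list membership
            iface = pkt.get(key.replace("-list", ""), "")
            hit = want in IFACE_LISTS.get(iface, set())
        elif key in ("connection-state", "protocol"):   # comma-separated alternatives
            hit = pkt.get(key) in want.split(",")
        else:                                           # exact match; an absent field never matches
            hit = pkt.get(key) == want
        if hit == negate:
            return False
    return True

def verdict(rules, chain, pkt):
    """First-match evaluation of one chain; a packet no rule matches is accepted, as in RouterOS.
    fasttrack-connection is reported as accept here: the matched packet is let through either way."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return "accept" if rule["action"] == "fasttrack-connection" else rule["action"]
    return "accept"

RULES = parse_rules(DEFCONF)
```

Tracing a new TCP connection from ether1 through the forward chain shows it reaching the last rule and being dropped unless the connection carries the dstnat state, while the same packet arriving on the bridge falls off the end of the chain and is accepted.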
3. IPv6 Firewall Rules
Address Lists
Add Bad IPv6 Addresses
/ipv6 firewall address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
/ipv6 firewall address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
/ipv6 firewall address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
/ipv6 firewall address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
/ipv6 firewall address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
/ipv6 firewall address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only"
/ipv6 firewall address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
/ipv6 firewall address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
/ipv6 firewall address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
- Purpose: Adds various reserved or invalid IPv6 addresses to a bad_ipv6 list. These addresses are either reserved for special purposes, not routable, or deprecated, and thus should be filtered out to prevent misuse.
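To see which addresses the bad_ipv6 list actually covers (and which it does not, such as link-local fe80::/10), the following added example parses the page's address-list entries with Python's ipaddress module and looks up a source address against them. It is not code from the page or from MikroTik; the sample addresses in the lookups are constructed.

```python
import ipaddress

# The page's bad_ipv6 address-list entries, with the comment= fields omitted.
BAD_IPV6_SCRIPT = """
/ipv6 firewall address-list add list=bad_ipv6 address=::/128
/ipv6 firewall address-list add list=bad_ipv6 address=::1
/ipv6 firewall address-list add list=bad_ipv6 address=fec0::/10
/ipv6 firewall address-list add list=bad_ipv6 address=::ffff:0:0/96
/ipv6 firewall address-list add list=bad_ipv6 address=::/96
/ipv6 firewall address-list add list=bad_ipv6 address=100::/64
/ipv6 firewall address-list add list=bad_ipv6 address=2001:db8::/32
/ipv6 firewall address-list add list=bad_ipv6 address=2001:10::/28
/ipv6 firewall address-list add list=bad_ipv6 address=3ffe::/16
"""

def parse_address_list(script):
    """Return {list-name: [networks]} from RouterOS address-list 'add' lines, in script order."""
    lists = {}
    for line in script.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[4:])
        # A bare address such as ::1 becomes a /128 host entry; strict=False tolerates host bits.
        net = ipaddress.ip_network(fields["address"], strict=False)
        lists.setdefault(fields["list"], []).append(net)
    return lists

def bad_match(lists, addr, name="bad_ipv6"):
    """Return the first list entry containing addr (as a string), or None if addr is not listed."""
    ip = ipaddress.ip_address(addr)
    for net in lists[name]:
        if ip in net:
            return str(net)
    return None

BAD_LISTS = parse_address_list(BAD_IPV6_SCRIPT)
```

Note that an IPv4-mapped source like ::ffff:192.0.2.1 (constructed) is caught by the ::ffff:0:0/96 entry, whereas a link-local source is not in the list at all and is instead handled by the ICMPv6 and DHCPv6 rules below.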
Input Chain
Accept Established, Related, and Untracked Connections
/ipv6 firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
- Purpose: Allows incoming IPv6 traffic that is part of an established or related connection and untracked packets, similar to IPv4 rules.
Drop Invalid Connections
/ipv6 firewall filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
- Purpose: Drops incoming IPv6 packets with an invalid connection state.
Accept ICMPv6 Traffic
/ipv6 firewall filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
- Purpose: Allows ICMPv6 traffic, which is necessary for IPv6 diagnostics and network operations.
Accept UDP Traceroute
/ipv6 firewall filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
- Purpose: Accepts UDP packets on ports 33434-33534, which are typically used by traceroute tools for network path diagnostics.
Accept DHCPv6-Client Prefix Delegation
/ipv6 firewall filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
- Purpose: Accepts DHCPv6 traffic on port 546 from link-local addresses, which is used for assigning IPv6 addresses and configuration.
Accept IKE Traffic
/ipv6 firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
- Purpose: Allows UDP traffic on ports 500 and 4500, used for Internet Key Exchange (IKE) in IPsec VPNs.
Accept IPsec AH and ESP Traffic
/ipv6 firewall filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
/ipv6 firewall filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
- Purpose: Accepts IPsec Authentication Header (AH) and Encapsulating Security Payload (ESP) traffic, which are part of the IPsec protocol suite for securing network communications.
Accept All Matching IPsec Policy
/ipv6 firewall filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
- Purpose: Accepts any incoming IPv6 traffic that matches the IPsec policy, allowing secured traffic through.
Drop Traffic Not From LAN
/ipv6 firewall filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
- Purpose: Drops all incoming traffic not from the interfaces in the LAN list to ensure that only trusted internal sources can communicate with the router.
Forward Chain
Accept Established, Related, and Untracked Forwarded Connections
/ipv6 firewall filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
- Purpose: Allows forwarded IPv6 packets that are part of established, related, or untracked connections.
Drop Invalid Forwarded Connections
/ipv6 firewall filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
- Purpose: Drops forwarded IPv6 packets with invalid connection states.
Drop Packets With Bad IPv6 Source Addresses
/ipv6 firewall filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
- Purpose: Drops forwarded packets with source addresses listed in bad_ipv6, preventing the use of reserved or invalid addresses.
Drop Packets With Bad IPv6 Destination Addresses
/ipv6 firewall filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
- Purpose: Drops forwarded packets with destination addresses listed in bad_ipv6, blocking invalid destinations.
Drop ICMPv6 Packets With Hop-Limit of 1
/ipv6 firewall filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
- Purpose: Drops ICMPv6 packets with a hop limit of 1 to prevent abuse and ensure compliance with RFC 4890.
Accept ICMPv6 Traffic
/ipv6 firewall filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
- Purpose: Allows ICMPv6 traffic to support diagnostics and network operations in IPv6.
Accept HIP Traffic
/ipv6 firewall filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
- Purpose: Accepts traffic for the Host Identity Protocol (HIP) on protocol number 139.
Accept IKE Traffic
/ipv6 firewall filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
- Purpose: Similar to the input chain rule, allows IKE traffic over UDP ports 500 and 4500 for IPsec VPN connections.
Accept IPsec AH and ESP Traffic
/ipv6 firewall filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
/ipv6 firewall filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
- Purpose: Accepts IPsec AH and ESP traffic, ensuring that secured communication is properly forwarded.
Accept All Matching IPsec Policy
/ipv6 firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
- Purpose: Allows forwarded traffic that matches IPsec policies, facilitating secure network traffic.
Drop Traffic Not From LAN
/ipv6 firewall filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
- Purpose: Drops all forwarded IPv6 traffic not coming from interfaces in the LAN list, ensuring that only trusted internal traffic is allowed.
Summary
- NAT Rule: Manages outbound traffic to share a single public IP address.
- IPv4 Rules: Securely manage incoming and forwarded IPv4 traffic, including handling IPsec, NAT, and performance optimization.
- IPv6 Rules: Similar management for IPv6 traffic, with additional handling for specific IPv6 protocols, reserved addresses, and ensuring IPv6 compliance.