MikroTik CHR: Basic system protection. Guide for essential system protection. Here You will find the essential steps to protect your MikroTik CHR from intrusion. Be careful while placing restrictive (drop) rules, it is possible to limit your own access to the router. Please be noted that the above firewall rules are NOT complete.
We hope you find this tutorial helpful. In addition to guides like this one, we provide simple cloud infrastructure for developers. Learn more →
Introduction
Iptables is the software firewall that is included with most Linux distributions by default. This cheat sheet-style guide provides a quick reference to iptables commands that will create firewall rules are useful in common, everyday scenarios. This includes iptables examples of allowing and blocking various services by port, network interface, and source IP address.
How To Use This Guide
- If you are just getting started with configuring your iptables firewall, check out our introduction to iptables
- Most of the rules that are described here assume that your iptables is set to DROP incoming traffic, through the default input policy, and you want to selectively allow traffic in
- Use whichever subsequent sections are applicable to what you are trying to achieve. Most sections are not predicated on any other, so you can use the examples below independently
- Use the Contents menu on the right side of this page (at wide page widths) or your browser's find function to locate the sections you need
- Copy and paste the command-line examples given, substituting the values in red with your own values
Keep in mind that the order of your rules matter. All of these
iptables
commands use the -A
option to append the new rule to the end of a chain. If you want to put it somewhere else in the chain, you can use the -I
option which allows you to specify the position of the new rule (or simply place it at the beginning of the chain by not specifying a rule number).Note: When working with firewalls, take care not to lock yourself out of your own server by blocking SSH traffic (port 22, by default). If you lose access due to your firewall settings, you may need to connect to it via the console to fix your access. Once you are connected via the console, you can change your firewall rules to allow SSH access (or allow all traffic). If your saved firewall rules allow SSH access, another method is to reboot your server.
Remember that you can check your current iptables ruleset with
sudo iptables -S
and sudo iptables -L
.Let's take a look at the iptables commands!
Saving Rules
Iptables rules are ephemeral, which means they need to be manually saved for them to persist after a reboot.
Ubuntu
On Ubuntu, the easiest way to save iptables rules, so they will survive a reboot, is to use the
iptables-persistent
package. Install it with apt-get like this:During the installation, you will asked if you want to save your current firewall rules.
If you update your firewall rules and want to save the changes, run this command:
On versions of Ubuntu prior to 16.04, run this command instead:
CentOS 6 and Older
On CentOS 6 and older—CentOS 7 uses FirewallD by default—you can use the
iptables
init script to save your iptables rules:This will save your current iptables rules to the
/etc/sysconfig/iptables
file.Listing and Deleting Rules
If you want to learn how to list and delete iptables rules, check out this tutorial: How To List and Delete Iptables Firewall Rules.
Generally Useful Rules
This section includes a variety of iptables commands that will create rules that are generally useful on most servers.
Allow Loopback Connections
The loopback interface, also referred to as
lo
, is what a computer uses to forward network connections to itself. For example, if you run ping localhost
or ping 127.0.0.1
, your server will ping itself using the loopback. The loopback interface is also used if you configure your application server to connect to a database server with a 'localhost' address. As such, you will want to be sure that your firewall is allowing these connections.To accept all traffic on your loopback interface, run these commands:
Allow Established and Related Incoming Connections
As network traffic generally needs to be two-way—incoming and outgoing—to work properly, it is typical to create a firewall rule that allows established and related incoming traffic, so that the server will allow return traffic to outgoing connections initiated by the server itself. This command will allow that:
Allow Established Outgoing Connections
You may want to allow outgoing traffic of all established connections, which are typically the response to legitimate incoming connections. This command will allow that:
Internal to External
Assuming
eth0
is your external network, and eth1
is your internal network, this will allow your internal to access the external:Drop Invalid Packets
Some network traffic packets get marked as invalid. Sometimes it can be useful to log this type of packet but often it is fine to drop them. Do so with this command:
Block an IP Address
To block network connections that originate from a specific IP address,
15.15.15.51
for example, run this command:In this example,
-s 15.15.15.51
specifies a source IP address of '15.15.15.51'. The source IP address can be specified in any firewall rule, including an allow rule.If you want to reject the connection instead, which will respond to the connection request with a 'connection refused' error, replace 'DROP' with 'REJECT' like this:
Block Connections to a Network Interface
To block connections from a specific IP address, e.g.
15.15.15.51
, to a specific network interface, e.g. eth0
, use this command:This is the same as the previous example, with the addition of
-i eth0
. The network interface can be specified in any firewall rule, and is a great way to limit the rule to a particular network.Service: SSH
If you're using a cloud server, you will probably want to allow incoming SSH connections (port 22) so you can connect to and manage your server. This section covers how to configure your firewall with various SSH-related rules.
Allow All Incoming SSH
To allow all incoming SSH connections run these commands:
The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Allow Incoming SSH from Specific IP address or subnet
To allow incoming SSH connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire
15.15.15.0/24
subnet, run these commands:The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Allow Outgoing SSH
If your firewall
OUTPUT
policy is not set to ACCEPT
, and you want to allow outgoing SSH connections—your server initiating an SSH connection to another server—you can run these commands:Allow Incoming Rsync from Specific IP Address or Subnet
Rsync, which runs on port 873, can be used to transfer files from one computer to another.
To allow incoming rsync connections from a specific IP address or subnet, specify the source IP address and the destination port. For example, if you want to allow the entire
15.15.15.0/24
subnet to be able to rsync to your server, run these commands:The second command, which allows the outgoing traffic of established rsync connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Service: Web Server
Web servers, such as Apache and Nginx, typically listen for requests on port 80 and 443 for HTTP and HTTPS connections, respectively. If your default policy for incoming traffic is set to drop or deny, you will want to create rules that will allow your server to respond to those requests.
Allow All Incoming HTTP
To allow all incoming HTTP (port 80) connections run these commands:
The second command, which allows the outgoing traffic of established HTTP connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Allow All Incoming HTTPS
To allow all incoming HTTPS (port 443) connections run these commands:
The second command, which allows the outgoing traffic of established HTTP connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Allow All Incoming HTTP and HTTPS
If you want to allow both HTTP and HTTPS traffic, you can use the multiport module to create a rule that allows both ports. To allow all incoming HTTP and HTTPS (port 443) connections run these commands:
The second command, which allows the outgoing traffic of established HTTP and HTTPS connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Service: MySQL
MySQL listens for client connections on port 3306. If your MySQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.
Allow MySQL from Specific IP Address or Subnet
To allow incoming MySQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire
15.15.15.0/24
subnet, run these commands:The second command, which allows the outgoing traffic of established MySQL connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Allow MySQL to Specific Network Interface
To allow MySQL connections to a specific network interface—say you have a private network interface
eth1
, for example—use these commands:The second command, which allows the outgoing traffic of established MySQL connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Service: PostgreSQL
PostgreSQL listens for client connections on port 5432. If your PostgreSQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.
PostgreSQL from Specific IP Address or Subnet
To allow incoming PostgreSQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire
15.15.15.0/24
subnet, run these commands:The second command, which allows the outgoing traffic of established PostgreSQL connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Allow PostgreSQL to Specific Network Interface
To allow PostgreSQL connections to a specific network interface—say you have a private network interface
eth1
, for example—use these commands:The second command, which allows the outgoing traffic of established PostgreSQL connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Service: Mail
Mail servers, such as Sendmail and Postfix, listen on a variety of ports depending on the protocols being used for mail delivery. If you are running a mail server, determine which protocols you are using and allow the appropriate types of traffic. We will also show you how to create a rule to block outgoing SMTP mail.
Block Outgoing SMTP Mail
If your server shouldn't be sending outgoing mail, you may want to block that kind of traffic. To block outgoing SMTP mail, which uses port 25, run this command:
This configures iptables to reject all outgoing traffic on port 25. If you need to reject a different service by its port number, instead of port 25, simply replace it.
Allow All Incoming SMTP
To allow your server to respond to SMTP connections, port 25, run these commands:
The second command, which allows the outgoing traffic of established SMTP connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Note: It is common for SMTP servers to use port 587 for outbound mail.
Allow All Incoming IMAP
To allow your server to respond to IMAP connections, port 143, run these commands:
The second command, which allows the outgoing traffic of established IMAP connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Allow All Incoming IMAPS
To allow your server to respond to IMAPS connections, port 993, run these commands:
The second command, which allows the outgoing traffic of established IMAPS connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Allow All Incoming POP3
To allow your server to respond to POP3 connections, port 110, run these commands:
The second command, which allows the outgoing traffic of established POP3 connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Allow All Incoming POP3S
To allow your server to respond to POP3S connections, port 995, run these commands:
The second command, which allows the outgoing traffic of established POP3S connections, is only necessary if the
OUTPUT
policy is not set to ACCEPT
.Conclusion
That should cover many of the commands that are commonly used when configuring an iptables firewall. Of course, iptables is a very flexible tool so feel free to mix and match the commands with different options to match your specific needs if they aren't covered here.
If you're looking for help determining how your firewall should be set up, check out this tutorial: How To Choose an Effective Firewall Policy to Secure your Servers.
Good luck!
Router OS v6.35.4
I ticked the option
IP > DNS > Allow remote requests
because I want to use router's static DNS list.Using firewall rules I
drop
all the traffic to dst 53
port of UDP
and TCP
for input
and forward
chains allowing only UDP requests from local subnet to my router through input chain.When I look to
IP > Firewall > Connections
tab I see sometimes connections from some external IP address to some other external IP address to port 53. Both external IP addresses are not mine. The status of those connections is seen reply
+ confirmed
where normal external requests are typically seen reply
+ assured
+ confirmed
.Counter for the blocking rules remains by 0. Rules are moved to the top.
The only way to stop strange connections is to untick the
IP > DNS > Allow remote requests
option.How to explain this?
PaulPaul