Restrict traffic to port forwarded host Mikrotik - mikrotik

Here's the scenario. I'm currently running a Mikrotik RB433AH as my router here at my office. I have several firewall rules set up and all is good. I am also configured for NAT. I'm at a point now where I need to retrieve data from a host located on the inside network, "192.168.0.10", protocol TCP and port 502. I will be accessing this internal host from a server that is located in a remote location with a static IP address. I need to allow this IP and everything else will need to be denied.
I add my dst-nat rule and once again all is fine there. However, since adding a dst-nat rule I can access this internal host from the outside where I need to have this internal host only accessible from my equipment that is located at a datacenter.
From what I've read so far I do believe that NAT rules are processed first and then the firewall filter rules. So this explains why I'm able to access this device from the outside. How do I filter the outside world from accessing this device?
Do I need to add another rule, perhaps on the filter rule for chain=forward? I've read a lot of documentation thus far and now things are quite hazy, so any help would be awesome at this point.
Thanks in advance!
T

Yes, you need to make a firewall rule that takes traffic from a specific address to your host, accepts it, and drops everything else... That can be done in a single rule, using the ! option.
/ip firewall filter
add chain=forward src-address=!EXTERNALSERVERIP dst-address=192.168.0.10 action=drop
After that change only your external server can access your local host.

You need to put this rule on top:
/ip firewall filter add chain=forward src-address=yourexternalipaddress dst-address=192.168.0.10 action=accept
Below that rule you need to add this block rule:
/ip firewall filter add chain=forward dst-address=192.168.0.10 action=drop
The explanation:
When a connection goes through the firewall filter rules, it is checked against the first rule. If it matches, that rule is executed; if it does not match, it is passed to the next rule.
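As an added illustration (not part of either answer, and not RouterOS code), the first-match walk both answers rely on can be simulated in Python: the rule sets below are the accept-then-drop pair, a single negated rule using the ! option, and the pair in the wrong order, each checked against a packet from the remote server and one from an unrelated address. The remote server address, the stranger's address and a chain default of accept are assumptions.

```python
import ipaddress

# Constructed sample values: EXTERNAL is the assumed static IP of the remote
# server (documentation range), HOST is the internal device from the question.
# The forward chain sees the post-dst-nat destination, so dst is the LAN host.
EXTERNAL = "203.0.113.10"
HOST = "192.168.0.10"

def match(rule, pkt):
    """True if every field in the rule matches the packet.
    A string value starting with '!' is negated, like the RouterOS ! option."""
    for key, want in rule.items():
        if key == "action":
            continue
        negate = isinstance(want, str) and want.startswith("!")
        if negate:
            want = want[1:]
        if key in ("src", "dst"):
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want, strict=False)
        else:
            hit = pkt[key] == want
        if hit == negate:  # wanted a match and missed, or wanted a miss and hit
            return False
    return True

def verdict(rules, pkt, default="accept"):
    """First matching rule wins; an unmatched packet gets the chain default
    (assumed to be accept here, i.e. a chain with no final catch-all drop)."""
    for rule in rules:
        if match(rule, pkt):
            return rule["action"]
    return default

# Accept the server, then drop everyone else ...
TWO_RULES = [
    {"src": EXTERNAL, "dst": HOST, "proto": "tcp", "dport": 502, "action": "accept"},
    {"dst": HOST, "proto": "tcp", "dport": 502, "action": "drop"},
]
# ... a single negated rule using the ! option, and the two rules swapped.
SINGLE_RULE = [{"src": "!" + EXTERNAL, "dst": HOST, "proto": "tcp", "dport": 502, "action": "drop"}]
WRONG_ORDER = list(reversed(TWO_RULES))

def check(rules):
    """Return (verdict for the remote server, verdict for an unrelated address)."""
    server = {"src": EXTERNAL, "dst": HOST, "proto": "tcp", "dport": 502}
    stranger = {"src": "198.51.100.7", "dst": HOST, "proto": "tcp", "dport": 502}
    return verdict(rules, server), verdict(rules, stranger)

if __name__ == "__main__":
    print(check(TWO_RULES), check(SINGLE_RULE), check(WRONG_ORDER))
```

With the drop rule placed above the accept rule the remote server is dropped too, which is why the answer insists the accept rule goes on top.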

Related

Not able to access EC2 instance in same VPC via private IP

I have 2 EC2 instances (one Windows and one Linux) in the same subnet. I am trying to access one instance from the other via private IP but I am not able to do so.
In security groups, both instances belong to the same security group, and the security group allows all traffic from the same security group.
I am not even able to ping one instance from the other using the private IP address.
Any pointers on what could be wrong here?
By default the Windows firewall will deny all inbound requests (including ping), but the firewall also contains a list of Exceptions (otherwise it would block everything!). Those Exceptions are a set of rules that describe what connections should be allowed in out-of-the-box.
To allow any additional connections, you just add a new rule to the firewall. There is a wizard in the Windows Firewall GUI for viewing and creating rules, but I find it easier to use a PowerShell one-liner like this to allow ping:
New-NetFirewallRule -DisplayName "Inbound LAN Ping" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 192.168.1.0/24 -Action Allow
The above will allow any IPs between 192.168.1.1 ... 192.168.1.255 to send ping requests to your Windows host (all other RemoteAddress values will still be ignored). I'm assuming here your Linux machine's IP is for example 192.168.1.1 and your Windows machine's IP is 192.168.1.123.
As a rule of thumb, you should only open up the minimal number of ports, to as few IP/IP ranges as possible.
This will likely be the result of Windows firewall being enabled, with default settings it will block ping access (among other things).
Disabling it should enable inbound/outbound access to work for ping. This is a temporary measure and should not be considered a permanent workaround.
You should enable whitelisting in the Windows firewall to allow the ports you would like inbound or outbound to have network access to/from other resources within the network.
More information is available in this link.

Do I need an Inbound NACL to allow VPC Endpoint DynamoDB Access?

I have a Lambda in my VPC that needs to access DynamoDB. I have a VPC Endpoint setup for this, finally got it to work, but am questioning the setup.
Lambda is running in my private subnet.
The subnet has a route table:
Destination: 10.153.32.0/21 Target: local
Destination: pl-02cd2c6b (com.amazonaws.us-east-1.dynamodb, 52.94.0.0/22, 52.119.224.0/20) Target: (my VPC Endpoint)
Destination: 0.0.0.0/0 Target: (my NAT Gateway)
My VPC Endpoint is associated with the above route table (and a few others), hence the #2 route.
And I added the following Network ACL Inbound Rule
Port range 1024 - 65535
CIDR blocks 52.94.0.0/22 and 52.119.224.0/20
ALLOW
What concerns me is that Network ACL rule. I added it after reading this comment.
I'm wondering if I need that rule, or if maybe something else is wrong? I was surprised I had to add it because that SO comment was the only place that mentioned it.
It feels fairly safe to add since those CIDRs should be safe to allow since they are specifically for DynamoDB. But I'm assuming I'll have to keep an eye out for changes to those ranges.
EDIT: I also tried updating my lambda's security group outbound rules, to allow all ports with a destination of pl-02cd2c6b, but that didn't work.
You would only need that rule if you decided to use a customized Network ACL. By default, NACLs allow all, leaving network access control in the hands of security group settings... so if you don't use the default rules, you have to manually allow everything in both directions since, unlike security groups, NACLs don't track IP flow states.
What you are doing looks correct (assuming you need a custom NACL).
The IP addresses from the prefix list are necessary for allowing reply traffic in the inbound direction, and the unusually-broad ephemeral port range comes from the VPC documentation:
AWS Lambda functions use ports 1024-65535.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
There is a documented caveat about treating the prefix list as static:
The range of public IP addresses for a service may change from time to time. Consider the implications before you make routing or other decisions based on the current IP address range for a service.
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-routing
Using the default "allow all" NACL is probably a better alternative. If you really feel the need to lock down your Lambda function's access, you should be able to create an outbound security group rule referencing the pl-xxxx directly. This will work once your NACL is set back to allow all.
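As an added illustration of the stateless/stateful distinction the answer draws (not code from the question or from AWS), the toy model below replays one HTTPS request from the Lambda to the endpoint and asks whether the reply is admitted by a security group that tracked the flow and by a NACL judged on headers alone; the Lambda address, the endpoint address and the port numbers are assumed.

```python
import ipaddress

# The two prefix-list CIDRs quoted in the question; the Lambda address,
# ports and the DynamoDB endpoint address are constructed sample values.
DYNAMODB_PREFIXES = [ipaddress.ip_network(c) for c in ("52.94.0.0/22", "52.119.224.0/20")]
LAMBDA_IP = "10.153.33.17"  # assumed address inside the 10.153.32.0/21 subnet

def in_prefix_list(ip):
    """Would this address be covered by the endpoint's prefix list?"""
    return any(ipaddress.ip_address(ip) in net for net in DYNAMODB_PREFIXES)

def nacl_inbound_allows(rules, pkt):
    """Stateless NACL: judge the packet on its own headers only; rules are
    evaluated in number order, first match wins, implicit deny at the end.
    A rule is (number, protocol, source CIDR, low port, high port, action)."""
    for _num, proto, cidr, lo, hi, action in sorted(rules):
        if (proto in ("all", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(cidr)
                and lo <= pkt["dport"] <= hi):
            return action == "allow"
    return False

class SecurityGroup:
    """Stateful: an allowed outbound request registers the flow, and the
    reply for that flow is admitted without any inbound rule."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))

    def inbound(self, pkt):
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.flows

def simulate(nacl_rules):
    """Send one HTTPS request to the endpoint and report who admits the reply."""
    req = {"proto": "tcp", "src": LAMBDA_IP, "sport": 40321, "dst": "52.94.1.9", "dport": 443}
    reply = {"proto": "tcp", "src": req["dst"], "sport": 443, "dst": LAMBDA_IP, "dport": req["sport"]}
    sg = SecurityGroup()
    sg.outbound(req)
    return {"sg_reply": sg.inbound(reply), "nacl_reply": nacl_inbound_allows(nacl_rules, reply)}

DEFAULT_NACL = [(100, "all", "0.0.0.0/0", 0, 65535, "allow")]
CUSTOM_NACL_NO_RULE = [(100, "tcp", "10.153.32.0/21", 0, 65535, "allow")]  # VPC-only inbound
CUSTOM_NACL_WITH_RULE = CUSTOM_NACL_NO_RULE + [
    (110, "tcp", "52.94.0.0/22", 1024, 65535, "allow"),  # the rule from the question
    (120, "tcp", "52.119.224.0/20", 1024, 65535, "allow"),
]
```

The security group admits the reply in every case because it remembers the outbound request; the custom NACL only does so once the ephemeral-port rule for the prefix-list CIDRs is present.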

Block Website Using Layer 7 Protocol Didn't Working

I've tried many tutorials on how to block a website using the layer 7 protocol. I need to block all social media websites during office hours. For the very first time I've already done it, but I still can access the website, for example facebook.com.
This is my screenshot:
Filter number 15 is what I'm trying to do, but it didn't work.
This is my layer 7 regexp:
This is the number 15 filter rule's detail:
Could you help me?
You need to first disable ip\settings fast path.
/ip settings set allow-fast-path=no
Then, move your rule up, above fasttrack rule.
I'm not sure you can do it this way, because layer7 filter looks INTO the packets, not the destination URL; as Facebook/Youtube traffic is encrypted, layer7 filter sees nothing but encrypted stuff.
So you can't block traffic dynamically but you can block IPs this way:
Create a script which resolves www.facebook.com to an IP, and put this IP into an address list.
Schedule this script every minute or so.
Add a firewall rule to drop forwarded traffic to this address list.
You can also use the Mikrotik built-in DNS server, set your hosts to use it, and statically set www.facebook.com to 127.0.0.1. Your clients will be unable to connect to the real facebook (IF they are using your DNS).

How can I force outgoing ip for specific applications? ForceBindIp doesn't seem to work

I have a dedicated Windows 2012 server with 12 dedicated IPs.
I want to be able to make connections simultaneously from two different IPs that I choose.
This will be used for two different browser applications.
I have tried the following:
ForceBindIP %IP_ADDRESS% %APP_EXE%
But the IP doesn't change, the browser always displays the lowest IP from my added range.
I have also experimented with a script that removes all the IPs, and then just adds one.
netsh interface ipv4 delete address "Ethernet" 104.251.111.110
netsh interface ipv4 delete address "Ethernet" 104.251.111.111
netsh interface ipv4 delete address "Ethernet" 104.251.111.112
netsh interface ipv4 delete address "Ethernet" 104.251.111.114
....
netsh interface ipv4 add address "Ethernet" 104.251.111.115 255.255.255.0
This changes the address BUT I end up having only one IP for both applications.
If the applications you intend to use don't support binding to interfaces/IPs (true, it's uncommon), you can use SOCKS or proxy software (which is a lot more common, especially for browsers).
For instance you could install WinGate or Squid http://www.squid-cache.org (which is the one I know most).
Squid-Cache has the ability to bind to different outgoing addresses based on rules (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/ ).
Basically what you need to do is:
install Squid
add ACL for loopback IP mapping, such as:
acl IP110 src 127.0.0.1/32
acl IP111 src 127.0.0.2/32
[...]
tcp_outgoing_address 104.251.111.110 IP110
tcp_outgoing_address 104.251.111.111 IP111
[...]
And the default, which is just formally needed:
tcp_outgoing_address 104.251.111.110
Each application will then need to be configured with a Proxy (or SOCKS, if you go that way), which is a configuration option most commonly available. On the proxy configuration set the corresponding local IP:
for outgoing connection using IP .111, use proxy on 127.0.0.2
for outgoing connection using IP .110, use proxy on 127.0.0.1
.. and so on.
Make sure Squid (or WinGate) binds to localhost 127.0.0.1/24, so you shouldn't have big security concerns, but if this is exposed on the internet you may want to proceed to a security assessment anyway.
This way, if you decide to offload some application remotely to another server, you can still manage to use the same outgoing IP(s); you just need to change the squid configuration to allow external connections, which could be a big plus for scaling.
It looks like you're searching for a fix involving little rework of the browser applications. Assuming that you're using IIS to serve the applications, you should:
Using File Explorer or command line, soft-link the application configuration in another root folder for each instance of the browser application.
Using IIS, recreate the application as a site for each of the above browser application folders.
Using IIS, bind each instance of the browser application to the IP address you wish to serve it with.
Caveat: It's tempting to use the same app pool for all instances, but evaluate your hardware before! Remember that (depending on the application requirements) you create a single point of failure when using a single app pool. Create separate app pools with identical parameters to reduce this risk.

Access a local machine from outside the LAN

Is there a way to access a machine from outside the LAN without port forwarding?
I have two scenarios in my current setup that port forwarding is complicating:
I have two FTP servers on the same router I want to access from outside
I want to Remote Control/Access files on Windows computers on the network
Right now, the first option is possible, but it needs reconfiguring the router, while the other one seems impossible outside the LAN.
Is there something like [global IP address]/[machine name] or [global IP address]/[Local IP address]?
We need more information. Are these addresses IPv4 RFC 1918 addresses, publicly routed addresses, or IPv6?
If they are in the RFC1918 (10.x.x.x, 172.16.x.x, 192.168.x.x) address space then, simply no. Those addresses are not publicly routed and therefore must be translated to a non-RFC 1918 address.
Otherwise, yes, you can.
If your servers should be available to the public - the answer will be "no".
If you plan to give a limited number of users (for example, only you) access to these servers then you have some options:
Use SSH tunnels with, for example, PuTTY and set up a forwarding for each service you want to expose to your computer, then access it over localhost:port.
localhost:21001 --> 192.168.1.3:21 (FTP1)
localhost:21002 --> 192.168.1.4:21 (FTP2)
Advantage: you can set up your "port-forwardings" at the client side
Disadvantage: you need a router or another computer running the SSH server
Use a VPN (for example, OpenVPN, PPTP, etc.) to get access to your LAN from outside. Then you can act like you are in your LAN.
Advantages:
easy to use if setup properly
you can use almost every protocol
Disadvantage: need to set up a VPN service/gateway