Module 6
2013-01-01
Firewall Principles
Firewall principles
A firewall is a service that allows or blocks data packets going to or through it based on user-defined rules.
The firewall acts as a barrier between two networks. A common example is your LAN (trusted) and the Internet (not trusted).
How the firewall works
The firewall matches packets on criteria such as:
Protocol
Protocol options (ICMP type and code fields, TCP flags, IP options)
DSCP byte
And more
Packet flows
MikroTik created the packet flow diagrams to help us in the creation of more advanced configurations. It's good to be familiar with them to know what's happening with packets and in which order. For this course, we'll keep it simple.
Packet flows: overall diagrams (diagrams not reproduced here)
Reply out (log trace of an ICMP reply leaving the router through the output and postrouting chains):
===OUTPUT===
Mangle-output output: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
Filter-output output: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
===POSTROUTING===
Mangle-postrouting postrouting: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
Connection tracking table: columns DST-ADDRESS, TCP-STATE, TIMEOUT (screenshot not reproduced here)
Connection tracking: NAT and the following firewall matchers and actions rely on it (they stop working if connection tracking is disabled):
NAT
Firewall:
connection-bytes
connection-type
connection-limit
layer7-protocol
p2p
new-connection-mark
connection-mark
connection-state
connection-rate
tarpit
Established
You can have user chains based on custom criteria. For example:
After that, you can start creating filter rules using the new chain by entering it in the Chain field of the new firewall filter.
Once you understand them and agree with them, input them in the router.
Filter Matchers
Before taking "action" on a packet, it must be identified. Matchers are many!
Filter actions
Once a packet has been matched to a rule, an action will be applied to it. MikroTik's firewall filters have 10 actions.
Accept
Accept the packet. Packet is not passed to next firewall rule.
Add-dst-to-address-list
Add destination address to address list specified by address-list parameter. Packet is passed to next firewall rule.
Add-src-to-address-list
Add source address to address list specified by address-list parameter. Packet is passed to next firewall rule.
Drop
Silently drop the packet. Packet is not passed to next firewall rule.
Jump
Jump to the user-defined chain specified by the value of jump-target parameter. Packet is passed to next firewall rule (in the user-defined chain).
Log
Add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. Packet is passed to next firewall rule.
Passthrough
Ignore this rule and go on to the next one (useful for counting traffic with the rule's statistics). Packet is passed to next firewall rule.
Reject
Drop the packet and send an ICMP reject message. Packet is not passed to next firewall rule.
Return
Pass control back to the chain from where the jump took place. Packet is passed to next firewall rule (in originating chain, if there was no previous match to stop packet analysis).
Tarpit
Capture and hold TCP connections (replies with SYN/ACK to the inbound TCP SYN packet). Packet is not passed to next firewall rule.
A basic input chain, in order:
Accept ICMP echo replies (You may want to ping a server on the Internet. It would be useful for you to get the replies!)
Drop ICMP echo requests (You don't want others pinging you. Stay under the radar!)
Accept all "established" and "related" input traffic (You'll want the replies to whatever the router asked for, like NTP and DNS requests)
Drop all "invalid" input traffic (Whatever the router gets that it didn't ask for)
Log the rest of input traffic (Have I missed anything important?)
Drop the rest of input traffic (I want to be safe!)
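The input chain listed above, written as RouterOS firewall filter commands, with the two ICMP rules placed in a user chain as described in the user-chain section earlier. This is an added example, not configuration from the course material; the user chain name "icmp-in" and the log prefix are chosen here.

```routeros
/ip firewall filter
# User chain "icmp-in": echo replies in, echo requests dropped, anything else returns to input
add chain=icmp-in protocol=icmp icmp-options=0:0-255 action=accept \
    comment="accept ICMP echo replies (type 0)"
add chain=icmp-in protocol=icmp icmp-options=8:0-255 action=drop \
    comment="drop ICMP echo requests (type 8)"
add chain=icmp-in action=return comment="other ICMP goes back to the input chain"

# Input chain: traffic addressed to the router itself, in the order listed above
add chain=input protocol=icmp action=jump jump-target=icmp-in \
    comment="hand ICMP to the user chain"
add chain=input connection-state=established,related action=accept \
    comment="replies to what the router asked for (DNS, NTP, ...)"
add chain=input connection-state=invalid action=drop \
    comment="packets that belong to no known connection"
add chain=input action=log log-prefix="input-unmatched:" \
    comment="log what is left so nothing important is missed"
add chain=input action=drop comment="drop everything else"
```

After pasting, read the log for "input-unmatched:" entries before trusting the final drop; anything the router legitimately needs (for example a dynamic routing protocol) shows up there and gets its own accept rule above the log rule.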
Basic address-list
Address lists are groups of IP addresses. They can be used to simplify filter rules.
They can be used in firewall filters, mangle and NAT facilities. Creation of address lists can be automated by using the add-src-to-address-list or add-dst-to-address-list actions in the firewall filter, mangle or NAT facilities.
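A static address list used in a single filter rule, plus a list filled automatically with add-src-to-address-list, as described above (this is also the shape of lab steps 4 and 5). Added example, not from the course material; the list name "Pod1", the network 192.168.1.0/24, the WAN address 10.0.0.1 and the WAN interface name ether1 are constructed placeholders.

```routeros
/ip firewall address-list
# Static list: one name, two members (LAN network and WAN address of the peer pod)
add list=Pod1 address=192.168.1.0/24 comment="LAN of pod 1 (placeholder)"
add list=Pod1 address=10.0.0.1 comment="WAN address of pod 1 (placeholder)"

/ip firewall filter
# One rule covers every member of the list (lab step 5: WinBox, TCP 8291)
add chain=input src-address-list=Pod1 protocol=tcp dst-port=8291 action=accept \
    comment="WinBox from the peer pod"
# Automated list: any source NOT on Pod1 that opens a new TCP connection to 8291 on the
# WAN side is recorded for one day; the packet is still passed to the next rule,
# so this rule only observes (assumption: ether1 is the WAN interface)
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 \
    src-address-list=!Pod1 connection-state=new \
    action=add-src-to-address-list address-list=winbox-unknown \
    address-list-timeout=1d comment="record unexpected WinBox sources"
# The dynamic list is matched like any other; here it is logged for review
add chain=input src-address-list=winbox-unknown action=log \
    log-prefix="winbox-unknown:" comment="see who is knocking on 8291"
```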
Source NAT
NAT
Network Address Translation (NAT) allows hosts to use one set of IP addresses on the LAN side and another set of IP addresses when accessing external networks.
Source NAT translates private IP addresses (on the LAN) to public IP addresses when accessing the Internet. The reverse is done for return traffic. It's sometimes referred to as "hiding" your address space (your network) behind the ISP-supplied address.
Destination NAT
NAT Syntax
Source NAT (from /ip firewall nat)
Destination NAT
Redirect all web traffic (TCP, port 80) to the router's web proxy on port 8080
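The three NAT forms named above (source NAT, destination NAT, redirect to the router's web proxy on 8080) as RouterOS commands, with the redirect form also written the way lab step 9 uses it. Added example, not the course's own syntax slide; ether1 as WAN, ether2 as LAN, 192.168.1.0/24, 192.168.1.10 and 203.0.113.10 are constructed placeholders.

```routeros
/ip firewall nat
# Source NAT: hide the LAN behind whatever address the WAN interface currently has
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="masquerade LAN behind the ISP-supplied address (lab step 1)"
# Source NAT to a fixed public address; kept disabled so it does not shadow the masquerade rule
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 \
    action=src-nat to-addresses=203.0.113.10 disabled=yes \
    comment="alternative when the public address is static (placeholder address)"

# Destination NAT: publish an internal web server (placeholder 192.168.1.10) on the WAN address
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=80 \
    comment="port forward to internal web server"

# Redirect: all LAN web traffic (TCP 80) goes to the router's own web proxy on 8080
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"
# Redirect as used in the lab: WinBox reachable on port 1313 from the WAN side (step 9)
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1313 \
    action=redirect to-ports=8291 comment="WinBox on an alternate port"
```

Rules in a chain are evaluated top to bottom, so a dst-nat or redirect rule must be restricted by in-interface (or dst-address) unless you intend it to catch traffic from both sides of the router.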
End of module 6
Laboratory
Goals of the lab
Laboratory: Setup
Laboratory: step 1
Before going ahead with firewall rules, we'll test a NAT rule: Masquerading.
Laboratory: step 2
Let's make things more interesting by adding filter rules. Apply the following rules to incoming traffic on your WAN interface.
Laboratory: step 3
Now that you have rules, check your logs. Look at the messages and their format.
Seeing what you see now, do you think troubleshooting connection problems would be easier? Why?
Laboratory: step 4
Create Address Lists representing all pods. Use the following format:
Name: Pod1
Address: <network/mask> of the LAN
Name: Pod1
Address: <IP> of the WAN interface
Laboratory: step 5
Pods should be matched in pairs for the following tests.
Close your WinBox window and reopen it, connecting to your peer pod. What's happening?
With one filter rule ONLY, allow all IP addresses from your peer pod to connect to your router with WinBox (TCP, 8291).
Laboratory: step 6
To test port redirection, we'll need to make a small change to the IP SERVICES of your pod.
Laboratory: step 7
Close and reopen the WinBox interface without adding any special parameters. What result do you get?
Log into the WinBox using port 8111.
Create a dst-nat rule with a redirect action to port 8111 on all TCP port 8291 traffic.
Close and reopen WinBox without the port after the IP address. Does it work now?
Log into your peer pod's router. What's happening?
Laboratory: step 8
Return the WinBox port to its normal value of 8291.
Disable (don't delete) the dst-nat rule of "redirect".
Close WinBox and validate that you can log into your router and your peer's router normally.
Laboratory: step 9
Create a dst-nat rule with a redirect action to port 8291 on all TCP port 1313 traffic coming into the WAN port.
Open WinBox and log into your router using port 1313.
Open WinBox and log into your peer's router using port 1313.
Explain the different results.
Laboratory: step 10
Do an export AND a binary backup under the file name module6-podx.
End of Laboratory 6