drunkez: Originally I only had TCP; a friend advised me to try adding a UDP rule as well, but that didn't help either.
mac0112: I know, I have it set there so that the MikroTik has SSH on port 222. The problem I'm solving now is that I need to reach a server behind the MikroTik over SSH from the WAN.
EDIT:
M.: Ah, that hadn't occurred to me; I'll try to look up how to correctly set up a rule to allow connections from WAN to LAN.
I'm posting my Firewall and NAT settings in case they help.
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Masquerade for PPPoE
chain=srcnat action=masquerade out-interface=O2_VDSL log=yes log-prefix="masquerade"
1 chain=srcnat action=masquerade dst-address=192.168.88.125 log=no log-prefix=""
2 chain=srcnat action=masquerade dst-address=192.168.88.130 log=no log-prefix=""
3 ;;; Web FE
chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=80-99 protocol=tcp dst-address=83.208.XXX.XXX dst-port=80-99 log=yes log-prefix="web-fe"
4 chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=443 protocol=tcp dst-address=83.208.XXX.XXX dst-port=443 log=yes log-prefix="caddy"
5 ;;; TeamSpeak3 Server
chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=9987 protocol=udp dst-address=83.208.XXX.XXX dst-port=9987 log=no log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=30033 protocol=tcp dst-address=83.208.XXX.XXX dst-port=30033 log=no log-prefix=""
7 ;;; Terraria-Server
chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=7777 protocol=tcp dst-address=83.208.XXX.XXX dst-port=7777 log=no log-prefix=""
8 chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=7777 protocol=udp dst-address=83.208.XXX.XXX dst-port=7777 log=no log-prefix=""
9 ;;; NAS FTP
chain=dstnat action=dst-nat to-addresses=192.168.88.130 to-ports=21 protocol=tcp dst-address=83.208.XXX.XXX dst-port=21 log=no log-prefix=""
10 ;;; Server SSH
chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=22 protocol=tcp dst-address=83.208.XXX.XXX in-interface=O2_VDSL dst-port=2222 log=yes log-prefix="Putty"
11 chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=22 protocol=udp dst-address=83.208.XXX.XXX in-interface=O2_VDSL dst-port=2222 log=yes log-prefix="Putty"
12 ;;; Factorio Server
chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=34197 protocol=udp dst-address=83.208.XXX.XXX dst-port=34197 log=no log-prefix=""
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
2 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
3 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
4 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
5 chain=input action=accept protocol=icmp log=no log-prefix=""
6 chain=input action=accept connection-state=established log=no log-prefix=""
7 chain=input action=accept connection-state=related log=no log-prefix=""
8 chain=input action=drop in-interface=ether1 log=no log-prefix=""
9 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21
10 chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m
11 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Login incorrect
12 X ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""
13 X chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22 log=no log-prefix=""
14 X chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 log=no log-prefix=""
15 X chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 log=no log-prefix=""
16 X chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no log-prefix=""
17 ;;; drop telnet brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=23 log=no log-prefix=""
18 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=23
19 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=23
20 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=23
21 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=23
The VDSL modem is connected to ether1.
/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU
0 R ether1 ether 1500 1598 4074
1 RS ether2-master ether 1500 1598 4074
2 RS ether3 ether 1500 1598 4074
3 S ether4 ether 1500 1598 4074
4 S ether5 ether 1500 1598 4074
5 RS wlan1 wlan 1500 1600 2290
6 S wlan2 wlan 1500 1600 2290
7 R O2_VDSL pppoe-out 1480
8 R ;;; defconf
bridge bridge 1500 1598
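An added example, not part of the thread: a small Python script that parses RouterOS `print` output like the NAT listing above and audits the dst-nat port forwards. It flags a UDP forward to port 22 (a no-op, since SSH is TCP only) and any dst-nat rule whose `in-interface` differs from the interface the forward chain's "drop all from WAN not DSTNATed" rule matches on (with a PPPoE uplink, WAN traffic arrives on the pppoe-out interface, not on ether1). The sample input is a constructed subset of the posted listing; `"ether1"` passed to `audit` is taken from filter rule 4.

```python
import re
import shlex

# Constructed sample: a subset of the /ip firewall nat print listing from the post.
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
10 ;;; Server SSH
chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=22 protocol=tcp dst-address=83.208.XXX.XXX in-interface=O2_VDSL dst-port=2222 log=yes log-prefix="Putty"
11 chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=22 protocol=udp dst-address=83.208.XXX.XXX in-interface=O2_VDSL dst-port=2222 log=yes log-prefix="Putty"
12 ;;; Factorio Server
chain=dstnat action=dst-nat to-addresses=192.168.88.125 to-ports=34197 protocol=udp dst-address=83.208.XXX.XXX dst-port=34197 log=no log-prefix=""
"""

# "<number> <flags> <comment-or-body>"; flags are the X/I/D letters RouterOS prints.
RULE_HEAD = re.compile(r"^(\d+)\s+([XID]*)\s*(.*)$")

def parse_print(text):
    """Parse RouterOS 'print' output into dicts of id, flags, comment and key=value fields."""
    rules, pending = [], None
    for line in text.splitlines():
        m = RULE_HEAD.match(line)
        if m:
            rid, flags, rest = m.groups()
            pending = {"id": int(rid), "flags": flags, "comment": ""}
            if rest.startswith(";;;"):  # comment line: the rule body follows on the next line
                pending["comment"] = rest[3:].strip()
                continue
            body = rest
        elif pending is not None and "=" in line:
            body = line
        else:
            continue
        for tok in shlex.split(body):  # handles quoted values such as log-prefix="Putty"
            key, _, val = tok.partition("=")
            pending[key] = val
        rules.append(pending)
        pending = None
    return rules

def audit(rules, wan_drop_iface):
    """Findings about active dst-nat rules; wan_drop_iface is the interface the forward
    chain's 'drop all from WAN not DSTNATed' rule matches on (ether1 in the posted config)."""
    findings = []
    for r in rules:
        if r.get("action") != "dst-nat" or "X" in r["flags"]:
            continue
        if r.get("to-ports") == "22" and r.get("protocol") == "udp":
            findings.append(f'rule {r["id"]}: UDP forward to port 22 is a no-op, SSH is TCP-only')
        iface = r.get("in-interface")
        if iface and iface != wan_drop_iface:
            findings.append(f'rule {r["id"]}: in-interface={iface} differs from the forward-chain WAN drop interface {wan_drop_iface}')
    return findings
```

Run `audit(parse_print(NAT_PRINT), "ether1")` to list the findings; paste the full `/ip firewall nat print` output in place of the sample to audit the whole rule set.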