Mikrotik
shark136666, 2017-10-20 08:02:29

How to fight off unwanted people, Mikrotik?

Good afternoon. Not long ago I replaced the main router with a Mikrotik, and I need advice:
We have an IP PBX, and some unwanted people are constantly hammering on ports 5060 and 5073 (the PBX ports), trying passwords one after another. To begin with, I created a NAT rule that only allows a certain IP (the provider's) on ports 5060 and 5073, but this did not help, so now I simply want to deny them access at the firewall.
I wrote an input-chain rule on the incoming interface to drop everything from the 85.40.4.0 subnet, whatever port they are hitting.
But they keep knocking all the same, so I need some good advice)
[screenshot of the firewall rule]


4 answer(s)
Gansterito, 2017-10-20
@shark136666

As already mentioned above, the rule must be added to the forward chain, because the incoming traffic is not destined for the Mikrotik itself (input chain) but passes through it (forward chain). For the same reason the counters in the screenshot above are zero (last two columns).
And, as also mentioned above, the rules in the input and forward chains must be ordered so that the allowing rules come first (remote access from outside, ICMP echo request, replies to already established sessions, i.e. connection-state=established,related, and port forwarding) and the last rule drops everything else.

CityCat4, 2017-10-20
@CityCat4

You can mark "good" connections in prerouting and accept by that mark in the filter, or you can simply accept traffic from the provider's IP in the filter and drop everything else on these ports.

Viktor Belsky, 2017-10-20
@Belyj

You should block not only in input but also in forward.

Sergey, 2017-10-20
@SuNbka

The best option is to configure the Mikrotik on the principle that everything not explicitly allowed is prohibited.
Alternatively, you can:

Write a blocking rule for N unsuccessful connection attempts:

/ip firewall filter
# The lists are filled with *source* addresses, so the drop rules must match src-address-list.
add action=drop chain=input comment="drop" src-address-list=block
add action=drop chain=forward comment="drop" src-address-list=block
# ^ Viktor Belsky's recommendation; a PBX reached via dst-nat is traversed in forward, not input.
add action=jump chain=input jump-target=alarm port=5060,5073 protocol=tcp
add action=jump chain=input jump-target=alarm port=5060,5073 protocol=udp
# The alarm chain is only reached through the jumps above, so no protocol match is needed here.
# Stages are listed from highest to lowest: add-src-to-address-list is a passthrough action,
# so with the lowest stage first a single connection would climb every stage in one pass.
add action=add-src-to-address-list address-list=block address-list-timeout=1d chain=alarm connection-state=new src-address-list=block-stage-2
add action=add-src-to-address-list address-list=block-stage-2 address-list-timeout=1m chain=alarm connection-state=new src-address-list=block-stage-1
add action=add-src-to-address-list address-list=block-stage-1 address-list-timeout=1m chain=alarm connection-state=new
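Putting the thread's advice together (Gansterito's allow-first, drop-last ordering in both chains, CityCat4's provider-only accept in the filter, Sergey's default-deny principle), here is an added example ruleset; it is not from any of the posters. The WAN interface name ether1, the provider address 203.0.113.10 and the PBX address 192.168.88.10 are placeholders to replace with your own values.

```routeros
# Added example. Assumed placeholders:
#   ether1          - WAN interface facing the internet
#   203.0.113.10    - the SIP trunk provider's address (TEST-NET range, replace)
#   192.168.88.10   - the PBX on the LAN
# Traffic to the PBX is dst-nat'ed, so it traverses the forward chain, not input.

/ip firewall address-list
add list=sip-providers address=203.0.113.10 comment="SIP trunk provider"

/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=5060,5073 \
    action=dst-nat to-addresses=192.168.88.10
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=5060,5073 \
    action=dst-nat to-addresses=192.168.88.10

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="echo request etc."
add chain=input in-interface=!ether1 action=accept comment="LAN may manage the router"
add chain=input action=drop comment="default deny on input"

# --- forward: traffic passing through the router ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Only the provider may open new SIP sessions to the PBX; anyone else falls to the final drop.
add chain=forward in-interface=ether1 connection-state=new connection-nat-state=dstnat \
    src-address-list=sip-providers protocol=udp dst-port=5060,5073 action=accept
add chain=forward in-interface=ether1 connection-state=new connection-nat-state=dstnat \
    src-address-list=sip-providers protocol=tcp dst-port=5060,5073 action=accept
add chain=forward in-interface=!ether1 action=accept comment="LAN to anywhere"
add chain=forward in-interface=ether1 action=drop comment="default deny from WAN"
```

Watch the counters on the final forward drop rule: with the PBX behind dst-nat, that is where the password-guessing traffic should now be counted, while the provider's sessions land on the accept rules above it.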
