📗 MikroTik MTCNA - Firewall Principles (Forward, Input, Output)

Captions
Hello and welcome. In this video we'll be going over the MikroTik firewall: the basic overview of it, how some of the connection states work, as well as how a basic firewall rule works on a MikroTik device. So let's get into the video.

Oh, firewall. So this is something that scares a lot of people, but I want to let you know firewalls are not scary. They're there to help you, they're your friend, they're there to protect you. So in an earlier lecture, when we did the default configuration of a MikroTik device, you saw that with the default configuration a MikroTik comes with some very basic firewall rules and functionality. We've also set up some very basic stuff in the firewall, like a masquerade rule just for internet breakout, but now we'll be diving in a bit deeper into the MikroTik firewall and how we can actually set up some rules on it ourselves.

So firstly, what I want you to do is we'll go into IP and we'll go into the Firewall tab. So this menu actually opens up the firewall menu for all of the different types of things that you can access on the MikroTik firewall. You get stuff like filter rules, NAT rules, mangle rules, the raw table, service ports (so these are just ports on the MikroTik when accessing certain things), connections (and this we're going to discuss now), address lists and layer 7 protocols.

The biggest thing I want to bring up now is this Connections tab. This is very important for the MikroTik firewall and this is very important for any services that you might use with the firewall: connection tracking. If you click on this, this is enabled on auto by default. If you put it on auto, what it means is it will not use the firewall until you add any type of firewall rule, so the moment you add a NAT rule, then it will start using connection tracking and then the MikroTik firewall will kick into place. It needs to be on auto or yes if you plan on using any of the firewall functionality. If you put it on no, then the router becomes just a router; it will just forward packets and whatnot, but you won't be able to use the firewall to its full potential. Any mangle rules that you have, any NAT rules, any of that stuff, it won't work, it will just fail. So something to take note of, but not to worry, it is typically just on auto, or it is on yes, so just take note of that. There are some settings in here, but we are not going to change any of these settings related to the firewall; we'll leave everything as default. So let's just apply, or let me set it to yes and apply.

So we know connection tracking is enabled, but what is connection tracking? Well, as you can see, there's a whole table here telling us what is happening on the firewall level of the MikroTik: what connections are being made on the MikroTik or being established. So you see there are these flags, and these are again just like the flags, if you remember from earlier lessons, so you can just hover over this and you can see what is actually happening. But in theory it just tells us what on our network is connecting to where on the internet, which protocols are being used and how long the session has been established, and you get different types of states. So we'll go over some of the states in a bit, but it's just telling you: is there a connection, and how many bytes or kilobits or megabits or whatever of traffic has actually gone over the connection. And there's... I'm a single computer; there's only one computer connected to this MikroTik at the moment, my home computer, and I'm really not doing much, I'm making this YouTube video, and as you can see there is a ton of connections out to the internet that it is keeping track of. So if I'm one computer and I'm doing 68 different connections without really doing much, think about how crazy it is the moment you start adding 100 users, a thousand users, tens of thousands of users. And that's why it's also important: the more you start doing in an ISP world, if you've got a core router where you're running ISP services through and you've got multiples of users connecting through this router, you need to make sure that it's a properly specced router, that it's big enough to support all of these connections, because if it's not and you hit this max entry on the connection tracking, then you're going to start having some problems. Users aren't going to be happy, the connections are going to start failing. So just something to take note of, but that is connection tracking summed up.

And then I just want us to go into the states quickly. So we get stuff like, called the TCP states, and by default you'll see they might be established. What I might do is I'll just quickly bring up an article from MikroTik's site. So let's just go onto Google and say "mikrotik firewall states". And this is actually a great place, because I always recommend going to the wiki or going to help.mikrotik so it can show you actually what's going on. But if we scroll down here, this is actually showing you everything about the firewall, but what we are really interested in is connection states. So let's just scroll down, or maybe up; it should be under C, connection-state. So there are the different types of states that a connection might be in whenever it gets into that connection table. Established is just basically whenever the connection is made between your host that's sitting behind the router, or even the router itself, to a remote side; if it's established there's already a connection, so traffic can flow two ways. So you get all these different things like invalid, new, related, untracked, default even though we don't see the default here, and you can read all about it here. So I will put a link in the description for this article so you can scroll down here yourself. But in essence: established packets are what we want to see; invalid packets means there's something bad happening; new packets is when we're just starting to establish the connection; related packets means that something is part of an existing connection. So this might be, if you think about if you're doing an FTP connection, but that FTP connection also maybe has something else just to make sure the connection's there, like the ICMP. There's two types of connections happening, but it's not really like the same established connection, so one is a stream for the ICMP whereas the other is the FTP. And then we've got untracked states, and you can also manually set the states on the firewall, but for the most part you won't be fiddling around with states much. But there are cool things that you can do by using states on the MikroTik firewall.

All right, now that we've got that out of the way, let's actually go into the filter rules. So filter rules are, in essence, the firewall rules that you can add on a MikroTik device, and I've gone over this before in another video, like how the firewall actually works and operates, but we'll go over it again here, and I might use Paint. So let me just quickly open up Paint, let me just make a new document quickly, and let's just quickly discuss MikroTik firewall principles. So if I'm on the filter rules and I click on this plus, you get different types of chains, and this is something that we need to go over: the forward chain, the input chain and the output chain. So each of these chains represents a way that traffic is either flowing to, out of, or over the MikroTik. So I'm just quickly going to paint a little picture using Paint, and I'm just going to add a little MikroTik router here. So let's say that's my home router, and let's just give it some lines so it kind of looks like a router, and then from my home router there's a cable connecting to my computer, and presto, there's my computer. But my home router is obviously connecting to some other routers as well, which we can't see, because this is how the internet operates: a bunch of routers connecting to each other. But there's some router as well over the internet somewhere, and then over this internet router there's also, let's say, a cable connecting to maybe some servers. So there's some servers connecting to that router on the remote side.

So let's just quickly discuss the different types of chains we get. So I said we get something we call a forward chain; that's the first thing. If we look at our chains, there's forward, and when you think about a forward chain, I want you to think about the router actually forwarding packets, things that's going through the router. So let's say this server here (let's just see, is the size big enough?) let's say this was a web server, so that's WWW. Sorry, my Paint skills aren't that good, but that's WWW, and this is my PC. So my PC wants to connect to that web server over WWW. So what it would in essence do is it would connect to this router, my home router, so it would send packets there and would say, "Hello router, I'm trying to get to this web server." It would look at its IP headers and would say, "Okay, cool, I can see if we want to get there I need to forward traffic out to this gateway, I need to forward it to that destination." So the keyword again is forward, FWD, let's just make it that. So we're forwarding traffic, so if we are forwarding traffic that means the router is passing the traffic off somewhere else, and it doesn't need to be traffic that's going in or out to go to a server somewhere; it applies as well to maybe things that's going out from other servers back to your router, and maybe you've got some NAT rules in your forwarding stuff, your own internal servers, that's also forwarding traffic. So we can then, in essence, manage access based on traffic being forwarded. So that is what the forward chain does.

So what we could in essence do is, I know my computer's address is 192.168.0.254, that's my PC's address, and then what I could do is, let's just open up the command prompt. So let's see, can I ping 8.8.8.8? I can currently ping that, right? So what I'm going to do is I'm going to add a forward chain rule. I'm going to set the destination as 8.8.8.8. So see, I can manage my source address, my destination address, I can even set the protocol, and if I click on there, there's even ICMP, so I can just set that for ICMP for pinging. And we can specify stuff like in and out interfaces, different stuff like packet marks, but this we'll go over when we discuss something called mangle rules. And here we get those connection types we were talking about earlier, so you can set... oh, there's the connection state, so you can set it to invalid, established, related, new or untracked, but I'm just going to leave that blank for this example. So I'm going to say anything from my computer wanting to go to Google's DNS server that's a ping, then we can specify an action. So if I click on Action, this is what the firewall needs to do as soon as anything matches these details. So anything that matches these general details (and I can go to Advanced as well, there's some more stuff that you can put in here like address lists and whatnot), but we can specify an action, and that action can either be accept, add it to an address list, drop it, fasttrack the connection (which we'll discuss at the very end of this video series on the firewall), we can jump, log, passthrough, reject, return, tarpit. And what I want to do is I just want to drop the traffic. So what's going to happen is I'm saying anything from my computer going to Google that's ICMP, so anything that I ping to Google, I want to drop. If I apply that, you can see it creates this firewall entry in my rules, and I can see no packets have been dropped yet. But what happens if I try and ping Google now? If I do a ping 8.8.8.8... oh no, now it's failing. And if you notice on my MikroTik, it's actually being referenced by the firewall. The firewall is able to see, "Hey, there are packets trying to be forwarded, this is how many bytes we were trying for, these are the amount of packets," and now we know that the firewall rule is actually working. So now we've blocked traffic from being forwarded.

So forward traffic, in essence, protects... you take a guess. It protects these people: it protects the hosts, protects the remote side and also my computer. So anything that's behind or across the network, that's what you're protecting with forward rules. So that will allow you to, let's say, manage traffic for those types of people. Now I'm going to disable that so that my pings can work again, so I can see I can ping 8.8.8.8 again, and that's great.

Next, let's hit another plus and let's look at another chain. So let's discuss the input chain. So, input chain: if I go back to my little Paint drawing, input, I'm just going to use a different colour, let's maybe use green, and let's just make it IN. And exactly as it sounds, this is traffic coming in to your router. So your router is the destination, your router is where the traffic tries to go to. So this might be traffic from... it could even come from a different host from the outside, but they are trying to get to the router. The router is their destination. They're trying to get to the router, the router's IP address or something to that effect; they want to connect to the router itself. So what we could do is we could restrict management traffic with input rules, and not even management traffic, it's a wide range of things that you can obviously add. But what I could do is I could again add the 192.168.0.254, which is my PC, and 0.1 is the router. So if I ping 192.168.0.1, I can ping that. So I'm going to make that the destination, which is the router's address, and what I could do is I could also set it for ICMP, and I might just drop this again, and let's just quickly see if this works. So let me go back, do the ping. Now my PC can't ping the MikroTik, which is good for some reasons and it's also bad for other reasons, because now I can't actually verify if the host is up or not.

So let's just revert the protocol being ICMP being dropped, but let's maybe set it for something else. Let's set it for TCP, which is a well-known protocol that we use, and let's change or set the destination port to some type of management port. So let's set it to 23, which is telnet. So if I open up my PuTTY and I go telnet, and I telnet to my MikroTik's IP, 192.168.0.1, I hit Open, I can telnet to my MikroTik... hang on, connection refused. I think I might have set something in my services, let's just quickly check there. Oh, I changed the service to 2323. All right, that's fine, let's just update that destination port to 2323. Sorry, that was from a previous lecture. And let's try and telnet again, 192.168.0.1, 2323. All right, there we go. Sorry, I just had the wrong service being used. So let's make it admin and blank. So now we know this is actually working. So what I'm going to do is I'm going to set an input rule for my source as my computer, the destination being the router, protocol being TCP, the port being the 2323, which is the telnet port I put in, and the action will be drop. So let's just enable that, and then what I'd like to do is open up a new PuTTY session and let's connect to 192.168.0.1 on port 2323 on telnet, and now I should get the connection refused as well. Actually, I might not even get anything. I just need to go to my firewall rules, and then we can see the packets are being captured and they are being dropped or enforced now. So now we've actually said that nobody from that range can telnet in, and again, you could also maybe do something like, we could remove the source address and we could do it on our in-interface. So we could put it on our WAN interface, so that would mean that nobody from our WAN, from our internet side, could telnet onto this router. We just add a lot of security to the device. So this is why we would use an input chain.

All right, now I want us to go over the final chain. So let's go into IP Firewall again, let me disable this old rule, and now what I want you to look at is, if we go back to our Paint diagram, we're going to get OUT traffic, and I might make this a nice blue colour. So OUT is short for the output chain. So I go to my firewall, I create a new rule, you'll see there's a chain for output, and all that output does is... output allows you to specify what traffic can leave from the router. So the router itself is the source, the router will be initiating the connections, and it might be going to something. So you can tell the router where it can and cannot go to, which is quite nice, because there might be some things that you don't want the router to be able to do. Maybe you don't want the router to broadcast stuff on OSPF, or maybe you don't want the router to be able to connect to some weird sites, and this is how you could effectively do that: you could add an IP firewall rule and just set it for the output chain, and then we don't even need to specify a source address here, we can just set the destination address, and I'm going to use Google's DNS server again just to show you how it works. So now we've got an output chain rule going to Google's DNS server, and I'm going to set the action to drop. And then I just want to open up a window before we implement this. So I'm going to ping 8.8.8.8, so there I can see the router can ping Google's DNS. But if I apply this rule now, can I ping 8.8.8.8? No. And I even get a message back from the router saying the packet is being rejected. And if we look at our firewall rules, we can see packets are hitting the firewall rule and it is being picked up. Great.

So that basically covers the different chains that you get: you get your forward, you get your input and your output chain, and how action reflects against them. We're going to end the video here, so I hope you enjoyed it, and I'll catch you in the next video; we will be doing some more cool firewall stuff.
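The three Winbox rules built in the video, written out as RouterOS terminal commands. This is an added example, not the video author's own script or a MikroTik default configuration. It uses the addresses from the video (PC 192.168.0.254, router 192.168.0.1, Google DNS 8.8.8.8, telnet moved to port 2323); the WAN interface name `ether1` and the `demo-` comments are assumptions. It also places the established/related accept and invalid drop that the video describes ahead of the demo drops, so that already-tracked sessions keep working while the rules are tested.

```routeros
# Connection tracking must be on (auto or yes) for any filter rule to work;
# the video sets it to yes explicitly.
/ip firewall connection tracking set enabled=yes

# Telnet was moved to 2323 in an earlier lecture; repeated here so the
# input-chain rule below matches something that actually listens.
/ip service set telnet port=2323

# Stateful baseline for traffic TO the router: let established/related
# packets through first, throw away invalid ones. Rule order matters:
# the firewall walks each chain top to bottom and stops at the first match.
/ip firewall filter add chain=input connection-state=established,related \
    action=accept comment="demo-state-accept"
/ip firewall filter add chain=input connection-state=invalid \
    action=drop comment="demo-state-invalid"

# FORWARD chain: traffic passing THROUGH the router. The PC (192.168.0.254)
# pinging 8.8.8.8 matches here, because neither end is the router itself.
/ip firewall filter add chain=forward src-address=192.168.0.254 \
    dst-address=8.8.8.8 protocol=icmp action=drop comment="demo-forward-icmp"

# INPUT chain: traffic whose DESTINATION is the router. Blocks telnet (2323)
# from the PC to the router's own address.
/ip firewall filter add chain=input src-address=192.168.0.254 \
    dst-address=192.168.0.1 protocol=tcp dst-port=2323 \
    action=drop comment="demo-input-telnet"

# INPUT chain, the WAN variant mentioned in the video: no source address,
# match on the incoming interface instead so nobody on the internet side
# can reach the telnet service. ether1 as the WAN port is an assumption.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=2323 action=drop comment="demo-input-telnet-wan"

# OUTPUT chain: traffic the router ITSELF originates. No source needed;
# the router pinging 8.8.8.8 from its own terminal matches here.
/ip firewall filter add chain=output dst-address=8.8.8.8 \
    action=drop comment="demo-output-dns"

# Reproduce the video's test from the router's own terminal (output chain):
/ping 8.8.8.8 count=3

# Check which rule caught what: packet/byte counters increase as traffic hits.
/ip firewall filter print stats where comment~"^demo-"

# Disable the demo drops again when done, as the video does after each test.
/ip firewall filter disable [find comment~"^demo-(forward|input|output)"]
```

Reading the counters with `print stats` is the quickest way to confirm which chain a packet actually took: a PC-to-internet ping only ever increments the forward rule, a PC-to-router telnet only the input rule, and a ping from the router's own terminal only the output rule. If the counter you expected stays at zero, the packet was either matched by an earlier rule in that chain (here the established/related accept, if the session already existed) or it belongs to a different chain than assumed.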
Info
Channel: The Network Berg
Views: 1,726
Rating: 5 out of 5
Keywords: #Routers, #MTCNA, #MTCRE, #MTCINE, #Networking, #Firewall, #MikroTik Firewall
Id: NXvHdZbAuTI
Channel Id: undefined
Length: 18min 13sec (1093 seconds)
Published: Fri Oct 29 2021