Firewall (Input Chain)

Yaser Rahmati | یاسر رحمتی

The Input Chain in MikroTik is used to filter traffic that is destined for the router itself. This includes traffic like SSH, Winbox, API access, and pings to the router's IP address. Understanding how to configure the Input Chain properly is crucial for securing your MikroTik router.

Here’s a step-by-step guide to configuring the Input Chain with a practical example:

1. Scenario Setup

Imagine you have a MikroTik router connected to the internet, and you want to secure the router by allowing only specific traffic:

  • Allow SSH access (port 22) from a specific IP address (e.g., 192.168.1.100).

  • Allow Winbox access (port 8291) only from the local network (e.g., 192.168.1.0/24).

  • Allow ICMP (ping) from the local network.

  • Block all other incoming traffic to the router.

2. Access the MikroTik Router

First, log in to your MikroTik router using Winbox, or SSH if you already have access.

3. Open the Firewall Configuration

  1. Navigate to IP -> Firewall in the left menu.

  2. Select the “Filter Rules” tab to start creating firewall rules.

4. Add Firewall Rules to the Input Chain

Rule 1: Allow Established and Related Connections

This rule ensures that traffic belonging to an established or related connection (for example, the replies to connections the router itself initiated or has already accepted) is allowed without being re-checked by the rules below it.

  • Chain: input

  • Connection State: established, related

  • Action: accept

  • Comment: "Allow established and related connections"

Steps:

  1. Click on the "+" sign to add a new rule.

  2. In the General tab, set the Chain to input.

  3. Go to the Advanced tab and set Connection State to established, related.

  4. In the Action tab, set the Action to accept.

  5. Add a comment for clarity.

  6. Click OK to save the rule.

Rule 2: Allow SSH Access from a Specific IP

This rule will allow SSH access to the router only from a specific IP address.

  • Chain: input

  • Protocol: tcp

  • Dst. Port: 22

  • Src. Address: 192.168.1.100

  • Action: accept

  • Comment: "Allow SSH from specific IP"

Steps:

  1. Click on the "+" sign to add a new rule.

  2. In the General tab, set the Chain to input.

  3. Set the Protocol to tcp.

  4. Set the Dst. Port (destination port) to 22.

  5. Set the Src. Address (source address) to 192.168.1.100.

  6. In the Action tab, set the Action to accept.

  7. Add a comment for clarity.

  8. Click OK to save the rule.

Rule 3: Allow Winbox Access from the Local Network

This rule allows Winbox access to the router only from devices within the local network.

  • Chain: input

  • Protocol: tcp

  • Dst. Port: 8291

  • Src. Address: 192.168.1.0/24

  • Action: accept

  • Comment: "Allow Winbox from local network"

Steps:

  1. Click on the "+" sign to add a new rule.

  2. In the General tab, set the Chain to input.

  3. Set the Protocol to tcp.

  4. Set the Dst. Port to 8291.

  5. Set the Src. Address to 192.168.1.0/24.

  6. In the Action tab, set the Action to accept.

  7. Add a comment for clarity.

  8. Click OK to save the rule.

Rule 4: Allow ICMP (Ping) from the Local Network

This rule allows ping requests from devices within the local network.

  • Chain: input

  • Protocol: icmp

  • Src. Address: 192.168.1.0/24

  • Action: accept

  • Comment: "Allow ICMP from local network"

Steps:

  1. Click on the "+" sign to add a new rule.

  2. In the General tab, set the Chain to input.

  3. Set the Protocol to icmp.

  4. Set the Src. Address to 192.168.1.0/24.

  5. In the Action tab, set the Action to accept.

  6. Add a comment for clarity.

  7. Click OK to save the rule.

Rule 5: Block All Other Incoming Traffic

This rule blocks all other incoming traffic to the router that doesn’t match the above rules.

  • Chain: input

  • Action: drop

  • Comment: "Drop all other inbound traffic"

Steps:

  1. Click on the "+" sign to add a new rule.

  2. In the General tab, set the Chain to input.

  3. In the Action tab, set the Action to drop.

  4. Add a comment for clarity.

  5. Click OK to save the rule.

  6. Place this rule at the bottom of the rule list, so it only applies if none of the above rules are matched.
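The same five rules entered from the RouterOS terminal instead of the Winbox dialogs. This is an added example, not part of the original tutorial; the addresses, ports and comments are the ones used in the scenario above, and the rule set assumes the router offers the local network no other services (a router that is also the LAN's DNS resolver, for instance, would need a matching accept rule ahead of the drop).

```routeros
# Added example: the five Input Chain rules from the tutorial as RouterOS CLI
# commands (type them into a terminal, or save as an .rsc file and /import it).
# Addresses and ports are the scenario's own; values on a real router differ.
# Rules are appended in the order given here and evaluated top to bottom,
# so the final drop rule must be entered last.

# Toggle safe mode first (Ctrl-X in the terminal): if the session is lost
# before safe mode is toggled off again, every change made in it is rolled
# back, which protects against locking yourself out with the drop rule.

/ip firewall filter

# Rule 1: replies for connections the router already accepted or started
add chain=input connection-state=established,related action=accept comment="Allow established and related connections"

# Rule 2: SSH (tcp/22) only from the single management host
add chain=input protocol=tcp dst-port=22 src-address=192.168.1.100 action=accept comment="Allow SSH from specific IP"

# Rule 3: Winbox (tcp/8291) only from the local network
add chain=input protocol=tcp dst-port=8291 src-address=192.168.1.0/24 action=accept comment="Allow Winbox from local network"

# Rule 4: ICMP (ping) only from the local network
add chain=input protocol=icmp src-address=192.168.1.0/24 action=accept comment="Allow ICMP from local network"

# Rule 5: everything else aimed at the router itself is dropped
add chain=input action=drop comment="Drop all other inbound traffic"
```

Because `add` appends, entering the drop rule anywhere but last would put it above an accept rule and silently break that rule; `/ip firewall filter print` shows the resulting order before you leave safe mode.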

5. Review and Reorder Rules

  • Ensure that the rules are in the correct order. The established and related connections rule should be at the top, followed by the allow rules, and finally, the drop all other inbound traffic rule.

  • The order of the rules matters because MikroTik evaluates them from top to bottom, and the first rule that matches a packet decides what happens to it.

6. Apply and Test the Configuration

  • Test SSH Access: Attempt to SSH into the router from the allowed IP address and ensure it works. Also, test from a different IP to ensure it’s blocked.

  • Test Winbox Access: Try accessing the router using Winbox from the local network to ensure it works.

  • Test ICMP (Ping): Ping the router from a device within the local network and ensure it responds.
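Checking the rule order (step 5) and confirming the tests in step 6 from the RouterOS terminal. This is an added example, not from the original tutorial; it uses the rule comments given in step 4 to find the rules, and the `move` and counter commands are standard RouterOS CLI.

```routeros
# Added example: verify and repair rule order, then use per-rule packet
# counters to confirm that each test in step 6 hits the rule you expect.
# Rule comments are the ones assigned in step 4.

# List the input chain in evaluation order; the number in the first column
# is the position RouterOS walks from top (0) to bottom.
/ip firewall filter print where chain=input

# If rules were entered out of order, move them instead of re-adding them.
# Put the established/related rule at position 0, i.e. before the current item 0:
/ip firewall filter move [find comment="Allow established and related connections"] destination=0
# With no destination, move places the item at the end of the list:
/ip firewall filter move [find comment="Drop all other inbound traffic"]

# Zero the packet/byte counters, run the tests from step 6, then read them back.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=input
# An SSH attempt from 192.168.1.100 increments "Allow SSH from specific IP";
# the same attempt from any other address increments the drop rule instead.
# For a correctly ordered chain, unexpected traffic should only ever move
# the counter on the final drop rule.
```

Reading the counters is the quickest way to catch an accept rule that never matches (counter stays at zero) or a drop rule that is catching traffic an accept rule above it was meant to allow.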

7. Monitoring and Logging

You can enable logging for certain rules if you need to monitor which traffic is being allowed or blocked:

  • In the Action tab of a rule, set Action to log or check the Log option before accepting or dropping traffic.

  • Logs can be viewed under System -> Log.
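Both logging options from step 7 applied to the drop rule from the terminal, plus how to read the resulting entries. This is an added example, not from the original tutorial; the `input-drop:` prefix is a chosen label, and the syslog address in the last two lines is a placeholder.

```routeros
# Added example: logging the traffic the final drop rule discards, using the
# two options described in step 7. The rule comment is the one from step 4;
# the log prefix is an arbitrary label chosen here.

# Option A: tick "Log" on the existing drop rule. The same rule logs the
# packet and drops it; the prefix makes the entries easy to filter later.
/ip firewall filter set [find comment="Drop all other inbound traffic"] log=yes log-prefix="input-drop: "

# Option B: a dedicated rule with action=log. log is not a terminating action:
# the packet is recorded and evaluation continues with the next rule, so the
# rule must sit directly above the drop rule to log exactly what that rule drops.
/ip firewall filter add chain=input action=log log-prefix="input-drop: " place-before=[find comment="Drop all other inbound traffic"]

# Read the entries: each firewall log line carries the prefix, chain,
# in-interface, protocol and src->dst addresses/ports of the dropped packet.
/log print where topics~"firewall"
/log print where message~"input-drop"

# Optional: keep a copy off the router (192.0.2.10 is a placeholder for
# your syslog host).
/system logging action set remote remote=192.0.2.10
/system logging add topics=firewall action=remote
```

Use one option or the other, not both, or every dropped packet is logged twice. The in-memory log is a ring buffer (1000 lines by default on the `memory` action), so on an internet-facing router the drop entries can roll over within minutes; sending them to a remote syslog host is what keeps them available for investigation.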

Summary

By following these steps, you’ve set up a firewall on the Input Chain of a MikroTik router. The configuration accepts only the management and diagnostic traffic you listed and drops everything else aimed at the router, which limits the router's exposure to unwanted traffic.

Keywords

MikroTik, RouterOS, RouterBOARD, wireless networking, ISP, WISP, networking equipment, routers, switches, Cloud Core Router, CCR, SXT, LTE integration, 5G, cybersecurity, network security, networking software, networking hardware, Latvia, John Trully, Arnis Riekstiņš, MikroTik Academy, MUM events, network management, hotspot, VLAN, firewall, VPN, QoS, bandwidth management, traffic shaping, wireless access point, CAPsMAN, WinBox, PoE, mesh networking, routing protocols, MPLS, OSPF, BGP, MikroTik training

