From 36d8ab2e0ec950b704d2b7d20c9cbf92bae69ea5 Mon Sep 17 00:00:00 2001
From: Sergei Bobkov
Date: Thu, 2 Jan 2025 22:38:18 +0300
Subject: [PATCH] Fix firewall input from localhost to localhost
---
 mikrotik/base-config/dc01-ccr01-terse.rsc | 1 +
 mikrotik/base-config/dc01-emer01-terse.rsc | 1 +
 mikrotik/base-config/dc01-gw01-terse.rsc | 1 +
 mikrotik/base-config/dc01-sw01-terse.rsc | 1 +
 mikrotik/base-config/dc01-sw02-terse.rsc | 1 +
 5 files changed, 5 insertions(+)
diff --git a/mikrotik/base-config/dc01-ccr01-terse.rsc b/mikrotik/base-config/dc01-ccr01-terse.rsc
index b403c1a..e0cd3ca 100644
--- a/mikrotik/base-config/dc01-ccr01-terse.rsc
+++ b/mikrotik/base-config/dc01-ccr01-terse.rsc
@@ -96,6 +96,7 @@
 /ip firewall filter add action=accept chain=allow-default-for-all protocol=icmp
 /ip firewall filter add action=accept chain=allow-default-buh protocol=icmp
 /ip firewall filter add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSPORT LINK <--> OUTSIDE (to dc01-gw01)" connection-state=new dst-address-list=!all-networks out-interface=sfp-sfpplus12 src-address-list=all-networks
+/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
 /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
 /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
 /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
diff --git a/mikrotik/base-config/dc01-emer01-terse.rsc b/mikrotik/base-config/dc01-emer01-terse.rsc
index 3c0649b..c124835 100644
--- a/mikrotik/base-config/dc01-emer01-terse.rsc
+++ b/mikrotik/base-config/dc01-emer01-terse.rsc
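Review bot: The new `in-interface=lo` accept on ccr01 is placed as the last accept in the hunk, directly above the reject/drop tail, so every router-originated packet to its own address is first evaluated against the forward and allow-default-* rules above it before it is admitted; if the input chain has an `established,related` accept above this hunk (not visible here), putting the loopback rule immediately after it is cheaper and makes the exemption easier to audit. The comment ends in a trailing space, unlike the neighbouring comments, and does not record what the commit title's "localhost to localhost" fix actually repaired, which a reader of a default-deny chain will want to know: `comment="allow INPUT from lo -->> ME (router-originated traffic to its own addresses; without it the reject/drop tail breaks local services)"`. As far as I know `lo` is a named interface only on RouterOS v7, so if any of these devices still run v6 this line fails to import and the ruleset is applied half-way; a note in the file header or a version check before the import would avoid that. The rest of the input chain lies outside the hunk.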
@@ -57,6 +57,7 @@
 /ip firewall filter add action=accept chain=input connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=213.141.150.29
 /ip firewall filter add action=accept chain=input dst-address=172.20.1.0/24 in-interface=bridge-local protocol=icmp src-address=172.20.1.0/24
 /ip firewall filter add action=accept chain=input connection-state=new dst-address=172.20.1.0/24 dst-port=22,8291 in-interface=bridge-local protocol=tcp src-address=172.20.1.0/24
+/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
 /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
 /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
 /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
diff --git a/mikrotik/base-config/dc01-gw01-terse.rsc b/mikrotik/base-config/dc01-gw01-terse.rsc
index c1c622b..a7d0c3c 100644
--- a/mikrotik/base-config/dc01-gw01-terse.rsc
+++ b/mikrotik/base-config/dc01-gw01-terse.rsc
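Review bot: On emer01 the added loopback accept carries no `connection-state`, protocol or address qualifier, whereas every other accept in the hunk is narrowed to `connection-state=new` plus a port set or ICMP and a source; that breadth is appropriate for `in-interface=lo`, since nothing arriving on `ether1-outside` or `bridge-local` can match it, but the rule should say so, or the next reader will see it as the loosest rule on an internet-facing input chain. Suggested wording: `comment="allow INPUT from lo -->> ME (all protocols/states; only router-originated packets can arrive on lo)"`, also dropping the trailing space. Worth confirming that this box runs RouterOS v7, where `lo` exists as a named interface; on v6 the line is rejected at import and the chain stays as it was. The hunk shows only the last accepts and the reject/drop tail; the top of the input chain is outside it.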
@@ -128,6 +128,7 @@
 /ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=ether8-mgmt protocol=tcp src-address-list=admin-mgm-net
 /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp src-address-list=admin-L2TP-VPN-mgm
 /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,8291 in-interface-list=dynamic protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
 /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
 /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
 /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
diff --git a/mikrotik/base-config/dc01-sw01-terse.rsc b/mikrotik/base-config/dc01-sw01-terse.rsc
index 6982c4c..cceadf5 100644
--- a/mikrotik/base-config/dc01-sw01-terse.rsc
+++ b/mikrotik/base-config/dc01-sw01-terse.rsc
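Review bot: The loopback rule is the only accept in this gw01 hunk without the `FID=… ADMIN-FID` tag the adjacent management rules carry in their comments; if that tag is how rules are tracked or generated on the gateway, the new line should either carry an equivalent identifier or state that it is a hand-written base rule, e.g. `comment="allow INPUT from lo -->> ME (base rule; only router-originated packets arrive on lo)"`, and the trailing space in the comment should go. Being the internet-facing gateway, gw01 is where the `lo` match matters most to get right: `in-interface=lo` cannot be satisfied by anything arriving on `ether8-mgmt` or the dynamic L2TP interfaces, so the rule does not widen external exposure, but that reasoning is recorded nowhere in the file. Unrelated to this commit but visible in the hunk, the management accept above still admits TCP/21 (FTP) from the admin network; a follow-up removing cleartext FTP from that port list seems worthwhile. The rest of the input chain is outside the hunk.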
@@ -56,6 +56,7 @@
 /ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
 /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
 /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
 /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
 /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
 /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
diff --git a/mikrotik/base-config/dc01-sw02-terse.rsc b/mikrotik/base-config/dc01-sw02-terse.rsc
index 35e057c..8bbe204 100644
--- a/mikrotik/base-config/dc01-sw02-terse.rsc
+++ b/mikrotik/base-config/dc01-sw02-terse.rsc
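Review bot: Position and wording of the new loopback accept on sw01 look copied rather than decided: it lands as the last accept before the reject/drop tail and its comment `"allow INPUT from lo -->> ME "` carries a trailing space that none of the neighbouring comments have. Since the rule is the same on all five devices, pick its place once and mirror it; if the chain opens with an `established,related` accept (above this hunk, not visible), the loopback rule belongs right after it, as `comment="allow INPUT from lo -->> ME (router-originated traffic to its own addresses)" in-interface=lo`. Confirm sw01 runs RouterOS v7, where `lo` is a named interface, before importing this file. The rest of the input chain is outside the hunk.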
@@ -56,6 +56,7 @@
 /ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
 /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
 /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
 /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
 /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
 /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
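Review bot: The sw02 hunk is line-for-line identical to sw01's, including the trailing space in the new comment `"allow INPUT from lo -->> ME "`, which is a sign these two files are maintained by hand-copying; a drift in one of them (a rule added to sw01 but not sw02, or vice versa) would not be caught, so generating both from one template, or at least a diff check between them in review, would be worth the effort. For the new rule itself, the comment should explain the exemption rather than restate the match: `comment="allow INPUT from lo -->> ME (router-originated only; nothing from VLAN-0010 can carry in-interface=lo)"`. As on the other devices, `lo` as a named interface presumes RouterOS v7; confirm before import. The rest of the input chain is outside the hunk.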