Mikrotik RouterOS – “drop all from WAN not DSTNATed”

The default DSTNATed firewall rule keeps traffic from the WAN accessing LAN side IP addresses.

More info here

Printing the rules on a router with the default config should show the following.

;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-nat-state=!dstnat in-interface=ether1

If you are wanting to add the rule to a router, you can copy and past the following command. Replace in-interface=ether with your in interface.

/ip firewall add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface=ether1

Check if Mikrotik is an Open DNS Resolver

https://www.openresolver.com

You can test if a router is acting as an open DNS resolver by running the following command from a Linux terminal. If you need to install dig, refer to here for Debian/Ubuntu and here for RPM/CentOS/Fedora Distros.

Replace 192.168.88.1 with the host you want to test against.

dig +short test.openresolver.com TXT @192.168.88.1

If you receive the following

"open-resolver-detected"

The router is acting as an open resolver.

If you get

;; connection timed out; no servers could be reached

Then you are unable to use that router to resolve DNS.

Example running the command against a Mikrotik router with Remote DNS turned on Then adding a firewall rule to block unwanted request.

bob@localhost:~$ dig +short test.openresolver.com TXT @192.168.88.1
"open-resolver-detected"
bob@localhost:~$ 
<<-- Put firewall rule on router -->>
bob@localhost:~$ dig +short test.openresolver.com TXT @192.168.88.1
;; connection timed out; no servers could be reached  
bob@localhost:~$ 

Extra notes

If you have firewall rules allowing your IP address to use the router for DNS, then the above command to test will show it as an Open Resolver. Ideally you would want a connection from the outside to test. Or you can use this link and test it from the website. https://www.openresolver.com

FreeBSD 7 Allow IP range to SSH to server – IPF

Edit IPF config

vi /etc/ipf.rules

Hit “i” to enter insert mode and add the following to allow SSH from the 192.168.0.0/24 ip range. Change range if needed.

pass    in     quick on bge0 proto tcp from 192.168.0.0/24 to any port = 22 flags S keep state

Save and exit the file by hitting “Esc” then typing “:wq” followed by enter.

And start IPF with new rules

ipf -Fa -f /etc/ipf.rules

cPanel unable to access locally hosted domains

Check and verify that DNS is not being blocked upstream by a firewall. Behavior is weird, the server can get out to the internet, access to the servers IP address is available, but can’t ping domains that are locally hosted. Are also unable to ping the domains from the internet in.

To resolve the issue either disable the DNS firewall rules, or better yet add some rules to allow access to the cPanel server.

semanage Allow and Delete ports in CentOS

The commands are for CentOS, but should work on Fedora and RedHat.

If semanage is not installed refer to here.

You would typically use this along with the systems firewall to allow a port through.  Guide for firewalld and iptables.  If you change it in the firewall and fail to add/edit it in semanage you can potentially get weird behavior like sshd not wanting to start after changing the port.

Add port

semanage port -a -t ssh_port_t -p tcp 2222

The above command allows the sshd service to start, using port 2222.

List allowed ports

semanage port -l

You can use grep to filter the results

Example:

[admin@localhost ~]# semanage port -l | grep ssh
ssh_port_t tcp 2222, 22
[admin@localhost ~]#

Delete port

semanage port -d -p tcp 2222

Other examples

Allow SNMP

semanage port -a -t snmp_port_t -p udp 161

 

Allow KDE Connect through firewall

Firewalld

sudo firewall-cmd --zone=public --permanent --add-port=1714-1764/tcp
sudo firewall-cmd --zone=public --permanent --add-port=1714-1764/udp
sudo systemctl restart firewalld.service

UFW firewall

sudo ufw allow 1714:1764/udp
sudo ufw allow 1714:1764/tcp
sudo ufw reload

More information https://community.kde.org/KDEConnect

Setting up SNMP V3 on CentOS

Install SNMP.

yum install net-snmp net-snmp-utils

Configure the SNMP V3 user by running the following command and then following the prompts it gives you.

net-snmp-create-v3-user

Example: The username is “snmpadmin” and the password is”r123456″

[root@localhost ~]# net-snmp-create-v3-user
Enter a SNMPv3 user name to create:
snmpadmin
Enter authentication pass-phrase:
r123456
Enter encryption pass-phrase:
  [press return to reuse the authentication pass-phrase]

adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser snmpadmin MD5 "r123456" DES
adding the following line to /etc/snmp/snmpd.conf:
   rwuser snmpadmin
[root@localhost ~]#

Change the syslocation and syscontact in the /etc/snmp/snmpd.conf file.

vi /etc/snmp/snmpd.conf

Start snmpd service

service snmpd start

Configure snmp to start on system boot.

chkconfig snmpd on

Test and make sure snmp is working

replace “password” and “username” with the ones you setup when you created the SNMP V3 user.

snmpwalk -v3 -a MD5 -A password -x DES -X password -l authPriv -u privuser localhost

If you receive something like “snmpwalk: Timeout” then something is not working correctly.  Check to make sure the service is started, and make sure that your firewall is not blocking SNMP.

If you are running a firewall, run the following commands to allow it through.

firewall-cmd --zone=public --add-port=161/udp --permanent
semanage port -a -t snmp_port_t -p udp 161
firewall-cmd --reload

On iptables you should be able to do

 iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 161 -j ACCEPT

or add it to /etc/sysconfig/iptables and then restart iptables

How to Allow a Port Through Firewalld

Note: If you have SELinux enabled you’ll need to allow the port in semanage.

Basic syntax

 firewall-cmd --zone=public --add-port=(port number)/(protocal)

So the command to allow port 80 through the firewall would be

firewall-cmd --zone=public --add-port=http/tcp
or
firewall-cmd --zone=public --add-port=80/tcp

The above command only works for the running instance of firewalld.  If you want to add the port permanetely you need to run the above command and then run it again with “–permanent” added to the end of the command.

example:

firewall-cmd --zone=public --add-port=http/tcp
firewall-cmd --zone=public --add-port=http/tcp --permanent

How to Allow Ping Through Windows Firewall

Open up Windows Firewall with Advanced Security.

You can do this by going to
Control Panel –> System and security –> Windows Firewall –> Advanced settings

Or hit the Windows key and type in firewall and hit enter

Select Inbound rules and then add a New Rule.  On the New Inbound Rule Wizard select Custom for the type of rule and hit next.  Allow All programs and then hit next again.  Select ICMPv4 as the Protocol type and if you want you can specify the ICMP types by clicking on the Customize button.  Finish running through the wizard give it a name etc. and click Finish when your done.