mikrotik firewall

each firewall module (called as table in iptables) has its own predefined chain

  • raw: dipakai sebelum data dilihat oleh conntrack, NAT, masuk routing, dll. intinya di sinilah proses early sebelum benar2 di proses. karna belum sampai ke conntrack, maka akan sangat fast, dipakai untuk mitigasi ddos

    karna statenya ada sebelum conntrack, maka tidak ada status kayak estab, dll, tapi sangat fast + low cpu, only raw matching

    Karna raw table melihat packet sebelum NAT, maka

    • Destination IPs are still the original IPs from the client
    • Source IPs haven't been changed by masquerade or src-nat yet

    chain chain nya

    • prerouting: packet yang datang dari luar just sebelum masuk conntrack
    • output: packet yang digenerate oleh aplikasi, juga statenya sebelum di track oleh conntrack

    contoh

    • /ip firewall raw add chain=prerouting src-address=8.8.8.8 action=drop

    tambahan:

    letak raw di packet flow

    IN → RAW → MANGLE (pre) → CONNECTION TRACKING → NAT (dstnat) → FILTER (input/forward) → MANGLE (post) → NAT (srcnat) → OUT

  • filter

    • input
    • forward
    • output

  • mangle

    • prerouting
    • input
    • forward
    • output
    • postrouting

  • nat

    • srcnat
    • dstnat

chains

RouterOS consist of a few default chains. These chains allow you to filter packets at various points:

  • The PREROUTING chain: Rules in this chain apply to packets as they just arrive on the network interface. This chain is present in the nat, mangle and raw tables.
  • The INPUT chain: Rules in this chain apply to packets just before they’re given to a local process. This chain is present in the mangle and filter tables.
  • The OUTPUT chain: The rules here apply to packets just after they’ve been produced by a process. This chain is present in the raw, mangle, nat, and filter tables.
  • The FORWARD chain: The rules here apply to any packets that are routed through the current host. This chain is only present in the mangle and filter tables.
  • The POSTROUTING chain: The rules in this chain apply to packets as they just leave the network interface. This chain is present in the nat and mangle tables.