In my previous post, I explained how to block unwanted traffic from your network. As the Internet as about sharing information, at some point you’ll want to allow specific traffic through your router. Generally you want these rules sandwiched between your rules looking for bad traffic and the final rules to drop any leftover unknown traffic (in essence, drop traffic that we don’t explicitly allow here). Listed below are some examples:
Router LAN IP: 192.168.25.1
Server LAN IP: 192.168.25.50
Server WAN IP: 10.0.0.20
Redundant Router WAN IP: 10.0.0.10
Allow Invited Traffic Back In
This emulates basic NAT traversal theory, as we want to block uninvited incoming traffic, but allow traffic across those ports to come back in once the connection is established (in short, don’t allow people inside your network unless someone inside your network has invited the traffic in).
/ip firewall filter add chain=forward connection-state=established action=accept comment="Play nice with invited traffic, part 1" add chain=forward connection-state=related action=accept comment="Play nice with invited traffic, part 2"
Ping Responder (ICMP)
/ip firewall filter add chain=input protocol=icmp action=accept comment="Respond to ICMP" add chain=forward dst-to-address="192.168.25.50" protocol=icmp action=accept comment="If I have a public IP I'm forwarding directly to a server, I may want to add this, otherwise leave this out"
/ip firewall filter add chain=forward dst-to-address="192.168.25.50" protocol=tcp dst-port=21 action=accept comment="Allow FTP Control Port" add chain=forward dst-to-address="192.168.25.50" protocol=tcp dst-port=20 action=accept comment="Allow FTP Transfer Port" add chain=forward dst-to-address="192.168.25.50" protocol=tcp dst-port=10000-10019 action=accept comment="Allow limited Passive FTP port range"
/ip firewall filter add chain=input protocol=ipsec-ah src-address=10.0.0.10/32 action=accept comment="Allow Encrypted VRRP Traffic"
/ip firewall filter add chain=forward dst-to-address="192.168.25.50" protocol=tcp dst-port=80 action=accept comment="Allow HTTP" add chain=forward dst-to-address="192.168.25.50" protocol=tcp dst-port=443 action=accept comment="Allow HTTPS"
For a full list of of known Ports, check out this great Wikipedia article has to say about it.