As I understand it, the default rule for forward and output is accept, and the 
default rule for input is reject.  So having no forward rules is the same as 
accepting all forward traffic.

Maybe I'm missing it somewhere in the block of text, but where's your firewall 
filter input accept rule for port 21?


On Jun 11, 2014, at 10:51 AM, Casey Mills <[email protected]> wrote:

> I assume 172.250.x.x is your WAN IP.
> 
> I don't see a need to specify dst-address in this rule; you are already
> specifying the in-interface.
> add action=dst-nat chain=dstnat comment="FTP for Work"
> dst-address=172.250.x.x dst-port=21 in-interface=ether1-gateway
> protocol=tcp to-addresses=192.168.200.200 to-ports=21
> 
> My RB2011 came with a few forward table filter rules that might come in
> handy.
> add chain=forward comment="default configuration"
> connection-state=established
> add chain=forward comment="default configuration" connection-state=related
> add action=drop chain=forward comment="default configuration"
> connection-state=invalid
> 
> Casey
> 
> 
> 
> 
> On Wed, Jun 11, 2014 at 12:46 PM, Jerry Roy <[email protected]> wrote:
> 
>> All,
>> 
>> This was working and now it's not. Can someone suggest what is wrong with
>> this? I have an ftp server sitting on the LAN at 192.168.200.200. I want to
>> access it from anywhere. I exported my FW and Nat rules below. Thanks for
>> looking :)
>> 
>> /ip firewall filter
>> add action=drop chain=input comment="drop ssh brute forcers" dst-port=22
>> protocol=tcp src-address-list=ssh_blacklist
>> add action=add-src-to-address-list address-list=ssh_blacklist
>> address-list-timeout=1w3d chain=input connection-state=new dst-port=22
>> protocol=tcp \
>>    src-address-list=ssh_stage3
>> add action=add-src-to-address-list address-list=ssh_stage3
>> address-list-timeout=1m chain=input connection-state=new dst-port=22
>> protocol=tcp src-address-list=\
>>    ssh_stage2
>> add action=add-src-to-address-list address-list=ssh_stage2
>> address-list-timeout=1m chain=input connection-state=new dst-port=22
>> protocol=tcp src-address-list=\
>>    ssh_stage1
>> add action=add-src-to-address-list address-list=ssh_stage1
>> address-list-timeout=1m chain=input connection-state=new dst-port=22
>> protocol=tcp
>> add chain=input comment="default configuration - icmp" protocol=icmp
>> add chain=input comment=established connection-state=established
>> add chain=input comment=related connection-state=related
>> add chain=input dst-port=22,443,8728,8291 protocol=tcp
>> add action=drop chain=input comment="default configuration"
>> in-interface=ether1-gateway
>> /ip firewall nat
>> add action=masquerade chain=srcnat comment="default configuration"
>> out-interface=ether1-gateway to-addresses=0.0.0.0
>> add action=dst-nat chain=dstnat comment="Den Camera" dst-port=8080
>> protocol=tcp to-addresses=192.168.200.90 to-ports=8080
>> add action=dst-nat chain=dstnat comment="FTP for Work"
>> dst-address=172.250.x.x dst-port=21 in-interface=ether1-gateway
>> protocol=tcp to-addresses=\
>>    192.168.200.200 to-ports=21
>> add action=dst-nat chain=dstnat dst-address=172.250.x.x dst-port=20
>> in-interface=ether1-gateway protocol=tcp to-addresses=192.168.200.200
>> to-ports=20
>> add action=dst-nat chain=dstnat dst-address=172.250.x.x dst-port=5000-6000
>> in-interface=ether1-gateway protocol=tcp to-addresses=192.168.200.200
>> to-ports=\
>>    5000-6000
>> add action=dst-nat chain=dstnat comment=Xbox dst-address=172.250.x.x
>> dst-port=88,3074 in-interface=ether1-gateway protocol=tcp
>> to-addresses=192.168.200.93 \
>>    to-ports=3074
>> add action=dst-nat chain=dstnat dst-address=172.250.x.x dst-port=3074
>> in-interface=ether1-gateway protocol=udp to-addresses=192.168.200.93
>> to-ports=3074
>> /ip firewall service-port
>> set ftp disabled=yes ports=99
>> set tftp disabled=yes
>> set irc disabled=yes
>> set pptp disabled=yes
>> [admin@RB2011UAS-2HnD] /ip firewall>
>> 
>> 
>> *Jerry Roy*
>> Sr. Systems Engineer
>> MTCNA/MTCRE/MTCTCE
>> 
>> 
>> 1 949 681 5054
>> 1 562 305 9545 Cell
>> 
>> Unity Network Services
>> 
>> *An iPass Company*
>> 125 Technology Drive
>> Suite 100
>> Irvine, CA 92618
>> _______________________________________________
>> Mikrotik mailing list
>> [email protected]
>> http://mail.butchevans.com/mailman/listinfo/mikrotik
>> 
>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
>> RouterOS
>> 

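One way to check which rule a given packet actually hits in the exported config above, as an added example written for this page (not code from the thread or from MikroTik): a small Python evaluator for the quoted `/ip firewall filter` lines. It assumes RouterOS semantics of first match wins, a rule with no `action` accepts, and a chain with no matching rule falls through to the default accept; the `ssh_*` address-list rules are left out because they depend on list state. A connection dst-natted to 192.168.200.200 is routed traffic and is therefore checked by the forward chain, not by input.

```python
import shlex

# Constructed sample: the input-chain rules from the export quoted in the
# thread, minus the ssh_* address-list rules (those need address-list state).
EXPORT = r"""
/ip firewall filter
add chain=input comment="default configuration - icmp" protocol=icmp
add chain=input comment=established connection-state=established
add chain=input comment=related connection-state=related
add chain=input dst-port=22,443,8728,8291 protocol=tcp
add action=drop chain=input comment="default configuration" \
    in-interface=ether1-gateway
"""

def parse_rules(text):
    """Join backslash-continued lines, then turn each 'add ...' into a dict."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def _port_matches(port, spec):
    """spec uses RouterOS syntax: a list like '22,443' and/or a range '5000-6000'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _rule_matches(rule, pkt):
    for key, want in rule.items():
        if key in ("chain", "action", "comment"):
            continue
        if key == "dst-port":
            if pkt.get("dst-port") is None or not _port_matches(pkt["dst-port"], want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(rules, pkt):
    """First matching rule in the packet's chain wins; a rule without an
    explicit action accepts; no match falls through to the default accept."""
    for i, rule in enumerate(rules):
        if rule.get("chain") == pkt["chain"] and _rule_matches(rule, pkt):
            return rule.get("action", "accept"), i
    return "accept", None

RULES = parse_rules(EXPORT)

def trace(chain, protocol, dst_port, in_iface, state="new"):
    pkt = {"chain": chain, "protocol": protocol, "dst-port": dst_port,
           "in-interface": in_iface, "connection-state": state}
    return evaluate(RULES, pkt)

if __name__ == "__main__":
    # A new TCP/21 connection aimed at the router itself from the WAN side
    # falls through to the final drop rule ...
    print(trace("input", "tcp", 21, "ether1-gateway"))    # ('drop', 4)
    # ... while the same packet dst-natted to the LAN host is routed and only
    # sees the forward chain, which has no rules at all in this export.
    print(trace("forward", "tcp", 21, "ether1-gateway"))  # ('accept', None)
```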