Firewall RAW Table: Mikrotik User Meeting London, November 14, 2016 Achmad Mardiansyah GLC Networks, Indonesia
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
www.glcnetworks.com
Agenda
● Introduction
● Firewall
● Raw table
● Demo
● Q&A
What is GLC?
Trainer Introduction
Where is Indonesia?
About Telkom University
Mikrotik academy @ TEL-U
● Started in 2013
● Embedded into schools curricula
● 100% hands-on
● Get MTCNA certification
Mikrotik in Indonesia
Firewall
What is Mikrotik firewall?
● A feature to:
○ Control network access (filter)
○ Modify network headers (NAT)
○ Mark packets for further processing (mangle)
● Developed from the Linux firewall
● Consists of 2 parts: matcher & action
● Executed sequentially
● The netadmin must understand the application's characteristics in order to build a matcher (e.g. browsing -> uses TCP port 80)
How does the firewall work?
● Set up the matcher -> then the action
● Mikrotik has lots of options for the matcher -> very flexible
● Matcher + Action = Firewall rule
● Rules are executed sequentially
Where is the packet processed?
A: see packet flow
Note: IPsec is removed in this diagram
What's the difference between forward and input? (diagram showing the FORWARD and INPUT chains)
On which chain can you apply filter?
On which chain can you apply NAT?
On which chain can you apply mangle?
Which processes could take more CPU power?
Common place to block DDoS attacks? We use the filter table (which still consumes CPU power)
Raw table
Packet flow for raw table
Raw table matchers and actions
● No parameters related to connection tracking (l7-filter, connection-mark, bytes, etc.)
Demo
Combined with connection-limit and address list
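The combination this slide refers to, as an added RouterOS configuration example that is not from the presentation: a filter rule (where connection tracking is available, so connection-limit works) adds abusive sources to an address list, and a raw rule in prerouting then drops their packets before connection tracking sees them. The list name, the connection threshold and the timeout are assumed values.

```routeros
# Added example, not from the presentation. The list name "ddos-src",
# the threshold 100,32 and the timeout 1d are assumed values.

# 1. Filter table: connection tracking is available here, so the
#    connection-limit matcher can count concurrent TCP connections per
#    source (/32). A source above the limit is added to the address
#    list for one day instead of being dropped rule-by-rule here.
/ip firewall filter
add chain=forward protocol=tcp connection-limit=100,32 \
    action=add-src-to-address-list address-list=ddos-src \
    address-list-timeout=1d \
    comment="flag sources that exceed the connection limit"

# 2. Raw table: runs before connection tracking, so no conntrack
#    matchers exist, but src-address-list does. Packets from listed
#    sources are dropped in prerouting and never reach conntrack or
#    the filter chains, which is what saves CPU during a flood.
/ip firewall raw
add chain=prerouting src-address-list=ddos-src action=drop \
    comment="drop flagged sources before connection tracking"

# Verification: the list should fill during a flood and the raw rule's
# packet counter should grow while the filter counters stay low.
/ip firewall address-list print where list=ddos-src
/ip firewall raw print stats
```

Connections a listed source already had in the tracking table are not torn down by the raw rule; they simply stop receiving packets and age out.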
Q&A
End of slides