How To Block A Port In MikroTik Winbox
28 May, 2020 by

How To Block A Port In MikroTik Winbox

There are two ways to block a port in MikroTik Winbox. The first is to block it through IP > Firewall inside Winbox and the second one is to block a port in Winbox through the terminal line. which we will check both of the methods on this post to prevent unexpected login attempts.

To prevent hackers to hack your MikroTik or stop your users to illegally use some services, it is important to close some ports in your MikroTik server. Hackers use DDOS and Brutus Force attacks to infiltrate your MikroTik. They first get enough information from your MikroTik VPS to select the type of attack.

Ways To Block A Port In Mikrotik

  • Block port through the user interface
  • Block port using the terminal

In this tutorial, we will check how to block port 25 which is the port of SMTP to stop users spamming.

How to change Winbox port

Block MikroTik Port Using The User Interface

Step1: Login To Winbox

First, try to login to your MikroTik VPS through Winbox.
You can download Winbox through the MikroTik website.

 

Download Wibox

 

Step2: Block The Mentioned Port

Once you downloaded it, enter your login details such as server IP, username, and password.

 

Login to Winbox

 

Now you have successfully logged in to the Winbox. From the left panel choose IP and then Firewall.

In this section, there are some tabs and we will use the Filter Rules tab to block the SMTP port 25 on our MikroTik VPS server.

Click on the blue plus sign. On the General tab, choose the Chain as Input.

Definition Of Chains In MikroTik Firewall

Input Chain: It means incoming packets to routers. In fact, when the destination of a packet is the router itself, the packet is in the input chain. Like when you use MikroTik as a DNS server, DNS packets are in the input chain.

Output Chain: It means packets that come out of the router. In fact, packages whose source address is the router itself. Like the NTP package that the router sends to the Internet to set its clock.

Forward Chain: It means packages that intend to cross the router. Like when the router only routes packets. And the closed source and destination addresses are not any of the router board addresses.

 

new firewall rule in mikrotik

 

After setting the chain as Input, Choose the Protocol which can be TCP or UDP. And set the destination port as 25.

Note: Instead of 25, you should put your own port number that you wish to block.

Now in the Action tab, choose drop to drop the incoming packages. Click Apply and OK to complete the process.

 

drop a port in winbox

 

Congratulation, now you have successfully blocked the port.

Now in the IP > Firewall and in the Filter Rules tab, you can see that the port is blocked.

 

block port in winbox

 

Block A Port In MikroTik Using Terminal

Sometimes we do not have access to the Mikrotik Server remotely. As a result, we will have to add our rules through the command line in Console or VNC.

We use the terminal inside the Winbox but if still, you do not have access to the Winbox, you can use the below commands to add rules to the router.

Like the last time log in to the Winbox and open the new terminal.
Then type the below command one by one and press Enter.

ip firewall filter
add chain=input protocol=tcp dst-port=25 action=drop

 

block a port in Mikrotik terminal

 

In this way, you successfully change the port and you can type the below command to see the rules inside the firewall:

print

 

print firewall rules in Mikrotik

 

I hope you have enjoyed this post and you find it useful.
I will be happy to get your opinions regarding this article.

Leave a Reply

Your email address will not be published. Required fields are marked.

Pablo Publish in November 29, 2021 at 1:19 pm

I have get a message: We very strongly advise securing your router/firewall to deny any outbound packets on port 25, except those coming from any email servers (if any) on your local network. Remote sending of email to servers on the Internet will still work if web-based, or configured properly using port 587 with SMTP-AUTH. When we talk "outbound" we talk about out going packets? Btw thanks for your help..

Reply
    Harry Hill Publish in December 14, 2021 at 2:32 am

    Hi Pablo, yes it means the outgoing packets.

    Reply
Miki Publish in July 13, 2021 at 10:16 am

Hi Harry, That`s a great tutorial, thanks for it. I have blocked the ports 21,22,23,25,80,161,8129,8291 with the command -> add chain=input protocol=tcp dst-port=25 action=drop I have lost the connection from to the router from the LAN - any chance you may help me getting the access back to the router please?

Reply
    Harry Hill Publish in July 14, 2021 at 1:22 am

    Hi Miki, it's obvious that it has happened because you've blocked one of the ports by mistake. Get access to your MikroTik through the console, VNC, or IPMI and reverse the changes by unblocking all ports. Then block them one by one and find out which port you should not block.

    Reply
Davide Publish in January 8, 2021 at 4:51 pm

Hi Harry! Thanks for your documentation, it help me a lot! My router Mikrotik public IP was present in the Spamhaus list as PBL1722199 record (Link_not_allowed), now I've closed the port 25, rebooted and I will see... Thanks again!

Reply
    Harry Publish in January 8, 2021 at 5:33 pm

    Hi Davide, glad to hear this article was helpful for you. Just consider that this will not remove your IP from the blacklist and you should also use the delist option (remove from blacklist) in the link that you've sent to delist it.

    Reply
Robert Publish in October 13, 2020 at 11:29 am

Thank you for your clear article.

Reply