There are two ways to block a port in MikroTik Winbox. The first is to block it through IP > Firewall inside Winbox and the second one is to block a port in Winbox through the terminal line. which we will check both of the methods on this post to prevent unexpected login attempts.
To prevent hackers to hack your MikroTik or stop your users to illegally use some services, it is important to close some ports in your MikroTik server. Hackers use DDOS and Brutus Force attacks to infiltrate your MikroTik. They first get enough information from your MikroTik VPS to select the type of attack.
Ways To Block A Port In Mikrotik
- Block port through the user interface
- Block port using the terminal
In this tutorial, we will check how to block port 25 which is the port of SMTP to stop users spamming.
Block MikroTik Port Using The User Interface
Step1: Login To Winbox
First, try to login to your MikroTik VPS through Winbox.
You can download Winbox through the MikroTik website.
Step2: Block The Mentioned Port
Once you downloaded it, enter your login details such as server IP, username, and password.
Now you have successfully logged in to the Winbox. From the left panel choose IP and then Firewall.
In this section, there are some tabs and we will use the Filter Rules tab to block the SMTP port 25 on our MikroTik VPS server.
Click on the blue plus + sign. On the General tab, choose the Chain as Input.
Definition Of Chains In MikroTik Firewall
Input Chain: It means incoming packets to routers. In fact, when the destination of a packet is the router itself, the packet is in the input chain. Like when you use MikroTik as a DNS server, DNS packets are in the input chain.
Output Chain: It means packets that come out of the router. In fact, packages whose source address is the router itself. Like the NTP package that the router sends to the Internet to set its clock.
Forward Chain: It means packages that intend to cross the router. Like when the router only routes packets. And the closed source and destination addresses are not any of the router board addresses.
After setting the chain as Input, Choose the Protocol which can be TCP or UDP. And set the destination port as 25.
Note: Instead of 25, you should put your own port number that you wish to block.
Now in the Action tab, choose drop to drop the incoming packages. Click Apply and OK to complete the process.
Congratulation, now you have successfully blocked the port.
Now in the IP > Firewall and in the Filter Rules tab, you can see that the port is blocked.
Block A Port In MikroTik Using Terminal
Sometimes we do not have access to the Mikrotik Server remotely. As a result, we will have to add our rules through the command line in Console or VNC.
We use the terminal inside the Winbox but if still, you do not have access to the Winbox, you can use the below commands to add rules to the router.
Like the last time log in to the Winbox and open the new terminal.
Then type the below command one by one and press Enter.
ip firewall filter
add chain=input protocol=tcp dst-port=25 action=drop
In this way, you successfully change the port and you can type the below command to see the rules inside the firewall:
I hope you have enjoyed this post and you find it useful.
I will be happy to get your opinions regarding this article.
I have get a message:We very strongly advise securing your router/firewall to deny any outbound packets on port 25, except those coming from any email servers (if any) on your local network. Remote sending of email to servers on the Internet will still work if web-based, or configured properly using port 587 with SMTP-AUTH.When we talk "outbound" we talk about out going packets? Btw thanks for your help..
Hi Pablo, yes it means the outgoing packets.
Hi Harry,That`s a great tutorial, thanks for it.I have blocked the ports 21,22,23,25,80,161,8129,8291 with the command -> add chain=input protocol=tcp dst-port=25 action=dropI have lost the connection from to the router from the LAN - any chance you may help me getting the access back to the router please?
Hi Miki, it's obvious that it has happened because you've blocked one of the ports by mistake. Get access to your MikroTik through the console, VNC, or IPMI and reverse the changes by unblocking all ports. Then block them one by one and find out which port you should not block.
Hi Harry! Thanks for your documentation, it help me a lot! My router Mikrotik public IP was present in the Spamhaus list as PBL1722199 record (Link_not_allowed), now I've closed the port 25, rebooted and I will see...Thanks again!
Hi Davide, glad to hear this article was helpful for you. Just consider that this will not remove your IP from the blacklist and you should also use the delist option (remove from blacklist) in the link that you've sent to delist it.
Thank you for your clear article.