There are two ways to block a port in Mikrotik Winbox. The first is to block it through IP > Firewall inside Winbox, and the second is to block it through the Winbox terminal. We will go through both methods in this post to prevent unexpected login attempts.
To prevent hackers from hacking your Mikrotik, or to stop your users from illegally using some services, it is important to close some ports on your Mikrotik server. Hackers use DDoS and brute-force attacks to infiltrate your Mikrotik. They first gather enough information from your Mikrotik VPS to select the type of attack.
Ways to block a port in Mikrotik
- Block port through the user interface
- Block port using the terminal
In this tutorial, we will see how to block port 25, which is the SMTP port, to stop users from spamming.
Block Mikrotik port using the user interface
Step 1: Log in to Winbox
Once you have downloaded Winbox, enter your login details such as server IP, username, and password.
Step 2: Block the mentioned port
Now you have successfully logged in to Winbox. From the left panel, choose IP and then Firewall.
In this section, there are some tabs and we will use the Filter Rules tab to block the SMTP port 25 on our Mikrotik VPS server.
Click on the blue plus + sign. On the General tab, choose the Chain as Input.
Definition of Chains in Mikrotik firewall
Input Chain: Packets coming in to the router. When the destination of a packet is the router itself, the packet is in the input chain. For example, when you use Mikrotik as a DNS server, DNS packets are in the input chain.
Output Chain: Packets that come out of the router, that is, packets whose source address is the router itself. An example is the NTP packet that the router sends to the Internet to set its clock.
Forward Chain: Packets that cross the router, as when the router only routes packets and neither the source nor the destination address is one of the router's own addresses.
After setting the chain to Input, choose the Protocol, which can be TCP or UDP, and set the destination port to 25.
Note: Instead of 25, you should put your own port number that you wish to block.
Now in the Action tab, choose drop to drop the incoming packets. Click Apply and OK to complete the process.
Congratulations, you have now successfully blocked the port.
Now in the IP > Firewall and in the Filter Rules tab, you can see that the port is blocked.
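To check which chains such a rule actually covers, here is an added example (not part of the original tutorial): a Python check that reads the text produced by /ip firewall filter export and reports what the first deciding rule does to a given port in each chain. The export text is constructed, and the sketch assumes rules that match only on plain protocol names and dst-port; rules with other matchers are skipped.

```python
import re
import shlex

# Constructed sample of export text (not taken from a real router).
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input protocol=tcp dst-port=8291 action=accept comment="allow winbox"
add chain=input protocol=tcp dst-port=25 action=drop
"""

NON_TERMINATING = {"log", "passthrough"}   # these actions let the packet continue
UNDERSTOOD = {"chain", "action", "protocol", "dst-port", "comment", "disabled"}

def parse_rules(export_text):
    """Return the filter rules of an export as dicts, in rule order."""
    text = re.sub(r"\\\n\s*", "", export_text)   # join lines wrapped with a backslash
    rules, in_filter = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            tokens = shlex.split(line[4:])       # keeps quoted comments together
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def port_matches(spec, port):
    """Match a dst-port value such as '25', '25,587', '20-25' or '!25'."""
    negate = spec.startswith("!")
    hit = any(int(lo) <= port <= int(hi or lo)
              for lo, _, hi in (p.partition("-") for p in spec.lstrip("!").split(",")))
    return hit != negate

def verdict(rules, chain, protocol, port):
    """Action of the first rule that decides the packet; accept if none does."""
    for r in rules:
        skip = (r.get("chain") != chain or r.get("disabled") == "yes"
                or set(r) - UNDERSTOOD           # other matchers: outside this sketch
                or r.get("protocol", protocol) != protocol
                or ("dst-port" in r and not port_matches(r["dst-port"], port)))
        action = r.get("action", "accept")
        if not skip and action not in NON_TERMINATING:
            return action
    return "accept"                              # no rule matched: packet is accepted

def coverage(rules, protocol, port):
    """Verdict for the same packet in each of the three filter chains."""
    return {c: verdict(rules, c, protocol, port) for c in ("input", "forward", "output")}
```

For the sample, coverage(parse_rules(SAMPLE_EXPORT), "tcp", 25) reports drop for input and accept for forward and output: the input rule covers only packets addressed to the router itself, as the chain definitions above describe.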
Block a port in Mikrotik using terminal
Sometimes we do not have remote access to the Mikrotik server. In that case, we have to add our rules through the command line in the console or over VNC. Here we use the terminal inside Winbox, but if you still do not have access to Winbox, you can use the commands below to add rules to the router.
As before, log in to Winbox and open a new terminal.
Then type the commands below one by one, pressing Enter after each.
ip firewall filter
add chain=input protocol=tcp dst-port=25 action=drop
In this way, you have successfully blocked the port, and you can type the command below to see the rules inside the firewall:
I hope you have enjoyed this post and you find it useful.
I will be happy to get your opinions regarding this article.