Firewall: Understanding Custom Chains

-

Understanding Custom Chains

Ever wondered what makes MikroTik firewalls so flexible? It’s the custom chain feature — a powerful way to group and reuse firewall rules efficiently. Think of it as creating “mini rule blocks” or “functions” inside your firewall configuration. Let’s break it down in a practical, Pinoy-friendly way.

πŸ”₯ What Is a Custom Chain?

In MikroTik, a custom chain works like a shortcut or function. Instead of writing repetitive rules for every scenario, you can group related ones together. When a packet matches your condition, you “jump” into your custom chain, process the rules, then return to the main flow.

⚙️ Example: LAN Traffic Filtering

Here’s a simple setup where we handle LAN traffic separately:

# MikroTik Firewall Example
/ip firewall filter
add chain=forward src-address=192.168.88.0/24 action=jump jump-target=LAN-RULES
add chain=LAN-RULES protocol=tcp dst-port=80,443 action=accept comment="Allow Web"
add chain=LAN-RULES protocol=udp dst-port=53 action=accept comment="Allow DNS"
add chain=LAN-RULES action=drop comment="Drop Other LAN Traffic"
add chain=LAN-RULES action=return comment="Return to main chain"

🧩 Linux Equivalent (iptables)

# Linux iptables Example
iptables -N LAN_RULES
iptables -A FORWARD -s 192.168.88.0/24 -j LAN_RULES
iptables -A LAN_RULES -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A LAN_RULES -p udp --dport 53 -j ACCEPT
iptables -A LAN_RULES -j DROP
iptables -A LAN_RULES -j RETURN

πŸ“Š Illustration: How Custom Chains Flow


Packets jump into your custom chain, get processed, then return to the main chain — simple and efficient.

🧠 In Short

  • Custom chains = mini rule sets or functions.
  • They help organize your firewall rules cleanly.
  • You can reuse them for multiple scenarios (LAN, WAN, or VLAN).

In other words, custom chains make your MikroTik config cleaner and faster to troubleshoot — a habit every pro network admin should develop early.

Comments

Post a Comment

Popular posts from this blog

Suricata on Mikrotik(IDS+IPS) = Part 4 - Configuration of the IPS Part

-
Image
  Configuration Disclaimer:  this one again is only for  ubuntu 18.04  and login as  root  user to be sure Make sure you have a good understanding of the suricata rules before doing this This might cause some disconnection from the site or services you are visiting and even the internet if not properly configured. In the real environment it is best not to run as root user but for the sake of just testing it I opted to run as root configure the following rules on your mikrotik router: /ip firewall filter add action=drop chain=input comment="Block bad actors" src-address-list=Blocked /ip firewall filter add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked create a user group with all policies checked except telnet create a user allowing your local addresses with the group you created earlier Lets Start ... 1.      Install PHP         apt install php -y 2.   Navigate...
Read more

Why upload comes first before download

-
Image
Before we dive into why upload comes first, let’s quickly define upload and download in data communication. Upload refers to sending data from your device to a remote server or another device. This happens when you send an email, upload a file to the cloud, or even just request a webpage. Download is the process of receiving data from a remote source to your device. This includes streaming videos, loading webpages, or saving files from the internet. Think of it like a conversation: when you ask someone a question (upload), they respond with an answer (download). The same applies to internet communication—before you can receive data, you must first send a request. Why Upload Comes First in Data Communication Now that we understand uploads and downloads, let’s put it in simple human terms. Imagine you’re having a conversation with a friend: You ask a question (Upload): Before your friend can give you an answer, you first need to say something—whether it’s a question, a request, or a ...
Read more

Suricata on Mikrotik(IDS+IPS) = Part 3 - Configuration of the IDS Part

-
Image
Configuration Disclaimer:  this one is only for ubuntu 18.04 and login as root user to be sure In the real environment it is best not to run as root user but for the sake of just testing it I opted to run as root configure the following rules on your mikrotik router: /tool sniffer set streaming-enabled=yes streaming-server=<ip_of_the_server> /tool sniffer set filter-ip-address=<an_example_filter_ip> tool sniffer print ; tool sniffer start ; tool snifer stop Lets Start ... 1.     Configure the correct time zone and NTP synchronization         systemctl start systemd-timesync           systemctl status systemd-timesyncd         dpkg-reconfigure tzdat a 2.     Add the suricata in the repository    add-apt-repository ppa:oisf/suricata-stable 3.     Update the package database:         ...
Read more