
I am using Mikrotik RouterOS on a Mikrotik router.

There is a server in my network from which every outgoing connection, using any protocol, should be disabled. I achieved this with the following rule:

/ip firewall filter add action=drop chain=forward out-interface=ether1-gateway src-mac-address=XX:XX:XX:XX:XX:XX

where XX:XX:XX:XX:XX:XX is the MAC address of the server's NIC.

Now I wanted to enable access from the Internet to this server on one specific TCP port only. I created a NAT rule for that:

/ip firewall nat add chain=dstnat action=netmap to-addresses=A.A.A.A to-ports=8912 protocol=tcp dst-address-type=local dst-port=8912

where A.A.A.A is the server's IP address in the LAN.

Then I tried to connect to the router from outside over TCP port 8912, but got no response, and noticed that the first rule was triggered.

After that I placed another firewall rule just before the first rule to always allow ACK from the server:

/ip firewall filter add chain=forward action=accept tcp-flags=ack protocol=tcp out-interface=ether1-gateway src-mac-address=XX:XX:XX:XX:XX:XX

and everything worked.

Is it a good or bad idea to always allow TCP ACK from the server? What are the drawbacks?

1 Answer

The correct approach is to do exactly what is the norm for home networks, allowing all outgoing traffic to the Internet but blocking every new incoming connection, except with the outgoing and incoming roles reversed.

This is assuming you already had this filter rule in your router to protect the rest of your network:

/ip firewall filter add chain=forward connection-state=established,related action=accept

It should be at the very top of the filter list.

Now you simply do what you'd normally do when forwarding a port from the Internet to your LAN, except reversed.

/ip firewall filter add chain=forward dst-address=A.A.A.A action=accept
/ip firewall filter add chain=forward src-address=A.A.A.A action=drop

Combined with your NAT, access should work now. No need for the ACK rule.

If the accept rule seems too broad, it only works in conjunction with the NAT you created in your original post anyway. Without an accompanying NAT, the router doesn't know it's supposed to forward the traffic to your server.
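As an added example (not from the original post or answer), the stateful version of this "reversed port forward" written out in the order the forward chain must evaluate it, with the inbound accept narrowed to the one published port. The placeholders A.A.A.A (server LAN address), ether1-gateway (WAN interface) and 8912 (published port) are taken from the question; the rules assume they are added to an otherwise empty forward chain, so use place-before= if rules already exist.

```routeros
# Added example, not from the original post or answer. Placeholders: A.A.A.A is the
# server's LAN address, ether1-gateway the WAN interface, 8912 the published port.

# NAT: only packets arriving on the WAN interface for TCP 8912 are rewritten to the
# server. (The original post used action=netmap; dst-nat does the same for one port.)
/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=8912 action=dst-nat to-addresses=A.A.A.A to-ports=8912 comment="publish 8912 -> server"

# Filter rule 1 (top of the forward chain): packets belonging to a connection the
# router is already tracking. This is what lets the server's replies out, so no
# tcp-flags=ack rule is needed: connection-state is checked against the tracking
# table, whereas the ACK flag is set by the sender and proves nothing about a session.
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="stateful accept"

# Filter rule 2: segments conntrack cannot classify (stray ACKs, out-of-window data)
# are dropped here rather than falling through to the rules below.
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="drop invalid"

# Filter rule 3: new inbound connections to the server, limited to the published port
# instead of the broad dst-address=A.A.A.A accept. Filtering runs after dst-nat, so
# the destination address is already A.A.A.A at this point.
/ip firewall filter add chain=forward connection-state=new in-interface=ether1-gateway protocol=tcp dst-address=A.A.A.A dst-port=8912 action=accept comment="inbound 8912 to server"

# Filter rule 4: anything the server originates toward the Internet, any protocol.
# (The question matched on src-mac-address; src-address works the same here.)
/ip firewall filter add chain=forward src-address=A.A.A.A out-interface=ether1-gateway action=drop comment="server: no outbound"

# Verification after connecting from outside to port 8912: the counters of rule 1,
# not rule 4, should grow, and the session should appear in the tracking table.
/ip firewall filter print stats
/ip firewall connection print where protocol=tcp dst-address~":8912"
```

If rule 4 counts hits during a test from outside, a rule above it is not matching the reply packets, which is exactly the symptom in the question.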
