In the context of the MikroTik firewall, chains are essentially rules or processing sequences through which data packets pass to be inspected and filtered.

Each chain represents a specific point in the traffic flow through the router where packets can be evaluated and manipulated according to rules defined by the network administrator. Chains allow traffic to be classified and controlled in a detailed manner, offering great flexibility and power in network security management.

MikroTik's RouterOS defines several default chains in its firewall to categorize network traffic into different stages of processing, such as:

1. Input

This chain processes incoming packets directed to the router itself. It is useful to control who can access the router and to manage connection attempts to the services that the router offers, such as SSH, Winbox, or the web interface.

2. output

It manages the packets that the router generates and sends to the network. Using rules in this chain can be useful to limit outbound traffic from the router to certain destinations or services.

3. Forward

This chain deals with packets that traverse the router, that is, traffic that is not destined for the router itself, but simply traverses it from one interface to another. The rules in this chain are crucial for implementing security policies between different segments of your network.

4. Prerouting and Postrouting

• Prerouting: Processes packets as soon as they are received by the router, before the routing decision is made. It is useful for altering incoming packets before they are processed by Input or Forward rules.
• Postrouting: Applies to packets after their route has been decided, allowing them to be modified just before they are sent. This is useful for changing the source address of packets for applications such as NAT (Network Address Translation).

Customization and Creation of Chains

In addition to these predefined chains, RouterOS allows users to create their own custom chains to handle specific situations. This adds even more flexibility to the firewall system, allowing administrators to design and apply very granular security policies based on their specific needs.

Rules within each chain are processed in sequential order, from the first rule down, until a packet matches a rule. Therefore, the organization and order of rules within a chain are crucial to the desired behavior of the firewall.

Actions that can be taken on packets include allow, reject, discard, among others, based on criteria such as IP addresses, ports, protocols, and more.