Rules are copied from working configs, but sanitized. The field is denoted where CIDR notation is required.

Drop subnet

/ip firewall filter add action=drop chain=forward comment="Subnet Drop" log=yes log-prefix="[Subnet Drop]" src-address=SUNBNET_CIDR

Drop Port

/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=PORT

Drop all but a port

/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=!PORT

Forward Port

/ip firewall filter add action=dst-nat chain=dstnat comment="Cockpit" dst-address=WAN_IP dst-port=9090 protocol=tcp to-addresses=LAN_IP to-ports=9090

Hairpin NAT

/ip firewall filter add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=SERVER out-interface=bridge protocol=tcp src-address=DUBNET_CIDR