Following http://wiki.mikrotik.com/wiki/Protecting_your_customers, I added:
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward action=accept protocol=tcp comment="allow TCP"
add chain=forward action=accept protocol=icmp comment="allow ping"
add chain=forward action=accept protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"
Connections through port 80 are not detected by that chain, but activity is detected on port 25.
Then I tried putting action=log on that chain, with chain=forward; the result is that no packets/connections are detected.
Then I changed the chain to output; the result is that I can detect the connections from 3128 (the proxy) to the IPs that do the browsing.
So I think this causes the problem:
3 chain=dstnat in-interface=local src-address=172.168.0.0/16 protocol=tcp dst-port=80 action=redirect to-ports=3128
Tested with 3.13, then 2.9.27.
So, how does the concept of protecting my customers work behind NAT and then a proxy? Any ideas?
These are my configurations:
[admin@MikroTik] > ip firewall filter print (rules 0-33 are disabled and not shown)
Flags: X - disabled, I - invalid, D - dynamic
34 ;;; Proxy From Outside
chain=input in-interface=public src-address=0.0.0.0/0 protocol=tcp dst-port=3128 action=drop
35 ;;; accept established connection packets
chain=input connection-state=established action=accept
36 ;;; accept related connection packets
chain=input connection-state=related action=accept
37 ;;; Log invalid connections
chain=input connection-state=invalid action=log log-prefix="INVALID"
38 ;;; drop invalid packets
chain=input connection-state=invalid action=drop
39 ;;; Allow PPTP
chain=input protocol=tcp dst-port=1723 action=accept
40 ;;; Allow PPTP
chain=input protocol=gre action=accept
41 ;;; Allow from local network
chain=input src-address=172.168.0.0/16 action=accept
42 ;;; Log everything else
chain=input protocol=tcp src-port=3128 action=log log-prefix="DROP"
43 X ;;; Drop everything else
chain=input action=drop
44 ;;; allow established connections
chain=forward connection-state=established action=accept
45 ;;; allow related connections
chain=forward connection-state=related action=accept
46 ;;; Log invalid connections
chain=forward connection-state=invalid action=log log-prefix="INVALID"
47 ;;; drop invalid connections
chain=forward connection-state=invalid action=drop
48 X ;;; Allow HTTP
chain=output protocol=tcp dst-port=80 action=accept
49 X ;;; anti-spam policy
chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop
50 X chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp address-list-timeout=0s
51 X chain=smtp-first-drop src-address-list=approved-smtp action=return
52 X chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp address-list-timeout=0s
53 X chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable
54 X ;;; DNS
chain=local-services connection-mark=dns action=accept
55 X ;;; Drop Public Conections
chain=public-services action=drop
56 ;;; allow ping
chain=forward protocol=icmp action=jump jump-target=ICMP
57 ;;; Allow local traffic (between router applications)
chain=input src-address-type=local dst-address-type=local action=accept
58 ;;; Allow pings, but at a very limited rate (5 per sec)
chain=input connection-mark=ping limit=5,5 action=accept
59 ;;; 0:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
60 ;;; 3:3 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept
61 ;;; 3:4 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept
62 ;;; 8:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
63 ;;; 11:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
64 X chain=input action=jump jump-target=drop
65 X chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
66 X chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
67 X chain=dhcp dst-address-type=local src-address-list=local-addr action=accept
68 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus
69 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=135-139 action=drop
70 ;;; Drop Messenger Worm
chain=virus protocol=udp dst-port=135-139 action=drop
71 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=445 action=drop
72 ;;; Drop Blaster Worm
chain=virus protocol=udp dst-port=445 action=drop
73 ;;; ________
chain=virus protocol=tcp dst-port=593 action=drop
74 ;;; ________
chain=virus protocol=tcp dst-port=1024-1030 action=drop
75 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=1080 action=drop
76 ;;; ________
chain=virus protocol=tcp dst-port=1214 action=drop
77 ;;; ndm requester
chain=virus protocol=tcp dst-port=1363 action=drop
78 ;;; ndm server
chain=virus protocol=tcp dst-port=1364 action=drop
79 ;;; screen cast
chain=virus protocol=tcp dst-port=1368 action=drop
80 ;;; hromgrafx
chain=virus protocol=tcp dst-port=1373 action=drop
81 ;;; cichlid
chain=virus protocol=tcp dst-port=1377 action=drop
82 ;;; Worm
chain=virus protocol=tcp dst-port=1433-1434 action=drop
83 ;;; Bagle Virus
chain=virus protocol=tcp dst-port=2745 action=drop
84 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=2283 action=drop
85 ;;; Drop Beagle
chain=virus protocol=tcp dst-port=2535 action=drop
86 ;;; Drop Beagle.C-K
chain=virus protocol=tcp dst-port=2745 action=drop
87 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=3127-3128 action=drop
88 ;;; Drop Backdoor OptixPro
chain=virus protocol=tcp dst-port=3410 action=drop
89 ;;; Worm
chain=virus protocol=tcp dst-port=4444 action=drop
90 ;;; Worm
chain=virus protocol=udp dst-port=4444 action=drop
91 ;;; Drop Sasser
chain=virus protocol=tcp dst-port=5554 action=drop
92 ;;; Drop Beagle.B
chain=virus protocol=tcp dst-port=8866 action=drop
93 ;;; Drop Dabber.A-B
chain=virus protocol=tcp dst-port=9898 action=drop
94 ;;; Drop MyDoom.B
chain=virus protocol=tcp dst-port=10080 action=drop
95 ;;; Drop NetBus
chain=virus protocol=tcp dst-port=12345 action=drop
96 ;;; Drop Kuang2
chain=virus protocol=tcp dst-port=17300 action=drop
97 ;;; Drop SubSeven
chain=virus protocol=tcp dst-port=27374 action=drop
98 ;;; Drop PhatBot, Agobot, Gaobot
chain=virus protocol=tcp dst-port=65506 action=drop
99 X ;;; Allow HTTP
chain=forward protocol=tcp dst-port=8080 action=accept
100 X ;;; Allow SMTP
chain=forward protocol=tcp dst-port=25 action=accept
101 X ;;; Allow SSL
chain=forward protocol=tcp dst-port=443 action=accept
102 X ;;; Allow POP3
chain=forward protocol=tcp dst-port=110 action=accept
103 X ;;; Allow SMTP
chain=forward protocol=tcp dst-port=25 action=accept
104 X ;;; Allow NTP
chain=forward protocol=tcp dst-port=123 action=accept
105 X ;;; Allow YM
chain=forward protocol=tcp dst-port=5050 action=accept
106 X ;;; Allow HBCI
chain=forward protocol=tcp dst-port=3000 action=accept
107 X ;;; Allow Galileo
chain=forward protocol=tcp dst-port=2749 action=accept
108 X ;;; Allow Galileo
chain=forward protocol=tcp dst-port=4143 action=accept
109 X ;;; allow TCP
chain=forward protocol=tcp action=accept
110 X ;;; allow ping
chain=forward protocol=icmp action=accept
111 X ;;; allow udp
chain=forward protocol=udp action=accept
112 X ;;; drop everything else
chain=forward action=drop
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=public src-address=172.168.0.0/16 action=masquerade
1 I chain=srcnat out-interface=CBN src-address=172.168.0.0/16 action=masquerade
2 chain=srcnat out-interface=abacus1 dst-address=10.10.1.0/24 action=masquerade
3 chain=dstnat in-interface=local src-address=172.168.0.0/16 protocol=tcp dst-port=80 action=redirect to-ports=3128
4 chain=dstnat in-interface=local src-address=172.168.0.0/16 protocol=tcp dst-port=3128 action=redirect to-ports=3128
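The packet path the post describes, as an added Python model (editor's illustration, not the poster's code and not RouterOS itself). It walks a packet through the RouterOS order of operations (prerouting dstnat, then the routing decision, then the input, forward or output filter chain) using the poster's NAT rule 3 and the five forward rules from the wiki recipe. The router's own addresses, the client address and the web server address are constructed sample values.

```python
"""Why a transparent-proxy redirect keeps client HTTP out of the forward chain.

Added illustration, not code from the forum post or from RouterOS: a small model
of the RouterOS packet path (prerouting dstnat -> routing decision -> input,
forward or output filter chain) with the poster's NAT rule 3 and the forward
rules from the wiki recipe. Router, client and web server addresses are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

LOCAL_NET = ipaddress.ip_network("172.168.0.0/16")          # from the post
ROUTER_LAN_IP = ipaddress.ip_address("172.168.0.1")          # assumed
ROUTER_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")      # assumed
ROUTER_ADDRS = {ROUTER_LAN_IP, ROUTER_PUBLIC_IP}
PROXY_PORT = 3128


@dataclass(frozen=True)
class Packet:
    in_iface: Optional[str]          # None = generated by the router itself
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def dstnat(pkt: Packet) -> Packet:
    """prerouting/dstnat: the poster's rule 3 (redirect LAN port 80 to 3128)."""
    if (pkt.in_iface == "local" and pkt.src in LOCAL_NET
            and pkt.proto == "tcp" and pkt.dport == 80):
        # action=redirect rewrites the destination to the router's own address
        return replace(pkt, dst=ROUTER_LAN_IP, dport=PROXY_PORT)
    return pkt


def chain_for(pkt: Packet) -> str:
    """Routing decision: locally generated -> output; addressed to the router
    -> input; anything else -> forward."""
    if pkt.in_iface is None:
        return "output"
    return "input" if pkt.dst in ROUTER_ADDRS else "forward"


# The wiki recipe's forward rules, in order: (protocol, dst-port or None, comment).
FORWARD_RULES = [
    ("tcp", 80, "Allow HTTP"),
    ("tcp", 25, "Allow SMTP"),
    ("tcp", None, "allow TCP"),
    ("icmp", None, "allow ping"),
    ("udp", None, "allow udp"),
]


def first_forward_match(pkt: Packet) -> str:
    """First-match semantics of a filter chain; the catch-all drop comes last."""
    for proto, dport, comment in FORWARD_RULES:
        if pkt.proto == proto and (dport is None or pkt.dport == dport):
            return comment
    return "drop everything else"


def trace(pkt: Packet):
    """Return (chain the packet is filtered in, dst-port after NAT,
    forward rule hit, or None when the forward chain never sees the packet)."""
    after_nat = dstnat(pkt)
    chain = chain_for(after_nat)
    hit = first_forward_match(after_nat) if chain == "forward" else None
    return chain, after_nat.dport, hit


# Constructed sample traffic.
CLIENT = ipaddress.ip_address("172.168.5.20")
WEB_SERVER = ipaddress.ip_address("198.51.100.7")
SAMPLE_HTTP = Packet("local", CLIENT, WEB_SERVER, "tcp", 80)
SAMPLE_SMTP = Packet("local", CLIENT, WEB_SERVER, "tcp", 25)
# What the proxy itself sends out on the client's behalf.
SAMPLE_PROXY_OUT = Packet(None, ROUTER_PUBLIC_IP, WEB_SERVER, "tcp", 80)


def demo() -> dict:
    """Trace the three sample packets; keyed by a short name."""
    return {name: trace(p) for name, p in (("http", SAMPLE_HTTP),
                                           ("smtp", SAMPLE_SMTP),
                                           ("proxy_out", SAMPLE_PROXY_OUT))}


if __name__ == "__main__":
    for name, (chain, dport, hit) in demo().items():
        print(f"{name:10s} -> chain={chain:8s} dport={dport:5d} forward-rule={hit}")
```

Running it shows the client's port-80 connection being filtered in the input chain with dst-port 3128: after the redirect the packet is addressed to the router itself, so it never reaches the forward chain and both the "Allow HTTP" rule and a forward-chain log rule stay at zero. SMTP still traverses forward and the proxy's own fetches appear in output, which is exactly the pattern the post reports. On the router, per-rule hit counts can be read with `/ip firewall filter print stats`. Two things in the pasted listing are worth a second look: rules 83 and 86 both drop TCP 2745 and rules 100 and 103 both accept TCP 25 (harmless duplicates), and rule 42, commented "Log everything else", only matches TCP packets with src-port=3128, so its comment overstates what it logs.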