anyone knows the spyware n virus port....?
and how can we block them in mikrotik....is it in forward...!
-
-
andrewluck
Forum Veteran
- Posts: 700
- Joined:
- Location: Norfolk, UK
thx for the answer......im sorry i did spesifik the protocol soo this is my original script....:
ip firewall>add src-address=10.10.0.0/16 protocol=tcp dst-port=!80 action=drop chain=forward
still port 80 also drop......?
@normis yes i want to let other port to allow like 25 n 110 but i want some user cannot use anything except internet(80)...!
btw what is the diffrent input and forward.....and web-proxy...!
ip firewall>add src-address=10.10.0.0/16 protocol=tcp dst-port=!80 action=drop chain=forward
still port 80 also drop......?
@normis yes i want to let other port to allow like 25 n 110 but i want some user cannot use anything except internet(80)...!
btw what is the diffrent input and forward.....and web-proxy...!
-
-
andrewluck
Forum Veteran
- Posts: 700
- Joined:
- Location: Norfolk, UK
You need to allow the return traffic with rules similar to these:
Code: Select all
28 ;;; Accept Internet Established
chain=forward in-interface=Internet connection-state=established
action=accept
29 ;;; Accept Internet Related
chain=forward in-interface=Internet connection-state=related
action=accept
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
Here's a list of protocols I allow for restricted free use areas...
That will only allow those specified ports to be used on the guest network.. If you want to allow all outgoing connections, but block any incoming it would look something like this...
If you don't have the "accept established" and "accept related" your clients for example would be able to send packets out on port 80 but the packets returning would be dropped because they're coming back on a dynamic port that isn't allowed in the firewall...
Code: Select all
add chain=guest-network connection-state=invalid action=drop comment="Drop Invalid" disabled=no
add chain=guest-network connection-state=established action=accept comment="Accept Established" disabled=no
add chain=guest-network connection-state=related action=accept comment="Accept Related" disabled=no
add chain=guest-network protocol=tcp dst-port=80 action=accept comment="HTTP" disabled=no
add chain=guest-network protocol=tcp dst-port=20-21 action=accept comment="FTP" disabled=no
add chain=guest-network protocol=tcp dst-port=110 action=accept comment="POP3" disabled=no
add chain=guest-network protocol=tcp dst-port=25 action=accept comment="SMTP" disabled=no
add chain=guest-network protocol=udp action=accept comment="UDP" disabled=no
add chain=guest-network protocol=tcp dst-port=5190 action=accept comment="AIM" disabled=no
add chain=guest-network protocol=tcp dst-port=443 action=accept comment="SSL" disabled=no
add chain=guest-network protocol=tcp dst-port=1863 action=accept comment="MSN Messenger" disabled=no
add chain=guest-network protocol=tcp dst-port=6891-6901 action=accept comment="MSN Messenger" disabled=no
add chain=guest-network protocol=tcp dst-port=143 action=accept comment="IMAP" disabled=no
add chain=guest-network protocol=tcp dst-port=993 action=accept comment="IMAP-SSL" disabled=no
add chain=guest-network action=log log-prefix="Guest Chain" comment="Log Dropped Packets" disabled=no
add chain=guest-network action=drop comment="Drop Everything" disabled=no
Code: Select all
add chain=customer connection-state=invalid action=drop comment="Drop Invalid" disabled=no
add chain=customer connection-state=established action=accept comment="Accept Established" disabled=no
add chain=customer connection-state=related action=accept comment="Accept Related" disabled=no
add chain=customer in-interface="LAN" out-interface=WAN action=accept comment="Accept Outgoing Connections" \
disabled=no
add chain=customer action=log log-prefix="Customer Chain" comment="Log Dropped" disabled=no
add chain=customer action=drop comment="Drop and log everything else" disabled=no
@wildbill442 >
1. chain=forward ; connect-state=invalid ; action=drop
2. chain=forward ; in-interface=wan ; connect-state=established ; action=accept
3. chain=forward ; in-interface=wan ; connct-state=invalid ; action=accept
4. chain=forward ; protocol=tcp ; dst-port=80 ; in-interface=lan ; out-interface=wan ; src-address=x.x.x.x/x ; action=accept
5. chain=forward ; in-interface=lan ; out-interface=wan ; action=accept
6. chain=forward ; action=drop
7. chain=dst-nat ; protocol=tcp ; dst-port=80 ; in-interface=wan ; action=redirect ; to-port=8080(proxy)
port 80 still wont work.....something wrong.....!
1. chain=forward ; connect-state=invalid ; action=drop
2. chain=forward ; in-interface=wan ; connect-state=established ; action=accept
3. chain=forward ; in-interface=wan ; connct-state=invalid ; action=accept
4. chain=forward ; protocol=tcp ; dst-port=80 ; in-interface=lan ; out-interface=wan ; src-address=x.x.x.x/x ; action=accept
5. chain=forward ; in-interface=lan ; out-interface=wan ; action=accept
6. chain=forward ; action=drop
7. chain=dst-nat ; protocol=tcp ; dst-port=80 ; in-interface=wan ; action=redirect ; to-port=8080(proxy)
port 80 still wont work.....something wrong.....!
well i can see you have everything all joggled up. you see the way the table works is if a packets comes in throiugh a partucular port the header and a few other stuff are compared with each rule in the table and once one rule is carried out it wont go to the next rule thats the end of it another packet is picked and if no rule corresponds then it takes the default policy of the chain.
so looking at what you have there
thn following the theory i put up 4 n 5 v conflicting interest (there is no need for 1 of them)then i dont think ur data is flowing in the right direction(correct with previous direction)[/list]
i think u should getting workin after that. ps i need help with hotspot
so looking at what you have there
- line 3 is useless cos you already dropped everything invalid in 1
then the spellin in 3 is even wrong
then you have to accept both related nd established coming from both sides of the network which u didnt do.
thn following the theory i put up 4 n 5 v conflicting interest (there is no need for 1 of them)then i dont think ur data is flowing in the right direction(correct with previous direction)[/list]
i think u should getting workin after that. ps i need help with hotspot
@nowoxi im sorry my script should be like this.....:
1. chain=forward ; connect-state=invalid ; action=drop
2. chain=forward ; in-interface=wan ; connect-state=established ; action=accept
3. chain=forward ; in-interface=wan ; connct-state=related ; action=accept
4. chain=forward ; protocol=tcp ; dst-port=80 ; src-address=x.x.x.x/x ; action=accept
5. chain=forward ; in-interface=lan ; out-interface=wan ; action=accept
6. chain=forward ; action=drop
7. chain=dst-nat ; protocol=tcp ; dst-port=80 ; in-interface=wan ; action=redirect ; to-port=8080(proxy)
@5 my in-interface is my local network....!
still port 80 drop....!
1. chain=forward ; connect-state=invalid ; action=drop
2. chain=forward ; in-interface=wan ; connect-state=established ; action=accept
3. chain=forward ; in-interface=wan ; connct-state=related ; action=accept
4. chain=forward ; protocol=tcp ; dst-port=80 ; src-address=x.x.x.x/x ; action=accept
5. chain=forward ; in-interface=lan ; out-interface=wan ; action=accept
6. chain=forward ; action=drop
7. chain=dst-nat ; protocol=tcp ; dst-port=80 ; in-interface=wan ; action=redirect ; to-port=8080(proxy)
@5 my in-interface is my local network....!
still port 80 drop....!
well i think the problem is that you should accept established and related connections in all directions. i think its dropping replies to connections made to 8080. so if u accept related and established in both directions the problem should be solved
2. chain=forward ; connect-state=established ; action=accept
3. chain=forward ; connct-state=related ; action=accept
that should be ur new line 2 n 3
2. chain=forward ; connect-state=established ; action=accept
3. chain=forward ; connct-state=related ; action=accept
that should be ur new line 2 n 3
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
Yeah you do not need to specify the interface..well i think the problem is that you should accept established and related connections in all directions. i think its dropping replies to connections made to 8080. so if u accept related and established in both directions the problem should be solved
2. chain=forward ; connect-state=established ; action=accept
3. chain=forward ; connct-state=related ; action=accept
that should be ur new line 2 n 3
You could've just copy and pasted the rules i had on there to your router (as long as your using 2.9.x) and then just added this rule to the forward chain:
Code: Select all
add chain=forward action=jump jump-target=customer comment="Jump to customer chain"
ALSO MAKE SURE YOU TAKE NOTE...
where ever I specified an interface make sure that the interface name matches the interface you're trying to apply the rule to, otherwise you'll get an error, or the rule just wont do anything.
Oh, another thing, why are you redirecting incoming port 80 traffic (from the WAN) to your proxy server? Shouldn't it be the other way around ?
Do this first.. disable the proxy server and related rules for now, get the firewall working and test it make sure you can make a connection on the ports you need (80 and whatever else) THEN once you've verified that everything is working without the proxy, enable it and then test...
You've got too many things going on which is going to make it difficult to troubleshoot and figure out the root cause of your problems...
okay i did like this:
1. chain=forward ; connect-state=invalid ; action=drop
2. chain=forward ; connect-state=established ; action=accept
3. chain=forward ; connct-state=related ; action=accept
4. chain=forward ; protocol=tcp ; dst-port=!80 ; src-address=x.x.x.x/x ; action=drop
5. chain=forward ; action=add src to address list ; address list=…. ; timeout=00:00:01
6. chain=dst-nat ; protocol=tcp ; dst-port=80 ; in-interface=wan ; action=redirect ; to-port=8080(proxy)
in proxy:
src-address=x.x.x.x/x ; dst-port=80 ; action=allow
src-address=x.x.x.x/x ; action=deny
and i dont know its working very well all ip that r not specific in proxy will be blok by mikrotik httpProxy...!
1. chain=forward ; connect-state=invalid ; action=drop
2. chain=forward ; connect-state=established ; action=accept
3. chain=forward ; connct-state=related ; action=accept
4. chain=forward ; protocol=tcp ; dst-port=!80 ; src-address=x.x.x.x/x ; action=drop
5. chain=forward ; action=add src to address list ; address list=…. ; timeout=00:00:01
6. chain=dst-nat ; protocol=tcp ; dst-port=80 ; in-interface=wan ; action=redirect ; to-port=8080(proxy)
in proxy:
src-address=x.x.x.x/x ; dst-port=80 ; action=allow
src-address=x.x.x.x/x ; action=deny
and i dont know its working very well all ip that r not specific in proxy will be blok by mikrotik httpProxy...!
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
i also didnt understand ur last post. then line 4 on the post before the last is either uselss if ur policy is drop then u dont need it then if its not its better u perform drops at the end of the scripts not before the end so u dont get undesired effects
NEED HELP WITH HOTSPOTS. IF YOU KNOW AN ARTICLE OR TUTORIAL INEED TO KNOW ITS CAPABILITIES AND USES.
NEED HELP WITH HOTSPOTS. IF YOU KNOW AN ARTICLE OR TUTORIAL INEED TO KNOW ITS CAPABILITIES AND USES.
Who is online
Users browsing this forum: Google [Bot], svmk and 37 guests