henry_ajere (Topic Author)

Need to allow HTTP and other known ports

Wed Feb 01, 2006 5:39 pm

Hello,

Please, I am not an MT guru. I need to allow HTTP (80) and three other known ports (5050, 25, and 110) only on my network. I did something like this in my forward chain:

ip firewall rule forward add dst-port=5050 action=jump jump-target=output
ip firewall rule forward add dst-port=25 action=jump jump-target=output
ip firewall rule forward add dst-port=110 action=jump jump-target=output
ip firewall rule forward add dst-port=!80 action=drop

The only time the rule worked was when I disabled the first three rules (i.e. 5050, 25, and 110). I need these ports open while the others are dropped.

Please help.
 
djape

Wed Feb 01, 2006 5:59 pm

You want to forbid access to these ports on your network from outside?
 
henry_ajere

Wed Feb 01, 2006 7:06 pm

I want access to these ports (80, 5050, 25, and 110) on my network, both inbound and outbound. All other forwarded ports (aside from 80, 5050, 25, and 110) should be dropped.
 
meister

Wed Feb 01, 2006 9:57 pm

Please explain your network. NATed, routed, etc., if you use private IP space. And, in human terms, what you are trying to accomplish.

i.e. Stop people on your network from using anything but HTTP, SIP, and mail.

or Allowing your network internet access while keeping hackers out.
 
henry_ajere

Thu Feb 02, 2006 10:23 am

Thanks.

meister said: Please explain your network. NATed, routed, etc., if you use private IP space.

I have a NATed network, with a public IP from my provider: 66.179.254.120/27. I put MT between a satellite gateway (66.179.120.121) and my LAN.

meister said: And in human terms what you are trying to accomplish.

I don't want PCs on my LAN to forward traffic through any ports except 80 (HTTP), 5050, 25 and 110. In other words, PCs on my LAN should just browse, do POP mail and Yahoo chat, that's all!

The problem I have on my LAN is that I left all the ports open, and worms and many other malicious programs are taking advantage of the open ports to attack, thereby eating up my bandwidth.
 
cibernet

Thu Feb 02, 2006 11:55 am

henry_ajere wrote:

    meister said: Please explain your network. NATed, routed, etc., if you use private IP space.

    I have a NATed network, with a public IP from my provider: 66.179.254.120/27. I put MT between a satellite gateway (66.179.120.121) and my LAN.

    meister said: And in human terms what you are trying to accomplish.

    I don't want PCs on my LAN to forward traffic through any ports except 80 (HTTP), 5050, 25 and 110. In other words, PCs on my LAN should just browse, do POP mail and Yahoo chat, that's all!

    The problem I have on my LAN is that I left all the ports open, and worms and many other malicious programs are taking advantage of the open ports to attack, thereby eating up my bandwidth.

Then you should only allow these ports in the forward chain, e.g.:

/ip firewall filter
add chain=forward src-address=(your lan) protocol=tcp dst-port=80 action=accept
add chain=forward src-address=(your lan) protocol=tcp dst-port=5050 action=accept
add chain=forward src-address=(your lan) protocol=tcp dst-port=110 action=accept

And then add a rule to drop all the other traffic:

add chain=forward src-address=(your lan) action=drop

Regards
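A complete version of the allowlist-then-drop pattern cibernet describes, written out as an added example for this edit; it is not from the original thread or from MikroTik. It assumes a LAN of 192.168.0.0/24 (substitute the real prefix for "(your lan)"), includes the SMTP port 25 from henry_ajere's own list, and adds connection-state rules so that replies to allowed sessions are not caught by the source-address allowlist. Syntax is the RouterOS 2.9-era `/ip firewall filter` form used in the thread.

```routeros
/ip firewall filter
# Assumed values (not from the thread): LAN prefix 192.168.0.0/24.
# Rules are evaluated top to bottom and the first match wins, so the
# default drop must be the last rule in the chain.

# Replies to sessions the LAN opened are not sourced from the LAN, so the
# src-address allowlist below would never match them. Accept tracked
# replies first, and drop packets conntrack cannot associate with anything.
add chain=forward connection-state=established action=accept comment="established sessions"
add chain=forward connection-state=related action=accept comment="related (e.g. FTP data)"
add chain=forward connection-state=invalid action=drop comment="invalid state"

# Egress allowlist from the LAN: HTTP, Yahoo Messenger, SMTP, POP3.
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=80 action=accept comment="HTTP"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=5050 action=accept comment="Yahoo Messenger"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=25 action=accept comment="SMTP"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=110 action=accept comment="POP3"

# Everything else the LAN tries to forward is dropped. Log a copy first so
# legitimate traffic that was forgotten shows up in /log under this prefix.
add chain=forward src-address=192.168.0.0/24 action=log log-prefix="LAN-DROP"
add chain=forward src-address=192.168.0.0/24 action=drop comment="default deny from LAN"
```

Rules added with `add` are appended, so they land after the hotspot's own jump rules, which should stay first. DNS (UDP 53) is deliberately not on the list above; without some rule for it the clients will not resolve names, so it has to be allowed in the forward chain or handled on the router itself. The log rule exists only to find what the allowlist still blocks; disable it once the list is right, because with worms on the LAN it will be noisy.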
 
henry_ajere

Thu Feb 02, 2006 1:10 pm

Thanks Cibernet.

cibernet wrote: Then you should only allow these ports in the forward chain, e.g.:

I have the following in my forward chain already, added by the hotspot automatically:

 3   in-interface=WIRELESS action=jump jump-target=hotspot-temp
 4   ;;; account traffic for authorized hotspot clients
     action=jump jump-target=hotspot
 5   ;;; limit access for unauthorized hotspot clients
     in-interface=WIRELESS action=jump jump-target=hotspot-temp
 6   ;;; account traffic for authorized hotspot clients
     action=jump jump-target=hotspot
 7   ;;; limit access for unauthorized hotspot clients
     in-interface=WIRELESS action=jump jump-target=hotspot-temp
 8   ;;; account traffic for authorized hotspot clients
     action=jump jump-target=hotspot
 9   ;;; limit access for unauthorized hotspot clients
     in-interface=WIRELESS action=jump jump-target=hotspot-temp
10   ;;; account traffic for authorized hotspot clients
     action=jump jump-target=hotspot
 
djape

Thu Feb 02, 2006 4:18 pm

You must allow UDP 53 also, or how else will your users resolve domain names?!
 
andrewluck

Thu Feb 02, 2006 6:07 pm

Better to put UDP 53 in the input chain on the router and force clients to use the DNS server on the MT.

Regards

Andrew
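The DNS handling djape and andrewluck raise, spelled out as an added example that is not from the thread or from MikroTik's documentation: accept UDP and TCP 53 from the LAN in the input chain so clients use the router's resolver, redirect any DNS they send elsewhere back to the router, and drop DNS in the forward chain so nothing bypasses it. Assumed values: LAN 192.168.0.0/24 on ether2 and the satellite/upstream link on ether1; the router's resolver must already have its upstream servers configured under `/ip dns`.

```routeros
# Assumed values (not from the thread): LAN 192.168.0.0/24 on ether2,
# upstream/satellite side on ether1. Upstream servers for the router's own
# resolver are assumed to be set already (/ip dns set primary-dns=...).

/ip dns
# Answer queries arriving from the network, not only the router's own lookups.
set allow-remote-requests=yes

/ip firewall filter
# input chain: the LAN may query the router's resolver over UDP and TCP.
add chain=input in-interface=ether2 src-address=192.168.0.0/24 protocol=udp dst-port=53 action=accept comment="LAN DNS to router"
add chain=input in-interface=ether2 src-address=192.168.0.0/24 protocol=tcp dst-port=53 action=accept comment="LAN DNS (TCP) to router"
# allow-remote-requests=yes also answers the WAN side unless refused here;
# otherwise the router becomes an open resolver usable in reflection attacks.
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="no DNS from outside"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop
# forward chain: LAN hosts may not reach outside resolvers directly.
add chain=forward src-address=192.168.0.0/24 protocol=udp dst-port=53 action=drop comment="no external DNS"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=53 action=drop

/ip firewall nat
# Clients hard-coded to some other resolver are redirected to the router's
# own. dst-nat runs before filtering, so the redirected queries are then
# seen by the input chain rules above, not by the forward chain.
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=redirect to-ports=53 comment="force LAN DNS to router"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 action=redirect to-ports=53
```

The input-chain drop on ether1 is the part most often forgotten: `allow-remote-requests=yes` answers on every interface, so without it the satellite side can use the router as an open resolver. With the redirect in place a client configured for an outside resolver keeps working, it just gets its answers from the router, so nothing breaks silently while the forward-chain drops catch anything that tries to go around it. TCP 53 is included because large responses fall back to TCP.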
 
henry_ajere

Thu Feb 02, 2006 8:21 pm

Thanks very much!

cibernet wrote:

    add chain=forward src-address=(your lan) protocol=tcp dst-port=80 action=accept
    add chain=forward src-address=(your lan) protocol=tcp dst-port=5050 action=accept
    add chain=forward src-address=(your lan) protocol=tcp dst-port=110 action=accept

    and

    add chain=forward src-address=(your lan) action=drop

It worked!!

Best Regards
 
hmekolli

Thu Feb 02, 2006 9:36 pm

andrewluck wrote: Better to put UDP 53 in the input chain on the router and force clients to use the DNS server on the MT.

Please tell us the code for this, because I need this but had no success doing it.
Thanks
 
cibernet

Thu Feb 02, 2006 10:07 pm

hmekolli wrote:

    andrewluck wrote: Better to put UDP 53 in the input chain on the router and force clients to use the DNS server on the MT.

    Please tell us the code for this, because I need this but had no success doing it.
    Thanks

You need to read the manual....

/ip firewall filter
add chain=forward src-address=(your lan) protocol=udp dst-port=53 action=accept

Regards