GJS
Member
Topic Author
Posts: 418
Joined: Sat May 29, 2004 4:07 pm
Location: London

Browsing to MT Web Page

Mon Sep 06, 2004 4:41 pm

I would like to stop the MT web page from showing to people browsing to my routers public address but would also like WinBox to be able to work from the public address. Can this be done?

Ideally, I would like to be able to redirect to an external website.

Thanks,
Guy
 
lastguru
Member
Posts: 432
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia

Mon Sep 06, 2004 10:15 pm

Set up a transparent proxy on the same router to handle HTTP requests. Then it will be possible to play with the access list to allow only requests containing "winbox" in their name.

Also, I think version 2.9 does not require HTTP, so it could be disabled entirely (I did not check if it is so, but that is how I understand the changelog).
 
dwright
Member Candidate
Posts: 158
Joined: Fri May 28, 2004 1:10 pm
Location: Mchenry, Il

Tue Sep 07, 2004 1:01 am

What we do is put in a firewall rule to only allow certain IP addresses from our network to connect to Winbox. If we are outside our network, we VPN in.

Dan
 
GJS
Member
Topic Author
Posts: 418
Joined: Sat May 29, 2004 4:07 pm
Location: London

Tue Sep 07, 2004 5:57 pm

Umm, what's wrong with this rule? Doesn't seem to do anything:

[admin@pad001X] ip firewall rule input> print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop all HTTP connections to router
dst-address=:80 protocol=tcp action=drop log=yes
[admin@pad001X] ip firewall rule input>

I thought I'd disable all web access to the router then just enable and disable the rule via telnet when I want to get in with Winbox. Just for a temporary fix while I look into the web-proxy thing.

Thanks,
Guy
 
dwright
Member Candidate
Posts: 158
Joined: Fri May 28, 2004 1:10 pm
Location: Mchenry, Il

Tue Sep 07, 2004 8:07 pm

Make sure the rule is in the input chain.

From the manual:
To protect the router from unauthorized access, we should filter out all packets with the destination addresses of the router, and accept only those which are allowed. Since all packets with destination to the router's address are processed against the input chain, we can add the following rules to it:

/ip firewall rule input
add protocol=tcp connection-state=established \
comment="Allow established TCP connections"
add protocol=udp comment="Allow UDP connections"
add protocol=icmp comment="Allow ICMP messages"
add src-addr=10.5.8.0/24 \
comment="Allow access from 'trusted' network 10.5.8.0/24"
add action=reject log=yes \
comment="Reject and log everything else"

Thus, the input chain will accept only allowed connections and reject and log everything else.

You could remove the src-addr rule and put in these two rules:

# This one is to allow port 80 traffic. You enable this when you want to connect. It should go before the last line at the bottom.
add protocol=tcp comment="Allow port 80 traffic" dst-address=:80
# This one will allow SSH traffic so you can get in and switch the port 80 rule on/off. It should also go before the last line at the bottom.
add protocol=tcp comment="Allow ssh traffic" dst-address=:22

I would also recommend that you use SSH instead of telnet. Telnet has no encryption and sends your password in clear text. Turn off the telnet service. If you are running Windows, here is an SSH client for Windows.

Dan
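Putting the suggestions in this thread together into one input chain (an added example, not from this thread or the MikroTik manual): it uses the RouterOS 2.8 `/ip firewall rule input` syntax shown above, and assumes `192.0.2.0/24` as a placeholder for your own trusted network and that Winbox also needs TCP 8291 in addition to port 80.

```routeros
/ip firewall rule input
# Replies to connections the router itself opened
add protocol=tcp connection-state=established \
    comment="Allow established TCP connections"
add protocol=icmp comment="Allow ICMP messages"
# Management only from the trusted network (placeholder 192.0.2.0/24)
add protocol=tcp src-address=192.0.2.0/24 dst-address=:22 \
    comment="Allow SSH from trusted network"
add protocol=tcp src-address=192.0.2.0/24 dst-address=:8291 \
    comment="Allow Winbox from trusted network (assumed port 8291)"
# Router web page: normally disabled, enabled only while Winbox needs it
add protocol=tcp dst-address=:80 disabled=yes \
    comment="Allow HTTP to router (toggle for Winbox)"
# Everything else aimed at the router is rejected and logged
add action=reject log=yes comment="Reject and log everything else"
# From an SSH session: 'print' lists the rule numbers, then toggle rule 4
print
enable 4
disable 4
```

Add a UDP rule before the reject line if the router itself needs DNS or NTP replies; the manual's "Allow UDP connections" rule is deliberately left out here because it accepts all UDP to the router.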