Block all ports except 80 and 1723.
how do I do?

I tried these codes to block all but 80
after I enable these rules, I can't able to browse. Once I disable last rule then I able to do browse.

Surfing probably doesn't work, because you are not allowing DNS.
If you type http://somehere.net in your browser, it needs to resolve the FQDN to an IP through DNS.
So if you only allow http (tcp 80) you should either use IP addresses for each page you want to visit (like http://12.23.34.45), or enable DNS (tcp/53 & udp/53) to pass through the firewall too.

Surfing probably doesn't work, because you are not allowing DNS.
If you type http://somehere.net in your browser, it needs to resolve the FQDN to an IP through DNS.
So if you only allow http (tcp 80) you should either use IP addresses for each page you want to visit (like http://12.23.34.45), or enable DNS (tcp/53 & udp/53) to pass through the firewall too.

+1... the other option would be to block DNS as you are doing in the forward chain, but make sure you have the dns server setup on the mikrotik itself and allow remote requests.

Post your whole config if you have problems setting that up.

It is working by these rules
I have another problem, please check my another question http://forum.mikrotik.com/viewtopic.php?f=2&t=79251

add chain=forward action=accept protocol=tcp dst-port 3389 in-interface=VPN comment="Allow RDP via VPN"

If you don't mind a suggestion... take some time to review the basic firewall documentation in the wiki. Also search for various firewall scripts out there.

IMO, firewalls are typically used to protect a LAN from the WAN while treading lightly on user-originated activities. From your posts, it would appear that you're wanting to place some severe restrictions on what users can do, which is fine, but is often much more difficult to implement.

A closed firewall (default drop), looks something like this:

1) drop invalid connections
2) allow established connections
3) allow related connections
4) drop undesirable connections (that might otherwise be allowed in #5)
5) allow the good stuff (tcp/53, udp/53, http/80, https/443, pop3/110, smtp/25, etc...)
6) drop everything else (final rule)

When you want to allow certain traffic, but only from certain sources, use the source:

ros code

add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN
add chain=forward action=accept protocol=tcp dst-port=3389 src-address=go.od.add.res/32

So, your prototype firewall to restrict users as much as possible, might look like this:

ros code

/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"  
add chain=forward connection-state=established action=accept comment="allow already established connections"  
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward action=accept protocol=tcp dst-port=53 in-interface=LAN comment "allow DNS"
add chain=forward action=accept protocol=udp dst-port=53 in-interface=LAN comment "allow DNS"
add chain=forward action=accept protocol=tcp dst-port=80 in-interface=LAN comment "allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=443 in-interface=LAN comment "allow HTTPS"
add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN comment "allow RDP via VPN"
add chain=forward action=drop

Please review the wiki firewall article, it explains a lot. If you're impatient (like me), use this code as a start and move on from there, but don't expect too much help beyond the absolute basics.

Good luck!

@troy thanks a lot. its working. I need to study wiki documentation as you said.

Hi I have almost the same problem with my RB951G-2HnD router, I just want it to allow all ports.

Can someone post the script for my Mikrotik to allow ALL ports especially port 22?

Thank you.

...I just want it to allow all ports...

For allow all ports you need no rules.