Need to allow http port and other known ports
Posted: Wed Feb 01, 2006 5:39 pm
by henry_ajere
Hello,
Pls, I am not an MT guru. I need to allow http (80) and 3 other known ports (5050, 25, and 110) only on my network. I did something like this in my forward chain:
/ip firewall rule forward
add dst-port=5050 action=jump jump-target=output
add dst-port=25 action=jump jump-target=output
add dst-port=110 action=jump jump-target=output
add dst-port=!80 action=drop
The only time the rule worked was when I disabled the first three rules (i.e. 5050, 25, and 110). I need these ports while all others are dropped.
Pls Help
Posted: Wed Feb 01, 2006 5:59 pm
by djape
You want to forbid access to these ports on your network from outside?
Posted: Wed Feb 01, 2006 7:06 pm
by henry_ajere
I want access to these ports (80, 5050, 25, and 110) on my network, both inbound and outbound. All other forwarded ports (aside from 80, 5050, 25, and 110) should be dropped.
Posted: Wed Feb 01, 2006 9:57 pm
by meister
Please explain your network. NATted, routed, etc., if you use private IP space. And, in human terms, what you are trying to accomplish.
i.e. Stop people on your network from using anything but http, sip, and mail.
or: Allow your network internet access while keeping hackers out.
Posted: Thu Feb 02, 2006 10:23 am
by henry_ajere
thanks,
meister said: Please explain your network. NATted, routed, etc., if you use private IP space.
I have a NATted network, public IP from my provider: 66.179.254.120/27. I put MT between a satellite gateway (66.179.120.121) and my LAN.
meister said: And in human terms what you are trying to accomplish.
I don't want PCs on my LAN to forward traffic through any other ports except 80 (http), 5050, 25 and 110. In other words, PCs on my LAN should just browse, do POP mail and Yahoo chat, that's all!
The problem I have on my LAN is that I left all the ports open, and worms and so many other malicious programs take advantage of the open ports to attack, thereby eating up my bandwidth.
Posted: Thu Feb 02, 2006 11:55 am
by cibernet
henry_ajere said: I have a NATted network, public IP from my provider: 66.179.254.120/27. I put MT between a satellite gateway (66.179.120.121) and my LAN. I don't want PCs on my LAN to forward traffic through any other ports except 80 (http), 5050, 25 and 110. In other words, PCs on my LAN should just browse, do POP mail and Yahoo chat, that's all! The problem I have on my LAN is that I left all the ports open, and worms and so many other malicious programs take advantage of the open ports to attack, thereby eating up my bandwidth.
Then you should only allow these ports on the forward chain, e.g.:
/ip firewall filter
add chain=forward src-address=(your lan) protocol=tcp dst-port=80 action=accept
add chain=forward src-address=(your lan) protocol=tcp dst-port=5050 action=accept
# port 25 (SMTP) was part of the original request but missing from the posted list
add chain=forward src-address=(your lan) protocol=tcp dst-port=25 action=accept
add chain=forward src-address=(your lan) protocol=tcp dst-port=110 action=accept
And then add a rule to drop all the other traffic (replies from the internet have a non-LAN src-address, so they are not caught by it):
add chain=forward src-address=(your lan) action=drop
Regards
Posted: Thu Feb 02, 2006 1:10 pm
by henry_ajere
Thanks Cibernet
Then you should only allow this ports on the forward chain ej:
I have the following on my forward chain already, added by the hotspot automatically:
 3   in-interface=WIRELESS action=jump jump-target=hotspot-temp
 4   ;;; account traffic for authorized hotspot clients
     action=jump jump-target=hotspot
 5   ;;; limit access for unauthorized hotspot clients
     in-interface=WIRELESS action=jump jump-target=hotspot-temp
 6   ;;; account traffic for authorized hotspot clients
     action=jump jump-target=hotspot
 7   ;;; limit access for unauthorized hotspot clients
     in-interface=WIRELESS action=jump jump-target=hotspot-temp
 8   ;;; account traffic for authorized hotspot clients
     action=jump jump-target=hotspot
 9   ;;; limit access for unauthorized hotspot clients
     in-interface=WIRELESS action=jump jump-target=hotspot-temp
10   ;;; account traffic for authorized hotspot clients
     action=jump jump-target=hotspot
Posted: Thu Feb 02, 2006 4:18 pm
by djape
You must allow UDP 53 also, or how else will your users resolve domain names?!
Posted: Thu Feb 02, 2006 6:07 pm
by andrewluck
Better to put UDP 53 in the input chain on the router and force clients to use the DNS server on the MT.
Regards
Andrew
Posted: Thu Feb 02, 2006 8:21 pm
by henry_ajere
Thanks Very Much!
/ip firewall filter
add chain=forward src-address=(your lan) protocol=tcp dst-port=80 action=accept
add chain=forward src-address=(your lan) protocol=tcp dst-port=5050 action=accept
add chain=forward src-address=(your lan) protocol=tcp dst-port=110 action=accept
And
add chain=forward src-address=(your lan) action=drop
Posted: Thu Feb 02, 2006 9:36 pm
by hmekolli
andrewluck said: Better to put UDP 53 in the input chain on the router and force clients to use the DNS server on the MT.
Please tell us the code for this, because I need this but had no success doing it.
Thanks
Posted: Thu Feb 02, 2006 10:07 pm
by cibernet
andrewluck said: Better to put UDP 53 in the input chain on the router and force clients to use the DNS server on the MT.
hmekolli said: Please tell us the code for this, because I need this but had no success doing it.
You need to read the manual....
/ip firewall filter
add chain=forward src-address=(your lan) protocol=udp dst-port=53 action=accept
Regards
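Putting the thread's advice together: the allow-list on the forward chain that cibernet posted, plus andrewluck's suggestion to serve DNS from the router itself (input chain) and force clients onto it, rather than opening UDP 53 in the forward chain. This is an added example written for this page, not code posted by anyone in the thread. It assumes current RouterOS syntax (/ip firewall filter rather than the 2.x /ip firewall rule style in the first post), a LAN interface named LAN, and a hypothetical LAN subnet of 192.168.1.0/24; adjust those to your own setup.

```routeros
# Added example: LAN egress allow-list plus router-served DNS.
# Assumptions (not from the thread): interface "LAN", subnet 192.168.1.0/24.

/ip dns
# The router answers DNS for the LAN.
set allow-remote-requests=yes

/ip firewall filter
# Replies to connections the LAN opened, and drop broken state early.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Allow-list: only these TCP services may leave the LAN (80 http, 5050 Yahoo chat, 25 SMTP, 110 POP3).
add chain=forward in-interface=LAN src-address=192.168.1.0/24 protocol=tcp \
    dst-port=80,5050,25,110 action=accept
# Everything else from the LAN is logged, then dropped. This catches worm scan traffic.
add chain=forward in-interface=LAN action=log log-prefix="LAN-DROP"
add chain=forward in-interface=LAN action=drop

# DNS goes to the router itself, so it belongs in the input chain, not forward.
add chain=input in-interface=LAN protocol=udp dst-port=53 action=accept
add chain=input in-interface=LAN protocol=tcp dst-port=53 action=accept

/ip firewall nat
# Clients that hard-code an outside resolver get redirected to the router anyway.
add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect to-ports=53
```

Rules are matched in order, so on a box with hotspot rules already in the forward chain (as in henry_ajere's listing) these rules land after the hotspot jumps, which is where they should be. Because the final drop matches every other protocol from the LAN, ICMP from LAN hosts is blocked too; add an explicit accept for protocol=icmp before it if you want ping to keep working. Check the result with /ip firewall filter print stats and watch the LAN-DROP log entries to see which ports the infected machines are still trying.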