Browsing to MT Web Page
Posted: Mon Sep 06, 2004 4:41 pm
by GJS
I would like to stop the MT web page from showing to people browsing to my routers public address but would also like WinBox to be able to work from the public address. Can this be done?
I ideally, I would like to be able to re-direct to an external website.
Thanks,
Guy
Posted: Mon Sep 06, 2004 10:15 pm
by lastguru
Set up a transparent proxy on the same router to handle HTTP requests. Then it will be possible to play with the access list to allow only requests containing "winbox" in their name.
Also, I think version 2.9 does not require HTTP, so it could be disabled altogether (I did not check if it is so, but that is how I understand the changelog).
Posted: Tue Sep 07, 2004 1:01 am
by dwright
What we do is put in a firewall rule to only allow certain IP addresses from our network to connect to WinBox. If we are outside our network, we VPN in.
Dan
Posted: Tue Sep 07, 2004 5:57 pm
by GJS
Umm, what's wrong with this rule? It doesn't seem to do anything:
[admin@pad001X] ip firewall rule input> print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop all HTTP connections to router
dst-address=:80 protocol=tcp action=drop log=yes
[admin@pad001X] ip firewall rule input>
I thought I'd disable all web access to the router and then just enable and disable the rule via telnet when I want to get in with WinBox. Just a temporary fix while I look into the web-proxy thing.
Thanks,
Guy
Posted: Tue Sep 07, 2004 8:07 pm
by dwright
Make sure the rule is in the input chain.
From the manual:
To protect the router from unauthorized access, we should filter out all packets with the destination addresses of the router, and accept only those which are allowed. Since all packets with destination to the router's address are processed against the input chain, we can add the following rules to it:
/ip firewall rule input
add protocol=tcp connection-state=established \
comment="Allow established TCP connections"
add protocol=udp comment="Allow UDP connections"
add protocol=icmp comment="Allow ICMP messages"
add src-addr=10.5.8.0/24 \
comment="Allow access from 'trusted' network 10.5.8.0/24"
add action=reject log=yes \
comment="Reject and log everything else"
Thus, the input chain will accept only allowed connections and reject and log everything else.
You could remove the src-addr rule and put in these two rules.
#This one is to allow port 80 traffic. Enable it when you want to connect. It should go before the last line at the bottom.
add protocol=tcp comment="Allow port 80 traffic" dst-address=:80
#This one will allow ssh traffic so you can get in and switch the port 80 rule on/off. It should go before the last line at the bottom too.
add protocol=tcp comment="Allow ssh traffic" dst-address=:22
I would also recommend that you use ssh instead of telnet. Telnet has no encryption and sends your password in clear text. Turn off the telnet service. If you are running Windows,
here is an ssh client for Windows.
Dan
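As an added example (not code from the thread or from MikroTik), here is a small offline evaluator for the RouterOS 2.x-style "/ip firewall rule input" lines quoted in dwright's post, so the ordering advice ("should be before the last line at the bottom") and the on/off toggling of the port 80 rule from Guy's post can be checked before touching a live router. It assumes first-match semantics, that a rule with no action= accepts, that an unmatched packet falls through to the chain default (accept), and that dst-address=:80 means "any address, port 80"; the source address 203.0.113.5 and the sample packets are constructed.

```python
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Added example, not RouterOS code: models the 2.x input-chain rules quoted in
# the thread (first match wins, rule without action= accepts, default accept).


@dataclass
class Rule:
    action: str = "accept"             # assumption: no action= means accept
    protocol: Optional[str] = None
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_port: Optional[int] = None     # from the 2.x dst-address=addr:port form
    conn_state: Optional[str] = None
    disabled: bool = False
    comment: str = ""


@dataclass
class Packet:
    src: str
    protocol: str
    dst_port: Optional[int] = None
    established: bool = False          # part of an already-open TCP connection


def parse_rule(line: str) -> Rule:
    """Parse one 'add key=value ...' line (backslash continuations already joined)."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError(f"not an 'add' line: {line!r}")
    rule = Rule()
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"bad token {tok!r} in {line!r}")
        if key == "action":
            rule.action = val
        elif key == "protocol":
            rule.protocol = val
        elif key in ("src-addr", "src-address"):
            rule.src_net = ipaddress.ip_network(val, strict=False)
        elif key in ("dst-addr", "dst-address"):
            # ":80" means any address, port 80; the address part is ignored here
            port = val.rpartition(":")[2] if ":" in val else ""
            if port:
                rule.dst_port = int(port)
        elif key == "connection-state":
            rule.conn_state = val
        elif key == "disabled":
            rule.disabled = val == "yes"
        elif key == "comment":
            rule.comment = val
        elif key != "log":             # log= only adds logging, no effect on verdict
            raise ValueError(f"unsupported matcher {key!r} in {line!r}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.disabled:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.src_net is not None and ipaddress.ip_address(pkt.src) not in rule.src_net:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.conn_state == "established" and not pkt.established:
        return False
    return True


def evaluate(chain: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (action, comment) of the first matching rule, else the chain default."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "chain default (no rule matched)"


# The manual's input chain as quoted in the thread, continuations joined.
MANUAL_CHAIN = """
add protocol=tcp connection-state=established comment="Allow established TCP connections"
add protocol=udp comment="Allow UDP connections"
add protocol=icmp comment="Allow ICMP messages"
add src-addr=10.5.8.0/24 comment="Allow access from 'trusted' network 10.5.8.0/24"
add action=reject log=yes comment="Reject and log everything else"
"""


def build_chain(text: str) -> list[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines() if line.strip()]


def suggested_chain(http_enabled: bool, http_after_reject: bool = False) -> list[Rule]:
    """dwright's variant: drop the trusted-network rule, add the port 80 and port 22
    allows before the catch-all. http_after_reject=True reproduces the ordering mistake."""
    chain = build_chain(MANUAL_CHAIN)
    catch_all = chain.pop()
    chain = [r for r in chain if r.src_net is None]
    http = parse_rule('add protocol=tcp comment="Allow port 80 traffic" dst-address=:80')
    http.disabled = not http_enabled   # what Guy toggles over ssh when he needs WinBox
    ssh = parse_rule('add protocol=tcp comment="Allow ssh traffic" dst-address=:22')
    return chain + ([ssh, catch_all, http] if http_after_reject else [ssh, http, catch_all])


if __name__ == "__main__":
    outsider = "203.0.113.5"           # constructed address from a documentation range
    for enabled in (True, False):
        print(f"port 80 rule enabled={enabled}:",
              evaluate(suggested_chain(enabled), Packet(outsider, "tcp", 80)))
    print("port 80 rule after the reject:",
          evaluate(suggested_chain(True, http_after_reject=True), Packet(outsider, "tcp", 80)))
```

Running it shows the three cases that matter for this thread: with the port 80 rule enabled and placed above the catch-all, a new HTTP connection from outside is accepted; with it disabled, the same packet falls through to "Reject and log everything else"; and a port 80 rule placed after the reject never fires at all, because the catch-all matches first. Established TCP, UDP and ICMP keep passing regardless of the toggle, so flipping the rule does not cut an open session.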