I have a problem with NATed customer(s) spamming on our router’s IP address, so I want to restrict everyone that is NATed to using only our SMTP server, which is on a public IP outside of the NAT. I’m sure this is simple, but anyone have an example on how to do this? So, for example, our gateway router does the NAT to say, 111.222.333.2, and the SMTP server is at 111.222.333.3, I’m assuming some rule to block port 25 access from 111.222.333.2 to only 111.222.33.3 in the output chain? (I tried searching this, but there is something fubared about the search function on the forum). Thanks!
You should do this in the forward chain, not output!
First, allow TCP traffic from your clients' IPs to 111.222.333.3:25
Second, drop all TCP traffic to port 25
Something like this:
/ ip firewall filter
add chain=forward src-address=(your private-nated ips) dst-address=111.222.333.3 protocol=tcp dst-port=25 action=accept
add chain=forward src-address=(your private-nated ips) protocol=tcp dst-port=25 action=drop
You might find this helpful as well.
http://wiki.mikrotik.com/wiki/How_to_detect_infected_or_spammers_users_and_temporary_block_the_SMTP_output
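An added example, not from any poster in this thread: the same accept-then-drop pair in the forward chain, with a log rule in between so the router records which private address is attempting direct SMTP. The 10.0.0.0/24 client range, the 192.0.2.3 server address, the `nat-clients` list name and the `smtp-direct` prefix are all constructed placeholders.

```routeros
# Added example. All addresses and names below are constructed placeholders.
# Assumed: 10.0.0.0/24 is the NATed customer range, 192.0.2.3 is the SMTP server.
/ip firewall address-list
add list=nat-clients address=10.0.0.0/24 comment="NATed customers (assumed range)"

/ip firewall filter
# Rules are evaluated top to bottom and the first match wins,
# so the accept must sit above the drop.
# Forward-chain filtering happens before src-nat, so the private
# source addresses are still visible here.

# 1. Allow NATed customers to reach only the approved SMTP server.
add chain=forward src-address-list=nat-clients dst-address=192.0.2.3 \
    protocol=tcp dst-port=25 action=accept comment="SMTP to our server"

# 2. Log new direct-SMTP attempts to any other destination.
#    action=log does not stop processing; the packet continues to rule 3.
#    connection-state=new keeps it to one log line per attempted connection.
add chain=forward src-address-list=nat-clients protocol=tcp dst-port=25 \
    connection-state=new action=log log-prefix="smtp-direct" \
    comment="record who tries direct SMTP"

# 3. Drop every other port-25 connection from NATed customers.
add chain=forward src-address-list=nat-clients protocol=tcp dst-port=25 \
    action=drop comment="block direct SMTP"

# Check that the rules are matching (packet/byte counters per rule):
/ip firewall filter print stats
# List the logged attempts; each entry shows the private source address:
/log print where message~"smtp-direct"
```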
Thank you, gentlemen. That worked just fine.