Blocking NNTP, SMTP, POP3?

I have the following setup:
2 Ethernet ports, 1 for the local area network, 1 for ADSL.

Everything works fine.

I just want to block everyone from 192.168.1.0/24 (and every other address) from reading and sending e-mail and reading/posting to Usenet/news.
The network 192.168.1.0/24 on port 80 is redirected to the web proxy, and other ports are masqueraded to the outgoing interface directly.

I tried creating a filter rule in the firewall:
2 chain=input action=drop src-address=0.0.0.0 dst-address=0.0.0.0 in-interface=LAN dst-port=119 protocol=tcp

But it still allows me to read and post to Usenet/news…

How do I create a proper firewall rule for each of these ports (25, 110, 119, all TCP)?

Should I just add a few more rules in NAT which block those ports?
(I'd rather do that through the firewall, as maybe one or two computers should be able to do all of the above.)

Thanks

That is a chain=forward, not chain=input.
/ip firewall filter set 2 chain=forward
should block it.

It doesn't work, I mean I can read Usenet/news as before. I even torched myself and I see an open connection to the news server on TCP port 119, but it still works somehow.

Maybe the "masquerade" in NAT is "stronger" than the filter rules?

No, the firewall filter is the boss. (Edit: NAT is applied first, but this is what controls this action.)
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=25
blocks outbound email from Outlook Express/Thunderbird.
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=119
should drop your news.

Thank you, now it works. Now, is there a way to allow a particular IP address to access those services and block all others?
For example, 192.168.10.10 and 192.168.10.11 should be able to access all of the above, but 192.168.10.1-192.168.10.9 and 192.168.10.12-192.168.10.255 shouldn't be able to…

And as there is only one field in the "action" tab, how do I drop + log the entries?

Yes. The order in this list is important.
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=25 src-address=192.168.0.3 place-before=X
where X is the line number of the email blocker filter you just inserted.
This, in conjunction with the other rule, will allow only 192.168.0.3 to send email. You can use netmasks there too, like 192.168.0.0/24 allows the entire net to send email.
Same applies to other services/ports.

HINT: If you find you entered them in the wrong order, you can use the “move” command.
/ip firewall filter move 3 1
moves rule 3 to the rule 1 position.

As for the log, it is a 2-ruler:
/ip firewall filter add chain=forward action=log log-prefix=email protocol=tcp dst-port=25
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=25
They must be in that order.
First it logs, then it drops.

From testing, I presume the log action has a passthrough=yes as a default somehow. Normally, the first rule is used and all others are ignored.
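The two points made in this thread, that forwarded LAN traffic is matched in chain=forward rather than chain=input, and that rules are evaluated first-match with action=log as a non-terminating passthrough, can be modelled in a few lines. The following Python is an added example, not RouterOS code and not from anyone in this thread; the router addresses, the allowed host 192.168.0.3 and the sample flows are constructed for illustration.

```python
"""Added example: a small first-match model of the RouterOS filter semantics
discussed in this thread (input vs forward chain, rule order, log passthrough).
This is not RouterOS code; all addresses are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed: addresses the router itself owns (LAN side and ADSL side).
ROUTER_ADDRS = {"192.168.0.1", "203.0.113.2"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int


@dataclass
class Rule:
    chain: str                          # "input" or "forward"
    action: str                         # "accept", "drop" or "log"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_address: Optional[str] = None   # host or CIDR, e.g. "192.168.0.0/24"
    log_prefix: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.src_address and ip_address(pkt.src) not in ip_network(self.src_address, strict=False):
            return False
        return True


def select_chain(pkt: Packet) -> str:
    """Traffic addressed to the router itself is 'input'; traffic the router
    routes on behalf of LAN hosts (mail and news to the Internet) is 'forward'."""
    return "input" if pkt.dst in ROUTER_ADDRS else "forward"


def run_filter(rules: List[Rule], pkt: Packet, default: str = "accept") -> Tuple[str, List[str]]:
    """The first matching terminating rule wins. action=log only records the
    packet and lets evaluation continue, which is why log must sit before drop."""
    logged: List[str] = []
    for rule in rules:
        if rule.chain != select_chain(pkt) or not rule.matches(pkt):
            continue
        if rule.action == "log":
            logged.append(f"{rule.log_prefix}: {pkt.src} -> {pkt.dst}:{pkt.dst_port}")
            continue
        return rule.action, logged
    return default, logged


# The rule as written in the opening post: chain=input, so a forwarded
# news session never reaches it.
ORIGINAL_RULES = [Rule("input", "drop", proto="tcp", dst_port=119)]

# The ordering the thread converges on: per-host accept placed before the
# blocker, then log, then drop, for each blocked service.
CORRECTED_RULES = [
    Rule("forward", "accept", proto="tcp", dst_port=25, src_address="192.168.0.3"),
    Rule("forward", "log", proto="tcp", dst_port=25, log_prefix="email"),
    Rule("forward", "drop", proto="tcp", dst_port=25),
    Rule("forward", "drop", proto="tcp", dst_port=110),
    Rule("forward", "drop", proto="tcp", dst_port=119),
]

# Constructed sample flows: a LAN host reading news, two hosts sending mail, one browsing.
NEWS = Packet("192.168.0.5", "198.51.100.9", "tcp", 119)
MAIL_ALLOWED = Packet("192.168.0.3", "198.51.100.25", "tcp", 25)
MAIL_BLOCKED = Packet("192.168.0.7", "198.51.100.25", "tcp", 25)
WEB = Packet("192.168.0.7", "198.51.100.80", "tcp", 80)


def verdict(rules: List[Rule], pkt: Packet) -> str:
    return run_filter(rules, pkt)[0]


if __name__ == "__main__":
    print("original rule, news:", verdict(ORIGINAL_RULES, NEWS))              # accept (wrong chain)
    print("corrected, news:", verdict(CORRECTED_RULES, NEWS))                  # drop
    print("corrected, mail from .3:", verdict(CORRECTED_RULES, MAIL_ALLOWED))  # accept
    print("corrected, mail from .7:", run_filter(CORRECTED_RULES, MAIL_BLOCKED))  # drop, one log line
    print("corrected, web:", verdict(CORRECTED_RULES, WEB))                    # accept
```

Swapping the per-host accept and the drop in CORRECTED_RULES makes 192.168.0.3 lose mail access too, which is the ordering mistake the "move" hint above is for.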

Thank you very much, everything works as wanted…

Now, not really on topic, but can you tell me whether it is possible to "cut" the log down to only the really important things? I mean my current log averages around 100 MB a day and I'll be running out of space soon…

I mean the web proxy generates a lot of logs for everything, so it would be nice to remove all the "debugging" info…

2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,account 192.168.20.201 GET > http://www.google.hr/ > action=allow cache=MISS
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug GET / HTTP/1.1
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug Accept: /
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug Accept-Language: hr
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug Accept-Encoding: gzip, deflate
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug Host: > http://www.google.hr
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug Cookie: PREF=ID=4f9a1a7517740591:TM=1190994769:LM=1206560191:S=fltWGzzvCuwZPtv; SID=DQAAAHEAAAAACdHnFc7Nh30C708whtGtFOgcyp90nR02vJKElbQ0FnBg7yuFztriN2j6GQwhiLqKHpbeI6Iow1kz_9qTqCLs8CF0hWiqkASs152e1DovJcWChhOs3QRz8XaukDQRkDG7qH0BpWZFrvhsyAeKkS7aF0bIth
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug gTmHP4Xss3xE9DQ; NID=13=ManWvEJOUgBjv-mFuL4-sr5hxtUT8jOwETYmz1Yb7bKYe6qpnR3dkPods-rNA0iInvGYXx8eBVFqSkmk3_p0qOGp7cXbpfi_xeO7ZKkzINIiodHvVYEUHL2OH0uK1V9F
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug X-Proxy-ID: 1355529342
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug X-Forwarded-For: 192.168.20.201
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug Via: 1.1 192.168.20.1 (Mikrotik HttpProxy)
2008-08-08 00:04:49 Local7.Debug ch1 web-proxy,debug
2008-08-08 00:04:50 Local7.Debug ch1 web-proxy,debug Response to "GET > http://www.google.hr/> ":
2008-08-08 00:04:50 Local7.Debug ch1 web-proxy,debug HTTP/1.1 200 OK
2008-08-08 00:04:50 Local7.Debug ch1 web-proxy,debug Cache-Control: private, max-age=0
2008-08-08 00:04:50 Local7.Debug ch1 web-proxy,debug Date: Thu, 07 Aug 2008 22:04:28 GMT
2008-08-08 00:04:50 Local7.Debug ch1 web-proxy,debug Expires: -1
2008-08-08 00:04:50 Local7.Debug ch1 web-proxy,debug Content-Type: text/html; charset=UTF-8
2008-08-08 00:04:50 Local7.Debug ch1 web-proxy,debug Content-Encoding: gzip
2008-08-08 00:04:50 Local7.Debug ch1 web-proxy,debug Server: gws
2008-08-08 00:04:50 Local7.Debug ch1 web-proxy,debug Content-Length: 3067
2008-08-08 00:04:50 Local7.Debug ch1 web-proxy,debug
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,account 192.168.20.201 GET > http://www.rapidshare.com/ > action=allow cache=MISS
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug GET / HTTP/1.1
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Accept-Language: hr
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Accept-Encoding: gzip, deflate
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Host: > http://www.rapidshare.com
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Cookie: user=4276129-%38%37%4B%4B%73%65%55%53%71%74
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug X-Proxy-ID: 1355529342
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug X-Forwarded-For: 192.168.20.201
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Via: 1.1 192.168.20.1 (Mikrotik HttpProxy)
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Response to "GET > http://www.rapidshare.com/> ":
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug HTTP/1.1 200 OK
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug P3P: CP=“ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa TELa OUR STP UNI NAV STA PRE”
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Date: Thu, 07 Aug 2008 22:04:38 GMT
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Accept-Ranges: bytes
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Content-Type: text/html; charset=ISO-8859-1
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Cache-Control: no-cache
2008-08-08 00:04:59 Local7.Debug ch1 web-proxy,debug Content-Length: 8836

Thanks :wink:

You can disable the debug topic in system logging. Use a !debug, I believe.

It still logs a lot of debug information:

2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,account 192.168.20.201 GET > http://www.index.hr/xmag/img/hmenu/hover/Ljepotice.gif > action=allow cache=MISS
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug GET /xmag/img/hmenu/hover/Ljepotice.gif HTTP/1.1
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Accept: /
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Referer: > http://www.index.hr/xmag/clanak/jay-leno-zario-u-intimu-scarlett-johansson-i-izbezumio-lijepu-glumicu/398021.aspx
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Accept-Language: hr
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Accept-Encoding: gzip, deflate
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Host: > http://www.index.hr
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Cookie: __utma=113995871.1655131464.1192020931.1218534259.1218534307.480; __utmz=113995871.1215987608.436.19.utmcsr=croportal.net|utmccn=(referral)|utmcmd=referral|utmcct=/forum/zene/severina-vuckovic-4727/stranica95/; __utmb=113995871.11.10.1218534307
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug ; __utmc=113995871; ASP.NET_SessionId=o1nf4bry4ty0mqb2py4ojlzo
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug X-Proxy-ID: 1355529342
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug X-Forwarded-For: 192.168.20.201
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Via: 1.1 192.168.20.1 (Mikrotik HttpProxy)
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Response to "GET > http://www.index.hr/xmag/img/hmenu/hover/Ljepotice.gif> ":
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug HTTP/1.1 200 OK
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Content-Length: 1085
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Content-Type: image/gif
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Last-Modified: Mon, 04 Dec 2006 13:19:32 GMT
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Accept-Ranges: bytes
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug ETag: “04aa9d5a617c71:17d8”
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Server: Microsoft-IIS/6.0
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug X-Powered-By: ASP.NET
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Date: Tue, 12 Aug 2008 09:45:29 GMT
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug

Even with what you said:

Flags: X - disabled, I - invalid
 #   TOPICS       ACTION   PREFIX
 0   info         disk     INFO
 1   error        disk
 2   warning      disk
 3   critical     echo
 4   critical     disk
 5   web-proxy    remote
 6   firewall     echo
 7   firewall     remote
 8   !debug       remote

Any other ideas?

Change "5 web-proxy remote" to "5 web-proxy !debug remote".

And how exactly do I do that? I mean web-proxy is a topic by itself and debug is a topic by itself; how do I put two topics into one rule?

add action=memory disabled=no prefix="" topics=web-proxy,!debug
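Why the rule in the table above kept forwarding debug lines, and why a comma-joined "web-proxy,!debug" fixes it, comes down to two properties of topic matching: the topics listed in one logging rule are ANDed (a "!" entry means "must be absent"), and every logging rule is evaluated independently, so a separate "!debug remote" rule cannot stop the "web-proxy remote" rule from sending the same debug lines. The following Python is an added example that models that behaviour; it is not RouterOS code and not from anyone in this thread. The sample log lines are constructed in the format pasted above (cookies and long headers left out), and the rule lists are a subset of the configuration quoted in the thread.

```python
"""Added example (not RouterOS code): a model of how RouterOS-style logging
rules select messages by topic, showing why "web-proxy" alone forwards the
debug lines and "web-proxy,!debug" does not. Sample log lines are constructed
in the format pasted in this thread, with cookies and long headers left out."""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_LOG = """\
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,account 192.168.20.201 GET http://example.test/ action=allow cache=MISS
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug GET / HTTP/1.1
2008-08-12 11:45:51 Local7.Debug ch1 web-proxy,debug Host: example.test
2008-08-12 11:45:52 Local7.Info ch1 firewall,info email forward: in:LAN out:ADSL, proto TCP, 192.168.20.201:1044->198.51.100.25:25
2008-08-12 11:45:53 Local7.Warning ch1 system,error,critical login failure for user admin from 192.168.20.201 via ssh
"""

# date time | facility | channel | comma-separated topics | message
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (.*)$")


def parse_line(line: str) -> Tuple[Set[str], str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    _ts, _facility, _channel, topics, msg = m.groups()
    return set(topics.split(",")), msg


def topics_match(spec: str, topics: Set[str]) -> bool:
    """A rule's topic list is ANDed: each plain topic must be present and
    each '!topic' must be absent. 'web-proxy,!debug' therefore takes the
    account lines but not the request/response header dumps."""
    for t in spec.split(","):
        if t.startswith("!"):
            if t[1:] in topics:
                return False
        elif t not in topics:
            return False
    return True


LoggingRules = List[Tuple[str, str]]   # (topics spec, action)


def route(rules: LoggingRules, log: str) -> Dict[str, List[Tuple[Set[str], str]]]:
    """Every logging rule is checked independently against every message, so a
    message can reach several actions; a rule saying '!debug remote' does not
    stop another rule from sending debug lines to the same place."""
    out: Dict[str, List[Tuple[Set[str], str]]] = {}
    for line in log.splitlines():
        topics, msg = parse_line(line)
        for spec, action in rules:
            if topics_match(spec, topics):
                bucket = out.setdefault(action, [])
                if (topics, msg) not in bucket:   # count each message once per action
                    bucket.append((topics, msg))
    return out


def debug_lines_sent(rules: LoggingRules, action: str, log: str = SAMPLE_LOG) -> int:
    """How many messages carrying the 'debug' topic reach the given action."""
    return sum(1 for topics, _ in route(rules, log).get(action, []) if "debug" in topics)


# Subset of the configuration quoted in the thread (prefixes omitted), and the fix.
LOGGING_BEFORE: LoggingRules = [("info", "disk"), ("web-proxy", "remote"),
                                ("firewall", "remote"), ("!debug", "remote")]
LOGGING_AFTER: LoggingRules = [("info", "disk"), ("web-proxy,!debug", "remote"),
                               ("firewall", "remote"), ("!debug", "remote")]

if __name__ == "__main__":
    for name, rules in (("before", LOGGING_BEFORE), ("after", LOGGING_AFTER)):
        sent = route(rules, SAMPLE_LOG).get("remote", [])
        print(f"{name}: {len(sent)} messages to remote, "
              f"{debug_lines_sent(rules, 'remote')} of them debug")
```

Run against the constructed sample, the "before" rules deliver both web-proxy,debug lines to the remote syslog and the "after" rules deliver none of them, while the account line and the firewall and system messages still arrive.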

Thanks mate!!!