Blocking non-developers

I have a web service that is used by developers and can be accessed from the internet via a global IP.

This service is connected to a mobile application that is used by normal users. I don’t want users to write 185.x.x.x:x and be able to access the web service.
How can I only restrict access to developers and the mobile application only?
Here’s a link to the image I’m trying, but failing, to show here:
https://drive.google.com/file/d/1KfwVCSxI4vrb6wGiy5GyJyn0EAV93NoZ/view?usp=sharing

Create a firewall address list of the WAN IPs of your developers.
If they don't have a static IP, then tell them to get a free dyndns account (easily available).

/ip firewall address-list
add address=PublicIP1 list=developers comment=developerGeorge
add address=PublicIP2 list=developers comment=developerAlice
add address=PublicIP3 list=developers comment=developerTony

Where public IP can be an IP address or dyndns domain name.

The firewall address list will be used in a destination nat rule to be used in the port forwarding rule for the server.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=xxxx in-interface-list=WAN \
    src-address-list=developers to-addresses=IPofServer to-ports=yyyyy
(to-ports is only required if the dst-port is translated to a different internal port)

Where is the MikroTik device?

Anav,
This will make users unable to use the mobile app that is connected to the web service.
I guess there’s no way to do my requirement.

Where is the MikroTik device?

Well, if you manage / wrote the mobile app yourself, there is always the option to introduce some form of “port-knocking”

  1. Developers should, before they start their work, issue a port-knock sequence to your device to “open up”. There are “port-knock” apps for Android, no problem.
  2. Ordinary users, not using your mobile app, will face a public IP that is completely closed, with no backend web service accessible.
  3. App users: the app first launches the port-knock sequence in the correct order, the ACL is dynamically adjusted and their public IP is added to the list. Then the app can use the DNAT and reach the backend web service.

The only drawback → of course traffic could be sniffed, so advanced users can figure out the knock sequence you issue to open up. But let’s be real, 99.999999% is not going to investigate your app to see what traffic it emits, etc.

I know, this is seriously far fetched and there are probably better ways, but just giving you some ideas.
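The knock sequence described in the post above, sketched as RouterOS firewall rules. This is an added example, not configuration posted in the thread: the knock ports, timeouts, service port, server address and the intermediate list names are constructed, and the filter rules are assumed to be placed above the router's general WAN drop rule in the input chain.

```routeros
# Added example. Constructed values: knock ports 8002 -> 7001 -> 9003,
# service port 8443, server 192.168.88.10, lists knock-stage1 / knock-stage2.
# The knock ports are deliberately not in ascending or descending order, so a
# sequential port scan does not complete the sequence by accident.

/ip firewall filter
# Knock 1: any new WAN connection attempt to 8002 marks the source for 10 s.
add chain=input in-interface-list=WAN protocol=tcp dst-port=8002 \
    connection-state=new action=add-src-to-address-list \
    address-list=knock-stage1 address-list-timeout=10s comment="knock 1"

# Knock 2: only counts if the source is still in stage 1.
add chain=input in-interface-list=WAN protocol=tcp dst-port=7001 \
    connection-state=new src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=knock-stage2 \
    address-list-timeout=10s comment="knock 2"

# Knock 3: source that completed stage 2 is added to the "developers" list
# for 8 hours. Static developer entries can live in the same list.
add chain=input in-interface-list=WAN protocol=tcp dst-port=9003 \
    connection-state=new src-address-list=knock-stage2 \
    action=add-src-to-address-list address-list=developers \
    address-list-timeout=8h comment="knock 3: open up"

# Never answer on the knock ports themselves, so the IP still looks closed.
add chain=input in-interface-list=WAN protocol=tcp \
    dst-port=7001,8002,9003 action=drop comment="silent knock ports"

/ip firewall nat
# Port forward that only matches sources currently in the "developers" list.
# Everyone else falls through to the input chain and is dropped there.
add chain=dstnat action=dst-nat protocol=tcp dst-port=8443 \
    in-interface-list=WAN src-address-list=developers \
    to-addresses=192.168.88.10 comment="web service, knocked sources only"
```

Since the sequence can be observed on the wire, as the post itself notes, this only narrows who can reach the port; the web service still needs its own authentication.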

“Unzipping” the app often reveals API keys…

Please check if your app is “compiled” in such a stupid way…
