firewall help (-_-) !!!

I have MikroTik 3.13 and I work as PPTP. I need to open only 2 ports, 1 for 80 and another for VPN, and drop all other ports, and drop all traffic coming from the internet, only open port 1010 for 192.168.100.151. I tried a lot of firewall rules like:

47 X chain=input action=accept src-port=80 protocol=tcp

48 X chain=output action=accept dst-port=80 protocol=tcp

49 X ;;; dns
chain=output action=accept dst-port=53 protocol=udp dst-limit=3048,5,dst-address/1m40s

50 X chain=output action=accept src-port=8080 protocol=tcp

51 X ;;; http
chain=output action=accept dst-port=8080 protocol=tcp

52 X ;;; Allow-limited-icmp
chain=output action=accept protocol=icmp limit=50/5s,2

53 X chain=output action=accept protocol=gre

54 X chain=output action=accept src-port=1723 protocol=tcp

55 X chain=output action=accept dst-port=1723 protocol=tcp

56 X ;;; accept new connections
chain=output action=accept protocol=tcp

57 X ;;; Drop-evry-theenggg
chain=output action=drop

And when I try to open MSN Messenger it works, Yahoo Messenger it works.
This is my config:

[admin@EnG:MoHaMeD] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic

2 chain=srcnat action=masquerade

3 chain=dstnat action=redirect to-ports=8080 dst-port=80 protocol=tcp


[admin@EnG:MoHaMeD] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; Lan
10.0.0.3/24 10.0.0.4 10.0.0.255 Lan
1 ;;; Wan
91.11.16.88/24 91.11.16.88 91.11.16.88 Wan
2 ;;; Server-Lan
192.168.100.3/24 192.168.100.2 192.168.100.250 Lan
3 D 192.168.100.3/32 192.168.1.229 0.0.0.0

[admin@EnG:MoHaMeD] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 reachable 91.11.16.3 1 Wan
1 ADC 10.0.0.0/24 10.0.0.3 0 Lan
2 ADC 91.11.16.0/24 91.11.16.88 0 Wan
3 A S 192.0.0.0/8 reachable 192.168.100.3 1 Lan
4 A S 192.168.0.0/16 reachable 192.168.100.1 1 Lan
5 ADC 192.168.1.229/32 192.168.100.3 0
6 ADC 192.168.100.0/24 192.168.100.3 0 Lan



/ip proxy> print
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: system
cache-administrator: "admin"
max-cache-size: 20000KiB
cache-on-disk: yes
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 2d
serialize-connections: no
always-from-cache: yes
cache-hit-dscp: 12

Thanks for helping me :smiley: .

Input rules are from internet to the router
Output rules are from router to internet
Forward rules are from local network to internet and viceversa.

If you need to open 80, you must open 53 for DNS too…

Thanks for your help, but when I put

71 ;;; DNS
chain=output action=accept dst-port=53 protocol=udp

72 ;;; HTTP
chain=output action=accept dst-port=80 protocol=tcp

73 chain=output action=accept src-port=8080 protocol=tcp

74 ;;; VPN
chain=output action=accept protocol=gre

75 chain=output action=accept src-port=1723 protocol=tcp

76 ;;; DROP-EVRY-THING-ELTH
chain=output action=drop
opening ports 80 and 8080 and 53 and GRE and 1723 works well,
but when I try to open MSN Messenger it works, Yahoo works.
I need only HTTP and VPN to work and to drop everything else ???

Ibersystems gave you the answer. You just did not see it.

It is chain=forward you need to control!
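To make the two replies above concrete (input = to the router, output = from the router, forward = through the router between Lan and Wan), here is an added example rule set, not from any post in this thread and not tested on the poster's box. It uses the interface names Lan and Wan and the address 192.168.100.151 from the poster's own prints; the protocol for port 1010 (taken as TCP), the Winbox management port, and the idea that the LAN clients are the PPTP endpoints are assumptions. Rules are written one connection-state per line because 3.x does not accept a comma-separated list there.

```routeros
# Added example (not the poster's config). Assumes interfaces "Lan"/"Wan",
# that LAN hosts are the PPTP clients, and that port 1010 is TCP.
/ip firewall filter
# ---- forward chain: traffic THROUGH the router (LAN <-> internet) ----
add chain=forward connection-state=established action=accept comment="replies to sessions already allowed"
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=Lan out-interface=Wan protocol=udp dst-port=53 action=accept comment="DNS"
add chain=forward in-interface=Lan out-interface=Wan protocol=tcp dst-port=80 action=accept comment="HTTP (only reached if the 80->8080 proxy redirect is off)"
add chain=forward in-interface=Lan out-interface=Wan protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=forward in-interface=Lan out-interface=Wan protocol=gre action=accept comment="PPTP data"
add chain=forward in-interface=Wan protocol=tcp dst-address=192.168.100.151 dst-port=1010 action=accept comment="published service (assumed TCP)"
add chain=forward action=drop comment="everything else, both directions"

# ---- input chain: traffic TO the router itself ----
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=Lan protocol=tcp dst-port=8080 action=accept comment="web proxy, reached via the dstnat redirect"
add chain=input in-interface=Lan protocol=udp dst-port=53 action=accept comment="DNS, if the router resolves for the LAN"
add chain=input in-interface=Lan protocol=tcp dst-port=8291 action=accept comment="Winbox from LAN (assumed management port)"
add chain=input action=drop comment="nothing else, including everything from Wan"

# ---- nat: publish 1010 to the inside host; the forward rule above then admits it ----
/ip firewall nat
add chain=dstnat in-interface=Wan protocol=tcp dst-port=1010 action=dst-nat to-addresses=192.168.100.151 to-ports=1010 comment="assumed TCP"
```

Two things to keep in mind with this layout. Leave the output chain open (or keep the poster's output rules disabled): the proxy's own fetches and the router's DNS queries originate from the router, so an output drop breaks exactly the HTTP you wanted. And because every port-80 connection from the LAN is redirected into the proxy, anything that speaks plain HTTP (as the last post notes some messengers do) still gets through the forward chain's drop; that traffic can only be controlled at the proxy itself, under /ip proxy access, not by port in the filter. If the router is itself the PPTP endpoint (the dynamic /32 entry in the address list suggests it may be), the 1723/GRE traffic is in the output chain, not forward, and the two forward rules for it can be dropped.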

I tried to make it forward, it's the same problem, Yahoo and MSN work !!!

These days Yahoo & MSN are using the same port as HTTP. We are not even able to block them by URL blocking in the router.

Many messengers use HTTP for IMs. Do those two?