How to block port 8080 on WAN?

Hello all,

I am brand new to RouterOS. I followed a tutorial from the net to enable web proxy. My machines on the LAN are able to access internet via web proxy, however port 8080 is open on the WAN side.

There is a firewall rule, which says to drop packets. It still shows up http://www.yougetsignal.com/tools/open-ports/

Please see screenshots attached. Thanks in advance folks.

Don’t put anything in the SRC Address. Note however that you probably shouldn’t need a specific rule dropping 8080 on the WAN side because if you want “firewall” behavior you should have a default drop rule on the input and forward chains and only permit the traffic that you actually want to flow.

I think that the correct src address must be 0.0.0.0/0

Thanks folks, I removed the SRC Address and it works great. I appreciate your quick help folks. Cheers

I’m with him. You should setup a default drop.

Sent from my SCH-I545 using Tapatalk

Hello again guys,

Sorry to bother y'all. I have been struggling trying to block everything except the stuff I need. Please could someone spell it out for me. Attaching two screenshots with what I have on the NAT.

Cheers

Can you post exports instead of a screenshot? I can’t seem to see those on my phone

Sent from my SCH-I545 using Tapatalk

Alright… something like this… note you need to add allows for your dst-nat.
/ip firewall filter
add chain=input comment="Connection State - Established" connection-state=established
add chain=input comment="Connection State - Related" connection-state=related
add action=drop chain=input comment="Connection State - Invalid" connection-state=invalid
add action=jump chain=input comment="ICMP - From Internet - Jump" in-interface=ether01-gateway jump-target=ICMP protocol=icmp
add chain=input comment="Local" in-interface=!ether01-gateway
add action=drop chain=input comment="TCP - Syn Flood Suppression - Drop SynFlood" src-address-list=SynFlood
add action=add-src-to-address-list address-list=SynFlood address-list-timeout=30m chain=input comment="TCP - Syn Flood Detection - Add To SynFlood (30 Connections Per IP Address)" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="TCP - Port Scan Detection - Drop Port Scans (21,3s,3,1)" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="TCP - DoS Attack Suppression - Tarpit BlackList (3 Connections Per IP Address)" connection-limit=3,32 protocol=tcp src-address-list=BlackList
add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="TCP - DoS Attack Detection - Add to BlackList for 1d (10 Connections per IP Address)" connection-limit=10,32 protocol=tcp
add action=drop chain=input comment="Default Drop"

add chain=forward comment="Connection State - Established" connection-state=established
add chain=forward comment="Connection State - Related" connection-state=related
add action=drop chain=forward comment="Connection State - Invalid" connection-state=invalid
add chain=forward comment="Forward to Ether1-Gateway" out-interface=ether01-gateway
add action=drop chain=forward comment="Default Drop"

add chain=ICMP comment="ICMP - Allow Echo Reply (0:0-255), Limit 5pps" icmp-options=0:0-255 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Destination Unreachable (3:0-255), Limit 5pps" icmp-options=3:0-255 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Source Quench (4:0), Limit 5pps" icmp-options=4:0 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Echo Request (8:0), Limit 5pps" icmp-options=8:0 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Time Exceeded (11:0), Limit 5pps" icmp-options=11:0 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Parameter Problem (12:0), Limit 5pps" icmp-options=12:0 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="ICMP - Drop All Others" protocol=icmp

[admin@MikroTik] /queue tree> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=WAN

1 ;;; Web Proxy for internal Machines
chain=dstnat action=redirect to-ports=8080 protocol=tcp in-interface=LAN dst-port=80

2 ;;; NAT 443 to Internal Server
chain=dstnat action=dst-nat to-addresses=192.168.7.2 to-ports=443 protocol=tcp in-interface=WAN dst-port=443

3 ;;; NAT SSH to internal server
chain=dstnat action=dst-nat to-addresses=192.168.7.2 to-ports=22 protocol=tcp in-interface=WAN dst-port=2222

4 ;;; UDP to VPN Server Internal
chain=dstnat action=dst-nat to-addresses=192.168.7.2 to-ports=500 protocol=udp in-interface=WAN dst-port=500

5 chain=dstnat action=dst-nat to-addresses=192.168.7.2 to-ports=4500 protocol=udp in-interface=WAN dst-port=4500

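The reply above points out that a default-drop forward chain needs explicit allows for the dst-nat rules. Here is an added example (not posted by anyone in this thread) of those accepts for the services in the NAT print, plus a logged drop for the proxy port on the WAN side so hits can be seen in the log. It assumes the interface names WAN and LAN from the NAT print, the internal server 192.168.7.2 from the same print, and that a rule commented "Default Drop" already exists in the input and forward chains.

```routeros
/ip firewall filter
# Forward chain sees the already-translated destination, so match the
# internal address and the *translated* ports (22, not the external 2222).
# connection-nat-state=dstnat ensures only traffic that matched a dstnat
# rule is accepted, not arbitrary WAN traffic to those ports.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface=WAN dst-address=192.168.7.2 protocol=tcp dst-port=443,22 \
    comment="Allow dst-nat HTTPS and SSH to internal server" \
    place-before=[find chain=forward comment="Default Drop"]
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface=WAN dst-address=192.168.7.2 protocol=udp dst-port=500,4500 \
    comment="Allow dst-nat IPsec (IKE/NAT-T) to internal VPN server" \
    place-before=[find chain=forward comment="Default Drop"]

# The web proxy listens on the router itself (input chain). The default drop
# already blocks it from the WAN; this explicit rule is redundant but logs
# every attempt, which is handy for confirming the external scan result.
add chain=input action=drop in-interface=WAN protocol=tcp dst-port=8080 \
    log=yes log-prefix="proxy-wan-drop" \
    comment="Drop and log WAN access to web proxy" \
    place-before=[find chain=input comment="Default Drop"]

# LAN clients still reach the redirected proxy through the "Local" accept
# rule (in-interface=!WAN), so nothing else is needed for them.
```

Re-run the external port check after applying; the counters from /ip firewall filter print stats should increment on the logged drop rule while 8080 shows closed.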

For reference… just type /export and post that… it is much easier to read than the print. And if you put it in the “select syntax → routeros” tags you get color highlighting…

For my answer see above.