Limited HTTP/HTTPS access

Hi All,

I have a webserver running behind my Mikrotik server.
As of now, all requests destined for port 80/443 are forwarded to the Ubuntu server.

I would like to make the webserver reachable only from a specific country. Is this possible? Adding some whitelist to the port forwarding or something?

Thanks for the help!

I’m afraid this can’t be (easily) done with RouterOS. To my knowledge there’s no geoIP functionality.
In case your webserver is running Apache2 or nginx, you could add the geo_ip modules.
Or you add a squid instance as a reverse proxy in front of the webserver and let it do the geoIP job…

-Chris

I have got the IP subnets of the country which need to be whitelisted.
But I don’t know how I should implement it :frowning:

Ah, if this is the case, then add those addresses with CIDR suffix to a firewall address list named “myCountry”,
then adjust your dst-nat rule, adding src-address-list=myCountry.
Then create a filter drop rule for tcp/80,443.

Done.
-Chris

Hi cdiedrich!

Thanks for the idea, it worked :slight_smile:

/ip firewall address-list> add address=x.x.x.x/16 list=whitelist
/ip firewall address-list> add address=x.x.x.x/20 list=whitelist
... bunch of subnets ...
/ip firewall nat> add action=dst-nat chain=dstnat comment="HTTP requests" dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.66 src-address-list=whitelist
/ip firewall nat> add action=dst-nat chain=dstnat comment="HTTPS requests" dst-port=443 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.66 src-address-list=whitelist

I’ve also used this for 22 :slight_smile: sooo many people were trying to login with “admin” “root” “administrator” “mikrotik” …

Thanks again! Have a nice day!

IP2Location provides a free ACL list by country for MikroTik. You can download the free access list from block visitors by country and then apply it in the MikroTik configuration to enable access from a specific country only.
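
The approach worked out in this thread (address list, dst-nat rules restricted by src-address-list, drop rule for tcp/80,443) can be generated from a subnet list instead of typed by hand. The following is an added example, not code from any poster: the sample subnets are constructed documentation ranges, `MIN_PREFIX` and the function names are hypothetical, and `chain=input` on the drop rule is an assumption since the thread does not name a chain.

```python
import ipaddress

MIN_PREFIX = 8  # assumption: anything broader than a /8 in a country list is a typo

# Constructed sample input (documentation ranges), one subnet per line.
SAMPLE = """\
198.51.100.0/25
198.51.100.128/25   # adjacent to the line above, merges into one /24
203.0.113.0/24
192.0.2.0/24
192.0.2.64/26       # already covered by 192.0.2.0/24
"""

def parse_subnets(text):
    """Validate each line and return the merged, sorted list of IPv4 networks."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 203.0.113.5/24
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from None
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(f"line {lineno}: {entry!r} is too broad for a whitelist")
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))

def build_script(nets, list_name="whitelist", wan="pppoe-out1", server="192.168.88.66"):
    """Return RouterOS commands: address-list entries, dst-nat rules, drop rule."""
    out = [f"/ip firewall address-list add address={n} list={list_name}" for n in nets]
    for port in (80, 443):
        out.append(
            f"/ip firewall nat add action=dst-nat chain=dstnat dst-port={port} "
            f"in-interface={wan} protocol=tcp src-address-list={list_name} "
            f"to-addresses={server}")
    # Assumption: chain=input. Traffic that misses the dst-nat rules is addressed
    # to the router itself, so this is where the drop for tcp/80,443 applies.
    out.append(f"/ip firewall filter add action=drop chain=input dst-port=80,443 "
               f"in-interface={wan} protocol=tcp")
    return out

if __name__ == "__main__":
    print("\n".join(build_script(parse_subnets(SAMPLE))))
```

Rejecting malformed or over-broad entries before import matters here because a single mistyped prefix in the whitelist silently opens the forwarded ports to a far larger range than intended.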