Need to allow http ports and other known ports

Hello,

Please, I am not an MT guru. I need to allow http (80) and 3 other known ports (5050, 25, and 100) only on my network. I did something like this in my forward chain:

ip firewall rule forward add dst-port=5050 action=jump jump-target=output
ip firewall rule forward add dst-port=25 action=jump jump-target=output
ip firewall rule forward add dst-port=110 action=jump jump-target=output
ip firewall rule forward add dst-port=!80 action=drop

The only time the rule worked was when I disabled the first three rules (i.e. 5050, 25, and 110). I need these ports open while the others are dropped.

Please help.

You want to forbid access to these ports on your network from outside?

I want access to these ports (80, 5050, 25, and 110) on my network, both inbound and outbound. All other forwarded ports (aside from 80, 5050, 25, and 110) should be dropped.

Please explain your network: NATted, routed, etc., and whether you use private IP space. And, in human terms, what you are trying to accomplish.

i.e. stop people on your network from using anything but http, sip, and mail,

or Allowing your network internet access while keeping hackers out.

thanks,

Meiser said: Please explain your network: NATted, routed, etc., and whether you use private IP space.

I have a NATted network, with public IP space from my provider: 66.179.254.120/27. I put the MT between a satellite gateway (66.179.120.121) and my LAN.

meiser said: And in human terms what you are trying to accomplish.

I don't want PCs on my LAN to forward traffic through any ports except 80 (http), 5050, 25 and 110. In other words, PCs on my LAN should just browse, do POP mail and Yahoo chat, that's all!


The problem I have on my LAN is that I left all the ports open, and worms and many other malicious programs take advantage of the open ports to attack, thereby eating up my bandwidth.


Then you should only allow these ports on the forward chain, e.g.:

add chain=forward src-address=(your lan) protocol=tcp dst-port=80 action=accept
add chain=forward src-address=(your lan) protocol=tcp dst-port=5050 action=accept
add chain=forward src-address=(your lan) protocol=tcp dst-port=110 action=accept

And then add a rule to drop all the other traffic:

add chain=forward src-address=(your lan) action=drop

Regards

Thanks, Cibernet.


Then you should only allow these ports on the forward chain, e.g.:

I have the following on my forward chain already, added by the hotspot automatically:

3 in-interface=WIRELESS action=jump jump-target=hotspot-temp

4 ;;; account traffic for authorized hotspot clients
action=jump jump-target=hotspot

5 ;;; limit access for unauthorized hotspot clients
in-interface=WIRELESS action=jump jump-target=hotspot-temp

6 ;;; account traffic for authorized hotspot clients
action=jump jump-target=hotspot

7 ;;; limit access for unauthorized hotspot clients
in-interface=WIRELESS action=jump jump-target=hotspot-temp

8 ;;; account traffic for authorized hotspot clients
action=jump jump-target=hotspot

9 ;;; limit access for unauthorized hotspot clients
in-interface=WIRELESS action=jump jump-target=hotspot-temp

10 ;;; account traffic for authorized hotspot clients
action=jump jump-target=hotspot

You must allow UDP 53 also, or how else will your users resolve domain names?!

Better to put UDP 53 in the input chain on the router and force clients to use the DNS server on the MT.

Regards

Andrew
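As an added illustration (not code from any poster in this thread), here is a small Python model of first-match chain evaluation, run over the jump-based rules from the first post and over the accept-then-drop ruleset suggested above with the DNS rule moved to the input chain. The LAN prefix 192.168.88.0/24, the client address, an empty output chain and the reduced set of matchers are assumptions made for the example.

```python
"""Toy first-match model of RouterOS filter chains (constructed example, not
MikroTik code): shows why the first post's jump rules dropped 5050/25/110 and
why the accept-then-drop ruleset with DNS on the input chain works."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.88.0/24")  # assumed LAN prefix (placeholder)
def matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst_port" in rule and rule["dst_port"] != pkt["dst_port"]:
        return False
    if "not_dst_port" in rule and rule["not_dst_port"] == pkt["dst_port"]:
        return False  # models the negated matcher dst-port=!80
    if "src_net" in rule and ip_address(pkt["src"]) not in rule["src_net"]:
        return False
    return True

def walk(chains, name, pkt):
    """First-match walk: 'accept'/'drop', or None when the chain ends with
    no terminal action (a jumped-to chain then returns to its caller)."""
    for rule in chains.get(name, []):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            result = walk(chains, rule["target"], pkt)
            if result is not None:
                return result
            continue  # sub-chain fell through: resume in the calling chain
        return rule["action"]
    return None
def verdict(chains, pkt):
    """Built-in chains accept by default when no rule decides."""
    return walk(chains, pkt["chain"], pkt) or "accept"

# First post's attempt: jump to an output chain (assumed empty), then drop !80.
ORIGINAL = {"forward": [{"dst_port": p, "action": "jump", "target": "output"}
                        for p in (5050, 25, 110)]
            + [{"not_dst_port": 80, "action": "drop"}]}
# Thread's fix: accept the four TCP ports from the LAN, accept DNS to the
# router itself on the input chain, drop everything else the LAN forwards.
FIXED = {"forward": [{"src_net": LAN, "protocol": "tcp", "dst_port": p,
                      "action": "accept"} for p in (80, 5050, 25, 110)]
         + [{"src_net": LAN, "action": "drop"}],
         "input": [{"src_net": LAN, "protocol": "udp", "dst_port": 53,
                    "action": "accept"}]}
def lan_pkt(chain, protocol, dst_port):  # client 192.168.88.10 is made up
    return {"chain": chain, "src": "192.168.88.10",
            "protocol": protocol, "dst_port": dst_port}
```

The jump rules never terminate the packet, so it returns to the forward chain and meets the `!80` drop; the fixed set accepts before it drops, and a DNS query that clients send to the router is decided on the input chain, not forward.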

Thanks very much!

add chain=forward src-address=(your lan) protocol=tcp dst-port=80 action=accept
add chain=forward src-address=(your lan) protocol=tcp dst-port=5050 action=accept
add chain=forward src-address=(your lan) protocol=tcp dst-port=110 action=accept

And

add chain=forward src-address=(your lan) action=drop

It worked!!

Best Regards

Better to put UDP 53 in the input chain on the router and force clients to use the DNS server on the MT.

Please tell us the code for this because I need it, but I have had no success doing it.
Thanks

You need to read the manual…

add chain=forward src-address=(your lan) protocol=udp dst-port=53 action=accept

Regards