Howzit
I need some help.
We have been asked to set up a client connection that will only allow mail through and nothing else. How do I go about this?
Our clients connect via a PPPoE connection to our towers.
Can anyone help me with this?
Make firewall rules that only allow the required mail protocols for the IP address of that user, and drop all other traffic.
Right, I'm going to need a little help with this. I'm planning to set this client to a different IP range than the rest of them.
Then, using the filter rules, that IP range (e.g. 192.168.120.0/24) can only get port 110 and port 25. Doing this means that if there are any other clients who want this, I just move their profile into that IP range.
This is where I get stuck. I know it should be done but I have no idea how to do it. If someone could show me, that would be great.
Something like this:
/ip firewall filter
add chain=forward dst-address=192.168.120.0/24 connection-state=established action=accept comment="mail-only: replies to connections already permitted"
add chain=forward dst-address=192.168.120.0/24 connection-state=related action=accept comment="mail-only: related traffic"
add chain=forward dst-address=192.168.120.0/24 connection-state=invalid action=drop comment="mail-only: drop invalid packets"
add chain=forward src-address=192.168.120.0/24 protocol=tcp dst-port=25,110 action=accept comment="mail-only: SMTP and POP3 out"
add chain=forward src-address=192.168.120.0/24 action=drop comment="mail-only: everything else from the subnet"
Just make sure it’s somewhere sensible in the existing ruleset.
That allows all traffic back to 192.168.120.0/24 for connections that have already been established and OK’d before. Then it allows all traffic from 192.168.120.0/24 to tcp/25 and tcp/110, and then drops all other traffic sourced from that subnet.
Thanks.
You may also want to allow DNS lookups. Assuming the ROS box is configured to permit DNS requests, add the following rules:
/ip firewall filter
add chain=input src-address=192.168.120.0/24 protocol=udp dst-port=53 action=accept comment="mail-only: DNS to the router"
add chain=input src-address=192.168.120.0/24 action=drop comment="mail-only: nothing else to the router"
And then you may want to think about what ICMP (if any) traffic you want to permit…
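Pulling the two replies above together, here is a fuller version of the same set-up. It is an added example, not the poster's own configuration: it assumes RouterOS with the PPPoE server already running, puts the restricted range behind its own pool and PPP profile so that moving a customer is a one-line change to their secret, matches on an address list instead of repeating the subnet, enables the router as the customers' resolver, and answers the ICMP question with ping only. Going beyond the thread's 25/110, it also opens the TLS mail ports (465, 587, 993, 995) that most mail clients now use; trim that list if the provider only uses 25/110. The pool, profile and list names and the 192.168.120.1 router address are assumptions.

```routeros
# Added example, not the forum poster's configuration. Assumes RouterOS with a
# PPPoE server already set up. The names mail-only (pool, profile, address
# list) and the router-side address 192.168.120.1 are assumptions.
/ip pool
add name=mail-only ranges=192.168.120.2-192.168.120.254

# Customers assigned this profile land in the restricted range; to move a
# customer in or out, change the profile on their entry in /ppp secret.
/ppp profile
add name=mail-only local-address=192.168.120.1 remote-address=mail-only

# Match the restricted range by list so the filter rules never need editing
# if the range is changed or a second range is added later.
/ip firewall address-list
add list=mail-only address=192.168.120.0/24 comment="restricted PPPoE customers"

# Let the router answer DNS for these customers (the "assuming the ROS box
# is configured to permit DNS requests" part of the thread).
/ip dns
set allow-remote-requests=yes

/ip firewall filter
# Forward chain: return traffic for connections the accept rule below allowed.
add chain=forward dst-address-list=mail-only connection-state=established action=accept comment="mail-only: return traffic"
add chain=forward dst-address-list=mail-only connection-state=related action=accept comment="mail-only: related traffic"
add chain=forward dst-address-list=mail-only connection-state=invalid action=drop comment="mail-only: drop invalid"
# SMTP/POP3 as in the thread, plus the TLS submission/IMAP/POP3 ports.
add chain=forward src-address-list=mail-only protocol=tcp dst-port=25,110,465,587,993,995 action=accept comment="mail-only: mail protocols out"
add chain=forward src-address-list=mail-only action=drop comment="mail-only: drop everything else"

# Input chain: what these customers may send to the router itself.
add chain=input src-address-list=mail-only protocol=udp dst-port=53 action=accept comment="mail-only: DNS to router"
add chain=input src-address-list=mail-only protocol=icmp icmp-options=8:0 action=accept comment="mail-only: echo request only"
add chain=input src-address-list=mail-only action=drop comment="mail-only: drop other input"
```

Order matters: the filter rules must sit above any general accept in the forward and input chains, otherwise the customer's traffic is accepted before these rules are reached (use `/ip firewall filter print` to check the position, and `move` to fix it). Because the router is the resolver here, no udp/53 forward rule is needed; if customers are handed an external DNS server in the PPP profile, add a matching udp/53 accept in the forward chain above the drop.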
Thank you, I'll add those extra ones now.
I haven't had an opportunity to test this yet, as I haven't got round to the client to check (I've been trying to track down a sudden noise issue in town), but I should get there soon.
Thanks for all the help.
There is one more thing though. What if the client is using something like Gmail? How could I allow her to view that site and nothing else?
That will bring some challenge. If the customer is using a web interface, you will have to allow access to certain web services. You can restrict web access using the proxy (no proxying, just the control tools that the proxy provides).
http://wiki.mikrotik.com/wiki/Manual:IP/Proxy
Or continue the way you started, with the firewall; using the proxy would be easier.
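For the proxy route suggested above, this is what the control-only use of the web proxy looks like. It is an added example, not the poster's configuration: the restricted range's plain-HTTP traffic is redirected into the router's own proxy, and the proxy access list allows only the named webmail hosts. The hostnames, the proxy port 8080 and the rule comments are assumptions. One caveat a practitioner will want up front: the redirect only catches tcp/80, and an HTTP proxy cannot be put transparently in front of HTTPS (tcp/443), so a webmail service reached only over HTTPS is not controlled by this; for that you are back to the firewall and the provider's address ranges.

```routeros
# Added example for the proxy approach, not the forum poster's configuration.
# Hostnames and port 8080 are assumptions; 192.168.120.0/24 is the range
# used in the thread.
/ip proxy
set enabled=yes port=8080

# Redirect the range's plain-HTTP traffic into the local proxy. Only tcp/80
# is caught; HTTPS cannot be redirected into an HTTP proxy this way.
/ip firewall nat
add chain=dstnat src-address=192.168.120.0/24 protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="webmail: into transparent proxy"

# Redirected connections terminate on the router, so the input chain must
# accept them. Place this above any input drop rule for the range.
/ip firewall filter
add chain=input src-address=192.168.120.0/24 protocol=tcp dst-port=8080 action=accept comment="webmail: proxy port"

# Proxy access list, evaluated top to bottom: allow the webmail hosts for
# the restricted range, deny everything else it asks for. The leading "*"
# in dst-host is a RouterOS wildcard.
/ip proxy access
add src-address=192.168.120.0/24 dst-host=mail.google.com action=allow comment="webmail: allowed host"
add src-address=192.168.120.0/24 dst-host=*.gmail.com action=allow comment="webmail: allowed host"
add src-address=192.168.120.0/24 action=deny comment="webmail: deny all other sites"
```

Check what the proxy is actually seeing with `/ip proxy access print stats` after the customer loads the page; a deny counter climbing on a host you expected to allow usually means the site pulls content from a domain not on the allow list.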
Yeah, just as a thought, a headache and a half.
Okay, screw what the client wants: her mail is being downloaded to a mail browser or she pays the full internet cost... the choice is hers.
Thanks for all the help.