Problem with blocking ports

Hello,

I've had some abuse complaints from the DC, and I should fix the spamming problem.

I want to block all ports except some. I ran the rules below, but after connecting (VPN) there is no internet:

/ip firewall filter

add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=21
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=22
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=80
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=110
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=443
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=5050
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=8080
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=8291
add chain=forward disabled=no action=drop in-interface=LAN

Please help me.
I want to prevent spam, viruses, trojans, BitTorrent…

Thanks.

I've seen these, but need something simpler:

http://wiki.mikrotik.com/wiki/How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output
http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling
http://wiki.mikrotik.com/wiki/Spam_Filtering_with_Port_Forwarding_and_Geo-Location


I just want FTP, browsers, remote desktop, telnet, terminal, VNC and messengers to work.

You’re not permitting DNS - could that be why you “don’t get Internet”?

Thanks for your reply.

Which ports should I allow?

The ports DNS runs on.
DNS runs on udp/53 and sometimes on tcp/53.

add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=53
add chain=forward disabled=no action=accept in-interface=LAN protocol=udp dst-port=53

Correct, yes? Are these enough to prevent spam?

Thanks.

I have a bugger who not only downloads but even uploads via BitTorrent, and that fellow says that his download gets slow if he contains the uploads. Is it so?

I want to drop his uploads. What should I do…

What are you trying to block? Spam (email), or BitTorrent?
What you have should be sufficient for both, really, unless someone runs email or BitTorrent through the ports you're permitting.

add chain=forward disabled=no action=accept in-interface=External protocol=tcp dst-port=53
add chain=forward disabled=no action=accept in-interface=External protocol=udp dst-port=53
add chain=forward disabled=no action=accept in-interface=External protocol=tcp dst-port=43
add chain=forward disabled=no action=accept in-interface=External protocol=udp dst-port=43

No internet again.

Any solution, please?

When I enter:

add chain=forward disabled=no action=drop in-interface=External

no internet.

Why are you entering this rule? :)

add chain=forward disabled=no action=drop in-interface=External

This rule will block the internet. That is its only purpose.
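The thread never shows a ruleset that survives the final "drop in-interface=External" step, so here is one, as an added example that is not from the original posts or from the linked MikroTik wiki pages. It keeps the interface names LAN and External and the TCP port list from the thread; the address list name smtp-relays, the documentation address in it, and the standard ports added for telnet, RDP and VNC (which the poster asked for but never listed) are assumptions for illustration. The point it demonstrates is the one the thread circles around: the forward chain sees reply packets too, so a stateful accept must come before any interface-based drop.

```routeros
# Added example, not from the thread: a stateful replacement for the forward-chain
# whitelist posted above. LAN and External are the thread's interface names; the
# address list "smtp-relays" and its entry are ASSUMED and must be replaced with the
# mail server(s) the LAN is actually allowed to reach on tcp/25.
/ip firewall address-list
add list=smtp-relays address=192.0.2.25 comment="ASSUMED: your own/ISP mail relay (RFC 5737 documentation address)"

/ip firewall filter
# 1. Return traffic first. Replies to LAN-initiated connections arrive on External,
#    so a bare "drop in-interface=External" placed without this rule kills every
#    connection, which is exactly what the last posts describe.
add chain=forward action=accept connection-state=established,related comment="replies to existing connections"
add chain=forward action=drop connection-state=invalid comment="not part of any tracked connection"

# 2. Stop the abuse source explicitly: direct-to-MX SMTP from LAN hosts, except to the
#    relay. action=log does not stop evaluation, so the drop follows it; the prefix
#    lets you find the infected host when the next DC complaint arrives.
add chain=forward action=accept in-interface=LAN protocol=tcp dst-port=25 dst-address-list=smtp-relays comment="mail only via the relay"
add chain=forward action=log in-interface=LAN protocol=tcp dst-port=25 log-prefix="smtp-direct-drop" comment="which LAN host is spamming?"
add chain=forward action=drop in-interface=LAN protocol=tcp dst-port=25

# 3. New outbound connections from LAN: DNS plus the thread's own port list.
add chain=forward action=accept in-interface=LAN protocol=udp dst-port=53 comment="DNS"
add chain=forward action=accept in-interface=LAN protocol=tcp dst-port=53 comment="DNS over TCP (large answers)"
add chain=forward action=accept in-interface=LAN protocol=tcp dst-port=21,22,80,110,443,5050,8080,8291 comment="thread's whitelist"
# Standard ports for the telnet, RDP and VNC clients the poster asked for but did not
# list (ASSUMED here; messengers vary by product and are not covered):
add chain=forward action=accept in-interface=LAN protocol=tcp dst-port=23,3389,5900 comment="telnet, RDP, VNC"
add chain=forward action=drop in-interface=LAN comment="everything else from LAN, including BitTorrent peers"

# 4. Unsolicited connections from the internet towards LAN: drop. Because the
#    established/related accept is above this, it no longer "blocks the internet".
add chain=forward action=drop in-interface=External connection-state=new comment="no inbound new connections"
```

Two caveats a practitioner would want. First, the two accept rules posted in the thread with in-interface=External and dst-port=53 permit new connections from the internet into the LAN on port 53; they do nothing for DNS replies, which the established/related rule above already handles, so they should not be kept. Second, every rule here matches in-interface=LAN literally, so a VPN tunnel interface that is not the LAN bridge is not covered by the accepts and hits no drop either; give it its own rules (or, on RouterOS 6.41 and later, put both interfaces in one interface list and match with in-interface-list). Active-mode FTP works because the FTP service-port helper marks its data connections as related.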