Public hotspot firewalls

Hello,

We have deployed a hotspot for the public and students, free of charge, but recently our upstream has complained of a botnet and the IP has been banned by Mailspike. Is there any firewall setting which can limit this happening? We do not want to stop the free internet for students. The firewall in place does not allow port 25, but the infected PC could be using other ports. How can we block all of this and allow only a few common ports?

Many thanks.

I can help you.

These mangle rules intercept all SMTP (non-SSL) and IMAP (non-SSL) traffic and block it:

Paste this in the terminal; in a script it will not work unless you remove the first "\" in front of the various "?".

/ip firewall layer7-protocol
add name=prot-smtp regexp="^220[\t-\r -~]* (E\?SMTP|e\?smtp|[Ss]imple [Mm]ail)"
add name=prot-imap regexp="^(\\* ok|a[0-9]+ noop)"
/ip firewall mangle
add action=mark-packet new-packet-mark=to-drop chain=prerouting comment="Drop SMTP" layer7-protocol=prot-smtp protocol=tcp src-address-list=hotspot-ip-list passthrough=yes
add action=mark-packet new-packet-mark=to-drop chain=prerouting comment="Drop IMAP" layer7-protocol=prot-imap protocol=tcp src-address-list=hotspot-ip-list passthrough=yes
/ip firewall filter
add action=drop chain=forward packet-mark=to-drop
/ip firewall address-list
add address=192.168.66.0/24 comment="HotSpot used IP Addresses" list=hotspot-ip-list

In the address list, remember to set the IP range used by the HotSpot users.

If anyone likes this method or uses the rules, please add Karma. Thanks.
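
A coverage check for the two Layer 7 patterns above, as an added example that is not part of the original posts: it runs the patterns with Python's `re` against constructed first-packet samples to show which connections they would mark. The sample greetings, the `classify` and `report` names, and the unescaped form of the patterns are assumptions; Python's regex engine is not RouterOS's, and the thread does not say whether RouterOS folds case, so both modes are available.

```python
import re

# Assumed effective patterns once the terminal escapes are resolved
# ("\?" -> "?", "\\*" -> "\*").
SMTP = r"^220[\t-\r -~]* (E?SMTP|e?smtp|[Ss]imple [Mm]ail)"
IMAP = r"^(\* ok|a[0-9]+ noop)"

# Constructed samples: first bytes of a connection as the router would see them.
SAMPLES = {
    "smtp-esmtp": b"220 mail.example.org ESMTP ready\r\n",
    "smtp-plain": b"220 mail.example.org Simple Mail Transfer Service\r\n",
    "smtp-587":   b"220 mx.example.org ESMTP Postfix\r\n",  # submission, before STARTTLS
    "smtps-465":  b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",  # TLS record, no banner
    "imap-upper": b"* OK IMAP4rev1 server ready\r\n",
    "imap-lower": b"* ok imap ready\r\n",
    "imap-noop":  b"a1 noop\r\n",
    "http":       b"HTTP/1.1 200 OK\r\n",
    "ftp":        b"220 ftp.example.org FTP server ready\r\n",
}

def classify(data, ignore_case=False):
    """Return the names of the layer7-protocol entries whose pattern matches."""
    flags = re.IGNORECASE if ignore_case else 0
    text = data.decode("latin-1")  # byte-for-byte mapping, never fails
    hits = []
    if re.search(SMTP, text, flags):
        hits.append("prot-smtp")
    if re.search(IMAP, text, flags):
        hits.append("prot-imap")
    return hits

def report(ignore_case=False):
    """Classify every constructed sample."""
    return {name: classify(data, ignore_case) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for mode in (False, True):
        print("ignore_case =", mode)
        for name, hits in report(mode).items():
            print(f"  {name:11s} -> {hits or 'no match'}")
```

With case-sensitive matching the uppercase `* OK` greeting is not matched by `prot-imap`, and TLS-wrapped sessions never match either pattern, so a port allow-list is still needed alongside these rules.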