Questions about DMZ configuration and security mikrotik side

Hi all,

this is my configuration…


Eth1 public 192.168.0.10 (just an example)
Eth2 dmz - 10.10.80.1/30

DMZ zone is a web server with multiple virtual hosts on 1 server, and they all use 1 IP which is 10.10.80.2

What I want to do is to route the traffic from the MT public side to the DMZ; the traffic would be only HTTP 80, and to disallow that server from going out to the internet, only serving requests on port 80 for visitors. The next step is to secure both as much as possible on the MT side and the web server.

This is my configuration for now.

Filter rules:

0: chain input dst.address 192.168.0.10 protocol icmp action reject icmp host unreachable (I want to disable ping for the web server and MikroTik)
1: chain input 10.10.80.2 action accept
2: chain input action drop
3: chain forward action log log prefix drop input

Nat rule:
0: chain dstnat dst.address 192.168.0.10 protocol tcp dst.port 80 in interface public action dst.nat to address 10.10.80.2

  • plus all services on MT are disabled, except Winbox access on MT from the 10.10.80.0 network only.

Is this good, or do I need to change something? What would you do in my place…
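One way to write the setup described in the post as RouterOS CLI commands, added here as an example and not the poster's own configuration. It assumes the WAN interface is named `public` (192.168.0.10), the DMZ interface `dmz` (10.10.80.1/30), and that management is Winbox on its default TCP port 8291; the forward chain accepts only the dst-natted TCP/80 connections and their reply traffic, so the web server cannot originate connections to the internet (`connection-nat-state` is available in RouterOS v6 and later).

```routeros
# Added example, not the original poster's configuration.
# Assumptions: WAN interface "public" (192.168.0.10), DMZ interface "dmz" (10.10.80.1/30),
# web server 10.10.80.2, Winbox on TCP 8291.

/ip firewall nat
# Publish only TCP/80 of the DMZ host on the public address.
add chain=dstnat in-interface=public dst-address=192.168.0.10 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.10.80.2 to-ports=80 comment="web server, http only"

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Management only from the DMZ subnet (the poster's Winbox restriction).
add chain=input in-interface=dmz src-address=10.10.80.0/30 protocol=tcp dst-port=8291 \
    action=accept comment="winbox from dmz"
# Everything else to the router is dropped and logged, ICMP echo included.
add chain=input action=drop log=yes log-prefix="drop input"

# --- forward: traffic passing through the router ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Accept only connections that were dst-natted above: new TCP/80 to the web server.
add chain=forward connection-state=new connection-nat-state=dstnat in-interface=public \
    out-interface=dmz protocol=tcp dst-address=10.10.80.2 dst-port=80 action=accept
# The web server may not open connections outward; this logged drop catches any attempt,
# which is also useful as a compromise indicator on the server.
add chain=forward in-interface=dmz connection-state=new action=drop log=yes \
    log-prefix="drop dmz out"
# Default deny for anything not explicitly allowed.
add chain=forward action=drop log=yes log-prefix="drop forward"
```

Check the result with `/ip firewall connection print` while browsing the site from outside: only TCP/80 entries towards 10.10.80.2 should appear, and `/log print where message~"drop dmz out"` shows whether the server tries to reach out.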