restricting web proxy access

Hi all -

Subject line says it all. I just started my web proxy on Mikrotik 2.9.51. I am still very much a newbie with Mikrotik.

Anyway, I have only 5 machines with the web-proxy configured. However, it is reporting 7 clients. I need to know how to restrict access to just my IPs, both public and private.

By the way - is there any obvious reason for me to upgrade to a newer version?

One more question - is there a way to tell the IPs or MAC addresses of machines using the web-proxy?

Thank you.

Anyone? Surely someone out there knows how to do these things.

Use the Firewall to block access to the router (not just proxy) from all unknown addresses.

Add rules in the Input chain with action “accept” for all known IPs, including your own, and then add a universal rule with no IP specified, with action “deny”. This will first accept good proxy users and deny everyone else (including internet users who could otherwise get access to your proxy!)

Everything in the Input chain only controls access to the router’s internal services (like the proxy); this will not affect internet usage without the proxy (that is controlled by the Forward chain).

OK, I think I understand it. I have a few more questions. Here is my current filter list:

0 ;;; port block warning
chain=Virus action=drop dst-port=1434 protocol=tcp
1 chain=Virus action=drop dst-port=1434 protocol=udp
2 chain=Virus action=drop dst-port=2745 protocol=udp
3 chain=Virus action=drop dst-port=6344-6381 protocol=tcp
4 chain=Virus action=drop dst-port=6344-6381 protocol=udp
5 X ;;; MyDoom
chain=Virus action=drop dst-port=1080 protocol=tcp
6 chain=Virus action=drop dst-port=1214 protocol=tcp
7 chain=Virus action=drop dst-port=593 protocol=tcp
8 chain=Virus action=drop dst-port=1024-1030 protocol=tcp
9 ;;; Blaster Worm
chain=Virus action=drop dst-port=135-139 protocol=tcp
10 ;;; Messenger Worm
chain=Virus action=drop dst-port=135-139 protocol=udp
11 ;;; Blaster Worm
chain=Virus action=drop dst-port=445 protocol=tcp
12 ;;; Blaster Worm
chain=Virus action=drop dst-port=445 protocol=udp
13 ;;; ndm requester
chain=Virus action=drop dst-port=1363 protocol=tcp
14 ;;; ndm server
chain=Virus action=drop dst-port=1364 protocol=tcp
15 ;;; screen cast
chain=Virus action=drop dst-port=1368 protocol=tcp
16 ;;; hromgrafx
chain=Virus action=drop dst-port=1373 protocol=tcp
17 ;;; cichlid
chain=Virus action=drop dst-port=1377 protocol=tcp
18 ;;; Worm
chain=Virus action=drop dst-port=1433-1434 protocol=tcp
19 ;;; Bagle Virus
chain=Virus action=drop dst-port=2745 protocol=tcp
20 ;;; Drop Dumaru.Y
chain=Virus action=drop dst-port=2283 protocol=tcp
21 ;;; Drop Beagle
chain=Virus action=drop dst-port=2235 protocol=tcp
22 ;;; Drop Beagle.C-K
chain=Virus action=drop dst-port=2745 protocol=tcp
23 ;;; Drop MyDoom
chain=Virus action=drop dst-port=3127-3128 protocol=tcp
24 ;;; Drop Backdoor OptixPro
chain=Virus action=drop dst-port=3410 protocol=tcp
25 ;;; Worm
chain=Virus action=drop dst-port=4444 protocol=tcp
26 ;;; Worm
chain=Virus action=drop dst-port=4444 protocol=udp
27 ;;; Drop Sasser
chain=Virus action=drop dst-port=5554 protocol=tcp
28 ;;; Drop Beagle.B
chain=Virus action=drop dst-port=8866 protocol=tcp
29 ;;; Drop Dabber.A-B
chain=Virus action=drop dst-port=9898 protocol=tcp
30 X ;;; Drop Dumaru.Y
chain=Virus action=drop dst-port=10000 protocol=tcp
31 ;;; Drop MyDoom.B
chain=Virus action=drop dst-port=10080 protocol=tcp
32 ;;; Drop NetBus
chain=Virus action=drop dst-port=12345 protocol=tcp
33 ;;; Drop Kuang2
chain=Virus action=drop dst-port=17300 protocol=tcp
34 ;;; Drop PhatBot, Agobot, Gaobot
chain=Virus action=drop dst-port=65506 protocol=tcp
35 ;;; Drop SubSeven
chain=Virus action=drop dst-port=27374 protocol=tcp
36 ;;; Drop Invalid connections
chain=forward action=drop connection-state=invalid
37 chain=forward action=accept connection-state=related
38 ;;; Allow Established connections
chain=forward action=accept connection-state=established
39 chain=forward action=jump jump-target=Virus
40 chain=input action=drop connection-state=invalid
41 chain=input action=accept connection-state=related
42 chain=input action=accept connection-state=established
43 chain=input action=jump jump-target=Virus

My question is: I use winbox whenever possible. Where in this list do I insert such rules, or does Mikrotik know where to insert it when I create it? Can you give me a brief example?

One more thing - Does the actual processing start at line 36 and go down or does it start at 43 and go up?

Thank you. Still a newbie, but learning.

Each packet is inspected against your rule criteria. It starts at rule #0 and goes down. If it meets the criteria, for example at rule #14, the specified ACTION is taken and the processing stops; the next packet is then inspected, starting again from #0.

You can add rules like this to the end:

/ip firewall filter add chain=input src-address=1.1.1.1 action=accept
/ip firewall filter add chain=input src-address=1.1.1.2 action=accept
/ip firewall filter add chain=input src-address=1.1.1.3 action=accept

(for your proxy clients)

/ip firewall filter add chain=input src-address=2.1.1.1 action=accept
/ip firewall filter add chain=input src-address=2.1.1.2 action=accept

(for your PCs - for access with Winbox, Telnet, SSH etc)

and then

/ip firewall filter add chain=input action=drop

(this will drop all other connections TO the router itself, from IPs that weren’t mentioned earlier).
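Putting the two replies together, here is a complete input-chain rule set as an added example; it is not from the thread or from MikroTik's documentation. It narrows the accept rules to the proxy port instead of accepting everything from the client addresses, and adds a logging rule that answers the original poster's question about which IPs are using the proxy. Assumptions: the web proxy listens on TCP 8080 (the RouterOS default), the five proxy clients are 192.0.2.10 through 192.0.2.14 (placeholder public addresses), the admin PC is 192.168.88.10 (placeholder private address), and `add` appends each rule after the existing input rules 40 to 43 (drop invalid, accept related, accept established, jump to Virus), which is where the reply above says they belong.

```routeros
# Added example, not from the thread. Assumed values: proxy on TCP 8080,
# proxy clients 192.0.2.10-14 (placeholders), admin PC 192.168.88.10 (placeholder).
# The existing input rules (drop invalid, accept related/established, jump Virus)
# stay in front of these; only NEW connections reach the rules below.
/ip firewall filter

# Log the source of every new proxy connection. action=log does not stop
# processing, so the packet continues to the accept/drop rules. The entries
# show up in /log with the prefix "proxy-client:" and give the client IPs.
add chain=input protocol=tcp dst-port=8080 connection-state=new action=log log-prefix="proxy-client:" comment="who uses the proxy"

# Proxy port: accept only the known clients, one rule per address
add chain=input protocol=tcp dst-port=8080 src-address=192.0.2.10 action=accept comment="proxy client 1"
add chain=input protocol=tcp dst-port=8080 src-address=192.0.2.11 action=accept comment="proxy client 2"
add chain=input protocol=tcp dst-port=8080 src-address=192.0.2.12 action=accept comment="proxy client 3"
add chain=input protocol=tcp dst-port=8080 src-address=192.0.2.13 action=accept comment="proxy client 4"
add chain=input protocol=tcp dst-port=8080 src-address=192.0.2.14 action=accept comment="proxy client 5"

# Management: Winbox (8291), SSH (22) and Telnet (23) only from the admin PC
add chain=input protocol=tcp dst-port=8291 src-address=192.168.88.10 action=accept comment="admin winbox"
add chain=input protocol=tcp dst-port=22 src-address=192.168.88.10 action=accept comment="admin ssh"
add chain=input protocol=tcp dst-port=23 src-address=192.168.88.10 action=accept comment="admin telnet"

# Catch-all, last in the chain: anything else addressed to the router is dropped
add chain=input action=drop comment="drop everything else to the router"
```

Add the management accept rule first and confirm you can still reach Winbox from the admin address before adding the final drop, since once the drop is in place any address without an accept rule above it loses access to the router. If the router also answers DNS or other services for the LAN, those need their own accept rules before the drop. Check the result with `/ip firewall filter print` (the drop must be the last input rule; the packet counters show which accept rules are being hit) and read the proxy users off `/log print`. Because the log rule fires for every new proxy connection, remove or disable it once you have the list of clients you wanted.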