Securing the DNS/web proxy

I have tried securing the DNS and web proxy from being used by external sources to my network, but it is becoming difficult. Anybody with an idea of how to do so, to stop the open proxy factor?
Thanks

You have not pointed out what is difficult.

Use the firewall to filter traffic going to the router; chain=input should be used for that. Allow only local users' traffic and the addresses that are used to manage the router, then drop other traffic. Look at the firewall documentation examples to build the firewall configuration.

/ip firewall filter
# dst-port is left for you to fill in with the port of the service to protect (proxy or DNS)
add chain=input in-interface=WAN src-address=0.0.0.0/0 protocol=tcp dst-port= action=drop

very simple

ASHISH.

Thank you, it has contained the misuse. Unfortunately I had been blacklisted by certain mail servers for spamming, but it is now okay.

Ashish,

The rule works well with traffic destined for port 8080, but when I use the same rule to prevent DNS requests on the DNS server set on the router, the rule doesn't seem to work. Any idea? The rule I have implemented is blocking requests on port 53, as shown below:

4 chain=input action=drop in-interface=ether1 src-address=0.0.0.0/0 dst-port=53 protocol=tcp

DNS lookups use UDP, not TCP.

-Louis

I have tried this rule, and it is blocking Internet users from accessing my web proxy; my firewall counter is constantly adding up. However, when I check my web proxy status it is no longer adding any requests or hits, and when I disable this rule it starts adding requests and hits again. This rule seems to simply disable my web proxy altogether.

chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8090
ether1 is my internet port interface.

Any help or insight would be greatly appreciated.

Are you permitting established and related traffic before dropping with that rule?

No, I have not. Would I simply create two rules similar to it, allowing established and related, then deny the rest?

Something like:

/ip firewall filter
# replies to connections the router itself opened must be accepted before any drop rule
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
# only new connections from the Internet to the proxy port reach this rule
add chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8090
# the router may open connections of its own (proxy fetches, DNS forwarding)
add chain=output action=accept

Of course, adjust that to also account for the rest of your rules. The lines with 'connection-state' should be the first listed in the input chain.

The idea is that traffic initiated to the router should be dropped, but all connections that the router itself established should be unconditionally allowed.

I do not use the built in (or any other) proxy so this is a guess, but at worst it just won’t have any effect.
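Putting the advice from this thread together (established/related accepted first, local users and management addresses allowed, everything else aimed at the router from the Internet dropped, and DNS blocked on both UDP and TCP), here is a complete rule set as an added example. It is not from any poster in the thread, and it assumes ether1 is the WAN port, 192.168.88.0/24 is the LAN, the web proxy listens on 8080, and an address list named `mgmt` that you populate with your own management addresses (203.0.113.10 below is a placeholder from the documentation range). Adjust all of these to your setup.

```routeros
# Added example, not from the thread. Assumptions: ether1 is the WAN port,
# 192.168.88.0/24 is the LAN, the web proxy listens on TCP 8080, and the
# address list "mgmt" holds the addresses allowed to manage the router.
/ip firewall address-list
add list=mgmt address=203.0.113.10 comment="admin workstation (placeholder address)"

/ip firewall filter
# Replies to connections the router itself opened (proxy fetches, DNS
# forwarding) must be accepted before any drop rule, otherwise the proxy
# and the DNS cache stop working as soon as the drop rules are enabled.
add chain=input connection-state=established,related action=accept \
    comment="accept replies to the router's own connections"
add chain=input connection-state=invalid action=drop

# Local users may reach the DNS cache and the proxy.
add chain=input src-address=192.168.88.0/24 action=accept comment="LAN to router"

# Remote management only from the listed addresses.
add chain=input in-interface=ether1 src-address-list=mgmt protocol=tcp \
    dst-port=22,8291 action=accept comment="SSH and Winbox from mgmt list"

# Explicit drops for the two services that were abused from the Internet.
# DNS is blocked on both UDP and TCP: ordinary lookups are UDP, but the
# resolver listens on TCP 53 as well, so a TCP-only rule leaves it open.
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no open resolver (UDP)"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="no open resolver (TCP)"
add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop \
    comment="no open proxy"

# Everything else aimed at the router from the Internet is dropped too,
# so the list does not have to be extended for every new service.
add chain=input in-interface=ether1 action=drop comment="default drop from WAN"
```

The three explicit drop rules are redundant given the final default drop; they are kept separate so their counters show whether the resolver and proxy are still being probed from outside. Paste the rules into a fresh filter chain or check `/ip firewall filter print` afterwards to confirm the connection-state rule is at the top, since a drop rule that sorts above it will again stop the proxy from receiving its own replies.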

Thank you for the reply; that appears to be working properly. I believe the underlying issue is the fact that the web proxy is sending so much traffic out to the Internet. Does anyone have a link to a discussion to help resolve this issue? My bandwidth usage increases threefold when the web proxy is on. This is defeating the overall goal of using the proxy. The goal is for clients to use the cached web pages so less Internet bandwidth is used.

Thank you in advance

Did you enable 'serialize connections' in the web proxy? Try toggling it the other way and see the result.
Enable 'always from cache'.