hello,
How to secure the MikroTik web proxy? Too many clients from outside are connected to my proxy.
10x
add firewall rule to block access to your proxy from outside
Can you explain it to me, please?
10x in advance
Let's say the proxy port is 8080 and the public interface is "internet":
/ip firewall filter
add chain=input dst-port=8080 protocol=tcp in-interface=internet action=drop
The proxy port is 3128, but this rule doesn't stop outside clients.
of course it does.
I put this rule first in the firewall filter, but it is never hit, and outside clients are still connected to my proxy.
Make sure you move this rule to the top of your firewall, and make sure you specified the correct in-interface.
All of it is correct... I stopped the proxy server because of too many connections from outside (300 clients from outside).
Type "/ip firewall filter export" in the command line and paste the output here, so we can help you.
This is my firewall:
/ ip firewall filter
add chain=input in-interface=Public src-address=0.0.0.0 protocol=tcp dst-port=3128 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-limit=0,32 limit=0,5 dst-limit=0,5,dst-address/1m40s nth=0,0,0 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=30m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
add chain=forward connection-state=established src-address-list=lan_computer action=accept comment="Established connections" disabled=no
add chain=forward connection-state=related src-address-list=lan_computer action=accept comment="Related connections" disabled=no
add chain=forward protocol=udp dst-port=53 src-address-list=lan_computer action=accept comment="" disabled=no
add chain=forward protocol=tcp dst-port=53 src-address-list=lan_computer action=accept comment="" disabled=no
add chain=forward protocol=tcp dst-port=80 src-address-list=lan_computer action=accept comment="" disabled=no
add chain=forward protocol=tcp dst-port=443 src-address-list=lan_computer action=accept comment="" disabled=no
remove src-address=0.0.0.0
I did it, but... outside clients are still connected.
You can use the proxy access list to control who has access to the proxy and then deny all others.
/ip proxy access
add action=deny comment="block telnet & spam e-mail relaying" disabled=no dst-port=23-25
add action=allow comment="" disabled=no src-address=192.168.0.0/16
add action=deny comment="deny all others" disabled=no
Replace src-address with your local IP Range.
my mistake
I have a PPPoE connection.
Wrong:
/ ip firewall filter
add chain=input in-interface=Public src-address=0.0.0.0 protocol=tcp dst-port=3128 action=drop comment="" disabled=no
Correct (interface is the PPPoE one, and the src-address=0.0.0.0 matcher is dropped so the rule matches any source):
/ ip firewall filter
add chain=input in-interface=pppoe-01 protocol=tcp dst-port=3128 action=drop comment="" disabled=no
10x
I have tried this rule, and it is blocking internet users from accessing my web proxy; my firewall counter is constantly adding up. However, when I check my web proxy status it is no longer adding any requests or hits, and when I disable this rule it starts adding requests and hits again. This rule seems to simply disable my web proxy altogether.
chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8090
ether1 is my internet port interface.
Any help or insight would be greatly appreciated.
Same discussion below
http://forum.mikrotik.com/t/securing-the-dns-web-proxy/16204/1
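Pulling the thread's pieces together (the input-chain drop without the src-address=0.0.0.0 matcher, the PPPoE interface name, and the proxy access list) as one added example; this is not any poster's configuration, and the proxy port 3128, WAN interface "pppoe-01" and LAN range 192.168.0.0/16 are assumptions to rename for your router:

```routeros
# Added example, not from the thread. Assumed values: proxy on TCP 3128,
# WAN interface "pppoe-01", LAN range 192.168.0.0/16.

/ip proxy
set enabled=yes port=3128

# Input chain, evaluated first-match: accept replies to existing sessions,
# let the LAN reach the proxy, then drop proxy traffic arriving on the WAN.
# No src-address=0.0.0.0 here: that matcher only hits packets whose source
# IP is literally 0.0.0.0, which is why the rule in the thread never counted.
# If other input rules already exist, move these above them.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="accept replies"
add chain=input protocol=tcp dst-port=3128 src-address=192.168.0.0/16 \
    action=accept comment="LAN to proxy"
add chain=input protocol=tcp dst-port=3128 in-interface=pppoe-01 \
    action=drop comment="drop proxy from WAN"

# Second layer inside the proxy itself, in case the firewall rule is ever
# misplaced or the interface is renamed: allow the LAN, deny everyone else.
/ip proxy access
add src-address=192.168.0.0/16 action=allow comment="LAN only"
add action=deny comment="deny all others"

# Checks: the WAN drop counter should keep rising while outside clients
# retry, and the proxy connection list should show only LAN sources.
/ip firewall filter print stats where comment="drop proxy from WAN"
/ip proxy connections print
```

If the LAN rule's counter stays at zero while LAN browsers still work, the proxy is being reached another way (for example a dst-nat redirect), and the access list is then the layer doing the filtering.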