
 
SoporteOP
just joined
Topic Author
Posts: 3
Joined: Thu Jul 18, 2019 6:25 pm

How to allow an URL for a specific port

Thu Jul 18, 2019 6:34 pm

Hi everyone!

First of all, sorry for my English. We have a Mikrotik RouterBoard RB2011Ui AS-RM with RouterOS v6.42.6.

We want to open a port to only allow inbound traffic for a specific url. I think it could be possible with Mikrotik webproxy, but I'm not sure.

Is it possible? Could you help us?

Thanks in advance.
 
SoporteOP
just joined
Topic Author
Posts: 3
Joined: Thu Jul 18, 2019 6:25 pm

Re: How to allow an URL for a specific port

Tue Jul 23, 2019 5:42 pm

Good evening,

Any updates about it? Could you help us with this issue?

Thanks in advance.
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to allow an URL for a specific port

Tue Jul 23, 2019 5:52 pm

Not quite sure what you mean. A diagram would help.
Did you want to port forward to a specific LAN IP?

More info is required.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Posts: 3787
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to allow an URL for a specific port

Tue Jul 23, 2019 7:11 pm

When you open an url using a browser, the browser resolves the fqdn part of the url to an IP address, then initiates a TCP session to that address and port 80 (plaintext http) or 443 (tls-encrypted http - https). Before the TCP connection is established, the url doesn't appear in contents of any of the initial three packets (SYN>, <SYN+ACK, ACK>). Once the session establishes, the complete url is available in plaintext in the packets from the client, but for https, at best the fqdn alone is available in plaintext, the full url goes encrypted.

So the maximum you can do is to allow all TCP connections to the port but then forcibly break those which do not match the permitted url (if using plaintext) or permitted fqdn (if using https).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
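The point made in the post above, shown as an added Python example that is not part of the original thread: it reads the first data segment of an already-established session and reports what a filter can see, the full URL for plaintext HTTP but only the FQDN (TLS SNI) for HTTPS. The function names, the host `vote.example.com` and the path `/poll/` are assumptions, and `build_client_hello` produces constructed sample input.

```python
import struct

def parse_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None                      # not a handshake record / ClientHello
    try:
        pos = 5 + 4 + 2 + 32             # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]             # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher suites
        pos += 1 + data[pos]             # compression methods
        end = min(pos + 2 + struct.unpack_from("!H", data, pos)[0], len(data))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:            # server_name: list len(2), type(1), name len(2)
                n = struct.unpack_from("!H", data, pos + 3)[0]
                name = data[pos + 5:pos + 5 + n]
                return name.decode("ascii") if len(name) == n else None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                      # truncated or malformed hello

def visible_target(payload: bytes):
    """(scheme, host, path) readable from the first client data segment."""
    sni = parse_sni(payload)
    if sni is not None:
        return ("https", sni, None)      # the path travels encrypted
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    req = lines[0].split(" ")
    if len(req) == 3 and req[2].startswith("HTTP/"):
        hosts = [l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")]
        return ("http", hosts[0] if hosts else None, req[1])
    return ("unknown", None, None)

def verdict(payload: bytes, host: str, path: str) -> str:
    """'keep' if the established session matches the permitted target, else 'reset'."""
    scheme, seen_host, seen_path = visible_target(payload)
    if seen_host is None or seen_host.split(":")[0].lower() != host:
        return "reset"
    return "keep" if scheme == "https" or seen_path.startswith(path) else "reset"

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample input: minimal ClientHello with only an SNI extension."""
    name = hostname.encode("ascii")
    exts = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A ClientHello that is split across TCP segments yields no name from the first segment here, so `verdict` returns `reset` for it.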
 
Sob
Forum Guru
Posts: 4419
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to allow an URL for a specific port

Tue Jul 23, 2019 9:45 pm

If it's only for http (not https), then it might be possible using the poor man's reverse proxy (https://wiki.mikrotik.com/wiki/Multiple_Web_Servers). I've never used it, but the "path" parameter in access list seems to be for this. I don't like the whole thing too much, because it was clearly not made for this, but perhaps for some uses it could be enough.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
SoporteOP
just joined
Topic Author
Posts: 3
Joined: Thu Jul 18, 2019 6:25 pm

Re: How to allow an URL for a specific port

Thu Jul 25, 2019 1:38 pm

Good morning,

First of all, thanks for your answers.

What we need is to open the 3000 port in our Mikrotik but not for all the inbound traffic or all the addresses. We need to open it only for a specific URL that we have for a voting platform.
 
Jotne
Forum Guru
Posts: 1241
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: How to allow an URL for a specific port

Thu Jul 25, 2019 1:47 pm

You can open it for a specific IP, not DNS.
But you can make a script that looks at the DNS and if IP changes, update the rule.
Schedule it to run every 5 min.
Last edited by Jotne on Thu Jul 25, 2019 2:31 pm, edited 2 times in total.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
mkx
Forum Guru
Posts: 2612
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to allow an URL for a specific port

Thu Jul 25, 2019 2:29 pm

SoporteOP wrote: "What we need is to open the 3000 port in our Mikrotik but not for all the inbound traffic or all the addresses. We need to open it only for a specific URL that we have for a voting platform."

Port 3000 is not a standard port for any particular protocol. So what protocol is it (kids doing programming these days like to do anything over http)? Does it include some textual representation of the resource requested at an early stage (if the protocol is e.g. http over TLS, then the likely answer is no)? If yes, then the router might be able to break an ongoing connection in case it's not allowed (the server behind the router will notice broken connections, which might affect its performance) because the needed information doesn't appear early enough to filter a new connection before it hits the actual server.
BR,
Metod
