
web proxy

Posted: Wed Apr 29, 2009 11:33 am
by norocel
hello,
How to secure the MikroTik web proxy? Too many clients from outside are connected to my proxy.
10x

Re: web proxy

Posted: Wed Apr 29, 2009 11:35 am
by mrz
add firewall rule to block access to your proxy from outside

Re: web proxy

Posted: Wed Apr 29, 2009 11:40 am
by norocel
add firewall rule to block access to your proxy from outside

Can you explain, please?
10x in advance

Re: web proxy

Posted: Wed Apr 29, 2009 11:46 am
by mrz
Let's say proxy port is 8080 and public interface is "internet"

/ip firewall filter
add chain=input dst-port=8080 protocol=tcp in-interface=internet action=drop

Re: web proxy

Posted: Wed Apr 29, 2009 11:55 am
by norocel
Let's say proxy port is 8080 and public interface is "internet"

/ip firewall filter
add chain=input dst-port=8080 protocol=tcp in-interface=internet action=drop

proxy port is 3128
but this rule doesn't stop outside clients :(

Re: web proxy

Posted: Wed Apr 29, 2009 11:56 am
by normis
of course it does.

Re: web proxy

Posted: Wed Apr 29, 2009 12:08 pm
by norocel
Let's say proxy port is 8080 and public interface is "internet"

/ip firewall filter
add chain=input dst-port=8080 protocol=tcp in-interface=internet action=drop

I put this rule first in the firewall filter, but it is never hit, and outside clients are still connected to my proxy

Re: web proxy

Posted: Wed Apr 29, 2009 12:23 pm
by normis
make sure you move this rule to the top of your firewall, make sure you specified the correct in-interface

Re: web proxy

Posted: Wed Apr 29, 2009 1:28 pm
by norocel
make sure you move this rule to the top of your firewall, make sure you specified the correct in-interface

It's all correct... I stopped the proxy server because of too many connections from outside (300 clients from outside)

Re: web proxy

Posted: Wed Apr 29, 2009 1:32 pm
by normis
type "/ip firewall filter export" in the command line, and paste here the output, so we can help you

Re: web proxy

Posted: Wed Apr 29, 2009 1:48 pm
by norocel
type "/ip firewall filter export" in the command line, and paste here the output, so we can help you

this is my firewall

/ ip firewall filter
add chain=input in-interface=Public src-address=0.0.0.0 protocol=tcp dst-port=3128 action=drop comment="" \
disabled=no
add chain=input protocol=tcp dst-port=22 connection-limit=0,32 limit=0,5 dst-limit=0,5,dst-address/1m40s \
nth=0,0,0 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 \
action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=30m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 \
action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
add chain=forward connection-state=established src-address-list=lan_computer action=accept \
comment="Established connections" disabled=no
add chain=forward connection-state=related src-address-list=lan_computer action=accept comment="Related \
connections" disabled=no
add chain=forward protocol=udp dst-port=53 src-address-list=lan_computer action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=53 src-address-list=lan_computer action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=80 src-address-list=lan_computer action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=443 src-address-list=lan_computer action=accept comment="" \
disabled=no

Re: web proxy

Posted: Wed Apr 29, 2009 1:50 pm
by mrz
remove src-address=0.0.0.0

Re: web proxy

Posted: Wed Apr 29, 2009 1:54 pm
by norocel
remove src-address=0.0.0.0

I did it, but... outside clients are still connected

Re: web proxy

Posted: Wed Apr 29, 2009 2:35 pm
by skillful
You can use the proxy access list to control who has access to the proxy and then deny all others.
/ip proxy access
add action=deny comment="block telnet & spam e-mail relaying" disabled=no dst-port=23-25
add action=allow comment="" disabled=no src-address=192.168.0.0/16
add action=deny comment="deny all others" disabled=no
Replace src-address with your local IP Range.

Re: web proxy

Posted: Thu Apr 30, 2009 1:38 pm
by norocel
My mistake,
I have a PPPoE connection

wrong

/ ip firewall filter
add chain=input in-interface=Public src-address=0.0.0.0 protocol=tcp dst-port=3128 action=drop comment="" \
disabled=no

correct

/ ip firewall filter
add chain=input in-interface=pppoe-01 src-address=0.0.0.0 protocol=tcp dst-port=3128 action=drop comment="" \
disabled=no


10x
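
Added example, not part of the thread and not posted by any participant: a Python check over the text of "/ip firewall filter export" that reports why no rule actually drops WAN traffic to the proxy port, covering the two matchers discussed above (src-address=0.0.0.0 and an in-interface that is not the real WAN interface). The function names, the constructed sample text and the single-host reading of a bare address are assumptions.

```python
import re
import shlex

# Constructed sample: the proxy rule from the export in this thread plus one forward rule.
SAMPLE_EXPORT = r'''/ ip firewall filter
add chain=input in-interface=Public src-address=0.0.0.0 protocol=tcp dst-port=3128 action=drop comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=80 src-address-list=lan_computer action=accept comment="" \
disabled=no
'''

def parse_rules(export_text):
    """Join backslash-continued lines and return every 'add' line as a dict of matchers."""
    joined = re.sub(r"\\\n\s*", "", export_text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return rules

def port_in(spec, port):
    """True if port falls inside a port list such as '3128' or '80,8080-8090'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and int(lo) <= port <= int(hi if hi.isdigit() else lo):
            return True
    return False

def audit_proxy_block(export_text, proxy_port, wan_interface):
    """List reasons why the export has no working WAN drop rule for the proxy port."""
    findings, effective = [], False
    for n, r in enumerate(parse_rules(export_text)):
        if ((r.get("chain"), r.get("action"), r.get("protocol")) != ("input", "drop", "tcp")
                or not port_in(r.get("dst-port", ""), proxy_port)):
            continue
        problems = []
        if r.get("disabled") == "yes":
            problems.append("rule is disabled")
        if r.get("in-interface") not in (None, wan_interface):
            problems.append(f"in-interface={r['in-interface']} is not {wan_interface}")
        # Assumption: a bare address is read as one host, so this matcher excludes real clients.
        if r.get("src-address") in ("0.0.0.0", "0.0.0.0/32"):
            problems.append("src-address=0.0.0.0 restricts the match to that one source")
        findings += [f"rule {n}: {p}" for p in problems]
        effective = effective or not problems
    if not effective:
        findings.append(f"no effective drop for tcp/{proxy_port} on {wan_interface}")
    return findings
```

Calling audit_proxy_block(SAMPLE_EXPORT, 3128, "pppoe-01") returns three findings for the sample; an export whose rule uses in-interface=pppoe-01 and no src-address returns an empty list.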

Re: web proxy

Posted: Fri Sep 03, 2010 7:33 pm
by rumiclord
I have tried this rule, and it is blocking internet users from accessing my web proxy; my firewall counter is constantly adding up. However, when I check my web proxy status, it is no longer adding any requests or hits; when I disable this rule, it starts adding requests and hits again. This rule seems to simply disable my web proxy altogether.

chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8090
ether1 is my internet port interface.

Any help or insight would be greatly appreciated.

Re: web proxy

Posted: Fri Sep 03, 2010 8:29 pm
by fewi