shadowskippie
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 21, 2010 6:20 pm

only mail is allowed

Sat Jan 15, 2011 9:55 pm

Howzit

I need some help.

We have been asked to set up a client connection that will only allow mail through and nothing else. How do I go about this?

Our clients connect via a PPPoE connection to our towers.

Can anyone help me with this?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: only mail is allowed

Sat Jan 15, 2011 10:03 pm

Make firewall rules that only allow the required mail protocols for the IP address of that user, and drop all other traffic.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
shadowskippie
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 21, 2010 6:20 pm

Re: only mail is allowed

Fri Jan 21, 2011 4:05 pm

Right, I'm gonna need a little help with this. I'm planning to set this client to a different IP range than the rest of them.
Then, using filter rules, that IP range (e.g. 192.168.120.0/24) can only get port 110 and port 25. Doing this means that if there are any other clients who want this, I just move their profile into that IP range.

This is where I get stuck. I know it should be done, but I have no idea how to do it. If someone could show me, that would be great :)
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: only mail is allowed

Fri Jan 21, 2011 5:43 pm

Something like this:
/ip firewall filter
add chain=forward dst-address=192.168.120.0/24 connection-state=established action=accept
add chain=forward dst-address=192.168.120.0/24 connection-state=related action=accept
add chain=forward dst-address=192.168.120.0/24 connection-state=invalid action=drop
add chain=forward src-address=192.168.120.0/24 protocol=tcp dst-port=25,110 action=accept
add chain=forward src-address=192.168.120.0/24 action=drop
Just make sure it's somewhere sensible in the existing ruleset.
That allows all traffic back to 192.168.120.0/24 for connections that have already been established and OK'd before. Then it allows all traffic from 192.168.120.0/24 to tcp/25 and tcp/110, and then drops all other traffic sourced from that subnet.
 
shadowskippie
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 21, 2010 6:20 pm

Re: only mail is allowed

Mon Jan 24, 2011 6:56 am

thanks :)
 
NAB
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: only mail is allowed

Mon Jan 24, 2011 2:03 pm

You may also want to allow DNS lookups too. Assuming the ROS box is configured to permit DNS requests, add the following rule:
/ip firewall filter
add chain=input src-address=192.168.120.0/24 protocol=udp dst-port=53 action=accept
add chain=input src-address=192.168.120.0/24 action=drop
And then you may want to think about what ICMP (if any) traffic you want to permit...
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
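A first-match evaluator over the rules posted by fewi and NAB above, added here as an illustration and not code from the thread. It walks the rules in the posted order the way RouterOS does, so you can see which rule each sample flow hits; the router address 192.168.120.1 and the outside hosts are constructed sample values. One thing it makes visible: a DNS query to an external resolver travels the forward chain and is dropped by the subnet-wide drop, so only queries to the router's own resolver (the input chain) get through.

```python
# Added illustration, not code from the thread: first-match evaluation of the
# RouterOS filter rules posted above (forward rules from fewi, input rules from NAB).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
CLIENT_NET = ip_network("192.168.120.0/24")
# One entry per posted rule, in posted order; a matcher that is absent matches anything.
RULES = [
    dict(chain="forward", dst=CLIENT_NET, state="established", action="accept"),
    dict(chain="forward", dst=CLIENT_NET, state="related", action="accept"),
    dict(chain="forward", dst=CLIENT_NET, state="invalid", action="drop"),
    dict(chain="forward", src=CLIENT_NET, proto="tcp", dports={25, 110}, action="accept"),
    dict(chain="forward", src=CLIENT_NET, action="drop"),
    dict(chain="input", src=CLIENT_NET, proto="udp", dports={53}, action="accept"),
    dict(chain="input", src=CLIENT_NET, action="drop"),
]
@dataclass
class Packet:
    chain: str   # "forward" = transit traffic, "input" = addressed to the router itself
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for protocols without ports
    state: str   # connection-state: "new", "established", "related", "invalid"

def matches(rule: dict, p: Packet) -> bool:
    """Every matcher present in the rule must hold for the rule to fire."""
    return (rule["chain"] == p.chain
            and ("src" not in rule or ip_address(p.src) in rule["src"])
            and ("dst" not in rule or ip_address(p.dst) in rule["dst"])
            and ("proto" not in rule or rule["proto"] == p.proto)
            and ("dports" not in rule or p.dport in rule["dports"])
            and ("state" not in rule or rule["state"] == p.state))

def verdict(p: Packet, rules=RULES) -> str:
    """Walk the chain top to bottom; the first matching rule decides.  Nothing
    matched means RouterOS's implicit accept, so the subnet-wide drop must be last."""
    for rule in rules:
        if matches(rule, p):
            return rule["action"]
    return "accept"

if __name__ == "__main__":
    # Constructed sample flows; 192.168.120.1 is assumed to be the router's own address.
    client, router, outside = "192.168.120.10", "192.168.120.1", "203.0.113.25"
    for label, pkt in [("POP3 out", Packet("forward", client, outside, "tcp", 110, "new")),
                       ("HTTP out", Packet("forward", client, outside, "tcp", 80, "new")),
                       ("DNS to outside resolver", Packet("forward", client, outside, "udp", 53, "new")),
                       ("DNS to router", Packet("input", client, router, "udp", 53, "new"))]:
        print(f"{label:24} -> {verdict(pkt)}")
```

Traffic from addresses outside 192.168.120.0/24 matches none of these rules and falls through to whatever the rest of the ruleset (or the implicit accept) does, which is why fewi's remark about placing them somewhere sensible matters.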
 
shadowskippie
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 21, 2010 6:20 pm

Re: only mail is allowed

Fri Jan 28, 2011 4:06 pm

Thank you, I'll add those extra ones now :)

I haven't had an opportunity yet to test this, as I haven't got round to the client yet to check (been trying to track down a sudden noise issue in town), but I should get there soon.

Thanks for all the help.

There is one more thing, though. What if the client is using something like Gmail? How could I allow her to view that site and nothing else?
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: only mail is allowed

Fri Jan 28, 2011 4:20 pm

That will bring some challenge: if the customer is using a web interface, you will have to allow access to certain web services. You can restrict web access using the proxy (no proxying, just the control tools that the proxy provides).

http://wiki.mikrotik.com/wiki/Manual:IP/Proxy

Or continue in the way you started, with the firewall; using the proxy would be easier.
 
shadowskippie
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 21, 2010 6:20 pm

Re: only mail is allowed

Sat Jan 29, 2011 2:05 pm

Ya, just as a thought, a headache and a half.

Okay, screw what the client wants: her mail is being downloaded to a mail browser or she pays the full internet cost... the choice is hers 8)

thanks for all the help
