
only mail is allowed

Posted: Sat Jan 15, 2011 9:55 pm
by shadowskippie
Howzit

I need some help.

We have been asked to set up a client connection that will only allow mail through and nothing else. How do I go about this?

Our clients connect via a PPPoE connection to our towers.

Can anyone help me with this?

Re: only mail is allowed

Posted: Sat Jan 15, 2011 10:03 pm
by fewi
Make firewall rules that only allow the required mail protocols for the IP address of that user, and drop all other traffic.

Re: only mail is allowed

Posted: Fri Jan 21, 2011 4:05 pm
by shadowskippie
Right, I'm gonna need a little help with this. I'm planning to set this client to a different IP range than the rest of them.
Then, using the filter rules, that IP range (e.g. 192.168.120.0/24) can only get port 110 and port 25. Doing this means that if there are any other clients who want this, I just move their profile into that IP range.

This is where I get stuck. I know it should be done, but I have no idea how to do it. If someone could show me, that would be great :)

Re: only mail is allowed

Posted: Fri Jan 21, 2011 5:43 pm
by fewi
Something like this:
/ip firewall filter
add chain=forward dst-address=192.168.120.0/24 connection-state=established action=accept
add chain=forward dst-address=192.168.120.0/24 connection-state=related action=accept
add chain=forward dst-address=192.168.120.0/24 connection-state=invalid action=drop
add chain=forward src-address=192.168.120.0/24 protocol=tcp dst-port=25,110 action=accept
add chain=forward src-address=192.168.120.0/24 action=drop
Just make sure it's somewhere sensible in the existing ruleset.
That allows all traffic back to 192.168.120.0/24 for connections that have already been established and OK'd before. Then it allows all traffic from 192.168.120.0/24 to tcp/25 and tcp/110, and then drops all other traffic sourced from that subnet.

Re: only mail is allowed

Posted: Mon Jan 24, 2011 6:56 am
by shadowskippie
thanks :)

Re: only mail is allowed

Posted: Mon Jan 24, 2011 2:03 pm
by NAB
You may also want to allow DNS lookups. Assuming the ROS box is configured to permit DNS requests, add the following rules:
/ip firewall filter
add chain=input src-address=192.168.120.0/24 protocol=udp dst-port=53 action=accept
add chain=input src-address=192.168.120.0/24 action=drop
And then you may want to think about what ICMP (if any) traffic you want to permit...
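To check what the two rule sets above actually permit (fewi's forward-chain rules and NAB's input-chain rules), here is a small first-match rule evaluator. It is an added example, not code from the thread or from MikroTik: it parses the `add ...` lines as posted, then walks constructed packets through them in order the way the filter chain does. It only understands the matchers the thread uses (chain, src-address, dst-address, protocol, dst-port, connection-state, action); connection tracking itself, other chains and the rest of RouterOS are out of scope, and the sample packets and addresses are constructed for the demonstration.

```python
"""Added example (not from the forum thread): a tiny first-match evaluator for
RouterOS-style /ip firewall filter rules, used to check what the rules posted
in the thread permit for the 192.168.120.0/24 subnet.

Assumptions: only chain, src-address, dst-address, protocol, dst-port,
connection-state and action are understood; an unmatched packet is accepted,
which is the default policy of a RouterOS filter chain with no catch-all rule.
"""
import ipaddress

# The rules exactly as posted in the thread (forward chain from fewi,
# input chain from NAB).
RULESET = """
/ip firewall filter
add chain=forward dst-address=192.168.120.0/24 connection-state=established action=accept
add chain=forward dst-address=192.168.120.0/24 connection-state=related action=accept
add chain=forward dst-address=192.168.120.0/24 connection-state=invalid action=drop
add chain=forward src-address=192.168.120.0/24 protocol=tcp dst-port=25,110 action=accept
add chain=forward src-address=192.168.120.0/24 action=drop
add chain=input src-address=192.168.120.0/24 protocol=udp dst-port=53 action=accept
add chain=input src-address=192.168.120.0/24 action=drop
"""


def parse_rules(text):
    """Turn 'add key=value ...' lines into ordered dicts; order is the policy."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skips the '/ip firewall filter' menu line and blanks
        rule = {}
        for token in line[4:].split():
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _matches(rule, pkt):
    """True when every matcher present in the rule matches the packet."""
    if rule.get("chain") != pkt["chain"]:
        return False
    for key, field in (("src-address", "src"), ("dst-address", "dst")):
        if key in rule and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(rule[key]):
            return False
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    if "dst-port" in rule and str(pkt["dport"]) not in rule["dst-port"].split(","):
        return False
    if "connection-state" in rule and rule["connection-state"] != pkt["state"]:
        return False
    return True


def evaluate(rules, pkt):
    """The first matching rule decides (accept/drop are both terminating)."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"]
    return "accept"  # no rule matched: chain default in RouterOS


def packet(chain, src, dst, proto, dport, state="new"):
    """Constructed packet summary; addresses are documentation ranges."""
    return {"chain": chain, "src": src, "dst": dst,
            "proto": proto, "dport": dport, "state": state}


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    client, outside = "192.168.120.10", "203.0.113.5"
    cases = {
        "client -> SMTP":          packet("forward", client, outside, "tcp", 25),
        "client -> POP3":          packet("forward", client, outside, "tcp", 110),
        "client -> HTTPS":         packet("forward", client, outside, "tcp", 443),
        "client -> outside DNS":   packet("forward", client, outside, "udp", 53),
        "client -> router DNS":    packet("input", client, "192.168.120.1", "udp", 53),
        "client -> router HTTP":   packet("input", client, "192.168.120.1", "tcp", 80),
        "SMTP reply to client":    packet("forward", outside, client, "tcp", 51234, "established"),
        "new inbound to client":   packet("forward", outside, client, "tcp", 80),
        "other subnet -> HTTPS":   packet("forward", "192.168.1.5", outside, "tcp", 443),
    }
    for name, pkt in cases.items():
        print(f"{name:24s} {evaluate(rules, pkt)}")
```

Two things the walk-through makes visible that the prose does not. DNS sent to an outside resolver goes through the forward chain, not input, so it is dropped by the last forward rule; NAB's rule only helps if the clients use the router itself as their resolver, which is the assumption stated in the post. And because the forward drop rule matches on src-address only, a new inbound connection from outside to the client falls through the posted rules unmatched; whether it is blocked depends on the rest of the existing ruleset, which is why fewi's note about placing these rules "somewhere sensible" matters.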

Re: only mail is allowed

Posted: Fri Jan 28, 2011 4:06 pm
by shadowskippie
Thank you, I'll add those extra ones now :)

I haven't had an opportunity yet to test this, as I haven't got round to the client yet to check (been trying to track down a sudden noise issue in town), but I should get there soon.

Thanks for all the help.

There is one more thing though. What if the client is using something like Gmail? How could I allow her to view that site and nothing else?

Re: only mail is allowed

Posted: Fri Jan 28, 2011 4:20 pm
by janisk
That will bring some challenge: if the customer is using a web interface, you will have to allow access to certain web services. You can restrict web access using the proxy (no proxying, just the control tools that the proxy provides).

http://wiki.mikrotik.com/wiki/Manual:IP/Proxy

Or continue in the way you started, with the firewall; using the proxy would be easier.

Re: only mail is allowed

Posted: Sat Jan 29, 2011 2:05 pm
by shadowskippie
Ya, just as a thought, a headache and a half.

Okay, screw what the client wants: her mail is being downloaded to a mail browser or she pays the full internet cost... the choice is hers 8)

Thanks for all the help.