norocel
newbie
Topic Author
Posts: 29
Joined: Mon Sep 04, 2006 12:03 am

web proxy

Wed Apr 29, 2009 11:33 am

hello,
How to secure the MikroTik web proxy? Too many clients from outside are connected to my proxy.
10x
 
mrz
MikroTik Support
Posts: 6043
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: web proxy

Wed Apr 29, 2009 11:35 am

add firewall rule to block access to your proxy from outside
 
norocel
newbie
Topic Author
Posts: 29
Joined: Mon Sep 04, 2006 12:03 am

Re: web proxy

Wed Apr 29, 2009 11:40 am

> add firewall rule to block access to your proxy from outside

Can you explain it to me, please?
10x in advance
 
mrz
MikroTik Support
Posts: 6043
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: web proxy

Wed Apr 29, 2009 11:46 am

Let's say proxy port is 8080 and public interface is "internet"

/ip firewall filter
add chain=input dst-port=8080 protocol=tcp in-interface=internet action=drop
 
norocel
newbie
Topic Author
Posts: 29
Joined: Mon Sep 04, 2006 12:03 am

Re: web proxy

Wed Apr 29, 2009 11:55 am

> Let's say proxy port is 8080 and public interface is "internet"
>
> /ip firewall filter
> add chain=input dst-port=8080 protocol=tcp in-interface=internet action=drop

proxy port is 3128
but this rule doesn't stop outside clients :(
 
normis
MikroTik Support
Posts: 24605
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: web proxy

Wed Apr 29, 2009 11:56 am

of course it does.
 
norocel
newbie
Topic Author
Posts: 29
Joined: Mon Sep 04, 2006 12:03 am

Re: web proxy

Wed Apr 29, 2009 12:08 pm

> Let's say proxy port is 8080 and public interface is "internet"
>
> /ip firewall filter
> add chain=input dst-port=8080 protocol=tcp in-interface=internet action=drop

I put this rule first in the firewall filter, but it is never hit, and outside clients are still connected to my proxy
 
normis
MikroTik Support
Posts: 24605
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: web proxy

Wed Apr 29, 2009 12:23 pm

make sure you move this rule to the top of your firewall, make sure you specified the correct in-interface
 
norocel
newbie
Topic Author
Posts: 29
Joined: Mon Sep 04, 2006 12:03 am

Re: web proxy

Wed Apr 29, 2009 1:28 pm

> make sure you move this rule to the top of your firewall, make sure you specified the correct in-interface

All is correct... I stopped the proxy server because of too many connections from outside (300 clients from outside)
 
normis
MikroTik Support
Posts: 24605
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: web proxy

Wed Apr 29, 2009 1:32 pm

type "/ip firewall filter export" in the command line, and paste here the output, so we can help you
 
norocel
newbie
Topic Author
Posts: 29
Joined: Mon Sep 04, 2006 12:03 am

Re: web proxy

Wed Apr 29, 2009 1:48 pm

> type "/ip firewall filter export" in the command line, and paste here the output, so we can help you

this is my firewall

/ ip firewall filter
add chain=input in-interface=Public src-address=0.0.0.0 protocol=tcp dst-port=3128 action=drop comment="" \
disabled=no
add chain=input protocol=tcp dst-port=22 connection-limit=0,32 limit=0,5 dst-limit=0,5,dst-address/1m40s \
nth=0,0,0 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 \
action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=30m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 \
action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
add chain=forward connection-state=established src-address-list=lan_computer action=accept \
comment="Established connections" disabled=no
add chain=forward connection-state=related src-address-list=lan_computer action=accept comment="Related \
connections" disabled=no
add chain=forward protocol=udp dst-port=53 src-address-list=lan_computer action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=53 src-address-list=lan_computer action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=80 src-address-list=lan_computer action=accept comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=443 src-address-list=lan_computer action=accept comment="" \
disabled=no
Last edited by norocel on Wed Apr 29, 2009 1:52 pm, edited 1 time in total.
 
mrz
MikroTik Support
Posts: 6043
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: web proxy

Wed Apr 29, 2009 1:50 pm

remove src-address=0.0.0.0
 
norocel
newbie
Topic Author
Posts: 29
Joined: Mon Sep 04, 2006 12:03 am

Re: web proxy

Wed Apr 29, 2009 1:54 pm

> remove src-address=0.0.0.0

I did it, but... outside clients are still connected
 
skillful
Trainer
Posts: 557
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: web proxy

Wed Apr 29, 2009 2:35 pm

You can use the proxy access list to control who has access to the proxy and then deny all others.
/ip proxy access
add action=deny comment="block telnet & spam e-mail relaying" disabled=no dst-port=23-25
add action=allow comment="" disabled=no src-address=192.168.0.0/16
add action=deny comment="deny all others" disabled=no
Replace src-address with your local IP Range.
 
norocel
newbie
Topic Author
Posts: 29
Joined: Mon Sep 04, 2006 12:03 am

Re: web proxy

Thu Apr 30, 2009 1:38 pm

My mistake:
I have a PPPoE connection

wrong

/ ip firewall filter
add chain=input in-interface=Public src-address=0.0.0.0 protocol=tcp dst-port=3128 action=drop comment="" \
disabled=no

correct

/ ip firewall filter
add chain=input in-interface=pppoe-01 src-address=0.0.0.0 protocol=tcp dst-port=3128 action=drop comment="" \
disabled=no


10x
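
Added example (not part of the thread, and not MikroTik's code): a small Python check over "/ip firewall filter export" output that reports the two problems this thread ran into, a drop rule bound to an interface other than the PPPoE one and the src-address=0.0.0.0 match that mrz said to remove. The function names are hypothetical, and the check assumes an address written without a mask matches a single host.

```python
import ipaddress
import shlex

def parse_export(text):
    """Parse '/ip firewall filter export' text into a list of rule dicts."""
    joined = text.replace("\\\n", " ")  # export wraps long rules with a trailing backslash
    rules = []
    for line in joined.splitlines():
        tokens = shlex.split(line.strip())
        if tokens and tokens[0] == "add":
            rules.append(dict(t.partition("=")[::2] for t in tokens[1:]))
    return rules

def audit_proxy_block(rules, proxy_port, wan_interface):
    """Return reasons why tcp/proxy_port may still be reachable from wan_interface."""
    drops = [r for r in rules
             if r.get("chain") == "input" and r.get("action") == "drop"
             and r.get("protocol") == "tcp"
             and str(proxy_port) in r.get("dst-port", "").split(",")]
    if not drops:
        return ["no input-chain drop rule for tcp/%d" % proxy_port]
    findings = []
    for r in drops:
        problems = []
        iface = r.get("in-interface")
        if iface not in (None, wan_interface):
            problems.append("in-interface=%s is not %s" % (iface, wan_interface))
        src = r.get("src-address")
        if src is not None:
            try:  # assumption: an address written without a mask is one host (/32)
                narrow = ipaddress.ip_network(src, strict=False).prefixlen != 0
            except ValueError:
                narrow = True  # ranges or negated matches: treat as restricted
            if narrow:
                problems.append("src-address=%s restricts which sources match" % src)
        if not problems:
            return []  # this rule drops all WAN traffic to the proxy port
        findings.extend(problems)
    return findings

# The rule from the thread's first export, the later pppoe-01 variant, and a
# constructed variant with src-address removed as mrz advised.
FIRST = ('add chain=input in-interface=Public src-address=0.0.0.0 protocol=tcp '
         'dst-port=3128 action=drop comment="" \\\ndisabled=no\n')
LATER = FIRST.replace("Public", "pppoe-01")
FIXED = LATER.replace("src-address=0.0.0.0 ", "")

if __name__ == "__main__":
    for name, text in (("first", FIRST), ("later", LATER), ("fixed", FIXED)):
        print(name, audit_proxy_block(parse_export(text), 3128, "pppoe-01"))
```

The check does not look at rule order, so an accept rule placed above the drop rule still has to be reviewed by hand.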
 
rumiclord
Frequent Visitor
Posts: 65
Joined: Fri Jul 23, 2010 10:20 pm

Re: web proxy

Fri Sep 03, 2010 7:33 pm

I have tried this rule, and it is blocking internet users from accessing my web proxy; my firewall counter is constantly adding up. However, when I check my web proxy status it is no longer adding any requests or hits; when I disable this rule it starts adding requests and hits again. This rule seems to simply disable my web proxy altogether.

chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8090
ether1 is my internet port interface.

Any help or insight would be greatly appreciated.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: web proxy

Fri Sep 03, 2010 8:29 pm
