Blocking traffic on Mikrotik?

K

Ka4a2015-12-15 13:42:58

Mikrotik

Ka4a, 2015-12-15 13:42:58

Good afternoon. It was necessary on the Mikrotik router to make sure that everything was blocked except for 5 sites. No Skype, no SIP, no torrents, ssh, etc. How to make it easier? I did not work with Mikrotiks, they would look there, it seemed necessary to fence the forest. Is it possible to somehow drop all traffic between 5 sites and mail communication through the client (smtp, imap)?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

L

LESHIY_ODESSA, 2015-12-15
@ka4a

/ip firewall filter
\\ open required sites
\\ open POP, SMTP, IMAP
\\ Forbid everything from walking. That is, what is not allowed above is FORBIDDEN!
But the creation of list-allowed must be entrusted to the script. Because you need to resolve IP by domain.
Script - Writing scripts for Mikrotik RouterOS is easy

:local DNSList {"site1.com";"site2.com";"site3.com";"site4.com";"site5.com"}
:local ListName "list-allowed"
:local DNSServers ( [ip dns get dynamic-servers], [ip dns get servers ], 8.8.8.8 )
:foreach addr in $DNSList do={
     :foreach DNSServer in $DNSServers do={
          :do {:resolve server=$DNSServer $addr} on-error={:log debug ("failed to resolve $addr on $DNSServer")}
     }
}
/ip firewall address-list remove [find where list~$ListName]
/ip dns cache all
:foreach i in=[find type="A"] do={
    :local bNew true
    :local cacheName [get $i name]
    :local match false
    :foreach addr in=$DNSList do={
       :if (:typeof [:find $cacheName $addr] >= 0) do={
           :set $match true
       }
    }
    :if ( $match ) do={
        :local tmpAddress [/ip dns cache get $i address]
        :if ( [/ip firewall address-list find ] = "") do={
            :log debug ("added entry: $[/ip dns cache get $i name] IP $tmpAddress")
            /ip firewall address-list add address=$tmpAddress list=$ListName comment=$cacheName
        } else={
            :foreach j in=[/ip firewall address-list find ] do={
                :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
                    :set bNew false
                }
            }
            :if ( $bNew ) do={
                :log debug ("added entry: $[/ip dns cache get $i name] IP $tmpAddress")
                /ip firewall address-list add address=$tmpAddress list=$ListName comment=$cacheName
            }
        }
    }
}

Torrents and skype can create a problem. They have a way of breaking through.
Reminder :
The traffic going to the router gets into the firewall chain input;
The traffic generated by the router enters the firewall's output chain;
Traffic going through the router gets into the forward chain;
6.1. How does traffic go to Mikrotik?
How to block torrent 100%? Only 2 lines. It is solved.
Setting up traffic filtering on Mikrotik. Part 1

I

Ivan Arxont, 2015-12-15
@arxont

1) Firewall cut all traffic except the 80th port on forward`y
2) Do not prescribe defaul route (to 0.0.0.0), but prescribe to specific addresses of these sites.
This is if it's hardcore.
Another option is to install and configure a web proxy and prohibit everything except your sites in it.