Mikrotik
Ka4a, 2015-12-15 13:42:58

Blocking traffic on Mikrotik?

Good afternoon. I need to set up a Mikrotik router so that everything is blocked except for 5 sites: no Skype, no SIP, no torrents, no ssh, etc. What is the simplest way to do this? I have not worked with Mikrotiks before; I had a look and it seems I would have to build quite a contraption. Is it possible to somehow drop all traffic apart from the 5 sites and mail through a client (smtp, imap)?


2 answer(s)
LESHIY_ODESSA, 2015-12-15
@ka4a

/ip firewall filter
# open required sites (addresses come from the list built by the script below)
add chain=forward dst-address-list=list-allowed action=accept comment="open required sites"
# open POP, SMTP, IMAP (plain and TLS ports)
add chain=forward protocol=tcp dst-port=25,465,587,110,995,143,993 action=accept comment="open POP, SMTP, IMAP"
# Forbid everything else. That is, whatever is not allowed above is FORBIDDEN!
add chain=forward action=drop comment="forbid everything else"
But creating list-allowed has to be left to a script, because the domains need to be resolved to IP addresses.
Script - Writing scripts for Mikrotik RouterOS is easy

# Domains whose resolved addresses populate the allowed list
:local DNSList {"site1.com";"site2.com";"site3.com";"site4.com";"site5.com"}
:local ListName "list-allowed"
# Resolvers to query: the router's dynamic and static DNS servers plus Google's
:local DNSServers ([/ip dns get dynamic-servers], [/ip dns get servers], 8.8.8.8)
# Resolve every domain on every server so the answers end up in the router's DNS cache
:foreach addr in=$DNSList do={
     :foreach DNSServer in=$DNSServers do={
          :do {:resolve server=$DNSServer $addr} on-error={:log debug ("failed to resolve $addr on $DNSServer")}
     }
}
# Rebuild the list from scratch, then walk the cached A records
/ip firewall address-list remove [find where list=$ListName]
/ip dns cache all
:foreach i in=[find type="A"] do={
    :local bNew true
    :local cacheName [get $i name]
    :local match false
    # Does the cached name contain one of the wanted domains? (substring match, so subdomains count too)
    :foreach addr in=$DNSList do={
       :if ([:typeof [:find $cacheName $addr]] != "nil") do={
           :set match true
       }
    }
    :if ($match) do={
        :local tmpAddress [/ip dns cache get $i address]
        # Add the address only if it is not already in the list
        :if ([/ip firewall address-list find list=$ListName] = "") do={
            :log debug ("added entry: $[/ip dns cache get $i name] IP $tmpAddress")
            /ip firewall address-list add address=$tmpAddress list=$ListName comment=$cacheName
        } else={
            :foreach j in=[/ip firewall address-list find list=$ListName] do={
                :if ([/ip firewall address-list get $j address] = $tmpAddress) do={
                    :set bNew false
                }
            }
            :if ($bNew) do={
                :log debug ("added entry: $[/ip dns cache get $i name] IP $tmpAddress")
                /ip firewall address-list add address=$tmpAddress list=$ListName comment=$cacheName
            }
        }
    }
}

Torrents and Skype can be a problem; they have ways of getting through.
Reminder:
Traffic addressed to the router itself goes through the firewall's input chain;
Traffic generated by the router goes through the firewall's output chain;
Traffic passing through the router goes through the forward chain;
6.1. How does traffic go to Mikrotik?
How to block torrent 100%? Only 2 lines. It is solved.
Setting up traffic filtering on Mikrotik. Part 1
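The rules this answer sketches, written out as a complete ruleset. This is an added example, not code from either answer: it assumes the LAN-facing interface is named bridge-lan, that clients use the router as their DNS server, and that the resolver script above is saved under /system script as update-list-allowed; the list name list-allowed and the mail ports follow the answer, while mail.example.com is a placeholder. Unlike the answer it pins mail traffic to a named address list and logs what it drops, so blocked Skype, SIP or torrent attempts show up in /log.

```routeros
# Added example, not from the original answers. Assumptions: LAN interface is
# "bridge-lan", clients use the router for DNS, and the answer's resolver script
# is saved as "update-list-allowed". Replace mail.example.com with your provider.

/ip firewall address-list
# RouterOS 6.36 and later resolve an FQDN entry themselves and keep it current
add list=mail-servers address=mail.example.com comment="mail provider (placeholder)"

/ip firewall filter
# forward chain: LAN <-> Internet traffic passing through the router
add chain=forward connection-state=established,related action=accept \
    comment="replies for connections accepted below"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge-lan dst-address-list=list-allowed \
    protocol=tcp dst-port=80,443 action=accept comment="the 5 sites (HTTP/HTTPS)"
add chain=forward in-interface=bridge-lan dst-address-list=mail-servers \
    protocol=tcp dst-port=25,465,587,110,995,143,993 action=accept \
    comment="SMTP/POP3/IMAP, plain and TLS, to the mail provider only"
# final rule: whatever was not accepted above is dropped and logged, so blocked
# Skype/SIP/torrent/ssh attempts are visible in /log with the prefix BLOCKED
add chain=forward in-interface=bridge-lan action=drop log=yes log-prefix="BLOCKED" \
    comment="deny everything else"

# input chain: the drop above does not touch the router's own DNS service, but if
# the input chain already ends in a drop rule these two must sit above it
add chain=input in-interface=bridge-lan protocol=udp dst-port=53 action=accept \
    comment="DNS for LAN clients"
add chain=input in-interface=bridge-lan protocol=tcp dst-port=53 action=accept \
    comment="DNS for LAN clients"

# keep list-allowed fresh: sites behind CDNs change addresses often
/system scheduler
add name=refresh-list-allowed interval=10m \
    on-event="/system script run update-list-allowed"
```

Check the result with /ip firewall address-list print where list=list-allowed and watch /log for BLOCKED entries to see what the rules are actually dropping.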

Ivan Arxont, 2015-12-15
@arxont

1) In the firewall, cut all traffic in the forward chain except port 80.
2) Do not set a default route (to 0.0.0.0); instead set routes to the specific addresses of these sites.
That is the hardcore option.
Another option is to install and configure a web proxy and prohibit everything except your sites in it.
