Mikrotik
Jan, 2015-11-19 10:40:56

How to block everything on Mikrotik but leave access to certain sites / domains?

The bottom line is, you need to block the ENTIRE Internet (http, https) for a certain subnet, but leave access only to certain sites and domains.
I tried this:
chain=forward action=accept protocol=tcp src-address=192.168.1.0/24 content=ya.ru log=no log-prefix=""
chain=forward action=reject reject-with=tcp-reset protocol=tcp src-address=192.168.1.0/24 dst-port=80 log=no log-prefix=""
These rules don't work. Everything is blocked, it is impossible to go to ya.ru.
I tried the same through Layer7, it still doesn't work.
The Internet says that you need to try through a proxy, but https will still pass.
In which direction do you need to dig or what do you need to read?

5 answer(s)
Yaroslav Eremin, 2015-11-19
@YaroslavEremin

The easiest way is still to filter by IP address. Make a list of the IP addresses or subnets where the allowed sites are located and block packets on port 80 that are not sent to these addresses.
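
The address-list approach from the answer above, written out as RouterOS firewall rules. This is an added example, not part of the original thread: the list name `allowed-sites` and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders, and port 443 is included as suggested elsewhere in the thread.

```routeros
# Why the rules in the question block everything: content=ya.ru only matches
# packets whose payload contains that string. The TCP SYN that opens the
# connection carries no payload, so it falls through to the reject rule and
# the handshake never completes.

# 1. Allowlist of destination addresses (constructed placeholder values;
#    replace with the real addresses or subnets of the permitted sites).
/ip firewall address-list
add list=allowed-sites address=203.0.113.10 comment="placeholder: site A"
add list=allowed-sites address=198.51.100.0/24 comment="placeholder: site B subnet"

/ip firewall filter
# 2. Permit HTTP/HTTPS from the restricted subnet to listed destinations only.
add chain=forward action=accept protocol=tcp src-address=192.168.1.0/24 \
    dst-address-list=allowed-sites dst-port=80,443 comment="web allowlist"
# 3. Reset every other HTTP/HTTPS connection from that subnet.
add chain=forward action=reject reject-with=tcp-reset protocol=tcp \
    src-address=192.168.1.0/24 dst-port=80,443 comment="block other web"
```

Filter rules are evaluated top to bottom, so both rules must sit above any broader accept rule that covers 192.168.1.0/24. An IP allowlist also admits every other site hosted on the same address and has to be updated when a permitted site changes addresses.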

Maksim, 2015-11-19
@chumayu

Add port 443 to DST-PORT

cdelphi78, 2015-11-19
@cdelphi78

Add port 443 to DST-PORT

I'm no expert, but how does this help?

Gregory, 2015-11-22
@Maxlinus

For now, I'm spinning the following idea in my head: MikroTik + OpenWrt via MetaROUTER: we put 3proxy on OpenWrt itself (it has support for the HTTP, HTTPS, SOCKS, POP3 and SMTP protocols) and let traffic through it :)
This is just an idea in my head :)

cckfnn, 2015-11-27
@cckfnn

I'm not sure what will work, but it makes sense to pass traffic transparently through the MikroTik proxy, and it already has rules to prohibit and allow what is needed.
