Port 80 forwarding and port blocking
I have a 750Gl that I have a webserver behind. Its address is 10.30.1.70/24.

I had a problem with it getting hacked. After rebuilding it and hopefully fixing my vulnerabilities, I want to go a little further by denying any possible outgoing viruses that might get through in the future. The easiest way I can figure out is to close all outgoing ports except 53 & 80.

I want to allow my webserver to get updates, so I need to allow outgoing ports 80 & 53. My webserver is also on port 80.

I have tried a few different ways, but I cannot make anything work properly. I have tried the configs below. The first works great to block everything outgoing except ports 80 & 53, but using it seems to nullify my port forward to the same server on port 80. How can I get this to work?

/ip firewall filter
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=53
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=53
add chain=forward action=accept src-address=10.30.1.0/24 protocol=udp dst-port=53
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=udp src-port=53
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=80
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=80
add chain=forward action=drop

With a forward like this:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Access to Webserver NAT Rule" disabled=no dst-port=80 protocol=tcp to-addresses=10.30.1.70 to-ports=80
      networking firewall mikrotik

edited Nov 29 '16 at 20:40
Scott

asked Mar 28 '15 at 6:59
shohel

1 Answer

The problem with what you are proposing is that connections TO the webserver come from random, high ports, not 80. So with that in place it would not be able to serve webpages. So you are doing exactly what you need to do to accomplish what you're attempting, but what you are attempting is fundamentally flawed.
answered Apr 9 '17 at 23:54
Duncan X Simpson
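The way to keep the egress policy the asker wants while still letting the port forward work is to stop matching reply traffic on ports at all and let connection tracking do it. The ruleset below is an added example, not the asker's configuration and not something the answer above proposed. It assumes ether1 is the WAN interface, 10.30.1.0/24 is the LAN, 10.30.1.70 is the web server, and that the LAN should only talk DNS to two named resolvers (the 9.9.9.9 / 149.112.112.112 entries are placeholders to replace). Port 443 is added to the outbound allow because most package mirrors now redirect to HTTPS; drop it if the updates really only use 80. The `connection-nat-state` matcher needs a RouterOS build that has it (v6 and later); on older firmware remove that matcher and rely on `in-interface`, `dst-address` and `dst-port`.

```routeros
# Added example (not the asker's or answerer's configuration).
# Assumptions: ether1 is the WAN interface, 10.30.1.0/24 is the LAN,
# 10.30.1.70 is the web server, and the LAN may only resolve names via the
# two resolvers listed below (placeholders, substitute your own).

/ip firewall address-list
add list=resolvers address=9.9.9.9 comment="assumed resolver, replace"
add list=resolvers address=149.112.112.112 comment="assumed resolver, replace"

/ip firewall nat
# Match only traffic arriving on the WAN side. With dst-port=80 alone, every
# TCP/80 packet crossing the router (including the web server's own update
# fetches to a mirror) would be rewritten to 10.30.1.70.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.30.1.70 to-ports=80 comment="Access to Webserver NAT Rule"

/ip firewall filter
# Replies and related packets are accepted by connection tracking, whatever
# their ports. This replaces the src-port=80 / src-port=53 rules from the
# question: a reply to a client sitting on a random high port never has
# dst-port=80, so those rules never matched it.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop

# Inbound: only NEW connections that the dstnat rule above rewrote, aimed at
# the web server on port 80. dstnat runs before the forward chain, so the
# destination address is already 10.30.1.70 here.
add chain=forward connection-state=new connection-nat-state=dstnat in-interface=ether1 protocol=tcp dst-address=10.30.1.70 dst-port=80 action=accept

# Outbound from the LAN: DNS to the named resolvers only (UDP and TCP), and
# HTTP/HTTPS for package updates. Only the first packet of a connection is
# matched here; the rest hit the established,related rule above.
add chain=forward connection-state=new src-address=10.30.1.0/24 dst-address-list=resolvers protocol=udp dst-port=53 action=accept
add chain=forward connection-state=new src-address=10.30.1.0/24 dst-address-list=resolvers protocol=tcp dst-port=53 action=accept
add chain=forward connection-state=new src-address=10.30.1.0/24 protocol=tcp dst-port=80,443 action=accept

# Log before dropping, so a blocked outbound attempt from the web server is
# visible instead of silently disappearing.
add chain=forward action=log log-prefix="FWD-DROP "
add chain=forward action=drop
```

After loading it, confirm the inbound path with a request from outside and watch the counters move with `/ip firewall filter print stats`; the dstnat hit should show up on the `connection-nat-state=dstnat` rule and the reply packets on the `established,related` rule, not on the drop. Blocked egress attempts appear with `/log print where message~"FWD-DROP"`, which is where most of the value of this policy actually lies: a port-only egress filter does not stop anything that can speak HTTP or HTTPS on 80/443, or that tunnels data through DNS, so pinning DNS to known resolvers and logging the drops is what turns a compromised server's outbound attempts into something you can see.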