Port 80 forwarding and port blocking












1















I have a 750Gl that I have a webserver behind. Its address is 10.30.1.70/24.



I had a problem with it getting hacked. After rebuilding it and hopefully fixing my vulnerabilities, I want to go a little further by denying any possible outgoing viruses that might get through in the future. The easiest way I can figure out is to close all outgoing ports except 53 & 80.



I want to allow my webserver to get updates, so I need to allow outgoing port 80 & 53. My webserver is also on port 80.



I have tried a few different ways, but I cannot make anything work properly.
I have tried the configs below. The first works great to block everything outgoing except port 80 & 53. But using it seems to nullify my port forward to the same server on port 80. How can I get this to work?



/ip firewall filter

add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=53

add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=53

add chain=forward action=accept src-address=10.30.1.0/24 protocol=udp dst-port=53

add chain=forward action=accept dst-address=10.30.1.0/24 protocol=udp src-port=53

add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=80

add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=80

add chain=forward action=drop


With a forward like this:



/ip firewall nat

add action=dst-nat chain=dstnat comment="Access to Webserver NAT Rule" disabled=no 

dst-port=80 protocol=tcp to-addresses=10.30.1.70 to-ports=80





networking firewall mikrotik







share|improve this question





























    1















    I have a 750Gl that I have a webserver behind. Its address is 10.30.1.70/24.



    I had a problem with it getting hacked. After rebuilding it and hopefully fixing my vulnerabilities, I want to go a little further by denying any possible outgoing viruses that might get through in the future. The easiest way I can figure out is to close all outgoing ports except 53 & 80.



    I want to allow my webserver to get updates, so I need to allow outgoing port 80 & 53. My webserver is also on port 80.



    I have tried a few different ways, but I cannot make anything work properly.
    I have tried the configs below. The first works great to block everything outgoing except port 80 & 53. But using it seems to nullify my port forward to the same server on port 80. How can I get this to work?



    /ip firewall filter
    
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=53
    
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=53
    
add chain=forward action=accept src-address=10.30.1.0/24 protocol=udp dst-port=53
    
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=udp src-port=53
    
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=80
    
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=80
    
add chain=forward action=drop


    With a forward like this:



    /ip firewall nat
    
add action=dst-nat chain=dstnat comment="Access to Webserver NAT Rule" disabled=no 
    
dst-port=80 protocol=tcp to-addresses=10.30.1.70 to-ports=80





    networking firewall mikrotik







    share|improve this question



























      1












      1








      1








      I have a 750Gl that I have a webserver behind. Its address is 10.30.1.70/24.



      I had a problem with it getting hacked. After rebuilding it and hopefully fixing my vulnerabilities, I want to go a little further by denying any possible outgoing viruses that might get through in the future. The easiest way I can figure out is to close all outgoing ports except 53 & 80.



      I want to allow my webserver to get updates, so I need to allow outgoing port 80 & 53. My webserver is also on port 80.



      I have tried a few different ways, but I cannot make anything work properly.
      I have tried the configs below. The first works great to block everything outgoing except port 80 & 53. But using it seems to nullify my port forward to the same server on port 80. How can I get this to work?



      /ip firewall filter
      
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=53
      
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=53
      
add chain=forward action=accept src-address=10.30.1.0/24 protocol=udp dst-port=53
      
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=udp src-port=53
      
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=80
      
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=80
      
add chain=forward action=drop


      With a forward like this:



      /ip firewall nat
      
add action=dst-nat chain=dstnat comment="Access to Webserver NAT Rule" disabled=no 
      
dst-port=80 protocol=tcp to-addresses=10.30.1.70 to-ports=80





      networking firewall mikrotik







      share|improve this question
















      I have a 750Gl that I have a webserver behind. Its address is 10.30.1.70/24.



      I had a problem with it getting hacked. After rebuilding it and hopefully fixing my vulnerabilities, I want to go a little further by denying any possible outgoing viruses that might get through in the future. The easiest way I can figure out is to close all outgoing ports except 53 & 80.



      I want to allow my webserver to get updates, so I need to allow outgoing port 80 & 53. My webserver is also on port 80.



      I have tried a few different ways, but I cannot make anything work properly.
      I have tried the configs below. The first works great to block everything outgoing except port 80 & 53. But using it seems to nullify my port forward to the same server on port 80. How can I get this to work?



      /ip firewall filter
      
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=53
      
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=53
      
add chain=forward action=accept src-address=10.30.1.0/24 protocol=udp dst-port=53
      
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=udp src-port=53
      
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=80
      
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=80
      
add chain=forward action=drop


      With a forward like this:



      /ip firewall nat
      
add action=dst-nat chain=dstnat comment="Access to Webserver NAT Rule" disabled=no 
      
dst-port=80 protocol=tcp to-addresses=10.30.1.70 to-ports=80





      networking firewall mikrotik




      networking firewall mikrotik






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 29 '16 at 20:40









      Scott

      16.1k113990




      16.1k113990










      asked Mar 28 '15 at 6:59









      shohelshohel

      63




      63






















          1 Answer
          1






          active

          oldest

          votes


















          0














          The problem with what you are proposing is that connections TO the webserver come from random, high ports, not 80. So with that in place it would not be able to serve webpages. So you are doing exactly what you need to do what you're attempting, but what you are attempting to do is fundamentally flawed.






          share|improve this answer
























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f895043%2fport-80-forwarding-and-port-blocking%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            The problem with what you are proposing is that connections TO the webserver come from random, high ports, not 80. So with that in place it would not be able to serve webpages. So you are doing exactly what you need to do what you're attempting, but what you are attempting to do is fundamentally flawed.






            share|improve this answer




























              0














              The problem with what you are proposing is that connections TO the webserver come from random, high ports, not 80. So with that in place it would not be able to serve webpages. So you are doing exactly what you need to do what you're attempting, but what you are attempting to do is fundamentally flawed.






              share|improve this answer


























                0












                0








                0







                The problem with what you are proposing is that connections TO the webserver come from random, high ports, not 80. So with that in place it would not be able to serve webpages. So you are doing exactly what you need to do what you're attempting, but what you are attempting to do is fundamentally flawed.






                share|improve this answer













                The problem with what you are proposing is that connections TO the webserver come from random, high ports, not 80. So with that in place it would not be able to serve webpages. So you are doing exactly what you need to do what you're attempting, but what you are attempting to do is fundamentally flawed.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Apr 9 '17 at 23:54









                Duncan X SimpsonDuncan X Simpson

                1,112823




                1,112823






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f895043%2fport-80-forwarding-and-port-blocking%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Probability when a professor distributes a quiz and homework assignment to a class of n students.

                    Image
                    0 0 $begingroup$ Need help with this problem. Suppose our lazy professor collects a quiz and a homework assignment from a class of n students one day, then distributes both the quizzes and the homework assignments back to the class in a random fashion for grading. Each student receives one quiz and one homework assignment to grade. (a) What is the probability that every student receives someone else's quiz to grade, and someone else's homework to grade? (b) What is the probability that no student receives both their own quiz and their own homework assignment to grade? In this case, some students may receive their own quiz, and others may receive their own homework assignment. (c) Compute the limiting probability as n approaches infinity in each case. ...
                    Read more

                    Aardman Animations

                    Image
                    Aardman Animations, Ltd. Aardman Animations Tipo privada Atividade Animação em stop-motion , Animação em CGI Fundação 1972 Fundador(es) Peter Lord David Sproxton Sede Bristol, Inglaterra  Reino Unido Proprietário(s) Dreamworks Pessoas-chave Peter Lord David Sproxton Nick Park Divisões Aardman Features Aardman Digital Aardman Commercials Aardman Broadcast Aardman International Aardman Rights Aardman Effects Aardman 3-D Systems Aardman Nathan Love AardBoiled Website oficial aardman.com ...
                    Read more

                    Are they similar matrix

                    Image
                    0 $begingroup$ Do $begin{bmatrix} 0&i&0\0&0&1\0&0&0 end{bmatrix} $ and $begin{bmatrix} 0&0&0\-i&0&0\0&1&0 end{bmatrix} $ are similar.Is this True/false Clearly both are nilpotent and one is conjucate transpose of other but how to know if they are similar.i'm stuck. Please help me linear-algebra vector-spaces eigenvalues-eigenvectors generalizedeigenvector share | cite | improve this question edited Dec 10 '18 at 6:38 Vasanth Kris asked Dec 10 '18 at 6:19 ...
                    Read more