I have a hotspot with authentication against an external RADIUS server.
I would like to restrict users to web browsing only, through ports 80 and 443 (http and https); in practice I want to drop all the remaining ports.
It's a Mikrotik RB750.
10.1.1.254/24 is the HotSpot side
172.18.255.248/24 is the WAN side
ip firewall filter print all
0 chain=forward action=accept protocol=tcp dst-port=8001
1 chain=forward action=accept protocol=tcp dst-port=8002
2 chain=forward action=accept protocol=tcp dst-port=8003
3 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
4 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!aut>
5 D chain=input action=jump jump-target=hs-input hotspot=from-client
6 I chain=hs-input action=jump jump-target=pre-hs-input
7 D chain=hs-input action=accept protocol=udp dst-port=64872
8 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875
9 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
10 D chain=hs-unauth action=return dst-address=172.18.255.14
11 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
12 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
13 D chain=hs-unauth-to action=return src-address=172.18.255.14
14 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
15 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
ip firewall nat print all
0 chain=dstnat action=dst-nat to-addresses=10.1.1.241 to-ports=8001
protocol=tcp dst-port=8001
1 chain=dstnat action=dst-nat to-addresses=10.1.1.242 to-ports=8002
protocol=tcp dst-port=8002
2 chain=dstnat action=dst-nat to-addresses=10.1.1.243 to-ports=8003
protocol=tcp dst-port=8003
3 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
4 I chain=hotspot action=jump jump-target=pre-hotspot
5 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
6 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
7 D chain=hotspot action=redirect to-ports=64873 protocol=tcp
hotspot=local-dst dst-port=80
8 D chain=hotspot action=redirect to-ports=64875 protocol=tcp
hotspot=local-dst dst-port=443
9 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!aut>
10 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth
11 D chain=hs-unauth action=return dst-address=172.18.255.14
12 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80
13 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128
14 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
15 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443
16 I chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
17 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http
18 I chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
19 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
The first three rules in the firewall and in the NAT let me reach the antennas that "emit" the wireless signal.
The other rules are the ones created automatically at hotspot setup.
I tried creating a firewall rule after no. 15 with chain=forward dst-port=80,443 action=accept
and right after it one with chain=forward action=drop,
but by doing so I can't browse anymore.
I tried inserting them between #2 and #3 but it's the same..
I know I'm getting stuck on something trivial....
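Added example (not the poster's configuration, and not output from the RB750 above): a RouterOS filter set for the "web only" requirement that keeps connection tracking in mind. An accept for dst-port=80,443 followed by an unconditional drop in chain=forward is stateless: the web server's reply packets arrive with the client's random source port as dst-port, so they match the drop, and the browser never sees a response. The rules below assume the hotspot clients live in 10.1.1.0/24 (the HotSpot side stated in the post) and that the three static accept rules for ports 8001-8003 still occupy positions 0-2, so the new rules are placed at 3, 4 and 5, ahead of the hotspot's dynamic jump rules.

```routeros
# Added example, not the poster's config. Assumes hotspot clients are in
# 10.1.1.0/24 and that the existing static rules 0-2 are unchanged.
/ip firewall filter

# 1. Replies and related packets of connections already accepted below.
#    Without this, server->client HTTP/HTTPS replies hit the final drop.
add chain=forward connection-state=established,related action=accept \
    comment="hs: replies for allowed connections" place-before=3

# 2. New HTTP/HTTPS sessions from hotspot clients only (src-address scopes
#    the rule so WAN->antenna traffic on 8001-8003 is untouched).
add chain=forward src-address=10.1.1.0/24 protocol=tcp dst-port=80,443 \
    connection-state=new action=accept comment="hs: web only" place-before=4

# 3. Everything else from the hotspot subnet is dropped and logged, so
#    blocked attempts are visible in /log with the prefix below.
add chain=forward src-address=10.1.1.0/24 action=drop log=yes \
    log-prefix="hs-drop" comment="hs: drop non-web" place-before=5
```

The hotspot's own NAT rules still run before the filter, so an unauthenticated client's HTTP request is redirected to the router's login page (ports 64873/64874 on the router itself, chain=input) and is not affected by these forward rules. After loading the rules, `/ip firewall filter print stats` shows per-rule packet counters: the established,related rule should count upward as soon as a client browses, and the hs-drop log entries tell you which ports clients are actually trying to use before you decide whether anything else (for example a mail or VPN port) needs its own accept.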