System information
Manual:IP/Proxy
175
0 chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8000
[admin@MikroTik] ip firewall nat>
The web proxy can be used as a transparent and a normal web proxy at the same time. In transparent mode it is possible
to use it as a standard web proxy too. However, in this case proxy users may have trouble reaching web pages which
are accessed transparently.
Proxy based firewall – Access List
The access list is implemented in the same way as MikroTik firewall rules: rules are processed from top to bottom, and the
first matching rule decides what to do with the connection. Connections can be matched by source address, destination
address, destination port, a sub-string of the requested URL (Uniform Resource Locator) or request method. If none of
these parameters is specified, every connection will match the rule.
If a connection is matched by a rule, the action property of that rule specifies whether the connection will be allowed or
not (deny). If a connection does not match any rule, it will be allowed.
In this example, assume that the transparent proxy server has been configured as in the example above.
Block particular websites:
/ip proxy access add dst-host=www.facebook.com action=deny
This rule blocks the website http://www.facebook.com. The same site can also be blocked for particular networks only by giving
src-address:
/ip proxy access add src-address=192.168.1.0/24 dst-host=www.facebook.com action=deny
Users from the network 192.168.1.0/24 will not be able to access the website www.facebook.com.
You can also block websites that contain specific words in the URL:
/ip proxy access add dst-host=:mail action=deny
This statement blocks all websites whose URL contains the word "mail", like www.mail.com, www.hotmail.com,
mail.yahoo.com etc.
We can also stop the downloading of specific types of files like .flv, .avi, .mp4, .mp3, .exe, .dat etc.:
/ip proxy access
add path=*.flv action=deny
add path=*.avi action=deny
add path=*.mp4 action=deny
add path=*.mp3 action=deny
add path=*.zip action=deny
add path=*.rar action=deny
Different wildcard characters are also available for creating specific conditions to be matched by the proxy access
list.
Wildcard properties (dst-host and dst-path) match a complete string (i.e., they will not match "example.com" if they
are set to "example"). Available wildcards are '*' (match any number of any characters) and '?' (match any one
character).
Regular expressions are also accepted here, but if the property should be treated as a regular expression, it should
start with a colon (':').
To specify that no symbols are allowed before the given pattern, use the ^ symbol at the beginning of the pattern.
To specify that no symbols are allowed after the given pattern, use the $ symbol at the end of the pattern.
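The following Python script is an added example, not RouterOS code: it models the access-list behaviour described above (top-to-bottom evaluation, first match decides, unmatched connections allowed) together with the dst-host/path matching rules (wildcards `*` and `?` that must match the complete string, and patterns starting with `:` treated as regular expressions, anchored only when `^`/`$` are given). The rule list, the sample requests and the `Request`/`Rule` class names are constructed for the demonstration; how RouterOS implements the matching internally is not shown on this page, so the script only reproduces the documented semantics.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Added model of the /ip proxy access list semantics documented in the manual
# (constructed example, not the RouterOS implementation).


def compile_property(pattern: str) -> "re.Pattern":
    """Turn a dst-host / path property into a compiled regular expression.

    A leading ':' marks a regular expression, which is searched anywhere in the
    value unless the pattern itself uses ^ or $. Otherwise '*' (any number of
    characters) and '?' (any single character) are wildcards and the whole value
    must match, so "example" does not match "example.com".
    """
    if pattern.startswith(":"):
        return re.compile(pattern[1:])
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(r"\A" + escaped + r"\Z")


def property_matches(pattern: str, value: str) -> bool:
    return compile_property(pattern).search(value) is not None


@dataclass
class Request:
    """One proxied HTTP request (constructed sample input)."""
    src_ip: str
    dst_host: str
    path: str = "/"
    dst_port: int = 80
    method: str = "GET"


@dataclass
class Rule:
    """One access-list entry; unset properties are not checked."""
    action: str                         # "allow" or "deny"
    src_address: Optional[str] = None   # CIDR such as "192.168.1.0/24"
    dst_host: Optional[str] = None
    path: Optional[str] = None
    dst_port: Optional[int] = None
    method: Optional[str] = None

    def matches(self, req: Request) -> bool:
        # Every specified property must match; a rule with none set matches all.
        if self.src_address is not None:
            net = ipaddress.ip_network(self.src_address, strict=False)
            if ipaddress.ip_address(req.src_ip) not in net:
                return False
        if self.dst_host is not None and not property_matches(self.dst_host, req.dst_host):
            return False
        if self.path is not None and not property_matches(self.path, req.path):
            return False
        if self.dst_port is not None and self.dst_port != req.dst_port:
            return False
        if self.method is not None and self.method.upper() != req.method.upper():
            return False
        return True


def evaluate(rules: List[Rule], req: Request) -> str:
    """First matching rule decides; a request matching no rule is allowed."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return "allow"


# The manual's examples as a rule list, in the order they would be added.
ACCESS_LIST = [
    Rule("deny", src_address="192.168.1.0/24", dst_host="www.facebook.com"),
    Rule("deny", dst_host=":mail"),
    Rule("deny", path="*.flv"),
    Rule("deny", path="*.avi"),
    Rule("deny", path="*.mp4"),
    Rule("deny", path="*.mp3"),
    Rule("deny", path="*.zip"),
    Rule("deny", path="*.rar"),
]

if __name__ == "__main__":
    samples = [
        Request("192.168.1.10", "www.facebook.com"),
        Request("10.0.0.5", "www.facebook.com"),
        Request("10.0.0.5", "mail.yahoo.com"),
        Request("10.0.0.5", "www.example.com", "/video/clip.flv"),
        Request("10.0.0.5", "www.example.com", "/index.html"),
    ]
    for s in samples:
        print(f"{s.src_ip} -> {s.dst_host}{s.path}: {evaluate(ACCESS_LIST, s)}")
```

Running it shows the facebook rule only firing for the 192.168.1.0/24 source, the `:mail` regex catching www.hotmail.com and mail.yahoo.com because an unanchored regex matches anywhere, and the path wildcards catching file names only when the whole path ends in the extension. When auditing a real access list, the order of the rules matters as much as their contents, since an early broad allow rule shadows every deny below it.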