add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
Redirect mail traffic to a specified server
/ip firewall nat add chain=dstnat protocol=tcp dst-port=25 action=dst-nat to-addresses=10.0.0.1 to-ports=25
(10.0.0.1 is the IP address of the mail server.) The rule matches TCP/25 arriving on any interface; add in-interface=<Your LAN Port> if you only want your own clients' outgoing mail redirected.
Block Websites & Stop Downloading Using Proxy
/ip proxy set enabled=yes src-address=0.0.0.0 port=8080 parent-proxy=0.0.0.0:0 cache-drive=system cache-administrator="webmaster" max-disk-cache-size=none max-ram-cache-size=none cache-only-on-disk=no maximal-client-connections=1000 maximal-server-connections=1000 max-object-size=512KiB max-fresh-time=3d
Check the result with /ip proxy print.
Now, Make it Transparent
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
Only plain HTTP on port 80 is redirected into the proxy; HTTPS is not, so the proxy access rules below do not apply to it.
Make sure that your proxy is NOT an Open Proxy
/ip firewall filter add chain=input in-interface=<Your WAN Port> src-address=0.0.0.0/0 protocol=tcp dst-port=8080 action=drop
Filter rules are evaluated in order, so place this rule above any input rule that would accept new connections from the WAN interface; otherwise it never matches and the proxy stays reachable from the Internet.
Now for Blocking Websites
/ip proxy access add dst-host=www.vansol27.com action=deny
We can also stop downloading files like .mp3, .exe, .dat, .avi, etc. Each extension gets its own rule:
/ip proxy access add path=*.exe action=deny
/ip proxy access add path=*.mp3 action=deny
/ip proxy access add path=*.zip action=deny
/ip proxy access add path=*.rar action=deny
A leading colon makes dst-host a regular expression, so the following rule denies every host whose name contains "mail":
/ip proxy access add dst-host=:mail action=deny
How to autodetect infected or spammer users and temporarily block their outgoing SMTP
/ip firewall filter
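An added example, not the page's own script, of one way to do this in RouterOS: a LAN host that opens more than 30 simultaneous outgoing SMTP connections is put on an address list for one hour, and while it is listed its port-25 traffic is dropped. The interface name Local, the exempted mail server 10.0.0.1 (the address from the redirect rule above), the threshold of 30 and the one-hour timeout are assumptions to adjust for your network.

```routeros
# Added example, not the page's script. Assumes the LAN interface is called Local
# and that 10.0.0.1 is your own mail server, which is allowed to send freely.
/ip firewall filter
# Rule 1: a host with more than 30 concurrent SMTP connections (counted per /32)
# is added to the smtp-blocked list for 1h. add-src-to-address-list does not
# stop rule processing, so the packet continues to rule 2 and is dropped there.
add chain=forward in-interface=Local protocol=tcp dst-port=25 connection-state=new src-address=!10.0.0.1 connection-limit=30,32 action=add-src-to-address-list address-list=smtp-blocked address-list-timeout=1h comment="flag hosts opening too many SMTP connections"
# Rule 2: anything on the list loses outgoing SMTP until the entry expires.
add chain=forward in-interface=Local protocol=tcp dst-port=25 src-address-list=smtp-blocked action=drop comment="drop SMTP from hosts flagged as spammers"
```

Flagged hosts can be reviewed with /ip firewall address-list print where list=smtp-blocked; the timeout means a cleaned machine is unblocked automatically, while a still-infected one is re-flagged as soon as it exceeds the limit again.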
/ ip firewall filter
add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic \(between router applications\)"
add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks"
add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router itself, including all broadcast traffic"
add chain=input connection-mark=ping limit=5,5 action=accept comment="Allow pings, but at a very limited rate \(5 per sec\)"
add chain=input in-interface=Local action=jump jump-target=local-services comment="Allowing some services to be accessible from the local network"
add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet"
add chain=input action=jump jump-target=drop
add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
add chain=dhcp src-address-list=local-addr dst-address-type=local action=accept
add chain=local-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
add chain=local-services connection-mark=dns action=accept comment="DNS"
add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy \(3128/TCP\)"
add chain=local-services connection-mark=winbox action=accept comment="Winbox \(8291/TCP\)" disabled=no
add chain=local-services action=drop comment="Drop Other Local Services"
add chain=public-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
add chain=public-services connection-mark=pptp action=accept comment="PPTP \(1723/TCP\)"
add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP"
add chain=public-services action=drop comment="Drop Other Public Services"
Local and Public are interface names; replace them with your own. The service rules match only on connection marks (ping, ssh, dns, proxy, winbox, pptp, gre) that must be set by /ip firewall mangle rules, and the jumps target sanity-check and drop chains that must exist as well. A jump to a chain with no rules simply returns to the caller, so without a populated drop chain the final input rule lets traffic through instead of dropping it.
Proxying everything
/ ip firewall nat
add chain=dstnat in-interface=Local connection-mark=dns action=redirect comment="proxy for DNS requests"
add chain=dstnat in-interface=Local connection-mark=http protocol=tcp action=redirect to-ports=3128 comment="proxy for HTTP requests"
add chain=dstnat in-interface=Local connection-mark=ntp action=redirect comment="proxy for NTP requests"
action=redirect without to-ports sends the packet to the same port on the router itself, i.e. to the router's own DNS cache and NTP server, which are enabled below.
Enable Proxy servers
/ system ntp server set enabled=yes broadcast=no multicast=no manycast=no
/ system ntp client set enabled=yes mode=unicast primary-ntp=xxx.xxx.xxx.xxx secondary-ntp=0.0.0.0
/ ip proxy set enabled=yes port=3128 parent-proxy=0.0.0.0:1 maximal-client-connections=1000 maximal-server-connections=1000
/ ip dns set primary-dns=yyy.yyy.yyy.yyy secondary-dns=0.0.0.0 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
allow-remote-requests=yes makes the router answer DNS queries from any address that can reach it, so it matters that the public-services chain above accepts only ssh, pptp and gre and drops everything else from the Public interface; a router that answers DNS from the Internet is an open resolver.
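The filter and NAT rules above match on connection marks (ping, ssh, dns, http, ntp, proxy, winbox, pptp, gre) and jump to a drop chain, none of which are defined on this page. As an added example, not the page's own configuration, here is one way to create them. The ports 22, 3128, 8291 and 1723 come from the rule comments above; UDP/53 for DNS, TCP/80 for HTTP and UDP/123 for NTP are standard assumptions. The sanity-check chain is not part of this example.

```routeros
# Added example, not the page's configuration: connection marks consumed by the
# local-services / public-services / dstnat rules above. A mark is set on the
# first packet and stays on the connection-tracking entry for the whole connection,
# so later packets match connection-mark= without being re-examined here.
/ip firewall mangle
add chain=prerouting connection-state=new protocol=icmp icmp-options=8:0 action=mark-connection new-connection-mark=ping passthrough=no comment="ICMP echo request"
add chain=prerouting connection-state=new protocol=tcp dst-port=22 action=mark-connection new-connection-mark=ssh passthrough=no comment="SSH"
add chain=prerouting connection-state=new protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no comment="DNS (assumed UDP/53)"
add chain=prerouting connection-state=new protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http passthrough=no comment="HTTP (assumed TCP/80)"
add chain=prerouting connection-state=new protocol=udp dst-port=123 action=mark-connection new-connection-mark=ntp passthrough=no comment="NTP (assumed UDP/123)"
add chain=prerouting connection-state=new protocol=tcp dst-port=3128 action=mark-connection new-connection-mark=proxy passthrough=no comment="HTTP proxy"
add chain=prerouting connection-state=new protocol=tcp dst-port=8291 action=mark-connection new-connection-mark=winbox passthrough=no comment="Winbox"
add chain=prerouting connection-state=new protocol=tcp dst-port=1723 action=mark-connection new-connection-mark=pptp passthrough=no comment="PPTP control"
add chain=prerouting connection-state=new protocol=gre action=mark-connection new-connection-mark=gre passthrough=no comment="GRE for PPTP"
# The drop chain that the input rules jump to. Without it a jump returns to the
# caller and the last input rule passes the packet instead of dropping it.
/ip firewall filter
add chain=drop action=drop comment="terminal drop chain"
```

Mangle prerouting runs before dstnat, so the dns, http and ntp marks are already present when the redirect rules in "Proxying everything" are evaluated. After loading this, /ip firewall connection print should show the marks on live connections, and /ip firewall filter print stats should show the drop chain's counter rising for traffic that reaches the end of the input chain.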