Open “IP” – “Firewall” – the tab “Filter Rules”.
Click “Add new” to add a new rule.
Then set the following parameters:
Src. Address: here you can specify the IP address or network with which it is allowed to connect, if everyone is allowed, then we do not specify.
Dst. Port: 80 (or 8291 for Winbox, 21 for ftp, 22 for ssh, 23 for telnet, udp 161 for snmp)
Click “OK” to add a rule.
After that, in the firewall, a rule will be created at the end of the list. Since it will be the last, and before it there is a rule prohibiting everything, then it must be dragged to the very top with the mouse, otherwise it will not be of use.
Through the command line, the rules will look like this:
/ip firewall filter add chain=input protocol=tcp dst-port=80 disabled=no action=accept
To pick up the list, you can do this (where 30 is the ID of the rule added):
/ip firewall filter print /ip firewall filter move 30 destination=1
Or in the command itself, we indicate that you need to place the rule at the very beginning of the list:
/ip firewall filter add chain=input protocol=tcp dst-port=80 disabled=no action=accept place-before 0
Also in the menu “IP” – “Services” in the parameters of the desired service, you can add “Available From” the list of IP addresses from which you want to allow access. Access is restricted to both local and external addresses, so first of all you need to add the IP or subnet with which you are currently connected.
I’ll give an example of specifying IP through a terminal for example for telnet (similar to ftp, www, ssh, winbox):
/ip service set telnet address=192.168.1.0/24,172.16.205.50/32,192.168.3.24/32
See also my article:
Configure Hairpin NAT on RouterOS (Mikrotik)