API tools faq
paste
Advertisement
albspirit86

mikrotik firewall rules

albspirit86
Jul 1st, 2014
798
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.67 KB | None | 0 0
raw download clone embed print report
  1. Codes - Firewall Rules
  2.  
  3. Note: Enter "/ip firewall filter" at Terminal window before copy & paste the following codes
  4.  
  5. # Allow only needed icmp codes in icmp chain:
  6.  
  7. add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
  8. add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
  9. add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
  10. add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
  11. add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
  12. add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
  13. add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
  14. add chain=icmp action=drop comment="deny all other types"
  15.  
  16.  
  17. # Bruteforce login prevention
  18.  
  19. # Allows only 10 FTP login incorrect answers per minute:
  20.  
  21. add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
  22. add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
  23. add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
  24.  
  25. # Prevent a SSH brute forcer to be banned for 10 days after repetitive attempts:
  26.  
  27. add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
  28. add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
  29. add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
  30. add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
  31. add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
  32. add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
  33.  
  34.  
  35. # Drop port scanners
  36.  
  37. add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
  38.  
  39. Various combinations of TCP flags can also indicate port scanner activity:
  40.  
  41. add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
  42. add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
  43. add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
  44. add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
  45. add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
  46. add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
  47.  
  48. # Drop those IPs in both Input & Forward chains:
  49.  
  50. add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
  51. add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
  52.  
  53.  
  54.  
  55. # Router protection :
  56.  
  57. add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
  58. add chain=input connection-state=established action=accept comment="Allow Established connections"
  59. add chain=input src-address=192.168.1.0/24 action=accept in-interface=!Speedy
  60. add chain=input action=drop comment="Drop everything else"
  61.  
  62.  
  63. # Customer protection (forward chain - traffic passing through the router):
  64.  
  65. add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
  66. add chain=forward connection-state=established action=accept comment="allow already established connections"
  67. add chain=forward connection-state=related action=accept comment="allow related connections"
  68.  
  69. # Block Bogon IP addresses:
  70.  
  71. add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogon IP addresses"
  72. add chain=forward dst-address=0.0.0.0/8 action=drop
  73. add chain=forward src-address=127.0.0.0/8 action=drop
  74. add chain=forward dst-address=127.0.0.0/8 action=drop
  75. add chain=forward src-address=224.0.0.0/3 action=drop
  76. add chain=forward dst-address=224.0.0.0/3 action=drop
  77.  
  78. # Make jumps to new chains:
  79.  
  80. add chain=forward protocol=tcp action=jump jump-target=tcp comment="Make jumps to new chains"
  81. add chain=forward protocol=udp action=jump jump-target=udp
  82. add chain=forward protocol=icmp action=jump jump-target=icmp
  83.  
  84. # Create TCP chain and deny some TCP ports in it (revise port numbers as needed):
  85.  
  86. add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
  87. add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
  88. add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
  89. add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
  90. add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
  91. add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
  92. add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
  93. add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
  94. add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
  95. add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
  96.  
  97. # Create UDP chain and deny some UDP ports in it (revise port numbers as needed):
  98.  
  99. add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
  100. add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
  101. add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
  102. add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
  103. add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
  104. add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!