Advertisement
albspirit86

mikrotik firewall rules

Jul 1st, 2014
799
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.67 KB | None | 0 0
  1. Codes - Firewall Rules
  2.  
  3. Note: Enter "/ip firewall filter" at Terminal window before copy & paste the following codes
  4.  
  5. # Allow only needed icmp codes in icmp chain:
  6.  
  7. add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
  8. add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
  9. add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
  10. add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
  11. add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
  12. add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
  13. add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
  14. add chain=icmp action=drop comment="deny all other types"
  15.  
  16.  
  17. # Bruteforce login prevention
  18.  
  19. # Allows only 10 FTP login incorrect answers per minute:
  20.  
  21. add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
  22. add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
  23. add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
  24.  
  25. # Prevent a SSH brute forcer to be banned for 10 days after repetitive attempts:
  26.  
  27. add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
  28. add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
  29. add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
  30. add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
  31. add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
  32. add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
  33.  
  34.  
  35. # Drop port scanners
  36.  
  37. add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
  38.  
  39. Various combinations of TCP flags can also indicate port scanner activity:
  40.  
  41. add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
  42. add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
  43. add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
  44. add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
  45. add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
  46. add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
  47.  
  48. # Drop those IPs in both Input & Forward chains:
  49.  
  50. add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
  51. add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
  52.  
  53.  
  54.  
  55. # Router protection :
  56.  
  57. add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
  58. add chain=input connection-state=established action=accept comment="Allow Established connections"
  59. add chain=input src-address=192.168.1.0/24 action=accept in-interface=!Speedy
  60. add chain=input action=drop comment="Drop everything else"
  61.  
  62.  
  63. # Customer protection (forward chain - traffic passing through the router):
  64.  
  65. add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
  66. add chain=forward connection-state=established action=accept comment="allow already established connections"
  67. add chain=forward connection-state=related action=accept comment="allow related connections"
  68.  
  69. # Block Bogon IP addresses:
  70.  
  71. add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogon IP addresses"
  72. add chain=forward dst-address=0.0.0.0/8 action=drop
  73. add chain=forward src-address=127.0.0.0/8 action=drop
  74. add chain=forward dst-address=127.0.0.0/8 action=drop
  75. add chain=forward src-address=224.0.0.0/3 action=drop
  76. add chain=forward dst-address=224.0.0.0/3 action=drop
  77.  
  78. # Make jumps to new chains:
  79.  
  80. add chain=forward protocol=tcp action=jump jump-target=tcp comment="Make jumps to new chains"
  81. add chain=forward protocol=udp action=jump jump-target=udp
  82. add chain=forward protocol=icmp action=jump jump-target=icmp
  83.  
  84. # Create TCP chain and deny some TCP ports in it (revise port numbers as needed):
  85.  
  86. add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
  87. add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
  88. add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
  89. add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
  90. add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
  91. add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
  92. add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
  93. add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
  94. add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
  95. add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
  96.  
  97. # Create UDP chain and deny some UDP ports in it (revise port numbers as needed):
  98.  
  99. add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
  100. add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
  101. add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
  102. add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
  103. add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
  104. add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement