API tools faq
paste
Hafixie93

Awards

Hafixie93
Dec 10th, 2020
370
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Java 5 5.80 KB | None | 0 0
raw download clone embed print report
  1. /ip ssh
  2. set strong-crypto=yes
  3. /system clock
  4. set time-zone-name=Europe/Madrid
  5. /ip dns
  6. set servers=8.8.8.8,8.8.4.4 allow-remote-requests=no
  7. /tool bandwidth-server
  8. set enabled=no
  9. /ip proxy
  10. set enabled=no
  11. /ip socks
  12. set enabled=no
  13. /ip upnp
  14. set enabled=no
  15. /ip cloud
  16. set ddns-enabled=yes ddns-update-interval=15m
  17. /system ntp client
  18. set enabled=yes server-dns-names=ntp.roa.es,hora.roa.es
  19. /ip dns
  20. set allow-remote-requests=no
  21.  
  22. /user
  23. add name=power password="brubaker" group=full
  24.  
  25. /user
  26. disable admin
  27.  
  28. /ip firewall service-port
  29. disable dccp
  30. disable ftp
  31. disable h323
  32. disable irc
  33. disable pptp
  34. disable sctp
  35. disable sip
  36. disable tftp
  37. disable udplite
  38.  
  39. /ip firewall filter
  40. add action=accept chain=input comment="default configuration" connection-state=established,related
  41. add action=accept chain=input src-address-list=allowed_to_router
  42. add action=accept chain=input protocol=icmp
  43. add action=drop chain=input connection-state=invalid log=yes
  44.  
  45. /ip firewall address-list
  46. add address=192.168.83.0/27 list=allowed_to_router
  47.  
  48. /ip address
  49. add address=192.168.83.1/27 interface=bridge network=192.168.83.0
  50.  
  51. /ip dhcp-server
  52. add address-pool="LAN DHCP" disabled=no interface=bridge name="LAN DHCP" lease-time=12h
  53.  
  54. /ip dhcp-server network
  55. add address=192.168.83.0/27 comment="LAN DHCP" gateway=192.168.83.1 dns-server=9.9.9.9,149.112.112.112 ntp-server=150.214.94.10,150.214.94.5
  56.  
  57. /ip pool add name="LAN DHCP" ranges=192.168.83.1-192.168.83.30
  58.  
  59. /ip firewall filter
  60. add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
  61. add action=accept chain=forward comment="Established, Related"  connection-state=established,related
  62. add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
  63. add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
  64. add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
  65. add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
  66. add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.83.0/27
  67.  
  68. /ip firewall address-list
  69. add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
  70. add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
  71. add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
  72. add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
  73. add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
  74. add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
  75. add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
  76. add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
  77. add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
  78. add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
  79. add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
  80. add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
  81. add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
  82. add address=224.0.0.0/4 comment=Multicast list=not_in_internet
  83. add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
  84. add address=255.255.255.255/32 comment=RFC6890 list=not_in_internet
  85.  
  86. /ip firewall filter
  87. add action=add-src-to-address-list address-list="port scanners" \
  88.     address-list-timeout=12w chain=input comment="Port scanners to list " \
  89.     protocol=tcp psd=21,3s,3,1
  90. add action=add-src-to-address-list address-list="port scanners" \
  91.     address-list-timeout=12w chain=input comment="NMAP FIN Stealth scan" \
  92.     protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
  93. add action=add-src-to-address-list address-list="port scanners" \
  94.     address-list-timeout=12w chain=input comment="SYN/FIN scan" protocol=\
  95.     tcp tcp-flags=fin,syn
  96. add action=add-src-to-address-list address-list="port scanners" \
  97.     address-list-timeout=12w chain=input comment="SYN/RST scan" protocol=\
  98.     tcp tcp-flags=syn,rst
  99. add action=add-src-to-address-list address-list="port scanners" \
  100.     address-list-timeout=12w chain=input comment="FIN/PSH/URG scan" \
  101.     protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
  102. add action=add-src-to-address-list address-list="port scanners" \
  103.     address-list-timeout=12w chain=input comment="ALL/ALL scan" protocol=\
  104.     tcp tcp-flags=fin,syn,rst,psh,ack,urg
  105. add action=add-src-to-address-list address-list="port scanners" \
  106.     address-list-timeout=12w chain=input comment="NMAP NULL scan" protocol=\
  107.     tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
  108. add action=drop chain=input comment="dropping port scanners" \
  109.     src-address-list="port scanners"
  110.  
  111. /ip settings set tcp-syncookies=yes
  112.  
  113. /ip firewall filter
  114.  
  115. add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
  116. add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
  117. add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no
  118.  
  119. /ip service
  120. set api disabled=yes
  121. set api-ssl tls-version=only-1.2 disabled=yes
  122. set ftp disabled=yes
  123. set ssh address=192.168.83.0/27 port=22 disabled=no
  124. set telnet disabled=yes
  125. set winbox disabled=yes
  126. set www address=192.168.83.0/27 port=80 disabled=no
  127. set www-ssl tls-version=only-1.2 disabled=yes
  128.  
  129. /tool graphing interface
  130. add allow-address=192.168.83.0/27
  131. /tool graphing queue
  132. add allow-address=192.168.83.0/27
  133. /tool graphing resource
  134. add allow-address=192.168.83.0/27
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!