Hafixie93

Awards

Dec 10th, 2020
375
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Java 5 5.80 KB | None | 0 0
  1. /ip ssh
  2. set strong-crypto=yes
  3. /system clock
  4. set time-zone-name=Europe/Madrid
  5. /ip dns
  6. set servers=8.8.8.8,8.8.4.4 allow-remote-requests=no
  7. /tool bandwidth-server
  8. set enabled=no
  9. /ip proxy
  10. set enabled=no
  11. /ip socks
  12. set enabled=no
  13. /ip upnp
  14. set enabled=no
  15. /ip cloud
  16. set ddns-enabled=yes ddns-update-interval=15m
  17. /system ntp client
  18. set enabled=yes server-dns-names=ntp.roa.es,hora.roa.es
  19. /ip dns
  20. set allow-remote-requests=no
  21.  
  22. /user
  23. add name=power password="brubaker" group=full
  24.  
  25. /user
  26. disable admin
  27.  
  28. /ip firewall service-port
  29. disable dccp
  30. disable ftp
  31. disable h323
  32. disable irc
  33. disable pptp
  34. disable sctp
  35. disable sip
  36. disable tftp
  37. disable udplite
  38.  
  39. /ip firewall filter
  40. add action=accept chain=input comment="default configuration" connection-state=established,related
  41. add action=accept chain=input src-address-list=allowed_to_router
  42. add action=accept chain=input protocol=icmp
  43. add action=drop chain=input connection-state=invalid log=yes
  44.  
  45. /ip firewall address-list
  46. add address=192.168.83.0/27 list=allowed_to_router
  47.  
  48. /ip address
  49. add address=192.168.83.1/27 interface=bridge network=192.168.83.0
  50.  
  51. /ip dhcp-server
  52. add address-pool="LAN DHCP" disabled=no interface=bridge name="LAN DHCP" lease-time=12h
  53.  
  54. /ip dhcp-server network
  55. add address=192.168.83.0/27 comment="LAN DHCP" gateway=192.168.83.1 dns-server=9.9.9.9,149.112.112.112 ntp-server=150.214.94.10,150.214.94.5
  56.  
  57. /ip pool add name="LAN DHCP" ranges=192.168.83.1-192.168.83.30
  58.  
  59. /ip firewall filter
  60. add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
  61. add action=accept chain=forward comment="Established, Related"  connection-state=established,related
  62. add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
  63. add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
  64. add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
  65. add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
  66. add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.83.0/27
  67.  
  68. /ip firewall address-list
  69. add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
  70. add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
  71. add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
  72. add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
  73. add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
  74. add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
  75. add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
  76. add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
  77. add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
  78. add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
  79. add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
  80. add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
  81. add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
  82. add address=224.0.0.0/4 comment=Multicast list=not_in_internet
  83. add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
  84. add address=255.255.255.255/32 comment=RFC6890 list=not_in_internet
  85.  
  86. /ip firewall filter
  87. add action=add-src-to-address-list address-list="port scanners" \
  88.     address-list-timeout=12w chain=input comment="Port scanners to list " \
  89.     protocol=tcp psd=21,3s,3,1
  90. add action=add-src-to-address-list address-list="port scanners" \
  91.     address-list-timeout=12w chain=input comment="NMAP FIN Stealth scan" \
  92.     protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
  93. add action=add-src-to-address-list address-list="port scanners" \
  94.     address-list-timeout=12w chain=input comment="SYN/FIN scan" protocol=\
  95.     tcp tcp-flags=fin,syn
  96. add action=add-src-to-address-list address-list="port scanners" \
  97.     address-list-timeout=12w chain=input comment="SYN/RST scan" protocol=\
  98.     tcp tcp-flags=syn,rst
  99. add action=add-src-to-address-list address-list="port scanners" \
  100.     address-list-timeout=12w chain=input comment="FIN/PSH/URG scan" \
  101.     protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
  102. add action=add-src-to-address-list address-list="port scanners" \
  103.     address-list-timeout=12w chain=input comment="ALL/ALL scan" protocol=\
  104.     tcp tcp-flags=fin,syn,rst,psh,ack,urg
  105. add action=add-src-to-address-list address-list="port scanners" \
  106.     address-list-timeout=12w chain=input comment="NMAP NULL scan" protocol=\
  107.     tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
  108. add action=drop chain=input comment="dropping port scanners" \
  109.     src-address-list="port scanners"
  110.  
  111. /ip settings set tcp-syncookies=yes
  112.  
  113. /ip firewall filter
  114.  
  115. add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
  116. add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
  117. add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no
  118.  
  119. /ip service
  120. set api disabled=yes
  121. set api-ssl tls-version=only-1.2 disabled=yes
  122. set ftp disabled=yes
  123. set ssh address=192.168.83.0/27 port=22 disabled=no
  124. set telnet disabled=yes
  125. set winbox disabled=yes
  126. set www address=192.168.83.0/27 port=80 disabled=no
  127. set www-ssl tls-version=only-1.2 disabled=yes
  128.  
  129. /tool graphing interface
  130. add allow-address=192.168.83.0/27
  131. /tool graphing queue
  132. add allow-address=192.168.83.0/27
  133. /tool graphing resource
  134. add allow-address=192.168.83.0/27
Add Comment
Please, Sign In to add comment