JAWUG:Firewall for Mikrotik



Mikrotik Firewall Filter Rules

How to apply the new rules:

1. Open Winbox
2. Connect to your Mikrotik Router
3. Go to IP > Firewall
4. Select the Filter tab
5. If you have old rules in there, delete them
6. Open a New Terminal (it's in the menu on the left)
7. Copy everything in the box below
8. Paste into Terminal (right click, and paste)

It's fairly comprehensive as a start. It also has a means of tracking your data usage, and it blocks a few common attack types. To turn the blocking off, disable the "drop everything else" filter rule.

You can add rules as your needs further dictate.

Nitrious

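# MikroTik RouterOS firewall filter rules. Paste into a terminal after removing any old rules.
#
# Corrections relative to the posted version:
#  - stray spaces after "=" (e.g. "address-list-timeout= 15s"), which the console does not
#    read as the property's value, have been removed;
#  - the SSH brute-force rules now come BEFORE the jump to the "services" chain. That chain
#    accepts TCP/22, and an accept ends processing, so placed after the jump those rules
#    were never reached for SSH traffic;
#  - "accept localhost" used src-address-list=127.0.0.1 (a list *name*, not an address) and
#    therefore matched nothing; it now uses src-address=127.0.0.1;
#  - SNMP is accepted on UDP/161 (the RouterOS SNMP service listens on UDP).
#
# Within a chain, rule order matters: the first terminating match (accept, drop, tarpit)
# ends processing for that packet. add-src-to-address-list, log and jump-with-return do not.
/ip firewall filter
# --- input chain: port knocking. TCP/1337 puts the source in "knock" for 15s; a TCP/7331
#     packet from a source in "knock" puts it in "safe" for 15m (accepted unconditionally below).
add action=add-src-to-address-list address-list=knock address-list-timeout=15s chain=input comment="fw rules start here" disabled=no dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=15m chain=input comment="" disabled=no dst-port=7331 protocol=tcp src-address-list=knock
# --- input chain: connection tracking
add action=accept chain=input comment="accept established connection packets" connection-state=established disabled=no
add action=accept chain=input comment="accept related connection packets" connection-state=related disabled=no
add action=drop chain=input comment="drop invalid packets" connection-state=invalid disabled=no
# Sources that completed the knock sequence bypass every rule below for the 15m list timeout.
add action=accept chain=input comment="Allow access to router from known network" disabled=no src-address-list=safe
# --- input chain: port-scan and connection-flood handling
add action=drop chain=input comment="detect and drop port scan connections" disabled=no protocol=tcp psd=21,3s,3,1
# A source already in black_list is tarpitted once it holds more than 3 connections;
# any source holding more than 10 TCP connections is put in black_list for a day.
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 disabled=no protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 disabled=no protocol=tcp
# --- input chain: SSH brute-force staging (must precede the jump to "services", see header)
# Each new TCP/22 connection moves the source one stage up (stage1 -> stage2 -> stage3, each
# entry valid for 1m); a fourth new connection while in stage3 puts it in ssh_blacklist for
# 1w3d, after which its SSH traffic is dropped here and in the forward chain below.
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 protocol=tcp
# --- input chain: hand off to the per-protocol / per-service allow-lists
add action=jump chain=input comment="jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" disabled=no jump-target=services
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=no dst-address-type=broadcast
# Logs (prefix "Filter:") every input packet that was not accepted by anything above. Can be noisy.
add action=log chain=input comment="" disabled=no log-prefix=Filter:
add action=drop chain=input comment="drop ftp brute forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
# Shipped with disabled=yes, as in the original. While it is disabled the input chain has no
# default drop: anything not explicitly dropped above is accepted and the "services"
# allow-list has no effect. Set disabled=no only after confirming that the services chain
# covers every way you reach the router, otherwise you can lock yourself out.
add action=drop chain=input comment="drop everything else" disabled=yes
# --- output chain: FTP brute-force detection. Up to 9 "530 Login incorrect" replies, then
#     1 per minute, are allowed per destination; beyond that the destination goes into
#     ftp_blacklist for 3h (and is dropped on TCP/21 in the input chain above).
add action=accept chain=output comment="" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="" content="530 Login incorrect" disabled=no protocol=tcp
# --- forward chain: also block blacklisted SSH sources from reaching hosts behind the router
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# --- ICMP chain: echo reply (0), port unreachable (3:3), fragmentation needed (3:4),
#     echo request (8) and time exceeded (11), each rate-limited to 5/s; everything else dropped
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no protocol=icmp
# --- services chain: services the router itself accepts. Remove any you do not run; each
#     accept here is an open port once "drop everything else" is enabled.
add action=accept chain=services comment="accept localhost" disabled=no dst-address=127.0.0.1 src-address=127.0.0.1
add action=accept chain=services comment="allow MACwinbox " disabled=no dst-port=20561 protocol=udp
add action=accept chain=services comment=winbox disabled=no dst-port=8291 protocol=tcp
# Telnet is unencrypted; prefer SSH/Winbox and drop this rule unless Telnet is actually needed.
add action=accept chain=services comment=Telnet disabled=no dst-port=23 protocol=tcp
add action=accept chain=services comment="SSH for secure shell" disabled=no dst-port=22 protocol=tcp
add action=accept chain=services comment="Bandwidth server" disabled=no dst-port=2000 protocol=tcp
add action=accept chain=services comment=" MT Discovery Protocol" disabled=no dst-port=5678 protocol=udp
add action=accept chain=services comment=uTorrent disabled=no dst-port=53658 protocol=tcp
add action=accept chain=services comment="" disabled=no dst-port=53658 protocol=udp
add action=accept chain=services comment="allow SNMP" disabled=no dst-port=161 protocol=udp
add action=accept chain=services comment="Allow BGP" disabled=no dst-port=179 protocol=tcp
# The original comment on the next rule also says BGP, but BGP is TCP/179 (previous rule);
# what this UDP range is for is not recorded here -- confirm before keeping it.
add action=accept chain=services comment="allow BGP" disabled=no dst-port=5000-5100 protocol=udp
add action=accept chain=services comment="Allow NTP" disabled=no dst-port=123 protocol=udp
add action=accept chain=services comment="Allow PPTP" disabled=no dst-port=1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=no protocol=gre
add action=accept chain=services comment="allow DNS request" disabled=no dst-port=53 protocol=tcp
add action=accept chain=services comment="Allow DNS request" disabled=no dst-port=53 protocol=udp
add action=accept chain=services comment=UPnP disabled=no dst-port=1900 protocol=udp
add action=accept chain=services comment=UPnP disabled=no dst-port=2828 protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=no dst-port=67-68 protocol=udp
add action=accept chain=services comment="DC++ TLS 13336" disabled=no dst-port=13336 protocol=tcp
add action=accept chain=services comment="DC++ TCP 19030" disabled=no dst-port=19030 protocol=tcp
add action=accept chain=services comment="DC++ UDP 12620" disabled=no dst-port=12620 protocol=udp
# Web proxy (8080) and SOCKS (1080) should only be accepted if the hotspot/proxy is in use;
# an exposed proxy can be relayed through by anyone who can reach it.
add action=accept chain=services comment="allow Web Proxy" disabled=no dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow IPIP" disabled=no protocol=ipencap
add action=accept chain=services comment="allow https for Hotspot" disabled=no dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=no dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" disabled=no dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=no protocol=ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=no protocol=ipsec-ah
add action=accept chain=services comment="allow RIP" disabled=no dst-port=520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=no protocol=ospf
# Anything not matched above returns to the input chain (log, then the optional drop-all).
add action=return chain=services comment="" disabled=no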
