Sunday, 13 February 2011 01:59
MikroTik RB750 - Basic Firewall & Security
RB750/750G Basic Firewall & Security

Documentation links:
From MikroTik: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall
From Users: http://wiki.mikrotik.com/wiki/Firewall
I'm not familiar with MikroTik and Linux commands; honestly, I'm totally lost reading that wiki documentation!
So basically I just follow the links & guides below, copy & paste to set up:
Basic Example: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Basic_examples
Bruteforce login prevention: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_%28FTP_%26_SSH%29
Drop port scanners: http://wiki.mikrotik.com/wiki/Drop_port_scanners

I can't tell whether it's really working fine or sufficient enough for general usage purposes; please note you use it at your own risk!
I would appreciate it if any MikroTik guru, or anyone who is familiar with this aspect, could advise/comment to further improve this article and help beginners like me; kindly email: klseet@gmail.com
Credit will definitely go to whoever contributes to improving this article; many thanks in advance!

Before starting any new setting, ALWAYS back up the current good setting first.
Go to Files and click the Backup option:
Make sure the backup file is copied to a folder on your computer.

The default configuration does not have an admin password, so it's always advisable to set your own admin password for access to the router.
Go to System --> Password
Enter your own admin password.
Since I only use WinBox to configure the router locally and I do not wish to connect to or run any other services, I chose to disable all of the following services.
You may choose and decide which services to enable/disable according to your requirements.
Go to IP --> Services
Select those services and click the Disable button.
Make sure they are disabled as follows:
Next go to IP --> Firewall
Choose the Service Ports tab, select those services and click Disable.
Make sure they are disabled as follows:
The next step is to set up basic firewall rules.
Please note this setup continues from the UniFi setup article and is based on the assumption that:
Default network segment:
Internet interface: UniFi-Internet
You may need to change the above values according to your actual setup.
For first-time setup, it's easier to use the Terminal and enter the codes.
Click New Terminal and it will show you the command entry screen:
To set up firewall rules & filters, type "/ip firewall filter" and hit enter.
Select & copy those codes (from the list below, after this section); please do it one portion at a time, DO NOT select all at once,
then Paste those codes at the terminal:
Re-confirm the number of entries and make sure there is no error (in red colour).
ALWAYS hit enter and make sure it returns to "[admin@MikroTik] /ip firewall filter>":
Close the Terminal window once confirmed. Now we need to check whether the codes entered are properly listed.
Go to IP --> Firewall
Notice the additional firewall rules are now added:
Select the first 4 default rules and click Disable, since we are creating our own rules.
Make sure they are disabled as follows:
Proceed to enter the remaining codes by following the same steps above, portion by portion, to complete the firewall rules setup.
Once it's completed, you may see the connection statistics like this:

You may need to continue to revise & enhance the rules according to your needs.
Once confirmed, again, ALWAYS make another backup and copy it to your computer!
Codes - Firewall Rules
Note: Enter "/ip firewall filter" at the Terminal window before copying & pasting the following codes.

Allow only the needed ICMP codes in the icmp chain:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

Bruteforce login prevention
Allow only 10 incorrect FTP login answers per minute:
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-
Ban an SSH brute forcer for 10 days after repeated attempts:
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
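The SSH staging ladder above, as an added Python simulation (not from this post or the MikroTik wiki): it models the timed address lists and replays the five input-chain rules in the listed order against connection attempts from one constructed source address. It assumes each new connection is one packet in the input chain, that add-src-to-address-list does not end rule processing (the packet continues to the next rule, which is why the stage rules are listed from highest stage to lowest), and that re-adding an address resets its timeout.

```python
from dataclasses import dataclass, field

MIN, DAY = 60, 86400

# (src-address-list that must match, action, target list, address-list-timeout)
# in the same top-down order as the post's rules; None matches any source.
SSH_RULES = [
    ("ssh_blacklist", "drop", None, 0),
    ("ssh_stage3", "add", "ssh_blacklist", 10 * DAY),
    ("ssh_stage2", "add", "ssh_stage3", 1 * MIN),
    ("ssh_stage1", "add", "ssh_stage2", 1 * MIN),
    (None, "add", "ssh_stage1", 1 * MIN),
]


@dataclass
class AddressLists:
    """Dynamic address-list entries keyed by (list name, ip) -> expiry time."""
    entries: dict = field(default_factory=dict)

    def contains(self, name, ip, now):
        expiry = self.entries.get((name, ip))
        return expiry is not None and expiry > now

    def add(self, name, ip, now, timeout):
        # Assumption: re-adding an address resets its timeout.
        self.entries[(name, ip)] = now + timeout


def new_ssh_connection(lists, ip, now, rules=SSH_RULES):
    """Walk the rules top-down for one new TCP/22 connection; 'drop' or 'pass'."""
    for match_list, action, target, timeout in rules:
        if match_list is not None and not lists.contains(match_list, ip, now):
            continue
        if action == "drop":
            return "drop"
        lists.add(target, ip, now, timeout)  # assumed non-terminating: continue


    return "pass"

def replay(attempt_times, rules=SSH_RULES, ip="198.51.100.7"):
    """Decision for each connection attempt (seconds) from one constructed IP."""
    lists = AddressLists()
    return [new_ssh_connection(lists, ip, t, rules) for t in attempt_times]


if __name__ == "__main__":
    print(replay([0, 10, 20, 30, 40]))       # 4 attempts pass, the 5th is dropped
    print(replay([0, 120, 240, 360, 480]))   # slow attempts never climb the ladder
    print(replay([0, 10], SSH_RULES[:1] + SSH_RULES[1:][::-1]))  # ascending order
```

The last replay shows why the order matters: with the stage rules ascending, a single connection climbs all three stages and is blacklisted at once.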
Drop port scanners
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
Various combinations of TCP flags can also indicate port scanner activity:
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
Drop those IPs in both the input & forward chains:
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Router protection:
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input src-address= action=accept in-interface=!UniFi-Internet
add chain=input action=drop comment="Drop everything else"
Customer protection (forward chain - traffic passing through the router):
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
Block Bogon IP addresses:
add chain=forward src-address= action=drop comment="Block Bogon IP addresses"
add chain=forward dst-address= action=drop
add chain=forward src-address= action=drop
add chain=forward dst-address= action=drop
add chain=forward src-address= action=drop
add chain=forward dst-address= action=drop
Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp comment="Make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
Create a TCP chain and deny some TCP ports in it (revise port numbers as needed):
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
Create a UDP chain and deny some UDP ports in it (revise port numbers as needed):
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"

Last Updated on Monday, 28 February 2011 23:43

