Scribd Logo
Upload

Welcome to Scribd!

  • 130 views

    Firewall Mikrotik

    Uploaded by

    tec_danielsoto
    This firewall configuration document contains rules for the MikroTik routerboard firewall to filter traffic inbound and outbound. It defines address lists for bogon IPs and spammers. It sets rules for the forward, input, tcp, udp and icmp chains to drop invalid traffic, block access to ports and IPs, and allow established connections. It also implements rules to detect and block port scanning and brute force attacks.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Firewall Mikrotik

    Uploaded by

    tec_danielsoto
    130 views4 pages
    This firewall configuration document contains rules for the MikroTik routerboard firewall to filter traffic inbound and outbound. It defines address lists for bogon IPs and spammers. It sets rules for the forward, input, tcp, udp and icmp chains to drop invalid traffic, block access to ports and IPs, and allow established connections. It also implements rules to detect and block port scanning and brute force attacks.

    Original Description:

    Mikrotik

    Original Title

    Firewall mikrotik

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This firewall configuration document contains rules for the MikroTik routerboard firewall to filter traffic inbound and outbound. It defines address lists for bogon IPs and spammers. It sets rules for the forward, input, tcp, udp and icmp chains to drop invalid traffic, block access to ports and IPs, and allow established connections. It also implements rules to detect and block port scanning and brute force attacks.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as txt, pdf, or txt
    130 views4 pages

    Firewall Mikrotik

    Uploaded by

    tec_danielsoto
    This firewall configuration document contains rules for the MikroTik routerboard firewall to filter traffic inbound and outbound. It defines address lists for bogon IPs and spammers. It sets rules for the forward, input, tcp, udp and icmp chains to drop invalid traffic, block access to ports and IPs, and allow established connections. It also implements rules to detect and block port scanning and brute force attacks.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as txt, pdf, or txt
    of 4

    /ip firewall address-list

    add address=0.0.0.0/8 list=Bogon-IPs


    add address=127.0.0.0/8 list=Bogon-IPs
    add address=203.0.113.0/24 list=Bogon-IPs
    add address=224.0.0.0/4 list=Bogon-IPs
    add address=240.0.0.0/4 list=Bogon-IPs

    /ip firewall filter

    -- FORWARD --
    add action=accept chain=forward comment="PERMITO RED APs DEL NODO" src-address-
    list=Red_APs
    add action=drop chain=forward comment="DROP BOGON IPs" src-address-list=Bogon-IPs
    add action=drop chain=forward dst-address-list=Bogon-IPs

    -- EDITAR in-interface por la interface/bridge donde estan los clientes


    add action=drop chain=forward comment="DROP BCP38 - IP SPOOFING -DDOS - NAT-
    CLIENTES" in-interface=BR-CLIENTES log=no src-address-list=!NAT-CLIENTES

    -- REGLA POR SI TENGO UN DHCP-GESTION - EDITAR EL SRC-ADDRESS SEGUN CONFIG DE CADA


    UNO
    add action=drop chain=forward comment="DROP BCP38 - IP SPOOFING -DDOS - RED DHCP
    GESTION" in-interface=BR-BAJADA log=no src-address=!192.168.2.0/24

    -- BLOQUEO SPAM
    add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" dst-
    port=25,465,587 protocol=tcp src-address-list=spammer
    add action=add-src-to-address-list address-list=spammer address-list-timeout=1d
    chain=forward connection-limit=25,32 dst-port=25,465,587 limit=40,5:packet
    protocol=tcp

    add action=accept chain=forward comment="CONTROL DE CONEXIONES" connection-


    state=established,related
    add action=drop chain=forward connection-state=invalid

    -- AQUI SALTO A DROPEAR COSAS BASICAS EN LAS CADENAS TCP-UDP-ICMP


    add action=jump chain=forward jump-target=tcp protocol=tcp
    add action=jump chain=forward jump-target=udp protocol=udp
    add action=jump chain=forward jump-target=icmp protocol=icmp

    -- EDITAR LA in-interface por la ether-wan que corresponda:


    1era regla:
    add chain=forward action=accept in-interface=wan_interface connection-nat-
    state=dstnat connection-state=established,related

    2da regla: guardo las direcciones para revisarlas si es necesario. No es


    obligatorio el uso de esta.
    add action=add-src-to-address-list address-list=ConnStateDSTNAT address-list-
    timeout=1d chain=forward comment="DROP CONEXIONES NUEVAS DESDE LA WAN A LA LAN CON
    DSTNAT" \
    connection-nat-state=!dstnat connection-state=new dst-address-list=!Red_APs in-
    interface=ether1-WAN

    3ra regla:
    add action=drop chain=forward comment="DROP CONEXIONES NUEVAS DESDE LA WAN A LA LAN
    CON DSTNAT" connection-nat-state=!dstnat connection-state=new dst-address-list=\
    !Red_APs in-interface=ether1-WAN
    -- INPUT --

    add action=accept chain=input comment="ACEPTO ICMP" protocol=icmp


    add action=accept chain=input comment="CONTROL DE CONEXIONES" connection-
    state=established,related
    add action=drop chain=input connection-state=invalid

    -- BLOQUEO ACCESOS AL DNS DESDE AFUERA


    add action=reject chain=input dst-port=53 in-interface=ether1-WAN log-prefix=rejec-
    dns protocol=udp reject-with=icmp-port-unreachable
    add action=reject chain=input dst-port=53 in-interface=ether1-WAN log-prefix=rejec-
    dns protocol=tcp reject-with=icmp-port-unreachable
    -- BLOQUEO ACCESO DESDE AFUERA A PUERTOS MAS CONOCIDOS
    add action=drop chain=input dst-port=3128,8080 in-interface=ether1-WAN protocol=tcp
    add action=drop chain=input dst-port=3128,8080 in-interface=ether1-WAN protocol=tcp
    add action=drop chain=input dst-port=123 in-interface=ether1-WAN protocol=udp
    add action=drop chain=input dst-port=123 in-interface=ether1-WAN protocol=udp
    add action=drop chain=input dst-port=161,162 in-interface=ether1-WAN protocol=udp
    add action=drop chain=input dst-port=161,162 in-interface=ether1-WAN protocol=udp
    -- BLOQUEO INTENTOS ACCESOS A FTP-SSH BRUTE FORCE
    add action=drop chain=input comment="drop ftp brute forcers" dst-port=21
    protocol=tcp src-address-list=ftp_blacklist
    add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-
    address/1m protocol=tcp
    add action=add-dst-to-address-list address-list=ftp_blacklist address-list-
    timeout=3h chain=output content="530 Login incorrect" protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22,23
    protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-
    timeout=1w3d chain=input connection-state=new dst-port=22,23 protocol=tcp src-
    address-list=\
    ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
    chain=input connection-state=new dst-port=22,23 protocol=tcp src-address-list=\
    ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
    chain=input connection-state=new dst-port=22,23 protocol=tcp src-address-list=\
    ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
    chain=input connection-state=new dst-port=22,23 protocol=tcp
    add action=add-src-to-address-list address-list="port scanners" address-list-
    timeout=0s chain=input comment="detect and drop port scan connections" protocol=tcp
    psd=\
    21,3s,3,1

    -- BLOQUEO INTENTOS ACCESOS TIPO PORT SCANNER


    add action=drop chain=input comment="detect and drop port scan connections"
    protocol=tcp src-address-list="port scanners"
    add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32
    protocol=tcp src-address-list=black_list
    add action=add-src-to-address-list address-list=black_list address-list-timeout=1d
    chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
    add action=add-src-to-address-list address-list="port scanners" address-list-
    timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
    add action=add-src-to-address-list address-list="port scanners" address-list-
    timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
    add action=add-src-to-address-list address-list="port scanners" address-list-
    timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
    add action=add-src-to-address-list address-list="port scanners" address-list-
    timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
    add action=add-src-to-address-list address-list="port scanners" address-list-
    timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-
    flags=fin,syn,rst,psh,ack,urg
    add action=add-src-to-address-list address-list="port scanners" address-list-
    timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg

    -- BLOQUEOS VARIOS TCP -- OJO CON LOS SERVICIOS QUE CADA UNO PUEDE ESTAR OCUPANDO Y
    QUE PUEDEN QUEDAR FILTRADOS

    add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp


    add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
    add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
    add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
    add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
    add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
    add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
    add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
    add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
    add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp

    -- BLOQUEOS VARIOS UDP -- OJO CON LOS SERVICIOS QUE CADA UNO PUEDE ESTAR OCUPANDO Y
    QUE PUEDEN QUEDAR FILTRADOS

    add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp


    add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
    add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
    add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
    add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
    add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp

    -- LIMITO ICMP -- OJO CON LOS SERVICIOS QUE CADA UNO PUEDE ESTAR OCUPANDO Y QUE
    PUEDEN QUEDAR FILTRADOS
    add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
    add action=accept chain=icmp comment="net unreachable" icmp-options=3:0
    protocol=icmp
    add action=accept chain=icmp comment="host unreachable" icmp-options=3:1
    protocol=icmp
    add action=accept chain=icmp comment="host unreachable fragmentation required"
    icmp-options=3:4 protocol=icmp
    add action=accept chain=icmp comment="allow source quench" icmp-options=4:0
    protocol=icmp
    add action=accept chain=icmp comment="allow echo request" icmp-options=8:0
    protocol=icmp
    add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0
    protocol=icmp
    add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0
    protocol=icmp
    add action=drop chain=icmp comment="deny all other types"

    ESTA REGLA ES PARA QUE FUNCIONE EL DHCP SI ES QUE LO TENES CORRIENDO EN LA


    INTERFACE QUE QUIERAS (RAW SE PROCESA ANTES QUE OTRAS)
    /ip firewall raw
    add action=accept chain=prerouting comment="PERMITO NEGOCIACION DE DHCP" in-
    interface=ETHER-CON-DHCP protocol=udp src-port=68

    You might also like