Script El Chido

#
# Basic Operational CPE configuration to Star Network

# Save this file as 'configscript.rsc' and drag it to the files window.
# At the command line, type '/import configscript.rsc' and read the
# logs!
#
#
#################################################################
#
# The purpose of this script is to create a standard SOHO type
# configuration which can be used for Star tech dept.
# It does provide a complete solution, just install
# to get you up and running.
#
#################################################################
# WARNING
# As this script stands, it will trash your existing configuration
# so don't run it on a router which has been customised or it won't
# be any more!
#
# DO NOT run this on a live network production system.
#
# We recommend that your configuration be cleared with the command
# '/system routerboard reset-configuration'
# before this script is run.
#################################################################
#
# Variables Site
:local adminpassword "1A2S3D4F5G";
:local soportepassword "50p0rt35TAR";
:local cpename "CPE";
:local clientename "Cpe";
#
#
################################################################
# Don't change anything below this line. Please!
#
################################################################
#
#
# Set up logging so we get more than the standard 100 lines.
/system logging action set memory memory-lines=500
# Cleaning environment
/ip address remove [find];
/system leds remove [find];
/interface wireless enable wlan1
# Add IP default LAN

/ip address add address=192.168.200.254/24 disabled=no interface=ether1
network=192.168.200.0
# Add DHCP Server

/ip pool add name=dhcp_pool1 ranges=192.168.200.20-192.168.200.40;
/ip dhcp-server add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-
support=\
static disabled=no interface=ether1 lease-time=12h name=dhcp1;
/ip dhcp-server config set store-leases-disk=5m;
/ip dhcp-server network add address=192.168.200.0/24 dns-server=192.168.200.254
gateway=\
192.168.200.254;
# Add DHCP Cliente

/ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=wlan1
# Setting DNS
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=4096KiB \
max-udp-packet-size=512 servers=4.2.2.2,4.2.2.4,8.8.8.8;
# Setting FIREWALL completo

/ip firewall address-list
add address=192.168.200.0/24 comment=\
"Lista de direcciones de usuarios con capacidad de administracion" \
disabled=no list=Administradores;
add address=10.56.0.0/16 disabled=no list=Star-Admins
add address=172.17.1.0/24 disabled=no list=Administradores
add address=172.20.2.0/24 disabled=no list=Administradores
/ip firewall connection tracking set enabled=yes generic-timeout=10m icmp-

timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s\ tcp-time-wait-timeout=10s
udp-stream-timeout=3m udp-timeout=10s;
/ip firewall filter

add action=accept chain=forward comment="Aceptar establecidas" connection-
state=established disabled=no
add action=accept chain=forward comment="Aceptar relacionadas" connection-
state=related disabled=no
add action=accept chain=forward comment="Aceptar nuevas" connection-state=new
disabled=no
add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS"
disabled=no dst-port=25 protocol=\
tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d
chain=forward comment=\
"Detect and add-list SMTP virus or spammers" connection-limit=30,32 disabled=no
dst-port=25 limit=50,5 \
protocol=tcp
add action=accept chain=input comment="conexiones establecidas" connection-
state=established disabled=no
add action=accept chain=input comment="Permite acceso a Paginas WEB a
Administradores" disabled=no \
dst-port=443 protocol=tcp src-address-list=Star-Admins
add action=drop chain=input comment="Negar acceso general a puerto 443" disabled=no
dst-port=443 protocol=\
tcp
add action=drop chain=input comment="Tirar trafico WEB entrante" disabled=no dst-
port=80 protocol=tcp
add action=accept chain=input comment="Conexions nuevas" connection-state=new
disabled=no
add action=accept chain=input comment="conexiones Relacionadas" connection-
state=related disabled=no
add action=add-src-to-address-list address-list="port scanners" address-list-
timeout=2w chain=input \
comment="Port scanners to list " disabled=no protocol=tcp psd=21,3s,3,1
comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!
rst,!psh,!ack,!urg
comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!
syn,!rst,!ack
comment="ALL/ALL scan" disabled=no protocol=tcp tcp-
flags=fin,syn,rst,psh,ack,urg
comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!
psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-
address-list="port scanners"
add action=drop chain=input comment="Rechazar conexiones invalidas" connection-
state=invalid disabled=no
add action=drop chain=input comment="Detecta y descarta las conexiones de Port-
SCAN" disabled=no protocol=\
tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suprime los ataques DOS" connection-
limit=3,32 disabled=no \
protocol=tcp src-address-list=back-list
add action=add-src-to-address-list address-list=back-list address-list-timeout=1d
chain=input comment=\
"Detecta Ataques DOS" connection-limit=10,32 disabled=no protocol=tcp
add action=accept chain=input comment="Acceso a Administradores" disabled=no src-
address-list=\
Administradores
add action=jump chain=input disabled=no jump-target=ICMP
add action=accept chain=ICMP comment="0:0 And Limit for 5pac/s\"" disabled=no icmp-
options=0:0-255 \
ipv4-options=strict-source-routing limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 And limit for 5pac/s" disabled=no icmp-
options=3:3 limit=5,5 \
protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-
options=3:4 limit=5,5 \
protocol=icmp
options=8:0-255 limit=5,5 \
protocol=icmp
options=11:0-255 limit=\
5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop Everything ICMP" disabled=no protocol=icmp
add action=drop chain=input comment="Drop FTP Brute Forcers" disabled=no dst-
port=21 protocol=tcp \
src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login Incorrect" disabled=no dst-
limit=1/1m,9,dst-address/1m \
protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-
timeout=3h chain=output \
content="530 Login Incorrect" disabled=no protocol=tcp
add action=drop chain=input comment="Drop SSH brute forcers" disabled=no dst-
port=22 protocol=tcp \
src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-
timeout=1w3d chain=input \
connection-state=new disabled=no dst-port=22 protocol=tcp src-address-
list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
chain=input \
list=ssh_stage2
chain=input \
list=ssh_stage1
chain=input \
connection-state=new disabled=no dst-port=22 protocol=tcp
add action=accept chain=forward comment="Administradores pueden hacer forward"
disabled=no \
src-address-list=Administradores
add action=jump chain=forward comment="FWD - saltar a chain virus" disabled=no
jump-target=virus
add action=drop chain=input disabled=no
add action=drop chain=forward comment="Descarta todo Forward no autorizado"
disabled=no
add action=drop chain=forward disabled=no
add action=drop chain=virus comment="LISTA DE virus" disabled=no protocol=tcp src-
port=445
add action=drop chain=virus disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no protocol=udp
src-port=445
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445
protocol=udp
add action=drop chain=virus disabled=no protocol=tcp src-port=135-139
add action=drop chain=virus disabled=no protocol=udp src-port=135-139
add action=drop chain=virus disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment=NA disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus comment=NA disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080
protocol=tcp
add action=drop chain=virus comment=NA disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363
protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364
protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368
protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373
protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434
protocol=tcp
add action=drop chain=virus comment="Bagle virus" disabled=no dst-port=2745
protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283
protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745
protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=3127
protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866
protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898
protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000
protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080
protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345
protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300
protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374
protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-
add action=drop chain=virus disabled=no dst-port=513 protocol=udp
add action=drop chain=virus comment="2000 cracks" disabled=no dst-port=6776
protocol=tcp
add action=drop chain=virus comment="Acid Battery" disabled=no dst-port=32418
protocol=tcp
add action=drop chain=virus comment="Acid Shivers" disabled=no dst-port=10520
protocol=tcp
add action=drop chain=virus comment="Agent 31" disabled=no dst-port=31 protocol=tcp
add action=drop chain=virus comment="Agent 40421" disabled=no dst-port=40421
protocol=tcp
add action=drop chain=virus comment="Aim Spy" disabled=no dst-port=777 protocol=tcp
add action=drop chain=virus comment=Ambush disabled=no dst-port=10666 protocol=tcp
add action=drop chain=virus comment="AOL Trojan" disabled=no dst-port=30029
protocol=tcp
add action=drop chain=virus comment="Attack FTP" disabled=no dst-port=666
protocol=tcp
add action=drop chain=virus comment="Back Orifice" disabled=no dst-port=31337-31338
protocol=tcp
add action=drop chain=virus comment="Back Orifice 2000" disabled=no dst-port=54320-
54321 protocol=tcp
add action=drop chain=virus comment="Back Orifice DLL" disabled=no dst-port=1349
protocol=udp
add action=drop chain=virus comment=BackDoor disabled=no dst-port=1999 protocol=tcp
add action=drop chain=virus comment=BackDoor-G disabled=no dst-port=1243
protocol=tcp
add action=drop chain=virus comment=BackDoor-QE disabled=no dst-port=10452
protocol=tcp
add action=drop chain=virus comment=BackDoor-QO disabled=no dst-port=3332
protocol=tcp
add action=drop chain=virus comment=BackDoor-QR disabled=no dst-port=12973-12975
protocol=tcp
add action=drop chain=virus comment=BackFire disabled=no dst-port=31337
protocol=tcp
add action=drop chain=virus comment="Baron Night" disabled=no dst-port=31337
protocol=tcp
add action=drop chain=virus comment="Big Gluck (TN)" disabled=no dst-port=34324
protocol=tcp
add action=drop chain=virus comment=BioNet disabled=no dst-port=12349 protocol=tcp
add action=drop chain=virus comment=Bla disabled=no dst-port=1042 protocol=tcp
add action=drop chain=virus comment="BO client" disabled=no dst-port=31337
protocol=tcp
add action=drop chain=virus comment="BO Facil" disabled=no dst-port=5556-5557
protocol=tcp
add action=drop chain=virus comment="Bo Wack" disabled=no dst-port=31336
protocol=tcp
add action=drop chain=virus comment=BoBo disabled=no dst-port=4321 protocol=tcp
add action=drop chain=virus comment="BOWhack " disabled=no dst-port=31666
protocol=tcp
add action=drop chain=virus comment="BrainSpy " disabled=no dst-port=10101
protocol=tcp
add action=drop chain=virus comment=Bubbel disabled=no dst-port=5000 protocol=tcp
add action=drop chain=virus comment=BugBear disabled=no dst-port=36794 protocol=tcp
add action=drop chain=virus comment=Bugs disabled=no dst-port=2115 protocol=tcp
add action=drop chain=virus comment=Bunker-Hill disabled=no dst-port=61348
protocol=tcp
add action=drop chain=virus comment="Cain e Abel" disabled=no dst-port=666
protocol=tcp
add action=drop chain=virus comment=Chargen disabled=no dst-port=9 protocol=udp
add action=drop chain=virus comment=Chupacabra disabled=no dst-port=20203
protocol=tcp
add action=drop chain=virus comment=Coma disabled=no dst-port=10607 protocol=tcp
add action=drop chain=virus comment="Cyber Attacker" disabled=no dst-port=9876
protocol=tcp
add action=drop chain=virus comment="Dark Shadow " disabled=no dst-port=911
protocol=tcp
add action=drop chain=virus comment=Death disabled=no dst-port=2 protocol=tcp
add action=drop chain=virus comment="Deep Back Orifice" disabled=no dst-port=31338
protocol=tcp
add action=drop chain=virus comment="Deep Throat" disabled=no dst-port=41
protocol=tcp
add action=drop chain=virus comment="Deep Throat v2" disabled=no dst-port=6670
protocol=tcp
add action=drop chain=virus comment="Deep Throat v3" disabled=no dst-port=6674
protocol=tcp
add action=drop chain=virus comment=DeepBO disabled=no dst-port=31337 protocol=udp
add action=drop chain=virus comment=DeepThroat disabled=no dst-port=999
protocol=tcp
add action=drop chain=virus comment="Delta Source" disabled=no dst-port=26274
protocol=udp
add action=drop chain=virus comment="Der Spacher 3" disabled=no dst-port=1000-1001
protocol=tcp
add action=drop chain=virus comment=Devil disabled=no dst-port=65000 protocol=tcp
add action=drop chain=virus comment="Digital RootBeer" disabled=no dst-port=2600
protocol=tcp
add action=drop chain=virus comment="DMsetup " disabled=no dst-port=58-59
protocol=tcp
add action=drop chain=virus comment="Donald Dick" disabled=no dst-port=23476-23477
protocol=tcp
add action=drop chain=virus comment=DRAT disabled=no dst-port=48 protocol=tcp
add action=drop chain=virus comment="DUN Control" disabled=no dst-port=12623
protocol=udp
add action=drop chain=virus comment=Eclipse disabled=no dst-port=2000 protocol=tcp
add action=drop chain=virus comment=Eclypse disabled=no dst-port=3801 protocol=udp
add action=drop chain=virus comment="Evil FTP" disabled=no dst-port=23456
protocol=tcp
add action=drop chain=virus comment="File Nail" disabled=no dst-port=4567
protocol=tcp
add action=drop chain=virus comment=Firehotcker disabled=no dst-port=79
protocol=tcp
add action=drop chain=virus comment=Fore disabled=no dst-port=50766 protocol=tcp
add action=drop chain=virus comment=FTP99cmp disabled=no dst-port=1492 protocol=tcp
add action=drop chain=virus comment="Gaban Bus" disabled=no dst-port=12345-12346
protocol=tcp
add action=drop chain=virus comment="GirlFriend " disabled=no dst-port=21554
protocol=tcp
add action=drop chain=virus comment=Gjamer disabled=no dst-port=12076 protocol=tcp
add action=drop chain=virus comment="Hack '99 KeyLogger" disabled=no dst-port=12223
protocol=tcp
add action=drop chain=virus comment="Hack 'a' Tack" disabled=no dst-port=31780-
31785 protocol=tcp
add action=drop chain=virus comment="Hack 'a' Tack" disabled=no dst-port=31791-
31792 protocol=udp
add action=drop chain=virus comment="HackCity Ripper Pro" disabled=no dst-port=2023
protocol=tcp
add action=drop chain=virus comment="Hackers Paradise " disabled=no dst-port=31
protocol=tcp
add action=drop chain=virus comment=HackOffice disabled=no dst-port=8897
protocol=tcp
add action=drop chain=virus comment="Happy 99" disabled=no dst-port=119
protocol=tcp
add action=drop chain=virus comment="Hidden Port" disabled=no dst-port=99
protocol=tcp
add action=drop chain=virus comment="Host Control " disabled=no dst-port=6669
protocol=tcp
add action=drop chain=virus comment="HVL Rat5" disabled=no dst-port=2283
protocol=tcp
add action=drop chain=virus comment=icKiller disabled=no dst-port=7789 protocol=tcp
add action=drop chain=virus comment="ICQ (ICQ.com - community, people search and
messaging service!)" \
disabled=no dst-port=1027-1029 protocol=tcp
add action=drop chain=virus comment="ICQ Revenge" disabled=no dst-port=16772
protocol=tcp
add action=drop chain=virus comment="ICQ Revenge" disabled=no dst-port=19864
protocol=tcp
add action=drop chain=virus comment="ICQ Trojan" disabled=no dst-port=4590
protocol=tcp
add action=drop chain=virus comment="Illusion Mailer" disabled=no dst-port=2155
protocol=tcp
add action=drop chain=virus comment=InCommand disabled=no dst-port=9400
protocol=tcp
add action=drop chain=virus comment=Indoctrination disabled=no dst-port=6939
protocol=tcp
add action=drop chain=virus comment=Infector disabled=no dst-port=146 protocol=tcp
add action=drop chain=virus comment=iNi-Killer disabled=no dst-port=555
protocol=tcp
add action=drop chain=virus comment="Insane Network" disabled=no dst-port=2000
protocol=tcp
add action=drop chain=virus comment=IRC-3 disabled=no dst-port=6969 protocol=tcp
add action=drop chain=virus comment=JammerKillah disabled=no dst-port=121
protocol=tcp
add action=drop chain=virus comment=Kazimas disabled=no dst-port=113 protocol=tcp
add action=drop chain=virus comment="Kuang2 " disabled=no dst-port=17300
protocol=tcp
add action=drop chain=virus comment=Logged disabled=no dst-port=20203 protocol=tcp
add action=drop chain=virus comment="Masters' Paradise" disabled=no dst-port=3129
protocol=tcp
add action=drop chain=virus comment="Mavericks Matrix" disabled=no dst-port=1269
protocol=tcp
add action=drop chain=virus comment=Millenium disabled=no dst-port=20000-20001
protocol=tcp
add action=drop chain=virus comment=MiniCommand disabled=no dst-port=1050
protocol=tcp
add action=drop chain=virus comment=Mosucker disabled=no dst-port=16484
protocol=tcp
add action=drop chain=virus comment=Nephron disabled=no dst-port=17777 protocol=tcp
add action=drop chain=virus comment="Net Controller" disabled=no dst-port=123
protocol=tcp
add action=drop chain=virus comment="Netbios datagram (DoS Attack)" disabled=no
dst-port=138 protocol=tcp
add action=drop chain=virus comment="Netbios name (DoS Attack)" disabled=no dst-
add action=drop chain=virus comment="Netbios session (DoS Attack)" disabled=no dst-
add action=drop chain=virus comment="NetBus Pro" disabled=no dst-port=20034
protocol=tcp
add action=drop chain=virus comment=NetMetropolitan disabled=no dst-port=5031
protocol=tcp
add action=drop chain=virus comment=NetMonitor disabled=no dst-port=7300-7301
protocol=tcp
add action=drop chain=virus comment=NetRaider disabled=no dst-port=57341
protocol=tcp
add action=drop chain=virus comment=NETrojan disabled=no dst-port=1313 protocol=tcp
add action=drop chain=virus comment=NetSphere disabled=no dst-port=30100-30103
protocol=tcp
add action=drop chain=virus comment=NetSpy disabled=no dst-port=1024-1033
protocol=tcp
add action=drop chain=virus comment=NoBackO disabled=no dst-port=1200-1201
protocol=udp
add action=drop chain=virus comment="One of the Last Trojan (OOTLT)" disabled=no
dst-port=5011 protocol=\
tcp
add action=drop chain=virus comment="OpC BO" disabled=no dst-port=1969 protocol=tcp
add action=drop chain=virus comment="Phineas Phucker" disabled=no dst-port=2801
protocol=tcp
add action=drop chain=virus comment="Portal of Doom" disabled=no dst-port=10067
protocol=udp
add action=drop chain=virus comment=Priority disabled=no dst-port=16969
protocol=tcp
add action=drop chain=virus comment=Progenic disabled=no dst-port=11223
protocol=tcp
add action=drop chain=virus comment=Prosiak disabled=no dst-port=22222 protocol=tcp
add action=drop chain=virus comment="Psyber Stream Server" disabled=no dst-
add action=drop chain=virus comment=Rasmin disabled=no dst-port=531 protocol=tcp
add action=drop chain=virus comment=RAT disabled=no dst-port=1095 protocol=tcp
add action=drop chain=virus comment=RC disabled=no dst-port=65535 protocol=tcp
add action=drop chain=virus comment=Rcon disabled=no dst-port=8989 protocol=tcp
add action=drop chain=virus comment="Remote Grab" disabled=no dst-port=7000
protocol=tcp
add action=drop chain=virus comment="Remote Windows Shutdown" disabled=no dst-
add action=drop chain=virus comment=Robo-Hack disabled=no dst-port=5596
protocol=tcp
add action=drop chain=virus comment="Satanz backDoor" disabled=no dst-port=666
protocol=tcp
add action=drop chain=virus comment=ScheduleAgent disabled=no dst-port=6667
protocol=tcp
add action=drop chain=virus comment="School Bus" disabled=no dst-port=54321
protocol=tcp
add action=drop chain=virus comment=Schwindler disabled=no dst-port=21554
protocol=tcp
add action=drop chain=virus comment="Secret Agent " disabled=no dst-port=11223
protocol=tcp
add action=drop chain=virus comment="Secret Service" disabled=no dst-port=605
protocol=tcp
add action=drop chain=virus comment="Senna Spy FTP Server" disabled=no dst-
add action=drop chain=virus comment=ServeMe disabled=no dst-port=5555 protocol=tcp
add action=drop chain=virus comment="Shit Heep" disabled=no dst-port=6912
protocol=tcp
add action=drop chain=virus comment=ShockRave disabled=no dst-port=1981
protocol=tcp
add action=drop chain=virus comment=Sivka-Burka disabled=no dst-port=1600
protocol=tcp
add action=drop chain=virus comment="SK Silencer" disabled=no dst-port=1001
protocol=tcp
add action=drop chain=virus comment=Socket25 disabled=no dst-port=30303
protocol=tcp
add action=drop chain=virus comment=SoftWAR disabled=no dst-port=1207 protocol=tcp
add action=drop chain=virus comment="Spirit 2001a " disabled=no dst-port=33911
protocol=tcp
add action=drop chain=virus comment=SpySender disabled=no dst-port=1807
protocol=tcp
add action=drop chain=virus comment="Streaming Audio trojan" disabled=no dst-
add action=drop chain=virus comment=Striker disabled=no dst-port=2565 protocol=tcp
add action=drop chain=virus comment=SubSeven disabled=no dst-port=1243 protocol=tcp
add action=drop chain=virus comment="SubSeven Apocalypse" disabled=no dst-port=1243
protocol=tcp
add action=drop chain=virus comment=Syphillis disabled=no dst-port=10086
protocol=tcp
add action=drop chain=virus comment="TCP Wrappers" disabled=no dst-port=421
protocol=tcp
add action=drop chain=virus comment=TeleCommando disabled=no dst-port=61466
protocol=tcp
add action=drop chain=virus comment="The Invasor" disabled=no dst-port=2140
protocol=tcp
add action=drop chain=virus comment="The Prayer" disabled=no dst-port=2716
protocol=tcp
add action=drop chain=virus comment="The Spy" disabled=no dst-port=40412
protocol=tcp
add action=drop chain=virus comment="The Thing" disabled=no dst-port=6000
protocol=tcp
add action=drop chain=virus comment="The Thing" disabled=no dst-port=6400
protocol=tcp
add action=drop chain=virus comment="The Traitor" disabled=no dst-port=65432
protocol=tcp
add action=drop chain=virus comment="The Trojan Cow" disabled=no dst-port=2001
protocol=tcp
add action=drop chain=virus comment="The Unexplained" disabled=no dst-port=29891
protocol=udp
add action=drop chain=virus comment="Tiny Telnet Server" disabled=no dst-port=34324
protocol=tcp
add action=drop chain=virus comment=TransScout disabled=no dst-port=1999-2005
protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=34555 protocol=udp
add action=drop chain=virus comment="Ugly FTP" disabled=no dst-port=23456
protocol=tcp
add action=drop chain=virus comment="Ultor's Trojan" disabled=no dst-port=1234
protocol=tcp
add action=drop chain=virus comment=Vampire disabled=no dst-port=1020 protocol=tcp
add action=drop chain=virus comment="Vampyre " disabled=no dst-port=6669
protocol=tcp
add action=drop chain=virus comment="Virtual Hacking Machine " disabled=no dst-
add action=drop chain=virus comment=Voice disabled=no dst-port=1170 protocol=tcp
add action=drop chain=virus comment="Voodoo Doll" disabled=no dst-port=1245
protocol=tcp
add action=drop chain=virus comment="Wack-a-mole " disabled=no dst-port=12361-12362
protocol=tcp
add action=drop chain=virus comment="Web Ex" disabled=no dst-port=1001 protocol=tcp
add action=drop chain=virus comment=WhackJob disabled=no dst-port=12631
protocol=tcp
add action=drop chain=virus comment=WinHole disabled=no dst-port=1080-1082
protocol=tcp
add action=drop chain=virus comment=Xplorer disabled=no dst-port=2300 protocol=tcp
add action=drop chain=virus comment=Xtcp disabled=no dst-port=5550 protocol=tcp
add action=drop chain=virus comment=YAT disabled=no dst-port=37651 protocol=tcp
/ip firewall mangle

add action=mark-connection chain=prerouting comment=SIP connection-type=sip
disabled=\
no new-connection-mark=SIP-TRAFFIC passthrough=yes
add action=mark-connection chain=prerouting comment="UDP Alestra" connection-
bytes=0 \
disabled=no dst-address-list="!Segmento VoIP Alestra" new-connection-mark=\
SIP-TRAFFIC passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=SIP-UDP-ALESTRA connection-mark=\
SIP-TRAFFIC disabled=no new-packet-mark=PAQUETES_VOIP passthrough=no
add action=mark-connection chain=prerouting comment=IPTV disabled=no \
new-connection-mark=IPTV-TRAFFIC passthrough=yes src-address-list=Streamers
add action=mark-packet chain=prerouting connection-mark=IPTV-TRAFFIC disabled=no \
new-packet-mark=PAQUETES-IPTV passthrough=no
add action=mark-connection chain=prerouting comment="ICMP (Ping)" disabled=no \
new-connection-mark=icmp_conn passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp_conn disabled=no \
new-packet-mark=icmp passthrough=no
add action=mark-connection chain=prerouting comment=DNS disabled=no dst-port=53 \
new-connection-mark=dns_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=dns_conn disabled=no \
new-packet-mark=dns passthrough=no
add action=mark-connection chain=prerouting comment=Http disabled=no dst-port=80 \
new-connection-mark=http_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http_conn disabled=no \
new-packet-mark=http passthrough=no
add action=mark-connection chain=prerouting comment=Https disabled=no dst-
port=443 \
new-connection-mark=https_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=https_conn disabled=no \
new-packet-mark=https passthrough=no
add action=mark-connection chain=prerouting comment=Winbox disabled=no dst-
port=8291 \
new-connection-mark=winbox_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=winbox_conn disabled=no \
new-packet-mark=winbox passthrough=no
add action=mark-connection chain=prerouting comment=Otros disabled=no \
new-connection-mark=otras_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=otras_conn disabled=no \
new-packet-mark=other passthrough=no
/ip firewall nat

add action=masquerade chain=srcnat disabled=no out-interface=wlan1 src-address=\
192.168.200.0/24;
add action=dst-nat chain=dstnat disabled=no in-interface=wlan1 protocol=icmp \
to-addresses=192.168.200.254;
add action=dst-nat chain=dstnat disabled=no dst-port=2000 in-interface=wlan1 \
protocol=tcp to-addresses=192.168.200.254 to-ports=2000;
protocol=udp to-addresses=192.168.200.254 to-ports=2000;
add action=dst-nat chain=dstnat disabled=yes in-interface=wlan1 to-addresses=\
192.168.200.254;
# Setting UPnP
/ip upnp interfaces
add disabled=no interface=wlan1 type=external
add disabled=no interface=ether1 type=internal
# Setting SERVICIOS and ports

/ip service
set telnet disabled=no port=23
set ftp disabled=no port=21
set www disabled=yes port=80
set ssh disabled=no port=22
set www-ssl address=10.56.0.10/32,10.56.0.20/32 certificate=none disabled=no \
port=443;
set api disabled=yes port=8728
set winbox disabled=no port=8291
# Setting PROXY
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=yes enabled=yes max-cache-size=10000KiB \
max-client-connections=600 max-fresh-time=2d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
no src-address=0.0.0.0;
# QUEUE
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-
limit=2M \
name=Up packet-mark="" parent=wlan1 priority=1
limit=7M \
name=Down packet-mark="" parent=ether1 priority=1
limit=5M \
name=IPTV-VoIP packet-mark="" parent=Down priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=2M max-
limit=\
2M name=WEB packet-mark="" parent=Down priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=512k \
max-limit=2M name=Up-IPTV-VoIP packet-mark="" parent=Up priority=1
max-limit=2M name=Up-WEB packet-mark="" parent=Up priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=3M max-
limit=\
5M name=IPTV packet-mark=PAQUETES-IPTV parent=IPTV-VoIP priority=2
queue=default
max-limit=1M name=VoIP packet-mark=PAQUETES_VOIP parent=IPTV-VoIP priority=1 \
queue=default
limit=\
32k name=ICMP packet-mark=icmp parent=WEB priority=3 queue=default
limit=0 \
name=DNS packet-mark=dns parent=WEB priority=3 queue=default
limit=0 \
name=HTTP packet-mark=http parent=WEB priority=3 queue=default
limit=0 \
name=HTTPS packet-mark=https parent=WEB priority=3 queue=default
limit=0 \
name=WINBOX packet-mark=winbox parent=Down priority=6 queue=default
limit=0 \
name=OTHER packet-mark=other parent=WEB priority=6 queue=default
max-limit=1M name=Up-VoIP packet-mark=PAQUETES_VOIP parent=Up-IPTV-VoIP
priority=\
1 queue=default
limit=0 \
name=Up-IPTV packet-mark=PAQUETES-IPTV parent=Up-IPTV-VoIP priority=2 queue=\
default
max-limit=2M name=Up-HTTP packet-mark=http parent=Up-WEB priority=3
queue=default
limit=0 \
name=Up-DNS packet-mark=dns parent=Up-WEB priority=3 queue=default
max-limit=2M name=Up-HTTPS packet-mark=https parent=Up-WEB priority=3 queue=\
default
limit=\
32k name=Up-ICMP packet-mark=icmp parent=Up-WEB priority=3 queue=default
limit=0 \
name=Up-OTHER packet-mark=other parent=Up-WEB priority=6 queue=default
limit=0 \
name=Up.WINBOX packet-mark=winbox parent=Up priority=6 queue=default
# Setting IDENTIDAD del CPE

/system identity
set name=REY-01265;
# Setting NTP Client

/system clock
set time-zone-name=America/Mexico_City;
/system clock manual
#time-zone=+06:00;
# Setting USUARIOS
/user group
add name=soporte policy="read,winbox,!local,!telnet,!ssh,!ftp,!reboot,!write,!\
policy,!test,!password,!web,!sniff,!sensitive,!api" skin=default;
/user
add
address=10.56.0.20/32,10.56.0.10/32,192.168.200.150/32,172.20.2.0/24,172.17.1.0/24
comment="Usuario Administrativo de Star network" \
disabled=no group=full name=star-manager;
add address=192.168.200.200/32 disabled=no group=soporte name=star-soporte;
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no;
/user set star-manager password="1A2S3D4F5G";
/user set star-soporte password="50p0rt35TAR";
# Setting WIRELESS
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
group-key-update=5m interim-update=0s management-protection=disabled \
management-protection-key="" mode=none name=default \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" \
wpa2-pre-shared-key=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-onlyn channel-width=20/40mhz-Ce
country=argentina ht-basic-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mc\
s-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-
17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" nv2-preshared-key=\
1a2s3d4f5g nv2-security=enabled rate-set=configured wireless-protocol=nv2
# Setting LEDS
/system leds
add disabled=no interface=ether1 leds=user-led type=interface-activity;
add disabled=no interface=wlan1 leds=led1,led2,led3,led4,led5 type=wireless-signal-
strength;
# Setting LOG
/system logging
add action=memory disabled=no prefix="" topics=wireless
add action=memory disabled=no prefix="" topics=interface
############################################################
# #
# Procesos finales #
# #
############################################################
#
:log info "Auto configuration ended.";
:put "";
:put "Auto configuration ended. Please check the system log.";
:put "";

Script El Chido

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Script El Chido

Uploaded by

Copyright:

Available Formats

#

# Basic Operational CPE configuration to Star Network

# Add IP default LAN

# Add DHCP Server

# Add DHCP Cliente

# Setting FIREWALL completo

/ip firewall connection tracking set enabled=yes generic-timeout=10m icmp-

/ip firewall filter

/ip firewall mangle

/ip firewall nat

# Setting SERVICIOS and ports

# Setting IDENTIDAD del CPE

# Setting NTP Client

You might also like