  1. # oct/23/2018 06:08:52 by RouterOS 6.43.4
  2. # software id = M1VD-1TMV
  3. #
/ip dns
# Router-side resolver. allow-remote-requests=yes lets hosts other than the
# router itself query it; exposure is governed by the filter rules below
# (UDP/53 is accepted on in-interface=!inet only and dropped on inet).
# NOTE(review): the dstnat rule that rewrites LAN UDP/53 to 8.8.8.8 has no
# dst-address restriction, so it appears to catch queries addressed to the
# router as well. If so, these upstream servers and the 1-day cache cap only
# serve lookups the router originates itself — confirm that is intended.
set allow-remote-requests=yes cache-max-ttl=1d servers=\
213.133.98.98,213.133.99.99,213.133.100.100
  7. #
  8. /ip firewall nat
  9. add action=redirect chain=dstnat disabled=yes dst-port=53 in-interface=!inet \
  10. protocol=udp src-address-list=local4nets to-ports=53
  11. add action=dst-nat chain=dstnat dst-port=53 in-interface=!inet protocol=udp \
  12. src-address-list=local4nets to-addresses=8.8.8.8 to-ports=53
  13. add action=dst-nat chain=dstnat dst-port=80 in-interface=inet protocol=tcp \
  14. to-addresses=192.168.123.12 to-ports=80
  15. add action=dst-nat chain=dstnat dst-port=5222 in-interface=inet protocol=tcp \
  16. to-addresses=192.168.123.11 to-ports=5222
  17. add action=dst-nat chain=dstnat dst-port=443 in-interface=inet protocol=tcp \
  18. to-addresses=192.168.123.12 to-ports=443
  19. add action=dst-nat chain=dstnat dst-port=10000-20000 in-interface=inet \
  20. protocol=udp to-addresses=192.168.123.11 to-ports=10000-20000
  21. add action=masquerade chain=srcnat out-interface=inet src-address-list=\
  22. local4nets
  23. #
/ip firewall address-list
# whitelist: sources the filter chains accept unconditionally (input and
# forward), i.e. they bypass the brute-force and port-scan blacklists below.
# X.X.X.X1 / X.X.X.X2 are redacted placeholders, not valid addresses.
add address=X.X.X.X1 comment=krd1 list=whitelist
add address=X.X.X.X2 comment=krd1 list=whitelist
# local4nets: the whole 192.168.0.0/16 range; used as the "inside" set in the
# filter rules and as the masquerade source set in srcnat.
add address=192.168.0.0/16 list=local4nets
# servers: nothing in the visible rules references this list.
add address=192.168.123.17 list=servers
  29. /ip firewall filter
  30. add action=fasttrack-connection chain=forward comment=FastTrack \
  31. connection-state=established,related disabled=yes
  32. add action=log chain=forward disabled=yes log=yes log-prefix=77 src-address=\
  33. 192.168.77.0/24
  34. add action=log chain=forward disabled=yes dst-port=53 in-interface=!inet log=\
  35. yes log-prefix=DNS_fwd protocol=udp
  36. add action=log chain=input disabled=yes dst-port=53 in-interface=!inet log=\
  37. yes log-prefix=DNS_inp protocol=udp
  38. add action=log chain=output disabled=yes dst-address=192.168.77.0/24 log=yes \
  39. log-prefix=77
  40. add action=accept chain=input dst-port=53 in-interface=!inet log=yes \
  41. log-prefix=dns_in protocol=udp
  42. add action=accept chain=forward dst-port=53 in-interface=!inet protocol=udp
  43. add action=accept chain=input protocol=icmp
  44. add action=accept chain=input in-interface=!inet src-address-list=local4nets
  45. add action=accept chain=forward in-interface=!inet src-address-list=\
  46. local4nets
  47. add action=accept chain=forward in-interface=inet out-interface=all-ppp
  48. add action=accept chain=forward dst-address=192.168.123.11 out-interface=\
  49. mikronet
  50. add action=accept chain=forward dst-address-list=local4nets out-interface=\
  51. mikronet
  52. add action=accept chain=forward dst-port=5060 protocol=udp
  53. add action=accept chain=input dst-port=500,4500,1701 protocol=udp
  54. add action=accept chain=input protocol=ipsec-esp
  55. add action=accept chain=input protocol=ipsec-ah
  56. add action=accept chain=forward dst-port=500,1701 protocol=tcp
  57. add action=accept chain=forward protocol=gre
  58. add action=accept chain=forward dst-port=10000-20000 protocol=udp
  59. add action=accept chain=input dst-port=10000-20000 protocol=udp
  60. add action=accept chain=input dst-address=192.168.123.11 dst-port=10000-20000 \
  61. protocol=udp
  62. add action=accept chain=forward dst-address=192.168.123.11 dst-port=\
  63. 10000-20000 protocol=udp
  64. add action=accept chain=forward protocol=udp src-port=5060,5061
  65. add action=accept chain=forward in-interface=inet out-interface=ovpnofficekrd
  66. add action=accept chain=input dst-port=1194 in-interface=inet protocol=tcp
  67. add action=accept chain=input dst-port=20,21,22,80,443,8291,8729 \
  68. in-interface=!inet protocol=tcp
  69. add action=accept chain=input src-address-list=whitelist
  70. add action=accept chain=forward src-address-list=whitelist
  71. add action=accept chain=input comment="established and related" \
  72. connection-state=established,related connection-type=""
  73. add action=accept chain=forward comment="established related" \
  74. connection-state=established,related connection-type=""
  75. add action=accept chain=forward connection-state=new connection-type="" \
  76. dst-port=80,443 in-interface=inet protocol=tcp
  77. add action=accept chain=output content="530 Login incorrect" dst-limit=\
  78. 1/1m,9,dst-address/1m protocol=tcp
  79. add action=accept chain=output content="530 Login incorrect" disabled=yes \
  80. dst-limit=1/1m,9,dst-address/1m
  81. add action=accept chain=output
  82. add action=add-src-to-address-list address-list=ssh_stage1 \
  83. address-list-timeout=1m chain=input connection-state=new dst-port=22,23 \
  84. in-interface=inet protocol=tcp
  85. add action=add-src-to-address-list address-list=ssh_stage2 \
  86. address-list-timeout=1m chain=input connection-state=new dst-port=22,23 \
  87. in-interface=inet protocol=tcp src-address-list=ssh_stage1
  88. add action=add-src-to-address-list address-list=ssh_stage3 \
  89. address-list-timeout=1m chain=input connection-state=new dst-port=22,23 \
  90. in-interface=inet protocol=tcp src-address-list=ssh_stage2
  91. add action=add-src-to-address-list address-list=ssh_blacklist \
  92. address-list-timeout=1d chain=input connection-state=new dst-port=22,23 \
  93. in-interface=inet protocol=tcp src-address-list=ssh_stage3
  94. add action=add-dst-to-address-list address-list=ftp_blacklist \
  95. address-list-timeout=3h chain=output content="530 Login incorrect" \
  96. protocol=tcp
  97. add action=add-src-to-address-list address-list=winbox_stage_1 \
  98. address-list-timeout=5m chain=input connection-state=new dst-port=8291 \
  99. in-interface=inet protocol=tcp
  100. add action=add-src-to-address-list address-list=winbox_stage_2 \
  101. address-list-timeout=10h chain=input connection-state=new dst-port=8291 \
  102. in-interface=inet protocol=tcp src-address-list=winbox_stage_1
  103. add action=add-src-to-address-list address-list=winbox_stage_3 \
  104. address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
  105. in-interface=inet protocol=tcp src-address-list=winbox_stage_2
  106. add action=add-src-to-address-list address-list=winbox_blacklist \
  107. address-list-timeout=2h chain=input connection-state=new dst-port=8291 \
  108. in-interface=inet protocol=tcp src-address-list=winbox_stage_3
  109. add action=add-src-to-address-list address-list="port scanners" \
  110. address-list-timeout=2w chain=input comment="Port scanners to list " \
  111. protocol=tcp psd=21,3s,3,1
  112. add action=add-src-to-address-list address-list="port scanners" \
  113. address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
  114. protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
  115. add action=add-src-to-address-list address-list="port scanners" \
  116. address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
  117. tcp-flags=fin,syn
  118. add action=add-src-to-address-list address-list="port scanners" \
  119. address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
  120. tcp-flags=syn,rst
  121. add action=add-src-to-address-list address-list="port scanners" \
  122. address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
  123. tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
  124. add action=add-src-to-address-list address-list="port scanners" \
  125. address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
  126. tcp-flags=fin,syn,rst,psh,ack,urg
  127. add action=add-src-to-address-list address-list="port scanners" \
  128. address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
  129. tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
  130. add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
  131. log-prefix=invalid
  132. add action=drop chain=input dst-port=21 protocol=tcp src-address-list=\
  133. ftp_blacklist
  134. add action=drop chain=input dst-port=22,23 protocol=tcp src-address-list=\
  135. ssh_blacklist
  136. add action=drop chain=input comment="dropping port scanners" \
  137. src-address-list="port scanners"
  138. add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=\
  139. winbox_blacklist
  140. add action=drop chain=input dst-port=53 in-interface=inet protocol=udp
  141. add action=drop chain=forward in-interface=inet
  142. add action=drop chain=input in-interface=inet
/ip firewall mangle
# Policy routing for replies: connections arriving on each VPN interface, or
# on mikronet from 192.168.0.0/16, receive a connection mark (input and
# forward). Only the output chain assigns routing marks, i.e. only packets
# the router itself sends on those connections are steered into the
# off_krd / to_petina / mikronet tables; forwarded traffic is not re-routed
# here. The routing tables are defined outside this export.
# NOTE(review): fasttrack bypasses mangle on RouterOS, so the disabled
# FastTrack filter rule must stay disabled for these marks to apply — confirm.
add action=mark-connection chain=input in-interface=ovpnofficekrd \
new-connection-mark=from_off_krd passthrough=yes
add action=mark-connection chain=forward in-interface=ovpnofficekrd \
new-connection-mark=from_off_krd passthrough=yes
add action=mark-connection chain=input in-interface=ovpn_petina \
new-connection-mark=from_petina passthrough=yes
add action=mark-connection chain=forward in-interface=ovpn_petina \
new-connection-mark=from_petina passthrough=yes
add action=mark-connection chain=input in-interface=mikronet \
new-connection-mark=from_mikronet passthrough=yes src-address=\
192.168.0.0/16
add action=mark-connection chain=forward in-interface=mikronet \
new-connection-mark=from_mikronet passthrough=yes src-address=\
192.168.0.0/16
# Routing marks for router-originated packets on the marked connections.
add action=mark-routing chain=output connection-mark=from_off_krd \
new-routing-mark=off_krd passthrough=yes
add action=mark-routing chain=output connection-mark=from_petina \
new-routing-mark=to_petina passthrough=yes
add action=mark-routing chain=output connection-mark=from_mikronet \
new-routing-mark=mikronet passthrough=yes
/ip firewall nat
# Kept disabled: the alternative of redirecting LAN DNS to the router's own
# resolver instead of to 8.8.8.8.
add action=redirect chain=dstnat disabled=yes dst-port=53 in-interface=!inet \
protocol=udp src-address-list=local4nets to-ports=53
# Active: every UDP/53 query from local4nets on a non-internet interface is
# rewritten to 8.8.8.8 regardless of the address the client asked —
# transparent DNS interception, sent in plaintext to a third party.
# NOTE(review): no matching TCP/53 rule exists, so DNS over TCP (truncated
# answers, zone transfers) is not intercepted — confirm that is acceptable.
add action=dst-nat chain=dstnat dst-port=53 in-interface=!inet protocol=udp \
src-address-list=local4nets to-addresses=8.8.8.8 to-ports=53
# Services published on the internet side: HTTP/HTTPS to 192.168.123.12,
# TCP/5222 (commonly XMPP) and UDP 10000-20000 (presumably RTP, given the
# SIP filter rules) to 192.168.123.11. The filter forward chain must accept
# the post-dstnat destination for these to work.
add action=dst-nat chain=dstnat dst-port=80 in-interface=inet protocol=tcp \
to-addresses=192.168.123.12 to-ports=80
add action=dst-nat chain=dstnat dst-port=5222 in-interface=inet protocol=tcp \
to-addresses=192.168.123.11 to-ports=5222
add action=dst-nat chain=dstnat dst-port=443 in-interface=inet protocol=tcp \
to-addresses=192.168.123.12 to-ports=443
add action=dst-nat chain=dstnat dst-port=10000-20000 in-interface=inet \
protocol=udp to-addresses=192.168.123.11 to-ports=10000-20000
# Source NAT limited to local4nets leaving via inet (other sources, e.g. VPN
# peers outside 192.168/16, are not masqueraded).
add action=masquerade chain=srcnat out-interface=inet src-address-list=\
local4nets
/ip firewall service-port
# SIP connection-tracking helper (ALG) switched off; presumably why the
# filter and NAT sections carry explicit UDP/5060 and 10000-20000 rules.
set sip disabled=yes sip-timeout=2h