- # oct/23/2018 06:08:52 by RouterOS 6.43.4
- # software id = M1VD-1TMV
- #
- /ip dns
- # allow-remote-requests=yes turns the router into a resolver for other hosts.
- # The filter section drops UDP/53 (and any other unmatched input) arriving on
- # inet, so this is reachable from non-inet interfaces only. Upstream resolvers
- # are the three 213.133.x.x addresses; cached answers are capped at 1d.
- set allow-remote-requests=yes cache-max-ttl=1d servers=\
- 213.133.98.98,213.133.99.99,213.133.100.100
- #
- /ip firewall nat
- # NOTE(review): this NAT section appears again, verbatim, near the end of the
- # export. Importing the file as-is would add every rule below twice.
- # Disabled alternative: redirect LAN DNS to the router's own resolver.
- add action=redirect chain=dstnat disabled=yes dst-port=53 in-interface=!inet \
- protocol=udp src-address-list=local4nets to-ports=53
- # Active: every UDP/53 query from local4nets on a non-inet interface is
- # rewritten to 8.8.8.8, so LAN clients cannot pick a different resolver.
- add action=dst-nat chain=dstnat dst-port=53 in-interface=!inet protocol=udp \
- src-address-list=local4nets to-addresses=8.8.8.8 to-ports=53
- # Port forwards from inet: TCP 80/443 -> 192.168.123.12, TCP 5222 and the
- # UDP 10000-20000 range -> 192.168.123.11. No dst-address is given, so they
- # apply to any address the packet arrives for on inet.
- add action=dst-nat chain=dstnat dst-port=80 in-interface=inet protocol=tcp \
- to-addresses=192.168.123.12 to-ports=80
- add action=dst-nat chain=dstnat dst-port=5222 in-interface=inet protocol=tcp \
- to-addresses=192.168.123.11 to-ports=5222
- add action=dst-nat chain=dstnat dst-port=443 in-interface=inet protocol=tcp \
- to-addresses=192.168.123.12 to-ports=443
- add action=dst-nat chain=dstnat dst-port=10000-20000 in-interface=inet \
- protocol=udp to-addresses=192.168.123.11 to-ports=10000-20000
- # Source NAT for local4nets traffic leaving via inet.
- add action=masquerade chain=srcnat out-interface=inet src-address-list=\
- local4nets
- #
- /ip firewall address-list
- # whitelist: two addresses, redacted in this paste (X.X.X.X1 / X.X.X.X2).
- # The filter section accepts them unconditionally in input and forward,
- # ahead of all bruteforce and port-scan blacklists.
- add address=X.X.X.X1 comment=krd1 list=whitelist
- add address=X.X.X.X2 comment=krd1 list=whitelist
- # local4nets: the whole 192.168.0.0/16; used by the NAT and filter rules.
- add address=192.168.0.0/16 list=local4nets
- # servers: not referenced by any rule in this export.
- add address=192.168.123.17 list=servers
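- /ip firewall filter
- # Rule order is significant: within a chain the first matching rule decides,
- # and a rule below a catch-all never sees traffic. The only ordering change
- # made here is in the output chain (see the ftp_blacklist rule further down).
- add action=fasttrack-connection chain=forward comment=FastTrack \
- connection-state=established,related disabled=yes
- # Diagnostic log rules, all currently disabled=yes.
- add action=log chain=forward disabled=yes log=yes log-prefix=77 src-address=\
- 192.168.77.0/24
- add action=log chain=forward disabled=yes dst-port=53 in-interface=!inet log=\
- yes log-prefix=DNS_fwd protocol=udp
- add action=log chain=input disabled=yes dst-port=53 in-interface=!inet log=\
- yes log-prefix=DNS_inp protocol=udp
- add action=log chain=output disabled=yes dst-address=192.168.77.0/24 log=yes \
- log-prefix=77
- # DNS to the router from non-inet interfaces. log=yes here logs every query.
- add action=accept chain=input dst-port=53 in-interface=!inet log=yes \
- log-prefix=dns_in protocol=udp
- add action=accept chain=forward dst-port=53 in-interface=!inet protocol=udp
- add action=accept chain=input protocol=icmp
- # Everything from local4nets on a non-inet interface is accepted here, so the
- # management-port rule further down only adds access for non-local4nets
- # sources on non-inet interfaces (e.g. VPN peers).
- add action=accept chain=input in-interface=!inet src-address-list=local4nets
- add action=accept chain=forward in-interface=!inet src-address-list=\
- local4nets
- # inet -> PPP forwarding is accepted without port or connection-state limits.
- add action=accept chain=forward in-interface=inet out-interface=all-ppp
- add action=accept chain=forward dst-address=192.168.123.11 out-interface=\
- mikronet
- add action=accept chain=forward dst-address-list=local4nets out-interface=\
- mikronet
- # SIP signalling (5060) accepted in forward on every interface.
- add action=accept chain=forward dst-port=5060 protocol=udp
- # IPsec/L2TP to the router itself: UDP 500,4500,1701 plus ESP and AH.
- add action=accept chain=input dst-port=500,4500,1701 protocol=udp
- add action=accept chain=input protocol=ipsec-esp
- add action=accept chain=input protocol=ipsec-ah
- # NOTE(review): this forward rule uses TCP for 500/1701 while the input rule
- # above uses UDP - confirm TCP was intended.
- add action=accept chain=forward dst-port=500,1701 protocol=tcp
- # GRE passthrough, not limited to an interface.
- add action=accept chain=forward protocol=gre
- # UDP 10000-20000 accepted on every interface, in forward and input. These
- # two interface-less rules shadow the dst-address=192.168.123.11 rules that
- # follow them, which therefore never match.
- add action=accept chain=forward dst-port=10000-20000 protocol=udp
- add action=accept chain=input dst-port=10000-20000 protocol=udp
- add action=accept chain=input dst-address=192.168.123.11 dst-port=10000-20000 \
- protocol=udp
- add action=accept chain=forward dst-address=192.168.123.11 dst-port=\
- 10000-20000 protocol=udp
- add action=accept chain=forward protocol=udp src-port=5060,5061
- add action=accept chain=forward in-interface=inet out-interface=ovpnofficekrd
- # OpenVPN server port, reachable from inet.
- add action=accept chain=input dst-port=1194 in-interface=inet protocol=tcp
- # Management services (FTP data/control, SSH, HTTP/S, Winbox, API-SSL) from
- # every non-inet interface, which includes the VPN interfaces named in mangle.
- add action=accept chain=input dst-port=20,21,22,80,443,8291,8729 \
- in-interface=!inet protocol=tcp
- # whitelist bypasses every rule below, including the bruteforce and
- # port-scan blacklists, on any interface.
- add action=accept chain=input src-address-list=whitelist
- add action=accept chain=forward src-address-list=whitelist
- # NOTE(review): connection-type="" looks like an export artefact rather than a
- # real matcher - confirm on the device that it does not restrict the match.
- add action=accept chain=input comment="established and related" \
- connection-state=established,related connection-type=""
- add action=accept chain=forward comment="established related" \
- connection-state=established,related connection-type=""
- # Published web services: new TCP 80/443 from inet to any forwarded
- # destination (the NAT section maps them to 192.168.123.12).
- add action=accept chain=forward connection-state=new connection-type="" \
- dst-port=80,443 in-interface=inet protocol=tcp
- # FTP bruteforce protection, output chain: let "530 Login incorrect" replies
- # through at 1/1m with a burst of 9 per dst-address ...
- add action=accept chain=output content="530 Login incorrect" dst-limit=\
- 1/1m,9,dst-address/1m protocol=tcp
- add action=accept chain=output content="530 Login incorrect" disabled=yes \
- dst-limit=1/1m,9,dst-address/1m
- # SSH/Telnet bruteforce from inet: three 1m stages, then ssh_blacklist for 1d.
- # No rule accepts 22/23 from inet, so this only records attempts; the final
- # drop on inet covers the traffic either way.
- add action=add-src-to-address-list address-list=ssh_stage1 \
- address-list-timeout=1m chain=input connection-state=new dst-port=22,23 \
- in-interface=inet protocol=tcp
- add action=add-src-to-address-list address-list=ssh_stage2 \
- address-list-timeout=1m chain=input connection-state=new dst-port=22,23 \
- in-interface=inet protocol=tcp src-address-list=ssh_stage1
- add action=add-src-to-address-list address-list=ssh_stage3 \
- address-list-timeout=1m chain=input connection-state=new dst-port=22,23 \
- in-interface=inet protocol=tcp src-address-list=ssh_stage2
- add action=add-src-to-address-list address-list=ssh_blacklist \
- address-list-timeout=1d chain=input connection-state=new dst-port=22,23 \
- in-interface=inet protocol=tcp src-address-list=ssh_stage3
- # ... and list destinations that exceed that limit in ftp_blacklist for 3h.
- # This rule must come before the unconditional output accept below: in the
- # original order the accept preceded it, so it never matched and
- # ftp_blacklist stayed empty.
- add action=add-dst-to-address-list address-list=ftp_blacklist \
- address-list-timeout=3h chain=output content="530 Login incorrect" \
- protocol=tcp
- # Catch-all accept for the output chain (moved below the ftp_blacklist rule).
- add action=accept chain=output
- # Winbox bruteforce from inet: staged lists, then winbox_blacklist for 2h.
- # NOTE(review): stage_2 is kept for 10h while stage_1/stage_3 use 5m/1m -
- # confirm that is intended. As with SSH, 8291 is never accepted from inet.
- add action=add-src-to-address-list address-list=winbox_stage_1 \
- address-list-timeout=5m chain=input connection-state=new dst-port=8291 \
- in-interface=inet protocol=tcp
- add action=add-src-to-address-list address-list=winbox_stage_2 \
- address-list-timeout=10h chain=input connection-state=new dst-port=8291 \
- in-interface=inet protocol=tcp src-address-list=winbox_stage_1
- add action=add-src-to-address-list address-list=winbox_stage_3 \
- address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
- in-interface=inet protocol=tcp src-address-list=winbox_stage_2
- add action=add-src-to-address-list address-list=winbox_blacklist \
- address-list-timeout=2h chain=input connection-state=new dst-port=8291 \
- in-interface=inet protocol=tcp src-address-list=winbox_stage_3
- # Port-scan detection: psd plus abnormal TCP flag combinations, 2w listing.
- # Not limited to inet, so scans from internal interfaces are listed too.
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="Port scanners to list " \
- protocol=tcp psd=21,3s,3,1
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
- protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
- tcp-flags=fin,syn
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
- tcp-flags=syn,rst
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
- tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
- tcp-flags=fin,syn,rst,psh,ack,urg
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
- tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
- # Drops. log-prefix without log=yes has no effect on the invalid rule.
- add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
- log-prefix=invalid
- add action=drop chain=input dst-port=21 protocol=tcp src-address-list=\
- ftp_blacklist
- add action=drop chain=input dst-port=22,23 protocol=tcp src-address-list=\
- ssh_blacklist
- add action=drop chain=input comment="dropping port scanners" \
- src-address-list="port scanners"
- add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=\
- winbox_blacklist
- # Explicit UDP/53 drop from inet (the router is an open resolver otherwise,
- # see /ip dns allow-remote-requests), then drop all other inet traffic.
- add action=drop chain=input dst-port=53 in-interface=inet protocol=udp
- add action=drop chain=forward in-interface=inet
- # There is no final drop for non-inet interfaces: input and forward traffic
- # from them that matched nothing above falls through to the default accept.
- add action=drop chain=input in-interface=inet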
- /ip firewall mangle
- # Policy routing for the VPN interfaces: connections entering on
- # ovpnofficekrd, ovpn_petina or mikronet (the latter only from
- # 192.168.0.0/16) receive a connection mark, and the router's own packets
- # in those connections (output chain) receive the matching routing mark -
- # presumably so replies leave via the same VPN; the routing tables are not
- # in this export. passthrough=yes lets later mangle rules still match.
- add action=mark-connection chain=input in-interface=ovpnofficekrd \
- new-connection-mark=from_off_krd passthrough=yes
- add action=mark-connection chain=forward in-interface=ovpnofficekrd \
- new-connection-mark=from_off_krd passthrough=yes
- add action=mark-connection chain=input in-interface=ovpn_petina \
- new-connection-mark=from_petina passthrough=yes
- add action=mark-connection chain=forward in-interface=ovpn_petina \
- new-connection-mark=from_petina passthrough=yes
- add action=mark-connection chain=input in-interface=mikronet \
- new-connection-mark=from_mikronet passthrough=yes src-address=\
- 192.168.0.0/16
- add action=mark-connection chain=forward in-interface=mikronet \
- new-connection-mark=from_mikronet passthrough=yes src-address=\
- 192.168.0.0/16
- # Routing marks for locally generated traffic, keyed on the marks above.
- add action=mark-routing chain=output connection-mark=from_off_krd \
- new-routing-mark=off_krd passthrough=yes
- add action=mark-routing chain=output connection-mark=from_petina \
- new-routing-mark=to_petina passthrough=yes
- add action=mark-routing chain=output connection-mark=from_mikronet \
- new-routing-mark=mikronet passthrough=yes
- /ip firewall nat
- # NOTE(review): identical to the /ip firewall nat section earlier in this
- # paste. Importing the file as-is would add each of these rules twice.
- # Disabled alternative: redirect LAN DNS to the router's own resolver.
- add action=redirect chain=dstnat disabled=yes dst-port=53 in-interface=!inet \
- protocol=udp src-address-list=local4nets to-ports=53
- # Active: every UDP/53 query from local4nets on a non-inet interface is
- # rewritten to 8.8.8.8, so LAN clients cannot pick a different resolver.
- add action=dst-nat chain=dstnat dst-port=53 in-interface=!inet protocol=udp \
- src-address-list=local4nets to-addresses=8.8.8.8 to-ports=53
- # Port forwards from inet: TCP 80/443 -> 192.168.123.12, TCP 5222 and the
- # UDP 10000-20000 range -> 192.168.123.11. No dst-address is given, so they
- # apply to any address the packet arrives for on inet.
- add action=dst-nat chain=dstnat dst-port=80 in-interface=inet protocol=tcp \
- to-addresses=192.168.123.12 to-ports=80
- add action=dst-nat chain=dstnat dst-port=5222 in-interface=inet protocol=tcp \
- to-addresses=192.168.123.11 to-ports=5222
- add action=dst-nat chain=dstnat dst-port=443 in-interface=inet protocol=tcp \
- to-addresses=192.168.123.12 to-ports=443
- add action=dst-nat chain=dstnat dst-port=10000-20000 in-interface=inet \
- protocol=udp to-addresses=192.168.123.11 to-ports=10000-20000
- # Source NAT for local4nets traffic leaving via inet.
- add action=masquerade chain=srcnat out-interface=inet src-address-list=\
- local4nets
- /ip firewall service-port
- # SIP connection-tracking helper disabled (the filter section accepts
- # 5060/5061 and UDP 10000-20000 explicitly); sip-timeout=2h is kept.
- set sip disabled=yes sip-timeout=2h