Advertisement
Guest User

Untitled

a guest
Nov 4th, 2017
428
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.43 KB | None | 0 0
  1. /ip firewall filter
  2. add action=drop chain=input comment=";;; Drop all INVALID" connection-state=invalid
  3. add action=drop chain=forward connection-state=invalid
  4. add action=accept chain=input comment=";;; Allow all ESTABLISHED" connection-state=established
  5. add action=accept chain=forward connection-state=established
  6. add action=accept chain=input comment=";;; Allow all RELATED" connection-state=related
  7. add action=accept chain=forward connection-state=related
  8. add action=accept chain=input comment=";;; Allow ICMP from all" protocol=icmp
  9. add action=accept chain=forward protocol=icmp
  10. add action=accept chain=input comment=";;; Enable IPsec" port=1701,500,4500 protocol=udp
  11. add action=accept chain=input protocol=ipsec-esp
  12. add action=accept chain=input comment="Allow DNS from LAN" dst-port=53 protocol=udp src-address=192.168.28.0/24
  13. add action=drop chain=input comment=";;; SSH anti-bruteforce" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  14. add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=30m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
  15. add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
  16. add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
  17. add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
  18. add action=accept chain=input connection-state=new dst-port=22 protocol=tcp
  19. add action=accept chain=input comment=";;; Allow SSH from local network only" dst-port=22 protocol=tcp
  20. add action=accept chain=input comment=";;; Allow HTTP from local network" dst-port=80 protocol=tcp src-address=192.168.28.0/24
  21. add action=accept chain=input comment=";;; Allow HTTPS from all" dst-port=443 protocol=tcp
  22. add action=accept chain=input comment=";;; Allow WINBOX from Home" dst-port=8291 protocol=tcp src-address=192.168.28.0/24
  23. add action=accept chain=input comment=";;; Allow NTP from LAN" dst-port=123 protocol=udp src-address=192.168.28.0/24
  24. add action=accept chain=forward comment=";;; Allow Internet from LAN" src-address=192.168.28.0/24
  25. add action=accept chain=input dst-port=1900 protocol=udp src-address=192.168.28.0/24
  26. add action=accept chain=input dst-port=2828 protocol=tcp src-address=192.168.28.0/24
  27. add action=drop chain=input comment=";;; DROP ALL REQUEST"
  28. add action=drop chain=forward disabled=yes src-address=!192.168.28.0/24
  29. /ip firewall mangle
  30. add action=mark-routing chain=prerouting dst-address-list=VPN new-routing-mark=vpn
  31. /ip firewall nat
  32. add action=masquerade chain=srcnat out-interface=ether1
  33. dd action=dst-nat chain=dstnat comment="Web server" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.28.10 to-ports=80
  34. add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.28.10 to-ports=443
  35. add action=dst-nat chain=dstnat dst-port=8980 in-interface=ether1 protocol=tcp to-addresses=192.168.28.146 to-ports=8980
  36. add action=dst-nat chain=dstnat comment="Enable Jabber server port forwarding" dst-port=5222 in-interface=ether1 protocol=tcp to-addresses=192.168.28.10 to-ports=5222
  37. add action=dst-nat chain=dstnat dst-port=5269 in-interface=ether1 protocol=tcp to-addresses=192.168.28.10 to-ports=5269
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement