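  # MikroTik RouterOS firewall configuration (filter, mangle, NAT) for a LAN on
  # 192.168.28.0/24 behind WAN interface ether1. Input-chain rules protect the
  # router itself; forward-chain rules cover traffic routed through it. Rules are
  # evaluated top to bottom and the first terminating match wins.
  /ip firewall filter
  # Connection-tracking shortcuts: drop invalid, accept established/related early
  # so the per-service rules below only ever see new connections.
  add action=drop chain=input comment=";;; Drop all INVALID" connection-state=invalid
  add action=drop chain=forward connection-state=invalid
  add action=accept chain=input comment=";;; Allow all ESTABLISHED" connection-state=established
  add action=accept chain=forward connection-state=established
  add action=accept chain=input comment=";;; Allow all RELATED" connection-state=related
  add action=accept chain=forward connection-state=related
  add action=accept chain=input comment=";;; Allow ICMP from all" protocol=icmp
  add action=accept chain=forward protocol=icmp
  # IPsec/L2TP control traffic (UDP 1701, 500, 4500) and ESP to the router.
  add action=accept chain=input comment=";;; Enable IPsec" port=1701,500,4500 protocol=udp
  add action=accept chain=input protocol=ipsec-esp
  add action=accept chain=input comment="Allow DNS from LAN" dst-port=53 protocol=udp src-address=192.168.28.0/24
  # SSH anti-bruteforce: add-src-to-address-list is a pass-through action, so a
  # repeated new SSH connection from one source walks ssh_stage1 -> ssh_stage2 ->
  # ssh_stage3 (1m each) into ssh_blacklist (30m) and is then dropped by the first
  # rule of this group. The blacklist drop must stay above the stage rules.
  add action=drop chain=input comment=";;; SSH anti-bruteforce" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=30m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
  add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
  add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
  add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
  # NOTE(review): this rule accepts new SSH from ANY source, so the rule directly
  # below it (commented "from local network only" but carrying no src-address) is
  # never reached, and SSH stays reachable from the WAN gated only by the staged
  # blacklist. If the comment states the intent, add src-address=192.168.28.0/24
  # to the accept and drop the unrestricted one; left unchanged here.
  add action=accept chain=input connection-state=new dst-port=22 protocol=tcp
  add action=accept chain=input comment=";;; Allow SSH from local network only" dst-port=22 protocol=tcp
  add action=accept chain=input comment=";;; Allow HTTP from local network" dst-port=80 protocol=tcp src-address=192.168.28.0/24
  # Inbound 443 arriving on ether1 is redirected by the dst-nat rule further down
  # before the input chain is consulted, so in practice this admits LAN clients to
  # the router's own HTTPS service rather than the whole internet.
  add action=accept chain=input comment=";;; Allow HTTPS from all" dst-port=443 protocol=tcp
  add action=accept chain=input comment=";;; Allow WINBOX from Home" dst-port=8291 protocol=tcp src-address=192.168.28.0/24
  add action=accept chain=input comment=";;; Allow NTP from LAN" dst-port=123 protocol=udp src-address=192.168.28.0/24
  add action=accept chain=forward comment=";;; Allow Internet from LAN" src-address=192.168.28.0/24
  add action=accept chain=input dst-port=1900 protocol=udp src-address=192.168.28.0/24
  add action=accept chain=input dst-port=2828 protocol=tcp src-address=192.168.28.0/24
  # Default-deny for the router itself. The forward chain has no final drop (the
  # one below is disabled), so new connections to the dst-nat targets are admitted
  # by the chain's default accept; enabling it would also block those forwards.
  add action=drop chain=input comment=";;; DROP ALL REQUEST"
  add action=drop chain=forward disabled=yes src-address=!192.168.28.0/24
  /ip firewall mangle
  # Policy routing: traffic to destinations in the VPN address list gets the "vpn"
  # routing mark (the matching route table is configured elsewhere).
  add action=mark-routing chain=prerouting dst-address-list=VPN new-routing-mark=vpn
  /ip firewall nat
  add action=masquerade chain=srcnat out-interface=ether1
  # Fixed: "dd" -> "add" (typo). As written the line was not a valid command, so
  # importing this script stopped here and the web-server forward was never added.
  add action=dst-nat chain=dstnat comment="Web server" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.28.10 to-ports=80
  add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.28.10 to-ports=443
  add action=dst-nat chain=dstnat dst-port=8980 in-interface=ether1 protocol=tcp to-addresses=192.168.28.146 to-ports=8980
  add action=dst-nat chain=dstnat comment="Enable Jabber server port forwarding" dst-port=5222 in-interface=ether1 protocol=tcp to-addresses=192.168.28.10 to-ports=5222
  add action=dst-nat chain=dstnat dst-port=5269 in-interface=ether1 protocol=tcp to-addresses=192.168.28.10 to-ports=5269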