- # RouterOS configuration export (addresses and credentials redacted with x/X).
- # Covers: IPsec proposal, DHCP for the LAN, an OpenVPN client and an
- # L2TP/IPsec client, address-list based brute-force blocking on the input
- # chain, policy routing of LAN traffic into a TUNNEL routing table, service
- # hardening, clock/NTP, logging and watchdog. Rule order inside each
- # firewall section is significant: rules are evaluated top to bottom.
- /ip ipsec proposal
- # Default proposal: encryption pinned to AES-128-CBC (auth/PFS left at defaults).
- set [ find default=yes ] enc-algorithms=aes-128-cbc
- /ip pool
- # DHCP pool .129-.254; presumably the upper half of the ether2 /24 below.
- add name=dhcp_pool1 ranges=XX.XX.XX.129-XX.XX.XX.254
- /ip dhcp-server
- # DHCP served on ether2 (the LAN side) with a 1-day lease.
- add address-pool=dhcp_pool1 disabled=no interface=ether2 lease-time=1d name=\
- dhcp1
- /interface ovpn-client
- # OpenVPN client, AES-128. The password sits in clear text in an export
- # unless the export is taken with hide-sensitive; here it is redacted.
- add cipher=aes128 connect-to=XX.XX.XX.XX mac-address=XX:XX:XX:XX:XX:XX name=\
- ovpn-out1 password="XXXXX" profile=default-encryption user=xxxxx
- /interface l2tp-client
- # L2TP client wrapped in IPsec (use-ipsec=yes, pre-shared secret);
- # PPP authentication restricted to MS-CHAPv2 only.
- add allow=mschap2 connect-to=XX.XX.XX.XX ipsec-secret=xxxxxxxx name=\
- l2tp-out1 password=xxxxxxxx profile=default use-ipsec=yes user=xxxxxxx
- /ip address
- # ether1: /30 point-to-point address (presumably the uplink).
- add address=xxxxxxxxxx/30 interface=ether1 network=xx.xx.xx.xx
- # ether2: router is .1 of the LAN /24 (also the DHCP gateway below).
- add address=xx.xx.xx.1/24 interface=ether2 network=xx.xx.xx.0
- /ip dhcp-server network
- # Clients get Google DNS (8.8.8.8) and the router's .1 as gateway.
- add address=xx.xx.xx.0/24 dns-server=8.8.8.8 domain=\
- somedomain.com gateway=xx.xx.xx.1
- /ip firewall filter
- # --- FTP brute-force handling ---
- # Sources already on ftp_blacklist are dropped on 21/22/23 first.
- add action=drop chain=input comment="drop brute forcers" dst-port=21,22,23 \
- protocol=tcp src-address-list=ftp_blacklist
- # Outbound "530 Login incorrect" replies are accepted while under
- # dst-limit 1/1m burst 5 per destination; the next rule only sees the excess.
- add action=accept chain=output content="530 Login incorrect" dst-limit=\
- 1/1m,5,dst-address/1m protocol=tcp
- # Destinations that exceeded the limit are blacklisted for 1w3d.
- add action=add-dst-to-address-list address-list=ftp_blacklist \
- address-list-timeout=1w3d chain=output content="530 Login incorrect" \
- protocol=tcp
- # --- SSH brute-force staging (stage1 -> stage2 -> stage3 -> blacklist) ---
- # Blacklisted sources are dropped before the staging rules run.
- add action=drop chain=input comment="drop brute forcers" dst-port=21,22,23 \
- protocol=tcp src-address-list=ssh_blacklist
- # A new connection from a stage3 source promotes it to the blacklist (1w3d).
- add action=add-src-to-address-list address-list=ssh_blacklist \
- address-list-timeout=1w3d chain=input connection-state=new dst-port=\
- 21,22,23 protocol=tcp src-address-list=ssh_stage3
- # stage2 -> stage3 (10m window).
- add action=add-src-to-address-list address-list=ssh_stage3 \
- address-list-timeout=10m chain=input connection-state=new dst-port=\
- 21,22,23 protocol=tcp src-address-list=ssh_stage2
- # stage1 -> stage2 (5m window).
- add action=add-src-to-address-list address-list=ssh_stage2 \
- address-list-timeout=5m chain=input connection-state=new dst-port=\
- 21,22,23 protocol=tcp src-address-list=ssh_stage1
- # Any new connection to 21/22/23 enters stage1 (1m window). None of the
- # staging rules drop; they only tag. The actual drop is the rule above.
- add action=add-src-to-address-list address-list=ssh_stage1 \
- address-list-timeout=1m chain=input connection-state=new dst-port=\
- 21,22,23 protocol=tcp
- # NOTE(review): this export has no established/related accept and no
- # terminal drop on the input chain, so sources not on a blacklist reach
- # every service still enabled under /ip service (see below) — confirm
- # whether a default-deny is applied elsewhere.
- /ip firewall mangle
- # Router-originated traffic from 10.x.1.0/24 goes to the TUNNEL table.
- add action=mark-routing chain=output new-routing-mark=TUNNEL src-address=\
- 10.x.1.0/24
- # Router-originated traffic to 10.1.0.0/16 goes to the TUNNEL table.
- add action=mark-routing chain=output dst-address=10.1.0.0/16 \
- new-routing-mark=TUNNEL
- # LAN (ether2) traffic to anything NOT on the DIA address-list is routed
- # via TUNNEL. The DIA list itself is not defined in this export.
- add action=mark-routing chain=prerouting dst-address-list=!DIA in-interface=\
- ether2 new-routing-mark=TUNNEL passthrough=yes src-address=xx.xx.xx.0/24
- /ip firewall nat
- # Only DIA-listed destinations are masqueraded; TUNNEL-routed traffic is not.
- add action=masquerade chain=srcnat dst-address-list=DIA
- /ip ipsec policy
- # Policy 0 widened to any-to-any (presumably the L2TP/IPsec template).
- set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
- /ip route
- # TUNNEL table: default route and a /24 both via XX.XX.XX.1.
- add distance=1 gateway=XX.XX.XX.1 routing-mark=TUNNEL
- add distance=1 dst-address=XX.XX.XX.0/24 gateway=XX.XX.XX.1 routing-mark=TUNNEL
- # Main table default route.
- add distance=1 gateway=xx.xx.xx.xx
- /ip service
- # Plaintext/legacy management disabled. Services not listed here (ssh,
- # winbox, www-ssl) keep their defaults and no address= restriction is set.
- set telnet disabled=yes
- set ftp disabled=yes
- set www disabled=yes
- set api disabled=yes
- set api-ssl disabled=yes
- /system clock
- set time-zone-autodetect=no time-zone-name=CST6CDT
- /system identity
- set name=nunya
- /system logging
- # Extra log topics for the two VPN clients above.
- add topics=ipsec
- add topics=l2tp
- /system ntp client
- # Time sync from two fixed NTP addresses.
- set enabled=yes primary-ntp=192.5.41.40 secondary-ntp=192.5.41.41
- /system watchdog
- # Software watchdog auto-reboot turned off.
- set watchdog-timer=no