sa_drug

[MT]: IP filter default settings

Oct 20th, 2021 (edited)
199
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #
  2. /ip firewall address-list add address=10.0.0.0/8 list=alst-ALLOW-TO-CONNECT
  3. /ip firewall address-list add address=192.168.0.0/16 list=alst-ALLOW-TO-CONNECT
  4. /ip firewall address-list add address=172.16.0.0/12 list=alst-ALLOW-TO-CONNECT
  5. /ip firewall address-list add address=10.2.4.0/24 list=alst-WHITE-LIST
  6. #
  7. /ip firewall connection tracking set generic-timeout=3m tcp-established-timeout=2h tcp-max-retrans-timeout=2m tcp-unacked-timeout=2m
  8. #
  9. /ip firewall filter add action=log chain=recent comment="=RECENT=" disabled=yes
  10. /ip firewall filter add action=add-src-to-address-list address-list=alst-BAN-MNGMT address-list-timeout=30m chain=recent comment="Stage #4 - ban action" log=yes log-prefix=banned-mngmt src-address-list=alst-RECENT-ST3
  11. /ip firewall filter add action=add-src-to-address-list address-list=alst-RECENT-ST3 address-list-timeout=1m chain=recent comment="Stage #3 - third connection match" src-address-list=alst-RECENT-ST2
  12. /ip firewall filter add action=add-src-to-address-list address-list=alst-RECENT-ST2 address-list-timeout=1m chain=recent comment="Stage #2 - second connection match" src-address-list=alst-RECENT-ST1
  13. /ip firewall filter add action=add-src-to-address-list address-list=alst-RECENT-ST1 address-list-timeout=1m20s chain=recent comment="Stage #1 - initial connection attempt"
  14. /ip firewall filter add action=accept chain=recent comment="Default rule"
  15. #
  16. /ip firewall filter add action=log chain=mngmt comment="=MNGMT=" disabled=yes
  17. /ip firewall filter add action=accept chain=mngmt comment="Access :: WHITE-LIST networks" dst-limit=1/5m,9,src-address/5m src-address-list=alst-WHITE-LIST
  18. /ip firewall filter add action=reject chain=mngmt log=yes protocol=tcp reject-with=tcp-reset src-address-list=alst-WHITE-LIST
  19. /ip firewall filter add action=jump chain=mngmt comment="Default rule" dst-limit=1/5m,9,src-address/5m jump-target=recent protocol=tcp src-address-list=alst-ALLOW-TO-CONNECT
  20. /ip firewall filter add action=drop chain=mngmt log-prefix=drop protocol=tcp
  21. #
  22. /ip firewall filter add action=log chain=icmp comment="=ICMP=" disabled=yes
  23. /ip firewall filter add action=accept chain=icmp comment="Allow certain types of ICMP types" icmp-options=0 protocol=icmp
  24. /ip firewall filter add action=accept chain=icmp icmp-options=3:0-4 protocol=icmp
  25. /ip firewall filter add action=accept chain=icmp icmp-options=11 protocol=icmp
  26. /ip firewall filter add action=accept chain=icmp comment="Limit ICMP echo replies" dst-limit=300,50,src-address/1s icmp-options=8 protocol=icmp
  27. #
  28. /ip firewall filter add action=drop chain=icmp comment="Default rule"
  29. /ip firewall filter add action=log chain=input comment="=INPUT=" disabled=yes
  30. /ip firewall filter add action=accept chain=input comment="Management :: Watchdog" dst-address=127.0.0.0/8 src-address-type=local
  31. /ip firewall filter add action=drop chain=input protocol=tcp src-address=127.0.0.0/8
  32. /ip firewall filter add action=jump chain=input comment="Management :: ICMP" jump-target=icmp protocol=icmp
  33. /ip firewall filter add action=jump chain=input comment="Management :: FTP,SSH,TELNET,WINBOX" connection-state=new dst-address-type=local dst-port=21,22,23,8291 jump-target=mngmt protocol=tcp
  34. /ip firewall filter add chain=input comment="Management :: SNMP,MDP,CAPSMAN" connection-state=new dst-address-type=local dst-port=161,5246,5247,5678 protocol=udp src-address-list=alst-ALLOW-TO-CONNECT
  35. /ip firewall filter add action=accept chain=input comment="Established & related" connection-state=established,related
  36. /ip firewall filter add action=drop chain=input comment=Invalid connection-state=invalid
  37. /ip firewall filter add action=add-src-to-address-list address-list=alst-BAN-PSD address-list-timeout=1d chain=input comment="Other :: Portscanning detect" psd=21,5m,3,1
  38. /ip firewall filter add action=drop chain=input comment="Default rule"
  39. #
  40. /ip firewall filter add action=log chain=output comment="=OUTPUT=" disabled=yes
  41. /ip firewall filter add action=accept chain=output comment="FTP :: Block password bruteforce" content="530 Login incorrect" dst-limit=1/1m,4,dst-address/1m protocol=tcp
  42. /ip firewall filter add action=add-dst-to-address-list address-list=alst-BAN-CLRTXT address-list-timeout=30m chain=output content="530 Login incorrect" dst-address-list=!alst-WHITE-LIST log=yes log-prefix=banned-ftp protocol=tcp
  43. /ip firewall filter add action=accept chain=output comment="TELNET :: Block password bruteforce" content="Login failed, incorrect username or password" dst-limit=1/1m,4,dst-address/1m protocol=tcp
  44. /ip firewall filter add action=add-dst-to-address-list address-list=alst-BAN-CLRTXT address-list-timeout=30m chain=output content="Login failed, incorrect username or password" dst-address-list=!alst-WHITE-LIST log=yes log-prefix=banned-telnet protocol=tcp
  45. /ip firewall filter add action=accept chain=output comment="Default rule" src-address-type=local
  46. /ip firewall filter add action=drop chain=output
  47. #
  48. /ip firewall filter add action=log chain=forward comment="=FORWARD=" disabled=yes
  49. /ip firewall filter add action=drop chain=forward comment="Default rule"
  50. #
  51. /ip firewall raw add action=drop chain=prerouting comment="=DROP-SMB=" dst-port=135,137-139,445 protocol=udp
  52. /ip firewall raw add action=drop chain=prerouting dst-port=1024-65535 protocol=udp src-port=137
  53. /ip firewall raw add action=drop chain=prerouting dst-port=135,139,445 protocol=tcp
  54. /ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-ANYWAY=" src-address-list=alst-BAN-ANYWAY
  55. /ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-MNGMT=" src-address-list=alst-BAN-MNGMT
  56. /ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-FTP-TELNET=" dst-address-type=local dst-port=20,21,23 protocol=tcp src-address-list=alst-BAN-CLRTXT
  57. /ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-PSD=" src-address-list=alst-BAN-PSD
  58.  
RAW Paste Data