saper_2

mt firewall

Nov 24th, 2018
  1. /ip firewall filter
  2. add action=log chain=input disabled=yes in-interface=WAN1-SFP log-prefix=in_wan1_
  3. add action=log chain=input disabled=yes in-interface=sfpplus log-prefix=in_wan2_
  4. add action=log chain=output disabled=yes log-prefix=out_wan1_ out-interface=WAN1-SFP
  5. add action=log chain=output disabled=yes log-prefix=out_wan2_ out-interface=sfpplus
  6. add action=log chain=input comment="LOG NTP Request" dst-address=192.168.1.1 dst-port=123 in-interface=LAN log=yes log-prefix=NTP protocol=udp
  7. add action=accept chain=input comment="accept established connection packets" connection-state=established
  8. add action=accept chain=input comment="accept related connection packets" connection-state=related
  9. add action=drop chain=input comment="drop invalid packets" connection-state=invalid
  10. add action=accept chain=input comment="Allow access to router from known network (addresses): safe" src-address-list=safe
  11. add action=drop chain=input comment="detect and drop port scan connections" log=yes log-prefix=port-scan-detected protocol=tcp psd=21,3s,3,1
  12. add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 log=yes log-prefix=DoS-TARPIT protocol=tcp src-address-list=black_list
  13. add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
  14. add action=jump chain=input comment="jump: services" jump-target=services
  15. add action=jump chain=input comment="jump: ICMP" jump-target=ICMP protocol=icmp
  16. add action=accept chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
  17. add action=log chain=input disabled=yes log-prefix=Filter:
  18. add action=drop chain=input comment="Drop anything else" log-prefix=in-drop-
  19. add action=jump chain=forward comment="Go to chain for banning computers access" jump-target=internet_ban
  20. add action=accept chain=ICMP comment="0:0 and limit for 5p/sec" icmp-options=0:0-255 limit=5,5 protocol=icmp
  21. add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
  22. add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
  23. add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5 protocol=icmp
  24. add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5 protocol=icmp
  25. add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
  26. add action=return chain=ICMP
  27. add action=accept chain=services comment="accept localhost" dst-address=127.0.0.1 src-address=127.0.0.1
  28. add action=accept chain=services comment="allow MACwinbox " dst-port=20561 in-interface=LAN protocol=udp
  29. add action=accept chain=services comment="Bandwidth server" disabled=yes dst-port=2000 protocol=tcp
  30. add action=accept chain=services comment=" MT Discovery Protocol" dst-port=5678 in-interface=LAN protocol=udp
  31. add action=accept chain=services comment="allow SNMP" dst-port=161 in-interface=LAN protocol=tcp
  32. add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
  33. add action=accept chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 protocol=udp
  34. add action=accept chain=services comment="Allow NTP" dst-port=123 in-interface=LAN protocol=udp
  35. add action=accept chain=services comment="Allow PPTP" disabled=yes dst-port=1723 protocol=tcp
  36. add action=accept chain=services comment="allow PPTP and EoIP" disabled=yes protocol=gre
  37. add action=accept chain=services comment="allow OpenVPN" dst-port=22897 protocol=tcp
  38. add action=accept chain=services comment="allow DNS request" dst-port=53 in-interface=LAN protocol=tcp
  39. add action=accept chain=services comment="Allow DNS request" dst-port=53 in-interface=LAN protocol=udp
  40. add action=accept chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
  41. add action=accept chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
  42. add action=accept chain=services comment="allow DHCP" disabled=yes dst-port=67-68 protocol=udp
  43. add action=accept chain=services comment="allow Web Proxy" disabled=yes dst-port=8080 protocol=tcp
  44. add action=accept chain=services comment="allow IPIP" disabled=yes protocol=ipencap
  45. add action=accept chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
  46. add action=accept chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
  47. add action=accept chain=services comment="allow IPSec connections" disabled=yes dst-port=500 protocol=udp
  48. add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-esp
  49. add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-ah
  50. add action=accept chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
  51. add action=accept chain=services comment="allow OSPF" disabled=yes protocol=ospf
  52. add action=accept chain=services comment="Allow remote WinBox IP" disabled=yes dst-port=8291 protocol=tcp
  53. add action=accept chain=services comment="COMPUTER: xxxx - RDP" dst-port=18654 log=yes log-prefix=spc-fw-filter protocol=udp
  54. add action=accept chain=services comment="COMPUTER: xxxx - RDP" dst-port=18654 protocol=tcp
  55. add action=return chain=services comment="end: SERVICES"
  56. add action=reject chain=internet_ban comment="BAN: XXXXX internet" reject-with=icmp-net-prohibited src-mac-address=11:22:22:33:44:55
  57. add action=return chain=internet_ban comment="END BAN LIST