wandibudiana

Mikrotik RouterOS Firewall Filter

  1. ##################################
  2. Mikrotik RouterOS Firewall Filter
  3. ##################################
  4.  
  5. o Block Invalid Connection
  6. o Block Open Proxy User
  7. o Block Bogus IP Address
  8. o Block Torrent
  9. o Bruteforce login prevention (FTP)
  10. o Drop SSH brute forcers
  11. o Port Scanners to list
  12. o Filter FTP to Box
  13. o Separate Protocol into Chains
  14. - UDP :: Blocking UDP Packet
  15. - TCP :: Blocking TCP Packet
  16. - ICMP :: Rate-limit ICMP (ping flood protection)
  17. o Allow Broadcast Traffic
  18. o Add Game Traffic to Address-list
  19. o Add Facebook Traffic to Address-list
  20. o Add Youtube Traffic to Address-list
  21. o Connection State
  22.  
  23.  
  24. Basic Rules
  25.  
  26. /ip firewall address-list
  27. add address=192.168.2.0/24 disabled=no list=Local-Address
  28. add address=192.168.3.2/32 disabled=no list=Proxy-Address
  29.  
  30. /interface ethernet
  31. set 0 name=Public
  32. set 1 name=Local
  33. set 2 name=Proxy
  34.  
  35. /interface pppoe-client
  36. add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment=\
  37. "PPPoE Speedy" dial-on-demand=no disabled=no interface=Public max-mru=\
  38. 1480 max-mtu=1480 mrru=disabled name=Speedy password=ABCDEF12GH profile=\
  39. default service-name="" use-peer-dns=no [email protected]
  40.  
  41. o Block Invalid Connection
  42. /ip firewall filter
  43. add action=drop chain=input comment="Drop Invalid connections" \
  44. connection-state=invalid disabled=no
  45.  
  46. o Block Open Proxy User
  47. /ip firewall filter
  48. add action=drop chain=input comment="Blok Open Proxy User" disabled=no \
  49. dst-port=3128,8080,3229 in-interface=Speedy protocol=tcp src-address=\
  50. 0.0.0.0/0
  51.  
  52. o Block Bogus IP Address
  53. /ip firewall filter
  54. add action=drop chain=forward comment="Block Bogus IP Address" disabled=no \
  55. src-address=0.0.0.0/8
  56. add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
  57. add action=drop chain=forward disabled=no src-address=127.0.0.0/8
  58. add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
  59. add action=drop chain=forward disabled=no src-address=224.0.0.0/3
  60. add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
  61.  
  62. o Block Torrent
  63. /ip firewall layer7-protocol
  64. add name=p2p_sites regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
  65. add comment="" name=p2p_dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
  66.  
  67. /ip firewall filter
  68. add action=drop chain=forward comment="block p2p_sites" disabled=no layer7-protocol=p2p_sites
  69. add action=drop chain=forward comment="block p2p_dns" disabled=no dst-port=53 layer7-protocol=p2p_dns protocol=udp
  70.  
  71.  
  72. /ip firewall filter
  73. add action=drop chain=input comment="Drop FTP brute forcers" disabled=no \
  74. dst-port=21 protocol=tcp src-address-list=ftp_blacklist
  75. add action=accept chain=output content="530 Login incorrect" disabled=no \
  76. dst-limit=1/1m,9,dst-address/1m protocol=tcp
  77. add action=add-dst-to-address-list address-list=ftp_blacklist \
  78. address-list-timeout=3h chain=output content="530 Login incorrect" \
  79. disabled=no protocol=tcp
  80.  
  81. add action=drop chain=input comment="Drop SSH brute forcers" disabled=no \
  82. dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  83. add action=add-src-to-address-list address-list=ssh_blacklist \
  84. address-list-timeout=1w3d chain=input connection-state=new disabled=no \
  85. dst-port=22 protocol=tcp src-address-list=ssh_stage3
  86. add action=add-src-to-address-list address-list=ssh_stage3 \
  87. address-list-timeout=1m chain=input connection-state=new disabled=no \
  88. dst-port=22 protocol=tcp src-address-list=ssh_stage2
  89. add action=add-src-to-address-list address-list=ssh_stage2 \
  90. address-list-timeout=1m chain=input connection-state=new disabled=no \
  91. dst-port=22 protocol=tcp src-address-list=ssh_stage1
  92. add action=add-src-to-address-list address-list=ssh_stage1 \
  93. address-list-timeout=1m chain=input connection-state=new disabled=no \
  94. dst-port=22 protocol=tcp
  95. add action=drop chain=forward comment="Drop SSH brute downstream" disabled=no \
  96. dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  97. add action=drop chain=input comment="SYN filter" connection-state=new \
  98. disabled=no protocol=tcp tcp-flags=!syn
  99. add action=add-src-to-address-list address-list="port scanners" \
  100. address-list-timeout=2w chain=input comment="Port scanners to list " \
  101. disabled=no protocol=tcp psd=21,3s,3,1
  102. add action=add-src-to-address-list address-list="port scanners" \
  103. address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
  104. disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
  105. add action=add-src-to-address-list address-list="port scanners" \
  106. address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
  107. protocol=tcp tcp-flags=fin,syn
  108. add action=add-src-to-address-list address-list="port scanners" \
  109. address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
  110. protocol=tcp tcp-flags=syn,rst
  111. add action=add-src-to-address-list address-list="port scanners" \
  112. address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
  113. no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
  114. add action=add-src-to-address-list address-list="port scanners" \
  115. address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
  116. protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
  117. add action=add-src-to-address-list address-list="port scanners" \
  118. address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
  119. protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
  120. add action=add-src-to-address-list address-list="port scanners" \
  121. address-list-timeout=1d chain=input comment="NMAP UDP scan" disabled=no \
  122. packet-size=0-28 protocol=udp
  123. add action=drop chain=input comment="dropping port scanners" disabled=no \
  124. src-address-list="port scanners"
  125. add action=drop chain=forward comment="dropping port scanners" disabled=no \
  126. src-address-list="port scanners"
  127.  
  128. o Part of Block Invalid Connection
  129. /ip firewall filter
  130. add action=accept chain=input comment="Allow established connections" \
  131. connection-state=established disabled=no
  132. add action=accept chain=input comment="Allow related connections" \
  133. connection-state=related disabled=no
  134. add action=accept chain=input comment="Allow local traffic" disabled=no \
  135. dst-address-type=local src-address-type=local
  136. add action=accept chain=input comment="Allow ICMP from LOCAL network" \
  137. disabled=no protocol=icmp src-address-list=Local-Address
  138. add action=accept chain=input comment="Allow ICMP from PROXY" disabled=no \
  139. protocol=icmp src-address-list=Proxy-Address
  140. add action=accept chain=input comment="Allow input from LOCAL network" \
  141. disabled=no src-address-list=Local-Address
  142. add action=accept chain=input comment="Allow input from PROXY" disabled=no \
  143. src-address-list=Proxy-Address
  144. add action=accept chain=input comment=\
  145. "Allow Winbox Access ---------- CHECK BEFORE ENABLED" disabled=no \
  146. dst-port=8291 in-interface=Speedy protocol=tcp
  147. add action=accept chain=forward comment=\
  148. "Allow SSH Access ----- CHECK BEFORE ENABLED" disabled=yes dst-port=22 \
  149. in-interface=Speedy protocol=tcp
  150. add action=drop chain=input comment="Drop everything else" disabled=no
  151.  
  152.  
  153. add action=jump chain=forward comment="Packet filtering" disabled=no \
  154. jump-target=tcp protocol=tcp
  155. add action=jump chain=forward disabled=no jump-target=udp protocol=udp
  156. add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
  157. add action=drop chain=tcp comment="Drop BLACKLIST silakan bikin" disabled=no \
  158. dst-address-list=Blacklist protocol=tcp
  159. add action=drop chain=tcp comment="Drop Telnet" disabled=no dst-port=23 \
  160. protocol=tcp
  161. add action=drop chain=tcp comment="Drop SMTP" disabled=no dst-port=25 \
  162. protocol=tcp
  163. add action=drop chain=tcp comment="Drop DHCP" disabled=no dst-port=67-68 \
  164. protocol=tcp
  165. add action=drop chain=tcp comment="Drop TFTP" disabled=no dst-port=69 \
  166. protocol=tcp
  167. add action=drop chain=tcp comment="Drop Finger" disabled=no dst-port=79 \
  168. protocol=tcp
  169. add action=drop chain=tcp comment="Drop POP3" disabled=no dst-port=110 \
  170. protocol=tcp
  171. add action=reject chain=tcp comment="Reject ident probes" disabled=no \
  172. dst-port=113 protocol=tcp reject-with=tcp-reset
  173. add action=drop chain=tcp comment="Drop NNTP" disabled=no dst-port=119 \
  174. protocol=tcp
  175. add action=drop chain=tcp comment="Drop RPC portmapper, NFS" disabled=no \
  176. dst-port=111,645,2049,32769 protocol=tcp
  177. add action=drop chain=tcp comment="Drop NetBIOS" disabled=no dst-port=135-139 \
  178. protocol=tcp
  179. add action=drop chain=tcp comment="Drop IMAP" disabled=no dst-port=143 \
  180. protocol=tcp
  181. add action=drop chain=tcp comment="Drop LDAP" disabled=no dst-port=389 \
  182. protocol=tcp
  183. add action=drop chain=tcp comment="Drop cifs" disabled=no dst-port=\
  184. 445,1433,1434 protocol=tcp
  185. add action=drop chain=tcp comment="Drop ms-ils" disabled=no dst-port=1002 \
  186. protocol=tcp
  187. add action=drop chain=tcp comment="Drop DCOM" disabled=no dst-port=1024-1030 \
  188. protocol=tcp
  189. add action=drop chain=tcp comment="Drop UPnP" disabled=no dst-port=5000 \
  190. protocol=tcp
  191. add action=drop chain=tcp comment="Drop Bla, Attack FTP" disabled=no \
  192. dst-port=666,1042 protocol=tcp
  193. add action=drop chain=tcp comment="Drop Ultors Trojan" disabled=no dst-port=\
  194. 1243 protocol=tcp
  195. add action=drop chain=tcp comment="Drop Remote Explorer 2000" disabled=no \
  196. dst-port=2000 protocol=tcp
  197. add action=drop chain=tcp comment="Drop P2P Edonkey2000" disabled=no \
  198. dst-port=4661,4671 protocol=tcp
  199. add action=drop chain=tcp comment="Drop SubSeven" disabled=no dst-port=\
  200. 1243,6711,6712,6713,6776,27374 protocol=tcp
  201. add action=drop chain=tcp comment="Drop Dark FTP, IRC, Backdoor, DeepThroat" \
  202. disabled=no dst-port=6667,6670,6711,6969,7000 protocol=tcp
  203. add action=drop chain=tcp comment="Drop NetBus, Exploiter, Donald Dick" \
  204. disabled=no dst-port=12345,12346,21554,22222 protocol=tcp
  205. add action=drop chain=tcp comment="Drop DuckToy" disabled=no dst-port=29559 \
  206. protocol=tcp
  207. add action=drop chain=tcp comment="Drop Back Orifice" disabled=no dst-port=\
  208. 31337,31338 protocol=tcp
  209. add action=drop chain=udp comment="Drop BLACKLIST udp bikin sendiri" \
  210. disabled=no dst-address-list=Blacklist protocol=udp
  211. add action=drop chain=udp comment="Drop RPC portmapper, NFS" disabled=no \
  212. dst-port=111,644,2049,32770 protocol=udp
  213. add action=drop chain=udp comment="Drop NetBIOS" disabled=no dst-port=135-139 \
  214. protocol=udp
  215. add action=drop chain=udp comment="Drop cifs" disabled=no dst-port=445 \
  216. protocol=udp
  217. add action=drop chain=udp comment="Drop Dynamic RPC" disabled=no dst-port=\
  218. 1025-1035 protocol=udp
  219. add action=drop chain=udp comment="Drop BackOriffice" disabled=no dst-port=\
  220. 31337,31338 protocol=udp
  221. add action=add-dst-to-address-list address-list=facebook \
  222. address-list-timeout=10m chain=tcp comment=FACEBOOK content=.facebook.com \
  223. disabled=no dst-address=!192.168.3.2 dst-address-list=!Local-Address \
  224. dst-port=80,433 protocol=tcp
  225. add action=add-dst-to-address-list address-list=facebook \
  226. address-list-timeout=10m chain=tcp content=.akamaihd.net disabled=no \
  227. dst-address=!192.168.3.2 dst-address-list=!Local-Address dst-port=80,443 \
  228. protocol=tcp
  229. add action=add-dst-to-address-list address-list=facebook \
  230. address-list-timeout=10m chain=tcp content=.fbcdn.net disabled=no \
  231. dst-address=!192.168.3.2 dst-address-list=!Local-Address dst-port=80,443 \
  232. protocol=tcp
  233. add action=add-dst-to-address-list address-list=game-facebook \
  234. address-list-timeout=10m chain=tcp content=.zynga.com disabled=no \
  235. dst-address=!192.168.3.2 dst-address-list=!Local-Address dst-port=80,443 \
  236. protocol=tcp
  237. add action=add-dst-to-address-list address-list=game-facebook \
  238. address-list-timeout=10m chain=tcp comment="Zynga Poker" disabled=no \
  239. dst-address=!192.168.3.2 dst-address-list=!Local-Address dst-port=\
  240. 843,9339 protocol=tcp
  241. add action=add-dst-to-address-list address-list=games_iix \
  242. address-list-timeout=10m chain=tcp comment=GAMES content=.gemscool.com \
  243. disabled=no dst-address=!192.168.3.2 dst-address-list=!Local-Address \
  244. dst-port=80,443 protocol=tcp
  245. add action=add-dst-to-address-list address-list=games_iix \
  246. address-list-timeout=10m chain=tcp content=.megaxus.com disabled=no \
  247. dst-address=!192.168.3.2 dst-address-list=!Local-Address dst-port=80,443 \
  248. protocol=tcp
  249. add action=add-dst-to-address-list address-list=games_iix \
  250. address-list-timeout=10m chain=tcp comment="GAMES TCP" disabled=no \
  251. dst-address=!192.168.3.2 dst-address-list=!Local-Address dst-port=\
  252. 1818,2001,3010,4300,5105,5121,5126,5171,5340-5352,6000-6152,7777 \
  253. protocol=tcp
  254. add action=add-dst-to-address-list address-list=games_iix \
  255. address-list-timeout=10m chain=tcp disabled=no dst-address=!192.168.3.2 \
  256. dst-address-list=!Local-Address dst-port=\
  257. 7341-7350,7451,8085,9600,9601-9602,9300,9376-9377,9400,9700,10001-10011 \
  258. protocol=tcp
  259. add action=add-dst-to-address-list address-list=games_iix \
  260. address-list-timeout=10m chain=tcp disabled=no dst-address=!192.168.3.2 \
  261. dst-address-list=!Local-Address dst-port="10402,11011-11041,12011,12110,13\
  262. 008,13413,15000-15002,16402-16502,16666,18901-18909,19000" protocol=tcp
  263. add action=add-dst-to-address-list address-list=games_iix \
  264. address-list-timeout=10m chain=tcp disabled=no dst-address=!192.168.3.2 \
  265. dst-address-list=!Local-Address dst-port=\
  266. 19101,22100,27780,28012,29000,29200,39100,39110,39220,39190,40000,49100 \
  267. protocol=tcp
  268. add action=add-dst-to-address-list address-list=games_iix \
  269. address-list-timeout=10m chain=tcp disabled=no dst-address=!192.168.3.2 \
  270. dst-address-list=!Local-Address dst-port=14009-14010 protocol=tcp
  271. add action=add-dst-to-address-list address-list=games_iix \
  272. address-list-timeout=10m chain=tcp comment="GAME UDP" disabled=no \
  273. dst-address=!192.168.3.2 dst-address-list=!Local-Address dst-port=\
  274. 14009-14010 protocol=udp
  275. add action=add-dst-to-address-list address-list=games_iix \
  276. address-list-timeout=10m chain=tcp disabled=no dst-address=!192.168.3.2 \
  277. dst-address-list=!Local-Address dst-port="1293,1479,6100-6152,7777-7977,80\
  278. 01,9401,9600-9602,12020-12080,30000,40000-40010" protocol=udp
  279. add action=add-dst-to-address-list address-list=games_iix \
  280. address-list-timeout=10m chain=tcp disabled=no dst-address=!192.168.3.2 \
  281. dst-address-list=!Local-Address dst-port=\
  282. 42051-42052,11100-11125,11440-11460 protocol=udp
  283. add action=accept chain=icmp comment="Limit packets 5/secs" disabled=no \
  284. icmp-options=0:0-255 limit=5,5 protocol=icmp
  285. add action=accept chain=icmp comment="Limit packets 5/secs" disabled=no \
  286. icmp-options=3:0 protocol=icmp
  287. add action=accept chain=icmp comment="Limit packets 5/secs" disabled=no \
  288. icmp-options=3:3 limit=5,5 protocol=icmp
  289. add action=accept chain=icmp comment="Limit packets 5/secs" disabled=no \
  290. icmp-options=3:4 limit=5,5 protocol=icmp
  291. add action=accept chain=icmp comment="Limit packets 5/secs" disabled=no \
  292. icmp-options=8:0-255 limit=5,5 protocol=icmp
  293. add action=accept chain=icmp comment="Limit packets 5/secs" disabled=no \
  294. icmp-options=11:0-255 limit=5,5 protocol=icmp
  295. add action=drop chain=icmp comment="Drop other icmp packets" disabled=no
  296. add action=drop chain=forward comment="Drop invalid connections" \
  297. connection-state=invalid disabled=no
  298. add action=accept chain=forward comment="Allow established connections" \
  299. connection-state=established disabled=no
  300. add action=accept chain=forward comment="Allow related connections" \
  301. connection-state=related disabled=no
  302. add action=accept chain=forward comment="Allow forward from Local network" \
  303. disabled=no src-address-list=Local-Address
  304. add action=accept chain=forward comment="Allow forward from PROXY" disabled=\
  305. no src-address-list=Proxy-Address