  1. /ip firewall filter
  2.  
  3. # Блокируем всех из чёрного списка
  4. add action=drop chain=input comment="Drop blocklist" dst-address-list=blocklist
  5. add action=drop chain=forward comment="Drop blocklist" dst-address-list=blocklist
  6.  
  7. # Фильтруем полезный ICMP
  8. add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="ICMP echo reply"
  9. add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="ICMP net unreachable"
  10. add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="ICMP host unreachable"
  11. add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="ICMP host unreachable fragmentation required"
  12. add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="ICMP allow source quench"
  13. add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="ICMP allow echo request"
  14. add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="ICMP allow time exceed"
  15. add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="ICMP allow parameter bad"
  16. add chain=icmp action=drop comment="ICMP deny all other types"
  17.  
  18. # Блокируем Bogon
  19. add action=drop chain=forward comment="Block Bogon IP Address" src-address=127.0.0.0/8
  20. add action=drop chain=forward dst-address=127.0.0.0/8
  21. add action=drop chain=forward src-address=224.0.0.0/3
  22. add action=drop chain=forward dst-address=224.0.0.0/3
  23.  
  24. # Блокируем DNS запросы на внешний интерфейс
  25. add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface=WAN protocol=udp
  26. add action=drop chain=input dst-port=53 in-interface=WAN protocol=tcp
  27.  
  28. # Блокируем взлом Windows
  29. # https://support.microsoft.com/ru-ru/kb/826955
  30. add action=drop chain=input comment="Block hole Windows" dst-port=135,137-139,445,593,4444 protocol=tcp
  31. add action=drop chain=forward dst-port=135,137-139,445,593,4444 protocol=tcp
  32. add action=drop chain=input dst-port=135,137-139 protocol=udp
  33. add action=drop chain=forward dst-port=135,137-139 protocol=udp
  34.  
  35. # Защита от брутфорса SSH
  36. add action=drop chain=input comment="drop ssh brute forcers" dst-port=22
  37. protocol=tcp src-address-list=ssh_blacklist
  38. add action=add-src-to-address-list address-list=ssh_blacklist
  39. address-list-timeout=3d chain=input connection-state=new dst-port=22
  40. protocol=tcp src-address-list=ssh_stage3
  41. add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=
  42. 30m chain=input connection-state=new dst-port=22 protocol=tcp
  43. src-address-list=ssh_stage2
  44. add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=
  45. 30m chain=input connection-state=new dst-port=22 protocol=tcp
  46. src-address-list=ssh_stage1
  47. add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=
  48. 30m chain=input connection-state=new dst-port=22 protocol=tcp
  49.  
  50. # Защита от сканера портов
  51. add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="Port scanners to list" disabled=no
  52. # Комбинации TCP флагов, указывающих на использование сканера портов
  53. add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="NMAP FIN Stealth scan"
  54. add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="SYN/FIN scan"
  55. add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="SYN/RST scan"
  56. add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="FIN/PSH/URG scan"
  57. add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="ALL/ALL scan"
  58. add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="NMAP NULL scan"
  59. # Запрет подключений сканеров портов
  60. add chain=input src-address-list=port_scanners action=drop comment="dropping port scanners" disabled=no
  61. add chain=forward src-address-list=port_scanners action=drop comment="dropping port scanners" disabled=no
  62.  
  63. # Разрешаем уже установленные подключения и связанные
  64. add chain=input connection-state=established action=accept comment="Allow Established connections"
  65. add chain=input connection-state=related action=accept comment="Allow Related connections"
  66.  
  67. # Разрешаем внешние подключения для собственных нужд
  68. add action=accept chain=input dst-port=22 in-interface=WAN protocol=tcp comment="Allow SSH"
  69. add action=accept chain=input dst-port=80 in-interface=WAN protocol=tcp comment="Allow HTTP"
  70. add action=accept chain=input dst-port=161 in-interface=WAN protocol=udp comment="Allow SNMP"
  71. add action=accept chain=input dst-port=443 in-interface=WAN protocol=tcp comment="Allow HTTPS"
  72. add action=accept chain=input dst-port=1194 in-interface=WAN protocol=tcp comment="Allow OpenVPN"
  73. add action=accept chain=input dst-port=1194 in-interface=WAN protocol=udp
  74. add chain=input comment="Allow L2TP" dst-port=1701 in-interface=WAN protocol=tcp
  75. add chain=input comment="Allow L2TP" dst-port=1701 in-interface=WAN protocol=udp
  76. add chain=input comment="Allow PPTP" dst-port=1723 in-interface=WAN protocol=tcp
  77. add chain=input comment="Allow GRE" in-interface=WAN protocol=gre
  78.  
  79. # Запрет всех входящих на маршрутизатор
  80. add chain=input in-interface=WAN action=drop comment="Drop everything else"
  81.  
  82. # Разрешаем уже установленные подключения и связанные
  83. add chain=forward connection-state=established action=accept comment="Allow Established connections"
  84. add chain=forward connection-state=related action=accept comment="Allow Related connections"
  85.  
  86. # Запрет транзита '''битых''' и '''неправильных''' пакетов
  87. add chain=forward connection-state=invalid action=drop comment="Drop Invalid connections"
  88.  
  89. # Заперт установки новых транзитных входящих соединений на WAN порту
  90. add action=drop chain=forward comment="Drop new forward WAN" connection-state=new in-interface=WAN
  91.  
  92. /ip firewall filter
  93. add action=accept state=related,established chain=input
  94. add action=drop chain=input