  1. may/21/2019 23:10:23 by RouterOS 6.44.2
  2. # software id = NUYP-R9S0
  3. #
  4. # model = CCR1036-8G-2S+
  5. # serial number = 4466016FC941
  6. /ip firewall layer7-protocol
  7. add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
  8. /ip firewall address-list
  9. add address=0.0.0.0/8 list=BOGONS
  10. add address=10.0.0.0/8 list=BOGONS
  11. add address=100.64.0.0/10 list=BOGONS
  12. add address=127.0.0.0/8 list=BOGONS
  13. add address=169.254.0.0/16 list=BOGONS
  14. add address=172.16.0.0/12 list=BOGONS
  15. add address=192.0.0.0/24 list=BOGONS
  16. add address=192.0.2.0/24 list=BOGONS
  17. add address=198.18.0.0/15 list=BOGONS
  18. add address=198.51.100.0/24 list=BOGONS
  19. add address=203.0.113.0/24 list=BOGONS
  20. add address=169.254.0.0/24 list=BOGONS
  21. add address=192.168.10.1-192.168.10.29 comment="BRAM Servers" list="10 Servers"
  22. add address=192.168.10.50-192.168.10.255 comment="BRAM Network" list="10 LAN"
  23. add address=192.168.50.0/24 list="50 LAN"
  24. add address=192.168.100.0/24 list="100 LAN"
  25. add address=192.168.60.0/24 list="60 LAN"
  26. add address=192.168.150.0/24 list="150 Oskol"
  27. add address=192.168.137.0/24 list="137 Home"
  28. add address=192.168.10.100 comment="BRAM Servers" disabled=yes list="10 Servers 1"
  29. add address=192.168.10.6-192.168.10.8 comment="BRAM Servers" list="10 Servers White List"
  30. add address=192.168.10.20 comment="BRAM Servers" disabled=yes list="10 Servers White List"
  31. add address=192.168.10.0/24 list=LAN
  32. add address=192.168.150.0/24 list=LAN
  33. add address=192.168.50.0/24 list=LAN
  34. add address=192.168.60.0/24 list=LAN
  35. add address=192.168.10.30-192.168.10.33 list=allow-bit
  36. add address=192.168.50.205 list=allow-bit
  37. add address=192.168.50.99 list=allow-bit
  38. /ip firewall filter
  39. add action=accept chain=forward disabled=yes
  40. add action=accept chain=input disabled=yes
  41. add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
  42. add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
  43. add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  44. add action=accept chain=input comment="Allow IKEv2 and L2TP" dst-port=1701,500,4500 port="" protocol=udp
  45. add action=accept chain=input comment="Allow PPTP" dst-port=1723,500,4500 protocol=tcp
  46. add action=accept chain=input comment="Allow IPSec" protocol=ipsec-esp
  47. add action=accept chain=input comment="Allow IPSec" protocol=ipencap
  48. add action=accept chain=input comment="Allow GRE PPTP" protocol=gre
  49. add action=accept chain=input comment="Allow Input web from home" dst-port=80 protocol=tcp src-address=217.107.---.---
  50. add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
  51. add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
  52. add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
  53. add action=add-src-to-address-list address-list="dns spoofing" address-list-timeout=1h chain=input comment="DNS soofing add list" dst-port=53 in-interface-list=WAN protocol=udp
  54. add action=drop chain=input comment="DNS dpoofing drop" dst-port=53 in-interface-list=WAN protocol=udp src-address-list="dns spoofing"
  55. add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward comment="Create torrents peer list from 10 LAN" layer7-protocol=layer7-bittorrent-exp src-address=192.168.10.0/24 src-address-list=!allow-bit
  56. add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward comment="Create torrents peer list from 50 LAN" layer7-protocol=layer7-bittorrent-exp src-address=192.168.50.0/24 src-address-list=!allow-bit
  57. add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward comment="Create torrents peer list from 60 LAN" layer7-protocol=layer7-bittorrent-exp src-address=192.168.60.0/24 src-address-list=!allow-bit
  58. add action=drop chain=forward comment="Drop from torrent list tcp" dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905,11000,2999 out-interface-list=WAN protocol=tcp src-address-list=Torrent-Conn
  59. add action=drop chain=forward comment="Drop from torrent list udp" dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905,11000,2999 out-interface-list=WAN protocol=udp src-address-list=Torrent-Conn
  60. add action=accept chain=forward comment="Allow inet for White list servers" in-interface-list=LAN out-interface-list=WAN src-address-list="10 Servers White List"
  61. add action=drop chain=forward comment="Drop inet for BRAM_Servers" in-interface-list=LAN out-interface-list=WAN src-address-list="10 Servers"
  62. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
  63. add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
  64. add action=drop chain=forward comment="defconf:  drop invalid forward" connection-nat-state=! connection-state=invalid
  65. add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log-prefix=DR
  66. add action=accept chain=forward comment="Inet from LAN" disabled=yes in-interface=!NERSI out-interface=NERSI
  67. add action=accept chain=forward comment="LAN from Ethernet" disabled=yes in-interface=!NERSI out-interface=!NERSI
  68. /ip firewall mangle
  69. add action=change-mss chain=forward comment="Change MSS for IPIP tunnel" new-mss=1300 out-interface=alx_home passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1301-65535
  70. add action=change-mss chain=forward comment="Change MSS for VPN Clients" new-mss=1300 passthrough=no protocol=tcp src-address=192.168.20.0/24 tcp-flags=syn tcp-mss=1301-65535
  71. add action=change-mss chain=forward comment="Change MSS for VPN Clients" disabled=yes new-mss=1300 passthrough=no protocol=tcp src-address=192.168.10.0/24 tcp-flags=syn tcp-mss=1301-65535
  72. add action=mark-packet chain=prerouting in-interface=NERSI new-packet-mark=inet passthrough=no
  73. add action=mark-packet chain=prerouting layer7-protocol=layer7-bittorrent-exp new-packet-mark=torrent passthrough=yes
  74. /ip firewall nat
  75. add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
  76. add action=dst-nat chain=dstnat comment="dst-nat RocketChat(chat.tvbelgorod.ru)" dst-address=178.213.---.--- dst-port=443 in-interface=NERSI protocol=tcp to-addresses=192.168.50.2 to-ports=443
  77. add action=dst-nat chain=dstnat comment="dst-nat RocketChat(chat.tvbelgorod.ru)" dst-address=178.213.---.--- dst-port=80 in-interface=NERSI protocol=tcp to-addresses=192.168.50.2 to-ports=80
  78. add action=accept chain=dstnat comment=pptp dst-port=1723 protocol=tcp
  79. add action=accept chain=dstnat comment=pptp protocol=gre
  80. add action=accept chain=dstnat comment=pptp disabled=yes
  81. add action=accept chain=dstnat comment=LM disabled=yes dst-port=5650-5651 protocol=tcp
  82. add action=accept chain=dstnat comment=ntp disabled=yes dst-port=123 protocol=udp
  83. add action=dst-nat chain=dstnat disabled=yes dst-address=178.213.---.--- dst-port=5650 in-interface=NERSI protocol=tcp to-addresses=192.168.50.1 to-ports=5650
  84. /ip firewall service-port
  85. set ftp disabled=yes
  86. set tftp disabled=yes
  87. set irc disabled=yes
  88. set h323 disabled=yes
  89. set sip disabled=yes
  90. set pptp disabled=yes ports=1723
  91. set dccp disabled=yes
  92. set sctp disabled=yes