- may/21/2019 23:10:23 by RouterOS 6.44.2
- # software id = NUYP-R9S0
- #
- # model = CCR1036-8G-2S+
- # serial number = 4466016FC941
- # NOTE(review): the export header above carries device-identifying values (software id, serial
- # number). Strip them before sharing a config publicly, the way the public IPs below were (---.---).
- /ip firewall layer7-protocol
- # Payload regex referenced by the torrent rules in the forward chain and by the prerouting mangle
- # rule further down. Layer7 matching inspects packet contents (comparatively CPU-expensive) and only
- # examines the first packets of a connection, so encrypted/obfuscated peers are not expected to
- # match -- treat this as best-effort classification rather than enforcement.
- add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
- /ip firewall address-list
- # BOGONS: reserved / not-globally-routable ranges. NOTE(review): no filter rule in this export
- # references list=BOGONS, so the list is defined but unused here; 169.254.0.0/24 (last entry) is
- # already covered by 169.254.0.0/16; multicast 224.0.0.0/4 and 240.0.0.0/4 are absent -- confirm
- # intent before wiring the list into a drop rule.
- add address=0.0.0.0/8 list=BOGONS
- add address=10.0.0.0/8 list=BOGONS
- add address=100.64.0.0/10 list=BOGONS
- add address=127.0.0.0/8 list=BOGONS
- add address=169.254.0.0/16 list=BOGONS
- add address=172.16.0.0/12 list=BOGONS
- add address=192.0.0.0/24 list=BOGONS
- add address=192.0.2.0/24 list=BOGONS
- add address=198.18.0.0/15 list=BOGONS
- add address=198.51.100.0/24 list=BOGONS
- add address=203.0.113.0/24 list=BOGONS
- add address=169.254.0.0/24 list=BOGONS
- # Named LAN segments and per-host exceptions. "10 Servers" (10.1-10.29) is denied internet by the
- # forward rules below unless the host is also in "10 Servers White List" (10.6-10.8; 10.20 disabled).
- # "LAN" aggregates the 10/150/50/60 segments but not "100 LAN" or "137 Home".
- # "allow-bit" lists hosts exempt from torrent classification.
- add address=192.168.10.1-192.168.10.29 comment="BRAM Servers" list="10 Servers"
- add address=192.168.10.50-192.168.10.255 comment="BRAM Network" list="10 LAN"
- add address=192.168.50.0/24 list="50 LAN"
- add address=192.168.100.0/24 list="100 LAN"
- add address=192.168.60.0/24 list="60 LAN"
- add address=192.168.150.0/24 list="150 Oskol"
- add address=192.168.137.0/24 list="137 Home"
- add address=192.168.10.100 comment="BRAM Servers" disabled=yes list="10 Servers 1"
- add address=192.168.10.6-192.168.10.8 comment="BRAM Servers" list="10 Servers White List"
- add address=192.168.10.20 comment="BRAM Servers" disabled=yes list="10 Servers White List"
- add address=192.168.10.0/24 list=LAN
- add address=192.168.150.0/24 list=LAN
- add address=192.168.50.0/24 list=LAN
- add address=192.168.60.0/24 list=LAN
- add address=192.168.10.30-192.168.10.33 list=allow-bit
- add address=192.168.50.205 list=allow-bit
- add address=192.168.50.99 list=allow-bit
- /ip firewall filter
- # Rule order matters: the first matching rule wins. The two disabled accept rules at the head of the
- # forward and input chains have no matchers; if re-enabled they would accept everything ahead of the
- # drop rules below -- keep them disabled or remove them.
- add action=accept chain=forward disabled=yes
- add action=accept chain=input disabled=yes
- # --- input chain: traffic addressed to the router itself ---
- add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
- add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
- add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- # The next five accepts carry no in-interface or source restriction and precede the "drop all not
- # coming from LAN" rule, so they are reachable from WAN. udp/1701 is accepted on its own, i.e. L2TP
- # is not required to arrive inside IPsec by this rule; port="" is an empty parameter left by the export.
- add action=accept chain=input comment="Allow IKEv2 and L2TP" dst-port=1701,500,4500 port="" protocol=udp
- # PPTP (tcp/1723 plus GRE) relies on MS-CHAPv2/MPPE, which are widely documented as weak. tcp 500/4500
- # is unusual -- IKE/NAT-T use UDP (accepted above) -- presumably a leftover; confirm and trim.
- add action=accept chain=input comment="Allow PPTP" dst-port=1723,500,4500 protocol=tcp
- # ESP, IPIP (ipencap) and GRE are accepted from any source. ipencap is presumably for the IPIP tunnel
- # whose MSS is clamped in mangle below -- confirm whether a src-address restriction is feasible.
- add action=accept chain=input comment="Allow IPSec" protocol=ipsec-esp
- add action=accept chain=input comment="Allow IPSec" protocol=ipencap
- add action=accept chain=input comment="Allow GRE PPTP" protocol=gre
- # Router web UI over plain HTTP from a single external address (redacted in the paste). HTTPS
- # (www-ssl) would protect the login in transit -- TODO confirm why port 80 rather than 443.
- add action=accept chain=input comment="Allow Input web from home" dst-port=80 protocol=tcp src-address=217.107.---.---
- # Default deny for the input chain: anything not matched above must arrive on a LAN-list interface.
- add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
- # --- forward chain: traffic routed through the router ---
- add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
- add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
- # udp/53 from WAN: the first rule records the source in "dns spoofing" for 1h (add-src-to-address-list
- # passes the packet on), the second drops it. NOTE(review): both are input-chain rules placed after
- # the "drop all not coming from LAN" rule, so for a WAN interface they are unreachable as ordered
- # (unless an interface is a member of both the LAN and WAN lists) -- move them above that drop if the
- # 1h list is wanted for visibility. The comment= values contain typos ("soofing", "dpoofing");
- # left as-is because comment= is stored data.
- add action=add-src-to-address-list address-list="dns spoofing" address-list-timeout=1h chain=input comment="DNS soofing add list" dst-port=53 in-interface-list=WAN protocol=udp
- add action=drop chain=input comment="DNS dpoofing drop" dst-port=53 in-interface-list=WAN protocol=udp src-address-list="dns spoofing"
- # Torrent classification for the 10/50/60 segments (hosts in allow-bit are exempt). The 100/137/150
- # segments have no equivalent rule -- confirm whether that is intended. A matching source is held in
- # Torrent-Conn for 2m (presumably refreshed while matches continue -- verify).
- # NOTE(review): fasttracked connections (rule below) bypass later filter/mangle processing including
- # these layer7 matches, so classification likely only sees the first packets of each connection.
- add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward comment="Create torrents peer list from 10 LAN" layer7-protocol=layer7-bittorrent-exp src-address=192.168.10.0/24 src-address-list=!allow-bit
- add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward comment="Create torrents peer list from 50 LAN" layer7-protocol=layer7-bittorrent-exp src-address=192.168.50.0/24 src-address-list=!allow-bit
- add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward comment="Create torrents peer list from 60 LAN" layer7-protocol=layer7-bittorrent-exp src-address=192.168.60.0/24 src-address-list=!allow-bit
- # Hosts in Torrent-Conn may still reach WAN on ports 0-1024 and the listed exceptions (e.g. 8291
- # Winbox, 5900/5800 VNC, 3389 RDP, 5222 XMPP; 14147, 59905, 11000, 2999 not identified here);
- # every other destination port is dropped for both tcp and udp while the 2m entry lasts.
- add action=drop chain=forward comment="Drop from torrent list tcp" dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905,11000,2999 out-interface-list=WAN protocol=tcp src-address-list=Torrent-Conn
- add action=drop chain=forward comment="Drop from torrent list udp" dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905,11000,2999 out-interface-list=WAN protocol=udp src-address-list=Torrent-Conn
- # Internet access for the "10 Servers" range is deny-by-default: white-listed hosts are accepted
- # first, the rest of the range is dropped on the way to WAN.
- add action=accept chain=forward comment="Allow inet for White list servers" in-interface-list=LAN out-interface-list=WAN src-address-list="10 Servers White List"
- add action=drop chain=forward comment="Drop inet for BRAM_Servers" in-interface-list=LAN out-interface-list=WAN src-address-list="10 Servers"
- # Established/related traffic is fasttracked (bypasses the remaining filter/mangle/queue processing)
- # and then accepted; only new connections reach the rules below.
- add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
- add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
- # connection-nat-state=! is an empty negated matcher as exported; presumably a no-op -- confirm.
- add action=drop chain=forward comment="defconf: drop invalid forward" connection-nat-state=! connection-state=invalid
- # Default deny for WAN-originated forwarding: only connections that hit a dst-nat rule get through.
- # NOTE(review): log-prefix=DR is set but the rule has no log=yes, so nothing is logged and the prefix
- # has no effect; add log=yes if these drops are meant to be visible.
- add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log-prefix=DR
- # Disabled interface-based leftovers referencing NERSI (the WAN-facing interface used by the NAT
- # rules below); superseded by the interface-list rules above.
- add action=accept chain=forward comment="Inet from LAN" disabled=yes in-interface=!NERSI out-interface=NERSI
- add action=accept chain=forward comment="LAN from Ethernet" disabled=yes in-interface=!NERSI out-interface=!NERSI
- /ip firewall mangle
- # MSS clamping for the IPIP tunnel (alx_home) and for the VPN client pool 192.168.20.0/24, which
- # does not appear in any address list above. The 192.168.10.0/24 variant is disabled.
- add action=change-mss chain=forward comment="Change MSS for IPIP tunnel" new-mss=1300 out-interface=alx_home passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1301-65535
- add action=change-mss chain=forward comment="Change MSS for VPN Clients" new-mss=1300 passthrough=no protocol=tcp src-address=192.168.20.0/24 tcp-flags=syn tcp-mss=1301-65535
- add action=change-mss chain=forward comment="Change MSS for VPN Clients" disabled=yes new-mss=1300 passthrough=no protocol=tcp src-address=192.168.10.0/24 tcp-flags=syn tcp-mss=1301-65535
- # Packet marks "inet" (ingress on NERSI) and "torrent" (layer7 match on all prerouting traffic);
- # presumably consumed by queues that are not part of this export.
- add action=mark-packet chain=prerouting in-interface=NERSI new-packet-mark=inet passthrough=no
- add action=mark-packet chain=prerouting layer7-protocol=layer7-bittorrent-exp new-packet-mark=torrent passthrough=yes
- /ip firewall nat
- # Source NAT for WAN-bound traffic; ipsec-policy=out,none keeps IPsec-policy traffic un-NATed (defconf).
- add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
- # Publishes 192.168.50.2 on tcp/443 and tcp/80 via the public address (redacted) on NERSI; no source
- # restriction, which is expected for a public chat service. These are the only dst-nat rules that make
- # WAN-originated connections pass the "drop all from WAN not DSTNATed" filter rule.
- add action=dst-nat chain=dstnat comment="dst-nat RocketChat(chat.tvbelgorod.ru)" dst-address=178.213.---.--- dst-port=443 in-interface=NERSI protocol=tcp to-addresses=192.168.50.2 to-ports=443
- add action=dst-nat chain=dstnat comment="dst-nat RocketChat(chat.tvbelgorod.ru)" dst-address=178.213.---.--- dst-port=80 in-interface=NERSI protocol=tcp to-addresses=192.168.50.2 to-ports=80
- # action=accept in the dstnat chain stops further NAT processing for matching traffic (PPTP control
- # and GRE stay un-NATed so they terminate on the router). NOTE(review): the disabled "pptp" rule has no
- # matchers; if enabled it would accept everything and shadow every dst-nat rule after it.
- add action=accept chain=dstnat comment=pptp dst-port=1723 protocol=tcp
- add action=accept chain=dstnat comment=pptp protocol=gre
- add action=accept chain=dstnat comment=pptp disabled=yes
- add action=accept chain=dstnat comment=LM disabled=yes dst-port=5650-5651 protocol=tcp
- add action=accept chain=dstnat comment=ntp disabled=yes dst-port=123 protocol=udp
- add action=dst-nat chain=dstnat disabled=yes dst-address=178.213.---.--- dst-port=5650 in-interface=NERSI protocol=tcp to-addresses=192.168.50.1 to-ports=5650
- /ip firewall service-port
- # All connection-tracking helpers are disabled, which removes the helpers' parsing of untrusted
- # payloads. With the pptp helper off, PPTP's GRE leg presumably relies on the explicit gre accepts
- # in the filter and dstnat chains above -- confirm if PPTP is still in use.
- set ftp disabled=yes
- set tftp disabled=yes
- set irc disabled=yes
- set h323 disabled=yes
- set sip disabled=yes
- set pptp disabled=yes ports=1723
- set dccp disabled=yes
- set sctp disabled=yes