# mar/31/2018 12:58:21 by RouterOS 6.42rc52
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# Both radios keep the factory SSID and have no TX/RX chains selected. Nothing in
# this export enables them (export omits default values, and a wlan defaults to
# disabled), so they are presumably off - TODO confirm with /interface wireless print.
# NOTE(review): if a radio is ever enabled, the default security profile further
# down has no mode/keys configured, i.e. it would come up as an open network.
/interface wireless
set [ find default-name=wlan1 ] rx-chains=0 ssid=MikroTik tx-chains=0
set [ find default-name=wlan2 ] rx-chains=0 ssid=MikroTik tx-chains=0
# Single LAN bridge; ether2-ether5 are attached to it in /interface bridge port.
/interface bridge
add name=bridge
# ether1 is the ISP uplink and only advertises 10/100 modes; flow control is
# enabled on every port.
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full rx-flow-control=on tx-flow-control=\
    on
set [ find default-name=ether2 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether3 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether4 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether5 ] rx-flow-control=on tx-flow-control=on
# WAN is a PPPoE session on ether1 with MTU/MRU 1492, so path-MTU discovery must
# keep working (see the ICMP 3:4 rule in /ip firewall raw). user/password are
# placeholders in this paste; never publish a plain export - use
# "/export hide-sensitive" so secrets are stripped.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mru=1492 max-mtu=\
    1492 name=pppoe-out1 password=password user=user
# Interface lists. The firewall below matches interfaces by name (pppoe-out1 /
# bridge); these lists are only consumed by /tool mac-server.
/interface list
add name=WAN
add name=LAN
# Default wireless security profile: only the supplicant identity is changed, so
# mode stays at its default (no authentication). Acceptable while both radios are
# disabled; set mode=dynamic-keys with WPA2 before enabling either wlan.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# LAN addressing: DHCP leases .10-.254 on the bridge, .1 is the router itself.
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
# ether2-ether5 become bridge ports (slaves); ether1 stays a plain routed uplink.
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
# No MNDP/CDP/LLDP announcements on any interface - nothing is advertised to
# the WAN (or the LAN).
/ip neighbor discovery-settings
set discover-interface-list=none
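# Kernel IP hardening. The original export had accept-source-route=yes; an edge
# router has no reason to honour source-routed packets (they let the sender steer
# traffic around the routing policy and are a classic spoofing aid), so it is now
# off. rp-filter=strict discards packets whose source is not reachable back
# through the interface they arrived on; tcp-syncookies protects the router's own
# listeners (DNS, Winbox, www) against SYN floods.
/ip settings
set accept-source-route=no rp-filter=strict tcp-syncookies=yes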
# Membership of the interface lists. The firewall matches by interface name
# (in-interface=bridge / pppoe-out1), not by list, so LAN/WAN are only used by
# /tool mac-server; keep them in sync if interfaces are ever added.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
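# LAN gateway address. The original export bound it to ether2, but ether2 is a
# bridge port (see /interface bridge port) and an address on a bridge slave is
# invalid in RouterOS. The DHCP server (interface=bridge), the gateway in
# /ip dhcp-server network, the DNS redirect in /ip firewall nat and the
# /ip service address restrictions all assume 192.168.1.1 lives on the bridge.
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0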
# Cloud DDNS stays at its default (off); only the cloud time sync is switched off
# (NTP is configured under /system ntp client instead).
/ip cloud
set update-time=no
# DHCP client on the physical uplink next to the PPPoE session. NOTE(review): it
# keeps the defaults add-default-route=yes and use-peer-dns=yes, so if the ISP
# ever answers DHCP on ether1 it would install a second default route and inject
# its resolvers into /ip dns - confirm this is intended, otherwise set
# add-default-route=no use-peer-dns=no (or disable the client).
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
# The router is the LAN resolver, forwarding to Yandex.DNS. allow-remote-requests
# also makes it answer on the WAN side; that is closed only by the input chain
# (new WAN connections to port 53 feed the antibrut counters and are then
# dropped), so re-check this if the filter is ever loosened. cache-size=131072KiB
# is 128 MiB, which is the whole RAM of this board - presumably only a nominal
# cap, but a smaller value is safer; TODO confirm.
/ip dns
set allow-remote-requests=yes cache-size=131072KiB servers=\
    77.88.8.8,77.88.8.1
/ip firewall address-list
# "blocked": LAN hosts denied both router access and internet (last octets are
# redacted in this paste, so these entries will not load as-is).
add address=192.168.1.aaa list=blocked
add address=192.168.1.bbb list=blocked
add address=192.168.1.1aa list=blocked
add address=192.168.1.2aa list=blocked
add address=192.168.1.2bb list=blocked
# "blacklist" does double duty: the static entries below are the IANA
# special-use / bogon ranges (RFC 6890) that must never show up as a source on
# the WAN or as a destination from the LAN, and the filter chains add dynamic,
# timed entries for port scanners and brute-forcers. /ip firewall raw drops
# everything from this list that arrives on pppoe-out1; the forward chain rejects
# LAN traffic towards it.
add address=0.0.0.0/8 comment=not_it_the_internet list=blacklist
add address=172.16.0.0/12 comment=not_it_the_internet list=blacklist
add address=192.168.0.0/16 comment=not_it_the_internet list=blacklist
add address=10.0.0.0/8 comment=not_it_the_internet list=blacklist
add address=169.254.0.0/16 comment=not_it_the_internet list=blacklist
add address=127.0.0.0/8 comment=not_it_the_internet list=blacklist
add address=224.0.0.0/4 comment=not_it_the_internet list=blacklist
add address=198.18.0.0/15 comment=not_it_the_internet list=blacklist
add address=192.0.0.0/24 comment=not_it_the_internet list=blacklist
add address=192.0.2.0/24 comment=not_it_the_internet list=blacklist
add address=198.51.100.0/24 comment=not_it_the_internet list=blacklist
add address=203.0.113.0/24 comment=not_it_the_internet list=blacklist
add address=100.64.0.0/10 comment=not_it_the_internet list=blacklist
add address=240.0.0.0/4 comment=not_it_the_internet list=blacklist
add address=192.88.99.0/24 comment=not_it_the_internet list=blacklist
# "MSBLOCK": Microsoft telemetry / advertising hostnames. RouterOS resolves each
# name through /ip dns and keeps the resolved addresses as dynamic entries, so
# matching is by IP: shared CDN names (akadns, msecnd, 2mdn, doubleclick) and the
# bare bing.com / www.bing.com entries can take unrelated services down for the
# hosts in the "windows" list. Only traffic from "windows" towards these
# addresses is inspected (MSTelemetry_check jump in /ip firewall filter), and only
# destinations that are not also in "SKYPE" are dropped.
# sO.2mdn.net (capital O, twice below) looks like a typo of s0.2mdn.net, which is
# listed as well; the typo entry simply never resolves.
add address=a-0002.a-msedge.net list=MSBLOCK
add address=a-0003.a-msedge.net list=MSBLOCK
add address=a-0004.a-msedge.net list=MSBLOCK
add address=a-0005.a-msedge.net list=MSBLOCK
add address=a-0006.a-msedge.net list=MSBLOCK
add address=a-0007.a-msedge.net list=MSBLOCK
add address=a-0008.a-msedge.net list=MSBLOCK
add address=a-0009.a-msedge.net list=MSBLOCK
add address=a-msedge.net list=MSBLOCK
add address=a.ads1.msn.com list=MSBLOCK
add address=a.ads2.msads.net list=MSBLOCK
add address=a.ads2.msn.com list=MSBLOCK
add address=a.rad.msn.com list=MSBLOCK
add address=ac3.msn.com list=MSBLOCK
add address=ad.doubleclick.net list=MSBLOCK
add address=adnexus.net list=MSBLOCK
add address=adnxs.com list=MSBLOCK
add address=ads.msn.com list=MSBLOCK
add address=ads1.msads.net list=MSBLOCK
add address=ads1.msn.com list=MSBLOCK
add address=aidps.atdmt.com list=MSBLOCK
add address=aka-cdn-ns.adtech.de list=MSBLOCK
add address=az361816.vo.msecnd.net list=MSBLOCK
add address=az512334.vo.msecnd.net list=MSBLOCK
add address=b.ads1.msn.com list=MSBLOCK
add address=b.ads2.msads.net list=MSBLOCK
add address=b.rad.msn.com list=MSBLOCK
add address=bing.com list=MSBLOCK
add address=bs.serving-sys.com list=MSBLOCK
add address=c.atdmt.com list=MSBLOCK
add address=c.msn.com list=MSBLOCK
add address=cdn.atdmt.com list=MSBLOCK
add address=cds26.ams9.msecn.net list=MSBLOCK
add address=choice.microsoft.com list=MSBLOCK
add address=choice.microsoft.com.nsatc.net list=MSBLOCK
add address=compatexchange.cloudapp.net list=MSBLOCK
add address=corp.sts.microsoft.com list=MSBLOCK
add address=corpext.msitadfs.glbdns2.microsoft.com list=MSBLOCK
add address=cs1.wpc.v0cdn.net list=MSBLOCK
add address=db3aqu.atdmt.com list=MSBLOCK
add address=df.telemetry.microsoft.com list=MSBLOCK
add address=ec.atdmt.com list=MSBLOCK
add address=feedback.microsoft-hohm.com list=MSBLOCK
add address=feedback.search.microsoft.com list=MSBLOCK
add address=feedback.windows.com list=MSBLOCK
add address=flex.msn.com list=MSBLOCK
add address=g.msn.com list=MSBLOCK
add address=h1.msn.com list=MSBLOCK
add address=i1.services.social.microsoft.com list=MSBLOCK
add address=i1.services.social.microsoft.com.nsatc.net list=MSBLOCK
add address=lb1.www.ms.akadns.net list=MSBLOCK
add address=live.rads.msn.com list=MSBLOCK
add address=m.adnxs.com list=MSBLOCK
add address=msedge.net list=MSBLOCK
add address=msnbot-65-55-108-23.search.msn.com list=MSBLOCK
add address=msntest.serving-sys.com list=MSBLOCK
add address=oca.telemetry.microsoft.com list=MSBLOCK
add address=oca.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=pre.footprintpredict.com list=MSBLOCK
add address=preview.msn.com list=MSBLOCK
add address=pricelist.skype.com list=MSBLOCK
add address=public-family.api.account.microsoft.com list=MSBLOCK
add address=rad.live.com list=MSBLOCK
add address=rad.msn.com list=MSBLOCK
add address=redir.metaservices.microsoft.com list=MSBLOCK
add address=reports.wes.df.telemetry.microsoft.com list=MSBLOCK
add address=s0.2mdn.net list=MSBLOCK
add address=sO.2mdn.net list=MSBLOCK
add address=schemas.microsoft.akadns.net list=MSBLOCK
add address=secure.adnxs.com list=MSBLOCK
add address=secure.flashtalking.com list=MSBLOCK
add address=services.wes.df.telemetry.microsoft.com list=MSBLOCK
add address=settings-sandbox.data.microsoft.com list=MSBLOCK
add address=settings-win.data.microsoft.com list=MSBLOCK
add address=sqm.df.telemetry.microsoft.com list=MSBLOCK
add address=sqm.telemetry.microsoft.com list=MSBLOCK
add address=sqm.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=static.2mdn.net list=MSBLOCK
add address=statsfe1.ws.microsoft.com list=MSBLOCK
add address=statsfe2.ws.microsoft.com list=MSBLOCK
add address=survey.watson.microsoft.com list=MSBLOCK
add address=telecommand.telemetry.microsoft.com list=MSBLOCK
add address=telecommand.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=telemetry.appex.bing.net list=MSBLOCK
add address=telemetry.microsoft.com list=MSBLOCK
add address=telemetry.urs.microsoft.com list=MSBLOCK
add address=urs.microsoft.com list=MSBLOCK
add address=view.atdmt.com list=MSBLOCK
add address=vortex-bn2.metron.live.com.nsatc.net list=MSBLOCK
add address=vortex-cy2.metron.live.com.nsatc.net list=MSBLOCK
add address=vortex-sandbox.data.microsoft.com list=MSBLOCK
add address=vortex-win.data.microsoft.com list=MSBLOCK
add address=vortex.data.microsoft.com list=MSBLOCK
add address=watson.live.com list=MSBLOCK
add address=watson.microsoft.com list=MSBLOCK
add address=watson.ppe.telemetry.microsoft.com list=MSBLOCK
add address=watson.telemetry.microsoft.com list=MSBLOCK
add address=watson.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=wes.df.telemetry.microsoft.com list=MSBLOCK
# The www. variants below are the same list again with a "www." prefix; most of
# these names do not exist and add nothing beyond the entries above.
add address=www.a-0001.a-msedge.net list=MSBLOCK
add address=www.a-0002.a-msedge.net list=MSBLOCK
add address=www.a-0003.a-msedge.net list=MSBLOCK
add address=www.a-0004.a-msedge.net list=MSBLOCK
add address=www.a-0005.a-msedge.net list=MSBLOCK
add address=www.a-0006.a-msedge.net list=MSBLOCK
add address=www.a-0007.a-msedge.net list=MSBLOCK
add address=www.a-0008.a-msedge.net list=MSBLOCK
add address=www.a-0009.a-msedge.net list=MSBLOCK
add address=www.a-msedge.net list=MSBLOCK
add address=www.a.ads1.msn.com list=MSBLOCK
add address=www.a.ads2.msads.net list=MSBLOCK
add address=www.a.ads2.msn.com list=MSBLOCK
add address=www.a.rad.msn.com list=MSBLOCK
add address=www.ac3.msn.com list=MSBLOCK
add address=www.ad.doubleclick.net list=MSBLOCK
add address=www.adnexus.net list=MSBLOCK
add address=www.adnxs.com list=MSBLOCK
add address=www.ads.msn.com list=MSBLOCK
add address=www.ads1.msads.net list=MSBLOCK
add address=www.ads1.msn.com list=MSBLOCK
add address=www.aidps.atdmt.com list=MSBLOCK
add address=www.aka-cdn-ns.adtech.de list=MSBLOCK
add address=www.az361816.vo.msecnd.net list=MSBLOCK
add address=www.az512334.vo.msecnd.net list=MSBLOCK
add address=www.b.ads1.msn.com list=MSBLOCK
add address=www.b.ads2.msads.net list=MSBLOCK
add address=www.b.rad.msn.com list=MSBLOCK
add address=www.bing.com list=MSBLOCK
add address=www.bs.serving-sys.com list=MSBLOCK
add address=www.c.atdmt.com list=MSBLOCK
add address=www.c.msn.com list=MSBLOCK
add address=www.cdn.atdmt.com list=MSBLOCK
add address=www.cds26.ams9.msecn.net list=MSBLOCK
add address=www.choice.microsoft.com list=MSBLOCK
add address=www.choice.microsoft.com.nsatc.net list=MSBLOCK
add address=www.compatexchange.cloudapp.net list=MSBLOCK
add address=www.corp.sts.microsoft.com list=MSBLOCK
add address=www.corpext.msitadfs.glbdns2.microsoft.com list=MSBLOCK
add address=www.cs1.wpc.v0cdn.net list=MSBLOCK
add address=www.db3aqu.atdmt.com list=MSBLOCK
add address=www.df.telemetry.microsoft.com list=MSBLOCK
add address=www.ec.atdmt.com list=MSBLOCK
add address=www.feedback.microsoft-hohm.com list=MSBLOCK
add address=www.feedback.search.microsoft.com list=MSBLOCK
add address=www.feedback.windows.com list=MSBLOCK
add address=www.flex.msn.com list=MSBLOCK
add address=www.g.msn.com list=MSBLOCK
add address=www.h1.msn.com list=MSBLOCK
add address=www.i1.services.social.microsoft.com list=MSBLOCK
add address=www.i1.services.social.microsoft.com.nsatc.net list=MSBLOCK
add address=www.lb1.www.ms.akadns.net list=MSBLOCK
add address=www.live.rads.msn.com list=MSBLOCK
add address=www.m.adnxs.com list=MSBLOCK
add address=www.m.hotmail.com list=MSBLOCK
add address=www.msedge.net list=MSBLOCK
add address=www.msnbot-65-55-108-23.search.msn.com list=MSBLOCK
add address=www.msntest.serving-sys.com list=MSBLOCK
add address=www.oca.telemetry.microsoft.com list=MSBLOCK
add address=www.oca.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=www.pre.footprintpredict.com list=MSBLOCK
add address=www.preview.msn.com list=MSBLOCK
add address=www.pricelist.skype.com list=MSBLOCK
add address=www.public-family.api.account.microsoft.com list=MSBLOCK
add address=www.rad.live.com list=MSBLOCK
add address=www.rad.msn.com list=MSBLOCK
add address=www.redir.metaservices.microsoft.com list=MSBLOCK
add address=www.reports.wes.df.telemetry.microsoft.com list=MSBLOCK
add address=www.s.gateway.messenger.live.com list=MSBLOCK
add address=www.sO.2mdn.net list=MSBLOCK
add address=www.schemas.microsoft.akadns.net list=MSBLOCK
add address=www.secure.adnxs.com list=MSBLOCK
add address=www.secure.flashtalking.com list=MSBLOCK
add address=www.services.wes.df.telemetry.microsoft.com list=MSBLOCK
add address=www.settings-sandbox.data.microsoft.com list=MSBLOCK
add address=www.settings-win.data.microsoft.com list=MSBLOCK
add address=www.sqm.df.telemetry.microsoft.com list=MSBLOCK
add address=www.sqm.telemetry.microsoft.com list=MSBLOCK
add address=www.sqm.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=www.static.2mdn.net list=MSBLOCK
add address=www.statsfe1.ws.microsoft.com list=MSBLOCK
add address=www.statsfe2.ws.microsoft.com list=MSBLOCK
add address=www.survey.watson.microsoft.com list=MSBLOCK
add address=www.telecommand.telemetry.microsoft.com list=MSBLOCK
add address=www.telecommand.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=www.telemetry.appex.bing.net list=MSBLOCK
add address=www.telemetry.microsoft.com list=MSBLOCK
add address=www.telemetry.urs.microsoft.com list=MSBLOCK
add address=www.urs.microsoft.com list=MSBLOCK
add address=www.view.atdmt.com list=MSBLOCK
add address=www.vortex-bn2.metron.live.com.nsatc.net list=MSBLOCK
add address=www.vortex-cy2.metron.live.com.nsatc.net list=MSBLOCK
add address=www.vortex-sandbox.data.microsoft.com list=MSBLOCK
add address=www.vortex-win.data.microsoft.com list=MSBLOCK
add address=www.vortex.data.microsoft.com list=MSBLOCK
add address=www.watson.live.com list=MSBLOCK
add address=www.watson.microsoft.com list=MSBLOCK
add address=www.watson.ppe.telemetry.microsoft.com list=MSBLOCK
add address=www.watson.telemetry.microsoft.com list=MSBLOCK
add address=www.watson.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=www.wes.df.telemetry.microsoft.com list=MSBLOCK
# "SKYPE": destinations the telemetry block must not break. A destination that
# resolves into both MSBLOCK and SKYPE is allowed through MSTelemetry_check.
# msftncsi.com / www.msftncsi.com are the Windows connectivity probe - blocking
# them makes Windows report "no internet", so they are deliberately allowed.
# m.hotmail.com and s.gateway.messenger.live.com are allowed here while their
# www. variants sit in MSBLOCK.
add address=api.cc.skype.com list=SKYPE
add address=api.mcr.skype.com list=SKYPE
add address=api.skype.com list=SKYPE
add address=apps.skype.com list=SKYPE
add address=avatar.skype.com list=SKYPE
add address=b.config.skype.com list=SKYPE
add address=contacts.skype.com list=SKYPE
add address=dev.microsofttranslator.com list=SKYPE
add address=diagnostics.support.microsoft.akadns.net list=SKYPE
add address=diagnostics.support.microsoft.com list=SKYPE
add address=edge.skype.com list=SKYPE
add address=m.hotmail.com list=SKYPE
add address=mobile.pipe.aria.microsoft.com list=SKYPE
add address=msftncsi.com list=SKYPE
add address=msg.skype.com list=SKYPE
add address=profile.skype.com list=SKYPE
add address=s.gateway.messenger.live.com list=SKYPE
add address=skype.net list=SKYPE
add address=ui.skype.com list=SKYPE
add address=www.msftncsi.com list=SKYPE
# "windows": the LAN machines whose traffic gets the MSBLOCK treatment (last
# octets redacted in this paste).
add address=192.168.1.1xx list=windows
add address=192.168.1.2xx list=windows
add address=192.168.1.2yy list=windows
/ip firewall filter
# --- FastTrack: packets of established/related connections are handed to the
# fast path and skip the rest of this table. TCP port 80 is excluded in both
# directions (those connections keep taking the full path; the export does not
# say why). Only the forward chain is fasttracked.
add action=fasttrack-connection chain=forward comment=\
    "FastTrack established,related TCP from WAN ex. from 80 port" \
    connection-state=established,related in-interface=pppoe-out1 protocol=tcp \
    src-port=!80
add action=fasttrack-connection chain=forward comment=\
    "FastTrack established,related TCP from LAN ex. to 80 port" \
    connection-state=established,related dst-port=!80 in-interface=bridge \
    protocol=tcp
add action=fasttrack-connection chain=forward comment=\
    "FastTrack established,related except TCP" connection-state=\
    established,related protocol=!tcp
# --- Stateful baseline for both chains: accept what belongs to a known
# connection, drop what conntrack cannot classify. "untracked" is accepted in
# forward although no notrack rule exists in /ip firewall raw.
add action=accept chain=forward comment=\
    "Accept established, related, untracked from (WAN LAN)" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "Accept established,related Input (WAN LAN)" connection-state=\
    established,related
add action=drop chain=input comment="Drop ALL invalid Input" \
    connection-state=invalid
add action=drop chain=forward comment="Drop ALL invalid Forward" \
    connection-state=invalid
# The disabled passthrough rules in the otherwise unused chain "comment" are
# visual section dividers only; they never match anything.
add action=passthrough chain=comment comment=\
    "ALL below this is only NEW state" disabled=yes
# --- INPUT from the LAN bridge: "blocked" hosts may not talk to the router at
# all; every other LAN host may reach any router service (the address=
# restrictions in /ip service are the second layer).
add action=drop chain=input comment=\
    "Drop (new) input from LAN - blocked list" in-interface=bridge \
    src-address-list=blocked
add action=accept chain=input comment="Accept (new) INPUT from LAN" \
    in-interface=bridge
add action=passthrough chain=comment comment=\
    "ALL INPUT below this is only NEW WAN" disabled=yes
# --- FORWARD from the LAN bridge: "blocked" hosts get no internet; traffic to
# bogon/blacklisted destinations is rejected with host-unreachable (the comment
# says "Drop" but the action is reject, so clients fail fast instead of timing
# out); "windows" hosts going to an MSBLOCK address are checked in
# MSTelemetry_check; everything else from the LAN is allowed out.
add action=drop chain=forward comment=\
    "Drop (new) forward from LAN - blocked list" in-interface=bridge \
    src-address-list=blocked
add action=reject chain=forward comment=\
    "Drop (new) forward from LAN - to blacklist" dst-address-list=blacklist \
    in-interface=bridge reject-with=icmp-host-unreachable
add action=jump chain=forward comment=\
    "Jump (new) forward from LAN to MSBLOCK list to check telemetry" \
    dst-address-list=MSBLOCK in-interface=bridge jump-target=\
    MSTelemetry_check src-address-list=windows
add action=accept chain=forward comment="Accept (new) forward from LAN" \
    in-interface=bridge
add action=passthrough chain=comment comment=\
    "ALL FORWARD below this is only NEW WAN" disabled=yes
# --- FORWARD from the WAN: only connections that were DNATed by a port forward
# may come in, and TCP ones are rate-checked in doslimit first. Anything new
# that was not DNATed is logged and dropped (the author expects this counter to
# stay at zero).
add action=drop chain=forward comment=\
    "Drop (new) forward (from WAN) not DSTNATed ===== should be zero =====" \
    connection-nat-state=!dstnat log=yes log-prefix="NEW FORWARD NOT DNATed"
add action=jump chain=forward comment=\
    "Jump (new WAN) forward connections to DOSLIMIT check" jump-target=\
    doslimit protocol=tcp
add action=accept chain=forward comment=\
    "Accept (new) forward DSTNATed (from WAN)"
# --- INPUT from the WAN: no service is offered except ICMP (types are already
# filtered in /ip firewall raw). New connections to the watched TCP/UDP ports
# step the source through the antibrut escalation, port scans go straight to
# "blacklist", and then everything is dropped.
# NOTE(review): the antibrut jumps and the psd rule trust the packet's source
# address before any handshake, so forged-source SYNs or UDP datagrams can push
# a third party (the ISP resolver, an NTP server, a site the LAN needs) into
# "blacklist" for 1w3d; raw then drops even its replies and the forward chain
# rejects LAN traffic towards it. Consider exempting critical upstream addresses
# or dropping the UDP trigger.
add action=jump chain=input comment=\
    "Jump (new WAN) to antibrut 3 stage check - TCP" dst-port=\
    21-25,53,110,123,135-139,143,443,445,992,3389,5323,8291,8728 jump-target=\
    antibrut protocol=tcp
add action=jump chain=input comment=\
    "Jump (new WAN) to antibrut 3 stage check - UDP" dst-port=\
    53,69,111,135,137-139,2049,3133,5060 jump-target=antibrut protocol=udp
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1w2d chain=input comment="Port scanner to list" \
    protocol=tcp psd=21,3s,3,1
add action=accept chain=input comment=\
    "Accept (new) ICMP input (from WAN) - filtering ICMP is in RAW table" \
    protocol=icmp
# log-prefix is set but log=yes is not, so this catch-all drop is silent (the
# forward catch-all below does log).
add action=drop chain=input comment="Drop all input (only new WAN)" \
    log-prefix="DROP INPUT"
add action=drop chain=forward comment=\
    "Drop ALL Forward ===== should be zero =====" log=yes log-prefix=\
    "DROP ALL FORWARD"
# --- doslimit (new WAN TCP forward connections): SYN-only packets pass at 30/s
# with a burst of 40, RST-only packets at 1/s; above that they are dropped.
# Other flag combinations match nothing and fall off the end of the chain,
# which is equivalent to return.
add action=return chain=doslimit comment="check 30 SYN packets sec" limit=\
    30,40:packet protocol=tcp tcp-flags=syn,!fin,!rst,!ack
add action=drop chain=doslimit comment="drop over 30 SYN packets sec" \
    protocol=tcp tcp-flags=syn,!fin,!rst,!ack
add action=return chain=doslimit comment="check 1 RST packets sec" limit=\
    1,0:packet protocol=tcp tcp-flags=rst,!fin,!syn,!ack
add action=drop chain=doslimit comment="drop over 1 RST packets sec" \
    protocol=tcp tcp-flags=rst,!fin,!syn,!ack
# --- antibrut: add-src-to-address-list does not terminate rule evaluation, and
# the stages are listed in reverse order, so one attempt moves the source up
# exactly one stage: fuckup1 (2m) -> fuckup2 (3m) -> fuckup3 (5m) -> blacklist
# (1w3d). The fourth attempt within the timers bans the source; from then on
# /ip firewall raw drops all of its traffic.
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1w3d chain=antibrut comment=\
    "antibrut3 stage check - stage final" src-address-list=fuckup3
add action=add-src-to-address-list address-list=fuckup3 address-list-timeout=\
    5m chain=antibrut comment="antibrut3 stage check - stage 3" \
    src-address-list=fuckup2
add action=add-src-to-address-list address-list=fuckup2 address-list-timeout=\
    3m chain=antibrut comment="antibrut3 stage check - stage 2" \
    src-address-list=fuckup1
add action=add-src-to-address-list address-list=fuckup1 address-list-timeout=\
    2m chain=antibrut comment="antibrut3 stage check - stage 1"
# --- MSTelemetry_check: reached only for "windows" -> MSBLOCK traffic; drop
# unless the destination is also whitelisted in SKYPE (then the chain returns
# and the LAN accept rule above lets it out).
add action=drop chain=MSTelemetry_check comment="Drop that not in Skype list" \
    dst-address-list=!SKYPE
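/ip firewall nat
# Source NAT of the LAN to the fixed public address on the PPPoE link. Plain
# src-nat rather than masquerade, presumably to avoid masquerade's connection
# flush when the PPPoE session flaps (the public address is redacted in this
# paste).
add action=src-nat chain=srcnat comment=\
    "my version of masquerade for static IP" out-interface=pppoe-out1 \
    src-address=192.168.1.0/24 to-addresses=80.rrr.ttt.eee
# Inbound port forwards (ports and hosts redacted). Each one is a hole through
# the "not DSTNATed => drop" rule of the forward chain, so keep this list short.
# The FTP forwards expose a clear-text login to the internet; prefer SFTP/FTPS on
# the NAS, and keep the FTP helper port (/ip firewall service-port) equal to the
# control port used here so passive data connections are tracked.
add action=dst-nat chain=dstnat comment="DownloadStation TCP" dst-address=\
    80.rrr.ttt.eee dst-port=xxxxx in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.1.gg to-ports=xxxxx
add action=dst-nat chain=dstnat comment="DownloadStation DHT" dst-address=\
    80.rrr.ttt.eee dst-port=xxxxx in-interface=pppoe-out1 protocol=udp \
    to-addresses=192.168.1.gg to-ports=xxxxx
# Force all LAN DNS to the router, so clients cannot side-step the resolver and
# the hostname-based address-lists stay consistent with what clients see. The
# original export redirected UDP only; DNS also runs over TCP (truncated
# answers, and some stub resolvers use it by default), so the TCP variant is
# added. DNS-over-TLS (853) and DNS-over-HTTPS still bypass this - block 853 in
# the forward chain if that matters.
add action=dst-nat chain=dstnat comment="redirect DNS to router UDP" \
    dst-address=!192.168.1.1 dst-port=53 in-interface=bridge protocol=udp \
    to-addresses=192.168.1.1 to-ports=53
add action=dst-nat chain=dstnat comment="redirect DNS to router TCP" \
    dst-address=!192.168.1.1 dst-port=53 in-interface=bridge protocol=tcp \
    to-addresses=192.168.1.1 to-ports=53
add action=dst-nat chain=dstnat comment="FTP passive" dst-address=\
    80.rrr.ttt.eee dst-port=aaaaa-bbbbb in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.1.gg to-ports=aaaaa-bbbbb
add action=dst-nat chain=dstnat comment="FTP" dst-address=\
    80.rrr.ttt.eee dst-port=kkkkk in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.1.gg to-ports=kkkkk
# Skype on one "windows" host: TCP and UDP forwarded to the same internal port.
add action=dst-nat chain=dstnat comment=SkypePC dst-address=80.rrr.ttt.eee \
    dst-port=38bbb in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.1.1xx to-ports=bbbbb
add action=dst-nat chain=dstnat comment="SkypePC UDP" dst-address=\
    80.rrr.ttt.eee dst-port=38bbb in-interface=pppoe-out1 protocol=udp \
    to-addresses=192.168.1.1xx to-ports=bbbbb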
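/ip firewall raw
# Raw runs before connection tracking: packets dropped here never create a
# conntrack entry, so this is the cheapest place to shed blacklisted sources
# (static bogons plus the dynamic antibrut/psd bans). WAN side only.
add action=drop chain=prerouting comment="Drop from blacklist address list" \
    in-interface=pppoe-out1 src-address-list=blacklist
# "RT" rules: discard HTTP redirects and TCP resets injected by an upstream
# middlebox. Packets are pre-selected by total size (cheap), then by source
# port, flags, TTL and payload. A 40-byte packet is a bare 20-byte IP header plus
# a 20-byte TCP header, i.e. the shape of an injected RST. TTL matching is
# brittle - it only works while the injector's hop distance differs from the real
# servers' - TODO re-check the TTL values after any path/ISP change.
add action=jump chain=prerouting comment=\
    "RT Jump to check_http for packets 180-250 size " in-interface=pppoe-out1 \
    jump-target=tcp_check_http packet-size=180-250
add action=jump chain=prerouting comment=\
    "RT Jump to check_https for packets 40 size" in-interface=pppoe-out1 \
    jump-target=tcp_check_https packet-size=40
# All ICMP from the WAN goes through icmp_check; whatever returns from there
# continues to the normal filter chains.
add action=jump chain=prerouting comment="jump ICMP from WAN to check" \
    in-interface=pppoe-out1 jump-target=icmp_check protocol=icmp
add action=jump chain=tcp_check_http comment=\
    "RT Jump TCP from 80 port to tcp_check_warning" jump-target=\
    tcp_check_warning protocol=tcp src-port=80
add action=jump chain=tcp_check_https comment=\
    "RT Jump TCP from 443 port and RST to tcp_check_ttl" jump-target=\
    tcp_check_ttl protocol=tcp src-port=443 tcp-flags=rst
add action=drop chain=tcp_check_ttl comment="RT drop TTL 57 - nnm, rt" ttl=\
    equal:57
add action=drop chain=tcp_check_ttl comment="RT drop TTL 58 - nnm, rt" ttl=\
    equal:58
add action=drop chain=tcp_check_ttl comment="RT drop TTL 120" ttl=equal:120
# Payload match on the injected redirect target (redacted in this paste).
# log-prefix is set without log=yes, so the rule is silent.
add action=drop chain=tcp_check_warning comment="RT drop =========" \
    content="Location: ==========" log-prefix=\
    "RT HTTP DROP warning"
# icmp_check: "return" means allowed. Accepted are destination-unreachable
# 3:0/3:1/3:4 (3:4 "fragmentation needed" is essential for PMTUD on the
# 1492-byte PPPoE link), time-exceeded 11:0, echo reply and parameter-problem
# 12:0. Echo request (8:0) is disabled, so the router does not answer pings from
# the WAN; anything not listed is dropped by the last rule.
add action=return chain=icmp_check comment="ICMP 3:1" icmp-options=3:1 \
    protocol=icmp
add action=return chain=icmp_check comment="ICMP 3:0" icmp-options=3:0 \
    protocol=icmp
add action=return chain=icmp_check comment="ICMP 11:0" icmp-options=11:0 \
    protocol=icmp
add action=return chain=icmp_check comment="ICMP 0:0-255 - echo reply" \
    icmp-options=0:0-255 protocol=icmp
add action=return chain=icmp_check comment="ICMP 3:4" icmp-options=3:4 \
    protocol=icmp
# ICMP source quench (4:0) was deprecated by RFC 6633 - hosts must ignore it,
# and Linux-based stacks have done so for years - so accepting it (as the
# original export did) has no upside and only hands a remote party a message
# aimed at the router's TCP sessions. The rule is kept for reference but
# disabled; 4:0 now falls through to the final drop.
add action=return chain=icmp_check comment=\
    "ICMP 4:0 - source quench (ask to send packets slowly)" disabled=yes \
    icmp-options=4:0 protocol=icmp
add action=return chain=icmp_check comment="ICMP 8:0 - echo request (PING)" \
    disabled=yes icmp-options=8:0 protocol=icmp
add action=return chain=icmp_check comment="ICMP 12:0" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp_check comment="DROP ALL other ICMP" protocol=icmp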
# Connection-tracking helpers (ALGs). The FTP helper is moved to 2121,
# presumably matching the redacted FTP control port forwarded in
# /ip firewall nat - confirm they agree, otherwise passive FTP breaks. The
# tftp/irc/pptp helpers are off; the other helpers (sip, h323, ...) keep their
# enabled defaults.
/ip firewall service-port
set ftp ports=2121
set tftp disabled=yes
set irc disabled=yes
set pptp disabled=yes
# Management plane. Telnet, FTP, SSH and both API variants are off; www,
# www-ssl and Winbox are limited to the LAN subnet. NOTE(review): nothing here
# enables www-ssl (no disabled=no and no certificate=), so it is most likely
# still at its disabled default and the web UI is plain HTTP on the LAN -
# either bind a certificate and enable www-ssl (then disable www), or rely on
# Winbox only. Winbox (8291) is additionally in the antibrut port list on the
# WAN side.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh disabled=yes
set www-ssl address=192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
# Clock/NTP: fixed Samara time zone, time from Russian stratum-2 servers given
# by name (so DNS has to work before the clock is right - relevant for anything
# that validates certificates).
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Samara
/system clock manual
set dst-delta=+04:00 time-zone=+04:00
/system ntp client
set enabled=yes server-dns-names=\
    ntp5.stratum2.ru,ntp2.stratum2.ru,ntp21.vniiftri.ru,ntp.ix.ru
# NOTE(review): the release-candidate channel pulls pre-release builds onto an
# internet-facing router (this export is from 6.42rc52); prefer the stable or
# long-term channel for an edge device. Whatever the channel, update promptly:
# RouterOS builds before 6.42.1 / 6.40.8 are affected by the Winbox
# credential-disclosure bug (CVE-2018-14847); Winbox is LAN-only here, which
# limits but does not remove the exposure.
/system package update
set channel=release-candidate
# Non-default CPU clock; silent-boot=no keeps the boot beeps/LEDs.
/system routerboard settings
set cpu-frequency=632MHz silent-boot=no
# Layer-2 management surface: bandwidth-test server off, MAC-telnet off on all
# interfaces, MAC-Winbox only from the LAN list, MAC-ping off.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no