Ubeavis

my mikrotik config - public version

May 2nd, 2018
  1. # mar/31/2018 12:58:21 by RouterOS 6.42rc52
  2. #
  3. # model = RouterBOARD D52G-5HacD2HnD-TC
/interface wireless
# Both radios keep the factory SSID and use the default security profile
# (see /interface wireless security-profiles below), which configures no
# passphrase. The export shows no disabled=no for wlan1/wlan2, so they appear
# to be left in their default (disabled) state -- confirm before enabling
# either radio, as they would come up as an open network.
set [ find default-name=wlan1 ] rx-chains=0 ssid=MikroTik tx-chains=0
set [ find default-name=wlan2 ] rx-chains=0 ssid=MikroTik tx-chains=0
/interface bridge
# Single LAN bridge; ether2-ether5 are attached as ports further down.
add name=bridge
/interface ethernet
# ether1 is the ISP-facing port (the PPPoE session runs on top of it);
# advertised link speeds are capped at 100M.
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full rx-flow-control=on tx-flow-control=\
on
set [ find default-name=ether2 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether3 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether4 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether5 ] rx-flow-control=on tx-flow-control=on
/interface pppoe-client
# WAN uplink. user/password are placeholders in this public copy; a plain
# "/export" prints PPPoE credentials in clear text, so publish configs with
# "/export hide-sensitive" instead.
add add-default-route=yes disabled=no interface=ether1 max-mru=1492 max-mtu=\
1492 name=pppoe-out1 password=password user=user
/interface list
# WAN/LAN lists are only consumed by /tool mac-server below; the firewall
# rules match concrete interfaces (pppoe-out1, bridge) rather than lists.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Only the supplicant identity is changed; no authentication type or key is
# set in the default profile.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# DHCP hands out .10-.254; .1-.9 are left free for the router and static hosts.
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
# The DHCP server listens on the bridge (the LAN), so it expects 192.168.1.1
# to be active on "bridge" -- see the note at /ip address.
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
# ether2..ether5 are LAN ports; ether1 (WAN) and the radios stay out of the
# bridge.
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
# MNDP/CDP/LLDP announcements disabled on every interface: the router does
# not advertise itself, including toward the ISP.
set discover-interface-list=none
  36. /ip settings
  37. set accept-source-route=yes rp-filter=strict tcp-syncookies=yes
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
# NOTE(review): the LAN address is bound to ether2, but ether2 is a bridge
# port (see /interface bridge port) while the DHCP server, the DNS redirect
# and the srcnat rule all assume 192.168.1.1 is reachable through "bridge".
# On RouterOS 6.41+ an address on a bridge slave port is not active --
# check "/ip address print" and move it to interface=bridge if it shows as
# invalid.
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip cloud
# Cloud time sync off; ddns-enabled is not set in this export (default off).
set update-time=no
/ip dhcp-client
# A DHCP client on raw ether1 next to the PPPoE session. Should the ISP ever
# answer it, it would install a second default route beside the PPPoE one
# (add-default-route defaults to yes) -- presumably unused; verify.
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
# The router is the LAN resolver (allow-remote-requests=yes). It is not an
# open resolver: the filter's input chain accepts new connections only from
# the bridge and drops everything else arriving from the WAN side. Upstream
# is 77.88.8.8 / 77.88.8.1 (Yandex.DNS), queried over plain UDP/53.
set allow-remote-requests=yes cache-size=131072KiB servers=\
77.88.8.8,77.88.8.1
/ip firewall address-list
# "blocked": individual LAN hosts that get neither router access nor Internet
# (new input and new forward from them are dropped in the filter). The
# addresses are redacted placeholders in this public copy.
add address=192.168.1.aaa list=blocked
add address=192.168.1.bbb list=blocked
add address=192.168.1.1aa list=blocked
add address=192.168.1.2aa list=blocked
add address=192.168.1.2bb list=blocked
# "blacklist": bogon / reserved ranges (RFC 1918, link-local, loopback,
# multicast, CGNAT, documentation, benchmarking, 6to4 relay, class E).
# Enforced in two places: /ip firewall raw drops anything arriving on
# pppoe-out1 with one of these as *source* (anti-spoofing), and the filter
# rejects new LAN connections whose *destination* is in the list. The same
# list also receives dynamic entries from the antibrut and psd rules; see
# the spoofing caveat noted at those rules. Because 192.168.0.0/16 is here,
# any routed traffic from the LAN toward another private network (a VPN, a
# second subnet) would be rejected -- adjust if one is ever added.
add address=0.0.0.0/8 comment=not_it_the_internet list=blacklist
add address=172.16.0.0/12 comment=not_it_the_internet list=blacklist
add address=192.168.0.0/16 comment=not_it_the_internet list=blacklist
add address=10.0.0.0/8 comment=not_it_the_internet list=blacklist
add address=169.254.0.0/16 comment=not_it_the_internet list=blacklist
add address=127.0.0.0/8 comment=not_it_the_internet list=blacklist
add address=224.0.0.0/4 comment=not_it_the_internet list=blacklist
add address=198.18.0.0/15 comment=not_it_the_internet list=blacklist
add address=192.0.0.0/24 comment=not_it_the_internet list=blacklist
add address=192.0.2.0/24 comment=not_it_the_internet list=blacklist
add address=198.51.100.0/24 comment=not_it_the_internet list=blacklist
add address=203.0.113.0/24 comment=not_it_the_internet list=blacklist
add address=100.64.0.0/10 comment=not_it_the_internet list=blacklist
add address=240.0.0.0/4 comment=not_it_the_internet list=blacklist
add address=192.88.99.0/24 comment=not_it_the_internet list=blacklist
# "MSBLOCK": Windows telemetry / advertising hostnames (a hosts-file style
# list). Only new connections from hosts in the "windows" list are checked
# against it (filter chain MSTelemetry_check); such a destination is dropped
# unless it is also in "SKYPE".
# Caveats a reader should know:
#  - Hostname entries match only the IPs the router itself resolves; a client
#    that resolves elsewhere (TCP/53, DNS-over-TLS/HTTPS -- the NAT redirect
#    covers UDP/53 only) or lands on a CDN address the router never saw is
#    not matched.
#  - bing.com / www.bing.com are listed, so Bing is unreachable from
#    "windows" hosts.
#  - sO.2mdn.net (letter O) next to s0.2mdn.net (digit zero) is presumably a
#    transcription artefact of the upstream list; harmless, never resolves.
add address=a-0002.a-msedge.net list=MSBLOCK
add address=a-0003.a-msedge.net list=MSBLOCK
add address=a-0004.a-msedge.net list=MSBLOCK
add address=a-0005.a-msedge.net list=MSBLOCK
add address=a-0006.a-msedge.net list=MSBLOCK
add address=a-0007.a-msedge.net list=MSBLOCK
add address=a-0008.a-msedge.net list=MSBLOCK
add address=a-0009.a-msedge.net list=MSBLOCK
add address=a-msedge.net list=MSBLOCK
add address=a.ads1.msn.com list=MSBLOCK
add address=a.ads2.msads.net list=MSBLOCK
add address=a.ads2.msn.com list=MSBLOCK
add address=a.rad.msn.com list=MSBLOCK
add address=ac3.msn.com list=MSBLOCK
add address=ad.doubleclick.net list=MSBLOCK
add address=adnexus.net list=MSBLOCK
add address=adnxs.com list=MSBLOCK
add address=ads.msn.com list=MSBLOCK
add address=ads1.msads.net list=MSBLOCK
add address=ads1.msn.com list=MSBLOCK
add address=aidps.atdmt.com list=MSBLOCK
add address=aka-cdn-ns.adtech.de list=MSBLOCK
add address=az361816.vo.msecnd.net list=MSBLOCK
add address=az512334.vo.msecnd.net list=MSBLOCK
add address=b.ads1.msn.com list=MSBLOCK
add address=b.ads2.msads.net list=MSBLOCK
add address=b.rad.msn.com list=MSBLOCK
add address=bing.com list=MSBLOCK
add address=bs.serving-sys.com list=MSBLOCK
add address=c.atdmt.com list=MSBLOCK
add address=c.msn.com list=MSBLOCK
add address=cdn.atdmt.com list=MSBLOCK
add address=cds26.ams9.msecn.net list=MSBLOCK
add address=choice.microsoft.com list=MSBLOCK
add address=choice.microsoft.com.nsatc.net list=MSBLOCK
add address=compatexchange.cloudapp.net list=MSBLOCK
add address=corp.sts.microsoft.com list=MSBLOCK
add address=corpext.msitadfs.glbdns2.microsoft.com list=MSBLOCK
add address=cs1.wpc.v0cdn.net list=MSBLOCK
add address=db3aqu.atdmt.com list=MSBLOCK
add address=df.telemetry.microsoft.com list=MSBLOCK
add address=ec.atdmt.com list=MSBLOCK
add address=feedback.microsoft-hohm.com list=MSBLOCK
add address=feedback.search.microsoft.com list=MSBLOCK
add address=feedback.windows.com list=MSBLOCK
add address=flex.msn.com list=MSBLOCK
add address=g.msn.com list=MSBLOCK
add address=h1.msn.com list=MSBLOCK
add address=i1.services.social.microsoft.com list=MSBLOCK
add address=i1.services.social.microsoft.com.nsatc.net list=MSBLOCK
add address=lb1.www.ms.akadns.net list=MSBLOCK
add address=live.rads.msn.com list=MSBLOCK
add address=m.adnxs.com list=MSBLOCK
add address=msedge.net list=MSBLOCK
add address=msnbot-65-55-108-23.search.msn.com list=MSBLOCK
add address=msntest.serving-sys.com list=MSBLOCK
add address=oca.telemetry.microsoft.com list=MSBLOCK
add address=oca.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=pre.footprintpredict.com list=MSBLOCK
add address=preview.msn.com list=MSBLOCK
add address=pricelist.skype.com list=MSBLOCK
add address=public-family.api.account.microsoft.com list=MSBLOCK
add address=rad.live.com list=MSBLOCK
add address=rad.msn.com list=MSBLOCK
add address=redir.metaservices.microsoft.com list=MSBLOCK
add address=reports.wes.df.telemetry.microsoft.com list=MSBLOCK
add address=s0.2mdn.net list=MSBLOCK
add address=sO.2mdn.net list=MSBLOCK
add address=schemas.microsoft.akadns.net list=MSBLOCK
add address=secure.adnxs.com list=MSBLOCK
add address=secure.flashtalking.com list=MSBLOCK
add address=services.wes.df.telemetry.microsoft.com list=MSBLOCK
add address=settings-sandbox.data.microsoft.com list=MSBLOCK
add address=settings-win.data.microsoft.com list=MSBLOCK
add address=sqm.df.telemetry.microsoft.com list=MSBLOCK
add address=sqm.telemetry.microsoft.com list=MSBLOCK
add address=sqm.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=static.2mdn.net list=MSBLOCK
add address=statsfe1.ws.microsoft.com list=MSBLOCK
add address=statsfe2.ws.microsoft.com list=MSBLOCK
add address=survey.watson.microsoft.com list=MSBLOCK
add address=telecommand.telemetry.microsoft.com list=MSBLOCK
add address=telecommand.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=telemetry.appex.bing.net list=MSBLOCK
add address=telemetry.microsoft.com list=MSBLOCK
add address=telemetry.urs.microsoft.com list=MSBLOCK
add address=urs.microsoft.com list=MSBLOCK
add address=view.atdmt.com list=MSBLOCK
add address=vortex-bn2.metron.live.com.nsatc.net list=MSBLOCK
add address=vortex-cy2.metron.live.com.nsatc.net list=MSBLOCK
add address=vortex-sandbox.data.microsoft.com list=MSBLOCK
add address=vortex-win.data.microsoft.com list=MSBLOCK
add address=vortex.data.microsoft.com list=MSBLOCK
add address=watson.live.com list=MSBLOCK
add address=watson.microsoft.com list=MSBLOCK
add address=watson.ppe.telemetry.microsoft.com list=MSBLOCK
add address=watson.telemetry.microsoft.com list=MSBLOCK
add address=watson.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=wes.df.telemetry.microsoft.com list=MSBLOCK
add address=www.a-0001.a-msedge.net list=MSBLOCK
add address=www.a-0002.a-msedge.net list=MSBLOCK
add address=www.a-0003.a-msedge.net list=MSBLOCK
add address=www.a-0004.a-msedge.net list=MSBLOCK
add address=www.a-0005.a-msedge.net list=MSBLOCK
add address=www.a-0006.a-msedge.net list=MSBLOCK
add address=www.a-0007.a-msedge.net list=MSBLOCK
add address=www.a-0008.a-msedge.net list=MSBLOCK
add address=www.a-0009.a-msedge.net list=MSBLOCK
add address=www.a-msedge.net list=MSBLOCK
add address=www.a.ads1.msn.com list=MSBLOCK
add address=www.a.ads2.msads.net list=MSBLOCK
add address=www.a.ads2.msn.com list=MSBLOCK
add address=www.a.rad.msn.com list=MSBLOCK
add address=www.ac3.msn.com list=MSBLOCK
add address=www.ad.doubleclick.net list=MSBLOCK
add address=www.adnexus.net list=MSBLOCK
add address=www.adnxs.com list=MSBLOCK
add address=www.ads.msn.com list=MSBLOCK
add address=www.ads1.msads.net list=MSBLOCK
add address=www.ads1.msn.com list=MSBLOCK
add address=www.aidps.atdmt.com list=MSBLOCK
add address=www.aka-cdn-ns.adtech.de list=MSBLOCK
add address=www.az361816.vo.msecnd.net list=MSBLOCK
add address=www.az512334.vo.msecnd.net list=MSBLOCK
add address=www.b.ads1.msn.com list=MSBLOCK
add address=www.b.ads2.msads.net list=MSBLOCK
add address=www.b.rad.msn.com list=MSBLOCK
add address=www.bing.com list=MSBLOCK
add address=www.bs.serving-sys.com list=MSBLOCK
add address=www.c.atdmt.com list=MSBLOCK
add address=www.c.msn.com list=MSBLOCK
add address=www.cdn.atdmt.com list=MSBLOCK
add address=www.cds26.ams9.msecn.net list=MSBLOCK
add address=www.choice.microsoft.com list=MSBLOCK
add address=www.choice.microsoft.com.nsatc.net list=MSBLOCK
add address=www.compatexchange.cloudapp.net list=MSBLOCK
add address=www.corp.sts.microsoft.com list=MSBLOCK
add address=www.corpext.msitadfs.glbdns2.microsoft.com list=MSBLOCK
add address=www.cs1.wpc.v0cdn.net list=MSBLOCK
add address=www.db3aqu.atdmt.com list=MSBLOCK
add address=www.df.telemetry.microsoft.com list=MSBLOCK
add address=www.ec.atdmt.com list=MSBLOCK
add address=www.feedback.microsoft-hohm.com list=MSBLOCK
add address=www.feedback.search.microsoft.com list=MSBLOCK
add address=www.feedback.windows.com list=MSBLOCK
add address=www.flex.msn.com list=MSBLOCK
add address=www.g.msn.com list=MSBLOCK
add address=www.h1.msn.com list=MSBLOCK
add address=www.i1.services.social.microsoft.com list=MSBLOCK
add address=www.i1.services.social.microsoft.com.nsatc.net list=MSBLOCK
add address=www.lb1.www.ms.akadns.net list=MSBLOCK
add address=www.live.rads.msn.com list=MSBLOCK
add address=www.m.adnxs.com list=MSBLOCK
add address=www.m.hotmail.com list=MSBLOCK
add address=www.msedge.net list=MSBLOCK
add address=www.msnbot-65-55-108-23.search.msn.com list=MSBLOCK
add address=www.msntest.serving-sys.com list=MSBLOCK
add address=www.oca.telemetry.microsoft.com list=MSBLOCK
add address=www.oca.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=www.pre.footprintpredict.com list=MSBLOCK
add address=www.preview.msn.com list=MSBLOCK
add address=www.pricelist.skype.com list=MSBLOCK
add address=www.public-family.api.account.microsoft.com list=MSBLOCK
add address=www.rad.live.com list=MSBLOCK
add address=www.rad.msn.com list=MSBLOCK
add address=www.redir.metaservices.microsoft.com list=MSBLOCK
add address=www.reports.wes.df.telemetry.microsoft.com list=MSBLOCK
add address=www.s.gateway.messenger.live.com list=MSBLOCK
add address=www.sO.2mdn.net list=MSBLOCK
add address=www.schemas.microsoft.akadns.net list=MSBLOCK
add address=www.secure.adnxs.com list=MSBLOCK
add address=www.secure.flashtalking.com list=MSBLOCK
add address=www.services.wes.df.telemetry.microsoft.com list=MSBLOCK
add address=www.settings-sandbox.data.microsoft.com list=MSBLOCK
add address=www.settings-win.data.microsoft.com list=MSBLOCK
add address=www.sqm.df.telemetry.microsoft.com list=MSBLOCK
add address=www.sqm.telemetry.microsoft.com list=MSBLOCK
add address=www.sqm.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=www.static.2mdn.net list=MSBLOCK
add address=www.statsfe1.ws.microsoft.com list=MSBLOCK
add address=www.statsfe2.ws.microsoft.com list=MSBLOCK
add address=www.survey.watson.microsoft.com list=MSBLOCK
add address=www.telecommand.telemetry.microsoft.com list=MSBLOCK
add address=www.telecommand.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=www.telemetry.appex.bing.net list=MSBLOCK
add address=www.telemetry.microsoft.com list=MSBLOCK
add address=www.telemetry.urs.microsoft.com list=MSBLOCK
add address=www.urs.microsoft.com list=MSBLOCK
add address=www.view.atdmt.com list=MSBLOCK
add address=www.vortex-bn2.metron.live.com.nsatc.net list=MSBLOCK
add address=www.vortex-cy2.metron.live.com.nsatc.net list=MSBLOCK
add address=www.vortex-sandbox.data.microsoft.com list=MSBLOCK
add address=www.vortex-win.data.microsoft.com list=MSBLOCK
add address=www.vortex.data.microsoft.com list=MSBLOCK
add address=www.watson.live.com list=MSBLOCK
add address=www.watson.microsoft.com list=MSBLOCK
add address=www.watson.ppe.telemetry.microsoft.com list=MSBLOCK
add address=www.watson.telemetry.microsoft.com list=MSBLOCK
add address=www.watson.telemetry.microsoft.com.nsatc.net list=MSBLOCK
add address=www.wes.df.telemetry.microsoft.com list=MSBLOCK
# "SKYPE": destinations exempted from the MSBLOCK drop for "windows" hosts
# (Skype itself, the msftncsi.com connectivity probes, translator and
# diagnostics endpoints). A name in both MSBLOCK and SKYPE is allowed.
add address=api.cc.skype.com list=SKYPE
add address=api.mcr.skype.com list=SKYPE
add address=api.skype.com list=SKYPE
add address=apps.skype.com list=SKYPE
add address=avatar.skype.com list=SKYPE
add address=b.config.skype.com list=SKYPE
add address=contacts.skype.com list=SKYPE
add address=dev.microsofttranslator.com list=SKYPE
add address=diagnostics.support.microsoft.akadns.net list=SKYPE
add address=diagnostics.support.microsoft.com list=SKYPE
add address=edge.skype.com list=SKYPE
add address=m.hotmail.com list=SKYPE
add address=mobile.pipe.aria.microsoft.com list=SKYPE
add address=msftncsi.com list=SKYPE
add address=msg.skype.com list=SKYPE
add address=profile.skype.com list=SKYPE
add address=s.gateway.messenger.live.com list=SKYPE
add address=skype.net list=SKYPE
add address=ui.skype.com list=SKYPE
add address=www.msftncsi.com list=SKYPE
# "windows": the LAN hosts subject to the telemetry check (redacted).
add address=192.168.1.1xx list=windows
add address=192.168.1.2xx list=windows
add address=192.168.1.2yy list=windows
/ip firewall filter
# Design: conntrack first. Established/related traffic is accepted (and
# fast-tracked) before any policy rule, so everything below the disabled
# "chain=comment" separators only ever sees NEW connections.
#   input:   LAN (bridge) may talk to the router; WAN may not, except ICMP
#            that survived the icmp_check chain in /ip firewall raw.
#   forward: LAN out is allowed minus the blocked/blacklist/telemetry rules;
#            WAN in is allowed only when a dstnat rule matched.
# Port 80 is excluded from fast-tracking in both directions; the export does
# not say why (fast-tracked packets bypass filter, mangle and queues).
add action=fasttrack-connection chain=forward comment=\
"FastTrack established,related TCP from WAN ex. from 80 port" \
connection-state=established,related in-interface=pppoe-out1 protocol=tcp \
src-port=!80
add action=fasttrack-connection chain=forward comment=\
"FastTrack established,related TCP from LAN ex. to 80 port" \
connection-state=established,related dst-port=!80 in-interface=bridge \
protocol=tcp
add action=fasttrack-connection chain=forward comment=\
"FastTrack established,related except TCP" connection-state=\
established,related protocol=!tcp
# "untracked" is accepted here although nothing in raw marks connections
# notrack, so that part of the match is currently inert.
add action=accept chain=forward comment=\
"Accept established, related, untracked from (WAN LAN)" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"Accept established,related Input (WAN LAN)" connection-state=\
established,related
add action=drop chain=input comment="Drop ALL invalid Input" \
connection-state=invalid
add action=drop chain=forward comment="Drop ALL invalid Forward" \
connection-state=invalid
# Separator only: chain "comment" is never jumped to and the rule is disabled.
add action=passthrough chain=comment comment=\
"ALL below this is only NEW state" disabled=yes
add action=drop chain=input comment=\
"Drop (new) input from LAN - blocked list" in-interface=bridge \
src-address-list=blocked
# Every LAN host (bar "blocked") may open anything on the router; the
# per-service address restrictions live in /ip service.
add action=accept chain=input comment="Accept (new) INPUT from LAN" \
in-interface=bridge
add action=passthrough chain=comment comment=\
"ALL INPUT below this is only NEW WAN" disabled=yes
add action=drop chain=forward comment=\
"Drop (new) forward from LAN - blocked list" in-interface=bridge \
src-address-list=blocked
# Reject (not drop) so LAN clients fail fast on bogon destinations.
add action=reject chain=forward comment=\
"Drop (new) forward from LAN - to blacklist" dst-address-list=blacklist \
in-interface=bridge reject-with=icmp-host-unreachable
# Telemetry gate: only sources in "windows" heading for an MSBLOCK name are
# sent to MSTelemetry_check; anything that returns from it is accepted by the
# next rule.
add action=jump chain=forward comment=\
"Jump (new) forward from LAN to MSBLOCK list to check telemetry" \
dst-address-list=MSBLOCK in-interface=bridge jump-target=\
MSTelemetry_check src-address-list=windows
add action=accept chain=forward comment="Accept (new) forward from LAN" \
in-interface=bridge
add action=passthrough chain=comment comment=\
"ALL FORWARD below this is only NEW WAN" disabled=yes
# From here on, forward traffic is new and did not enter via the bridge
# (pppoe-out1, but also ether1 or a radio if one were enabled).
add action=drop chain=forward comment=\
"Drop (new) forward (from WAN) not DSTNATed ===== should be zero =====" \
connection-nat-state=!dstnat log=yes log-prefix="NEW FORWARD NOT DNATed"
add action=jump chain=forward comment=\
"Jump (new WAN) forward connections to DOSLIMIT check" jump-target=\
doslimit protocol=tcp
add action=accept chain=forward comment=\
"Accept (new) forward DSTNATed (from WAN)"
# New input from WAN to the listed ports feeds the antibrut escalation (see
# chain antibrut). Nothing here accepts the connection -- the catch-all drop
# below still applies; these rules only populate address lists.
# Caveat: the UDP triggers (53, 69, 111, 135-139, 2049, 3133, 5060) are
# unauthenticated and spoofable. Four forged datagrams are enough to put any
# chosen source -- e.g. the upstream resolvers 77.88.8.8/77.88.8.1 or an NTP
# server -- into "blacklist" for 1w3d, after which /ip firewall raw drops
# *all* packets from it, including replies to LAN-initiated traffic. Consider
# limiting the UDP trigger to ports you actually expose, or keeping dynamic
# entries in a list that is only enforced for NEW connections.
add action=jump chain=input comment=\
"Jump (new WAN) to antibrut 3 stage check - TCP" dst-port=\
21-25,53,110,123,135-139,143,443,445,992,3389,5323,8291,8728 jump-target=\
antibrut protocol=tcp
add action=jump chain=input comment=\
"Jump (new WAN) to antibrut 3 stage check - UDP" dst-port=\
53,69,111,135,137-139,2049,3133,5060 jump-target=antibrut protocol=udp
# Port-scan detection: weight 21 within 3s (low ports count 3, high ports 1)
# blacklists the source for 1w2d. Same spoofing caveat as above -- a SYN is
# as forgeable as a datagram.
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=1w2d chain=input comment="Port scanner to list" \
protocol=tcp psd=21,3s,3,1
add action=accept chain=input comment=\
"Accept (new) ICMP input (from WAN) - filtering ICMP is in RAW table" \
protocol=icmp
# Catch-all input drop (explicit default-deny). log-prefix is set but log=yes
# is not, so the prefix is inert; probably deliberate to avoid WAN noise.
add action=drop chain=input comment="Drop all input (only new WAN)" \
log-prefix="DROP INPUT"
add action=drop chain=forward comment=\
"Drop ALL Forward ===== should be zero =====" log=yes log-prefix=\
"DROP ALL FORWARD"
# doslimit: rate-limits NEW TCP from WAN toward DSTNATed services. "limit"
# is a per-rule budget, not per source, so one aggressive client can exhaust
# the 30 SYN/s allowance for every exposed service at once. The RST branch
# only sees a RST that *opened* a connection; conntrack normally classifies
# such a packet as invalid, which the earlier drop already handles -- check
# the counters, this pair is likely dead.
add action=return chain=doslimit comment="check 30 SYN packets sec" limit=\
30,40:packet protocol=tcp tcp-flags=syn,!fin,!rst,!ack
add action=drop chain=doslimit comment="drop over 30 SYN packets sec" \
protocol=tcp tcp-flags=syn,!fin,!rst,!ack
add action=return chain=doslimit comment="check 1 RST packets sec" limit=\
1,0:packet protocol=tcp tcp-flags=rst,!fin,!syn,!ack
add action=drop chain=doslimit comment="drop over 1 RST packets sec" \
protocol=tcp tcp-flags=rst,!fin,!syn,!ack
# antibrut escalation. add-src-to-address-list is passthrough, so each
# packet walks the whole chain: consecutive probes from one source move it
# fuckup1 -> fuckup2 -> fuckup3 -> blacklist in four hits (2m/3m/5m windows).
# The chain itself never accepts or drops.
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=1w3d chain=antibrut comment=\
"antibrut3 stage check - stage final" src-address-list=fuckup3
add action=add-src-to-address-list address-list=fuckup3 address-list-timeout=\
5m chain=antibrut comment="antibrut3 stage check - stage 3" \
src-address-list=fuckup2
add action=add-src-to-address-list address-list=fuckup2 address-list-timeout=\
3m chain=antibrut comment="antibrut3 stage check - stage 2" \
src-address-list=fuckup1
add action=add-src-to-address-list address-list=fuckup1 address-list-timeout=\
2m chain=antibrut comment="antibrut3 stage check - stage 1"
# Telemetry check: drop unless the destination is also in SKYPE; otherwise
# fall back to the caller, which accepts the connection.
add action=drop chain=MSTelemetry_check comment="Drop that not in Skype list" \
dst-address-list=!SKYPE
/ip firewall nat
# Outbound: src-nat to the fixed public address instead of masquerade.
# Caveat: this silently stops translating if the PPPoE session ever comes up
# with a different address; masquerade would follow the interface address.
add action=src-nat chain=srcnat comment=\
"my version of masquerade for static IP" out-interface=pppoe-out1 \
src-address=192.168.1.0/24 to-addresses=80.rrr.ttt.eee
# Inbound port forwards are pinned to in-interface=pppoe-out1 and the public
# address, so they cannot be triggered from the LAN side or via ether1.
# What is exposed (DownloadStation, FTP including its passive range, Skype)
# is reachable by the whole Internet; on the WAN side the only guards are
# the doslimit chain in the filter and the blacklist in raw. Ports and the
# inside host are placeholders in this public copy.
add action=dst-nat chain=dstnat comment="DownloadStation TCP" dst-address=\
80.rrr.ttt.eee dst-port=xxxxx in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.1.gg to-ports=xxxxx
add action=dst-nat chain=dstnat comment="DownloadStation DHT" dst-address=\
80.rrr.ttt.eee dst-port=xxxxx in-interface=pppoe-out1 protocol=udp \
to-addresses=192.168.1.gg to-ports=xxxxx
# Captures LAN DNS over UDP and forces it through the router's resolver so
# the hostname-based address lists (MSBLOCK/SKYPE) see the same answers the
# clients get. TCP/53 and DNS-over-TLS/HTTPS are not redirected and bypass
# both this rule and the telemetry check.
add action=dst-nat chain=dstnat comment="redirect DNS to router UDP" \
dst-address=!192.168.1.1 dst-port=53 in-interface=bridge protocol=udp \
to-addresses=192.168.1.1 to-ports=53
# FTP is a clear-text protocol (credentials and data); the passive range is
# forwarded explicitly, so the ftp conntrack helper is not strictly needed.
add action=dst-nat chain=dstnat comment="FTP passive" dst-address=\
80.rrr.ttt.eee dst-port=aaaaa-bbbbb in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.1.gg to-ports=aaaaa-bbbbb
add action=dst-nat chain=dstnat comment="FTP" dst-address=\
80.rrr.ttt.eee dst-port=kkkkk in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.1.gg to-ports=kkkkk
add action=dst-nat chain=dstnat comment=SkypePC dst-address=80.rrr.ttt.eee \
dst-port=38bbb in-interface=pppoe-out1 protocol=tcp to-addresses=\
192.168.1.1xx to-ports=bbbbb
add action=dst-nat chain=dstnat comment="SkypePC UDP" dst-address=\
80.rrr.ttt.eee dst-port=38bbb in-interface=pppoe-out1 protocol=udp \
to-addresses=192.168.1.1xx to-ports=bbbbb
/ip firewall raw
# Raw runs before connection tracking, so blacklisted sources (static bogons
# plus dynamic antibrut/psd entries) cost no conntrack state at all. The
# flip side: this also drops replies from a blacklisted address to LAN
# connections, which is what makes the spoofable triggers in the filter a
# denial-of-service lever (see the notes there).
add action=drop chain=prerouting comment="Drop from blacklist address list" \
in-interface=pppoe-out1 src-address-list=blacklist
# "RT" rules: defences against ISP-side traffic injection. Two size classes
# of WAN packets are inspected -- 180-250 bytes (HTTP redirect responses)
# and exactly 40 bytes (a bare TCP RST).
add action=jump chain=prerouting comment=\
"RT Jump to check_http for packets 180-250 size " in-interface=pppoe-out1 \
jump-target=tcp_check_http packet-size=180-250
add action=jump chain=prerouting comment=\
"RT Jump to check_https for packets 40 size" in-interface=pppoe-out1 \
jump-target=tcp_check_https packet-size=40
# Applies to ICMP for both the router and forwarded hosts (prerouting).
add action=jump chain=prerouting comment="jump ICMP from WAN to check" \
in-interface=pppoe-out1 jump-target=icmp_check protocol=icmp
add action=jump chain=tcp_check_http comment=\
"RT Jump TCP from 80 port to tcp_check_warning" jump-target=\
tcp_check_warning protocol=tcp src-port=80
add action=jump chain=tcp_check_https comment=\
"RT Jump TCP from 443 port and RST to tcp_check_ttl" jump-target=\
tcp_check_ttl protocol=tcp src-port=443 tcp-flags=rst
# TTL fingerprinting of injected RSTs (per the original comments "nnm, rt" --
# presumably a tracker and the ISP). Fragile by nature: a legitimate server
# whose RST arrives with TTL 57, 58 or 120 will have its resets dropped and
# clients will wait for a timeout instead.
add action=drop chain=tcp_check_ttl comment="RT drop TTL 57 - nnm, rt" ttl=\
equal:57
add action=drop chain=tcp_check_ttl comment="RT drop TTL 58 - nnm, rt" ttl=\
equal:58
add action=drop chain=tcp_check_ttl comment="RT drop TTL 120" ttl=equal:120
# Drops HTTP responses carrying the (redacted) injected redirect. log-prefix
# is set without log=yes, so -- unlike the "should be zero" rules in the
# filter -- hits are not logged; add log=yes if you want to see them.
add action=drop chain=tcp_check_warning comment="RT drop =========" \
content="Location: ==========" log-prefix=\
"RT HTTP DROP warning"
# ICMP allow-list for the WAN side. Echo request (8:0) is left disabled, so
# neither the router nor forwarded hosts answer pings from the Internet;
# 3:4 (fragmentation needed) is allowed so PMTU discovery keeps working.
# Source quench (4:0) is deprecated and ignored by modern stacks; allowing it
# is harmless but unnecessary. No rate limit is applied to permitted types.
add action=return chain=icmp_check comment="ICMP 3:1" icmp-options=3:1 \
protocol=icmp
add action=return chain=icmp_check comment="ICMP 3:0" icmp-options=3:0 \
protocol=icmp
add action=return chain=icmp_check comment="ICMP 11:0" icmp-options=11:0 \
protocol=icmp
add action=return chain=icmp_check comment="ICMP 0:0-255 - echo reply" \
icmp-options=0:0-255 protocol=icmp
add action=return chain=icmp_check comment="ICMP 3:4" icmp-options=3:4 \
protocol=icmp
add action=return chain=icmp_check comment=\
"ICMP 4:0 - source quench (ask to send packets slowly)" icmp-options=4:0 \
protocol=icmp
add action=return chain=icmp_check comment="ICMP 8:0 - echo request (PING)" \
disabled=yes icmp-options=8:0 protocol=icmp
add action=return chain=icmp_check comment="ICMP 12:0" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp_check comment="DROP ALL other ICMP" protocol=icmp
/ip firewall service-port
# Connection-tracking helpers (ALGs). ftp is kept, on control port 2121 --
# presumably the port of the forwarded FTP server (placeholder "kkkkk" in
# the NAT rules; verify they agree). Helpers parse payload and open related
# pinholes on their own; since the passive range is forwarded explicitly,
# the ftp helper can likely be disabled as well. tftp/irc/pptp are off.
set ftp ports=2121
set tftp disabled=yes
set irc disabled=yes
set pptp disabled=yes
/ip service
# Management plane: telnet, ftp, ssh, api and api-ssl are off. www, www-ssl
# and winbox answer only to 192.168.1.0/24 (and the filter admits new input
# only from the bridge anyway). Plain-HTTP www is still enabled: once www-ssl
# has a certificate, disable www so admin credentials never cross the LAN in
# clear text.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh disabled=yes
set www-ssl address=192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Samara
/system clock manual
set dst-delta=+04:00 time-zone=+04:00
/system ntp client
# Plain, unauthenticated NTP from public servers -- certificate validity
# checks and log timestamps depend on it.
set enabled=yes server-dns-names=\
ntp5.stratum2.ru,ntp2.stratum2.ru,ntp21.vniiftri.ru,ntp.ix.ru
/system package update
# NOTE(review): the device runs a pre-release build (6.42rc52 per the export
# header) and tracks the release-candidate channel. For an Internet-facing
# gateway, track a non-RC channel and apply updates promptly.
set channel=release-candidate
/system routerboard settings
set cpu-frequency=632MHz silent-boot=no
/tool bandwidth-server
# Bandwidth-test server off.
set enabled=no
/tool mac-server
# Layer-2 management: MAC-telnet off everywhere, MAC-winbox only on the LAN
# interface list, MAC-ping off.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no