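  # /ip firewall filter — reviewed export (the "/ip firewall filter" header is not
  # part of this paste). Rules are evaluated top to bottom within each chain and the
  # first terminating action (accept / drop / fasttrack-connection) wins, so rule
  # ORDER inside a chain is the security-relevant property. Order between chains
  # does not matter, so the rules are regrouped per chain below.
  #
  # Changes from the original listing:
  #  * input: the final "Drop anything else" rule was listed BEFORE the SYN-flood,
  #    port-scan, FTP/SSH brute-force and Winbox rules, so none of them could ever
  #    match (and ssh_blacklist, used by the forward chain, was never populated).
  #    They now sit before the final drop. No new accept is introduced by this move.
  #  * input: "Accept DNS" on bridge1 used port=53, which matches SOURCE OR
  #    destination port, letting any bridge1 host reach every router service by
  #    sending from source port 53. Changed to dst-port=53.
  #  * input: one "Acesso liberado por DNS" rule for 192.168.43.0/24 had no protocol
  #    or port at all, i.e. the guest VLAN had full access to the router. Restricted
  #    to TCP/53 (see note at the rule).
  #  * forward: a DISABLED default-deny is appended; RouterOS has no implicit drop,
  #    so anything not matched by an explicit drop is currently forwarded.
  #  * no-op matchers (src-address-list="") and the duplicate "related" accept were
  #    removed; those two changes alter no behaviour.

  # ---------------------------------------------------------------------------
  # forward chain (traffic through the router)
  # ---------------------------------------------------------------------------
  # The whitelists below are evaluated before the drop rules further down, so the
  # listed sources are exempt from the bogon / spammer / ssh_blacklist drops.
  add action=accept chain=forward ipsec-policy=in,ipsec
  add action=accept chain=forward ipsec-policy=out,ipsec
  # MAC-based accepts: a source MAC is trivially spoofable and is only visible for
  # directly attached hosts — treat these as convenience, not authentication.
  add action=accept chain=forward comment="XL Solution - Rafael Orioli" src-mac-address=8C:85:90:56:45:58
  add action=accept chain=forward comment="XL Solution - Rafael Peroco" src-mac-address=8C:85:90:24:2C:05
  add action=accept chain=forward comment="XL Solution - Roger Lovato MacBook" src-mac-address=78:4F:43:8B:F6:81
  add action=accept chain=forward comment="XL Solution - Roger Lovato iPhone" src-mac-address=D4:DC:CD:AB:1F:78
  # Disabled in the original; kept as-is.
  add action=drop chain=forward disabled=yes src-address=172.26.74.0/24
  add action=accept chain=forward comment="Servers Network" src-address=172.20.0.0/24
  add action=accept chain=forward comment="Servers Network" src-address=172.25.0.0/24
  add action=accept chain=forward src-address=172.26.74.201
  add action=accept chain=forward dst-address=172.20.0.0/24 src-address=172.26.74.0/24
  add action=accept chain=forward dst-address=172.20.0.75 src-address=192.168.43.0/24
  add action=accept chain=forward protocol=icmp src-address=192.168.43.0/24
  add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
  # Established/related traffic is fast-tracked and accepted here, so the rules
  # below effectively only see new (or invalid) connections.
  add action=fasttrack-connection chain=forward connection-state=established,related
  add action=accept chain=forward connection-state=established,related,untracked
  # Requires an address-list named "bogons" to exist and be populated; the list
  # itself is not part of this export — verify it is actually defined.
  add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
  # More than 30 concurrent SMTP connections from one /32, or >30 new SMTP packets
  # per minute, puts the source in "spammers" for 3h; the next rule drops it.
  add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
  add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
  # ssh_blacklist is populated by the input-chain staging rules below.
  add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  # RouterOS has no implicit deny: anything not matched above is forwarded. Left
  # disabled because the accepts above do not cover ordinary LAN -> WAN traffic.
  add action=drop chain=forward comment="Default deny for forward # DO NOT ENABLE THIS RULE BEFORE YOU HAVE ACCEPT RULES FOR ALL TRAFFIC YOU NEED (e.g. LAN to WAN)" disabled=yes

  # ---------------------------------------------------------------------------
  # input chain (traffic to the router itself)
  # ---------------------------------------------------------------------------
  add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
  # Trusted networks get unrestricted access to every router service. Note that
  # 172.22.0.0/16 is a whole /16 while every other entry is a /23 or /24 — confirm
  # that width is intended.
  add action=accept chain=input comment="Network GCP" src-address=172.19.0.0/24
  add action=accept chain=input comment="Network Office" src-address=172.25.0.0/23
  add action=accept chain=input comment="Network CL" src-address=172.20.0.0/24
  add action=accept chain=input comment="Network AWS" src-address=172.22.0.0/16
  # Per-service access for the 172.26.74.0/24 network.
  add action=accept chain=input comment="Acesso liberado por SSH" dst-port=22 protocol=tcp src-address=172.26.74.0/24
  add action=accept chain=input comment="Acesso liberado por DNS" dst-port=53 protocol=udp src-address=172.26.74.0/24
  add action=accept chain=input comment="Acesso liberado por DNS" dst-port=53 protocol=tcp src-address=172.26.74.0/24
  # Guest VLAN: DNS and DHCP only.
  add action=accept chain=input comment="Acesso liberado por DNS" dst-port=53 protocol=udp src-address=192.168.43.0/24
  # The original rule here had neither protocol nor port, which gave the guest VLAN
  # full access to the router (Winbox, SSH, API, ...). Restricted to TCP/53 on the
  # assumption that it was meant to mirror the UDP/TCP DNS pair used for
  # 172.26.74.0/24 — confirm nothing else on the guest VLAN relied on it.
  add action=accept chain=input comment="Acesso liberado por DNS" dst-port=53 protocol=tcp src-address=192.168.43.0/24
  add action=accept chain=input comment="Acesso liberado por DHCP" dst-port=67-68 protocol=udp src-address=172.26.74.0/24
  add action=accept chain=input comment="Acesso liberado por DHCP" dst-port=67-68 in-interface=vlan-guests protocol=udp src-address=192.168.43.0/24
  # dst-port, not port: "port=" matches source OR destination port and would let any
  # bridge1 host reach every router service simply by sending from source port 53.
  # Replies to the router's own DNS queries are still covered by the
  # established/related accept below.
  add action=accept chain=input comment="Accept DNS - UDP" dst-port=53 in-interface=bridge1 protocol=udp
  add action=accept chain=input comment="Accept DNS - TCP" dst-port=53 in-interface=bridge1 protocol=tcp
  add action=accept chain=input comment="Accept to established connections" connection-state=established,related
  add action=accept chain=input comment="Acesso liberado por PING" protocol=icmp src-address=172.26.74.0/24
  add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
  # --- protections: apply to everything NOT accepted above (untrusted sources) ---
  # These must stay BEFORE the final drop or they never match.
  add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
  add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
  add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
  add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
  add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
  # Redundant with the final drop now that it is reachable, but kept for intent.
  add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
  # SSH brute-force staging (standard RouterOS pattern): each new SSH connection
  # from an untrusted source advances it one stage (1m timeout per stage); the
  # fourth in quick succession lands it in ssh_blacklist for 1w3d. The SYN itself is
  # still dropped by the final rule, so untrusted sources never actually reach SSH.
  add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
  add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
  add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
  add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
  # Final default deny for the input chain. Must remain the LAST input rule.
  add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"

  # ---------------------------------------------------------------------------
  # output chain: FTP brute-force detection on the router's own FTP replies
  # ---------------------------------------------------------------------------
  # The dst-limit accept lets a burst of "530 Login incorrect" replies per
  # destination through; once the per-destination budget is exhausted the reply
  # falls to the next rule, which blacklists that destination for 3h (enforced by
  # the "drop ftp brute forcers" input rule).
  add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
  add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
  add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp

  # ---------------------------------------------------------------------------
  # ICMP chain
  # ---------------------------------------------------------------------------
  # Only reached through the three jump rules above, all of which are disabled=yes,
  # so this chain is currently inert. ICMP to the router is therefore governed by
  # the input chain alone: accepted from 172.26.74.0/24 and for established/related
  # flows, dropped otherwise.
  add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet protocol=icmp
  add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
  add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
  add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
  add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
  add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp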