WIP default mikrotik Firewall

  1. /ip firewall filter
  2. add action=accept chain=input comment="Allow established & related (Input chain)" \
  3. connection-state=established,related
  4. add action=drop chain=input comment=\
  5. "Drop invalid packets (Input chain)" \
  6. connection-state=invalid
  7. add action=accept chain=input comment=\
  8. "Allow WireGuard VPN" dst-port=13231 \
  9. protocol=udp src-address-list=!private_ip_range
  10. add action=accept chain=input comment=\
  11. "Allow DHCP service from LAN" dst-port=\
  12. 67,68 protocol=udp src-address-list=private_ip_range
  13. add action=accept chain=input comment=\
  14. "Allow DNS queries from LAN" dst-port=53 \
  15. protocol=udp src-address-list=private_ip_range
  16. add action=accept chain=input comment=\
  17. "Allow access from trusted LAN" \
  18. src-address-list=Trusted-IPs_LAN
  19. add action=accept chain=input comment=\
  20. "Allow from trusted Public IPs" \
  21. src-address-list=Trusted-IPs
  22. add action=accept chain=input comment=\
  23. "Allow all loopback (lo) interface traffic" in-interface=lo
  24. add action=accept chain=input comment=\
  25. "Allow local UDP broadcasts" dst-address-type=\
  26. broadcast protocol=udp src-address-list=private_ip_range
  27. add action=accept chain=input comment=\
  28. "ICMP packets rate limited" limit=\
  29. 100,10:packet protocol=icmp
  30. add action=drop chain=input comment=\
  31. "Drop excessive ICMP packets" protocol=\
  32. icmp
  33. add action=add-src-to-address-list address-list=port_scanners \
  34. address-list-timeout=1w chain=input comment=\
  35. "Port-Scanner detection" protocol=tcp \
  36. psd=21,3s,3,1
  37. add action=add-src-to-address-list address-list=blacklist \
  38. address-list-timeout=1w chain=input comment=\
  39. "Brute-force detection" connection-state=\
  40. new dst-port=21-23,53,80,443,161,8291,3389,8728-8729,54321,6379 protocol=\
  41. tcp src-address-list=!Trusted-IPs
  42. add action=drop chain=input comment="Silently drop UDP 6537 broadcasts (no log\
  43. )" dst-address=255.255.255.255 dst-port=\
  44. 6537 in-interface=bridge.30_untrusted protocol=udp
  45. add action=drop chain=input comment=\
  46. "Silent Input Drop NAT-PMP" dst-port=5351 \
  47. protocol=udp
  48. add action=drop chain=input comment=\
  49. "Silent Input Drop IGMP" protocol=igmp
  50. add action=log chain=input comment=\
  51. "Log dropped Input packets" log-prefix=\
  52. "INPUT DROP: "
  53. add action=drop chain=input comment=\
  54. "Default Input Drop"
  55. add action=accept chain=forward comment="Allow established & related (Forward chain)" \
  56. connection-state=established,related
  57. add action=drop chain=forward comment=\
  58. "Drop invalid forwarded packets" \
  59. connection-state=invalid
  60. add action=jump chain=forward comment=\
  61. "Jump to SYN Flood Protection" \
  62. connection-state=new jump-target=SYN-Flood-Protect protocol=tcp
  63. add action=return chain=SYN-Flood-Protect comment=\
  64. "Allow SYN within limit" limit=\
  65. 2k,5:packet protocol=tcp
  66. add action=drop chain=SYN-Flood-Protect comment=\
  67. "Drop excessive SYN packets"
  68. add action=jump chain=forward comment=\
  69. "Jump to detect DDoS" connection-state=\
  70. new jump-target=Detect-DDoS
  71. add action=return chain=Detect-DDoS comment=\
  72. "Allow trusted IPs through DDoS check" \
  73. src-address-list=Trusted-IPs
  74. add action=return chain=Detect-DDoS comment=\
  75. "Allow traffic under DDoS threshold" \
  76. dst-limit=3000,6000,src-and-dst-addresses/5s
  77. add action=add-src-to-address-list address-list=ddos_attackers \
  78. address-list-timeout=1d chain=Detect-DDoS comment=\
  79. "Track DDoS attackers"
  80. add action=add-dst-to-address-list address-list=ddos_targets \
  81. address-list-timeout=1d chain=Detect-DDoS comment=\
  82. "Track DDoS targets"
  83. add action=drop chain=Detect-DDoS comment=\
  84. "Drop identified DDoS attack traffic"
  85. add action=accept chain=forward comment=\
  86. "Allow WireGuard VPN forwarding" \
  87. in-interface=wireguard
  88. add action=accept chain=forward comment=\
  89. "Allow LAN to WAN internet forwarding" \
  90. dst-address-list=!private_ip_range src-address-list=private_ip_range
  91. add action=jump chain=forward comment=\
  92. "Jump to Private-to-Private checks" \
  93. dst-address-list=private_ip_range jump-target=Private_to_Private \
  94. src-address-list=private_ip_range
  95. add action=drop chain=Private_to_Private comment="Drop all unauthorized inter-\
  96. VLAN communication"
  97. add action=drop chain=forward comment="Default drop all other forwarded traffi\
  98. c"
  99. /ip firewall mangle
  100. add action=mark-connection chain=prerouting comment=\
  101. "Hairpin NAT marking" dst-address-list=\
  102. WAN_IPs new-connection-mark="Hairpin NAT" passthrough=no \
  103. src-address-list=private_ip_range
  104. /ip firewall nat
  105. add action=masquerade chain=srcnat comment="WAN Masquerade NAT" \
  106. out-interface=pppoe1
  107. add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
  108. "Hairpin NAT"
  109. ## if wanted, force dns to router I use https://nextdns.io/?from=c92dff8f so I do use this for dumb IoT devices
  110. ## add action=dst-nat chain=dstnat comment="Force DNS to Router UDP" dst-port=53 \
  111. protocol=udp src-address-list=private_ip_range to-addresses=PRIVATE_MAIN_IP
  112. ## add action=dst-nat chain=dstnat comment="Force DNS to Router TCP" dst-port=53 \
  113. protocol=tcp src-address-list=private_ip_range to-addresses=PRIVATE_MAIN_IP
  114. /ip firewall raw
  115. add action=drop chain=prerouting comment=\
  116. "Early drop blacklisted IPs" \
  117. src-address-list=blacklist
  118. add action=drop chain=prerouting comment=\
  119. "Early drop scanners" src-address-list=\
  120. port_scanners
  121. add action=drop chain=prerouting comment=\
  122. "Early drop unwanted geo IPs" \
  123. src-address-list=IP2Location