# apr/26/2018 22:04:59 by RouterOS 6.42.1# software id = DWAX-NGE6## model

1. # apr/26/2018 22:04:59 by RouterOS 6.42.1
2. # software id = DWAX-NGE6
3. #
4. # model = 951Ui-2HnD
5. # serial number = 7175066182B6
6. /ip firewall address-list
7. add address=192.168.1.96 list=no_unet_users
8. /ip firewall filter
9. add action=accept chain=input comment="Permit ICMP" protocol=icmp
10. add action=accept chain=forward protocol=icmp
11. add action=accept chain=input comment="Permit established" connection-state=\
12. established protocol=tcp
13. add action=accept chain=forward connection-state=established protocol=tcp
14. add action=accept chain=input comment="Permit related" connection-state=\
15. related
16. add action=accept chain=forward connection-state=related
17. add action=drop chain=input comment="Drop invalid" connection-state=invalid
18. add action=drop chain=forward connection-state=invalid
19. add action=accept chain=input comment="Permit UDP" protocol=udp
20. add action=accept chain=forward protocol=udp
21. add action=accept chain=input comment="Permit to WinBox" dst-port=8291 \
22. protocol=tcp src-address-list=192.168.1.0/24
23. add action=accept chain=forward comment="Allow local traffic" in-interface=\
24. bridge-lan1 src-address=192.168.1.0/24
25. add action=accept chain=forward dst-address=109.167.153.217 in-interface=\
26. bridge-lan1
27. add action=accept chain=input in-interface=bridge-lan1 src-address=\
28. 192.168.1.0/24
29. add action=reject chain=forward comment="Deny to inet for bad_users" \
30. disabled=yes out-interface=ether1-wan protocol=tcp reject-with=tcp-reset \
31. src-address-list=no_unet_users
32. add action=drop chain=forward disabled=yes out-interface=ether1-wan \
33. src-address-list=no_unet_users
34. add action=drop chain=input comment="Drop all input" in-interface=ether1-wan
35. add action=drop chain=forward in-interface=ether1-wan
36. add action=drop chain=forward comment="Drop other"
37. /ip firewall nat
38. add action=masquerade chain=srcnat out-interface=ether1-wan