NetworkPro on firewalling
From MikroTik Wiki
Based on Dmitry's MUM 2006 presentation on firewalling (also available as a PDF).
Introduction
This is a modification of Dmitry on firewalling, without the protocol classification and with two public interfaces.
There are two public interfaces on the router, ISP1_100M_Optic and ISP2_20M_2wireEth, both connected to the Internet, and one Local interface to which our clients are connected. All clients are NATed. This example assumes that ECMP load-balancing/fail-over or BGP is already configured and working.
Sanity-check
Generic detection of invalid packets and port scans.
The nat-traversal mark flags packets that arrive on a public interface but are addressed to one of our internal (local-addr) addresses, i.e. somebody trying to route straight into the NATed network from outside. Place these rules before all other rules in mangle:
/ip firewall mangle
add chain=prerouting in-interface=ISP1_100M_Optic dst-address-list=local-addr action=mark-packet new-packet-mark=nat-traversal \
    passthrough=no comment="Detect NAT Traversal"
add chain=prerouting in-interface=ISP2_20M_2wireEth dst-address-list=local-addr action=mark-packet new-packet-mark=nat-traversal \
    passthrough=no comment="Detect NAT Traversal"
Note that some rules rely on address lists. Here the illegal-addr list is based on this BOGON Address List:
/ip firewall address-list
# permanently non-routable space (RFC 1918, loopback, link-local, multicast, test nets)
add address=192.168.0.0/16 list=illegal-addr
add address=10.0.0.0/8 list=illegal-addr
add address=172.16.0.0/12 list=illegal-addr disabled=yes comment="disabled here; local-addr 172.16.255.0/29 lies inside this range"
add address=169.254.0.0/16 list=illegal-addr
add address=127.0.0.0/8 list=illegal-addr
add address=224.0.0.0/3 comment="multicast and reserved" list=illegal-addr
add address=198.18.0.0/15 list=illegal-addr
add address=192.0.2.0/24 list=illegal-addr
# unallocated when this list was compiled; re-verify against current IANA/RIR data before relying on these
add address=223.0.0.0/8 list=illegal-addr
add address=185.0.0.0/8 list=illegal-addr
add address=180.0.0.0/6 list=illegal-addr
add address=179.0.0.0/8 list=illegal-addr
add address=176.0.0.0/7 list=illegal-addr
add address=175.0.0.0/8 list=illegal-addr
add address=104.0.0.0/6 list=illegal-addr
add address=100.0.0.0/6 list=illegal-addr
add address=49.0.0.0/8 list=illegal-addr
add address=46.0.0.0/8 list=illegal-addr
add address=42.0.0.0/8 list=illegal-addr
add address=39.0.0.0/8 list=illegal-addr
add address=36.0.0.0/7 list=illegal-addr
add address=31.0.0.0/8 list=illegal-addr
add address=27.0.0.0/8 list=illegal-addr
add address=23.0.0.0/8 list=illegal-addr
add address=14.0.0.0/8 list=illegal-addr
add address=5.0.0.0/8 list=illegal-addr
add address=2.0.0.0/8 list=illegal-addr
add address=0.0.0.0/7 list=illegal-addr
add address=128.0.0.0/16 list=illegal-addr
add list=local-addr address=172.16.255.0/29 comment="my local network, all NATed"
We use three address lists:
- illegal-addr - an example list. It should be extended to at least a few tens of entries covering the bogon prefixes (space not allocated by IANA) and anything else you never want to see as a source address from the Internet or as a destination from your clients. Be aware that a bogon list ages badly: the unallocated /8 entries above were bogons when this page was written, but IANA handed out its last free /8s in 2011, so an unmaintained copy of this list will drop traffic to and from legitimately allocated networks. Check it against your own local-addr, your upstream links and your DNS/NTP servers before enabling the rules that use it;
- local-addr - includes all addresses located in your network, behind this firewall;
and later on:
- blocked-addr - is filled by firewall rules to block port scanners for 1 day.
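An added check for the address lists above (example code written for this page, not taken from it or from Dmitry's original): it loads a constructed copy of the illegal-addr and local-addr entries, reports which entries overlap local-addr, which of a hypothetical set of upstream servers would be classed as bogon, and which entries rest on allocation state rather than on an RFC and therefore need re-verification. The MUST_REACH addresses are invented for the demonstration.

```python
"""Cross-check the page's address lists before enabling the rules that use them.

Added example; this is not code from the MikroTik wiki page. The two lists are
a constructed copy of the page's /ip firewall address-list block, and the
MUST_REACH addresses are hypothetical upstream servers chosen for the demo.
"""
import ipaddress

# (prefix, disabled) as on the page; 172.16.0.0/12 is the one entry with disabled=yes
ILLEGAL_ADDR = [
    ("192.168.0.0/16", False), ("10.0.0.0/8", False), ("172.16.0.0/12", True),
    ("169.254.0.0/16", False), ("127.0.0.0/8", False), ("224.0.0.0/3", False),
    ("223.0.0.0/8", False), ("198.18.0.0/15", False), ("192.0.2.0/24", False),
    ("185.0.0.0/8", False), ("180.0.0.0/6", False), ("179.0.0.0/8", False),
    ("176.0.0.0/7", False), ("175.0.0.0/8", False), ("104.0.0.0/6", False),
    ("100.0.0.0/6", False), ("49.0.0.0/8", False), ("46.0.0.0/8", False),
    ("42.0.0.0/8", False), ("39.0.0.0/8", False), ("36.0.0.0/7", False),
    ("31.0.0.0/8", False), ("27.0.0.0/8", False), ("23.0.0.0/8", False),
    ("14.0.0.0/8", False), ("5.0.0.0/8", False), ("2.0.0.0/8", False),
    ("0.0.0.0/7", False), ("128.0.0.0/16", False),
]
LOCAL_ADDR = ["172.16.255.0/29"]

# Hypothetical upstream addresses the router must keep talking to (ISP DNS, NTP).
MUST_REACH = ["185.12.64.1", "198.51.100.10"]

# Space that is non-routable by RFC, independent of any allocation date.
PERMANENT = [ipaddress.ip_network(p) for p in [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/3",   # multicast (224/4) plus reserved (240/4)
]]


def entries(lst):
    return [(ipaddress.ip_network(p), dis) for p, dis in lst]


def overlaps_local(illegal=ILLEGAL_ADDR, local=LOCAL_ADDR):
    """illegal-addr entries (enabled or not) that overlap local-addr.
    An enabled entry here makes the anti-spoofing and illegal-destination
    rules fire on the site's own traffic."""
    local_nets = [ipaddress.ip_network(p) for p in local]
    return [str(n) for n, _ in entries(illegal)
            if any(n.overlaps(l) for l in local_nets)]


def blocked_hosts(hosts=MUST_REACH, illegal=ILLEGAL_ADDR):
    """Map each must-reach host to the enabled entry that would class it as bogon."""
    found = {}
    for host in hosts:
        addr = ipaddress.ip_address(host)
        for net, disabled in entries(illegal):
            if not disabled and addr in net:
                found[host] = str(net)
    return found


def allocation_dependent(illegal=ILLEGAL_ADDR):
    """Enabled entries not fully inside permanently non-routable space.
    These were unallocated when the page was written and must be checked
    against current IANA/RIR data before use."""
    return [str(n) for n, dis in entries(illegal)
            if not dis and not any(n.subnet_of(p) for p in PERMANENT)]


if __name__ == "__main__":
    print("overlaps local-addr:", overlaps_local())
    print("must-reach hosts caught:", blocked_hosts())
    print("re-verify before enabling:", allocation_dependent())
```

On the page's own data the overlap check returns exactly the entry the page left disabled, and the allocation check flags 21 of the 29 entries, which is the list you would have to re-verify before letting the "Drop illegal source addresses" rules go live.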
We must allow traffic between the local clients. The rule also covers clients connected to different ports of the Local interface when it is a bridge, for example between Ethernet and wireless:
/ ip firewall filter
add chain=forward in-interface=Local out-interface=Local action=accept comment="Allow traffic between clients"
Everything else in the forward chain is passed through the sanity-check chain. Drops are not done in place but by jumping to a separate drop chain, so that all logging and accounting stays in one place. Note that, unlike Dmitry's original, the forward chain below has no rule after the sanity check: a forwarded packet that survives the sanity-check chain is accepted by the default policy. That is what lets the NATed clients out, but it also means the forward chain filters nothing beyond what sanity-check catches; add your own rules after the jump if you need more.
/ ip firewall filter
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check Forward"
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal"
add chain=input action=accept in-interface=Local dst-address=255.255.255.255 dst-port=5678 protocol=udp \
comment="Allow The Router to be visible via Neighbor Discovery to WinBox"
add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d \
    comment="Block port scans" disabled=yes
#check whether this is too aggressive and blocks legitimate hosts before enabling it
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d comment="Block TCP Xmas scan"
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d comment="Block TCP Null scan"
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"
add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"
add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"
add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"
add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop \
comment="Drop all traffic that goes to multicast or broadcast addresses"
add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!local action=jump jump-target=drop \
comment="Drop illegal destination addresses"
add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop \
comment="Drop everything that goes from local interface but not from local address"
add chain=sanity-check in-interface=ISP1_100M_Optic src-address-list=illegal-addr action=jump jump-target=drop \
comment="Drop illegal source addresses"
add chain=sanity-check in-interface=ISP2_20M_2wireEth src-address-list=illegal-addr action=jump jump-target=drop \
comment="Drop illegal source addresses"
add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop \
    comment="Drop all traffic that comes from multicast or broadcast addresses"
A few of these rules deserve a second look before the drop chain is enabled. "Drop TCP RST" discards every packet carrying the RST flag, legitimate resets included, so a refused or aborted connection hangs until its connection-tracking entry times out instead of failing at once. The two tcp-flags listings identify probes by flag pattern: FIN+PSH+URG with SYN, RST and ACK clear is the Xmas scan, and a segment with no flags at all is the Null scan. Either puts the source address into blocked-addr for a day on a single stateless match, so a probe sent with a forged source address gets somebody else's address listed. That is why the psd port-scan detector ships disabled and why the log should be watched before the drop is turned on.
Protecting the router
/ ip firewall filter
add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic (between router applications)"
add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp \
comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks"
add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
add chain=input dst-address-type=!local action=jump jump-target=drop \
comment="Dropping packets not destined to the router itself, including all broadcast traffic"
add chain=input protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
    comment="Allow pings, but at a very limited rate (5 packets per second, burst 5)"
add chain=input in-interface=Local action=jump jump-target=local-services \
comment="Allowing some services to be accessible from the local network"
add chain=input in-interface=ISP1_100M_Optic action=jump jump-target=public-services \
comment="Allowing some services to be accessible from the Internet"
add chain=input in-interface=ISP2_20M_2wireEth action=jump jump-target=public-services \
comment="Allowing some services to be accessible from the Internet"
add chain=input action=jump jump-target=drop
add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
add chain=dhcp src-address-list=local-addr dst-address-type=local action=accept
add chain=local-services protocol=tcp dst-port=22 action=accept comment="SSH (22/TCP)"
add chain=local-services protocol=udp dst-port=53 action=accept comment="DNS (53/UDP)"
add chain=local-services protocol=tcp dst-port=53 action=accept comment="DNS (53/TCP)"
add chain=local-services protocol=tcp dst-port=3128 action=accept comment="HTTP Proxy (3128/TCP)"
add chain=local-services protocol=tcp dst-port=8291 action=accept comment="Winbox (8291/TCP)"
add chain=local-services protocol=udp dst-port=161 action=accept comment="SNMP (161/UDP)"
add chain=local-services protocol=tcp dst-port=21 action=accept comment="FTP (21/TCP)"
add chain=local-services protocol=udp dst-port=123 action=accept comment="NTP (123/UDP)"
add chain=local-services protocol=udp dst-port=5678 action=accept comment="Neighbor discovery (5678/UDP)"
add chain=local-services action=log comment="Temporary logging to check for things we should not drop"
add chain=local-services action=drop disabled=yes
#check the log twice before enabling this
add chain=public-services protocol=tcp dst-port=22 action=accept comment="SSH (22/TCP)" disabled=yes
add chain=public-services protocol=tcp dst-port=1723 action=accept comment="PPTP (1723/TCP)"
add chain=public-services protocol=tcp dst-port=8291 action=accept comment="Winbox (8291/TCP)"
add chain=public-services protocol=gre action=accept comment="GRE for PPTP"
add chain=public-services action=log comment="Temporary logging to check for things we should not drop"
add chain=public-services action=drop disabled=yes
#check the log twice before enabling this
- The "accept ping" rule must come before the jumps to local-services and public-services. Once the drop at the end of those chains is enabled, a packet that enters them never returns, so an ICMP rule placed after the jumps would never be reached and pings would keep being dropped.
- The Winbox rule in public-services opens the management port to the whole Internet. If you need Winbox from outside at all, narrow the rule with src-address-list to the addresses you administer from; otherwise disable it and manage the router from the Local interface or over the PPTP tunnel the chain already allows.
- The ports used by router services are listed in RouterOSv3 Documentation - Services.
/ ip firewall filter
add chain=drop action=log disabled=yes comment="Temporary logging if we need to see what is actually dropped"
add chain=drop action=drop disabled=yes
#check twice before enabling this
Until that second rule is enabled, every jump-target=drop in the chains above is a no-op: the drop chain has no enabled rules, so the jump returns and the packet continues down the calling chain, which ends in the default accept. Together with the disabled drops at the end of local-services and public-services this means the configuration as listed runs in log-only mode and blocks nothing, not even sources that the scan rules have already put into blocked-addr. Review the logs, then enable the drop rules; the rule set only does its job once they are on.
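An added model of the chain logic on this page, written for this page and not part of it or of Dmitry's original: it replays a constructed subset of the input, sanity-check, public-services and drop rules over a few constructed probes (sources from the 198.51.100.0/24 documentation range) under the RouterOS semantics stated in the docstring. It serves both the tcp-flags rules in the sanity-check section and the drop chain here: it shows which listing rule FIN+PSH+URG and an empty flag set trigger, and that with the drop rules disabled the very source that was just added to blocked-addr is still accepted, while the same packet is dropped once the drop rules are enabled. Matchers the page uses but the model leaves out (rate limits, psd, address-type and bogon checks, the DHCP and neighbor-discovery rules) are noted in the code.

```python
"""Model how RouterOS walks the page's input / sanity-check / drop chains.

Added example, not code from the wiki page. RULES is a constructed subset of
the page's filter rules (rate limits, psd, address-type/bogon matchers, DHCP
and neighbor discovery are left out). Semantics assumed here, as in RouterOS:
rules are tried in order, disabled rules are skipped, accept/drop end
processing even inside a jumped-to chain, a jumped-to chain that runs out of
rules returns to the caller, and a built-in chain that runs out of rules
accepts the packet. Sources are from the 198.51.100.0/24 documentation range.
"""


def flags_match(spec, flags):
    """RouterOS tcp-flags: listed flags must be set, '!flag' must be clear,
    anything not mentioned is ignored."""
    parts = spec.split(",")
    want = {f for f in parts if not f.startswith("!")}
    forbid = {f[1:] for f in parts if f.startswith("!")}
    return want <= flags and not (forbid & flags)


RULES = [
    # input chain, in the page's order
    dict(chain="input", action="jump", target="sanity-check"),
    dict(chain="input", match=dict(dst_not_local=True), action="jump", target="drop"),
    dict(chain="input", match=dict(protocol="icmp"), action="accept"),
    dict(chain="input", match=dict(in_interface="Local"), action="jump", target="local-services"),
    dict(chain="input", match=dict(in_interface="ISP1_100M_Optic"), action="jump", target="public-services"),
    dict(chain="input", match=dict(in_interface="ISP2_20M_2wireEth"), action="jump", target="public-services"),
    dict(chain="input", action="jump", target="drop"),
    # sanity-check: TCP probe listing, blocked-addr, connection state
    dict(chain="sanity-check", match=dict(protocol="tcp", tcp_flags="fin,psh,urg,!syn,!rst,!ack"),
         action="add-src-to-address-list", comment="Block TCP Xmas scan"),
    dict(chain="sanity-check", match=dict(protocol="tcp", tcp_flags="!fin,!syn,!rst,!psh,!ack,!urg"),
         action="add-src-to-address-list", comment="Block TCP Null scan"),
    dict(chain="sanity-check", match=dict(protocol="tcp", src_blocked=True), action="jump", target="drop"),
    dict(chain="sanity-check", match=dict(protocol="tcp", tcp_flags="rst"), action="jump", target="drop"),
    dict(chain="sanity-check", match=dict(protocol="tcp", tcp_flags="fin,syn"), action="jump", target="drop"),
    dict(chain="sanity-check", match=dict(connection_state="invalid"), action="jump", target="drop"),
    dict(chain="sanity-check", match=dict(connection_state="established"), action="accept"),
    dict(chain="sanity-check", match=dict(connection_state="related"), action="accept"),
    # public-services, with the final drop still disabled as on the page
    dict(chain="public-services", match=dict(protocol="tcp", dst_port=1723), action="accept"),
    dict(chain="public-services", match=dict(protocol="gre"), action="accept"),
    dict(chain="public-services", action="log"),
    dict(chain="public-services", action="drop", disabled=True),
    # drop chain: both rules disabled as on the page
    dict(chain="drop", action="log", disabled=True),
    dict(chain="drop", action="drop", disabled=True),
]


def rule_matches(rule, pkt, blocked):
    m = rule.get("match", {})
    for key in ("in_interface", "protocol", "dst_port", "connection_state"):
        if key in m and pkt.get(key) != m[key]:
            return False
    if "tcp_flags" in m and not flags_match(m["tcp_flags"], pkt["tcp_flags"]):
        return False
    if m.get("src_blocked") and pkt["src"] not in blocked:
        return False
    if m.get("dst_not_local") and pkt["dst_local"]:
        return False
    return True


def run_chain(chain, pkt, rules, state):
    """'accept'/'drop' if a terminating rule fires, else None (chain fell through)."""
    for r in rules:
        if r["chain"] != chain or r.get("disabled") or not rule_matches(r, pkt, state["blocked"]):
            continue
        if r["action"] in ("accept", "drop"):
            return r["action"]
        if r["action"] == "log":
            state["log"].append((chain, pkt["src"]))
        elif r["action"] == "add-src-to-address-list":
            state["blocked"].add(pkt["src"])   # timeout=1d not modelled
        elif r["action"] == "jump":
            verdict_ = run_chain(r["target"], pkt, rules, state)
            if verdict_:
                return verdict_
    return None


def verdict(pkt, rules=RULES, blocked=()):
    """Final fate of a packet entering the input chain, plus the side effects."""
    state = {"blocked": set(blocked), "log": []}
    return run_chain("input", pkt, rules, state) or "accept", state


def enable_drops(rules=RULES):
    """The same rule set after the operator enables every disabled drop rule."""
    return [dict(r, disabled=False) if r["action"] == "drop" else r for r in rules]


def which_probe(flags, rules=RULES):
    """Which tcp-flags listing rule a probe with exactly these flags triggers."""
    for r in rules:
        if r["action"] == "add-src-to-address-list" and flags_match(r["match"]["tcp_flags"], set(flags)):
            return r["comment"]
    return None


def packet(src, flags, dst_port, iface="ISP1_100M_Optic", proto="tcp", cstate="new"):
    return dict(src=src, in_interface=iface, protocol=proto, tcp_flags=set(flags),
                dst_port=dst_port, connection_state=cstate, dst_local=True)


if __name__ == "__main__":
    for name, p in (("xmas probe", packet("198.51.100.7", {"fin", "psh", "urg"}, 22)),
                    ("telnet SYN", packet("198.51.100.9", {"syn"}, 23))):
        print(name, "as listed:", verdict(p)[0], "| drops enabled:", verdict(p, enable_drops())[0])
```

enable_drops() is the only difference between the two columns the script prints, which is the point: the Xmas probe lands in blocked-addr either way, but only with the drop rules enabled does the jump from "src-address-list=blocked-addr" to the drop chain actually end the packet, and only then does the unmatched telnet SYN stop at the end of public-services instead of falling through to the default accept.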
Proxying everything
Dmitry's original marks DNS, HTTP and NTP connections in mangle and redirects on those connection marks. This modification has no protocol classification, so connection-mark=dns/http/ntp would never be set and redirect rules keyed on them would never fire; match on protocol and port instead:
/ ip firewall nat
add chain=dstnat in-interface=Local protocol=udp dst-port=53 action=redirect comment="Transparent DNS Cache"
add chain=dstnat in-interface=Local protocol=tcp dst-port=53 action=redirect comment="Transparent DNS Cache"
add chain=dstnat in-interface=Local protocol=tcp dst-port=80 action=redirect to-ports=3128 comment="Transparent Web Cache"
add chain=dstnat in-interface=Local protocol=udp dst-port=123 action=redirect comment="Transparent proxy for NTP requests"
Enable Proxy servers
/system ntp server set enabled=yes broadcast=no multicast=no manycast=no
/system ntp client set enabled=yes mode=unicast primary-ntp=xxx.xxx.xxx.xxx secondary-ntp=0.0.0.0
/ip proxy set enabled=yes port=3128 maximal-client-connections=5000 maximal-server-connections=5000
/ip dns set primary-dns=yyy.yyy.yyy.yyy secondary-dns=0.0.0.0 allow-remote-requests=yes cache-size=4096KiB cache-max-ttl=1w
Please change:
- xxx.xxx.xxx.xxx to the IP address of the NTP server you choose;
- yyy.yyy.yyy.yyy to the IP address of your ISP's DNS server.
allow-remote-requests=yes makes the router answer DNS queries arriving on any interface, and the web proxy on 3128 listens the same way. What keeps these services private to the Local side is the input filter: local-services accepts 53 and 3128, public-services does not. Since the drop rules above ship disabled, the router is reachable as an open resolver and open proxy from the Internet until you enable them.
Thanks to Dmitry. Thanks to MikroTik Latvia. Modified by NetworkPro
