Basic universal firewall script: Difference between revisions
Latest revision as of 08:56, 27 February 2020
This is a basic firewall that can be applied to any Router.
This script has basic rules to protect your router and avoid some unnecessary forwarded traffic. Pay attention to all the comments before applying each DROP rule.
HANDS ON! First we need to create our ADDRESS LIST with all the IPs we will use most often.
Below you need to replace x.x.x.x/x with your technical subnet. This subnet will have full access to the router.
/ip firewall address-list add address=x.x.x.x/x disabled=no list=support
Below we have the bogon list.
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
Now we have protection against SYN flood, ICMP flood, port scans, email spam and more. For more information, read the comments on each rule.
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" disabled=no icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
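RouterOS walks a chain top-down and the first matching rule decides, so the order of the input rules above is what determines whether the final "Drop anything else" rule locks you out. The following is an added example, not part of the wiki script: a small Python simulator that parses a constructed subset of these input rules (both "DO NOT ENABLE" rules shown enabled, as after review) and walks sample packets through them, assuming 192.0.2.0/24 as the support subnet in place of x.x.x.x/x.

```python
import ipaddress
import shlex

# Constructed subset of the page's input-chain rules, in page order, with both "DO NOT ENABLE" rules set to disabled=no.
RULES = """
add action=drop chain=input comment="Block winbox except support list" disabled=no dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept to established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else!" disabled=no
"""
# Assumed technical subnet standing in for the page's x.x.x.x/x placeholder.
ADDRESS_LISTS = {"support": [ipaddress.ip_network("192.0.2.0/24")]}

def parse_rules(text):
    """Turn each `add k=v ...` line into a dict; shlex keeps quoted comments whole."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines() if line.startswith("add ")]

def in_list(name, ip):
    # Address-list matcher; a leading '!' negates, as in src-address-list=!support.
    return any(ip in net for net in ADDRESS_LISTS[name.lstrip("!")]) != name.startswith("!")

def matches(rule, pkt):
    if rule["chain"] != pkt["chain"] or rule.get("disabled") == "yes":
        return False
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    if "dst-port" in rule and int(rule["dst-port"]) != pkt["dport"]:
        return False
    # RouterOS `port=` matches the source OR destination port, so the DNS rule also admits any UDP packet sent from port 53.
    if "port" in rule and int(rule["port"]) not in (pkt["sport"], pkt["dport"]):
        return False
    if "connection-state" in rule and rule["connection-state"] != pkt["state"]:
        return False
    if "src-address-list" in rule and not in_list(rule["src-address-list"], pkt["src"]):
        return False
    return True

def first_match(rules, pkt):
    # Walk the chain top-down like RouterOS: the first matching rule decides.
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched (chain default)"

def packet(src, proto, dport, sport=40000, state="new"):
    # Constructed packet summary: only the fields the rules above look at.
    return {"chain": "input", "src": ipaddress.ip_address(src), "proto": proto,
            "dport": dport, "sport": sport, "state": state}
```

Running `first_match(parse_rules(RULES), packet("198.51.100.7", "udp", 33434, sport=53))` returns an accept from the DNS rule even though the packet is not a query to the router, because `port=53` matches either endpoint; `dst-port=53` would restrict that rule to traffic addressed to the router's resolver.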
I think this is basic. You can add or remove anything else according to your needs. I hope it helps!
By Guilherme Ramires