Home Firewall



# RouterOS firewall export for a home router. Three sections follow:
# connection-tracking timeouts, filter rules (custom chains accept_list,
# known_viruses and bad_people, plus the built-in input, output and forward
# chains), and NAT (masquerade for 192.168.11.0/24 and port forwards to
# 192.168.11.10 on the public address 24.16.119.193).
#
# Reading note: RouterOS accepts a packet that reaches the end of a chain
# without matching any rule, so everything not explicitly dropped below is
# allowed. The forward chain additionally ends in an unconditional accept.

# Connection tracking: short timeouts for transient TCP states (5-10s), one
# day for established TCP, 3m for UDP streams. TCP SYN cookies are disabled
# in this export.
/ip firewall connection tracking 
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s 
/ip firewall filter 
# accept_list: services published on the internal host 192.168.11.10 (HTTP,
# HTTPS, FTP, RDP), entered via the jump from the forward chain further down.
# The RDP rule also requires src-port=3389, which RDP clients generally do not
# use (they pick an ephemeral source port), so most RDP traffic will not match
# here and instead falls through to the final "Allow All" rule of the forward
# chain. No source-address restriction is applied to any of these services.
add action=accept chain=accept_list comment="Forward HTTP to webserver" dst-address=192.168.11.10 dst-port=80 protocol=tcp 
add action=accept chain=accept_list comment="Forward HTTPS to webserver" dst-address=192.168.11.10 dst-port=443 \
    protocol=tcp 
add action=accept chain=accept_list comment="Forward FTP to Server" dst-address=192.168.11.10 dst-port=21 protocol=tcp 
add action=accept chain=accept_list comment="Forward RDP to Server" dst-address=192.168.11.10 dst-port=3389 protocol=tcp \
    src-port=3389 
# known_viruses: drops by destination port only, with no address or interface
# match, so it applies to both directions of forwarded traffic. Legitimate use
# of these ports by LAN hosts is blocked as well (e.g. 995 in the 995-999 range
# is POP3 over TLS). The port list is static and tied to specific historical
# worms; it needs periodic review to stay meaningful.
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" dst-port=135-139 protocol=tcp 
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" dst-port=135-139 protocol=udp 
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=udp 
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=tcp 
add action=drop chain=known_viruses comment="msblast worm" dst-port=593 protocol=tcp 
add action=drop chain=known_viruses comment="msblast worm" dst-port=4444 protocol=tcp 
add action=drop chain=known_viruses comment="WITTY worm" dst-port=4000 protocol=tcp 
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=995-999 protocol=tcp 
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=8998 protocol=tcp 
add action=drop chain=known_viruses comment="beagle worm" dst-port=2745 protocol=tcp 
add action=drop chain=known_viruses comment="beagle worm" dst-port=4751 protocol=tcp 
add action=drop chain=known_viruses comment="SQL Slammer" dst-port=1434 protocol=tcp 
# bad_people: hand-maintained drop list of source addresses. Unlike the timed
# address lists used for ssh/ftp below, these entries never expire, so the list
# goes stale unless it is maintained by hand.
add action=drop chain=bad_people comment="Known Spammer" src-address=81.180.98.3 
add action=drop chain=bad_people comment="Known Spammer" src-address=24.73.97.226 
add action=drop chain=bad_people comment="http://isc.incidents.org/top10.html listed" src-address=67.75.20.112 
add action=drop chain=bad_people src-address=218.104.138.166 
add action=drop chain=bad_people src-address=212.3.250.194 
add action=drop chain=bad_people src-address=203.94.243.191 
add action=drop chain=bad_people src-address=202.101.235.100 
add action=drop chain=bad_people src-address=58.16.228.42 
add action=drop chain=bad_people src-address=58.248.8.2 
add action=drop chain=bad_people src-address=202.99.11.99 
add action=drop chain=bad_people src-address=218.52.237.219 
add action=drop chain=bad_people src-address=222.173.101.157 
add action=drop chain=bad_people src-address=58.242.34.235 
add action=drop chain=bad_people src-address=222.80.184.23 
# WIFI subnet 192.168.22.0/24 is accepted in the forward chain before any of
# the drop rules below, so the invalid/SSH/known_viruses/bad_people checks do
# not apply to its traffic. The nat section below has no srcnat rule for this
# subnet -- confirm whether that is intended.
add action=accept chain=forward comment="Allow WIFI access to ALL" src-address=192.168.22.0/24 
# SSH brute-force protection for the router's own SSH service (chain=input,
# port 22): each new connection promotes the source one stage (1m windows);
# a source that reaches stage3 and connects again is blacklisted for 1w3d and
# dropped by the first rule. The add-src-to-address-list actions pass the
# packet on to later rules, so the order (blacklist, stage3, stage2, stage1)
# is what keeps a single connection from advancing more than one stage.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist 
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3 
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2 
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1 
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp 
# FTP brute-force protection for the router's own FTP service. The two
# chain=output rules match replies the router itself sends, so they do not
# cover the FTP server forwarded to 192.168.11.10 in the nat section. Up to
# the dst-limit burst of "530 Login incorrect" replies per destination is
# accepted; beyond that the destination is added to ftp_blacklist for 3h and
# its further connections to port 21 are dropped on input.
add action=drop chain=input comment="allows only 10 FTP login incorrect answers per minute" dst-port=21 protocol=tcp \
    src-address-list=ftp_blacklist 
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp 
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login \
    incorrect" protocol=tcp 
# Forward chain. Only the drop rules (invalid, SSH, known_viruses, bad_people)
# restrict anything: the final rule accepts all remaining traffic, so the jump
# to accept_list and the established/related accepts above it do not narrow
# what is allowed. The "DELETE" markers in the comments are the author's.
add action=drop chain=forward comment="drop invalid connections DELETE" connection-state=invalid 
# No address match on this rule, so it also blocks outbound SSH from LAN hosts.
add action=drop chain=forward comment="Blocks SSH" dst-port=22 protocol=tcp 
add action=jump chain=forward comment="Known virus ports DELETE" jump-target=known_viruses 
add action=jump chain=forward comment="kill known bad source addresses DELETE" jump-target=bad_people 
add action=jump chain=forward comment="Jump to Accepted List" jump-target=accept_list 
add action=accept chain=forward comment="allow established connections DELETE" connection-state=established 
add action=accept chain=forward comment="allow related connections DELETE" connection-state=related 
add action=accept chain=forward comment="Allow All" 
# NAT: masquerade for the 192.168.11.0/24 LAN, and dstnat forwarding RDP
# (3389), HTTP (80), FTP (21) and HTTPS (443) arriving at 24.16.119.193 to
# 192.168.11.10. Because the forward chain ends in "Allow All" and the dstnat
# rules carry no source restriction, every port forwarded here is reachable
# from any internet address.
/ip firewall nat 
add action=masquerade chain=srcnat src-address=192.168.11.0/24 
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=3389 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=80 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=21 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=443 protocol=tcp to-addresses=192.168.11.10

--Fox15rider 19:48, 21 May 2008 (EEST)