Mikrotik ISP Grade Firewall

From MikroTik Wiki

This page shows how to set up an ISP-grade firewall on a MikroTik router. The input and output chains protect the router itself; the later sections add rules for the traffic your customers send through it (port scanners, ICMP abuse, SMTP spammers and worm ports). I have been using this for the last 1.5 years and it is working superbly for me.

General Input and Output Rules

Input:

In the input chain I first accept established and related connections, then accept traffic from the internal network addresses (MyLan) that are allowed to manage the router.

Input --- established --- Accept
Input --- related --- Accept
Input --- MyLan --- Accept

Then everything else arriving at the router from the WAN is dropped. Rule order matters: RouterOS evaluates filter rules top to bottom and stops at the first rule with a terminating action such as accept or drop, so this drop must be the last rule in the chain, and the MyLan accept should cover only the hosts that genuinely need to manage the router. Apply the change from Winbox Safe Mode or a local session so that a mistake in this rule cannot lock you out.

Input --- WAN --- Block

The screenshot below shows the resulting rules.

Input.JPG


Output:

In the output chain I again accept established and related connections, and additionally ICMP echo requests (type 8, code 0) so that the router itself can ping out.

Output --- established --- Accept
Output --- related --- Accept
Output --- icmp --- icmp type 8 (echo request), code 0 --- Accept

Then all other output from the router to the WAN is dropped. Note that this also blocks new connections the router originates itself, such as DNS lookups, NTP and package downloads; if you rely on those, accept them explicitly before the final drop.

The screenshot below shows the resulting rules.

Output.JPG
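The same two chains in RouterOS CLI form, as an added example (not a transcript of the screenshots above). It assumes RouterOS 6, that the upstream link is ether1, that the management hosts live in an address list named MyLan (the page shows MyLan only as a rule label, so the list and the 192.168.88.0/24 range are assumptions), and that "Block" means action=drop:

```routeros
# Added example, not the page's own screenshots. Assumptions: WAN is ether1,
# management hosts are in address list MyLan, RouterOS 6 syntax.
/ip firewall address-list
add list=MyLan address=192.168.88.0/24 comment="hosts allowed to manage the router (assumed range)"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input connection-state=established action=accept comment="Input: established"
add chain=input connection-state=related action=accept comment="Input: related"
add chain=input src-address-list=MyLan action=accept comment="Input: management from LAN"
# Must stay the last input rule: later rules are never reached once this matches
add chain=input in-interface=ether1 action=drop comment="Input: drop everything else from WAN"

# --- output chain: traffic originated by the router ---
add chain=output connection-state=established action=accept comment="Output: established"
add chain=output connection-state=related action=accept comment="Output: related"
add chain=output protocol=icmp icmp-options=8:0 action=accept comment="Output: allow the router to ping"
# Optional, disabled by default: enable if the router must resolve names or sync time itself.
# They sit before the drop so they take effect as soon as they are enabled.
add chain=output protocol=udp dst-port=53,123 action=accept disabled=yes comment="Output: router DNS/NTP"
add chain=output out-interface=ether1 action=drop comment="Output: drop all other new traffic to WAN"
```

The `add` commands append in order, so pasting this into a terminal reproduces the rule order shown in the page's screenshots. Rules added later (for example the detection rules in the following sections) land below the two drop rules and must be moved above them with `/ip firewall filter move`, otherwise they never match.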


Detect and Block Port Scanners

Here are the rules needed to detect port scanners and put their source addresses on an address list.

Port-scanner.JPG

And here is how to create them, one screenshot per rule.

1. Port-scanner-1.JPG
2. Port-scanner-2.JPG
3. Port-scanner-3.JPG
4. Port-scanner-4.JPG

And then finally drop everything from the sources that landed on the list.

Port-scanner-5.JPG
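The detect-then-drop pattern in CLI form, as an added example that is not a transcript of the four screenshots above. It pairs the `psd` rate matcher with the TCP-flag combinations that never occur in legitimate traffic, as commonly done on the MikroTik wiki, so it has more detection rules than the page shows; the address-list name "port scanners" and the two-week timeout are assumptions:

```routeros
# Added example, not the page's own rules. Assumptions: list name "port scanners",
# 2-week timeout, protecting the router (chain=input). For customer-facing
# protection use chain=forward instead.
/ip firewall filter
# Rate-based detection. psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight:
# a source that accumulates weight 21 within 3 s (low ports count 3, high ports 1) is listed.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="PSD: many ports in a short time"
# Flag-combination detection. add-src-to-address-list is non-terminating, so the
# packet continues down the chain after being recorded.
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="NMAP FIN stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
# Finally drop anything from a listed source
add chain=input src-address-list="port scanners" action=drop comment="drop port scanners"
```

Two placement notes. The detection rules must sit above the chain's final WAN drop, otherwise a scanner probing closed ports is discarded before it is ever recorded. The drop rule is best moved to the very top of the input chain so that a listed host loses even its already-established sessions instead of being kept alive by the established/related accepts. Expect some false positives from hosts behind a large NAT and from legitimate monitoring scanners; the two-week timeout is generous, so start shorter and watch the list.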


Block Ping of Death and Allow Small Ping and Traceroute

Here are the rules needed to drop oversized or flooding ICMP (ping of death) while still allowing small pings and traceroute.

Pod.JPG

And here is how to create them, one screenshot per rule.

1. Pod-1.JPG
2. Pod-2.JPG
3. Pod-3.JPG

And then finally drop all remaining ICMP.

Pod-4.JPG
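One way to write the ICMP rules, added here as an example and not copied from the screenshots. It assumes RouterOS 6 `limit` syntax, a 300-byte cap for "small" pings and a rate of 5 per second; the fragmentation-needed rule goes beyond what the page describes but is needed so that path-MTU discovery keeps working:

```routeros
# Added example, not the page's own rules. Assumptions: RouterOS 6 limit syntax
# (rate,burst:mode), "small" means at most 300 bytes, 5 echo requests per second.
/ip firewall filter
# Small, rate-limited echo requests are accepted; anything larger or faster is dropped
add chain=input protocol=icmp icmp-options=8:0 packet-size=0-300 limit=5,5:packet action=accept \
    comment="allow small pings, max 5/s, burst 5"
add chain=input protocol=icmp icmp-options=8:0 action=drop \
    comment="drop oversized or excessive echo requests (ping of death / ping flood)"
# Replies and errors that ping and traceroute depend on
add chain=input protocol=icmp icmp-options=0:0 limit=5,5:packet action=accept comment="echo reply"
add chain=input protocol=icmp icmp-options=11:0 action=accept comment="time exceeded (traceroute hops)"
add chain=input protocol=icmp icmp-options=3:3 action=accept comment="port unreachable (UDP traceroute end)"
# Not in the page's rules: without this, path-MTU discovery to the router breaks
add chain=input protocol=icmp icmp-options=3:4 action=accept comment="fragmentation needed (PMTUD)"
# Everything else ICMP is dropped
add chain=input protocol=icmp action=drop comment="drop all other ICMP"
```

The size cap catches a classic oversized ping because connection tracking reassembles fragments before the filter sees them; the rate limit handles plain floods from a single source. A normal IPv4 ping is 84 bytes on the wire, so 300 leaves room for the larger payloads some monitoring tools use while still rejecting jumbo requests. These rules protect the router (input chain); the same set in the forward chain would do the same for customer hosts.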


Detect and Block SMTP Virus Spammers

Here are the rules used to detect customer hosts that send mail like a spam bot (too many parallel SMTP connections) and to block them.

Smtp-spammer.JPG

And here is how to create the detection rule.

1. Smtp-spammer-1.JPG

And then finally drop SMTP traffic from the listed sources.

Smtp-spammer-2.JPG


Block Invalid Packets and Virus Ports

Here we simply drop packets that connection tracking marks as invalid, and drop connections to ports used by well-known worms and backdoors.

Virus.JPG
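An added example covering both the SMTP spammer section above and this one; these are not the page's own rules. It assumes customer traffic traverses the forward chain, an address list named "spammer", a threshold of 30 concurrent SMTP connections per source address with a one-day listing, and uses a subset of the worm-port list that circulates on the MikroTik wiki:

```routeros
# Added example, not the page's own rules. Assumptions: customers are behind the
# forward chain, list name "spammer", 30 connections per /32 source, 1-day timeout.
/ip firewall filter
# --- SMTP spammer detection ---
# Drop listed sources first so a listed host cannot keep sending while listed
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=drop \
    comment="drop listed SMTP spammers / infected hosts"
# A single source IP holding more than 30 concurrent SMTP connections is listed for one day.
# connection-limit=count,netmask: the count is per /32 source address.
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 action=add-src-to-address-list \
    address-list=spammer address-list-timeout=1d comment="detect SMTP spammers (bot-like fan-out)"

# --- invalid packets ---
add chain=forward connection-state=invalid action=drop comment="drop invalid (forward)"
add chain=input connection-state=invalid action=drop comment="drop invalid (input)"

# --- worm / backdoor ports in a separate chain, jumped to from forward ---
add chain=forward action=jump jump-target=virus comment="check worm ports"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="NetBIOS / MS-RPC (Blaster-era worms)"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="NetBIOS / MS-RPC over UDP"
add chain=virus protocol=tcp dst-port=445 action=drop comment="SMB (Sasser, Blaster)"
add chain=virus protocol=udp dst-port=445 action=drop comment="SMB over UDP"
add chain=virus protocol=tcp dst-port=593 action=drop comment="RPC over HTTP"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="MS-SQL"
add chain=virus protocol=udp dst-port=1434 action=drop comment="MS-SQL resolution (Slammer)"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Blaster backdoor"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Sasser FTP backdoor"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="NetBus"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="SubSeven"
add chain=virus action=return comment="back to forward chain"
```

Three caveats before deploying this on customer traffic. Dropping invalid packets in the forward chain breaks asymmetric routing, where the router sees only one direction of a flow. Customers who legitimately run mail servers will trip the SMTP threshold and need an exemption (an accept for their addresses placed above the detection rule). The worm-port list dates from the Blaster/Sasser era; blocking 135-139 and 445 also stops legitimate SMB between sites without a VPN, so review it against what your customers actually use rather than copying it verbatim.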

In the end your firewall will look something like this.

General.JPG