четверг, 11 октября 2018 г.




mikrotik_firewall_filter

/ip firewall filter
# Disabled reject rule: when enabled, forwarded traffic towards addresses in
# "addr-list_block" is answered with ICMP network-unreachable instead of dropped.
add action=reject chain=forward comment="block addr-list_block" disabled=yes \
    dst-address-list=addr-list_block reject-with=icmp-network-unreachable

# New UDP connections from WAN to 500/4500/1701 (IPsec/L2TP) and 53 (DNS) are
# sent through the anti-bruteforce chain unless the source is in hosts.allow.
add action=jump chain=input comment="catch new UDP connections" \
    connection-state=new dst-port=500,4500,1701,53 in-interface-list=WAN \
    jump-target=anti-bruteforce protocol=udp src-address-list=!hosts.allow





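/ip firewall filter
# Filter policy: the input and forward chains accept only what is listed and
# end in an unconditional drop (last two rules). New connections arriving on
# WAN are first sent through the anti-bruteforce chain, which rate-limits them
# per source address and lists persistent offenders in "block-bruteforce".
# Interfaces are referenced both by list (WAN/LAN/VPN) and by name (ether1,
# br0_*); ether1 is presumably the WAN member interface -- confirm against
# /interface list before changing anything that relies on it.

# Disabled reject rule: when enabled, forwarded traffic towards addresses in
# "addr-list_block" is answered with ICMP network-unreachable instead of dropped.
add action=reject chain=forward comment="block addr-list_block" disabled=yes \
    dst-address-list=addr-list_block reject-with=icmp-network-unreachable

# Drop input from addresses the anti-bruteforce chain has already listed.
# add-src-to-address-list is not a terminating action: without this rule a
# listed source still falls through to the accept rules further down (PPTP,
# GRE, L2TP/IPsec). If /ip firewall raw already drops this list, this rule is
# redundant but harmless.
add action=drop chain=input comment="drop sources listed by anti-bruteforce" \
    in-interface-list=WAN src-address-list=block-bruteforce

# New UDP connections from WAN to 500/4500/1701 (IPsec/L2TP) and 53 (DNS) are
# rate-limited unless the source is in hosts.allow.
add action=jump chain=input comment="catch new UDP connections" \
    connection-state=new dst-port=500,4500,1701,53 in-interface-list=WAN \
    jump-target=anti-bruteforce protocol=udp src-address-list=!hosts.allow

# Same for new TCP connections to 1723/22/3389/8291/53. src-address-list=
# !hosts.allow was added so trusted hosts are exempted here exactly as in the
# UDP rule above and the catch-all below (the original omitted it only here).
add action=jump chain=input comment="catch new TCP1723 connections" \
    connection-state=new dst-port=1723,22,3389,8291,53 in-interface-list=WAN \
    jump-target=anti-bruteforce protocol=tcp src-address-list=!hosts.allow

# Catch-all: every other not-yet-established input from WAN, excluding
# hosts.allow, also goes through anti-bruteforce. connection-nat-state is
# negated -- confirm it excludes both srcnat and dstnat connections as intended.
add action=jump chain=input comment="all input jump to anti-bruteforce chain" \
    connection-nat-state=!srcnat,dstnat connection-state=!established,related \
    in-interface-list=WAN jump-target=anti-bruteforce src-address-list=\
    !hosts.allow

# anti-bruteforce chain. dst-limit=4/1m,1,src-address/1m40s returns (allows)
# up to 4 new connections per minute with burst 1, tracked per source address;
# the limiter entry expires after 1m40s. Anything beyond the limit falls to the
# next rule.
add action=return chain=anti-bruteforce comment=\
    "return (allow) some catched connections back to main firewall flow" \
    dst-limit=4/1m,1,src-address/1m40s

# Offenders are listed for one day. The packet itself then leaves this chain
# and continues in the calling chain, which is why the drop rule at the top of
# input is needed.
add action=add-src-to-address-list address-list=block-bruteforce \
    address-list-timeout=1d chain=anti-bruteforce

# passthrough only updates counters: these two rules account for SSH traffic
# to/from 192.168.42.164 and make no accept/drop decision.
add action=passthrough chain=forward dst-address=192.168.42.164 dst-port=22 \
    in-interface=ether1 out-interface=br0_lan_wlan protocol=tcp

add action=passthrough chain=forward in-interface=br0_lan_wlan out-interface=\
    ether1 protocol=tcp src-address=192.168.42.164 src-port=22

# Inbound torrent port to the desktop; not restricted by in-interface.
add action=accept chain=forward comment=torrent@desktop dst-address=\
    192.168.42.250 dst-port=14241 protocol=tcp

# LAN -> WAN: anything out; WAN -> LAN only replies to existing connections.
add action=accept chain=forward comment="LAN => WAN" in-interface-list=LAN \
    out-interface-list=WAN

add action=accept chain=forward comment="LAN <= WAN est;rel" \
    connection-state=established,related in-interface-list=WAN \
    out-interface-list=LAN

# Router itself: replies from WAN, anything from LAN.
add action=accept chain=input comment="mktk <- WAN est;rel" connection-state=\
    established,related in-interface-list=WAN

add action=accept chain=input comment="mktk <- LAN" in-interface-list=LAN

# VPN interface list: full access to LAN, to the router, and between VPN peers.
add action=accept chain=forward comment="LAN <= VPN" in-interface-list=VPN \
    out-interface-list=LAN

add action=accept chain=input comment="mktk <- VPN" in-interface-list=VPN

add action=accept chain=forward comment="LAN => VPN" in-interface-list=LAN \
    out-interface-list=VPN

add action=accept chain=forward comment="VPN <=> VPN" in-interface-list=VPN \
    out-interface-list=VPN

# Forwarded services on 192.168.42.164 (HTTP/S, FTP control+data, SSH) from
# ether1. Note: the anti-bruteforce jumps exist only in the input chain, so
# forwarded SSH/FTP here is not rate-limited by this filter; FTP (20/21 and the
# passive range) is cleartext.
add action=accept chain=forward comment=nextcloud dst-address=192.168.42.164 \
    dst-port=80,443,20,21,22 in-interface=ether1 protocol=tcp

add action=accept chain=forward comment="nextcloud passive FTP" dst-address=\
    192.168.42.164 dst-port=31000-31100 in-interface=ether1 protocol=tcp

# Needed so hairpin-NATed LAN-to-LAN traffic is not dropped by the final rule.
add action=accept chain=forward comment="LAN <=> LAN (for hairpin)" \
    in-interface-list=LAN out-interface-list=LAN

# Guest WiFi bridge: currently disabled in both directions.
add action=accept chain=forward comment="freeWiFi => WAN" disabled=yes \
    in-interface=br1_free-wifi out-interface-list=WAN

add action=accept chain=forward comment="free WiFi <= WAN" disabled=yes \
    in-interface-list=WAN out-interface=br1_free-wifi

# I2P port on 192.168.142.253, TCP and UDP; no in-interface restriction.
add action=accept chain=forward comment="i2p <= WAN (tcp)" dst-address=\
    192.168.142.253 dst-port=15084 protocol=tcp

add action=accept chain=forward comment="i2p <= WAN (udp)" dst-address=\
    192.168.142.253 dst-port=15084 protocol=udp

# vlan100 segment: may be reached from LAN and may reach ether1; traffic into
# vlan100 is limited to replies.
add action=accept chain=forward comment="LAN <= vlan100 est;rel" \
    connection-state=established,related in-interface=br0_vlan100 \
    out-interface=br0_lan_wlan

add action=accept chain=forward comment="LAN => vlan100" in-interface=\
    br0_lan_wlan out-interface=br0_vlan100

add action=accept chain=forward comment="vlan100 => ether1" in-interface=\
    br0_vlan100 out-interface=ether1

add action=accept chain=forward comment="vlan100 <= ether1 est;rel" \
    connection-state=established,related in-interface=ether1 out-interface=\
    br0_vlan100

# VPN servers on the router: PPTP (TCP 1723 + GRE) and L2TP/IPsec (UDP
# 1701/500/4500). New connections here have already passed the
# anti-bruteforce jumps above.
add action=accept chain=input comment="mktk <- PPTP (server)" dst-port=1723 \
    in-interface=ether1 protocol=tcp

add action=accept chain=input comment="mktk <- pptp (server@gre)" \
    in-interface=ether1 protocol=gre

add action=accept chain=input comment="allow L2TP/ipsec input (from mobile)" \
    dst-port=1701,500,4500 in-interface=ether1 protocol=udp

# Tunnel broker keepalive; the only ICMP accepted from outside the LAN/VPN
# lists (ICMP errors for existing flows still match est;rel above).
add action=accept chain=input comment=\
    "input ICMP from HE.NET for 6-to-4 tunnel" protocol=icmp src-address=\
    66.220.2.74

# Bandwidth-test server, disabled.
add action=accept chain=input comment="mktk <- ether1   BTest-server TCP" \
    disabled=yes dst-port=2000 in-interface=ether1 protocol=tcp

add action=accept chain=input comment="mktk <- BTest-server UDP2000" \
    disabled=yes dst-port=2000 in-interface=ether1 protocol=udp

# Default deny. For incident review consider log=yes log-prefix="fw-drop " on
# these two rules (or on a preceding copy limited to connection-state=new);
# left off here because it is noisy on a WAN-facing router.
add action=drop chain=forward

add action=drop chain=input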
