Ip Firewall Filter

add chain=input action=accept comment="CHEQUEAR LINEA A LINEA FALLA WEB-PROXY" disabled=yes
add chain=forward action=accept comment="" disabled=yes
add chain=forward protocol=tcp tcp-flags=syn,rst tcp-mss=1400-1536 action=accept comment="Disminuye MMS MTU menos cabeceras IP y TCP" disabled=yes
add chain=forward action=jump jump-target=drop-p2p comment="Drop P2P " disabled=no
add chain=input action=jump jump-target=drop comment="Dropping IP no permitidas " disabled=no
add chain=forward action=jump jump-target=drop comment="Dropping NetBios" disabled=no
add chain=forward action=jump jump-target=virus comment="jump y drop to VIRUS chain" disabled=no
add chain=forward in-interface=Local out-interface=Local action=accept comment="Allow traffic between wired and wireless networks" disabled=no
add chain=forward action=jump jump-target=drop comment="Dropping IP no permitidas por DML" disabled=no
add chain=forward action=jump jump-target=Limit-Conn comment="Limito conexiones TCP" disabled=no
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check" disabled=no
add chain=forward protocol=tcp action=jump jump-target=restrict-tcp comment="-------- Restric TCP" disabled=no
add chain=forward protocol=udp action=jump jump-target=restrict-udp comment="-------- Restric UDP" disabled=no
add chain=forward action=jump jump-target=restrict-ip comment="" disabled=no
add chain=restrict-tcp connection-mark=auth action=reject reject-with=icmp-network-unreachable comment="" disabled=no
add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy" disabled=no
add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp address-list-timeout=0s comment="" disabled=no
add chain=smtp-first-drop src-address-list=approved-smtp action=return comment="" disabled=no
add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp address-list-timeout=0s comment="" disabled=no
add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable comment="" disabled=no
add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop comment="" disabled=no
add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop comment="" disabled=no
add chain=restrict-ip connection-mark=other action=jump jump-target=drop comment="" disabled=no
add chain=input action=jump jump-target=drop comment="Dropping NetBios" disabled=no
add chain=input action=jump jump-target=Limit-Conn comment="Limito conexiones TCP" disabled=no
add chain=input action=jump jump-target=drop-p2p comment="Drop P2P " disabled=no
add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic \(between router applications\)" disabled=no
add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks" disabled=no
add chain=input action=jump jump-target=sanity-check comment="Sanity Check" disabled=no
add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router itself, including all broadcast traffic" disabled=no
add chain=input in-interface=Local action=jump jump-target=local-services comment="Allowing some services to be accessible from the local network" disabled=no
add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet" disabled=no
add chain=input connection-mark=ping limit=5,5 action=accept comment="Alllow pings, but at a very limited rate \(5 per sec\)" disabled=no
add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept comment="" disabled=no
add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept comment="" disabled=no
add chain=dhcp dst-address-type=local src-address-list=local-addr action=accept comment="" disabled=no
add chain=local-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)" disabled=no
add chain=local-services connection-mark=dns action=accept comment="DNS" disabled=no
add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy \(3128/TCP\)" disabled=no
add chain=local-services connection-mark=winbox action=accept comment="Winbox \(8291/TCP\)" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=Limit-Conn src-address=192.168.0.0/24 protocol=tcp connection-limit=80,32 action=drop comment="Limitar a 80 las conexiones por clientes GRAL" disabled=no
add chain=drop-p2p protocol=tcp tcp-flags=syn p2p=warez connection-limit=10,32 action=drop comment="Limito a 20 conexiones TCP el P2P" disabled=no
add chain=drop-p2p src-address=192.168.0.0/24 p2p=all-p2p action=drop comment="Dropear las 24hs." disabled=no
add chain=drop protocol=tcp connection-mark=netbios action=drop comment="Drop NetBios" disabled=no
add chain=drop protocol=udp connection-mark=netbios action=drop comment="" disabled=no
add chain=drop action=drop comment="MAC que rompio las bolas" disabled=yes
add chain=drop src-address-list=Bloqueo_IPs_no_usados action=drop comment="Bloqueo de IPs no usadas" disabled=no
add chain=drop src-address-list=blocked-addr action=drop comment="dropping port scanners -- Esto viene de Sanity Check" disabled=no
add chain=public-services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no
add chain=public-services protocol=tcp dst-port=20-21 action=accept comment="FTP \(20-21/TCP\)" disabled=no
add chain=public-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)" disabled=no
add chain=public-services connection-mark=telnet action=accept comment="TELNET \(23/TCP\)" disabled=no
add chain=public-services connection-mark=http action=accept comment="HTTP,WEBBOX \(80/TCP\)" disabled=no
add chain=public-services connection-mark=winbox action=accept comment="Winbox \(8291/TCP\)" disabled=no
add chain=public-services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox " disabled=yes
add chain=public-services src-address=159.148.172.205 protocol=tcp dst-port=7828 action=accept comment="..." disabled=yes
add chain=public-services connection-mark=Radmin action=accept comment="RADMIN Bandwidth server \(TCP/4899\)" disabled=no
add chain=public-services protocol=udp dst-port=5678 action=accept comment=" MT Discovery Protocol" disabled=yes
add chain=public-services connection-mark=l2tp action=accept comment="L2TP \(1701/TCP\)" disabled=no
add chain=public-services connection-mark=pptp action=accept comment="PPTP \(1723/TCP\)" disabled=no
add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP and EoIP" disabled=no
add chain=public-services protocol=ipencap action=accept comment="allow IPIP" disabled=no
add chain=public-services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=yes
add chain=public-services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=yes
add chain=public-services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=yes
add chain=public-services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=yes
add chain=public-services protocol=tcp dst-port=123 action=accept comment="allow NTP" disabled=yes
add chain=public-services protocol=tcp dst-port=161 action=accept comment="allow SNMP" disabled=yes
add chain=public-services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=yes
add chain=public-services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=yes
add chain=public-services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=yes
add chain=public-services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=no
add chain=public-services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=no
add chain=public-services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes
add chain=public-services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=yes
add chain=public-services protocol=ospf action=accept comment="allow OSPF" disabled=yes
add chain=public-services protocol=udp dst-port=5000-5100 action=accept comment="allow BGP" disabled=yes
add chain=public-services protocol=tcp dst-port=1720 action=accept comment="allow Telephony" disabled=yes
add chain=public-services protocol=udp dst-port=1719 action=accept comment="allow Telephony" disabled=yes
add chain=public-services protocol=vrrp action=accept comment="allow VRRP " disabled=yes
add chain=drop src-address=10.10.102.200-10.10.102.254 protocol=tcp time=0s-23h59m,fri,thu,wed,tue,mon action=drop comment="SABADO Y DOMINGO" disabled=yes
add chain=drop src-address=10.10.101.100-10.10.101.254 protocol=tcp time=7h30m-20h59m,sat,fri,thu,wed,tue,mon,sun action=drop comment="NOCHE" disabled=yes
add chain=drop src-address=10.10.228.100-10.10.228.254 protocol=tcp time=6h-23h30m,sat,fri,thu,wed,tue,mon,sun action=drop comment="" disabled=yes
add chain=drop src-address=10.10.100.100-10.10.100.199 protocol=tcp time=0s-6h59m,sat,fri,thu,wed,tue,mon,sun action=drop comment="MANANA" disabled=yes
add chain=drop src-address=10.10.100.100-10.10.100.199 protocol=tcp time=11h1m-23h59m,sat,fri,thu,wed,tue,mon,sun action=drop comment="" disabled=yes
add chain=drop src-address=10.10.100.200-10.10.100.254 protocol=tcp time=0s-16h59m,sat,fri,thu,wed,tue,mon,sun action=drop comment="TARDE" disabled=yes
add chain=drop src-address=10.10.100.200-10.10.100.254 protocol=tcp time=21h-23h59m,sat,fri,thu,wed,tue,mon,sun action=drop comment="" disabled=yes
add chain=drop connection-state=invalid action=drop comment="Dropear conexiones invalidas" disabled=no
add chain=drop dst-address-type=broadcast,multicast action=drop comment="Bloqueo todo el Multicast y Broadcast" disabled=no
add chain=drop dst-address-list=illegal-addr action=drop comment="Bloqueo todo lo que este en Ilegal Address" disabled=no
add chain=drop protocol=tcp tcp-flags=rst action=drop comment="Drop TCP RST" disabled=yes
add chain=drop dst-address-type=!local action=drop comment="Dropeo todo los paquetes que no van destinados hacia el router inclusive el trafico Broadcast " disabled=yes
add chain=local-services connection-mark=Radmin action=accept comment="RADMIN Bandwidth server \(TCP/4899\)" disabled=no
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal" disabled=no
add chain=sanity-check protocol=tcp connection-limit=3,32 src-address-list=blocked-addr action=tarpit comment="Detectar DoS Service" disabled=yes
add chain=sanity-check protocol=tcp connection-limit=20,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=5s comment="" disabled=yes
add chain=sanity-check protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=3s comment="Block port scans" disabled=yes
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=10s comment="Block TCP Null scan" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=10s comment="Block TCP Xmas scan" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=10s comment="NMAP FIN Stealth scan" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=blocked-addr address-list-timeout=10s comment="Drop TCP SYN + RST" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=blocked-addr address-list-timeout=10s comment="Drop TCP FIN+SYN" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=10s comment="ALL/ALL scan" disabled=no
add chain=sanity-check src-address-list=blocked-addr action=jump jump-target=drop comment="Drop diferentes metodos de Port Scanners" disabled=no
add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once" disabled=no
add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections" disabled=no
add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections" disabled=no
add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes to multicast or broadcast addresses" disabled=no
add chain=sanity-check in-interface=Local dst-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal destination addresses" disabled=no
add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address" disabled=no
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop comment="" disabled=no
add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal source addresses" disabled=no
add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from public interface but not to local address" disabled=no
add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes from multicast or broadcast addresses" disabled=no
add chain=drop src-mac-address=00:11:3B:02:52:19 action=drop comment="" disabled=yes
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Gaobot" disabled=no
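A small lint for this kind of RouterOS filter export, added here as an example; it is not part of the page and is not MikroTik's own tooling. It joins the backslash line continuations the export format uses, parses each `add` line into key/value pairs (quoted comments with escaped parentheses included), and reports three things a reviewer of a hand-maintained rule set wants to know: an enabled jump to a chain that has no rules (RouterOS accepts any name as a jump target, and a jump into an empty chain simply returns, so the rules that were meant to run never do), a user chain that no enabled rule jumps to, and rules shadowed by an earlier unconditional accept/drop/reject/return in the same chain. The export embedded below is constructed for the example and deliberately contains a chain-name mismatch of the kind that is easy to make in an export like this one (a jump to `smtp-first-reject` while the rules live in `smtp-first-drop`); the lint function names and the finding labels are this example's own.

```python
"""Lint a RouterOS '/ip firewall filter' export for dead jumps,
unreachable user chains and shadowed rules.  Added example, not the
page's configuration; the sample export below is constructed."""
import re

BUILTIN_CHAINS = {"input", "forward", "output"}
# Actions that end processing of the current chain for a matching packet.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit", "return"}
# Keys that describe what a rule does, not what it matches.
NON_MATCHERS = {"chain", "action", "comment", "disabled", "jump-target",
                "reject-with", "address-list", "address-list-timeout",
                "log", "log-prefix"}

# key=value where value is either a quoted string (with backslash escapes)
# or a run of non-whitespace characters.
_TOKEN = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample export (not the page's rule set).
SAMPLE_EXPORT = r'''
# constructed sample
/ip firewall filter
add chain=forward protocol=tcp action=jump jump-target=restrict-tcp \
    comment="Restrict TCP" disabled=no
add chain=restrict-tcp connection-mark=smtp action=jump \
    jump-target=smtp-first-reject comment="anti-spam policy" disabled=no
add chain=smtp-first-drop src-address-list=approved-smtp action=return \
    comment="" disabled=no
add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable \
    comment="" disabled=no
add chain=input action=accept comment="Allow \(temporary\)" disabled=no
add chain=input connection-state=invalid action=drop comment="" disabled=no
'''


def join_continuations(text):
    """Glue lines ending in a backslash, the way export wraps long rules."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_export(text):
    """Return the 'add' rules as a list of dicts, in export order."""
    rules = []
    for line in join_continuations(text):
        line = line.strip()
        if not line.startswith("add "):
            continue  # section header, '#' comment or blank line
        rule = {}
        for key, val in _TOKEN.findall(line):
            if val.startswith('"'):
                val = val[1:-1].replace("\\(", "(").replace("\\)", ")")
            rule[key] = val
        rules.append(rule)
    return rules


def lint(rules):
    """Return a list of (kind, detail) findings; empty means clean."""
    findings = []
    enabled = [r for r in rules if r.get("disabled") != "yes"]
    defined = {r["chain"] for r in rules}
    jumps = {r["jump-target"] for r in enabled if r.get("action") == "jump"}

    for i, r in enumerate(rules):
        if (r.get("action") == "jump" and r.get("disabled") != "yes"
                and r["jump-target"] not in defined):
            findings.append(("jump-to-empty-chain",
                             f"rule {i}: chain={r['chain']} jumps to "
                             f"{r['jump-target']!r}, which has no rules"))
    for chain in sorted(defined - BUILTIN_CHAINS - jumps):
        findings.append(("unreachable-chain",
                         f"chain {chain!r} is never jumped to by an enabled rule"))

    # A rule after an enabled, matcher-less terminal rule can never match.
    blocked = {}
    for i, r in enumerate(rules):
        if r.get("disabled") == "yes":
            continue
        chain = r["chain"]
        if chain in blocked:
            findings.append(("shadowed-rule",
                             f"rule {i} in chain {chain!r} can never match: "
                             f"rule {blocked[chain]} terminates every packet"))
            continue
        if not (set(r) - NON_MATCHERS) and r.get("action") in TERMINAL_ACTIONS:
            blocked[chain] = i
    return findings


def lint_text(text):
    return lint(parse_export(text))


if __name__ == "__main__":
    for kind, detail in lint_text(SAMPLE_EXPORT):
        print(f"[{kind}] {detail}")
```

Run against a real `/export` of the filter section, the same three checks apply unchanged; chains that exist only through a `jump-target` spelling are the ones that silently turn a reject policy into a pass-through.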