/ip firewall filter
# Connection-state handling for forwarded traffic. Rules are evaluated top to
# bottom and the first match decides, so the order of these lines matters.
# Only TCP packets in the invalid state are dropped by this rule.
add action=drop chain=forward connection-state=invalid protocol=tcp comment="drop invalid connections"
add action=accept chain=forward connection-state=established comment="allow already established connections"
add action=accept chain=forward connection-state=related comment="allow related connections"
# The original line gave no action; RouterOS defaults to accept, written out here.
# NOTE(review): every new connection leaving through ether1-WAN is accepted at
# this point, so the bogon and per-port drop rules further down never see
# outbound connection attempts - confirm that this is intended.
# NOTE(review): no rule on this page ends chain=forward or chain=input with a
# drop, so traffic that matches nothing is accepted - confirm against the full config.
add action=accept chain=forward connection-state=new out-interface=ether1-WAN comment="Allow all new outbound LAN connections"
# Bogon filtering: drop forwarded packets whose source or destination lies in a
# range that should never show up as a routed address.
#   0.0.0.0/8    "this network"
#   127.0.0.0/8  loopback
#   224.0.0.0/3  224.0.0.0 - 255.255.255.255 (multicast and everything above it)
add action=drop chain=forward src-address=0.0.0.0/8 comment="block bogon ip addresses"
add action=drop chain=forward dst-address=0.0.0.0/8 comment="block bogon ip addresses"
add action=drop chain=forward src-address=127.0.0.0/8 comment="block bogon ip addresses"
add action=drop chain=forward dst-address=127.0.0.0/8 comment="block bogon ip addresses"
add action=drop chain=forward src-address=224.0.0.0/3 comment="block bogon ip addresses"
add action=drop chain=forward dst-address=224.0.0.0/3 comment="block bogon ip addresses"
# Port-scan detection on chain=input, i.e. traffic addressed to the router
# itself (forwarded traffic is not inspected by these rules).
# Each detector adds the packet's source address to the "port scanners" address
# list; the final rule drops everything coming from a listed source.
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
# NOTE(review): entries expire after 2m, except ALL/ALL which uses 30m - the
# difference looks unintentional, confirm the timeout you want.
# NOTE(review): the flag-based checks fire on a single packet whose source
# address is not verified; an accept rule for trusted management addresses
# placed above this block avoids locking yourself out.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m comment="Port scanners to list "
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=30m comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m comment="NMAP NULL scan"
# Must stay below the detectors so the triggering packet is listed first and
# every later packet from that source is dropped.
add chain=input src-address-list="port scanners" action=drop comment="ping port scanners"
# Hand forwarded traffic to one user-defined chain per protocol (tcp, udp, icmp).
# A packet that reaches the end of such a chain without a match returns to
# chain=forward and continues with the rule after the jump.
add action=jump jump-target=tcp chain=forward protocol=tcp comment="make jumps to new chains"
add action=jump jump-target=udp chain=forward protocol=udp comment="make jumps to new chains"
add action=jump jump-target=icmp chain=forward protocol=icmp comment="make jumps to new chains"
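#Create TCP chain and deny some TCP ports in it:
# This chain is reached only through the jump from chain=forward for
# protocol=tcp. It is a denylist: anything not dropped here returns to the
# forward chain.
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
# 111 is the ONC RPC portmapper, 135 the Microsoft RPC endpoint mapper.
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
# Fixed: the rule used dst-port=3133; Back Orifice's default port is 31337.
add chain=tcp protocol=tcp dst-port=31337 action=drop comment="deny BackOriffice"
# NOTE(review): TFTP (69) and DHCP (67-68) run over UDP, so the TCP rules for
# them will rarely match; the udp chain on this page has no rule for 67-68.
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"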
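#Deny UDP ports in UDP chain:
# This chain is reached only through the jump from chain=forward for
# protocol=udp. It is a denylist: anything not dropped here returns to the
# forward chain.
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
# 111 is the ONC RPC portmapper, 135 the Microsoft RPC endpoint mapper.
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
# Fixed: the rule used dst-port=3133; Back Orifice's default port is 31337.
add chain=udp protocol=udp dst-port=31337 action=drop comment="deny BackOriffice"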
# ICMP allowlist for forwarded traffic: icmp-options is written as type:code.
# Listed type/code pairs are accepted; the last rule drops every other ICMP
# packet, so it has to remain the final rule of this chain.
add action=accept chain=icmp protocol=icmp icmp-options=0:0 comment="echo reply"
add action=accept chain=icmp protocol=icmp icmp-options=3:0 comment="net unreachable"
add action=accept chain=icmp protocol=icmp icmp-options=3:1 comment="host unreachable"
# 3:4 carries path-MTU discovery; dropping it breaks connections across links with a smaller MTU.
add action=accept chain=icmp protocol=icmp icmp-options=3:4 comment="host unreachable fragmentation required"
# NOTE(review): source quench (type 4) was deprecated by RFC 6633 - confirm it still needs to be accepted.
add action=accept chain=icmp protocol=icmp icmp-options=4:0 comment="allow source quench"
add action=accept chain=icmp protocol=icmp icmp-options=8:0 comment="allow echo request"
add action=accept chain=icmp protocol=icmp icmp-options=11:0 comment="allow time exceed"
add action=accept chain=icmp protocol=icmp icmp-options=12:0 comment="allow parameter bad"
add action=drop chain=icmp comment="deny all other types"
# Put your users' public IP ranges into the address list LOCAL before relying
# on this rule; the list is not populated anywhere on this page.
/ip firewall mangle
# Packets whose source and destination are both in LOCAL are accepted in
# prerouting, which ends mangle processing for them in that chain.
add chain=prerouting src-address-list=LOCAL dst-address-list=LOCAL action=accept
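# Fixed: these rules followed the "/ip firewall mangle" header, but mangle has
# no drop action and the brute-force rules are filter rules, so the menu is
# switched back to filter here.
/ip firewall filter
#Worm Infected IP
# Drops forwarded SMB (tcp/445) traffic from hosts in Worm-Infected-p445.
# The original listed this rule twice (the second copy without a comment); the
# duplicate could never match and has been removed.
# NOTE(review): nothing on this page populates Worm-Infected-p445, and "add"
# appends after the earlier forward rules, where new outbound connections are
# already accepted and the tcp chain already drops port 445 - confirm the
# intended position (place-before) of this rule.
add action=drop chain=forward comment="INFECTED IP" dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
#FTP brute Force attack
# 1) Drop FTP control connections from clients already in ftp_blacklist.
add action=drop chain=input comment="ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
# 2) Let the router's "530 Login incorrect" replies through while they stay
#    within dst-limit (rate 1 per minute, burst 9, counted per destination
#    address, state expires after 1m).
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
# 3) A reply that exceeds the limit falls through to this rule, which lists the
#    destination (the client that keeps failing to log in) for 3h. Keep this
#    rule directly below the accept above.
# The content match only sees cleartext FTP replies sent by the router itself.
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
#Block Non-IP B/w Usage LAN
# Drops forwarded packets in the invalid connection state that both enter and
# leave through the interface named LAN.
add action=drop chain=forward comment="UNTRACK LAN DROP" connection-state=invalid in-interface=LAN out-interface=LAN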