Loading A Firewall
Next up is loading a firewall. Right now your router is secured against access by passwords, but passwords are one layer of security, not the only layer. This script is based on the firewall used on the MT demo router but has a few changes: it only protects the router itself and contains no 'forward' firewall rules.
/ip firewall filter
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s comment="" disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=safe address-list-timeout=15m comment="" disabled=no
These rules set up port knocking; they implement the example we used above and add the knocking IP address to the 'safe' address list, which is the list this firewall uses to permit full, unrestricted access to the router.
add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
These rules make sure only valid connections are going to the router and will drop any that are invalid.
add chain=input src-address-list=safe action=accept comment="Allow access to router from known network" disabled=no
This is the rule that allows full access to the router for certain IP addresses. The 'safe' list contains static entries for IPs you always want to have access, and also the dynamic entries added by port knocking, if you use it.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
These rules are a little reactive to DoS and port scanning attempts: port scans are dropped, but a DoS attack is 'tarpitted', meaning all of its connections are slowed down to increase the resource usage on the attacker's device.
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
These two rules jump to chains we are about to create. Jumping is handy because it lets you reuse the same rules from different chains (i.e. input and forward can jump to the same chain and run the same rules).
add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic" disabled=no
Allow broadcast traffic to the router; this is sometimes needed by things like NTP.
add chain=input action=log log-prefix="Filter:" comment="" disabled=no
add chain=input action=drop comment="drop everything else" disabled=no
And this is the rule that denies all access to the router: if traffic hasn't been accepted by one of the rules above, it is logged and then dropped.
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no
These rules form the 'ICMP' chain which we jumped to from input; it rate-limits the various ICMP packet types to stop people ping flooding you and drops any other ICMP.
add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no
add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox " disabled=no
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=no
add chain=services protocol=udp dst-port=5678 action=accept comment=" MT Discovery Protocol" disabled=no
add chain=services protocol=tcp dst-port=161 action=accept comment="allow SNMP" disabled=yes
add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes
add chain=services protocol=udp dst-port=5000-5100 action=accept comment="allow BGP" disabled=yes
add chain=services protocol=udp dst-port=123 action=accept comment="Allow NTP" disabled=yes
add chain=services protocol=tcp dst-port=1723 action=accept comment="Allow PPTP" disabled=yes
add chain=services protocol=gre action=accept comment="allow PPTP and EoIP" disabled=yes
add chain=services protocol=tcp dst-port=53 action=accept comment="allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=53 action=accept comment="Allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=yes
add chain=services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=yes
add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=yes
add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=yes
add chain=services protocol=ipencap action=accept comment="allow IPIP" disabled=yes
add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=yes
add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=yes
add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=yes
add chain=services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=yes
add chain=services protocol=ospf action=accept comment="allow OSPF" disabled=yes
add chain=services action=return comment="" disabled=no
These are the services that we allow anyone to access; as you can see, I've disabled most of them by default. The only ones enabled are services I personally feel should always be accessible:
- Bandwidth Test Server
- MT Discovery
All other services should only be enabled if they need to be. Running this script on a production router that is already configured will cause it to drop IPSec, BGP, EoIP and a bunch of other services, so I must repeat myself again:
Don’t apply this firewall on a production router unmodified – it will break some services
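To make the interplay of the two knock rules, their address-list timeouts and the 'safe' accept rule concrete, here is an added Python simulation of the dynamic address lists (not RouterOS code and not from the original post). It assumes, as RouterOS does, that add-src-to-address-list does not stop rule processing and that re-adding an address refreshes its timeout; the IPs and timings are constructed.

```python
from dataclasses import dataclass, field

KNOCK_PORT, OPEN_PORT = 1337, 7331      # the two knock rules from the firewall script
KNOCK_TTL, SAFE_TTL = 15, 15 * 60       # address-list-timeout=15s and 15m, in seconds


@dataclass
class AddressLists:
    """Dynamic address lists: list name -> {src IP: expiry time}, mirroring RouterOS timeouts."""
    lists: dict = field(default_factory=lambda: {"knock": {}, "safe": {}})

    def member(self, name, src, now):
        """True if src is on list `name` and its entry has not timed out yet."""
        return self.lists[name].get(src, -1) > now

    def add(self, name, src, now, ttl):
        """Add (or refresh) src on list `name` with a fresh timeout."""
        self.lists[name][src] = now + ttl


def input_packet(al, src, dport, now, static_safe=()):
    """Evaluate one TCP SYN to the router (time `now`, in seconds) against the knock rules,
    the src-address-list=safe accept rule and the final drop. Returns 'accept' or 'drop'."""
    if dport == KNOCK_PORT:                                     # rule 1: first knock
        al.add("knock", src, now, KNOCK_TTL)
    elif dport == OPEN_PORT and al.member("knock", src, now):   # rule 2: second knock in time
        al.add("safe", src, now, SAFE_TTL)
    # non-terminating actions above, so the packet still reaches the safe-list accept rule
    if src in static_safe or al.member("safe", src, now):
        return "accept"
    return "drop"                                               # "drop everything else"


def knock_sequence(al, src, knocks):
    """Replay a list of (time, dst port) packets from src and return the verdict for each."""
    return [input_packet(al, src, port, t) for t, port in knocks]
```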
Logging & Syslog
So you've got long passwords and a firewall that limits access to your router. Everything's great: you see the "Drop Everything Else" counter rising and you check the logs on the router to make sure nobody's got in. The trouble is that you're now assuming the data on your router is accurate and hasn't been fiddled with. Someone could have gotten in somehow and be altering your network, and you wouldn't have a clue, because they altered the logs or the record of their access has already scrolled past the 100-line storage default of RouterOS logging.
Got you worried yet? I should have. When someone compromises any device on your network you can no longer assume the data it holds is clean; you must assume that everything on that device has been altered or removed. On RouterOS it is actually very difficult to remove individual entries from the log without erasing the entire log, but it's not impossible; nothing ever is. We are about to go through RouterOS and change what is logged and where it is logged to. In order to be able to tell accurately what's going on in your router you need to log some information about changes and login attempts to an outside device.
By default RouterOS has the following logging setup:
/system logging print
Flags: X - disabled, I - invalid
 #   TOPICS      ACTION      PREFIX
 0   info        memory
 1   error       memory
 2   warning     memory
 3   critical    echo
This is really bad, because if your router suffers a power outage or a random reboot you lose all logs. So the first thing we are going to do is log some things to disk.
Erase all the current logging rules:
/system logging print
/system logging remove 0
/system logging remove 1
/system logging remove 2
/system logging remove 3
Set up logging so that some things go to disk:
/system logging add topics=critical action=disk
/system logging add topics=critical action=echo
/system logging add topics=error action=disk
/system logging add topics=warning action=disk
/system logging add topics=info action=memory
The next trouble is that by default RouterOS will only store the last 100 lines in memory or on disk. Depending on the amount of RAM and free disk space you should raise this; personally I set it to 300 lines in memory and on disk for RouterBoards and 1000 for PC routers. You can do this with the following commands (action 0 is the memory target and action 1 the disk target; replace XXX with your line count):
/system logging action print
/system logging action set 0 memory-lines=XXX
/system logging action set 1 disk-lines=XXX
Now the router will log some things to disk and others to memory, and you will be able to look back further in the logs on the router.
If you look back at the firewall script we put in place you will notice that we set it up to log all the dropped input packets. Right now you will see them in memory, as they are logged under 'info'. What we will do now is create another file on the disk to store the firewall hits and alter the logging rules so they get logged to disk but don't clog up the memory.
First we set up the new target:
/system logging action add target=disk disk-lines=XXX name=FirewallHits
Then we alter the existing 'info' rule so the firewall topic no longer clogs up the main log:
/system logging print
/system logging set 0 topics=info,!firewall
And now we send all the firewall hits to the new target:
/system logging add topics=firewall action=FirewallHits
And done: all the hits your firewall gets will now be logged to disk and will no longer clog up your main log. The last thing left to do with logging is to log everything to a remote source. For this you will need a remote server, running either Windows or *NIX, with a syslog daemon. I won't go through setting up a syslog daemon, as this is extremely platform specific, but it is simple to set up a catch-all syslog daemon.
RouterOS has a built-in logging action called 'remote'; all you need to do is specify the destination IP address where syslog is running, which we can do by issuing the following commands:
/system logging action print
/system logging action set 3 remote=192.168.0.3:514
Remember to add ':514' to the end of the IP address, as this specifies which port to use. Once we have set the IP we can go ahead and add a rule to log everything to the daemon:
/system logging add action=remote topics=info,warning,critical,firewall,error prefix="RouterId"
Change the prefix to something that identifies your router and you're all done.
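As an added example (not part of the original post, and not a RouterOS script), here is a minimal catch-all syslog receiver in Python for the 'remote' action above, with a parser for the "Filter:" lines produced by the firewall's log rule and a small check that flags sources hitting several router ports, the same pattern the psd rule drops. The sample datagrams and the assumed layout of RouterOS log lines (prefix, then topics, then message) are constructed; check them against what your router actually sends.

```python
import re
import socket

# Constructed sample datagrams (syslog PRI, then "<prefix> <topics> <message>"), laid out as
# the 'remote' action with prefix="RouterId" and the log-prefix="Filter:" drop rule would send.
SAMPLE = [
    b"<134>RouterId firewall,info Filter: input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40001->192.168.0.1:22, len 60",
    b"<134>RouterId firewall,info Filter: input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40002->192.168.0.1:23, len 60",
    b"<134>RouterId firewall,info Filter: input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40003->192.168.0.1:8291, len 60",
    b"<134>RouterId firewall,info Filter: input: in:ether1 out:(none), proto UDP, 198.51.100.9:5353->192.168.0.1:161, len 80",
    b"<132>RouterId system,error,critical login failure for user admin from 203.0.113.5 via telnet",
]
# Assumed layout of a RouterOS firewall log line; adjust if your version formats it differently.
FW_RE = re.compile(r"^(?P<prefix>\S+) firewall,\w+ Filter: (?P<chain>\w+):.*?proto (?P<proto>\w+)"
                   r".*?(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_datagram(data: bytes) -> dict:
    """Split a syslog datagram into facility, severity and the message text."""
    text = data.decode("utf-8", errors="replace").rstrip("\r\n")
    m = re.match(r"<(\d{1,3})>(.*)", text, re.S)
    if not m:                       # no PRI header: keep the raw text
        return {"facility": None, "severity": None, "msg": text}
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "msg": m.group(2)}

def parse_firewall_hit(msg: str):
    """Return (router prefix, chain, src IP, dst port) for a Filter: line, else None."""
    m = FW_RE.search(msg)
    if not m:
        return None
    return m.group("prefix"), m.group("chain"), m.group("src"), int(m.group("dport"))

def port_sweeps(datagrams, min_ports=5):
    """Sources that hit at least min_ports distinct router ports (what the psd rule drops)."""
    ports = {}
    for d in datagrams:
        hit = parse_firewall_hit(parse_datagram(d)["msg"])
        if hit:
            ports.setdefault(hit[2], set()).add(hit[3])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}

def serve(bind="0.0.0.0", port=514, logfile="routeros.log"):
    """Catch-all daemon: append every message to one line-buffered file, tagged with sender and severity."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))         # binding 514 needs root on *NIX
    with open(logfile, "a", buffering=1) as fh:
        while True:
            data, (peer, _) = sock.recvfrom(8192)
            rec = parse_datagram(data)
            fh.write(f"{peer} sev={rec['severity']} {rec['msg']}\n")
```

Call serve() to start listening (or pick a port above 1024 and change the ':514' on the router to match); the parsing functions work offline on SAMPLE.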
With this logging setup in place you are in a better position to know what's going on in your network, and to know that the information you are reading is correct. Remember: when in doubt, check the remote syslog.