
Loading A Firewall

Next up is loading a firewall. Right now your router is secured from access by passwords, but passwords are one layer of security – not the only layer. This script is based on the firewall used on the MT demo router but has a few changes to it: it only protects the router itself and contains no ‘forward’ firewall rules.

/ip firewall filter
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \
    address-list=knock address-list-timeout=15s comment="" disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock \
    action=add-src-to-address-list address-list=safe address-list-timeout=15m \
    comment="" disabled=no

These rules set up port knocking as in the example we used above: a hit on the first port puts the source IP on the ‘knock’ list, and a hit on the second port from an address still on that list adds it to the ‘safe’ address-list. The ‘safe’ list is the address-list this firewall uses to permit full, unrestricted access to the router.
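To make the timing of the two rules concrete, here is a small simulation of the dynamic address lists. It is an added example, not code from the original post or from MikroTik; the port numbers and timeouts are the ones in the script above, while the assumption that re-adding a listed address simply resets its expiry is the simulation's own.

```python
from dataclasses import dataclass, field

KNOCK_PORT = 1337        # first port in the script: adds the source to the 'knock' list
OPEN_PORT = 7331         # second port: adds a source already on 'knock' to the 'safe' list
KNOCK_TIMEOUT = 15       # address-list-timeout=15s
SAFE_TIMEOUT = 15 * 60   # address-list-timeout=15m


@dataclass
class AddressList:
    """A dynamic address list: an entry expires `timeout` seconds after it was added.
    Assumption made by this simulation: adding an address that is already listed
    simply resets its expiry."""
    timeout: int
    entries: dict = field(default_factory=dict)  # ip -> absolute expiry time (seconds)

    def add(self, ip, now):
        self.entries[ip] = now + self.timeout

    def contains(self, ip, now):
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if now >= expiry:            # timed out: the router removes the entry
            del self.entries[ip]
            return False
        return True


class KnockSimulator:
    """Applies the two add-src-to-address-list rules to inbound TCP packets.
    Neither rule accepts the packet; they only tag the source, so the later
    'src-address-list=safe' accept rule is what actually grants access."""

    def __init__(self):
        self.knock = AddressList(KNOCK_TIMEOUT)
        self.safe = AddressList(SAFE_TIMEOUT)

    def tcp_input(self, src, dport, now):
        """Return what the two rules did with one packet arriving at time `now`."""
        if dport == KNOCK_PORT:
            self.knock.add(src, now)
            return "added to knock"
        if dport == OPEN_PORT and self.knock.contains(src, now):
            self.safe.add(src, now)
            return "added to safe"
        return "no match"

    def is_safe(self, src, now):
        """True if the 'Allow access to router from known network' rule would match."""
        return self.safe.contains(src, now)


if __name__ == "__main__":
    sim = KnockSimulator()
    print(sim.tcp_input("203.0.113.5", 7331, 0))    # no match: nothing on the knock list yet
    print(sim.tcp_input("203.0.113.5", 1337, 10))   # added to knock, valid for 15 s
    print(sim.tcp_input("203.0.113.5", 7331, 20))   # added to safe, valid for 15 min
    print(sim.is_safe("203.0.113.5", 30))           # True until t = 20 + 900
```

The second knock has to arrive within 15 seconds of the first, and the resulting ‘safe’ entry only lasts 15 minutes, so an administrator has to repeat the sequence after that; the addresses here are documentation ranges chosen for the example.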

add chain=input connection-state=established action=accept 
comment="accept established connection packets" disabled=no 
add chain=input connection-state=related action=accept 
comment="accept related connection packets" disabled=no 
add chain=input connection-state=invalid action=drop 
comment="drop invalid packets" disabled=no

These rules make sure only valid connections reach the router and drop any packets that are invalid.

add chain=input src-address-list=safe action=accept 
comment="Allow access to router from known network" disabled=no

This is the rule that allows full access to the router for certain IP addresses. The list contains static entries for IPs you always want to have access, and also the dynamic entries of those added by port knocking, if used.

add chain=input protocol=tcp psd=21,3s,3,1 action=drop \
    comment="detect and drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
    action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list \
    address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no

These rules are a little reactive to DoS and port-scanning attempts: port scans are dropped, but a DoS attack is ‘tarpitted’, meaning all of its connections are slowed down to increase the resource usage on the attacker's device.

add chain=input protocol=icmp action=jump jump-target=ICMP 
comment="jump to chain ICMP" disabled=no 
add chain=input action=jump jump-target=services 
comment="jump to chain services" disabled=no

These two rules jump to chains we are about to create. Jumping is handy because it allows you to reuse the same rules in different chains (i.e. input and forward can jump to the same chain and run the same rules).

add chain=input dst-address-type=broadcast action=accept 
comment="Allow Broadcast Traffic" disabled=no

Allow broadcast traffic to the router; this is sometimes needed by things like NTP.

add chain=input action=log log-prefix="Filter:" comment="" disabled=no 
add chain=input action=drop comment="drop everything else" disabled=no

And this is the rule that denies all access to the router: if traffic hasn’t been accepted by one of the rules above, it will be dropped.

add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept 
comment="0:0 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept 
comment="3:3 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept 
comment="3:4 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept 
comment="8:0 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept 
comment="11:0 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp action=drop 
comment="Drop everything else" disabled=no

These rules form the ‘ICMP’ chain that we jumped to from input; it rate-limits the various ICMP packet types to stop people ping-flooding you.
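The `limit=5,5` matcher behaves like a token bucket: five packets of a type may match at once, after which five more per second are admitted, and a packet that exceeds its rule's limit simply fails to match and falls through to the chain's final drop. The model below is an added example, not RouterOS code or code from the post; it assumes packets are fed in time order and that each of the five rules keeps its own bucket, which is how the chain above is written.

```python
class PacketRateLimit:
    """Token-bucket model of the firewall 'limit=count,burst' matcher used in the
    ICMP chain: `burst` packets may match at once, then `count` more per second."""

    def __init__(self, count, burst):
        self.rate = float(count)        # tokens refilled per second
        self.capacity = float(burst)    # bucket size
        self.tokens = float(burst)      # the bucket starts full
        self.last = 0.0                 # time of the previous packet (seconds)

    def match(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# (icmp type, icmp code or None for any code): one rule and one bucket each,
# in the order of the chain above.
ICMP_RULES = [(0, None), (3, 3), (3, 4), (8, None), (11, None)]


def make_icmp_chain():
    return [(itype, icode, PacketRateLimit(5, 5)) for itype, icode in ICMP_RULES]


def icmp_chain(packets, rules=None):
    """Evaluate (time_seconds, icmp_type, icmp_code) packets, in time order, against
    the ICMP chain. A packet whose type/code matches a rule but which exceeds that
    rule's limit does not match the rule, so it reaches the chain's final drop."""
    rules = rules if rules is not None else make_icmp_chain()
    decisions = []
    for now, itype, icode in packets:
        verdict = "drop"
        for rtype, rcode, bucket in rules:
            if itype == rtype and (rcode is None or icode == rcode):
                if bucket.match(now):
                    verdict = "accept"
                break   # the type/code matchers are disjoint, so no later rule can match
        decisions.append(verdict)
    return decisions


if __name__ == "__main__":
    # Seven echo requests in the same instant: five accepted, two dropped.
    print(icmp_chain([(0.0, 8, 0)] * 7))
    # A second later the bucket has refilled, so five more are accepted.
    print(icmp_chain([(0.0, 8, 0)] * 5 + [(1.0, 8, 0)] * 6))
```

Because every rule has its own bucket, a burst of echo requests does not consume the budget for destination-unreachable or time-exceeded messages, which is why the chain lists them separately rather than using one limit for all ICMP.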

add chain=services src-address= dst-address= 
action=accept comment="accept localhost" disabled=no 
add chain=services protocol=udp dst-port=20561 action=accept 
comment="allow MACwinbox " disabled=no 
add chain=services protocol=tcp dst-port=2000 action=accept 
comment="Bandwidth server" disabled=no 
add chain=services protocol=udp dst-port=5678 action=accept 
comment=" MT Discovery Protocol" disabled=no 
add chain=services protocol=tcp dst-port=161 action=accept 
comment="allow SNMP" disabled=yes
add chain=services protocol=tcp dst-port=179 action=accept 
comment="Allow BGP" disabled=yes
add chain=services protocol=udp dst-port=5000-5100 action=accept 
comment="allow BGP" disabled=yes
add chain=services protocol=udp dst-port=123 action=accept 
comment="Allow NTP" disabled=yes
add chain=services protocol=tcp dst-port=1723 action=accept 
comment="Allow PPTP" disabled=yes 
add chain=services protocol=gre action=accept 
comment="allow PPTP and EoIP" disabled=yes 
add chain=services protocol=tcp dst-port=53 action=accept 
comment="allow DNS request" disabled=yes 
add chain=services protocol=udp dst-port=53 action=accept 
comment="Allow DNS request" disabled=yes 
add chain=services protocol=udp dst-port=1900 action=accept 
comment="UPnP" disabled=yes 
add chain=services protocol=tcp dst-port=2828 action=accept 
comment="UPnP" disabled=yes 
add chain=services protocol=udp dst-port=67-68 action=accept 
comment="allow DHCP" disabled=yes 
add chain=services protocol=tcp dst-port=8080 action=accept 
comment="allow Web Proxy" disabled=yes 
add chain=services protocol=ipencap action=accept 
comment="allow IPIP" disabled=yes 
add chain=services protocol=tcp dst-port=443 action=accept 
comment="allow https for Hotspot" disabled=yes 
add chain=services protocol=tcp dst-port=1080 action=accept 
comment="allow Socks for Hotspot" disabled=yes 
add chain=services protocol=udp dst-port=500 action=accept 
comment="allow IPSec connections" disabled=yes 
add chain=services protocol=ipsec-esp action=accept 
comment="allow IPSec" disabled=yes 
add chain=services protocol=ipsec-ah action=accept 
comment="allow IPSec" disabled=yes 
add chain=services protocol=udp dst-port=520-521 action=accept 
comment="allow RIP" disabled=yes 
add chain=services protocol=ospf action=accept 
comment="allow OSPF" disabled=yes 
add chain=services action=return 
comment="" disabled=no

These are the services that we allow anyone to access; as you can see, I’ve disabled most of them by default. The only ones enabled are services I personally feel should always be accessible:

  • Mac-Telnet
  • Bandwidth Test Server
  • MT Discovery

All other services should only be enabled if they need to be. Running this script unmodified on a production router that is already configured will cause it to drop IPSec, BGP, EoIP and a bunch of other services, so I must repeat myself again:
Don’t apply this firewall on a production router unmodified – it will break some services.

Logging & Syslog

So you’ve got long passwords and a firewall that limits access to your router. Everything’s great: you see the “Drop Everything Else” counter rising and you check the logs on the router to make sure nobody’s got in. Trouble is, you’re now assuming that the data on your router is accurate and hasn’t been fiddled with. Someone could have gotten in somehow and be altering your network without you having a clue, because they altered the logs or their access has scrolled past the 100-line storage default of RouterOS logging.
Got you worried yet? I should have. When someone compromises any device on your network you can no longer assume the data it holds is clean; you must assume that everything on that device has been altered or removed. On RouterOS it’s actually very difficult to remove entries from the log without erasing the entire log, but it’s not impossible; nothing ever is. We are about to go through RouterOS and change what’s logged and where it’s logged to. In order to be able to tell accurately what’s going on in your router, you need to log some information about changes and login attempts to an outside device.
By default RouterOS has the following logging setup:

/system logging print
Flags: X - disabled, I - invalid
 #   TOPICS                                   ACTION    PREFIX
 0   info                                     memory
 1   error                                    memory
 2   warning                                  memory
 3   critical                                 echo

Which is really bad, because if your router suffers a power outage or random reboot you lose all logs. So the first thing we are going to do is log some things to disk.
Erase all the current logging rules:

/system logging print
/system logging remove 0
/system logging remove 1
/system logging remove 2
/system logging remove 3

Set up logging to log some things to disk:

/system logging add topics=critical action=disk
/system logging add topics=critical action=echo
/system logging add topics=error action=disk
/system logging add topics=warning action=disk
/system logging add topics=info action=memory

Now the next trouble is that by default RouterOS will only store the last 100 lines in memory or on disk. Depending on the amount of RAM and free disk space you should increase this; personally I set this to 300 lines in memory and on disk for RouterBoards and 1000 for PC routers. You can do this with the following commands (the memory action takes memory-lines and the disk action takes disk-lines):

/system logging action print
/system logging action set 0 memory-lines=XXX
/system logging action set 1 disk-lines=XXX

Now the router will log some things to disk and others to memory, and you will be able to look back further in the logs on the router.
If you look back to the firewall script we put in place, you will notice that we set it up to log all the dropped input packets. Right now you will see them in memory, as they are logged under the ‘info’ topic. What we will do now is create another file on the disk to store the firewall hits and alter the logging rules so they get logged to disk but don’t clog up the memory.
First we set up the new target:

/system logging action add target=disk disk-lines=XXX name=FirewallHits

Then we alter the ‘info’ logging rule to stop the firewall clogging up the log:

/system logging print
/system logging set [find topics=info] topics=info,!firewall

And now we set it so all the firewall hits get sent to the new target:

/system logging add topics=firewall action=FirewallHits

And done: now all the hits your firewall gets will be logged to disk and will no longer clog up your main log. The last thing left to do with logging is to log everything to a remote source. For this you will need a remote server running either Windows or *NIX with a Syslog daemon. I won’t go through setting up a Syslog daemon as this is extremely platform specific; however, it is simple to set up a catch-all Syslog daemon.
RouterOS has a built-in logging action called ‘remote’; all that you need to do is specify the destination IP address where Syslog is running. We can do this by issuing the following commands:

/system logging action print
/system logging action set 3 remote=

Remember to add ‘:514’ to the end of the IP address, as this specifies which port to use. Once we have set the IP we can go ahead and add a rule to log everything to the daemon:

/system logging add action=remote topics=info,warning,critical,firewall,error 

Change the prefix to something that identifies your router and you’re all done.
With this logging setup in place you are in a better position to know what’s going on in your network, and to know that the information you are reading is correct. Remember: when in doubt, check the remote Syslog.
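Once the firewall hits reach the remote Syslog host, the “Filter:” prefix makes them easy to pick out and summarise. The receiver below is an added example, not part of the post or of RouterOS: it parses the chain, interfaces, protocol and addresses out of a firewall log line, counts drops per source and per destination port, and can listen on UDP 514 for the router's ‘remote’ action. The sample lines are constructed for the example (documentation address ranges, an invented hostname); their layout follows the format RouterOS uses for firewall log entries, but treat the exact field order as an assumption to check against your own log.

```python
import re
import socket
from collections import Counter

# Constructed sample datagrams, shaped like RouterOS firewall log entries carrying the
# "Filter:" prefix set by the log rule in the firewall script (not real router output).
SAMPLE_LINES = [
    "<134>Jan 10 10:00:01 rtr1 firewall,info Filter: input: in:ether1 out:(none), src-mac 00:0c:29:aa:bb:01, proto TCP (SYN), 203.0.113.9:51234->192.0.2.1:22, len 60",
    "<134>Jan 10 10:00:02 rtr1 firewall,info Filter: input: in:ether1 out:(none), src-mac 00:0c:29:aa:bb:01, proto TCP (SYN), 203.0.113.9:51235->192.0.2.1:23, len 60",
    "<134>Jan 10 10:00:02 rtr1 firewall,info Filter: input: in:ether1 out:(none), src-mac 00:0c:29:aa:bb:01, proto TCP (SYN), 203.0.113.9:51236->192.0.2.1:8291, len 60",
    "<134>Jan 10 10:00:05 rtr1 firewall,info Filter: input: in:ether1 out:(none), src-mac 00:0c:29:aa:bb:02, proto UDP, 198.51.100.7:40000->192.0.2.1:161, len 78",
    "<134>Jan 10 10:00:07 rtr1 firewall,info Filter: input: in:ether1 out:(none), src-mac 00:0c:29:aa:bb:01, proto ICMP (type 8, code 0), 203.0.113.9->192.0.2.1, len 84",
    "<134>Jan 10 10:00:09 rtr1 system,info,account user admin logged in from 192.0.2.50 via winbox",
]

# chain, in/out interface, optional src-mac, protocol (with optional detail in
# parentheses), then src[:port]->dst[:port]; ports are absent for ICMP.
FILTER_RE = re.compile(
    r"Filter:\s+(?P<chain>\w+):\s+in:(?P<inif>\S+)\s+out:(?P<outif>\S+),"
    r"(?:\s+src-mac\s+\S+,)?\s+proto\s+(?P<proto>[A-Z]+)(?:\s+\([^)]*\))?,"
    r"\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_filter_line(line):
    """Return a dict describing a logged firewall drop, or None for any other log line."""
    m = FILTER_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def summarize(lines, top=5):
    """Count logged drops per source address and per (protocol, destination port)."""
    by_src = Counter()
    by_dport = Counter()
    for line in lines:
        rec = parse_filter_line(line)
        if rec is None:
            continue
        by_src[rec["src"]] += 1
        if rec["dport"] is not None:
            by_dport[(rec["proto"], rec["dport"])] += 1
    return by_src.most_common(top), by_dport.most_common(top)


def serve(host="0.0.0.0", port=514):
    """Receive datagrams from the router's 'remote' action and print parsed drops.
    Binding port 514 normally needs root; run with a high port and a matching
    ':port' suffix on the router if you prefer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, (peer, _) = sock.recvfrom(4096)
        rec = parse_filter_line(data.decode("utf-8", "replace"))
        if rec:
            print(f"{peer}: {rec['chain']} {rec['proto']} "
                  f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} via {rec['inif']}")


if __name__ == "__main__":
    sources, ports = summarize(SAMPLE_LINES)
    print("drops by source:", sources)       # 203.0.113.9 leads with 4
    print("drops by port:", ports)
    # serve()   # uncomment to listen for the router's remote log action
```

Because the counts come from the Syslog host rather than from the router, they remain usable even if the router's own log has been cleared, which is the whole point of the remote target.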

  1. 26 December 2012 at 9:38 PM

    Way cool! Some very valid points! I appreciate you writing
    this write-up and also the rest of the website is
    very good.

  2. 22 April 2013 at 7:22 AM

    Wonderful blog! I found it while searching on Yahoo News.

    Do you have any suggestions on how to get listed in Yahoo News?
    I’ve been trying for a while but I never seem to get there! Many thanks

  3. 6 July 2013 at 11:43 PM

    Hey there fantastic blog! Does running a blog such as this require a massive amount work?
    I’ve very little expertise in programming but I had been hoping to start my own blog soon. Anyhow, should you have any recommendations or techniques for new blog owners please share. I understand this is off topic nevertheless I just wanted to ask. Thanks a lot!

  4. 21 August 2013 at 3:41 PM

    I believe that is one of the most important
    info for me. And I am satisfied reading your article. But should statement on
    few common issues, The web site style is wonderful, the articles is
    in reality excellent : D. Excellent task, cheers
