Beranda > Mikrotik > Mikrotik Firewall Filter

Mikrotik Firewall Filter


Lets say our private network is 192.168.0.0/24 and public (WAN) interface is ether1. We will set up firewall to allow connections to router itself only from our local network and drop the rest. Also we will allow ICMP protocol on any interface so that anyone can ping your router from internet.

/ip firewall filter
add chain=input connection-state=invalid action=drop \
 comment="Drop Invalid connections"  
add chain=input connection-state=established action=accept \
 comment="Allow Established connections"  
add chain=input protocol=icmp action=accept \
 comment="Allow ICMP" 
add chain=input src-address=192.168.0.0/24 action=accept \
 in-interface=!ether1 
add chain=input action=drop comment="Drop everything else"

Customer protection

To protect the customer’s network, we should check all traffic which goes through router and block unwanted. For icmp, tcp, udp traffic we will create chains, where will be droped all unwanted packets:

/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
  action=drop comment="drop invalid connections"  
add chain=forward connection-state=established action=accept \ 
  comment="allow already established connections"  
add chain=forward connection-state=related action=accept \
  comment="allow related connections"

Block “bogon” IP addresses

add chain=forward src-address=0.0.0.0/8 action=drop  
add chain=forward dst-address=0.0.0.0/8 action=drop  
add chain=forward src-address=127.0.0.0/8 action=drop 
add chain=forward dst-address=127.0.0.0/8 action=drop 
add chain=forward src-address=224.0.0.0/3 action=drop 
add chain=forward dst-address=224.0.0.0/3 action=drop

Make jumps to new chains:

add chain=forward protocol=tcp action=jump jump-target=tcp  
add chain=forward protocol=udp action=jump jump-target=udp  
add chain=forward protocol=icmp action=jump jump-target=icmp

Create tcp chain and deny some tcp ports in it:

add chain=tcp protocol=tcp dst-port=69 action=drop \
  comment="deny TFTP" 
add chain=tcp protocol=tcp dst-port=111 action=drop \
  comment="deny RPC portmapper"  
add chain=tcp protocol=tcp dst-port=135 action=drop \
  comment="deny RPC portmapper"  
add chain=tcp protocol=tcp dst-port=137-139 action=drop \
  comment="deny NBT"  
add chain=tcp protocol=tcp dst-port=445 action=drop \
  comment="deny cifs"  
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"  
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"  
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"  
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"  
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

Deny udp ports in udp chain:

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"  
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"  
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"  
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"  
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"  
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

Allow only needed icmp codes in icmp chain:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
  comment="echo reply"  
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
  comment="net unreachable"  
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
  comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
  comment="host unreachable fragmentation required"  
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
  comment="allow source quench"  
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
  comment="allow echo request"  
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
  comment="allow time exceed"  
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \ 
  comment="allow parameter bad"  
add chain=icmp action=drop comment="deny all other types"

other ICMP codes are found here.

source : Wiki Mikrotik

Iklan
Kategori:Mikrotik
  1. Belum ada komentar.
  1. No trackbacks yet.

Tinggalkan Balasan

Isikan data di bawah atau klik salah satu ikon untuk log in:

Logo WordPress.com

You are commenting using your WordPress.com account. Logout / Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout / Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout / Ubah )

Foto Google+

You are commenting using your Google+ account. Logout / Ubah )

Connecting to %s

%d blogger menyukai ini: