Thursday, January 14, 2010

MikroTik firewall configuration for safer Internet access

Building a simple but powerful firewall. The firewall rules are given below, grouped by what they do.

1. SSH brute-force filter

Each new SSH connection moves the source address one stage further down the lists; an address that reaches ssh_stage3 and connects again within the one-minute windows is put on ssh_blacklist for 1w3d, and the first rule drops everything it sends to port 22.

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
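How the four staging rules work together is easier to see in a small simulation. The following Python is an added example, not part of the original post and not RouterOS code: it models the dynamic address lists with the rule order and timeouts given above. That re-adding an address refreshes its timeout, and the source address used, are assumptions of the example.

```python
"""Simulation of the staged SSH address-list escalation (added example, not
MikroTik code). Rule order and timeouts are taken from the rules above; that
re-adding an address resets its timeout is an assumption."""

ONE_MINUTE = 60
ONE_WEEK_THREE_DAYS = 10 * 24 * 3600  # address-list-timeout=1w3d

# (list the source must already be on, list it is added to, timeout in seconds),
# in the order the firewall evaluates them. None means "any new SSH connection".
STAGES = [
    ("ssh_stage3", "ssh_blacklist", ONE_WEEK_THREE_DAYS),
    ("ssh_stage2", "ssh_stage3", ONE_MINUTE),
    ("ssh_stage1", "ssh_stage2", ONE_MINUTE),
    (None, "ssh_stage1", ONE_MINUTE),
]


class AddressLists:
    """Dynamic address lists: list name -> {address: expiry time}."""

    def __init__(self):
        self.lists = {}

    def contains(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def add(self, name, ip, now, timeout):
        # Assumption: re-adding an address that is already listed resets its timeout.
        self.lists.setdefault(name, {})[ip] = now + timeout


def new_ssh_connection(lists, rules, ip, now):
    """Verdict of the input chain for one new TCP connection to port 22 at time `now`.

    action=drop ends rule processing; add-src-to-address-list does not, so every
    staging rule that matches fires, in order, against the lists as they stand.
    """
    if lists.contains("ssh_blacklist", ip, now):
        return "drop"
    for required, target, timeout in rules:
        if required is None or lists.contains(required, ip, now):
            lists.add(target, ip, now, timeout)
    return "accept"


def simulate(attempt_times, rules=STAGES, ip="198.51.100.7"):
    """Verdicts for a sequence of new SSH connections from one constructed source."""
    lists = AddressLists()
    return [new_ssh_connection(lists, rules, ip, t) for t in attempt_times]


if __name__ == "__main__":
    # Four new connections inside a minute: the fourth puts the source on the
    # blacklist, the fifth is dropped.
    print(simulate([0, 10, 20, 30, 40]))
    # One connection every 70 s never escalates: each stage entry expires first.
    print(simulate([0, 70, 140, 210, 280]))
    # The same four rules in reverse order: one connection cascades through every stage.
    print(simulate([0, 1], rules=list(reversed(STAGES))))
```

The rule order is what makes the staging work: because add-src-to-address-list does not stop processing, the rules must run from the highest stage down, so that one connection advances a source by exactly one list. Evaluated in the opposite order, the same four rules blacklist a source on its very first connection, which the third simulated case shows.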

2. Port scan filter

The psd matcher catches a source connecting to many different ports in quick succession; the tcp-flags rules catch probes with flag combinations that ordinary TCP traffic never uses. Matching sources go onto the "port scanners" list for two weeks, and the last rule drops everything they send to the router.

/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="" disabled=no
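To make concrete what these two kinds of matcher catch, here is an added Python example (not part of the original post and not MikroTik code) that replays constructed TCP packets through a model of both. The psd scoring follows RouterOS's documented meaning of psd=21,3s,3,1 (weight threshold 21, delay threshold 3 s, weight 3 for destination ports up to 1024, weight 1 for higher ports); the exact bookkeeping inside the real matcher is an assumption, and the tcp-flags strings are parsed exactly as written in the rules.

```python
"""Port-scan rules replayed over constructed TCP packets (added example, not
MikroTik code). psd=21,3s,3,1 is modelled from the documented parameter
meanings; the real matcher's internal bookkeeping is an assumption."""

WEIGHT_THRESHOLD, DELAY_THRESHOLD = 21, 3.0
LOW_PORT_WEIGHT, HIGH_PORT_WEIGHT = 3, 1

# The tcp-flags values from the rules above, in rule order.
FLAG_RULES = [
    "fin,!syn,!rst,!psh,!ack,!urg",   # FIN alone
    "fin,syn",                        # SYN and FIN together
    "syn,rst",                        # SYN and RST together
    "fin,psh,urg,!syn,!rst,!ack",     # "xmas" probe
    "fin,syn,rst,psh,ack,urg",        # every flag set
    "!fin,!syn,!rst,!psh,!ack,!urg",  # no flag set (NULL probe)
]


def parse_tcp_flags(spec):
    """Split a tcp-flags value into (flags that must be set, flags that must be clear)."""
    must_set, must_clear = set(), set()
    for token in spec.split(","):
        (must_clear if token.startswith("!") else must_set).add(token.lstrip("!"))
    return must_set, must_clear


def matches_tcp_flags(spec, flags):
    """True if a packet carrying `flags` matches `spec`; flags not mentioned are don't-care."""
    must_set, must_clear = parse_tcp_flags(spec)
    return must_set <= flags and not (must_clear & flags)


def flag_rule_hit(flags):
    """First tcp-flags rule the packet matches, or None for ordinary TCP traffic."""
    for spec in FLAG_RULES:
        if matches_tcp_flags(spec, flags):
            return spec
    return None


class PortScanDetector:
    """Per-source accumulator modelling the psd matcher."""

    def __init__(self):
        self.state = {}  # src -> (time of last packet, distinct ports seen, weight)

    def observe(self, src, dport, now):
        """True once the source's run of distinct ports reaches the weight threshold."""
        last, ports, weight = self.state.get(src, (None, set(), 0))
        if last is not None and now - last > DELAY_THRESHOLD:
            ports, weight = set(), 0  # too long a gap: the sequence starts over
        if dport not in ports:
            ports.add(dport)
            weight += LOW_PORT_WEIGHT if dport <= 1024 else HIGH_PORT_WEIGHT
        self.state[src] = (now, ports, weight)
        return weight >= WEIGHT_THRESHOLD


def classify(packets):
    """packets: (time, src, dst port, set of flags). Returns the sources that the
    rules above would put on the "port scanners" list."""
    psd, flagged = PortScanDetector(), set()
    for now, src, dport, flags in packets:
        if psd.observe(src, dport, now) or flag_rule_hit(flags):
            flagged.add(src)
    return flagged


# Constructed traffic from documentation-range addresses.
SAMPLE_TCP_PACKETS = [
    (0.0, "192.0.2.10", 80, {"syn"}),                       # browser: two ports, weight 6
    (0.5, "192.0.2.10", 443, {"syn"}),
    *[(1.0 + 0.1 * i, "203.0.113.5", p, {"syn"})           # seven privileged ports in 0.6 s: 7 * 3 = 21
      for i, p in enumerate([21, 22, 23, 25, 53, 80, 110])],
    (2.0, "192.0.2.10", 443, {"fin", "ack"}),               # normal close, matches no flag rule
    (5.0, "203.0.113.9", 8080, set()),                      # single NULL probe
    *[(10.0 + 4.0 * i, "203.0.113.20", 30000 + i, {"syn"})  # ten high ports, 4 s apart
      for i in range(10)],
]

if __name__ == "__main__":
    print(sorted(classify(SAMPLE_TCP_PACKETS)))  # ['203.0.113.5', '203.0.113.9']
```

Two things the replay shows that the rules alone do not: a FIN/ACK close matches none of the flag rules, because every rule that requires fin also requires ack to be clear or another flag to be set; and the 3 s delay threshold means a slow sweep of high ports never accumulates weight, so psd alone does not catch patient scanners.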

3. FTP login-failure filter

The router's own "530 Login incorrect" replies are counted per destination address. Failures within the dst-limit are accepted; beyond it, the destination is put on ftp_blacklist for 3h and its further connections to port 21 are dropped by the first rule.

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Filter FTP to Box" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h comment="" disabled=no

4. Splitting forwarded traffic by protocol

These jumps are in the forward chain only, so the tcp, udp and icmp chains filled in below apply to traffic passing through the router, not to traffic addressed to the router itself.

/ip firewall filter
add chain=forward protocol=tcp action=jump jump-target=tcp comment="Separated into Chains Protocol" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no

5. Blocking unwanted UDP traffic

/ip firewall filter
add chain=udp protocol=udp dst-port=69 action=drop comment="Blocking UDP Packet" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="" disabled=no

6. Blocking unwanted TCP traffic

/ip firewall filter
add chain=tcp protocol=tcp dst-port=69 action=drop comment="Blocking TCP Packet" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=119 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="" disabled=no

7. Blocking SMTP traffic

Note that the comment on this rule says "Allow SMTP" but its action is drop: it blocks all SMTP passing through the router.

/ip firewall filter
add chain=forward protocol=tcp dst-port=25 action=drop comment="Allow SMTP" disabled=no

8. ICMP flood (DoS) filter

Each accepted ICMP type is rate-limited; any other ICMP type, and anything over the limit, falls through to the final drop.

/ip firewall filter
add chain=icmp protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="Ping Flood Limited" disabled=no
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="" disabled=no
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="" disabled=no
add chain=icmp protocol=icmp action=drop comment="" disabled=no
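The interaction between the limit matcher and the closing drop is worth seeing on actual packets. The following Python is an added example, not part of the original post and not MikroTik code: it replays constructed ICMP packets through the chain above. Each accept rule's limit=5,5 is modelled as a token bucket holding a burst of 5 packets and refilling at 5 per second, with one bucket per rule; that reading of the two numbers is an assumption of the example. The icmp-options values are parsed exactly as written in the rules.

```python
"""The icmp chain above replayed over constructed packets (added example, not
MikroTik code). limit=5,5 is modelled as a token bucket: burst 5, refilled at
5 tokens per second, one bucket per rule. That reading is an assumption."""

RATE, BURST = 5.0, 5.0

# The chain in evaluation order: (icmp-options value, action). The final rule
# has no matcher and catches every ICMP packet the limited rules did not accept.
ICMP_CHAIN = [
    ("0:0-255", "accept"),   # echo reply
    ("3:3", "accept"),       # destination unreachable, port unreachable
    ("3:4", "accept"),       # destination unreachable, fragmentation needed
    ("8:0-255", "accept"),   # echo request
    ("11:0-255", "accept"),  # time exceeded
    (None, "drop"),
]


def parse_icmp_options(spec):
    """'TYPE:CODE' or 'TYPE:LOW-HIGH' -> (type, lowest code, highest code)."""
    icmp_type, codes = spec.split(":")
    low, _, high = codes.partition("-")
    return int(icmp_type), int(low), int(high or low)


class TokenBucket:
    """Allows `burst` packets at once, then `rate` packets per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IcmpChain:
    def __init__(self):
        # Every rule carrying limit=5,5 keeps its own counter.
        self.buckets = {spec: TokenBucket(RATE, BURST) for spec, _ in ICMP_CHAIN if spec}

    def verdict(self, now, icmp_type, code):
        """Walk the chain for one packet; the first matching rule decides."""
        for spec, action in ICMP_CHAIN:
            if spec is None:
                return action  # catch-all drop at the end of the chain
            rule_type, low, high = parse_icmp_options(spec)
            if icmp_type == rule_type and low <= code <= high:
                if self.buckets[spec].allow(now):
                    return action
                # over the limit: the rule does not match and the packet falls through


def run(packets):
    """packets: (time, ICMP type, code) -> list of verdicts, in order."""
    chain = IcmpChain()
    return [chain.verdict(*p) for p in packets]


# Constructed traffic: a burst of pings, then a mix of types one second later.
SAMPLE_ICMP_PACKETS = (
    [(0.0, 8, 0)] * 10 +  # ten echo requests at the same instant
    [(1.0, 8, 0),         # one second later the bucket has refilled
     (1.0, 3, 3),         # port unreachable: its own bucket, accepted
     (1.0, 5, 1),         # redirect: no accept rule, dropped
     (1.0, 13, 0)]        # timestamp request: dropped
)

if __name__ == "__main__":
    print(run(SAMPLE_ICMP_PACKETS))
```

Of the ten simultaneous echo requests, the first five are accepted and the other five fall through to the drop rule; one second later the bucket has refilled and pings are accepted again. Types with no accept rule, such as redirects, are dropped regardless of rate.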

9. P2P connection filter

Note that this rule accepts all detected P2P traffic rather than dropping it.

/ip firewall filter
add chain=forward p2p=all-p2p action=accept comment="P2P traffic" disabled=no

10. Allowing router access from known networks

/ip firewall filter
add chain=input dst-address-type=broadcast,multicast action=accept comment="Allow Broadcast Traffic" disabled=no
add chain=input src-address=192.168.0.0/28 action=accept comment="Allow access to router from known network" disabled=no
add chain=input src-address=192.168.1.0/24 action=accept comment="" disabled=no
add chain=input src-address=192.168.2.0/30 action=accept comment="" disabled=no
add chain=input src-address=125.162.0.0/16 action=accept comment="" disabled=no

11. Connection-state filter

Accept packets belonging to established or related connections and drop invalid ones.

/ip firewall filter
add chain=input connection-state=established action=accept comment="Connection State" disabled=no
add chain=input connection-state=related action=accept comment="" disabled=no
add chain=input connection-state=invalid action=drop comment="" disabled=no

Comments:

  5. Why authorize all P2P and block all SMTP???

