mikrotik_firewall

mikrotik_firewall [2019/07/15 09:04]
admin
mikrotik_firewall [2019/07/15 09:43] (current)
admin
Line 7: Line 7:
 === /ip firewall filter === === /ip firewall filter ===
 <​code>​ <​code>​
-add action=passthrough chain=forward comment="​dresist-kgs out count" ​+add action=passthrough chain=forward comment="​dresist-kgs out count" in-interface=br1-100 src-address=192.168.142.252 
-    ​in-interface=br1-100 src-address=192.168.142.252 +add action=passthrough chain=forward comment="​dresist-kgs in count" dst-address=192.168.142.252 out-interface=br1-100 
-add action=passthrough chain=forward comment="​dresist-kgs in count" ​+add action=passthrough chain=forward comment="​count WAN <= Home SSH traffic"​ in-interface=br1 out-interface=ether1 protocol=tcp src-address=192.168.42.164 src-port=22 
-    ​dst-address=192.168.142.252 out-interface=br1-100 +add action=passthrough chain=forward comment="​count WAN => Home SSH traffic"​ dst-address=192.168.42.164 dst-port=22 in-interface=ether1 protocol=tcp 
-add action=passthrough chain=forward comment="​count WAN <= Home SSH traffic" ​+add action=accept chain=forward comment="​allow all DNAT'​ed"​ connection-nat-state=dstnat in-interface-list=WAN 
-    ​in-interface=br1 out-interface=ether1 protocol=tcp src-address=+add action=accept chain=forward comment="​allow RDP to server_2019"​ dst-address=192.168.142.242 dst-port=3389 protocol=tcp 
-    ​192.168.42.164 src-port=22 +add action=drop chain=input comment="​drop invalid connections"​ connection-state=invalid in-interface=ether1 
-add action=passthrough chain=forward comment="​count WAN => Home SSH traffic" ​+add action=drop chain=forward comment="​drop invalid connections forward"​ connection-state=invalid in-interface=ether1 
-    ​dst-address=192.168.42.164 dst-port=22 in-interface=ether1 protocol=tcp +add action=accept chain=input comment="​mktk <- hosts.allow accept"​ in-interface=ether1 src-address-list=hosts.allow 
-add action=accept chain=forward comment="​allow all DNAT'​ed" ​+add action=reject chain=forward comment="​block addr-list_block"​ disabled=yes dst-address-list=addr-list_block reject-with=icmp-network-unreachable 
-    ​connection-nat-state=dstnat in-interface-list=WAN +add action=accept chain=forward comment="​VLANs <= WAN est;​rel"​ connection-state=established,​related in-interface-list=WAN out-interface-list=VLAN 
-add action=accept chain=forward comment="​allow RDP to server_2019" ​+add action=fasttrack-connection chain=forward comment="​FastTrack LAN <=> WAN traffic"​ connection-state=established,​related 
-    ​dst-address=192.168.142.242 dst-port=3389 protocol=tcp +add action=accept chain=forward comment="​LAN <= WAN est;​rel"​ connection-state=established,​related in-interface-list=WAN out-interface-list=LAN 
-add action=drop chain=input comment="​drop invalid connections" ​+add action=accept chain=input comment="​mktk <- WAN est;​rel"​ connection-state=established,​related in-interface=ether1 
-    ​connection-state=invalid in-interface=ether1 +add action=accept chain=forward comment="​LAN => WAN" in-interface-list=LAN out-interface-list=WAN
-add action=drop chain=forward comment="​drop invalid connections forward" ​+
-    ​connection-state=invalid in-interface=ether1 +
-add action=accept chain=input comment="​mktk <- hosts.allow accept" ​+
-    ​in-interface=ether1 src-address-list=hosts.allow +
-add action=reject chain=forward comment="​block addr-list_block"​ disabled=yes ​+
-    ​dst-address-list=addr-list_block reject-with=icmp-network-unreachable +
-add action=accept chain=forward comment="​VLANs <= WAN est;​rel" ​+
-    ​connection-state=established,​related in-interface-list=WAN ​+
-    ​out-interface-list=VLAN +
-add action=fasttrack-connection chain=forward comment=+
-    ​"​FastTrack LAN <=> WAN traffic"​ connection-state=established,​related +
-add action=accept chain=forward comment="​LAN <= WAN est;​rel" ​+
-    ​connection-state=established,​related in-interface-list=WAN ​+
-    ​out-interface-list=LAN +
-add action=accept chain=input comment="​mktk <- WAN est;​rel"​ connection-state=+
-    ​established,​related in-interface=ether1 +
-add action=accept chain=forward comment="​LAN => WAN" in-interface-list=LAN ​+
-    ​out-interface-list=WAN+
 add action=accept chain=input comment="​mktk <- LAN" in-interface=br1 add action=accept chain=input comment="​mktk <- LAN" in-interface=br1
-add action=jump chain=input comment="​catch new UDP connections" ​+add action=jump chain=input comment="​catch new UDP connections"​ connection-state=new dst-port=500,​4500,​1701,​53 in-interface-list=WAN jump-target=anti-bruteforce protocol=udp src-address-list=!hosts.allow 
-    ​connection-state=new dst-port=500,​4500,​1701,​53 in-interface-list=WAN ​+add action=jump chain=input comment="​catch new TCP connections"​ connection-state=new dst-port=1723,​22,​3389,​8291,​53 in-interface-list=WAN jump-target=anti-bruteforce protocol=tcp 
-    ​jump-target=anti-bruteforce protocol=udp src-address-list=!hosts.allow +add action=jump chain=input comment="​all input jump to anti-bruteforce chain" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1 jump-target=anti-bruteforce src-address-list=!hosts.allow 
-add action=jump chain=input comment="​catch new TCP connections" ​+add action=return chain=anti-bruteforce comment="​return (allow) some catched connections back to main firewall flow" dst-limit=3/​1m,​3,​src-address/​2m 
-    ​connection-state=new dst-port=1723,​22,​3389,​8291,​53 in-interface-list=WAN ​+add action=add-src-to-address-list address-list=block-bruteforce address-list-timeout=1w chain=anti-bruteforce comment="​add bruteforce IP to block-list"​ 
-    ​jump-target=anti-bruteforce protocol=tcp +add action=accept chain=forward comment="​torrent@odroid (UDP)" dst-address=192.168.42.252 dst-port=51413 protocol=udp 
-add action=jump chain=input comment="​all input jump to anti-bruteforce chain" ​+add action=accept chain=forward comment="​torrent@odroid (TCP)" dst-address=192.168.42.252 dst-port=51413 protocol=tcp 
-    ​connection-nat-state=!dstnat connection-state=new disabled=yes ​+add action=accept chain=forward comment="​web-share @odroid"​ dst-address=192.168.42.252 dst-port=8082 protocol=tcp 
-    ​in-interface=ether1 jump-target=anti-bruteforce src-address-list=+add action=accept chain=forward comment="​torrent@desktop (UDP)" dst-address=192.168.42.250 dst-port=14241 protocol=udp 
-    ​!hosts.allow +add action=accept chain=forward comment="​torrent@desktop (TCP)" dst-address=192.168.42.250 dst-port=14241 protocol=tcp 
-add action=return chain=anti-bruteforce comment=+add action=accept chain=forward comment="​VPN => WAN" in-interface-list=VPN out-interface-list=WAN 
-    ​"​return (allow) some catched connections back to main firewall flow" ​+add action=accept chain=forward comment="​VPN <= WAN est;​rel"​ connection-state=established,​related in-interface-list=WAN out-interface-list=VPN 
-    ​dst-limit=3/​1m,​3,​src-address/​2m +add action=accept chain=forward comment="​i2p <= WAN (tcp)" dst-address=192.168.142.253 dst-port=15084 protocol=tcp 
-add action=add-src-to-address-list address-list=block-bruteforce ​+add action=accept chain=forward comment="​i2p <= WAN (udp)" dst-address=192.168.142.253 dst-port=15084 protocol=udp
-    ​address-list-timeout=1w chain=anti-bruteforce comment=+
-    ​"add bruteforce IP to block-list"​ +
-add action=accept chain=forward comment="​torrent@odroid (UDP)" dst-address=+
-    ​192.168.42.252 dst-port=51413 protocol=udp +
-add action=accept chain=forward comment="​torrent@odroid (TCP)" dst-address=+
-    ​192.168.42.252 dst-port=51413 protocol=tcp +
-add action=accept chain=forward comment="​web-share @odroid"​ dst-address=+
-    ​192.168.42.252 dst-port=8082 protocol=tcp +
-add action=accept chain=forward comment="​torrent@desktop (UDP)" dst-address=+
-    ​192.168.42.250 dst-port=14241 protocol=udp +
-add action=accept chain=forward comment="​torrent@desktop (TCP)" dst-address=+
-    ​192.168.42.250 dst-port=14241 protocol=tcp +
-add action=accept chain=forward comment="​VPN => WAN" in-interface-list=VPN ​+
-    ​out-interface-list=WAN +
-add action=accept chain=forward comment="​VPN <= WAN est;​rel" ​+
-    ​connection-state=established,​related in-interface-list=WAN ​+
-    ​out-interface-list=VPN +
-add action=accept chain=forward comment="​i2p <= WAN (tcp)" dst-address=+
-    ​192.168.142.253 dst-port=15084 protocol=tcp +
-add action=accept chain=forward comment="​i2p <= WAN (udp)" dst-address=+
-    ​192.168.142.253 dst-port=15084 protocol=udp+
 add action=accept chain=input comment="​mktk <- VPN" in-interface-list=VPN add action=accept chain=input comment="​mktk <- VPN" in-interface-list=VPN
-add action=accept chain=forward comment="​LAN <= VPN" in-interface-list=VPN ​+add action=accept chain=forward comment="​LAN <= VPN" in-interface-list=VPN out-interface-list=LAN 
-    ​out-interface-list=LAN +add action=accept chain=forward comment="​LAN => VPN" in-interface-list=LAN out-interface-list=VPN 
-add action=accept chain=forward comment="​LAN => VPN" in-interface-list=LAN ​+add action=accept chain=forward comment="​VPN <=> VPN" in-interface-list=VPN out-interface-list=VPN 
-    ​out-interface-list=VPN +add action=accept chain=forward comment="​SSH odroid <= WAN" dst-address=192.168.42.252 dst-port=22 in-interface=ether1 protocol=tcp 
-add action=accept chain=forward comment="​VPN <=> VPN" in-interface-list=VPN ​+add action=accept chain=forward comment=Nextcloud dst-address=192.168.42.103 dst-port=443,​80 in-interface=ether1 protocol=tcp 
-    ​out-interface-list=VPN +add action=accept chain=forward comment="​SSH ubuntu <= WAN" dst-address=192.168.42.164 dst-port=22 in-interface=ether1 protocol=tcp 
-add action=accept chain=forward comment="​SSH odroid <= WAN" dst-address=+add action=accept chain=forward comment="​LAN <=> LAN (for hairpin)"​ in-interface-list=LAN out-interface-list=LAN 
-    ​192.168.42.252 dst-port=22 in-interface=ether1 protocol=tcp +add action=accept chain=forward comment="​VLANs => WAN" in-interface-list=VLAN out-interface-list=WAN 
-add action=accept chain=forward comment=Nextcloud dst-address=192.168.42.103 ​+add action=accept chain=forward comment="​LAN => VLAN" in-interface-list=LAN out-interface-list=VLAN 
-    ​dst-port=443,​80 in-interface=ether1 protocol=tcp +add action=accept chain=forward comment="​LAN <= VLAN est;​rel"​ connection-state=established,​related in-interface-list=VLAN out-interface-list=LAN 
-add action=accept chain=forward comment="​SSH ubuntu <= WAN" dst-address=+add action=accept chain=input comment="​mktk <- PPTP (server)"​ dst-port=1723 in-interface=ether1 protocol=tcp 
-    ​192.168.42.164 dst-port=22 in-interface=ether1 protocol=tcp +add action=accept chain=input comment="​mktk <- pptp (server@gre)"​ in-interface=ether1 protocol=gre 
-add action=accept chain=forward comment="​LAN <=> LAN (for hairpin)" ​+add action=accept chain=input comment="​allow L2TP/ipsec input (from mobile)"​ dst-port=1701,​500,​4500 in-interface=ether1 protocol=udp 
-    ​in-interface-list=LAN out-interface-list=LAN +add action=accept chain=input comment="​input ICMP from ip4market for 6-to-4 tunnel"​ protocol=icmp src-address=193.0.203.203 
-add action=accept chain=forward comment="​VLANs => WAN" in-interface-list=VLAN ​+add action=accept chain=input comment="​input ICMP from HE.NET for 6-to-4 tunnel"​ protocol=icmp src-address=66.220.2.74 
-    ​out-interface-list=WAN +add action=accept chain=input comment="​mktk <- ether1 ​  ​BTest-server TCP" disabled=yes dst-port=2000 in-interface=ether1 protocol=tcp 
-add action=accept chain=forward comment="​LAN => VLAN" in-interface-list=LAN ​+add action=accept chain=input comment="​mktk <- BTest-server UDP2000"​ disabled=yes dst-port=2000 in-interface=ether1 protocol=udp
-    ​out-interface-list=VLAN +
-add action=accept chain=forward comment="​LAN <= VLAN est;​rel" ​+
-    ​connection-state=established,​related in-interface-list=VLAN ​+
-    ​out-interface-list=LAN +
-add action=accept chain=input comment="​mktk <- PPTP (server)"​ dst-port=1723 ​+
-    ​in-interface=ether1 protocol=tcp +
-add action=accept chain=input comment="​mktk <- pptp (server@gre)" ​+
-    ​in-interface=ether1 protocol=gre +
-add action=accept chain=input comment="​allow L2TP/ipsec input (from mobile)" ​+
-    ​dst-port=1701,​500,​4500 in-interface=ether1 protocol=udp +
-add action=accept chain=input comment=+
-    ​"input ICMP from ip4market for 6-to-4 tunnel"​ protocol=icmp src-address=+
-    ​193.0.203.203 +
-add action=accept chain=input comment=+
-    ​"input ICMP from HE.NET for 6-to-4 tunnel"​ protocol=icmp src-address=+
-    ​66.220.2.74 +
-add action=accept chain=input comment="​mktk <- ether1 ​  ​BTest-server TCP" ​+
-    ​disabled=yes dst-port=2000 in-interface=ether1 protocol=tcp +
-add action=accept chain=input comment="​mktk <- BTest-server UDP2000" ​+
-    ​disabled=yes dst-port=2000 in-interface=ether1 protocol=udp+
 add action=drop chain=forward add action=drop chain=forward
 add action=drop chain=input add action=drop chain=input