networking:router:mikrotik_fw

Differences

networking:router:mikrotik_fw [2014/06/03 11:33]
gcooper
networking:router:mikrotik_fw [2022/07/22 10:06] (current)
gcooper
Line 1: Line 1:
 ====== Mikrotik RouterOS Firewall ====== ====== Mikrotik RouterOS Firewall ======
- 
-http://wiki.mikrotik.com/wiki/Protecting_your_customers 
  
 ===== Denial of Service ===== ===== Denial of Service =====
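Review bot: the Protecting_your_customers link was the only reference in the page intro and is dropped without a replacement, so the title now runs straight into the Denial of Service heading; if it was removed because the wiki.mikrotik.com page moved, keep a pointer to its successor (or a sentence saying the original is gone) so readers still have a starting reference.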
Line 27: Line 25:
 ===== Destination NAT (Port Forwarding) Examples ===== ===== Destination NAT (Port Forwarding) Examples =====
  
-:!: "Destination NATis often called "Port Forwarding".+:!: ''Destination NAT'' is often called ''Port Forwarding''.
  
-:!: With Mikrotik RouterOS, you don't have to add a separate firewall rule for forwarded ports.+:!: With Mikrotik RouterOS, you do not add an explicit ''accept'' firewall rule for forwarded ports as ''accept'' is implied.
  
 <file> <file>
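Review bot: "accept is implied" overstates what dst-nat does; a DNATed connection still traverses the forward chain and gets through only if that chain does not drop it (the stock RouterOS firewall achieves this by dropping only connection-nat-state=!dstnat new connections from WAN). Suggest wording such as "you do not need a separate accept rule as long as your forward chain does not drop DNATed new connections", so a reader with a stricter forward chain is not surprised.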
Line 48: Line 46:
 http://forum.mikrotik.com/viewtopic.php?f=2&t=11368 http://forum.mikrotik.com/viewtopic.php?f=2&t=11368
  
-Normal 'masquerade' source NAT uses the address of the outbound interface as the external IP:+Normal ''masquerade'' source NAT uses the address of the outbound interface as the external IP:
  
 <file> <file>
 /ip firewall nat /ip firewall nat
- +add action=masquerade chain=srcnat comment="Masquerade (NAT) - Last NAT Rule" out-interface=ether1
-add action=masquerade chain=srcnat comment="Masquerade (NAT)" out-interface=ether1+
 </file> </file>
  
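Review bot: the new comment "Last NAT Rule" states an ordering requirement that a bare `add` only satisfies on a router with no other srcnat rules; srcnat is first-match, so any more specific srcnat rule added afterwards lands below the masquerade and never fires. Suggest saying in the prose that this rule must be kept last, and consider adding a src-address= restriction for the LAN range so that only LAN-originated traffic is masqueraded out ether1.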
Line 77: Line 74:
  
 ===== Basic Firewall ===== ===== Basic Firewall =====
 +
 +FIXME This basic firewall script needs modernization, probably based on the newer default Mikrotik firewall.
  
 Firewall/Router: http://gregsowell.com/?p=4013 Firewall/Router: http://gregsowell.com/?p=4013
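Review bot: the FIXME gives the reader nothing to act on; say which of the rules that follow are known to be outdated and point at the rule set it should be modernised against (the default configuration's rules, as shown by /ip firewall filter print on a freshly reset router), otherwise the section is flagged as stale with no guidance on what to change.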
Line 144: Line 143:
  
 http://wiki.mikrotik.com/wiki/Port_Knocking http://wiki.mikrotik.com/wiki/Port_Knocking
 +
 +==== Country Code ====
 +
 +:!: This is probably **for more powerful routers with lots of RAM** as it could add many rules.
 +
 +:!: You probably want to put the rules **near the top** of the list.
 +
 +**Country Code List**: https://mikrotikconfig.com/firewall/
 +
 +  - **Create the script/list** of countries to be blocked using the above web site
 +  - **Copy the ''IP-Firewall-Address-List.rsc'' file** to the Mikrotik
 +  - **Import the script**
 +  - **Create a firewall rule** referencing the new address list
 +
 +<file>
 +/import IP-Firewall-Address-List.rsc
 +/ip firewall filter
 +add action=drop chain=input comment="Drop traffic by CC - Input chain" in-interface=ether1 log=yes \
 +    log-prefix="DROP BY CC" src-address-list=CountryIPBlocks
 +add action=drop chain=forward comment="Drop traffic by CC - Forward chain" in-interface=ether1 log=yes \
 +    log-prefix="DROP BY CC" src-address-list=CountryIPBlocks
 +</file>
  
 ==== FTP ==== ==== FTP ====
  
-:!: The block rule must be before rules allowing established connections or it will not function.+:!: The block rule must be **before rules allowing established connections** or it will not function.
  
 :!: This FTP configuration actually looks into the FTP data to see the 530 code. :!: This FTP configuration actually looks into the FTP data to see the 530 code.
  
-:!: This appears to be specific to the Mikrotik FTP service (content) and requires the FTP service be enabled to function.  If forwarding FTP inward, you might have to change the ''content='' specification.+:!: This appears to be specific to the response of the Mikrotik FTP service (''content=''to a failed login attempt and requires the FTP service be enabled to function.  If forwarding FTP inward, you might have to change the ''content='' specification.
  
-:!: To have the attacker blocked completely, you can probably just remove the ''dst-port=21'' and the ''protocol=tcp'' in the drop rules.+:!: **To have the attacker blocked completely**, you can probably just **remove** the ''dst-port=21'' and the ''protocol=tcp'' in the **drop rules**.
  
 This example allows only 10 FTP login incorrect answers per minute, then bans the attacker (from FTP) for 10 days: This example allows only 10 FTP login incorrect answers per minute, then bans the attacker (from FTP) for 10 days:
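Review bot: the Country Code rules contradict the note just above them: both are plain `add` commands without `place-before`, so they are appended at the bottom of the filter list rather than "near the top", and any earlier accept for established/related traffic matches first. Suggest `place-before=0`, as the IPSec rules added in this same revision do. Both rules also set log=yes with no rate limit, which on a busy WAN with a large address list can flood the log and the flash it is written to; consider log=no or a separate logging rule with a limit= matcher. Re-running `/import IP-Firewall-Address-List.rsc` appends to CountryIPBlocks without removing entries that dropped out of the new list, so clear it first with `/ip firewall address-list remove [find list=CountryIPBlocks]`. In the FTP text, the phrase "(''content=''to a failed login attempt" is missing a space after the closing '' and the parenthesis is never closed; suggest "(the ''content='' match is the response to a failed login attempt)".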
Line 169: Line 190:
 </file> </file>
  
-If you want to block downstream access as well, you need to block the with the forward chain:+If you want to block downstream access as well, you need to also block in the forward chain:
  
 <file> <file>
 add chain=forward protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \ add chain=forward protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
-comment="Drop FTP Brute Force Attackers from Downstream Too" disabled=no+comment="Drop FTP Brute Force Attackers from Downstream Too"
 </file> </file>
  
-Then accept FTP traffic not previously blocked:+Then accept new FTP connections not previously blocked:
  
 <file> <file>
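Review bot: the forward-chain drop is added with a bare `add`, so it is appended after whatever forward rules already exist; the section's own note says a block rule must sit before the rules accepting established connections or it will not function, so this rule needs `place-before=` (or manual placement) just like the input-chain rule, otherwise a blacklisted source's existing downstream connection keeps passing.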
Line 371: Line 392:
 connection-state=new dst-port=8291 protocol=tcp src-address-list=!local connection-state=new dst-port=8291 protocol=tcp src-address-list=!local
 </file> </file>
 +
 +===== IPSec =====
 +
 +http://forum.mikrotik.com/viewtopic.php?f=2&t=79151
 +
 +http://superuser.com/questions/679236/mikrotik-firewall-rule-block-all-connection-except-to-vpn-server
 +
 +:!: IPSec traffic is not identifiable in FW rules.  All traffic will appear to come from the WAN (interface the IPSec tunnel is terminated on) and thus, you can't filter specifically on the IPSec traffic.
 +
 +**L2TP/IPSec** uses:
 +
 +  * TCP port 1701
 +    * L2TP
 +  * UDP port 500
 +    * Internet Security Association and Key Management Protocol (ISAKMP)
 +    * To negotiate security method (password, certificate, kerberos)
 +  * AH (Protocol ID 50)
 +    * Authentication Header
 +  * ESP (Protocol ID 51)
 +    * Encapsulated Secure Payload
 +  * UDP Port 4500
 +    * NAT Traversal (NAT-T)
 +
 +Accept L2TP/IPSec connection traffic:
 +
 +:!: These rules could be further limited by interface and/or source address.
 +
 +<file>
 +/ip firewall filter
 +  add chain=input action=accept in-interface=ether1 protocol=tcp dst-port=1701 \
 +    place-before=0 comment="Accept L2TP"
 +  add chain=input action=accept in-interface=ether1 protocol=udp dst-port=500 \
 +    place-before=0 comment="Accept IPSec (ISAKMP)"
 +  add chain=input action=accept in-interface=ether1 protocol=ipsec-esp \
 +    place-before=0 comment="Accept IPSec (ESP)"
 +  add chain=input action=accept in-interface=ether1 protocol=ipsec-ah \
 +    place-before=0 comment="Accept IPSec (AH)"
 +</file>
 +
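Review bot: the L2TP rule will not match real L2TP traffic: L2TP runs over UDP port 1701 (RFC 2661), not TCP, so both the list entry "TCP port 1701" and `protocol=tcp dst-port=1701` should be udp. The protocol numbers in the list are also swapped: ESP is IP protocol 50 and AH is 51, and ESP expands to Encapsulating Security Payload. The list mentions UDP 4500 for NAT-T but no accept rule for it is added, so clients behind NAT will fail to connect; add a matching `protocol=udp dst-port=4500` rule. Finally, the claim that IPSec traffic is not identifiable in firewall rules is too strong: RouterOS filter rules have an ipsec-policy matcher (for example ipsec-policy=in,ipsec) that matches packets decrypted from an IPsec SA, which is the usual way to filter tunnel traffic separately from plain WAN traffic.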
networking/router/mikrotik_fw.1401816810.txt.gz · Last modified: 2014/06/03 11:33 by gcooper