Differences

This shows you the differences between two versions of the page.

--- networking:router:mikrotik_fw [2014/07/06 14:26]
gcooper
+++ networking:router:mikrotik_fw [2022/07/22 10:06] (current)
gcooper
@@ Line 1: / Line 1: @@
 ====== Mikrotik RouterOS Firewall ======
-http://wiki.mikrotik.com/wiki/Protecting_your_customers
 ===== Denial of Service =====
@@ Line 27: / Line 25: @@
 ===== Destination NAT (Port Forwarding) Examples =====
-:!: "Destination NAT" is often called "Port Forwarding".
+:!: ''Destination NAT'' is often called ''Port Forwarding''.
-:!: With Mikrotik RouterOS, you don't have to add a separate firewall rule for forwarded ports.
+:!: With Mikrotik RouterOS, you do not add an explicit ''accept'' firewall rule for forwarded ports as ''accept'' is implied.
 <file>
@@ Line 48: / Line 46: @@
 http://forum.mikrotik.com/viewtopic.php?f=2&t=11368
-Normal 'masquerade' source NAT uses the address of the outbound interface as the external IP:
+Normal ''masquerade'' source NAT uses the address of the outbound interface as the external IP:
 <file>
 /ip firewall nat
+add action=masquerade chain=srcnat comment="Masquerade (NAT) - Last NAT Rule" out-interface=ether1
-add action=masquerade chain=srcnat comment="Masquerade (NAT)" out-interface=ether1
 </file>
@@ Line 77: / Line 74: @@
 ===== Basic Firewall =====
+FIXME This basic firewall script needs modernization, probably based on the newer default Mikrotik firewall.
 Firewall/Router: http://gregsowell.com/?p=4013
@@ Line 144: / Line 143: @@
 http://wiki.mikrotik.com/wiki/Port_Knocking
+==== Country Code ====
+:!: This is probably **for more powerful routers with lots of RAM** as it could add many rules.
+:!: You probably want to put the rules **near the top** of the list.
+**Country Code List**: https://mikrotikconfig.com/firewall/
+  - **Create the script/list** of countries to be blocked using the above web site
+  - **Copy the ''IP-Firewall-Address-List.rsc'' file** to the Mikrotik
+  - **Import the script**
+  - **Create a firewall rule** referencing the new address list
+<file>
+/import IP-Firewall-Address-List.rsc
+/ip firewall filter
+add action=drop chain=input comment="Drop traffic by CC - Input chain" in-interface=ether1 log=yes \
+    log-prefix="DROP BY CC" src-address-list=CountryIPBlocks
+add action=drop chain=forward comment="Drop traffic by CC - Forward chain" in-interface=ether1 log=yes \
+    log-prefix="DROP BY CC" src-address-list=CountryIPBlocks
+</file>
 ==== FTP ====
@@ Line 153: / Line 174: @@
 :!: This appears to be specific to the response of the Mikrotik FTP service (''content='') to a failed login attempt and requires the FTP service be enabled to function.  If forwarding FTP inward, you might have to change the ''content='' specification.
-:!: To have the attacker blocked completely, you can probably just remove the ''dst-port=21'' and the ''protocol=tcp'' in the drop rules.
+:!: **To have the attacker blocked completely**, you can probably just **remove** the ''dst-port=21'' and the ''protocol=tcp'' in the **drop rules**.
 This example allows only 10 FTP login incorrect answers per minute, then bans the attacker (from FTP) for 10 days:
@@ Line 394: / Line 415: @@
     * NAT Traversal (NAT-T)
-Accept L2TP/IPSec:
+Accept L2TP/IPSec connection traffic:
 :!: These rules could be further limited by interface and/or source address.

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools