Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » router » mikrotik_fw
Trace:
networking:router:mikrotik_fw

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
networking:router:mikrotik_fw [2021/03/10 07:58]
gcooper 		networking:router:mikrotik_fw [2022/07/22 10:06] (current)
gcooper
Line 1: Line 1:
 ====== Mikrotik RouterOS Firewall ====== ====== Mikrotik RouterOS Firewall ======
- 
-FIXME Need evaluate these scripts: 
- 
-**Free**: https://rickfreyconsulting.com/rfc-mikrotik-firewall-6-1-for-ipv4-free-version/ 
- 
-**Lite Free**: https://rickfreyconsulting.com/rick-freys-basic-mikrotik-firewall-rev-6-1-for-ipv4-lite-edition-3/ 
- 
-http://wiki.mikrotik.com/wiki/Protecting_your_customers 
  
 ===== Denial of Service ===== ===== Denial of Service =====
Line 33: Line 25:
 ===== Destination NAT (Port Forwarding) Examples ===== ===== Destination NAT (Port Forwarding) Examples =====
  
-:!: "Destination NATis often called "Port Forwarding".+:!: ''Destination NAT'' is often called ''Port Forwarding''.
  
-:!: With Mikrotik RouterOS, you don't have to add a separate firewall rule for forwarded ports.+:!: With Mikrotik RouterOS, you do not add an explicit ''accept'' firewall rule for forwarded ports as ''accept'' is implied.
  
 <file> <file>
Line 54: Line 46:
 http://forum.mikrotik.com/viewtopic.php?f=2&t=11368 http://forum.mikrotik.com/viewtopic.php?f=2&t=11368
  
-Normal 'masquerade' source NAT uses the address of the outbound interface as the external IP:+Normal ''masquerade'' source NAT uses the address of the outbound interface as the external IP:
  
 <file> <file>
 /ip firewall nat /ip firewall nat
- +add action=masquerade chain=srcnat comment="Masquerade (NAT) - Last NAT Rule" out-interface=ether1
-add action=masquerade chain=srcnat comment="Masquerade (NAT)" out-interface=ether1+
 </file> </file>
  
Line 83: Line 74:
  
 ===== Basic Firewall ===== ===== Basic Firewall =====
 +
 +FIXME This basic firewall script needs modernization, probably based on the newer default Mikrotik firewall.
  
 Firewall/Router: http://gregsowell.com/?p=4013 Firewall/Router: http://gregsowell.com/?p=4013
Line 150: Line 143:
  
 http://wiki.mikrotik.com/wiki/Port_Knocking http://wiki.mikrotik.com/wiki/Port_Knocking
 +
 +==== Country Code ====
 +
 +:!: This is probably **for more powerful routers with lots of RAM** as it could add many rules.
 +
 +:!: You probably want to put the rules **near the top** of the list.
 +
 +**Country Code List**: https://mikrotikconfig.com/firewall/
 +
 +  - **Create the script/list** of countries to be blocked using the above web site
 +  - **Copy the ''IP-Firewall-Address-List.rsc'' file** to the Mikrotik
 +  - **Import the script**
 +  - **Create a firewall rule** referencing the new address list
 +
 +<file>
 +/import IP-Firewall-Address-List.rsc
 +/ip firewall filter
 +add action=drop chain=input comment="Drop traffic by CC - Input chain" in-interface=ether1 log=yes \
 +    log-prefix="DROP BY CC" src-address-list=CountryIPBlocks
 +add action=drop chain=forward comment="Drop traffic by CC - Forward chain" in-interface=ether1 log=yes \
 +    log-prefix="DROP BY CC" src-address-list=CountryIPBlocks
 +</file>
  
 ==== FTP ==== ==== FTP ====
networking/router/mikrotik_fw.1615388281.txt.gz · Last modified: 2021/03/10 07:58 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki