Audit my firewall

Hi all,
I’m new in the forum and new to Mikrotik.
I’m using my Mikrotik at home and I want to build the best firewall possible to protect my network.

I have created address lists and interface lists to help in my firewall. I have added the suggestions from the Mikrotik support page to protect at the raw level using a bogon IP list.
At the raw level I have added ping flood protection and port scanning protection.
I have two LANs:

  • IPTV (as you can see, it requires some special rules, like allowing multicast traffic)

  • LAN, which I have divided into two /25 subnets to allocate the first range to trusted devices and the second range to other devices, like guests

Here are my multiple questions.
If you use an address list as the source in a rule and you add a negated address in the address field, does it mean that it’s using the address list except for the specified address?
How can I improve my rules that are blocking TCP and UDP ports from the WAN? I have added multiple ports, but RouterOS does not allow me to add more than 15 different ports. Do you have a better port range?
I have added DoS protection, but I’m not sure if it is the best, and maybe I can do better using another chain or other rules to detect it at input and forward.
If I have a rule with destination NAT specifying a source address, I suppose that the port is only forwarded with that IP address as the source and my rule in the forward chain is protecting accordingly.
How can I protect NAT from addresses detected to be malicious?

Thank you so much for your help.
With regards,

/interface list
add comment="LAN IPTV Interface" name=LAN-IPTV
add comment="WAN Interface IPTV" name=WAN-IPTV
add comment="WAN Interfaces" name=WAN
add comment="LAN Interfaces" name=LAN
add comment="All Internal Interfaces" include=LAN,LAN-IPTV name=INTERNAL-ALL
add comment="IPTV - External and Internal Interfaces" include=WAN-IPTV,LAN-IPTV name=IPTV-ALL
add comment="All External Interfaces" include=WAN,WAN-IPTV name=EXT-ALL

/ip firewall address-list
add address=192.168.0.0/25 comment="LAN 0 (Trusted)" list=LAN0-FIABLE
add address=192.168.10.0/24 comment="Red IPTV" list=LAN-IPTV
add address=192.168.0.128/25 comment="LAN 0 (Guest)" list=LAN0-GUEST
add address=192.168.0.0/24 comment="LAN 0 (complete)" list=LAN0
add address=10.10.0.0/24 list=VPN
add address=127.0.0.0/8 comment=RFC6890 list=bad_ipv4
add address=192.0.0.0/24 comment=RFC6890 list=bad_ipv4
add address=192.0.2.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment=RFC6890 list=not_global_ipv4
add address=10.0.0.0/8 comment=RFC6890 list=not_global_ipv4
add address=100.64.0.0/10 comment=RFC6890 list=not_global_ipv4
add address=169.254.0.0/16 comment=RFC6890 list=not_global_ipv4
add address=172.16.0.0/12 comment=RFC6890 list=not_global_ipv4
add address=192.0.0.0/29 comment=RFC6890 list=not_global_ipv4
add address=192.168.0.0/16 comment=RFC6890 list=not_global_ipv4
add address=198.18.0.0/15 comment="RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment=RFC6890 list=not_global_ipv4
add address=224.0.0.0/4 comment=Multicast list=bad_src_ipv4
add address=255.255.255.255 comment=RFC6890 list=bad_src_ipv4
add address=0.0.0.0/8 comment=RFC6890 list=bad_dst_ipv4
add address=224.0.0.0/4 comment=RFC6890 list=bad_dst_ipv4
add address=192.168.0.0/24 comment="LAN 0" list=LAN-ALL
add address=192.168.10.0/24 comment="Red IPTV" list=LAN-ALL
add address=0.0.0.0/8 comment=RFC6890 list=no_forward_ipv4
add address=169.254.0.0/16 comment=RFC6890 list=no_forward_ipv4
add address=224.0.0.0/4 comment=Multicast list=no_forward_ipv4
add address=255.255.255.255 comment=RFC6890 list=no_forward_ipv4

/ip firewall raw
add action=drop chain=prerouting comment="DROP - From Blacklist_CommonPorts" log-prefix="FWALL - BLACKLIST DROP" src-address-list=Blacklist_CommonPorts
add action=drop chain=prerouting comment="DROP EXT-ALL - From PortScanning" in-interface-list=EXT-ALL src-address-list=PortScanning
add action=drop chain=prerouting comment="DROP EXT-ALL - From PingFlood" in-interface-list=EXT-ALL src-address-list=PingFlood
add action=accept chain=prerouting comment="Accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="Drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="Drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="Drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="Drop bogon IP's" dst-address-list=bad_dst_ipv4 in-interface-list=!IPTV-ALL
add action=drop chain=prerouting comment="Drop bogon IP's - IPTV (Exclude multicast)" dst-address=!224.0.0.0/4 dst-address-list=bad_dst_ipv4 in-interface-list=IPTV-ALL
add action=drop chain=prerouting comment="Drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="Drop non global from WAN-IPTV (Exclude Vodafone IPTV addresses)" in-interface-list=WAN-IPTV src-address=!10.0.0.0/8 src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="Drop forward to local lan from WAN" dst-address-list=LAN-ALL in-interface-list=EXT-ALL
add action=drop chain=prerouting comment="Drop local if not from default IP range" in-interface-list=INTERNAL-ALL src-address-list=!LAN-ALL
add action=jump chain=prerouting comment="Jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="Jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=jump chain=prerouting comment="Jump to UDP chain" jump-target=bad_udp protocol=udp
add action=accept chain=prerouting comment="Accept everything else from LAN" in-interface-list=INTERNAL-ALL
add action=accept chain=prerouting comment="Accept everything else from WAN" in-interface-list=EXT-ALL
add action=drop chain=prerouting comment="Drop the rest"
# ***** TCP chain *****
add action=add-src-to-address-list address-list=PortScanning address-list-timeout=1d chain=bad_tcp comment="TCP Filter - Port Scanning" protocol=tcp psd=21,3s,3,1
add action=drop chain=bad_tcp comment="TCP flag filter -> !fin !syn !rst !ack" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="TCP flag filter -> fin syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="TCP flag filter -> fin rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="TCP flag filter -> fin !ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment="TCP flag filter -> fin urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment="TCP flag filter -> syn rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="TCP flag filter -> rst urg" protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="TCP port 0 drop" port=0 protocol=tcp
# ***** UDP chain *****
add action=add-src-to-address-list address-list=PortScanning address-list-timeout=1d chain=bad_udp comment="UDP Filter - Port Scanning" protocol=udp psd=21,3s,3,1
add action=drop chain=bad_udp comment="UDP port 0 drop" port=0 protocol=udp
# ***** ICMP chain *****
# limit=5,10:packet is one bucket shared by every source that hits the rule, not a per-source rate
add action=accept chain=icmp4 comment="ICMP: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="ICMP: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="ICMP: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="ICMP: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="ICMP: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="ICMP: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="ICMP: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
# Only echo requests above the accept limit reach this rule, so it lists flooders. It must sit after
# the limited accept and carry no limit of its own: placed first with limit=5,10:packet it matched
# the packets *within* the limit and listed every normal pinger for a day.
# add-src-to-address-list does not stop rule processing, so the excess still falls through to the final drop.
add action=add-src-to-address-list address-list=PingFlood address-list-timeout=1d chain=icmp4 comment="ICMP: echo (Ping Flood)" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp4 comment="ICMP: time exceeded" icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="ICMP: drop other icmp" protocol=icmp

/ip firewall filter
add action=accept chain=input comment="IN - Accept Winbox" dst-port=XXXXX,XXXXX in-interface-list=LAN protocol=tcp src-address-list=LAN0-FIABLE
# ***** Ports blocked *****
# log-prefix only has an effect on rules that also set log=yes
add action=add-src-to-address-list address-list=Blacklist_CommonPorts address-list-timeout=10h chain=input comment="IN - Add Src to Blacklist (TCP)" connection-state=new dst-port=\
    20-25,80,110,161,443,445,3128,3306,3333,3389,7547,8291,8080-8082 in-interface-list=WAN log-prefix="FWALL- ADD BLACKLIST" protocol=tcp
add action=add-src-to-address-list address-list=Blacklist_CommonPorts address-list-timeout=10h chain=input comment="IN - Add Src to Blacklist (UDP)" connection-state=new dst-port=\
    20-25,53,80,110,161,443,445,3128,3306,3333,3389,7547,8291 in-interface-list=WAN log-prefix="FWALL- ADD BLACKLIST" protocol=udp
# ***** DoS *****
add action=add-src-to-address-list address-list=Blacklist_DoS address-list-timeout=12h chain=input comment="IN - DoS Detect by Limit" connection-limit=150,32 protocol=tcp
add action=tarpit chain=input comment="IN - DoS Tarpit" connection-limit=3,32 protocol=tcp src-address-list=Blacklist_DoS
# ***** Input *****
add action=accept chain=input comment="IN - Accept Established and related" connection-state=established,related
add action=drop chain=input comment="IN - Drop Invalid" connection-state=invalid
add action=accept chain=input comment="IN - Accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="IN WAN - Allow Wireguard" dst-port=65345 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IN WAN IPTV - Allow IPTV Multicast UDP" in-interface-list=WAN-IPTV protocol=udp
add action=accept chain=input comment="IN WAN IPTV - Accept IGMP" in-interface-list=WAN-IPTV protocol=igmp
add action=accept chain=input comment="IN LAN - Accept 53 UDP (DNS)" dst-port=53 protocol=udp src-address-list=LAN0
add action=accept chain=input comment="IN LAN IPTV - Allow IGMP" protocol=igmp src-address-list=LAN-IPTV
add action=accept chain=input comment="IN LAN IPTV - Allow UDP" protocol=udp src-address-list=LAN-IPTV
add action=drop chain=input comment="IN - Drop all not coming from LAN" log=yes log-prefix="FWALL - IN DROP" src-address-list=!LAN0-FIABLE
# ***** Forward *****
add action=fasttrack-connection chain=forward comment="FW - FastTrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="FW - Accept Established and related" connection-state=established,related
add action=drop chain=forward comment="FW - Drop Invalid" connection-state=invalid
add action=reject chain=forward comment="FW - Reject From LAN-GUEST. Only allow WAN" out-interface-list=!EXT-ALL reject-with=icmp-network-unreachable src-address-list=LAN0-GUEST
add action=accept chain=forward comment="FW WAN IPTV - Allow IPTV Multicast UDP" in-interface-list=WAN-IPTV protocol=udp
add action=drop chain=forward comment="FW - Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=EXT-ALL log-prefix="FWALL - FW DROP"
add action=drop chain=forward comment="Drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop bad forward IPs" dst-address-list=no_forward_ipv4

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT - WAN-IPTV" out-interface-list=WAN-IPTV
add action=masquerade chain=srcnat comment="NAT - WAN" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="SFTP" dst-port=XXXXX in-interface-list=WAN protocol=tcp src-address=XX.XX.XX.XX to-addresses=XX.XX.XX.XX to-ports=XXXXXX
add action=dst-nat chain=dstnat comment=OpenVPN dst-port=XXXXX in-interface-list=WAN protocol=udp to-addresses=XX.XX.XX.XX to-ports=XXXXXX
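An added worked example for the "more than 15 different ports" question; this is not code from the post or from MikroTik. RouterOS takes a comma-separated mix of single ports and ranges in one dst-port matcher, but only up to 15 entries, so a longer blocklist has to be spread over several otherwise identical rules. The helpers below parse an existing dst-port value, merge consecutive ports into ranges (fewer entries), split the result into groups of 15 and render one rule per group in the shape of the blacklist rules above. The extra ports in the demo are constructed, not taken from the post.

```python
"""Pack a port blocklist into RouterOS dst-port matchers of at most 15 entries."""
from typing import Iterable, List, Set

MAX_ENTRIES_PER_RULE = 15  # per-matcher limit stated in the post for dst-port


def parse_ports(value: str) -> Set[int]:
    """Expand a RouterOS port expression such as "20-25,80,443" into a set of ports."""
    ports: Set[int] = set()
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        lo, _, hi = entry.partition("-")
        start, end = int(lo), int(hi or lo)
        if not (0 <= start <= end <= 65535):
            raise ValueError(f"invalid port entry: {entry!r}")
        ports.update(range(start, end + 1))
    return ports


def merge_ranges(ports: Iterable[int]) -> List[str]:
    """Sort and deduplicate ports, collapsing consecutive runs into "a-b" entries."""
    entries: List[str] = []
    sorted_ports = sorted(set(ports))
    i = 0
    while i < len(sorted_ports):
        start = end = sorted_ports[i]
        while i + 1 < len(sorted_ports) and sorted_ports[i + 1] == end + 1:
            i += 1
            end = sorted_ports[i]
        entries.append(str(start) if start == end else f"{start}-{end}")
        i += 1
    return entries


def chunk(entries: List[str], size: int = MAX_ENTRIES_PER_RULE) -> List[str]:
    """Join entries into dst-port values that each stay within the per-rule limit."""
    return [",".join(entries[i:i + size]) for i in range(0, len(entries), size)]


def build_rules(ports: Iterable[int], protocol: str,
                address_list: str = "Blacklist_CommonPorts",
                timeout: str = "10h", iface_list: str = "WAN") -> List[str]:
    """Render one add-src-to-address-list input rule per group, mirroring the posted rules."""
    rules: List[str] = []
    for n, value in enumerate(chunk(merge_ranges(ports)), start=1):
        rules.append(
            "add action=add-src-to-address-list"
            f" address-list={address_list} address-list-timeout={timeout}"
            f' chain=input comment="IN - Add Src to Blacklist ({protocol.upper()} {n})"'
            f" connection-state=new dst-port={value}"
            f" in-interface-list={iface_list} protocol={protocol}"
        )
    return rules


if __name__ == "__main__":
    # The TCP list from the post plus constructed extra ports that push it past 15 entries.
    posted = "20-25,80,110,161,443,445,3128,3306,3333,3389,7547,8291,8080-8082"
    extra = {21, 22, 23, 135, 137, 138, 139, 1433, 1434, 5900, 5901, 5985, 5986, 8443, 9200}
    for rule in build_rules(parse_ports(posted) | extra, "tcp"):
        print(rule)
```

Paste the printed lines into `/ip firewall filter`; because every generated rule adds to the same address list, the single raw drop on `Blacklist_CommonPorts` keeps covering all of them.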

I am a minimalist.
See the firewall here: https://forum.mikrotik.com/viewtopic.php?t=180838
Basically, remove all your raw and other assorted bloatware rules and simply
have a drop rule at the end of both input and forward chains.

Note: Para 3 talks about interface lists…
and no, it’s better to set clear ALLOW traffic rules and avoid the ! symbol.

Too much copy and paste from YouTube…
add address=0.0.0.0/8 comment=RFC6890 list=no_forward_ipv4
add address=255.255.255.255 comment=RFC6890 list=no_forward_ipv4
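An added example, not code from either poster or from MikroTik, showing what the `!` in the posted raw rules actually evaluates to (the first question in the opening post). Every matcher on one RouterOS rule must hold for the rule to fire (they are ANDed), and a leading `!` inverts only that one matcher. The two rules below are transcribed from the posted raw chain and the address lists and interface lists are copied from the posted configuration; the packets are constructed. The evaluator models only the five matcher types those two rules use, and it assumes a packet's `in` field names the leaf interface list its ingress interface belongs to.

```python
"""Evaluate RouterOS-style address and interface-list matchers, negation included."""
import ipaddress

# Address lists as posted (only the two the evaluated rules reference).
ADDRESS_LISTS = {
    "not_global_ipv4": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
                        "172.16.0.0/12", "192.0.0.0/29", "192.168.0.0/16",
                        "198.18.0.0/15", "255.255.255.255"],
    "bad_dst_ipv4": ["0.0.0.0/8", "224.0.0.0/4"],
}

# Interface lists as posted: list name -> interface lists it includes.
INTERFACE_LISTS = {
    "WAN": set(), "WAN-IPTV": set(), "LAN": set(), "LAN-IPTV": set(),
    "INTERNAL-ALL": {"LAN", "LAN-IPTV"},
    "IPTV-ALL": {"WAN-IPTV", "LAN-IPTV"},
    "EXT-ALL": {"WAN", "WAN-IPTV"},
}

# Rules transcribed from the posted /ip firewall raw prerouting chain.
DROP_NON_GLOBAL_WAN_IPTV = {  # "Drop non global from WAN-IPTV (Exclude Vodafone IPTV addresses)"
    "in-interface-list": "WAN-IPTV",
    "src-address": "!10.0.0.0/8",
    "src-address-list": "not_global_ipv4",
}
DROP_BAD_DST_IPTV = {  # "Drop bogon IP's - IPTV (Exclude multicast)"
    "in-interface-list": "IPTV-ALL",
    "dst-address": "!224.0.0.0/4",
    "dst-address-list": "bad_dst_ipv4",
}


def in_address_list(address: str, list_name: str) -> bool:
    """True if the address falls inside any prefix of the named address list."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(prefix) for prefix in ADDRESS_LISTS[list_name])


def in_interface_list(interface_list: str, wanted: str) -> bool:
    """True if the packet's ingress list is `wanted` itself or is included by it."""
    return interface_list == wanted or interface_list in INTERFACE_LISTS[wanted]


def matcher_holds(key: str, value: str, packet: dict) -> bool:
    """Evaluate one matcher; a leading '!' inverts the result of that matcher only."""
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    if key == "src-address":
        hit = ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(value)
    elif key == "dst-address":
        hit = ipaddress.ip_address(packet["dst"]) in ipaddress.ip_network(value)
    elif key == "src-address-list":
        hit = in_address_list(packet["src"], value)
    elif key == "dst-address-list":
        hit = in_address_list(packet["dst"], value)
    elif key == "in-interface-list":
        hit = in_interface_list(packet["in"], value)
    else:
        raise ValueError(f"matcher not modelled: {key}")
    return hit != negated


def rule_matches(rule: dict, packet: dict) -> bool:
    """A rule fires only when every matcher holds (logical AND), negated ones included."""
    return all(matcher_holds(key, value, packet) for key, value in rule.items())


if __name__ == "__main__":
    # Constructed packets: the same RFC 1918 source from two interface lists, plus the
    # 10/8 carve-out that the negated src-address keeps out of the drop.
    samples = [
        ("172.16/12 source on WAN-IPTV", {"in": "WAN-IPTV", "src": "172.16.5.5", "dst": "203.0.113.10"}),
        ("10/8 source on WAN-IPTV (excluded by !)", {"in": "WAN-IPTV", "src": "10.20.30.40", "dst": "203.0.113.10"}),
        ("public source on WAN-IPTV", {"in": "WAN-IPTV", "src": "8.8.8.8", "dst": "203.0.113.10"}),
        ("172.16/12 source but on WAN", {"in": "WAN", "src": "172.16.5.5", "dst": "203.0.113.10"}),
    ]
    for text, pkt in samples:
        print(f"{text:42s} drop non-global fires: {rule_matches(DROP_NON_GLOBAL_WAN_IPTV, pkt)}")
```

So `src-address=!10.0.0.0/8 src-address-list=not_global_ipv4` means "in the list AND not in 10.0.0.0/8", which is exactly the carve-out the IPTV rule needs; the cost the minimalist reply points at is readability, since a reader has to hold both matchers in mind to see what the rule excludes.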

Thanks for the URL, I’ll take a look at that. There are few differences from mine, except RAW and my rules for the IPTV LAN. I thought that using raw rules was a good option because you can drop everything bad at the first level to consume fewer resources.

These rules are from the Mikrotik official help page. I was reading the documentation about the advanced firewall.
0.0.0.0/8 is a reserved address range (only valid as source)
255.255.255.255 is reserved for multicast.

Thanks for your help.