Firewall check

Hi,

I consider myself a beginner when it comes to Mikrotik routers; my friend lent one to me about 2 months ago, and I finally managed to get my own yesterday (RB962UiGS-5HacT2HnT).
I've been reading quite a bit about firewalls, filters and chains in Mikrotik and came up with these firewall filters.

I would really appreciate it if someone could take a look and maybe add/remove/change a few things. "lan.pri" is the address list of my internal network (192.168.10.0/24).

/ip firewall filter
add action=drop chain=input comment="drop blacklisted ip's" src-address-list=Blacklist
add action=drop chain=input comment="drop invalid 'input' packets" connection-state=invalid in-interface=pppoe-isp
add action=drop chain=forward comment="drop invalid 'forward' packets" connection-state=invalid in-interface=pppoe-isp
add action=drop chain=input comment="drop remote dns requests (tcp)" dst-port=53 protocol=tcp src-address-list=!lan.pri
add action=drop chain=input comment="drop remote dns requests (udp)" dst-port=53 protocol=udp src-address-list=!lan.pri
add chain=input comment="allow icmp" protocol=icmp
add chain=input comment="allow ssh on lan.pri" dst-port=22 protocol=tcp src-address-list=lan.pri
add chain=input comment="allow winbox from lan.pri" dst-port=8291 protocol=tcp src-address-list=lan.pri
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="add port scanners to blacklist" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="nmap fin stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="syn/fin scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="syn/rst scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="fin/psh/urg scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="all/all scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="nmap null scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add chain=input comment="allow established,related on input chain" connection-state=established,related
add chain=forward comment="allow established,related on forward chain" connection-state=established,related
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=input comment="drop everything else" in-interface=pppoe-isp
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=pppoe-isp disabled=yes

Regards, js.
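As an added reviewer-side example (not code from the post or from Mikrotik), the small Python linter below parses a subset of the rules above, re-typed inline with straight quotes as constructed sample input, and reports two things a reviewer would check first: which active rules in each chain are evaluated before the established/related accept (every packet of every connection passes through those), and which chains end without a final drop. It assumes only the RouterOS `add key=value` line syntax shown in the post.

```python
import shlex

# Constructed sample: a subset of the poster's rules, one rule per line.
RULES_TEXT = """
add action=drop chain=input comment="drop blacklisted ip's" src-address-list=Blacklist
add action=drop chain=input comment="drop invalid input packets" connection-state=invalid in-interface=pppoe-isp
add action=drop chain=forward comment="drop invalid forward packets" connection-state=invalid in-interface=pppoe-isp
add action=drop chain=input comment="drop remote dns requests (tcp)" dst-port=53 protocol=tcp src-address-list=!lan.pri
add chain=input comment="allow icmp" protocol=icmp
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="nmap null scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add chain=input comment="allow established,related on input chain" connection-state=established,related
add chain=forward comment="allow established,related on forward chain" connection-state=established,related
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=input comment="drop everything else" in-interface=pppoe-isp
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=pppoe-isp disabled=yes
"""


def parse_rules(text):
    """Parse 'add key=value ...' lines into dicts; action defaults to accept, disabled to no."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # handles the double-quoted comment values
        if not tokens or tokens[0] != "add":
            continue
        rule = {"action": "accept", "disabled": "no"}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def rules_before_established(rules, chain):
    """Comments of active rules in `chain` that run before its established/related accept.
    Every packet of every connection is matched against these, so keep them few and cheap."""
    out = []
    for r in rules:
        if r["chain"] != chain or r["disabled"] == "yes":
            continue
        if r["action"] == "accept" and "established" in r.get("connection-state", ""):
            break
        out.append(r.get("comment", "<no comment>"))
    return out


def chains_without_final_drop(rules):
    """Chains whose last active rule is not a drop (RouterOS accepts anything unmatched)."""
    last = {}
    for r in rules:
        if r["disabled"] != "yes":
            last[r["chain"]] = r["action"]
    return sorted(c for c, a in last.items() if a != "drop")
```

Run against the sample, the forward chain is reported because its only drop-everything rule is disabled.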