Firewall Filters

Hi,

Was wondering if someone could look over my firewall filters and point out any errors or issues that may arise, and also anything I have missed.

Credit to multiple people/posts/wikis that I have compiled this from...

ZZZ.ZZZ.ZZZ.ZZZ is my internal subnet

YYY.YYY.YYY.YYY is my VPN subnet

I did this so other people could do an easy find-replace

/ip firewall filter
add action=drop chain=input comment="Dropping Port Scanners" in-interface=WAN src-address-list="port scanners"
add action=drop chain=input comment="Drop SSH Bruteforcers" dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="Drop FTP on WAN" dst-port=21 in-interface=WAN protocol=tcp
add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid
add action=tarpit chain=input comment="Suppress DoS Attack" connection-limit=3,32 in-interface=WAN protocol=tcp src-address-list=black_list
add action=jump chain=input comment="Jump for ICMP Input Flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="Detect DoS Attack" connection-limit=10,32 in-interface=WAN protocol=tcp
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="Protect against DoS Attack" connection-limit=50,32 in-interface=WAN protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="List IPs who try remote login" dst-port=20-23 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=6w chain=input comment="Add to SSH Bruteforce Blacklist" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 3" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 2" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 1" connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add Port Scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN Scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST Scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG Scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=jump chain=forward comment="Jump for ICMP forward flow" jump-target=ICMP protocol=icmp
add chain=input comment="Allow Local WinBox" dst-port=8291 in-interface=!WAN protocol=tcp
add chain=input comment="Allow API Internally" dst-port=8728 in-interface=!WAN protocol=tcp
add chain=input comment="Allow SSH" dst-port=22 protocol=tcp
add chain=input comment="Accept VPN GRE" in-interface=WAN protocol=gre
add chain=input comment="Accept VPN" dst-port=1723 in-interface=WAN protocol=tcp
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add chain=forward comment="Allow Already Established Connections" connection-state=established
add chain=forward comment="Allow Related Connections" connection-state=related
add chain=input comment="Allow Established Connections" connection-state=established
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add chain=input comment="Accept LAN" in-interface=!WAN src-address=ZZZ.ZZZ.ZZZ.ZZZ/ZZ
add chain=input comment="Accept VPN" in-interface=!WAN src-address=YYY.YYY.YYY.YYY/YY
add action=drop chain=input comment="Drop Everything Else"
add chain=ICMP comment="Echo Request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo Reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination Unreachable" icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for ICMP output" jump-target=ICMP protocol=icmp

Thanks!

You are missing a drop rule on your forward chain, and also an allowance from inside.
Also, for easy reading, I suggest sorting the rules per chain, and then in the needed order.
Also, I suggest putting the drop invalid on the input chain almost first.

Great, thanks for that, I mistakenly had two input drops. Could you elaborate a little on the second part, the allowance from inside?

OK, done. And do the jumps move further up the list to reduce the processing, or remain as they are?

Done


Please see the amended rules below, and thanks for the assistance, still a noob... Also, do I need a return at the end of the forward chain?

/ip firewall filter
add action=drop chain=input comment="Dropping Port Scanners" in-interface=WAN src-address-list="port scanners"
add action=drop chain=input comment="Drop SSH Bruteforcers" dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="Drop FTP on WAN" dst-port=21 in-interface=WAN protocol=tcp
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add action=tarpit chain=input comment="Suppress DoS Attack" connection-limit=3,32 in-interface=WAN protocol=tcp src-address-list=black_list
add action=jump chain=input comment="Jump for ICMP Input Flow" jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for ICMP Forward Flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="Detect DoS Attack" connection-limit=10,32 in-interface=WAN protocol=tcp
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="Protect Against DoS Attack" connection-limit=50,32 in-interface=WAN protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="List IPs Who Try Remote Login" dst-port=20-23 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=6w chain=input comment="Add to SSH Bruteforce Blacklist" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 3" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 2" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 1" connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="Port Scanners to List" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="NMAP FIN Stealth Scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="SYN/FIN Scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="SYN/RST Scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="FIN/PSH/URG Scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid
add chain=forward comment="Allow Already Established Connections" connection-state=established
add chain=forward comment="Allow Related Connections" connection-state=related
add chain=input comment="Allow Winbox" dst-port=8291 in-interface=!WAN protocol=tcp
add chain=input comment="Allow API" dst-port=8728 in-interface=!WAN protocol=tcp
add chain=input comment="Allow SSH" dst-port=22 protocol=tcp
add chain=input comment="Accept VPN GRE" protocol=gre
add chain=input comment="Accept VPN" dst-port=1723 protocol=tcp
add chain=input comment="Allow Established Connections" connection-state=established
add chain=input comment="Accept LAN" src-address=10.0.0.0/16
add chain=input comment="Accept VPN" src-address=192.168.5.0/24
add action=drop chain=input comment="Drop Everything Else"
add chain=ICMP comment="Echo Request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo Reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination Unreachable" icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for ICMP Output" jump-target=ICMP protocol=icmp

If you ask me, I would order the rules like this:
/ip firewall filter
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add action=jump chain=input comment="Jump for ICMP Input Flow" jump-target=ICMP protocol=icmp
add chain=input comment="Allow Established Connections" connection-state=established
add chain=input comment="Allow Related Connections" connection-state=related
add action=drop chain=input comment="Dropping Port Scanners" in-interface=WAN src-address-list="port scanners"
add action=drop chain=input comment="Drop SSH Bruteforcers" dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="Drop FTP on WAN" dst-port=21 in-interface=WAN protocol=tcp
add action=tarpit chain=input comment="Suppress DoS Attack" connection-limit=3,32 in-interface=WAN protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="Detect DoS Attack" connection-limit=10,32 in-interface=WAN protocol=tcp
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="Protect Against DoS Attack" connection-limit=50,32 in-interface=WAN protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="List IPs Who Try Remote Login" dst-port=20-23 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=6w chain=input comment="Add to SSH Bruteforce Blacklist" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 3" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 2" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 1" connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="Port Scanners to List" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="NMAP FIN Stealth Scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="SYN/FIN Scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="SYN/RST Scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="FIN/PSH/URG Scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add chain=input comment="Allow SSH" dst-port=22 protocol=tcp in-interface=WAN
add chain=input comment="Accept VPN GRE" protocol=gre in-interface=WAN
add chain=input comment="Accept VPN" dst-port=1723 protocol=tcp in-interface=WAN
add chain=input comment="Accept LAN" src-address=10.0.0.0/16
add chain=input comment="Accept VPN" src-address=192.168.5.0/24
add action=drop chain=input comment="Drop Everything Else"

add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid
add chain=forward comment="Allow Already Established Connections" connection-state=established
add chain=forward comment="Allow Related Connections" connection-state=related
add action=jump chain=forward comment="Jump for ICMP Forward Flow" jump-target=ICMP protocol=icmp
add chain=forward comment="Accept LAN" src-address=10.0.0.0/16 in-interface=
add chain=forward comment="Accept VPN" src-address=192.168.5.0/24 in-interface=
add action=drop chain=forward comment="Drop everything else"

add action=jump chain=output comment="Jump for ICMP Output" jump-target=ICMP protocol=icmp

add chain=ICMP comment="Echo Request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo Reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination Unreachable" icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop other ICMPs" protocol=icmp

These are my changes (besides reordering):

  • I added an allowance for related traffic in the input chain.
  • I deleted the allowances for Winbox and API (if the in-interface is !WAN) because you already have an allowance for LAN/VPN in your input chain (I assume that you only have WAN/LAN/VPN).
  • Added in-interface=WAN to the allowances for SSH/VPN access in your input chain.
  • I added an allowance for both LAN and VPN in your forward chain and a default drop after that. (You have to specify the LAN interface though.)
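The review points in the two posts above (a list matched under one name but filled under another, two identical drop-invalid rules in the same chain, a forward chain with no final drop, and the risk of leaving rules behind a "drop everything else") are all things that can be checked mechanically before an export is pasted into a router. The Python script below is an added example written for this page; it is not a MikroTik tool and was not posted by anyone in the thread. It parses the text of a "/ip firewall filter" export and reports those problems. The export embedded in it is constructed for the example: a trimmed copy of the first config in this thread with the subnet placeholder replaced by 10.0.0.0/16, one comment in forum-style curly quotes, a deliberate "Port Scanners" versus "port scanners" case mismatch (RouterOS address-list names are case-sensitive), and one rule placed after the final drop on purpose.

```python
"""Added example for this thread (not MikroTik code): lint the text of a
RouterOS '/ip firewall filter' export for the mistakes discussed above."""
import shlex

TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}
# Keys that name or describe a rule without narrowing what it matches.
NON_MATCH_KEYS = {"chain", "action", "comment", "jump-target", "address-list",
                  "address-list-timeout", "disabled", "log", "log-prefix"}

# Constructed sample: a trimmed copy of the first config in this thread with
# the LAN placeholder set to 10.0.0.0/16, one comment in forum-style curly
# quotes, a "Port Scanners"/"port scanners" case mismatch, and one rule that
# was put after the final drop on purpose.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="Dropping Port Scanners" in-interface=WAN src-address-list="Port Scanners"
add action=drop chain=input comment="Drop SSH Bruteforcers" dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid
add action=jump chain=input comment="Jump for ICMP Input Flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=6w chain=input comment="Add to SSH Bruteforce Blacklist" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 1" connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add Port Scanners to list" protocol=tcp psd=21,3s,3,1
add chain=forward comment="Allow Already Established Connections" connection-state=established
add chain=forward comment="Allow Related Connections" connection-state=related
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add chain=input comment="Allow Established Connections" connection-state=established
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add chain=input comment="Accept LAN" in-interface=!WAN src-address=10.0.0.0/16
add action=drop chain=input comment=“Drop Everything Else”
add chain=input comment="Allow WinBox (constructed: placed after the final drop)" dst-port=8291 in-interface=!WAN protocol=tcp
add chain=ICMP comment="Echo Request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add action=drop chain=ICMP comment="Drop other ICMPs" protocol=icmp
"""


def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict. The default action in
    RouterOS is accept; curly quotes are normalised so shlex can split."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip().translate(str.maketrans("“”’", "\"\"'"))
        if not line.startswith("add "):
            continue
        rule = {"action": "accept"}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def lint(rules):
    """Return findings as strings; rule numbers are 1-based export positions."""
    findings = []
    chains = {}
    for n, r in enumerate(rules, 1):
        chains.setdefault(r["chain"], []).append((n, r))
    for builtin in ("input", "forward"):
        chains.setdefault(builtin, [])

    # 1. Lists matched but never filled. Names are case-sensitive, so a drop
    #    rule on "Port Scanners" never fires if the list is filled as "port scanners".
    populated = {r["address-list"] for r in rules
                 if r["action"] in ("add-src-to-address-list", "add-dst-to-address-list")}
    for n, r in enumerate(rules, 1):
        for key in ("src-address-list", "dst-address-list"):
            name = r.get(key)
            if name and name not in populated:
                near = [p for p in populated if p.lower() == name.lower()]
                hint = f" (did you mean {near[0]!r}? names are case-sensitive)" if near else ""
                findings.append(f"rule {n}: {key}={name!r} is never populated{hint}")

    # 2. A jump to a chain with no rules is a no-op: nothing matches, processing returns.
    for n, r in enumerate(rules, 1):
        if r["action"] == "jump" and r.get("jump-target") not in chains:
            findings.append(f"rule {n}: jump-target {r.get('jump-target')!r} has no rules")

    # 3. Exact duplicates (comments ignored), e.g. two 'drop invalid' rules in one chain.
    seen = {}
    for n, r in enumerate(rules, 1):
        signature = frozenset((k, v) for k, v in r.items() if k != "comment")
        if signature in seen:
            findings.append(f"rule {n}: duplicate of rule {seen[signature]}")
        seen.setdefault(signature, n)

    # 4. Rules behind an unconditional terminal rule are dead, and a built-in
    #    chain that never reaches one falls through to the implicit accept.
    for chain, entries in chains.items():
        for pos, (n, r) in enumerate(entries):
            if not (set(r) - NON_MATCH_KEYS) and r["action"] in TERMINAL_ACTIONS:
                for m, _ in entries[pos + 1:]:
                    findings.append(f"rule {m}: unreachable, chain {chain!r} already ends at rule {n}")
                break
        else:
            if chain in ("input", "forward"):
                findings.append(f"chain {chain!r} has no unconditional final drop")
    return findings


def lint_text(text):
    return lint(parse_rules(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_EXPORT):
        print(finding)
```

Run with python3 and it prints four findings for the constructed sample: the unpopulated "Port Scanners" list with a case-sensitivity hint, the duplicate drop-invalid rule, the unreachable rule behind the input chain's final drop, and the forward chain with no final drop. To lint your own router, paste the output of "/ip firewall filter export" into SAMPLE_EXPORT or read it from a file. If you use matchers the script does not list in NON_MATCH_KEYS, they are treated as conditions, which errs on the side of not reporting a rule as unreachable.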

Awesome!

Thanks Rudios!

Heya, back again…

Silly question:
add chain=forward comment="Accept VPN" src-address=192.168.5.0/24 in-interface=

How do I define an inbound PPTP connection when the interface name is dynamic? E.g. depending on how many connections are active the name changes, , etc.

Not sure if I can use all-ppp, as I have an outbound L2TP VPN used for specific traffic and don't want to mix up the traffic...

does that make sense?

You have to first create a pptp-server binding per user. If you have a lot of users, it is a bit of a PITA. I do not know a different solution off the top of my head, but maybe something can be found on Google...

Thanks!