First time scripting firewall rules for MikroTik

Can someone help me? It is my first time making firewall script rules for the MikroTik model CRS320-8P-8B-4S+RM.

For top security for home use.

Thank you!

# ---------------------------------
# Global Configuration (with Port Knocking)
# ---------------------------------
:global WAN_INTERFACE "ether1"
:global LAN_INTERFACE "bridge"
:global ADMIN_EMAIL "admin@example.com"
:global LAN_SUBNET "192.168.0.0/24"
:global WAN_BANDWIDTH "10M/10M"
:global LAN_BANDWIDTH "50M/50M"
# Array elements are separated by ";" and each one must be quoted on its own:
# a single quoted string "a;b;c" is one element, not three.
:global BLOCKLIST_SOURCES {"https://urlhaus.abuse.ch/downloads/text_online/";"https://lists.blocklist.de/lists/all.txt";"https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt";"https://malicious-site-blocklist.com/blocklist.txt"}
:global AD_DOMAINS {"ads.google.com";"ad.doubleclick.net";"ads.yahoo.com";"tracking.example.com"}
# The sequence of ports to be knocked, in order
:global PORT_KNOCK_SEQUENCE {12345;23456;34567}

# ---------------------------------
# 1. Cleanup Existing Configuration (Ensuring Clean Setup)
# ---------------------------------
/ip firewall filter remove [find]
/ip firewall nat remove [find comment~"DNS"]
/queue simple remove [find]
/ip firewall address-list remove [find]
/ip dns static remove [find comment="Blocked ad domain"]
# Scripts and schedulers must be removed too, otherwise re-running this script fails on duplicate names
/system scheduler remove [find name~"^(BlocklistUpdater|SecurityAlert)\$"]
/system script remove [find name~"^(UpdateBlocklists|SendAlert)\$"]
# /system logging is deliberately left untouched: removing its default rules would send every
# "log=yes" entry below nowhere.

# ---------------------------------
# 2. Strict Default Policies (Everything Blocked by Default)
# ---------------------------------
/ip firewall filter add chain=input action=accept connection-state=established,related comment="Allow established/related connections"
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="Allow established/related connections"
/ip firewall filter add chain=input action=drop connection-state=invalid log=yes log-prefix="INVALID-PKT: " comment="Drop invalid packets"
/ip firewall filter add chain=forward action=drop connection-state=invalid log=yes log-prefix="INVALID-PKT: " comment="Drop invalid packets"
# No catch-all drop here: rules are evaluated top to bottom, so a "drop everything" rule at this
# point would shadow every accept rule added after it. The catch-all drops must be the last rules in each chain.

# ---------------------------------
# 3. Port Knocking (Enhanced Protection for SSH)
# ---------------------------------
# Each knock only records the source in a short-lived address list; the knock packet itself falls
# through to the catch-all drop, so the knock ports never appear open. A knock on the second or
# third port counts only if the previous stage was passed within its timeout.
/ip firewall filter add chain=input action=add-src-to-address-list protocol=tcp dst-port=($PORT_KNOCK_SEQUENCE->0) address-list=Knock-Stage1 address-list-timeout=30s comment="First port knock"
/ip firewall filter add chain=input action=add-src-to-address-list protocol=tcp dst-port=($PORT_KNOCK_SEQUENCE->1) src-address-list=Knock-Stage1 address-list=Knock-Stage2 address-list-timeout=30s comment="Second port knock"
/ip firewall filter add chain=input action=add-src-to-address-list protocol=tcp dst-port=($PORT_KNOCK_SEQUENCE->2) src-address-list=Knock-Stage2 address-list=Knock-Addresses address-list-timeout=5m comment="Third port knock: open the SSH window"

# Once the sequence is completed, allow SSH (port 22) for the knocking IP.
# The 5m address-list-timeout above closes the window again, so no cleanup script or scheduler is
# needed. Never add 0.0.0.0/0 to Knock-Addresses: that would open SSH to everyone.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22 src-address-list=Knock-Addresses comment="Allow SSH after correct port knock"

# ---------------------------------
# 4. Enhanced Flood Protection (SYN, UDP, ICMP, and Application Layer)
# ---------------------------------
/ip firewall filter add chain=input action=add-src-to-address-list connection-limit=3,32 protocol=tcp tcp-flags=syn address-list=SYN-Flooders address-list-timeout=10m in-interface=$WAN_INTERFACE comment="Detect and rate-limit SYN flood"
/ip firewall filter add chain=input action=drop src-address-list=SYN-Flooders log=yes log-prefix="SYN-FLOOD: " comment="Drop SYN flooders"
/ip firewall filter add chain=input action=add-src-to-address-list protocol=udp connection-limit=20,32 address-list=UDP-Flooders address-list-timeout=10m in-interface=$WAN_INTERFACE comment="Detect and rate-limit UDP flood"
/ip firewall filter add chain=input action=drop src-address-list=UDP-Flooders log=yes log-prefix="UDP-FLOOD: " comment="Drop UDP flooders"
# "limit" matches packets up to the given rate, so the rate-limited rule must accept and the
# following unconditional rule drops the excess (drop+limit would do the opposite).
/ip firewall filter add chain=input action=accept protocol=icmp limit=10,5:packet comment="Allow ICMP up to 10 packets/s"
/ip firewall filter add chain=input action=drop protocol=icmp log=yes log-prefix="ICMP-DROP: " comment="Drop ICMP above the rate limit"
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=443 connection-limit=10,32 log=yes log-prefix="SSL-FLOOD: " comment="Limit SSL connections to prevent flood"
/ip firewall filter add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port-Scanners address-list-timeout=1d in-interface=$WAN_INTERFACE comment="Detect port scanners"
/ip firewall filter add chain=input action=drop src-address-list=Port-Scanners log=yes log-prefix="PORT-SCAN: " comment="Drop port scanners"

# ---------------------------------
# 5. SSH Brute Force Protection (More Granular Limits)
# ---------------------------------
/ip firewall filter add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 connection-limit=3,32 address-list=Brute-Forcers address-list-timeout=5m comment="Detect brute-force SSH"
/ip firewall filter add chain=input action=drop src-address-list=Brute-Forcers log=yes log-prefix="SSH-BRUTE: " comment="Drop brute-force attackers"
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=22 connection-limit=2,32 log=yes log-prefix="SSH-LIMIT: " comment="Limit SSH login attempts"

# ---------------------------------
# 6. Automated Blocklist Updates (Include New Blocklist Sources)
# ---------------------------------
/system script add name=UpdateBlocklists source={
    :global BLOCKLIST_SOURCES
    # start fresh: re-adding an address that is already listed aborts the script
    /ip firewall address-list remove [find list="Blocklist"]
    :foreach url in=$BLOCKLIST_SOURCES do={
        :do {
            /tool fetch url=$url dst-path="blocklist.txt"
            # "get contents" returns only the first 4096 bytes; :toarray splits on commas, so split on newlines by hand
            :local contents [/file get "blocklist.txt" contents]
            :while ([:len $contents] > 0) do={
                :local nl [:find $contents "\n"]
                :local line $contents
                :if ([:typeof $nl] != "nil") do={
                    :set line [:pick $contents 0 $nl]
                    :set contents [:pick $contents ($nl + 1) [:len $contents]]
                } else={ :set contents "" }
                # keep plain IPv4 addresses or CIDR prefixes only (comments and URLs are skipped)
                :if ($line ~ "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+(/[0-9]+)?\$") do={
                    /ip firewall address-list add list="Blocklist" address=$line comment="Auto-updated blocklist"
                }
            }
            /file remove "blocklist.txt"
        } on-error={ :log warning ("UpdateBlocklists: failed to process " . $url) }
    }
}
/system scheduler add name=BlocklistUpdater on-event=UpdateBlocklists interval=6h comment="Update blocklists every 6 hours"
/ip firewall filter add chain=input action=drop src-address-list=Blocklist log=yes log-prefix="BLOCKED-IP: " comment="Drop malicious IPs"

# ---------------------------------
# 7. GeoIP Blocking (More Countries)
# ---------------------------------
/ip firewall address-list add list="Blocked-Countries" address=103.0.0.0/8 comment="Block country A IP range"
/ip firewall address-list add list="Blocked-Countries" address=85.0.0.0/8 comment="Block country B IP range"
/ip firewall address-list add list="Blocked-Countries" address=190.0.0.0/8 comment="Block country C IP range"
/ip firewall filter add chain=input action=drop src-address-list=Blocked-Countries log=yes log-prefix="GEO-BLOCK: " comment="Block GeoIP traffic"

# ---------------------------------
# 8. Bandwidth Management (Critical Service Priority)
# ---------------------------------
/queue simple add name="WAN-Limit" target=$WAN_INTERFACE max-limit=$WAN_BANDWIDTH comment="Limit WAN bandwidth"
/queue simple add name="LAN-Limit" target=$LAN_SUBNET max-limit=$LAN_BANDWIDTH comment="Limit LAN bandwidth"
/queue simple add name="Critical-Apps" target=$LAN_SUBNET max-limit=100M/100M comment="Prioritize critical services bandwidth"

# ---------------------------------
# 9. Ad Blocking & DNS Over HTTPS (Force Secure DNS)
# ---------------------------------
:foreach domain in=$AD_DOMAINS do={
    /ip dns static add name=$domain address=0.0.0.0 comment="Blocked ad domain"
}
# Clients cannot be "redirected" to DoH on port 443. Instead the router resolves via DoH upstream
# (RouterOS 6.47+; verify-doh-cert=yes needs the DoH server's CA certificate imported first) and every
# LAN DNS query is redirected to the router's own resolver, so plain DNS never leaves the LAN and the
# ad-domain entries above are actually used. Replace the placeholder URL with your DoH server.
/ip dns set allow-remote-requests=yes use-doh-server="https://DOH-SERVER-PLACEHOLDER/dns-query" verify-doh-cert=yes
/ip firewall nat add chain=dstnat in-interface=$LAN_INTERFACE protocol=udp dst-port=53 action=redirect to-ports=53 comment="Force LAN DNS through the router (DoH upstream)"
/ip firewall nat add chain=dstnat in-interface=$LAN_INTERFACE protocol=tcp dst-port=53 action=redirect to-ports=53 comment="Force LAN DNS through the router (DoH upstream)"
/ip firewall filter add chain=input action=accept in-interface=$LAN_INTERFACE protocol=udp dst-port=53 comment="Allow LAN DNS queries to the router"
/ip firewall filter add chain=input action=accept in-interface=$LAN_INTERFACE protocol=tcp dst-port=53 comment="Allow LAN DNS queries to the router"

# ---------------------------------
# 10. Application Layer Blocking (Blocking Malicious File Types)
# ---------------------------------
# The content matcher only sees plaintext: on port 443 the payload is encrypted and these rules never
# match; on port 80 they drop any packet that carries the string, not only file downloads.
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=80,443 content=".exe" log=yes log-prefix="VIRUS-BLOCK: " comment="Block EXE downloads"
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=80,443 content=".vbs" log=yes log-prefix="VIRUS-BLOCK: " comment="Block VBS downloads"
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=80,443 content=".bat" log=yes log-prefix="VIRUS-BLOCK: " comment="Block BAT downloads"
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=80,443 content=".scr" log=yes log-prefix="VIRUS-BLOCK: " comment="Block Screensaver downloads"
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=80,443 content=".zip" log=yes log-prefix="VIRUS-BLOCK: " comment="Block ZIP downloads"

# ---------------------------------
# 11. Real-Time Security Alerts (Email Notifications)
# ---------------------------------
# Gmail on port 587 requires STARTTLS
/tool e-mail set server=smtp.gmail.com port=587 tls=starttls user="your-email@gmail.com" password="your-app-password" from="your-email@gmail.com"
/system script add name=SendAlert source={
    # a global is visible inside a script only after it is declared here
    :global ADMIN_EMAIL
    :local attackers [/ip firewall address-list find list="Port-Scanners"]
    :foreach id in=$attackers do={
        :local address [/ip firewall address-list get $id address]
        /tool e-mail send to=$ADMIN_EMAIL subject="Security Alert: Port Scan Detected" body="Port scan detected from: $address"
    }
    :local bruteForce [/ip firewall address-list find list="Brute-Forcers"]
    :foreach id in=$bruteForce do={
        :local address [/ip firewall address-list get $id address]
        /tool e-mail send to=$ADMIN_EMAIL subject="Security Alert: SSH Brute Force Detected" body="SSH brute force attack detected from: $address"
    }
}
/system scheduler add name="SecurityAlert" on-event="SendAlert" interval=5m comment="Send security alerts every 5 minutes"

# ---------------------------------
# 12. Final Catch-All Rules (must remain the last rules in each chain)
# ---------------------------------
# Without these two accepts the LAN could neither manage the router nor reach the Internet.
/ip firewall filter add chain=input action=accept in-interface=$LAN_INTERFACE comment="Allow the LAN to reach the router"
/ip firewall filter add chain=forward action=accept in-interface=$LAN_INTERFACE out-interface=$WAN_INTERFACE comment="Allow LAN to WAN"
# Logging every dropped packet here fills the log during a flood; remove log=yes if that happens.
/ip firewall filter add chain=input action=drop log=yes log-prefix="DROP-ALL: " comment="Drop all incoming traffic"
/ip firewall filter add chain=forward action=drop log=yes log-prefix="DROP-ALL-FWD: " comment="Drop all forwarded traffic"

CRS320-8P-8B-4S+RM is a switch, not a router.

Do not expect more speed than an aggregated 200/300 Mbps…

Default firewall rules and config are the best security for those who copy & paste other scripts randomly because they do not know RouterOS.

The first security breach is someone who thinks they can randomly change the config to increase security…

The second is someone who stands between the screen and the chair…

The third are stupid scripts that log during attacks, send mail for each unique IP every 5 minutes, etc. etc. etc.
Often those scripts are auto-DoS because they cause the router to send email continuously or fill the firewall memory with IPs…

:foreach id in=$attackers do={
[...]
/tool e-mail send to=$ADMIN_EMAIL [...]
}
:foreach id in=$bruteForce do={
[...]
/tool e-mail send to=$ADMIN_EMAIL [...]
}
/system scheduler add name="SecurityAlert" on-event="SendAlert" interval=5m [...]
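A digest-style alternative to the per-IP alert loop quoted above, added here as an example and not part of the original thread or of any poster's script: it sends at most one e-mail per run, only when a new address appeared, and remembers what it already reported. It assumes the ADMIN_EMAIL global and the Port-Scanners/Brute-Forcers lists from the posted script; the names SendAlertDigest, ReportedAttackers and SecurityAlertDigest are the example's own.

```routeros
/system script add name=SendAlertDigest source={
    # globals are visible in a script only after being declared; ReportedAttackers is a global
    # (name chosen for this example) so that it survives between scheduler runs until reboot
    :global ADMIN_EMAIL
    :global ReportedAttackers
    :if ([:typeof $ReportedAttackers] != "array") do={ :set ReportedAttackers [:toarray ""] }
    :local body ""
    :local count 0
    :foreach listName in={"Port-Scanners";"Brute-Forcers"} do={
        :foreach id in=[/ip firewall address-list find list=$listName] do={
            :local addr [/ip firewall address-list get $id address]
            :local key ($listName . "/" . $addr)
            # report each list/address pair once, not on every run while it stays listed
            :if ([:typeof [:find $ReportedAttackers $key]] = "nil") do={
                :set ReportedAttackers ($ReportedAttackers, $key)
                :set body ($body . $listName . ": " . $addr . "\n")
                :set count ($count + 1)
            }
        }
    }
    # at most one message per run, and none at all when nothing new was seen
    :if ($count > 0) do={
        /tool e-mail send to=$ADMIN_EMAIL subject=("Security digest: " . $count . " new address(es)") body=$body
    }
    # bound the memory used for de-duplication; after a reset, still-listed addresses are reported once more
    :if ([:len $ReportedAttackers] > 1000) do={ :set ReportedAttackers [:toarray ""] }
}
/system scheduler add name="SecurityAlertDigest" on-event="SendAlertDigest" interval=1h comment="At most one digest per hour"
```

During a scan or brute-force wave this produces one summary per hour instead of one message per address every 5 minutes, which is the self-inflicted load the reply above warns about.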

@Nampster: please use code tag (button < / > in the editor) when you post long scripts … even short ones should be surrounded with that tag as it helps reading.