That is a script that my predecessor came up with. It is a good place to start. Be careful working with firewall templates though; it is easy to block traffic that you intend to allow. I tend to use this as a starter firewall and then customize it to meet my needs.
#Secure your MikroTik Firewall
#Here is an example of how to protect your MikroTik router from the most common attacks today.
#This example is taken from the MikroTik Wiki and is only an example.
#You should thoroughly test this configuration before deploying in a live environment.
#DMCI Allow rules
/ip firewall address-list
add address=x.x.x.x/x comment="My Server Subnet" list=safe
#Let's say our private networks are 192.168.10.0/24 and 192.168.11.0/24 and the public (WAN) interface is named ether10-WAN.
#We will set up the firewall to allow connections to the router itself only from our local networks (plus the "safe" address list above) and drop the rest.
#We will also allow the ICMP protocol on any interface, so anyone can ping your router from the internet.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow established and related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input in-interface=ether10-WAN src-address-list=safe action=accept comment="Allow connections from safe list"
add chain=input in-interface=ether10-WAN protocol=tcp dst-port=53 action=drop comment="Drop external DNS requests"
add chain=input in-interface=ether10-WAN protocol=udp dst-port=53 action=drop comment="Drop external DNS requests"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input in-interface=!ether10-WAN src-address=192.168.10.0/24 action=accept comment="Allow LAN connections"
add chain=input in-interface=!ether10-WAN src-address=192.168.11.0/24 action=accept comment="Allow LAN connections"
#Optional: log what is about to be dropped. The log rule must sit before the final drop; placed after it, it is never reached.
add chain=input action=log log-prefix="Inbound Alert" comment="Log any other inbound traffic"
add chain=input action=drop comment="Drop everything else"
#For ICMP, TCP and UDP traffic we create separate chains in which unwanted packets are dropped:
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="allow already established and related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
#This accept runs before the bogon drops and the protocol chains below, so LAN-to-WAN traffic never reaches them; they only see traffic entering from the WAN or moving between LAN subnets.
add chain=forward connection-state=new out-interface=ether10-WAN action=accept comment="Allow all new outbound LAN connections"
#Block “bogon” IP Addresses:
add chain=forward src-address=0.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward src-address=127.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward src-address=224.0.0.0/3 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="block bogon ip addresses"
#Make jumps to new chains. Note that nothing after these jumps drops a new connection arriving from the WAN that no deny rule matched; add a final drop here once you publish services with dst-nat or route a public subnet behind the router.
add chain=forward protocol=tcp action=jump jump-target=tcp comment="make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp comment="make jumps to new chains"
add chain=forward protocol=icmp action=jump jump-target=icmp comment="make jumps to new chains"
#Create TCP chain and deny some TCP ports in it:
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=31337 action=drop comment="deny Back Orifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
#Deny UDP ports in UDP chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=31337 action=drop comment="deny Back Orifice"
#Allow only needed ICMP types and codes in the ICMP chain (type:code):
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="fragmentation needed (required for path MTU discovery)"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceeded"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter problem"
add chain=icmp action=drop comment="deny all other types"
#Create NAT rules. Limit masquerade to the WAN interface; without out-interface it also rewrites the source address of traffic routed between the LAN subnets.
/ip firewall nat
add chain=srcnat out-interface=ether10-WAN action=masquerade comment="Masquerade LAN traffic leaving via WAN"
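The warning at the top of this post, that a template can silently do something other than what you read into it, is easier to act on with a mechanical check than by eyeballing 40 rules. The script below is an added example, not part of the posted template or of RouterOS; it parses an export in the same `add key=value` form and flags three classic template mistakes: a rule placed after the chain's catch-all drop (it can never match), a srcnat masquerade with no out-interface, and two different names used for the WAN interface. The SAMPLE_EXPORT it runs on is constructed for the demo and deliberately contains all three.

```python
"""Lint a RouterOS firewall export for mistakes templates commonly carry.

Added example, not part of the posted script or of RouterOS. SAMPLE_EXPORT
is constructed for the demo.
"""
import shlex
from typing import Dict, List, Tuple

# Actions that end rule processing for the packet in RouterOS.
TERMINATING = {"accept", "drop", "reject", "tarpit"}
# Property keys that say nothing about which packets a rule matches.
NON_MATCHER_KEYS = {"chain", "action", "comment", "log-prefix", "jump-target", "disabled", "log"}

Rule = Tuple[str, str, Dict[str, str]]  # (section, chain, properties)


def parse_export(text: str) -> List[Rule]:
    """Turn `/section` headers and `add key=value ...` lines into Rule tuples."""
    rules: List[Rule] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue
        props: Dict[str, str] = {}
        # shlex keeps comment="two words" as one token; keys never contain spaces.
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            props[key] = value
        # RouterOS applies action=accept when the property is omitted.
        props.setdefault("action", "accept")
        rules.append((section, props.get("chain", ""), props))
    return rules


def describe(props: Dict[str, str]) -> str:
    """Readable handle for a rule: its comment, else chain and action."""
    return props.get("comment") or f"{props.get('chain', '?')} action={props['action']}"


def unreachable_rules(rules: List[Rule]) -> List[str]:
    """Rules placed after a catch-all terminating rule in the same chain."""
    closed = set()  # (section, chain) pairs that already terminate every packet
    shadowed: List[str] = []
    for section, chain, props in rules:
        if (section, chain) in closed:
            shadowed.append(describe(props))
            continue
        has_matcher = any(k not in NON_MATCHER_KEYS for k in props)
        if not has_matcher and props["action"] in TERMINATING:
            closed.add((section, chain))
    return shadowed


def unscoped_masquerade(rules: List[Rule]) -> List[str]:
    """Masquerade rules not limited to an outgoing interface (they NAT LAN-to-LAN too)."""
    return [
        describe(props)
        for section, _chain, props in rules
        if section == "/ip firewall nat"
        and props["action"] == "masquerade"
        and "out-interface" not in props
        and "out-interface-list" not in props
    ]


def wan_interface_names(rules: List[Rule]) -> List[str]:
    """Distinct interface names that look like the WAN uplink; more than one is a smell."""
    names = set()
    for _section, _chain, props in rules:
        for key in ("in-interface", "out-interface"):
            if key in props:
                names.add(props[key].lstrip("!"))  # "!ether10-WAN" negates the match
    return sorted(n for n in names if "wan" in n.lower())


# Constructed sample: log rule after the final drop, mixed WAN names, unscoped masquerade.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input connection-state=established action=accept comment="Allow established connections"
add chain=input src-address=192.168.10.0/24 in-interface=!ether10-WAN action=accept comment="Allow LAN connections"
add chain=input action=drop comment="Drop everything else"
add chain=input action=log log-prefix="Inbound Alert" comment="Log any other inbound traffic"
add chain=forward connection-state=established,related action=accept comment="allow established connections"
add chain=forward connection-state=new out-interface=ether1-WAN comment="Allow all new outbound LAN connections"
/ip firewall nat
add action=masquerade chain=srcnat
"""


def lint(text: str) -> Dict[str, List[str]]:
    """Run every check and return the findings keyed by check name."""
    rules = parse_export(text)
    return {
        "unreachable": unreachable_rules(rules),
        "unscoped_masquerade": unscoped_masquerade(rules),
        "wan_names": wan_interface_names(rules),
    }


if __name__ == "__main__":
    for check, hits in lint(SAMPLE_EXPORT).items():
        print(f"{check}: {hits}")
```

Feed it the output of `/ip firewall export` (straight quotes; a copy pasted from a web page with curly quotes will not parse, and would not load on the router either). The unreachable-rule check is the one that matters most in practice: a log or accept rule that lands below `action=drop` with no matchers is exactly the "traffic you intended to allow" case, and RouterOS accepts the rule without complaint.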