Securing a RouterOS Server

Hi Guys / Gals.

What is the best way to secure your RouterOS Server?

I have on the same network as my RouterOS Server, a CentOS Linux Firewall (which I SSH into, and use tunnels to get around the network for remote admin.)

Is there a way to somehow block everything (traffic) incoming from the PPPoE-Client, i.e. my public IP address, to stop hackers from trying to get in, or use my user manager, etc, and access the RouterOS server on the internal network, as I am atm, through my Linux Firewall, via an SSH Tunnel?

My Linux Firewall is way more secure than the RouterOS Server, and I need to have some sense of security. At present the box is live on a public IP address, and the only firewall rule I have in place is the masq rule for my clients.

I only want to block INCOMING traffic, and obviously continue to let the customers use the internet.

Thanks.
ChildOTK

I would start out following the firewall rules on http://wiki.mikrotik.com/wiki/Securing_your_router

Place rules in the [/ip firewall filter] to block traffic. There are 3 main ‘chains’ you can place rules in:

Input - For packets addressed to the router
Output - For packets leaving the router
Forward - For packets going through the router, this is where you want to put most of your internet rules

I would recommend putting most of the rules in the input or forward chains depending on what you are trying to block. There are some walkthroughs on this in the user manual.

http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php
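
A rule set for the setup described in this thread, using the input and forward chains named above. This is an added example, not part of the original posts; the interface name `pppoe-out1` and the Linux firewall address `192.168.1.2` are assumptions to be replaced with your own values.

```routeros
# Added example. Assumed names: pppoe-out1 is the PPPoE client (public) interface,
# 192.168.1.2 is the internal Linux firewall used for remote admin (constructed value).
/ip firewall filter

# input chain: packets addressed to the router itself
add chain=input connection-state=established action=accept comment="replies to traffic the router started"
add chain=input connection-state=related action=accept comment="related traffic, e.g. ICMP errors"
add chain=input connection-state=invalid action=drop comment="drop invalid packets"
add chain=input src-address=192.168.1.2 action=accept comment="admin from the internal Linux firewall"
add chain=input in-interface=pppoe-out1 action=drop comment="drop everything else arriving from the public side"

# forward chain: packets passing through the router to or from customers
add chain=forward connection-state=established action=accept comment="replies to customer connections"
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=pppoe-out1 action=drop comment="no new inbound connections towards customers"
```

Rules are evaluated top to bottom, so the accept rules must stay above the drop rules. Add them from a session that reaches the router over the internal network, so a mistake in the public-side drop rule cannot cut off your own access.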