Some rules for MikroTik v.2.9.27... Is there any correction?

Hi,
I'm new to using MikroTik RouterOS. It's powerful, I must admit. I've collected and compiled these rules for my OS, but I'm a bit confused whether this is okay or if I could make it better. Any help would be appreciated. There's a notepad attachment. Thanks!

For quick viewing I’m pasting it below:

---------- MIKROTIK RULES ----------

---------- IP Firewall NAT ----------

/ip firewall nat
add chain=srcnat action=masquerade out-interface=WAN

---------- IP Firewall Mangle ----------

/ip firewall mangle
add chain=forward src-address=192.168.1.0/24 action=mark-connection new-connection-mark=users-connection
add connection-mark=users-connection action=mark-packet new-packet-mark=users-packet chain=forward


---------- Queue Type ----------

/queue type
add name=pcq-download kind=pcq pcq-classifier=dst-address
add name=pcq-upload kind=pcq pcq-classifier=src-address


---------- Queue Tree ----------

/queue tree
add name=Download parent=LAN max-limit=10240000
add parent=Download queue=pcq-download packet-mark=users-packet
add name=Upload parent=WAN max-limit=2048000
add parent=Upload queue=pcq-upload packet-mark=users-packet
or
/queue tree
add parent=LAN queue=pcq-download packet-mark=users-packet
add parent=WAN queue=pcq-upload packet-mark=users-packet


---------- IP Firewall Filter ----------

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input connection-state=established action=accept comment="Allow established connections"
add chain=input protocol=udp action=accept comment="Allow UDP"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.1.0/24 action=accept comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"

add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny CIFS"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="allow echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceeded"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter problem"
add chain=icmp action=drop comment="deny all other types"

/ip firewall filter
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=virus protocol=tcp dst-port=593 action=drop
add chain=virus protocol=tcp dst-port=1024-1030 action=drop
add chain=virus protocol=tcp dst-port=1214 action=drop

/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"

/ip firewall filter
add chain=input protocol=tcp dst-port=80 connection-limit=30,0 action=drop comment="limit http connections" disabled=no
add chain=input src-address-type=!unicast action=drop comment="discard all non-unicast data" disabled=no
add chain=forward protocol=tcp connection-limit=50,32 action=drop comment="limit TCP connections" disabled=no

/ip firewall filter
add chain=virus protocol=tcp dst-port=41 action=drop comment="DeepThroat.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=82 action=drop comment="W32.Korgo.Ah" disabled=no
add chain=virus protocol=tcp dst-port=113 action=drop comment="W32.Korgo.A/B/C/D/E/F-1" disabled=no
add chain=virus protocol=tcp dst-port=2041 action=drop comment="W32.Korgo.A/B/C/D/E/F-2" disabled=no
add chain=virus protocol=tcp dst-port=3150 action=drop comment="DeepThroat.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=3067 action=drop comment="W32.Korgo.A/B/C/D/E/F-3" disabled=no
add chain=virus protocol=tcp dst-port=3422 action=drop comment="Backdoor.IRC.Aladdinz.R-1" disabled=no
add chain=virus protocol=tcp dst-port=6667 action=drop comment="W32.Korgo.A/B/C/D/E/F-4" disabled=no
add chain=virus protocol=tcp dst-port=6789 action=drop comment="1111111" disabled=no
add chain=virus protocol=tcp dst-port=8787 action=drop comment="Back.Orifice.2000.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=8879 action=drop comment="Back.Orifice.2000.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=8967 action=drop comment="W32.Dabber.A/B-2" disabled=no
add chain=virus protocol=tcp dst-port=9999 action=drop comment="W32.Dabber.A/B-3" disabled=no
add chain=virus protocol=tcp dst-port=20034 action=drop comment="Block.NetBus.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=21554 action=drop comment="GirlFriend.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=31666 action=drop comment="Back.Orifice.2000.Trojan-3" disabled=no
add chain=virus protocol=tcp dst-port=43958 action=drop comment="Backdoor.IRC.Aladdinz.R-2" disabled=no
add chain=virus protocol=tcp dst-port=999 action=drop comment="DeepThroat.Trojan-3" disabled=no
add chain=virus protocol=tcp dst-port=6670 action=drop comment="DeepThroat.Trojan-4" disabled=no
add chain=virus protocol=tcp dst-port=6771 action=drop comment="DeepThroat.Trojan-5" disabled=no
add chain=virus protocol=tcp dst-port=60000 action=drop comment="DeepThroat.Trojan-6" disabled=no
add chain=virus protocol=tcp dst-port=2140 action=drop comment="DeepThroat.Trojan-7" disabled=no
add chain=virus protocol=tcp dst-port=10067 action=drop comment="Portal.of.Doom.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=10167 action=drop comment="Portal.of.Doom.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=3700 action=drop comment="Portal.of.Doom.Trojan-3" disabled=no
add chain=virus protocol=tcp dst-port=9872-9875 action=drop comment="Portal.of.Doom.Trojan-4" disabled=no
add chain=virus protocol=tcp dst-port=6883 action=drop comment="Delta.Source.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=26274 action=drop comment="Delta.Source.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Delta.Source.Trojan-3" disabled=no
add chain=virus protocol=tcp dst-port=47262 action=drop comment="Delta.Source.Trojan-4" disabled=no
add chain=virus protocol=tcp dst-port=3791 action=drop comment="Eclypse.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=3801 action=drop comment="Eclypse.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=65390 action=drop comment="Eclypse.Trojan-3" disabled=no
add chain=virus protocol=tcp dst-port=5880-5882 action=drop comment="Y3K.RAT.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=5888-5889 action=drop comment="Y3K.RAT.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=30100-30103 action=drop comment="NetSphere.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=30133 action=drop comment="NetSphere.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=7300-7301 action=drop comment="NetMonitor.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=7306-7308 action=drop comment="NetMonitor.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=79 action=drop comment="FireHotcker.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=5031 action=drop comment="FireHotcker.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=5321 action=drop comment="FireHotcker.Trojan-3" disabled=no
add chain=virus protocol=tcp dst-port=6400 action=drop comment="TheThing.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=7777 action=drop comment="TheThing.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=1047 action=drop comment="GateCrasher.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=6969-6970 action=drop comment="GateCrasher.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=2774 action=drop comment="SubSeven-1" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="SubSeven-2" disabled=no
add chain=virus protocol=tcp dst-port=1243 action=drop comment="SubSeven-3" disabled=no
add chain=virus protocol=tcp dst-port=1234 action=drop comment="SubSeven-4" disabled=no
add chain=virus protocol=tcp dst-port=6711-6713 action=drop comment="SubSeven-5" disabled=no
add chain=virus protocol=tcp dst-port=16959 action=drop comment="SubSeven-7" disabled=no
add chain=virus protocol=tcp dst-port=25685-25686 action=drop comment="Moonpie.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=25982 action=drop comment="Moonpie.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=31337-31339 action=drop comment="NetSpy.Trojan-3" disabled=no
add chain=virus protocol=tcp dst-port=8102 action=drop comment="Trojan" disabled=no
add chain=virus protocol=tcp dst-port=8011 action=drop comment="WAY.Trojan" disabled=no
add chain=virus protocol=tcp dst-port=7626 action=drop comment="Trojan.BingHe" disabled=no
add chain=virus protocol=tcp dst-port=19191 action=drop comment="Trojan.NianSeHoYian" disabled=no
add chain=virus protocol=tcp dst-port=23444-23445 action=drop comment="NetBull.Trojan" disabled=no
add chain=virus protocol=tcp dst-port=2583 action=drop comment="WinCrash.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=3024 action=drop comment="WinCrash.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=4092 action=drop comment="WinCrash.Trojan-3" disabled=no
add chain=virus protocol=tcp dst-port=5714 action=drop comment="WinCrash.Trojan-4" disabled=no
add chain=virus protocol=tcp dst-port=1010-1012 action=drop comment="Doly1.0/1.35/1.5trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=1015 action=drop comment="Doly1.0/1.35/1.5trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=2004-2005 action=drop comment="TransScout.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=9878 action=drop comment="TransScout.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=2773 action=drop comment="Backdoor.YAI.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=7215 action=drop comment="Backdoor.YAI.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=54283 action=drop comment="Backdoor.YAI.Trojan-3" disabled=no
add chain=virus protocol=tcp dst-port=1003 action=drop comment="BackDoorTrojan-1" disabled=no
add chain=virus protocol=tcp dst-port=5598 action=drop comment="BackDoorTrojan-2" disabled=no
add chain=virus protocol=tcp dst-port=5698 action=drop comment="BackDoorTrojan-3" disabled=no
add chain=virus protocol=tcp dst-port=31554 action=drop comment="SchwindlerTrojan-2" disabled=no
add chain=virus protocol=tcp dst-port=18753 action=drop comment="Shaft.DDoS.Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=20432 action=drop comment="Shaft.DDoS.Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=65000 action=drop comment="Devil.DDoS.Trojan" disabled=no
add chain=virus protocol=tcp dst-port=11831 action=drop comment="LatinusTrojan-1" disabled=no
add chain=virus protocol=tcp dst-port=29559 action=drop comment="LatinusTrojan-2" disabled=no
add chain=virus protocol=tcp dst-port=1784 action=drop comment="Snid.X2Trojan-1" disabled=no
add chain=virus protocol=tcp dst-port=3586 action=drop comment="Snid.X2Trojan-2" disabled=no
add chain=virus protocol=tcp dst-port=7609 action=drop comment="Snid.X2Trojan-3" disabled=no
add chain=virus protocol=tcp dst-port=12348-12349 action=drop comment="BionetTrojan-1" disabled=no
add chain=virus protocol=tcp dst-port=12478 action=drop comment="BionetTrojan-2" disabled=no
add chain=virus protocol=tcp dst-port=57922 action=drop comment="BionetTrojan-3" disabled=no
add chain=virus protocol=tcp dst-port=3127 action=drop comment="Worm.Novarg.a.Mydoom.a1." disabled=no
add chain=virus protocol=tcp dst-port=6777 action=drop comment="Worm.BBeagle.a.Bagle.a." disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Worm.BBeagle.b" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Worm.BBeagle.cg / jl" disabled=no
add chain=virus protocol=tcp dst-port=2556 action=drop comment="Worm.BBeagle.p / q / r / n" disabled=no
add chain=virus protocol=tcp dst-port=20742 action=drop comment="Worm.BBEagle.m-2" disabled=no
add chain=virus protocol=tcp dst-port=4751 action=drop comment="Worm.BBeagle.s / t / u / v" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Worm.BBeagle.aa/ab/w/xz-2" disabled=no
add chain=virus protocol=tcp dst-port=5238 action=drop comment="Worm.LovGate.r.RpcExploit" disabled=no
add chain=virus protocol=tcp dst-port=1068 action=drop comment="Worm.Sasser.a" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Worm.Sasser.b / c / f" disabled=no
add chain=virus protocol=tcp dst-port=9996 action=drop comment="Worm.Sasser.b / c / f" disabled=no
add chain=virus protocol=tcp dst-port=9995 action=drop comment="Worm.Sasser.d" disabled=no
add chain=virus protocol=tcp dst-port=10168 action=drop comment="Worm.Lovgate.a / b / c / d" disabled=no
add chain=virus protocol=tcp dst-port=20808 action=drop comment="Worm.Lovgate.v.QQ" disabled=no
add chain=virus protocol=tcp dst-port=1092 action=drop comment="Worm.Lovgate.f / g" disabled=no
add chain=virus protocol=tcp dst-port=20168 action=drop comment="Worm.Lovgate.f / g" disabled=no
add chain=virus protocol=tcp dst-port=1363-1364 action=drop comment="ndm.requester" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen.cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Backdoor.OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=8888 action=drop comment="Worm.BBeagle.b" disabled=no
add chain=virus protocol=tcp dst-port=3198 action=drop comment="Worm.Novarg.a.Mydoom.a2." disabled=no
add chain=virus protocol=tcp dst-port=139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=135 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
Mikrotik Rules.txt (19.2 KB)

Define “better”.

RouterOS is so powerful, that it can do pretty much anything… but the question is what do you want it to do… and how do you go about doing it. I can’t even begin to tell you the latter without the former.

(P.S. 2.9.27 is ancient… consider an upgrade)

Any suggestion on my script?

There are a few things you could improve in regards to your firewall rules:

The first thing I would do is create a "safe" address-list and put your management IPs in the "safe" list, then make your first rule be accept when the source is in the safe list. This ensures that you will not lose your connection to the router. You pretty much have this with your 192.168.1.0/24 rule, which will suffice.

The input chain is data destined to the router… you are accepting all UDP packets going to the router. You should be able to disable this rule.
You are accepting all ICMP traffic as well. I would recommend accepting only a limited number of ICMP packets per second.

Another thing I like to do is trap IPs into an address-list when the src address attempts to make unwanted connections to my firewall. For example, if you don't use MSSQL then you can trap any IPs that try to connect to you on the MSSQL port and add the IP to a list like bannedForRogueConnectionToMSSQL for a given time, then add a rule to drop all traffic from anyone in any of your banned address lists. I have seen this where people add to a "hacker" list, but then you never know why someone ended up in that list.

I would convert all of your drop actions in your virus chain to rules that add to an address-list like bannedForVirusLikeActivity for 7 days or some such, and have one drop rule for any src IPs in that address-list.

I have collected hundreds of IPs (mostly from foreign countries) that are in my banned lists. It's also nice to have a bannedForPortScanning list.

Thanks a lot! Would you please give your blacklisted IPs? Also, how can I convert all these rules into one for virus? Thanks in advance again :)
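The address-list approach suggested in the second reply (safe list first, no blanket UDP accept, rate-limited ICMP, trap rogue MSSQL attempts, and the virus chain rewritten so that every former drop adds the source to one list that a single rule drops) as an added worked example, together with the "how can I convert all these rules into one" question that follows it. This is not code from the original post or from MikroTik. The interface name WAN and the 192.168.1.0/24 network come from the original post; the management addresses 192.168.1.10 and 192.168.1.20, the list names, the timeouts and the `limit=count,burst` form are assumptions written for RouterOS 2.9-era syntax and should be checked against `/ip firewall filter add` help on the actual version.

```routeros
# Added example, not from the original post. Assumes interface "WAN" and
# LAN 192.168.1.0/24 (from the post); management hosts, list names and
# timeouts below are illustrative assumptions.

/ip firewall address-list
add list=safe address=192.168.1.10 comment="admin workstation (assumed)"
add list=safe address=192.168.1.20 comment="monitoring host (assumed)"

/ip firewall filter
# 1. Management first: a mistake further down cannot lock you out.
add chain=input src-address-list=safe action=accept comment="management hosts"

# 2. One drop rule per chain for each banned list, placed before any accept.
add chain=input src-address-list=bannedForVirusLikeActivity action=drop
add chain=input src-address-list=bannedForRogueConnectionToMSSQL action=drop
add chain=forward src-address-list=bannedForVirusLikeActivity action=drop
add chain=forward src-address-list=bannedForRogueConnectionToMSSQL action=drop

# 3. Stateful basics on input; the "allow all UDP" rule is gone.
add chain=input connection-state=invalid action=drop
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept

# 4. ICMP: a few packets per second are enough; the rest is dropped.
add chain=input protocol=icmp limit=5,5 action=accept comment="rate-limited ICMP"
add chain=input protocol=icmp action=drop comment="ICMP above the limit"

# 5. Trap: nothing legitimate talks MSSQL (1433) to the router, so a source that
#    tries is listed for one day and hits the drop rules above on its next packet.
add chain=input protocol=tcp dst-port=1433 in-interface=WAN \
    action=add-src-to-address-list address-list=bannedForRogueConnectionToMSSQL \
    address-list-timeout=1d comment="trap rogue MSSQL connection attempts"

add chain=input action=drop comment="drop anything else"

# 6. Virus chain rewritten: each former "drop" now records the source for 7 days;
#    the single drop rules in step 2 do the blocking. The jump is required, since a
#    chain that is never jumped to is never consulted. Restricting the jump to new
#    connections arriving on WAN keeps LAN users' own outbound traffic from
#    landing them on the list.
add chain=forward in-interface=WAN connection-state=new protocol=tcp \
    action=jump jump-target=virus
add chain=virus protocol=tcp dst-port=135-139 action=add-src-to-address-list \
    address-list=bannedForVirusLikeActivity address-list-timeout=7d comment="Blaster"
add chain=virus protocol=tcp dst-port=445 action=add-src-to-address-list \
    address-list=bannedForVirusLikeActivity address-list-timeout=7d comment="Blaster"
add chain=virus protocol=tcp dst-port=3127-3128 action=add-src-to-address-list \
    address-list=bannedForVirusLikeActivity address-list-timeout=7d comment="MyDoom"
add chain=virus protocol=tcp dst-port=5554 action=add-src-to-address-list \
    address-list=bannedForVirusLikeActivity address-list-timeout=7d comment="Sasser"
add chain=virus action=return comment="back to forward for everything else"
```

The remaining virus rules from the original post convert the same way: keep the `chain=virus protocol=tcp dst-port=...` match and swap `action=drop` for `action=add-src-to-address-list address-list=bannedForVirusLikeActivity address-list-timeout=7d`. The list names say why an address was banned, which is the point the reply makes against a generic "hacker" list; `/ip firewall address-list print` shows who is currently listed and how long is left on each entry, and an address wrongly trapped can be released with `/ip firewall address-list remove`.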