Term
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Jan 11, 2018 11:42 pm

How to block all except ...

Tue Jan 23, 2018 7:02 pm

Hello,
Another question about the firewall from me :-)
I'm too paranoid, so I want to block everything I don't use. Have RBRB962UiGS.

Using PPPoE from my ISP, SSH on another port, winbox. Currently I have SSH access only from LAN. Using p2p torrents too, but I don't want to block them.

Currently have this:
add action=accept chain=input comment="allow SSH from local" dst-port=1922 in-interface=bridge1 protocol=tcp
add action=add-src-to-address-list address-list=remote_ssh_blacklist address-list-timeout=1w3d chain=input comment="block outside SSH permanently" connection-state=new dst-port=1922 limit=0,5:packet protocol=tcp src-address-list=remote_ssh_blacklist_temp
add action=add-src-to-address-list address-list=remote_ssh_blacklist_temp address-list-timeout=1m chain=input comment="Block outside SSH temp" connection-state=new dst-port=1922 protocol=tcp
add action=drop chain=input comment="Drop outside SSH" dst-port=1922 log=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=1922 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=1922 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=1922 protocol=tcp
add action=add-src-to-address-list address-list=ssh_utok_na_port_22 address-list-timeout=1w3d chain=input comment="block attacks to 22 permanently" connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop attack to 22" dst-port=22 log=yes protocol=tcp
add action=add-src-to-address-list address-list=Connection_Limit address-list-timeout=1d chain=input comment="Connection limit because of DDoS" connection-limit=100,32 protocol=tcp
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
Found this but I don't know if it will be ok for me. Can anybody check it please? Thank you.

/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward action=accept protocol=tcp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=udp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=tcp dst-port=80 in-interface=LAN comment="allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=443 in-interface=LAN comment="allow HTTPS"
add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN comment="allow RDP via VPN"
add chain=forward action=drop
Last edited by Term on Wed Jan 24, 2018 7:19 pm, edited 1 time in total.
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: How to block all except ...

Wed Jan 24, 2018 2:40 pm

Hello,
another question about firewall from me :-)
I need too paranoid so I want to block everything I don't use. Have RBRB962UiGS.
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward action=accept protocol=tcp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=udp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=tcp dst-port=80 in-interface=LAN comment="allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=443 in-interface=LAN comment="allow HTTPS"
add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN comment="allow RDP via VPN"
add chain=forward action=drop

With this you don't need to create individual rules per NAT rule; simply create a NAT dst rule and the firewall will open up. Established & related can also be a single rule (efficiency).
Please note I've included an "in-interface" in the drop rule there as well so it doesn't drop anything from your LAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="allow already established & related connections"
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward action=drop connection-nat-state=!dstnat in-interface=WAN_INTERFACE comment="drop any other connections"
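To make the first-match behaviour of those three forward rules concrete, here is a small Python model (added here as an illustration; it is not code from this thread or from MikroTik) that walks a few constructed packets through the rules in order and falls back to RouterOS's implicit accept when nothing matches. The interface names WAN_INTERFACE and bridge1 and the sample packets are assumptions; the connection-nat-state matcher is spelled dstnat as RouterOS spells it.

```python
# Added illustration (not from the thread or from MikroTik): a toy first-match
# evaluator for the three forward-chain rules posted above.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the properties the three rules look at (constructed sample data)."""
    in_interface: str       # "WAN_INTERFACE" or "bridge1" (assumed interface names)
    connection_state: str   # "new", "established", "related" or "invalid"
    protocol: str           # "tcp" or "udp"
    dst_nat: bool = False   # True if the tracked connection was dst-nat'ed


# The same three rules, in the order they would sit in /ip firewall filter chain=forward.
FORWARD_RULES = [
    {"comment": "allow already established & related connections",
     "connection-state": {"established", "related"}, "action": "accept"},
    {"comment": "drop invalid connections",
     "protocol": "tcp", "connection-state": {"invalid"}, "action": "drop"},
    {"comment": "drop any other connections",
     "in-interface": "WAN_INTERFACE", "connection-nat-state": "!dstnat", "action": "drop"},
]


def rule_matches(rule, pkt):
    """A rule matches when every matcher it carries matches; absent matchers match anything."""
    if "connection-state" in rule and pkt.connection_state not in rule["connection-state"]:
        return False
    if "protocol" in rule and pkt.protocol != rule["protocol"]:
        return False
    if "in-interface" in rule and pkt.in_interface != rule["in-interface"]:
        return False
    nat_state = rule.get("connection-nat-state")
    if nat_state == "dstnat" and not pkt.dst_nat:
        return False
    if nat_state == "!dstnat" and pkt.dst_nat:
        return False
    return True


def evaluate(rules, pkt):
    """Walk the chain top to bottom; the first matching rule decides.
    If nothing matches, RouterOS accepts (the built-in chains have no implicit drop)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "(no rule matched: chain default accept)"


# Constructed traffic classes a home router would see on the forward chain.
SAMPLE_PACKETS = {
    "lan_new_http": Packet("bridge1", "new", "tcp"),
    "wan_new_unsolicited": Packet("WAN_INTERFACE", "new", "tcp"),
    "wan_new_to_dstnat_port": Packet("WAN_INTERFACE", "new", "tcp", dst_nat=True),
    "wan_reply_established": Packet("WAN_INTERFACE", "established", "tcp"),
    "wan_invalid_tcp": Packet("WAN_INTERFACE", "invalid", "tcp"),
    "wan_invalid_udp": Packet("WAN_INTERFACE", "invalid", "udp"),
    "lan_invalid_udp": Packet("bridge1", "invalid", "udp"),
}


def classify_all(rules=FORWARD_RULES, packets=SAMPLE_PACKETS):
    """Map each sample packet name to the action the chain takes on it."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        action, why = evaluate(FORWARD_RULES, pkt)
        print(f"{name:24s} -> {action:6s}  {why}")
```

Running it shows new connections from the LAN side and dst-nat'ed inbound connections being accepted, unsolicited new inbound on WAN_INTERFACE being dropped, and one detail worth noticing: the invalid-drop rule only carries protocol=tcp, so an invalid UDP packet from the WAN is still caught by the third rule, but an invalid UDP packet from the LAN side reaches the end of the chain and is accepted by default.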
 
Term
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Jan 11, 2018 11:42 pm

Re: How to block all except ...

Wed Jan 24, 2018 7:20 pm

Please note I've included an "in-interface" in the drop rule there as well so it doesn't drop anything from your LAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="allow already established & related connections"
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward action=drop connection-nat-state=!dstnat in-interface=WAN_INTERFACE comment="drop any other connections"
So if I add only this, will it work fine?
