/ip dns export
/ip firewall export
uploaded image
https://ibb.co/BVVbQtK
/ip dns export
# feb/24/2021 07:47:59 by RouterOS
# software id = ***
#
#
#
/ip firewall export
# --- Port-scan detection (input chain) ---
# Each rule tags the packet's source in the "port scanners" address list for two
# weeks and then lets evaluation continue; none of them drops anything.
# NOTE(review): no rule in this export references src-address-list="port scanners",
# so the list is collected but never acted on — confirm whether a consumer exists elsewhere.
# Generic port-scan heuristic (psd = weight threshold, delay, low-port weight, high-port weight).
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list "
# TCP segments with only FIN set.
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
# FIN and SYN together.
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
# SYN and RST together.
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
# FIN, PSH and URG without SYN/RST/ACK.
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
# Every flag set.
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
# No flag set.
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
# --- ICMP handling ---
# NOTE(review): this matches every ICMP packet addressed to the router, from any
# source and of any type, so the ICMP rate-limit chain jumped to further down and
# the src-address-list=!Local rule just below never see ICMP. It also discards
# type 3 messages (including 3:4, fragmentation needed) aimed at the router, which
# can break path-MTU discovery for the router's own connections — confirm intent.
add action=drop chain=input comment="Drop ICMP Ping" protocol=icmp
# Drops ICMP port-unreachable (type 3, code 3) transiting the router.
add action=drop chain=forward icmp-options=3:3 protocol=icmp
# Unreachable for ICMP while the first rule above exists; the "Local" address list
# is not defined anywhere in this export.
add action=drop chain=input protocol=icmp src-address-list=!Local
# --- Login-failure blacklist, driven by the router's own replies (output chain) ---
# Replies containing "530 Login incorrect" are accepted while they stay under the
# per-destination dst-limit; only the excess falls through to the next rule.
add action=accept chain=output comment="Drop Brute Force" content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
# Excess failure replies put the client (the packet's destination) in Blacklist for 23h.
add action=add-dst-to-address-list address-list=Blacklist address-list-timeout=23h chain=output content="530 Login incorrect" protocol=tcp
# NOTE(review): the list is filled from FTP-style "530" failures, but this rule
# blocks dst-port=22 (SSH) rather than 21; the later ftp_blacklist rules use
# port 21 — confirm which port was intended here.
add action=drop chain=input dst-port=22 protocol=tcp src-address-list=Blacklist
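# NOTE(review): ten rules that were exported here were byte-for-byte copies of the
# "port scanners" detection rules at the top of the chain (psd, NMAP FIN, SYN/FIN,
# SYN/RST, FIN/PSH/URG, ALL/ALL, NULL). The first copy already lists the source,
# and no drop between the two copies matches TCP traffic the first copy did not
# see, so the second copy only re-evaluated every packet; it has been removed.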
# Drops transit UDP to port 40016.
add action=drop chain=forward comment="Drop Virus Port" dst-port=40016 protocol=udp
# NOTE(review): this and every other chain=virus rule in this export is only
# evaluated if some rule jumps to "virus"; no such jump appears in the export
# (part of the filter list is elided above), so confirm the chain is reachable.
add action=drop chain=virus dst-port=135-139 protocol=udp
. DROP SOME OF PORTS
.
.
# --- FTP brute-force protection (same "530" reply pattern as above, port 21) ---
add action=drop chain=input dst-port=21 protocol=tcp src-address-list=ftp_blacklist
# Failure replies under the per-destination dst-limit are accepted; the excess is listed below.
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
# --- SSH staged brute-force protection ---
# Read bottom-up: a new SSH connection lists the source in ssh_stage1 (1m); a
# further new connection while still in stage1 promotes it to stage2, then
# stage3, then ssh_blacklist for 1w3d. All adds are non-terminating; only the
# first rule drops.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
# --- DDoS detection (forward chain) ---
# Every new transit connection is sent through detect-ddos.
add action=jump chain=forward connection-state=new jump-target=detect-ddos
# NOTE(review): neither rule below carries a matcher, so both endpoints of EVERY
# new transit connection are listed for 10m. The usual form of this pattern puts
# an action=return rule keyed on a dst-limit threshold ahead of these adds so
# that only sources exceeding a rate are listed. Nothing in this export reads
# the ddosed/ddoser lists either — confirm a consumer exists elsewhere.
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
# --- SMTP / HTTP abuse rules in the "virus" chain (no jump to it is visible in this export) ---
# Drops SMTP from hosts already in the spammer list.
add action=drop chain=virus comment="Drop Spammer" dst-port=25 protocol=tcp src-address-list=spammer
# Lists a source as spammer for 1d when it holds more than the connection-limit
# of concurrent SMTP connections per /32 and exceeds the packet limit, unless it
# is in smtpOK. NOTE(review): the next rule drops all SMTP from non-smtpOK
# sources anyway, so this add mainly feeds the port-53/80 drops below.
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=virus comment="add to spammer list" connection-limit=30,32 dst-port=25 limit=10,5:packet \
protocol=tcp src-address-list=!smtpOK
# Only hosts in smtpOK may reach port 25 through this chain.
add action=drop chain=virus comment="SMTP SPAM stopper!" dst-port=25 protocol=tcp src-address-list=!smtpOK
# Input-chain rule: listed spammers may not use the router's DNS over TCP.
add action=drop chain=input comment="Drop 53 DoS attack" dst-port=53 protocol=tcp src-address-list=spammer
add action=drop chain=virus comment="Drop 80 DoS attack" dst-port=80 protocol=tcp src-address-list=spammer
# Same connection-limit idea for HTTP (threshold 40 per /32, 2d listing).
add action=add-src-to-address-list address-list=spammer address-list-timeout=2d chain=virus comment="Drop 80 DoS attack" connection-limit=40,32 dst-port=80 limit=20,5:packet \
protocol=tcp src-address-list=!smtpOK
# Drops transit packets that connection tracking classifies as invalid.
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# --- Port knocking and core input policy ---
# Knock sequence: TCP/1337 lists the source in "knock" for 15s; a TCP/7331 packet
# from a listed source then grants "safe" for 15m.
add action=add-src-to-address-list address-list=knock address-list-timeout=15s chain=input comment="fw rules start here" dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=15m chain=input dst-port=7331 protocol=tcp src-address-list=knock
# NOTE(review): only "established" is accepted here, not "related"; related
# packets fall through to the rest of the chain — confirm that is intended.
add action=accept chain=input comment="accept established connection packets" connection-state=established
add action=accept chain=input comment="Allow access to router from known network" src-address-list=safe
# Drops port scans outright (the "port scanners" list built at the top is not used here).
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
# Sources in black_list that still open more than 3 concurrent TCP connections per /32 are tarpitted.
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
# More than 10 concurrent TCP connections per /32 lists the source in black_list for 1d.
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
# Rate-limited ICMP handling lives in chain ICMP (unreachable while the early ICMP drop above exists).
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
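# --- Dispatch to the "services" chain ---
# NOTE(review): the export had 20 rules here; 18 were removed. Four
# add-src-to-address-list rules for ssh_blacklist / ssh_stage3 / ssh_stage2 /
# ssh_stage1 carried no matcher at all, so every source whose packet reached
# them was listed — including ssh_blacklist for 1w3d — and then dropped by the
# "drop ssh brute forcers" rule; the complete staged versions with
# dst-port=22 / connection-state=new matchers remain earlier in the chain. The
# other 14 were exact repeats of rules earlier in the input chain (port-knock,
# established, safe list, psd drop, black_list tarpit/add, ICMP jump, broadcast
# accept, the ftp/ssh blacklist drops, two ssh_stage adds and the output-chain
# "530" accept) and could not match a packet the first copy had not already
# handled.
add action=jump chain=input comment="jump to chain services" jump-target=services
# Logs every input packet still undecided at this point with prefix "Filter:".
add action=log chain=input log-prefix=Filter: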
# --- chain ICMP: accept a few ICMP types, each rate-limited to 5 packets/s (burst 5) ---
# Anything not matched here returns to the input chain; the chain has no drop of
# its own. Jumped to only for ICMP, which the early "Drop ICMP Ping" rule discards first.
# Echo reply (type 0, any code).
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
# Destination unreachable: port unreachable (3:3) and fragmentation needed (3:4).
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
# Forward-chain rule interleaved here: blacklisted SSH brute-forcers may not reach hosts behind the router either.
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# Echo request (type 8) and time exceeded (type 11).
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5:packet protocol=icmp
# --- chain services: router-side ports accepted from any source ---
# Every rule here is an accept with no source restriction, and the chain ends in
# return. NOTE(review): a whitelist chain like this only restricts anything if
# the input chain ends with a drop; this export shows no terminal drop on
# input, so as exported these rules add nothing and, once a terminal drop is
# added, each one becomes an Internet-facing exposure of the router itself.
# Review in particular Telnet (23), the proxy (8080) and SOCKS (1080) entries,
# and whether the P2P ports below belong on the router at all.
add action=accept chain=services comment="allow MACwinbox " dst-port=20561 protocol=udp
# NOTE(review): 8219 is not the default Winbox port — confirm it matches /ip service.
add action=accept chain=services comment=winbox dst-port=8219 protocol=tcp
add action=accept chain=services comment=Telnet dst-port=23 protocol=tcp
add action=accept chain=services comment="SSH for secure shell" dst-port=22 protocol=tcp
add action=accept chain=services comment="Bandwidth server" dst-port=2000 protocol=tcp
add action=accept chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=udp
add action=accept chain=services comment=uTorrent dst-port=53658 protocol=tcp
add action=accept chain=services dst-port=53658 protocol=udp
# NOTE(review): the router's SNMP agent listens on UDP; this TCP/161 rule
# presumably does not do what the comment says — verify.
add action=accept chain=services comment="allow SNMP" dst-port=161 protocol=tcp
add action=accept chain=services comment="Allow BGP" dst-port=179 protocol=tcp
add action=accept chain=services comment="Allow PPTP" dst-port=1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" protocol=gre
add action=accept chain=services comment=UPnP dst-port=1900 protocol=udp
add action=accept chain=services comment=UPnP dst-port=2828 protocol=tcp
add action=accept chain=services comment="allow DHCP" dst-port=67-68 protocol=udp
add action=accept chain=services comment="DC++ TLS 13336" dst-port=13336 protocol=tcp
add action=accept chain=services comment="DC++ TCP 19030" dst-port=19030 protocol=tcp
add action=accept chain=services comment="DC++ UDP 12620" dst-port=12620 protocol=udp
add action=accept chain=services comment="allow Web Proxy" dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow IPIP" protocol=ipencap
add action=accept chain=services comment="allow https for Hotspot" dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" protocol=ipsec-esp
add action=accept chain=services comment="allow IPSec" protocol=ipsec-ah
add action=accept chain=services comment="allow RIP" dst-port=520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" protocol=ospf
# Unmatched packets go back to the input chain.
add action=return chain=services
# --- Tail of the input/forward policy ---
# Full access for 10.11.11.0/24. Note these sit AFTER the scan/DoS/blacklist
# rules, so hosts in that subnet are still subject to them.
add action=accept chain=input src-address=10.11.11.0/24
add action=accept chain=forward src-address=10.11.11.0/24
# NOTE(review): drops every UDP/53 query to the router not accepted earlier; the
# 11.11.11.0/24 and 12.12.12.0/24 subnets NATed below have no accept above this
# point, so they presumably cannot use the router as resolver — confirm.
add action=drop chain=input comment="Drop Invalid DNS request" dst-port=53 protocol=udp
# Reputation lists ("sbl ..."): populated by something outside this export.
# Inbound on ether1 from listed sources, and outbound to listed destinations, are dropped and logged.
add action=drop chain=input comment="Squild Blacklist: SBL Blocklist.de." in-interface=ether1 log=yes log-prefix="BL_sbl blocklist.de" src-address-list="sbl blocklist.de"
add action=drop chain=input comment="Squild Blacklist: SBL DShield." in-interface=ether1 log=yes log-prefix="BL_sbl dshield" src-address-list="sbl dshield"
add action=drop chain=input comment="Squild Blacklist: SBL Spamhaus." in-interface=ether1 log=yes log-prefix="BL_sbl spamhaus" src-address-list="sbl spamhaus"
add action=drop chain=forward comment="Squild Blacklist: SBL Blocklist.de." dst-address-list="sbl blocklist.de" log=yes log-prefix="BL_sbl blocklist.de" out-interface=ether1
add action=drop chain=forward comment="Squild Blacklist: SBL DShield." dst-address-list="sbl dshield" log=yes log-prefix="BL_sbl dshield" out-interface=ether1
add action=drop chain=forward comment="Squild Blacklist: SBL Spamhaus." dst-address-list="sbl spamhaus" log=yes log-prefix="BL_sbl spamhaus" out-interface=ether1
# TCP/1194 to the router accepted from any source.
add action=accept chain=input dst-port=1194 protocol=tcp
# Traffic that arrived inside an IPsec policy from 12.12.12.0/24.
add action=accept chain=input comment="IPSEC ACCCEPT" ipsec-policy=in,ipsec src-address=12.12.12.0/24
# Source-port based handling for high ports. NOTE(review): "established" was
# already accepted near the top of the chain, and dropping "related" here
# discards legitimate helper-opened and ICMP-error packets — confirm intent.
add action=accept chain=input connection-state=established protocol=tcp src-port=9000-65535
add action=drop chain=input connection-state=invalid,related,untracked protocol=tcp src-port=9000-65535
# Unreachable: detect-ddos is only entered for connection-state=new.
add action=drop chain=detect-ddos connection-state=invalid,related,untracked
add action=accept chain=input connection-state=established protocol=udp src-port=9000-65535
add action=drop chain=input connection-state=invalid,related,untracked protocol=udp src-port=9000-65535
# Further "virus" chain port drops (chain has no visible jump in this export).
add action=drop chain=virus dst-port=161 protocol=tcp
add action=drop chain=virus dst-port=4444 protocol=tcp
add action=drop chain=virus dst-port=5672 protocol=tcp
add action=drop chain=virus dst-port=9567 protocol=tcp
add action=drop chain=virus dst-port=9344 protocol=tcp
# NOTE(review): the input chain ends here without a terminal drop. Anything not
# explicitly dropped above is accepted by default, so every service on the
# router is reachable from any interface regardless of the "services" chain.
# Before adding a final `add action=drop chain=input`, make sure an accept for
# the management path (the 10.11.11.0/24 accept, the "safe" list, or an
# in-interface match for the LAN) is placed above it.
/ip firewall nat
# 1:1 source mapping of 10.10.10.0/24 onto to-addresses, logged.
# NOTE(review): "IP" looks like a redacted placeholder in the paste, not a valid
# address; and because NAT actions are terminal, the masquerade rule for the
# same subnet just below is presumably never reached — confirm which is wanted.
add action=netmap chain=srcnat log=yes src-address=10.10.10.0/24 to-addresses=IP
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=10.10.10.0/24
# Masquerade the three local subnets when leaving via ether1.
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.11.11.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=11.11.11.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=12.12.12.0/24
/ip firewall raw
# Echo requests that EXCEED the limit (note the negated limit=!) are excluded
# from connection tracking and then dropped before any filter work is done.
# Requests within the limit are untouched here and proceed to the filter chains.
add action=notrack chain=prerouting comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=!1,5:packet protocol=icmp
add action=drop chain=prerouting comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=!1,5:packet protocol=icmp
/ip firewall service-port
# Disable every connection-tracking protocol helper listed in the export
# (alphabetical; each line is independent, so order does not matter).
set dccp disabled=yes
set ftp disabled=yes
set h323 disabled=yes
set irc disabled=yes
set pptp disabled=yes
set sctp disabled=yes
set sip disabled=yes
set tftp disabled=yes
set udplite disabled=yes