# RouterOS filter export. Within each chain (input/forward/output) rules are
# evaluated top-down; accept/drop/fasttrack terminate matching, while
# add-src-to-address-list passes the packet through to the following rules.
# The order in this listing is therefore the security policy.
/ip firewall filter
# First forward-chain rule, so it runs ahead of the forward "drop invalid" rule
# below. It has no connection-state match. NOTE(review): the disabled
# "Accept VPN to VLAN client008" rule further down covers the same path by
# address — confirm which of the two is meant to be the live rule.
add action=accept chain=forward comment="Allow VPN to VLAN" in-interface=all-ppp out-interface=vlan_client008
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Unrestricted router access from both management interfaces (new connections).
add action=accept chain=input comment="Allow all from mgmt-outband" connection-state=new in-interface=bridge_mgmt
add action=accept chain=input comment="Allow all from mgmt-inband" connection-state=new in-interface=vlan_mgmt
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# Drops sources that the detector rules below have already tagged. Because the
# detectors are pass-through, a scanner's first packets still continue down the
# input chain until a terminating rule matches.
add action=drop chain=input comment="drop port scanners" src-address-list="port scanners"
# Management (SSH 22, WWW 11443) from the VPN range on any non-public interface.
add action=accept chain=input comment="Allow mgmt from VPN" connection-state=new dst-port=22,11443 in-interface=!vlan_public28 protocol=tcp src-address=192.168.108.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Port-scan detectors: psd=<weight threshold>,<delay>,<low-port weight>,<high-port weight>,
# followed by TCP-flag signatures of common scan types. Tagged sources stay on
# the list for 2 weeks (address-list-timeout=2w). These rules only watch the
# input chain, i.e. scans aimed at the router itself, not at forwarded hosts.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - statistic" protocol=tcp psd=21,4s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Management from the public VLAN, limited to the public_trusted address list.
add action=accept chain=input comment="Allow ssh & www management from Public-trusted" connection-state=new dst-port=22,11443 in-interface=vlan_public28 protocol=tcp src-address-list=public_trusted
# NOTE(review): this rule accepts new TCP to 11443 (the WWW management port
# used above) from vlan_public28 with no source restriction, so the management
# web UI is reachable from any Internet host. The public_trusted rule directly
# above already covers trusted sources — confirm this unrestricted rule is
# still required; if not, remove it or scope it with src-address-list.
add action=accept chain=input comment="Accept www management from WAN" connection-state=new dst-port=11443 in-interface=vlan_public28 protocol=tcp
# L2TP/IPsec from the public VLAN: UDP 500 (IKE), 4500 (NAT-T), 1701 (L2TP) and ESP.
add action=accept chain=input comment="accept L2TP VPN" dst-port=4500,500,1701 in-interface=vlan_public28 protocol=udp
add action=accept chain=input comment="allow IPSEC input" in-interface=vlan_public28 protocol=ipsec-esp
# NOTE(review): allows DNS from 192.168.50.0/24, while the other VPN-related
# rules in this listing use 192.168.108.0/24 — confirm which range the VPN
# pool actually hands out; one of the two may be stale.
add action=accept chain=input comment="Allow DNS queries from VPN" dst-port=53 protocol=udp src-address=192.168.50.0/24
# Terminal input rule: everything not accepted above is dropped.
add action=drop chain=input comment="defconf: drop all"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Fasttracked established/related traffic bypasses the rest of the filter
# rules; only new connections (and untracked/invalid packets) reach the rules below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Disabled (disabled=yes) and therefore inactive. While the two "Test transferu"
# rules are off, new DSTNATed TCP/80 connections to 10.10.8.30 / 10.10.8.252
# fall through to the final forward drop unless another accept matches.
add action=accept chain=forward comment="Accept VPN to VLAN client008" connection-state=new disabled=yes dst-address=10.10.8.0/24 src-address=192.168.108.0/24
add action=accept chain=forward comment="Test transferu" connection-state=new disabled=yes dst-address=10.10.8.30 dst-port=80 protocol=tcp
add action=accept chain=forward comment="Test transferu 2" connection-state=new disabled=yes dst-address=10.10.8.252 dst-port=80 protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections arriving on the public VLAN must already be DSTNATed to get past this rule.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=vlan_public28
# Bogon-source drop; given the rules above, in practice it only sees DSTNATed
# new connections from the public VLAN.
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=vlan_public28 src-address-list=not_in_internet
# NOTE(review): accepts new TCP/1433 to 10.10.8.40 from any source on any
# interface. It sits after the WAN drop rules, so if a dst-nat to
# 10.10.8.40:1433 exists (not visible here), MSSQL would be reachable from the
# Internet. The "temp" in the comment suggests it should be removed or scoped
# with src-address / in-interface — confirm.
add action=accept chain=forward comment="SQL - temp" connection-state=new dst-address=10.10.8.40 dst-port=1433 protocol=tcp
# VPN clients (any PPP interface) may initiate connections toward the public VLAN.
add action=accept chain=forward comment="Accept VPN to WAN" connection-state=new in-interface=all-ppp out-interface=vlan_public28
# Terminal forward rule: anything not explicitly accepted above is dropped.
add action=drop chain=forward comment="Default rule: Block everything"
# Output chain: traffic originated by the router itself is never filtered.
add action=accept chain=output comment="Accept all outgoing"
curl -IL x.x.x.x:yyyy -v
* Trying x.x.x.x:yyyy...
* TCP_NODELAY set
* connect to x.x.x.x port yyyy failed: Connection timed out
* Failed to connect to x.x.x.x port yyyy: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to x.x.x.x port yyyy: Connection timed out