I am quite new to Mikrotik, so feel free to correct me in any way.
I've been told to make a firewall with FastTrack and port scanner blocking, I am wondering will this one work as an universal rule list?
Code: Select all
/ip firewall filter
add action=accept chain=input comment="Accept established/related/untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment=\
"Fasttrack established/related" connection-state=established,related
add action=accept chain=forward comment=\
"Accept established/related/untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid protocol=tcp
add action=drop chain=input dst-port=21 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=23 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=161 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
in-interface-list=WAN protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" \
in-interface-list=WAN protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" \
in-interface-list=WAN protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" \
in-interface-list=WAN protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" \
in-interface-list=WAN protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" \
in-interface-list=WAN protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop SSH Brute Forcers" dst-port=22,23 \
protocol=tcp src-address-list=brute-force_blacklist
add action=add-src-to-address-list address-list=brute-force_blacklist \
address-list-timeout=1d chain=input comment="Drop SSH Brute Forcers" \
connection-state=new dst-port=22,23 in-interface-list=WAN protocol=tcp \
src-address-list=bruteforce_stage3
add action=add-src-to-address-list address-list=bruteforce_stage3 \
address-list-timeout=30s chain=input comment="Drop SSH Brute Forcers" \
connection-state=new dst-port=22,23 in-interface-list=WAN protocol=tcp \
src-address-list=bruteforce_stage2
add action=add-src-to-address-list address-list=bruteforce_stage2 \
address-list-timeout=30s chain=input comment="Drop SSH Brute Forcers" \
connection-state=new dst-port=22,23 in-interface-list=WAN protocol=tcp \
src-address-list=bruteforce_stage1
add action=add-src-to-address-list address-list=bruteforce_stage1 \
address-list-timeout=1m chain=input comment="Drop SSH Brute Forcers" \
connection-state=new dst-port=22,23 in-interface-list=WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN