Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

a strong firewall rules for my router

Fri Sep 02, 2022 11:02 am

Hi all! I am using an RB951Ui and, despite using (as far as I think) strong firewall rules, I have had a lot of hacking attempts on my router in the last few days, so can anyone please advise me
on strong firewall rules that I can apply on my router that make sense?
These are the firewall rules on my router:

2 - IP services: I disable all ports except the Winbox port


3 - Mitigate DDoS attacks (the purpose of this rule is to limit the number of connections)

/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos

4-/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=ddos-attackers

5-/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input connection-state=invalid
add action=drop chain=input disabled=yes in-interface=!ether1
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix="! public" src-address-list=not_in_internet

6 - /ip firewall address-list
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add list=ddos-attackers
add list=ddos-target

7 - /ip firewall filter
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix="! public" \
src-address-list=not_in_internet
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos

Any advice on changing or modifying these rules would be appreciated.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: a strong firewall rules for my router

Fri Sep 02, 2022 11:18 am

A strong firewall is a simple firewall.

Always make sure you have an explicit drop-all-remaining rule at the bottom of the input and forward chains. Otherwise any small mistake can create a hole.


Your rules are absolute nonsense, and anyone from WAN is allowed to reach your router and your internal network. Take it off the network ASAP.

e.g.
> add action=drop chain=input disabled=yes in-interface=!ether1

What is this supposed to mean? Let's assume you enable the rule (at the moment it's disabled): it will say "if the input interface is NOT ether1, then drop the packet". Assuming your ether1 is WAN, you would essentially cut off access to your router from LAN, but leave access from WAN.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: a strong firewall rules for my router

Fri Sep 02, 2022 11:30 am

What @vecernik87 wrote is correct.

You want "strong firewall rules"???

Reset your RouterBOARD to default settings and do not touch it.


About:
«3-Mitigate the DDOS attack»
You can do NOTHING; only your ISP can help you.
If you are under a DDoS attack, the packets still reach your router regardless of any rule set.
The solution is to unplug the cable or call your ISP.
Last edited by rextended on Sat Jan 14, 2023 11:52 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: a strong firewall rules for my router

Fri Sep 02, 2022 3:33 pm

This works:
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" *****
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

******* Put this rule last, because if the "allow LAN" rule above it is not in place, you will lock yourself out of the router.

One problem might be that you have port forwardings.
Ensure that you use a source address for the external users coming in (their public IP, or a DDNS name if their WAN IP is dynamic).
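As an added example (not code from the thread, from MikroTik, or from any poster), here is a small Python model of first-match chain evaluation over a constructed subset of RouterOS matchers: it shows why the topic author's input chain lets new WAN connections reach the router, why enabling the `in-interface=!ether1` rule locks out the LAN instead (vecernik87's point), and how the chain above with a final drop behaves. `rule`, `evaluate`, `enable_all` and the packet dicts are assumed names and constructed data, and ether1 is assumed to be the WAN port.

```python
# Constructed subset of RouterOS filter semantics: first matching rule decides.

def rule(action, **match):
    return {"action": action, "match": match}
def _want(want, have):
    # RouterOS matcher value with optional leading '!' negation
    return have != want[1:] if want.startswith("!") else have == want

def matches(r, pkt):
    m = r["match"]
    if m.get("disabled"):                      # disabled=yes never matches
        return False
    if "connection_state" in m and pkt["state"] not in m["connection_state"]:
        return False
    for key, field in (("in_interface", "iface"), ("in_interface_list", "list")):
        if key in m and not _want(m[key], pkt[field]):
            return False
    return True

def evaluate(chain, pkt):
    # First matching rule decides. No match means the packet is allowed,
    # which is why the replies insist on an explicit drop at the bottom.
    for r in chain:
        if matches(r, pkt):
            return r["action"]
    return "accept"

def enable_all(chain):
    # Same chain with every disabled=yes rule switched on
    return [rule(r["action"], **{k: v for k, v in r["match"].items() if k != "disabled"})
            for r in chain]

# Input chain as posted by the topic author (third rule is disabled=yes there)
OP_INPUT = [
    rule("accept", connection_state={"established", "related", "untracked"}),
    rule("drop", connection_state={"invalid"}),
    rule("drop", in_interface="!ether1", disabled=True),
]

# Default-config style input chain from the replies: accept LAN, drop the rest
DEFCONF_INPUT = [
    rule("accept", connection_state={"established", "related", "untracked"}),
    rule("drop", connection_state={"invalid"}),
    rule("accept", in_interface_list="LAN"),
    rule("drop"),                              # explicit drop-all-remaining
]

# Constructed packets: a new connection to the router from WAN (ether1) and LAN
WAN_NEW = {"state": "new", "iface": "ether1", "list": "WAN"}
LAN_NEW = {"state": "new", "iface": "ether2", "list": "LAN"}
```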
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: a strong firewall rules for my router

Sun Sep 04, 2022 10:14 am

Very thankful to all!
Can anyone please guide me to any document that explains the default firewall rules in MikroTik RouterBOARDs,
rule by rule?
# model = 951Ui-2HnD
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: a strong firewall rules for my router

Sun Sep 04, 2022 10:17 am

Very thankful, vecernik87!
Do you have any document that explains the default firewall rules in MikroTik?
Thanks in advance.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: a strong firewall rules for my router

Sun Sep 04, 2022 10:20 am

Each rule is already commented; each line explains itself...
Are you missing the terminology?
