my problem is that my rules don't work; it seems like they get bypassed!! for example ssh and winbox are allowed, while i have an input rule to drop everything from wan. also my bruteforce rules are not "catching" packets: these rules should be counting that traffic, but they don't.
below is my config:
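# RouterOS export as posted (masked values such as 5.XXXX.XXXX.196 left as-is).
# The only behavioural change is in chain=syn-attack near the end
# (action=accept -> action=return); everything else is annotation.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes
/interface list member
# Only ether1 is a list member; the LAN list is empty in this export.
add interface=ether1 list=WAN
/ip address
add address=5.XXXX.XXXX.196/24 interface=ether1 network=5.XXX.XXX.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dns
set servers=XXXXXXXXX,XXXXXXX
/ip firewall filter
# Port-scan detectors. add-src-to-address-list is non-terminating, so a
# matching packet keeps traversing the input chain after these rules.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port Scanners to list" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
# Every new TCP SYN is sent to syn-attack HERE, before the bruteforce and
# drop rules below. What syn-attack does with the packet decides whether the
# rest of this chain is ever evaluated for it.
add action=jump chain=input comment="SYN Flood INPUT" connection-state=new \
jump-target=syn-attack protocol=tcp tcp-flags=syn
# Bruteforce staging. Evaluated top-down; each add-src-to-address-list is
# non-terminating, so one SYN can advance a source from connection1 through
# connection2/connection3 to bruteforce_blacklist over successive attempts.
# These rules only see SYNs that come back from syn-attack.
add action=add-src-to-address-list address-list=bruteforce_blacklist \
address-list-timeout=1d chain=input comment=Blacklist connection-state=\
new dst-port=1026,8292 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 \
address-list-timeout=1h chain=input comment="Third attempt" \
connection-state=new dst-port=1026,8292 protocol=tcp src-address-list=\
connection2,!secured
add action=add-src-to-address-list address-list=connection2 \
address-list-timeout=15m chain=input comment="Second attempt" \
connection-state=new dst-port=1026,8292 protocol=tcp src-address-list=\
connection1
add action=add-src-to-address-list address-list=connection1 \
address-list-timeout=5m chain=input comment="First attempt" \
connection-state=new dst-port=1026,8292 protocol=tcp
# NOTE(review): with disabled=yes, no rule below accepts a NEW connection to
# 1026/8292, and the final "drop all" rule has no interface matcher. Once
# syn-attack stops accepting SYNs (fix below), ssh/winbox are cut off from
# everywhere; enable this rule (ideally further restricted to the addresses
# you manage from) before applying the change.
add action=accept chain=input comment="bruteforce ssh&winbox" disabled=yes \
dst-port=1026,8292 protocol=tcp src-address-list=!bruteforce_blacklist
add action=accept chain=input comment="WG VPN Rule" dst-port=13231 protocol=\
udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Sources flagged by the scan detectors above are dropped here, i.e. on
# their next packet rather than the one that got them listed.
add action=drop chain=input src-address-list="port scanners"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# No in-interface-list matcher: this drops ALL remaining input on every
# interface (the stock default config limits it with in-interface-list=!LAN).
add action=drop chain=input comment="defconf: drop all not coming from LAN"
# Same jump as in input: forward traffic also depends on syn-attack returning.
add action=jump chain=forward comment="SYN Flood FW" connection-state=new \
jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# FIX: this rule was action=accept. In a user chain, accept ends filtering for
# the packet, so every SYN under the limit was accepted outright, for both the
# input and forward jumps, and never reached the bruteforce counters, the
# "port scanners" drop, or the final drop rules after the jump. That is the
# "bypass" and the reason the bruteforce rules never matched. return hands
# the packet back to the calling chain; only the over-limit SYNs are dropped.
add action=return chain=syn-attack connection-state=new limit=400,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new log=yes log-prefix=\
SYN-ATK protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
/ip firewall raw
# Dropped in raw (before conntrack) and logged.
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log=yes \
log-prefix="WAN DNS" protocol=udp
/ip route
add dst-address=0.0.0.0/0 gateway=5.XXXX.XXXX.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# Non-default ports; these are the 1026/8292 referenced by the filter rules.
set ssh port=1026
set api disabled=yes
set winbox port=8292
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Amsterdam
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no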