Community discussions

MikroTik App
 
dima1002
Member Candidate
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

DDOS Blacklist

Thu Jan 12, 2023 4:38 pm

Hello,
I installed DDOS in my firewall. But it happens again and again that my telephone system or my DNS server is blacklisted. Why?

Here is my Firewall:
# jan/12/2023 10:52:40 by RouterOS 7.6
# software id = S11F-7CCV
#
# model = RB4011iGS+
# serial number = HD30857WKJ4
/ip firewall address-list
add address=10.99.1.0/24 list=local
add address=10.245.1.0/24 list=local
add address=10.178.1.0/24 list=local
add address=10.178.2.0/24 list=local
add address=10.178.3.0/24 list=local
add address=192.168.114.0/24 list=local
add address=10.178.4.0/24 list=local
add address=10.178.5.0/24 list=local
add address=10.178.6.0/24 list=local
add address=10.178.7.0/24 list=local
add address=10.178.8.0/24 list=local
add list=local
add address=8.8.8.8 list=DNS
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
    "Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
    "Black List (Port Scanner LAN)"
add address=192.168.111.0/24 list=local
add address=10.246.1.0/24 list=local
add address=10.247.1.0/24 list=local
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=drop chain=input comment="Drop Netbios" connection-state="" \
    dst-port=137,138 protocol=udp
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address-list=DNS
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    10m chain=detect-ddos
add action=drop chain=forward comment="Drop DDOS" connection-state=new \
    disabled=yes dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=input comment=\
    "Drop anyone in the Port Scanner (WAN) list." in-interface-list=WAN log=\
    yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
    "Black List (Port Scanner WAN)"
add action=drop chain=forward comment=\
    "Drop anyone in the Port Scanner (WAN) list." in-interface-list=WAN log=\
    yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
    "Black List (Port Scanner WAN)"
add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
    comment="Add TCP port scanner to Port Scanner (WAN) list." \
    in-interface-list=WAN log=yes log-prefix=\
    "Add_Black List (Port Scanner WAN)" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=\
    "Drop anyone in the Port Scanner (LAN) list." in-interface-list=WAN log=\
    yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
    "Black List (Port Scanner LAN)"
add action=drop chain=forward comment=\
    "Drop anyone in the Port Scanner (LAN) list." in-interface-list=WAN log=\
    yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
    "Black List (Port Scanner LAN)"
add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner LAN)" address-list-timeout=4w2d chain=forward \
    comment="Add TCP port scanner to Port Scanner (LAN) list." \
    in-interface-list=WAN log=yes log-prefix=\
    "Add_Black List (Port Scanner LAN)" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop anyone in Black List (Winbox)." \
    in-interface-list=WAN log=yes log-prefix="BL_Black List (Winbox)" \
    src-address-list="Black List (Winbox)"
add action=jump chain=input comment="Jump to Black List (Winbox) chain." \
    dst-port=8291 in-interface-list=WAN jump-target=\
    "Black List (Winbox) Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Winbox)" \
    address-list-timeout=4w2d chain="Black List (Winbox) Chain" comment="Trans\
    fer repeated attempts from Black List (Winbox) Stage 6 to Black List (Winb\
    ox)." connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "Add_Black List (Winbox)" src-address-list="Black List (Winbox) Stage 6"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 6" \
    address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add succesive attempts to Black List (Winbox) Stage 6." \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "Add_Black List (Winbox) S6" src-address-list=\
    "Black List (Winbox) Stage 5"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 5" \
    address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add succesive attempts to Black List (Winbox) Stage 5." \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "Add_Black List (Winbox) S5" src-address-list=\
    "Black List (Winbox) Stage 4"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 4" \
    address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add succesive attempts to Black List (Winbox) Stage 4." \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "Add_Black List (Winbox) S4" src-address-list=\
    "Black List (Winbox) Stage 3"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 3" \
    address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add succesive attempts to Black List (Winbox) Stage 3." \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "Add_Black List (Winbox) S3" src-address-list=\
    "Black List (Winbox) Stage 2"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 2" \
    address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add succesive attempts to Black List (Winbox) Stage 2." \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "Add_Black List (Winbox) S2" src-address-list=\
    "Black List (Winbox) Stage 1"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 1" \
    address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add initial attempt to Black List (Winbox) Stage 1." connection-state=\
    new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox) S1"
add action=return chain="Black List (Winbox) Chain" comment=\
    "Return From Black List (Winbox) chain."
add action=drop chain=input comment="Drop anyone in Black List (SSH)." \
    in-interface-list=WAN log=yes log-prefix="BL_Black List (SSH)" \
    src-address-list="Black List (SSH)"
add action=jump chain=input comment="Jump to Black List (SSH) chain." \
    dst-port=45735 in-interface-list=WAN jump-target="Black List (SSH) Chain" \
    protocol=tcp
add action=add-src-to-address-list address-list="Black List (SSH)" \
    address-list-timeout=4w2d chain="Black List (SSH) Chain" comment="Transfer\
    _repeated attempts from Black List (SSH) Stage 3 to Black List (SSH)." \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "Add_Black List (SSH)" src-address-list="Black List (SSH) Stage 3"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 3" \
    address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
    "Add successive attempts to Black List (SSH) Stage 3." connection-state=\
    new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S3" \
    src-address-list="Black List (SSH) Stage 2"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 2" \
    address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
    "Add successive attempts to Black List (SSH) Stage 2." connection-state=\
    new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S2" \
    src-address-list="Black List (SSH) Stage 1"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 1" \
    address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
    "Add initial attempt to Black List (SSH) Stage 1." connection-state=new \
    in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S1"
add action=return chain="Black List (SSH) Chain" comment=\
    "Return From Black List (SSH) chain."
add action=accept chain=input comment="Accept established connections" \
    connection-state=established
add action=accept chain=input comment="Accept related connections" \
    connection-state=related
add action=accept chain=input comment="Accept SSH for secure shell" dst-port=\
    45735 log=yes log-prefix=SSH_LOGIN protocol=tcp
add action=accept chain=input comment="Allow limited pings" limit=\
    50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=accept chain=input comment="Accept VPN" protocol=ipsec-esp
add action=accept chain=input comment="Accept OpenVPN" dst-port=1194 log=yes \
    log-prefix=VPN_LOGIN protocol=tcp
add action=accept chain=input comment="Accept VPN" dst-port=500,4500,1701 \
    protocol=udp
add action=accept chain=input comment="Accept Winbox access" dst-port=8291 \
    log=yes log-prefix=MIKROTIK_LOGIN protocol=tcp src-address-list=local
add action=accept chain=input comment="Accept Winbox access" dst-port=51308 \
    log=yes log-prefix=MIKROTIK_LOGIN protocol=udp
add action=accept chain=input comment="Accept Winbox MAC" dst-port=20561 \
    in-interface-list=!WAN log=yes log-prefix=MIKROTIK_MAC_LOGIN protocol=udp \
    src-address-list=local
add action=accept chain=input comment="Accept NDP" dst-port=5678 \
    in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept DNS Querry" dst-port=53 \
    in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept NTP Querry" dst-port=123 \
    in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept DHCP Querry" dst-port=67 \
    in-interface-list=!WAN protocol=udp src-address-list=local src-port=68
add action=accept chain=input comment="Accept SNMP" dst-port=161 \
    in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept Winbox http" dst-port=1455 \
    in-interface-list=!WAN protocol=tcp src-address-list=local
add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \
    in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
    src-address-type=local
add action=drop chain=input comment="Drop everything else" log=yes \
    log-prefix="IN DROP REST -> "
add action=accept chain=forward comment="PF Mailserver" disabled=yes \
    dst-port=443 protocol=tcp
add action=accept chain=forward comment="PF Mailserver" disabled=yes \
    dst-port=80 protocol=tcp
add action=accept chain=forward comment="Accept DSTNAT connections" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Accept established connections" \
    connection-state=established
add action=accept chain=forward comment="Accept related connections" \
    connection-state=related
add action=accept chain=forward comment="Accept VPN" in-interface=l2tp-XX
add action=accept chain=forward comment="Accept VPN" in-interface=CLOUD
add action=accept chain=forward comment="Accept VPN" out-interface=l2tp-XX
add action=accept chain=forward comment="Accept VPN" out-interface=CLOUD
add action=accept chain=forward comment="Accept VPN" in-interface=\
    l2tp-MKI01DK01
add action=accept chain=forward comment="Accept VPN" out-interface=\
    l2tp-MKI01DK01
# l2tp-MKI01DK02 not ready
add action=accept chain=forward comment="Accept VPN" in-interface=\
    l2tp-MKI01DK02 log=yes
# l2tp-MKI01DK02 not ready
add action=accept chain=forward comment="Accept VPN" out-interface=\
    l2tp-MKI01DK02
add action=accept chain=forward comment="Allow Forward to WAN1" \
    out-interface=WAN1
add action=accept chain=forward comment="Allow Forward to WAN2" \
    out-interface=WAN2
add action=accept chain=forward comment="Allow Forward to WAN3" disabled=yes \
    out-interface=ether10
add action=drop chain=forward comment="Drop invalid connections" \
    connection-state=invalid
add action=log chain=forward comment="Log everything else" log-prefix=\
    "DROP FORWARD"
add action=drop chain=forward comment="Drop everything else"
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=10.52.31.0/24 \
    src-address=10.245.1.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=WAN1 \
    log=yes protocol=tcp to-addresses=192.168.0.10 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=WAN1 \
    log=yes protocol=tcp to-addresses=192.168.0.10 to-ports=80
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat disabled=yes out-interface=ether10
add action=accept chain=srcnat
/ip firewall service-port
set sip disabled=yes
 
User avatar
k6ccc
Forum Guru
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:

Re: DDOS Blacklist

Thu Jan 12, 2023 6:19 pm

I'm not even going to try to read through your spaghetti. You have all your chains are mixed up. Although it makes no difference to the router, it makes it REALLY hard for us humans to read. Re-sort your chains so the entire Input chain is together, then the Forward, etc.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DDOS Blacklist

Thu Jan 12, 2023 6:39 pm

If you insist on using a non-edge router for business purposes that includes like a phone system that has to open to the public, then suggest you
look at some other solutions and get rid of all the garbage bloatware you have added to the default firewall rules.....

This is a starting place - https://itexpertoncall.com/index.html
specializes in MT setups - https://itexpertoncall.com/promotional/moab.html

and specifically addresses PBX concerns here - https://itexpertoncall.com/additional_i ... hield.html

Who is online

Users browsing this forum: Ahrefs [Bot] and 46 guests