MikroTik Firewall: Detailed Rules for Blocking Services, Explained

The firewall implements packet filtering and therefore provides the security functions used to manage the flow of data to, from and through the router. Together with network address translation, it serves as a tool to prevent unauthorized access to the directly connected networks and to the router itself, as well as a filter for outgoing traffic.

In this post we show some detailed examples of blocking services inside the network.

Script with the applied rules: http://adf.ly/1h7XlG
Winbox version 3.7: http://adf.ly/1grCaP

Basic universal firewall script.

HANDS ON! First we need to create our ADDRESS LIST with the IPs we will use most often.
Below, change x.x.x.x/x to your technical (support) subnet. This subnet will have full access to the router.

/ip firewall address-list add address=10.0.10.1/30 disabled=no list=support

Now we have protection against SYN flood, ICMP flood, port scans, e-mail spam and more. For details, read the comment on each rule.

/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=\
    tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Allows access to winbox from the WAN  # DO NOT ENABLE THIS RULE IF YOU DO NOT WANT TO ACCESS FROM THE INTERNET" disabled=yes \
    dst-port=8291 in-interface="ISP ether10" protocol=tcp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" \
    disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
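To see how rule order decides the outcome, here is an added example (not part of the original post or of RouterOS) that models the input chain above as a first-match walk in Python: the `Pkt` fields, the `src_list` set standing in for address-list membership, and the `enable_disabled` switch are all assumptions of this model, and the `connection-limit` and `psd` thresholds themselves are not simulated.

```python
from dataclasses import dataclass, field

@dataclass
class Pkt:  # one packet hitting the router's input chain (constructed test input)
    proto: str                                  # "tcp", "udp" or "icmp"
    dport: int = 0                              # destination port
    src_list: set = field(default_factory=set)  # address lists the source IP is on
    state: str = "new"                          # new / established / related
    icmp: str = ""                              # "type:code" for ICMP packets

# (chain, matchers, action, jump target, enabled), in the page's order. List-building
# rules (add-src-to-address-list, psd) only feed src_list; WAN winbox accept omitted.
RULES = [
    ("input", {"proto": "tcp", "src_list": "Syn_Flooder"}, "drop", None, True),
    ("input", {"proto": "tcp", "src_list": "Port_Scanner"}, "drop", None, True),
    ("input", {"proto": "icmp"}, "jump", "ICMP", True),
    ("input", {"proto": "tcp", "dport": 8291, "not_src_list": "support"}, "drop", None, False),
    ("input", {"proto": "udp", "dport": 53}, "accept", None, True),
    ("input", {"proto": "tcp", "dport": 53}, "accept", None, True),
    ("input", {"state": "established"}, "accept", None, True),
    ("input", {"state": "related"}, "accept", None, True),
    ("input", {"src_list": "support"}, "accept", None, True),
    ("input", {}, "drop", None, False),  # "Drop anything else!" ships disabled
    ("ICMP", {"icmp": "0:0"}, "accept", None, True),
    ("ICMP", {"icmp": "11:0"}, "accept", None, True),
    ("ICMP", {"icmp": "3:0"}, "accept", None, True),  # 3:0-1 as two rows
    ("ICMP", {"icmp": "3:1"}, "accept", None, True),
    ("ICMP", {"icmp": "3:4"}, "accept", None, True),
    ("ICMP", {}, "drop", None, True),
]

def matches(m, p):  # every matcher on a rule line must hold (AND)
    for key, want in m.items():
        if key == "src_list" and want not in p.src_list: return False
        if key == "not_src_list" and want in p.src_list: return False  # list=!support
        if key not in ("src_list", "not_src_list") and getattr(p, key) != want: return False
    return True

def walk(p, chain="input", enable_disabled=False):
    """First match wins; an exhausted jump chain returns None to its caller, an exhausted input chain ends in RouterOS's default accept."""
    for c, m, action, target, enabled in RULES:
        if c != chain or not (enabled or enable_disabled) or not matches(m, p):
            continue
        if action != "jump":
            return action
        result = walk(p, target, enable_disabled)
        if result is not None:  # target chain matched nothing: keep walking here
            return result
    return None if chain != "input" else "accept"
```

Walking the model shows what the page's comments imply: with the final "Drop anything else!" rule disabled, any unmatched input packet (for example TCP/22 from the WAN) is accepted, the `port=53` rules accept DNS from any interface, and an ICMP echo request is dropped even from the support list, because the jump to the ICMP chain comes before the support accept and that chain ends in a drop. The forward-chain rules also reference `bogons` and `spammers` address lists that this script does not create.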


I think this is basic. You can add or remove anything else according to your needs. I hope it helps!
