Securing your Mikrotik Router


A basic hardening baseline for MikroTik RouterOS: switch off the management services you do not use, then apply a default-deny firewall to the router's input chain. The rules below are IPv4 only — a router with IPv6 enabled needs an equivalent rule set under /ipv6 firewall.


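# Management services. Cleartext protocols are switched off; what stays on is
# bound to the management subnets that the firewall address lists below use
# (192.168.155.0/24 = local-addr, 192.168.154.0/30 = safe-addr).
/ip service
# telnet and ftp send credentials in cleartext.
set telnet disabled=yes
set ftp disabled=yes
# The RouterOS API is rarely needed on a small router; leave it off unless a
# management tool depends on it (api-ssl is the encrypted variant, also off).
set api disabled=yes
set api-ssl disabled=yes
# The original page disabled ssh and kept plain http as the management
# channel, which is backwards: keep the encrypted CLI and restrict who can
# even reach it by source address.
set ssh address=192.168.155.0/24,192.168.154.0/30 disabled=no
# Moving http to port 82 is not a security control; the session is still
# cleartext. The port is kept for compatibility, but the listener is limited to
# the management subnets. Prefer www-ssl with a certificate if a browser UI is
# needed at all.
set www address=192.168.155.0/24,192.168.154.0/30 port=82
# Winbox stays available to the same subnets only. Note that MAC-winbox is a
# layer-2 path that this IP restriction does not cover (see /tool mac-server).
set winbox address=192.168.155.0/24,192.168.154.0/30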



# Source-address lists consumed by the input chain below. Replace these two
# example subnets with your own: local-addr is the LAN management subnet,
# safe-addr the second trusted subnet accepted by the "safe network" rule.
# blocked-addr (used by the filter rules) is populated dynamically and needs
# no static entries here.
/ip firewall address-list
add list=local-addr address=192.168.155.0/24
add list=safe-addr address=192.168.154.0/30


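/ip firewall filter
# --- input chain: traffic addressed to the router itself (IPv4 only; nothing
# on this page touches /ipv6 firewall, so add an equivalent set there if IPv6
# is enabled).
add chain=input connection-state=established action=accept comment="accept established connection packets"
add chain=input connection-state=related action=accept comment="accept related connection packets"
# Scan signatures are evaluated BEFORE the invalid-state drop. A FIN, NULL or
# Xmas probe belongs to no tracked connection and connection tracking normally
# classes such packets as invalid, so in the original order (invalid dropped
# first) these rules could rarely match anything.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1h comment="Port scanners to list "
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=blocked-addr address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=blocked-addr address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=2w comment="NMAP NULL scan"
add chain=input connection-state=invalid action=drop comment="drop invalid packets"
# add-src-to-address-list does not stop rule processing, so the probe packet
# itself is discarded here or by the final drop; the listing takes effect on
# the source's next new connection.
add chain=input connection-state=new src-address-list=blocked-addr action=drop comment="Drop blocked traffic"
# Trusted sources are accepted before any rate limiting. In the original order
# the 3-connection tarpit came first, so a LAN client with a few open sessions
# to the router (proxy, DNS, winbox) was tarpitted on its next connection.
add chain=input connection-state=new src-address-list=local-addr action=accept comment="Allow access to router from local network"
add chain=input connection-state=new src-address-list=safe-addr action=accept comment="Allow access to router from safe network"
# Connection-flood handling for untrusted sources. The 20-connection listing
# rule must precede the 3-connection tarpit: tarpit terminates processing and
# any packet exceeding 20 connections also exceeds 3, so with the tarpit first
# the listing rule was never consulted. Whether tarpitted SYNs stay counted
# toward the limit is not something this page establishes — if the listing
# rule still never fires in practice, fold the two into one threshold.
add chain=input protocol=tcp connection-limit=20,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="detect DoS attack"
add chain=input protocol=tcp connection-limit=3,32 action=tarpit comment="suppress DoS attack"
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP"
# Everything not already accepted — including packets arriving on the WAN —
# is checked against the services chain.
add chain=input action=jump jump-target=services comment="jump to chain services"
add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic"
# Enable temporarily to see what the final drop is catching.
add chain=input action=log log-prefix=Filter: disabled=yes
add chain=input action=drop comment="drop everything else"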
# --- ICMP chain: only the message types needed for reachability testing and
# path-MTU discovery get through (echo reply/request, port unreachable,
# fragmentation needed, TTL exceeded); each rule carries its own limit, which
# the page's comments read as 5 packets/s. The limit counts matches of the
# rule, not of each source, so one noisy host can exhaust the echo-request
# budget for everyone — unchanged from the original.
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s"
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s"
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s"
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s"
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s"
# Any other ICMP type, and anything over the limits above, is dropped here
# rather than returning to the input chain.
add chain=ICMP protocol=icmp action=drop comment="Drop everything else"
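# --- services chain. The input chain jumps here for every source that is NOT
# in local-addr/safe-addr and not already blocked — which includes the WAN.
# Nothing below matches on interface, so each accept is an internet-facing
# listener. Scope the rules with in-interface=<your WAN interface> negated, or
# with a src-address-list, before deploying; the ones marked "exposure" are
# the usual abuse targets (open resolver, open proxy, amplification).
# NOTE(review): the localhost rule has no interface match either, so a packet
# forged with source 127.0.0.1 on a physical interface matches it unless the
# kernel already discards it as a martian — confirm whether the rule is needed.
add chain=services src-address=127.0.0.1 action=accept comment="accept localhost"
add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox "
# exposure: the bandwidth-test server lets any client generate load against
# the router; keep it off unless it is actually used.
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server"
add chain=services protocol=udp dst-port=5678 action=accept comment=" MT Discovery Protocol"
# SNMP is UDP/161. The original rule said protocol=tcp and therefore never
# matched an SNMP poll. v1/v2c community strings are cleartext — restrict this
# to the monitoring host.
add chain=services protocol=udp dst-port=161 action=accept comment="allow SNMP"
add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP"
# BGP runs over TCP/179 only. The original udp/5000-5100 rule labelled "BGP"
# opened an unrelated port range; it is kept but disabled until whatever
# actually needs it is identified.
add chain=services protocol=udp dst-port=5000-5100 action=accept disabled=yes comment="allow BGP"
add chain=services protocol=udp dst-port=123 action=accept comment="Allow NTP"
# PPTP's MS-CHAPv2 authentication is considered broken; prefer IPsec or
# L2TP-over-IPsec for new deployments.
add chain=services protocol=tcp dst-port=1723 action=accept comment="Allow PPTP"
add chain=services protocol=gre action=accept comment="allow PPTP and EoIP"
# exposure: DNS answered for any source makes the router an open resolver
# usable for reflection attacks. Restrict to the subnets it should serve.
add chain=services protocol=tcp dst-port=53 action=accept comment="allow DNS request"
add chain=services protocol=udp dst-port=53 action=accept comment="Allow DNS request"
# exposure: SSDP (udp/1900) is itself a known amplification vector, and UPnP
# lets hosts open NAT pinholes; only ever accept it from the LAN side.
add chain=services protocol=udp dst-port=1900 action=accept comment=UPnP
add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP"
add chain=services protocol=tcp dst-port=2828 action=accept comment=UPnP
# exposure: an internet-reachable web proxy or SOCKS server is found and
# abused quickly; match hotspot clients by address list instead of accepting
# from anywhere.
add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy"
add chain=services protocol=ipencap action=accept comment="allow IPIP"
add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot"
add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot"
# IKE on udp/500. Peers behind NAT also need NAT-T on udp/4500; not added here
# because the page does not show it in use.
add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections"
add chain=services protocol=ipsec-esp action=accept comment="allow IPSec"
add chain=services protocol=ipsec-ah action=accept comment="allow IPSec"
# Routing protocols accept updates from any peer that can reach the router;
# enable authentication in the RIP/OSPF configuration rather than relying on
# these rules alone.
add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP"
add chain=services protocol=ospf action=accept comment="allow OSPF"
# Anything not listed returns to the input chain, where it is dropped.
add chain=services action=return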
