Набор правил для Mikrotik

Разрешить IP билинга:

add action=accept chain=input comment="Allow Billing" disabled=no src-addres="10.10.10.1"

Разрешить пинги:

add action=accept chain=input comment="Allow Pings" disabled=no protocol=icmp
add action=accept chain=forward disabled=no protocol=icmp

Защита от DNS флуда или DNS Amplification: Нужно заменить внешний интерфейс(ether1) на ваш

add action=accept chain=forward comment="DNS Flood" disabled=no dst-port=53 protocol=udp
add action=add-src-to-address-list address-list=dns_flood address-list-timeout=1h chain=input disabled=no dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input disabled=no dst-port=53 in-interface=ether1 protocol=udp src-address-list=dns_flood

Блокировать сканеры портов:

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list=port_scanners

Блокировать invalid сессии:

add action=drop chain=input comment="DROP invalid" connection-state=invalid disabled=no

Блокировать Telnet брутфорс:

add action=drop chain=input comment="DROP Telnet brutforce" disabled=no dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=30m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp

Блокировать SSH брутфорс:

add action=drop chain=input comment="Drop SSH brutforce" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=30m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp

Блокировать SYN флуд:

add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="SYN Flood" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="DROP syn flood" disabled=no src-address-list=Syn_Flooder
  • billing/howto/mikrotikfw.txt
  • Последние изменения: 3 лет назад
  • — Олег Вильковский