Setting up a Firewall with MikroTik

I wanted to share a small script for MikroTik that I always use as one of the first steps when configuring a MikroTik device.

From this base I then go on to make my own modifications, but having it always to hand saves a lot of time.

MY FIREWALL

/ip firewall filter

# FTP access to a server; change the IP #
add action=accept chain=accept_list comment="Forward FTP to Server" dst-address=192.168.20.10 dst-port=21 protocol=tcp

# VNC access to a PC; change the IP #
add action=accept chain=accept_list comment="Forward VNC to PC" dst-address=192.168.20.10 dst-port=5900 protocol=tcp

# known_viruses AND Bad People #
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" dst-port=135-139 protocol=tcp
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" dst-port=135-139 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" dst-port=593 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" dst-port=4444 protocol=tcp
add action=drop chain=known_viruses comment="WITTY worm" dst-port=4000 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=995-999 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=8998 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" dst-port=2745 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" dst-port=4751 protocol=tcp
add action=drop chain=known_viruses comment="SQL Slammer" dst-port=1434 protocol=tcp
add action=drop chain=bad_people comment="Known Spammer" src-address=81.180.98.3
add action=drop chain=bad_people comment="Known Spammer" src-address=24.73.97.226
add action=drop chain=bad_people comment="http://isc.incidents.org/top10.html listed" src-address=67.75.20.112
add action=drop chain=bad_people src-address=218.104.138.166
add action=drop chain=bad_people src-address=212.3.250.194
add action=drop chain=bad_people src-address=203.94.243.191
add action=drop chain=bad_people src-address=202.101.235.100
add action=drop chain=bad_people src-address=58.16.228.42
add action=drop chain=bad_people src-address=58.248.8.2
add action=drop chain=bad_people src-address=202.99.11.99
add action=drop chain=bad_people src-address=218.52.237.219
add action=drop chain=bad_people src-address=222.173.101.157
add action=drop chain=bad_people src-address=58.242.34.235
add action=drop chain=bad_people src-address=222.80.184.23
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"

# Drop SSH brute force #
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp

# Limit FTP connections #
add action=drop chain=input comment="allows only 10 FTP login incorrect answers per minute" dst-port=21 protocol=tcp src-address-list=ftp_blacklist

# Add to lists #
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp

add action=drop chain=forward comment="drop invalid connections DELETE" connection-state=invalid
add action=drop chain=forward comment="Blocks SSH" dst-port=22 protocol=tcp
add action=jump chain=forward comment="Known virus ports DELETE" jump-target=known_viruses
add action=jump chain=forward comment="kill known bad source addresses DELETE" jump-target=bad_people
add action=jump chain=forward comment="Jump to Accepted List" jump-target=accept_list
add action=accept chain=forward comment="allow established connections DELETE" connection-state=established
add action=accept chain=forward comment="allow related connections DELETE" connection-state=related
add action=accept chain=forward comment="Allow All"
add chain=input connection-state=established action=accept comment="Accept established connections"
add chain=input connection-state=related action=accept comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox"

# DoS attacks #
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no

# PING limits #
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no

# An outgoing allow, except for unwanted traffic #
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward protocol=tcp action=accept comment="allow TCP"
add chain=forward protocol=icmp action=accept comment="allow ping"
add chain=forward protocol=udp action=accept comment="allow udp"
add chain=forward action=drop comment="drop everything else"
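A flat rule list like this one hides two structural mistakes that are easy to make: a custom chain that no rule jumps into (here `virus` and `ICMP`) never executes, and rules placed after an unconditional accept or drop in the same chain (here everything in `forward` after "Allow All") are never reached. The following Python linter is an added example, not part of the original post; it parses a `/ip firewall filter` export and reports both problems, and the embedded sample is a constructed subset of the rules above.

```python
"""Lint a RouterOS '/ip firewall filter' rule list for orphan chains and shadowed rules."""
import re

BUILTIN_CHAINS = {"input", "forward", "output"}
# Attributes that do not restrict what a rule matches (so a rule with only these is unconditional).
NON_MATCHERS = {"chain", "action", "comment", "disabled", "jump-target",
                "address-list", "address-list-timeout", "log", "log-prefix"}

# Constructed sample: a subset of the rules from the script above, in the same order.
SAMPLE = """\
/ip firewall filter
add action=drop chain=known_viruses comment="SQL Slammer" dst-port=1434 protocol=tcp
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add action=jump chain=forward comment="Known virus ports" jump-target=known_viruses
add action=accept chain=forward comment="Allow All"
add chain=ICMP protocol=icmp action=drop comment="Drop everything else"
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=drop comment="drop everything else"
"""


def parse_rule(line):
    """Turn one 'add key=value ...' line into a dict; quoted values may contain spaces."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in re.findall(r'(\S+?)=(?:"([^"]*)"|(\S+))', line)}


def lint(script):
    """Return (orphan chains, comments of shadowed rules) for a rule list."""
    rules = [parse_rule(l) for l in script.splitlines() if l.strip().startswith("add ")]
    defined = {r["chain"] for r in rules}
    jumped = {r["jump-target"] for r in rules if r.get("action") == "jump"}
    # Custom chains only run when something jumps into them.
    orphans = sorted(defined - BUILTIN_CHAINS - jumped)
    shadowed, closed = [], set()
    for r in rules:
        if r["chain"] in closed:
            shadowed.append(r.get("comment", "<no comment>"))
        # RouterOS defaults action to accept; a rule with no matchers terminates the chain.
        elif not (set(r) - NON_MATCHERS) and r.get("action", "accept") in ("accept", "drop"):
            closed.add(r["chain"])
    return orphans, shadowed


if __name__ == "__main__":
    orphans, shadowed = lint(SAMPLE)
    print("chains never jumped into:", orphans)
    print("rules that can never match:", shadowed)
```

Run it against a `/ip firewall filter export` of the live router to catch the same two problems after you have made your own modifications.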
