Montar un Firewall con Mikrotik

Quería compartir un pequeño script para MikroTik que uso siempre como uno de los primeros pasos al configurar un equipo nuevo.

A partir de este script voy haciendo luego mis modificaciones, pero ahorra mucho tiempo tenerlo siempre a mano. Ojo: es una plantilla, no una configuración final. Hay que cambiar las direcciones IP marcadas con «Cambiar IP», revisar el orden de las reglas (en RouterOS se evalúan de arriba abajo y la primera que coincide decide) y comprobar que las comillas se pegan como comillas rectas, porque las tipográficas del blog rompen el script.

MI FIREWALL

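/ip firewall filter

# --- Port-forward allow list (chain accept_list) ---
# Reached by jump from the forward chain. Both rules point at one LAN host:
# change 192.168.20.10 to the real server before use. The filter rules do not
# create the port forward by themselves; the matching dst-nat rules are not
# part of this script.
# Neither rule limits src-address or in-interface, so the service is accepted
# from any source that can reach it. FTP (21) and VNC (5900) carry credentials
# in clear text; restrict src-address to trusted ranges or reach them over a
# VPN / SFTP instead of exposing them directly.
add action=accept chain=accept_list comment="Forward FTP to Server" dst-address=192.168.20.10 dst-port=21 protocol=tcp
add action=accept chain=accept_list comment="Forward VNC to PC" dst-address=192.168.20.10 dst-port=5900 protocol=tcp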

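# --- known_viruses / bad_people (reached by jump from the forward chain) ---
# These rules match destination port only, with no in-interface, direction or
# address filter, so they also drop legitimate SMB/RPC traffic (135-139, 445)
# routed between LAN segments. Dropping a worm's propagation port limits damage;
# it does not clean an infected host.
add action=drop chain=known_viruses comment="windows – not EXACTLY a virus" dst-port=135-139 protocol=tcp
add action=drop chain=known_viruses comment="windows – not EXACTLY a virus" dst-port=135-139 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" dst-port=593 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" dst-port=4444 protocol=tcp
add action=drop chain=known_viruses comment="WITTY worm" dst-port=4000 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=995-999 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=8998 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" dst-port=2745 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" dst-port=4751 protocol=tcp
# SQL Slammer propagated over UDP/1434 (SQL Server Resolution Service); the
# original TCP-only rule never matched it. Both are kept so the intent is clear.
add action=drop chain=known_viruses comment="SQL Slammer" dst-port=1434 protocol=tcp
add action=drop chain=known_viruses comment="SQL Slammer (UDP)" dst-port=1434 protocol=udp

# Static source blocklist. These single addresses come from an old public
# "top 10" list; IPv4 space is reassigned constantly, so hard-coded entries
# like these lose value quickly and can block innocent hosts. Prefer an
# address-list with address-list-timeout fed from a maintained feed.
add action=drop chain=bad_people comment="Known Spammer" src-address=81.180.98.3
add action=drop chain=bad_people comment="Known Spammer" src-address=24.73.97.226
add action=drop chain=bad_people comment="http://isc.incidents.org/top10.html listed" src-address=67.75.20.112
add action=drop chain=bad_people src-address=218.104.138.166
add action=drop chain=bad_people src-address=212.3.250.194
add action=drop chain=bad_people src-address=203.94.243.191
add action=drop chain=bad_people src-address=202.101.235.100
add action=drop chain=bad_people src-address=58.16.228.42
add action=drop chain=bad_people src-address=58.248.8.2
add action=drop chain=bad_people src-address=202.99.11.99
add action=drop chain=bad_people src-address=218.52.237.219
add action=drop chain=bad_people src-address=222.173.101.157
add action=drop chain=bad_people src-address=58.242.34.235
add action=drop chain=bad_people src-address=222.80.184.23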

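# --- virus chain: extended port-based worm/backdoor list ---
# NOTE(review): nothing in this script jumps to chain "virus" (the forward
# chain only jumps to known_viruses, bad_people and accept_list), so as
# published these rules are never evaluated. To activate them add
#   add chain=forward action=jump jump-target=virus
# in the forward chain ahead of the accept rules.
# Review the list before enabling it: besides worm ports it drops TCP
# 1024-1030 (an ordinary dynamic/RPC port range), 1080 (SOCKS), 1214,
# 3127-3128 (a common proxy port) and 10000, which will break legitimate
# services that use those ports. There is no direction filter, so the drops
# apply to LAN-to-LAN and outbound traffic as well.
# The "________" comments are placeholders left by the author.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
# The original had a second identical TCP/2745 rule ("Drop Beagle.C-K") below;
# it could never match after this one and has been removed.
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"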

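# --- SSH brute-force protection for the router's own sshd (chain input) ---
# Each rule must be pasted as a single line; the published version was wrapped
# at "dst-port", which RouterOS rejects without a trailing backslash.
# How it works (add-src-to-address-list passes the packet on to the next
# rule, so one new connection can update several lists):
#   1st new connection to port 22 within a minute  -> ssh_stage1
#   2nd -> ssh_stage2, 3rd -> ssh_stage3
#   4th -> ssh_blacklist for 10 days; the first rule then drops that source.
# This protects only the router (chain=input), not SSH to hosts behind it.
# Four legitimate logins in a minute from one address also trigger the 10-day
# ban, so put an accept rule for trusted management addresses above these.
# Note that no rule in this script closes the input chain with a drop, so
# port 22 on the router remains reachable from any source by default.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp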

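# --- FTP brute-force protection for the router's own FTP service ---
# The content match looks for the "530 Login incorrect" reply inside packets
# the router itself sends (chain=output). It therefore covers only RouterOS's
# built-in FTP service, NOT the FTP server forwarded to 192.168.20.10 in the
# accept_list section; those replies never pass through chain output.
# dst-limit=1/1m,9,dst-address/1m lets 1 reply per minute plus a burst of 9
# per destination address through (10 failures a minute); anything beyond
# that blacklists the peer for 3 hours. Content matching requires plaintext
# FTP; it does nothing for FTPS/SFTP.
# Each rule must be pasted as one line; the published version was wrapped
# inside the content= string.
add action=drop chain=input comment="allows only 10 FTP login incorrect answers per minute" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp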

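# --- forward chain (traffic passing through the router) ---
# Rules are evaluated top to bottom; the first terminating match decides.
# The published version ended this section with an unconditional accept
# ("Allow All"). That made every forward rule after it — the per-protocol
# allows and the final "drop everything else" in the outgoing section —
# unreachable, so it has been removed here.
# "Blocks SSH" carries no in-interface or src-address, so it drops SSH in
# every direction, including LAN users connecting out. If only inbound SSH
# should be blocked, add in-interface=<WAN interface> (interface names are
# not given in this script).
# The "DELETE" markers inside comment= look like the author's own reminders;
# they have no effect on the firewall.
add action=drop chain=forward comment="drop invalid connections DELETE" connection-state=invalid
add action=drop chain=forward comment="Blocks SSH" dst-port=22 protocol=tcp
add action=jump chain=forward comment="Known virus ports DELETE" jump-target=known_viruses
add action=jump chain=forward comment="kill known bad source addresses DELETE" jump-target=bad_people
add action=jump chain=forward comment="Jump to Accepted List" jump-target=accept_list
add action=accept chain=forward comment="allow established connections DELETE" connection-state=established
add action=accept chain=forward comment="allow related connections DELETE" connection-state=related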

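# --- input chain (traffic addressed to the router itself) ---
# A rule with no action= is accept by default in RouterOS; it is written out
# explicitly here so the policy is visible.
# Security notes:
#  * "UDP" accepts every UDP datagram to the router from any source. That
#    exposes DNS (if the router resolves for clients), SNMP and any other
#    UDP service to the WAN. Limit it to the ports and sources you need.
#  * "winbox" accepts TCP/8291 from any address. Add src-address=<management
#    range> or a src-address-list; do not expose Winbox to the Internet.
#  * No rule in this script closes the input chain with a catch-all drop, so
#    anything not matched (SSH, Telnet, web, API, FTP) is accepted by default.
#    After the DoS/ICMP rules, add something like
#      add chain=input in-interface=<WAN> action=drop comment="drop other input"
#    but only after adding accepts for the management sources you rely on,
#    or you will lock yourself out.
add chain=input action=accept connection-state=established comment="Accept established connections"
add chain=input action=accept connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox"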

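# --- Port-scan and connection-flood handling (chain input) ---
# psd=21,3s,3,1: a source that accumulates weight 21 within 3 s (low ports
# count 3, high ports 1) is treated as a port scanner and the packet dropped.
# connection-limit=10,32: more than 10 concurrent TCP connections from one
# /32 puts the source in black_list for a day (add-src-to-address-list is
# non-terminating, so the packet then continues down the chain).
# While listed, a source still holding more than 3 connections is tarpitted
# (the router keeps the connections open to slow the client down).
# Expect false positives from NAT'd offices and busy clients; put an accept
# for trusted management addresses above these rules.
# Each rule is one line: the published version wrapped them and had a stray
# space in "action= add-src-to-address-list", which RouterOS rejects.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no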

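# --- ICMP chain: rate-limited ping and ICMP error handling ---
# NOTE(review): the published script defines this chain but never jumps to
# it, so the limits never applied and ICMP to the router fell through to the
# input chain's default accept. A jump from chain input is added at the end
# of this section; it matches protocol=icmp only, so the TCP/UDP input rules
# are unaffected.
# Accepted at 5 packets/s (burst 5): echo reply (0), destination unreachable
# codes 3 and 4 (port unreachable / fragmentation needed — needed for
# traceroute and path-MTU discovery), echo request (8), time exceeded (11).
# All other ICMP is dropped.
# The bare "limit=5,5" form is the older syntax; recent RouterOS versions
# expect "limit=5,5:packet" — check on your version before pasting.
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no
# Hand ICMP destined to the router to the chain above.
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to ICMP chain"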

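# --- forward chain tail: per-protocol allows and final drop ---
# NOTE(review): if the forward chain earlier in this script still ends with
# the unconditional accept ("Allow All"), none of these rules is ever reached;
# that accept has to go for this section to take effect.
# Even then, "allow TCP", "allow ping" and "allow udp" accept every TCP, ICMP
# and UDP flow, so the HTTP and SMTP rules are redundant and the final drop
# only ever sees other protocols (GRE, ESP, ...). None of the rules carry
# in-interface, so they apply to WAN->LAN as much as LAN->WAN; a real
# "outgoing only" policy needs in-interface=<LAN interface> on the accepts.
# Consider limiting outbound SMTP (25) to your mail server's address so an
# infected LAN host cannot spam directly.
# Rules with no action= accept by default; made explicit here.
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward action=accept protocol=tcp comment="allow TCP"
add chain=forward action=accept protocol=icmp comment="allow ping"
add chain=forward action=accept protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"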
