input
重点在这里,先把扫描路由端口的IP统统加入黑名单,然后拒绝黑名单任何连接;再跳转到ICMP链表做一些限制,防止Ping攻击之类的;再跳转到services 链表(注意这里只有连接Winbox和DNS的53端口是默认允许的而且是192.168.0.0/16根据自己实际情况修改,其它常用的路由服务端口默认关闭,如果你需要其它服务,请打开,都写上注释了),最后拒绝所有连接!
output
没什么可说的,路由器不会中病毒,也不会无缘无故输出什么没用数据!也没什么策略!
forward
通过的连接,意思就是从客户机和外网之间的那些连接了!
也没什么需要设置的了(因为如果外网想攻击内网IP那是不可能的,因为只有防火墙暴露在公网,也就没有目标了)!
input除我们允许的服务端口外,都关闭了,攻击软件也没什么可乘之机了!服务端口也有策略有条件限制!
注意了:
这个防火墙默认只打开了,8291(winbox) TCP53(DNS) UDP53(DNS) 而且只有内网才能访问!
如果你还是害怕有人从内网攻击这几个端口,那么我建议 winbox干脆指定一个IP,DNS嘛,所有客户机都用得,你关闭了,用公网的得了!
[code]/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment=" port scanners " disabled=no \
src-address-list="port scanners"
add action=drop chain=input comment=" Black list " disabled=no \
src-address-list=black_list
add action=drop chain=input comment="drop invalid packets" connection-state=\
invalid disabled=no
add action=accept chain=input comment="accept related packets" \
connection-state=related disabled=no
add action=accept chain=input comment="accept established packets" \
connection-state=established disabled=no
add action=drop chain=input comment="detect and drop port scan connections" \
disabled=no protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 disabled=no protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="detect DoS attack" \
connection-limit=10,32 disabled=no protocol=tcp
add action=drop chain=input comment="drop all that is not to local" disabled=\
no dst-address-type=!local
add action=jump chain=input comment="jump to chain ICMP" disabled=no \
jump-target=ICMP protocol=icmp
add action=jump chain=input comment="Jump to service" disabled=no \
jump-target=services
add action=jump chain=input comment="jump to Virus" disabled=yes jump-target=\
virus
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no \
icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no \
icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no \
icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no \
icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=accept chain=services comment="Allow winbox" disabled=no dst-port=\
8291 protocol=tcp src-address=192.168.0.0/16
add action=accept chain=services comment="allow ftp" disabled=yes dst-port=\
20-21 protocol=tcp
add action=accept chain=services comment="allow Web Proxy" disabled=yes \
dst-port=8080 protocol=tcp
add action=accept chain=services comment="accept localhost" disabled=yes \
dst-address=127.0.0.1 src-address=127.0.0.1
add action=accept chain=services comment="allow sftp, ssh" disabled=yes \
dst-port=22 protocol=tcp
add action=accept chain=services comment="allow telnet" disabled=yes \
dst-port=23 protocol=tcp
add action=accept chain=services comment="allow http, webbox" disabled=yes \
dst-port=81 protocol=tcp
add action=accept chain=services comment="allow MACwinbox " disabled=yes \
dst-port=20561 protocol=udp
add action=accept chain=services comment=" MT Discovery Protocol" disabled=\
yes dst-port=5678 protocol=udp
add action=accept chain=services comment="allow DNS request" disabled=no \
dst-port=53 protocol=tcp src-address=192.168.0.0/16
add action=accept chain=services comment="Allow DNS request" disabled=no \
dst-port=53 protocol=udp src-address=192.168.0.0/16
add action=accept chain=services comment="allow L2TP" disabled=yes dst-port=\
1701 protocol=udp
add action=accept chain=services comment="allow PPTP" disabled=yes dst-port=\
1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=yes \
protocol=gre
add action=accept chain=services comment="allow IPIP" disabled=yes protocol=\
ipencap
add action=accept chain=services comment=UPnP disabled=yes dst-port=1900 \
protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=2828 \
protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=yes dst-port=\
67-68 protocol=udp
add action=accept chain=services comment="allow NTP" disabled=yes dst-port=\
123 protocol=tcp
add action=accept chain=services comment="allow SNMP" disabled=yes dst-port=\
161 protocol=tcp
add action=accept chain=services comment="allow https for Hotspot" disabled=\
yes dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=\
yes dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" disabled=\
yes dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=\
ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=\
ipsec-ah
add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=\
179 protocol=tcp
add action=accept chain=services comment="allow RIP" disabled=yes dst-port=\
520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=yes protocol=\
ospf
add action=accept chain=services comment="allow BGP" disabled=yes dst-port=\
5000-5100 protocol=udp
add action=accept chain=services comment="allow Telephony" disabled=yes \
dst-port=1720 protocol=tcp
add action=accept chain=services comment="allow Telephony" disabled=yes \
dst-port=1719 protocol=udp
add action=accept chain=services comment="allow VRRP " disabled=yes protocol=\
vrrp
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid disabled=no
add action=drop chain=output comment="drop invalid packets" connection-state=\
invalid disabled=no
add action=drop chain=input comment="Drop All input" disabled=no[/code]