Собрал firewall на две подсети, обычную и гостевую (доступ только в интернет).
Хотелось бы критики, профи себя не считаю, собирал по разным источникам из интернета.
Может, кто-нибудь что-то себе заберёт.
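/ip firewall filter
# Filter ruleset for two LAN segments: LAN_main (full access) and LAN_guest
# (Internet only). Rules are evaluated top-down per chain; add-src-to-address-list
# and fasttrack-connection pass the packet on to the next rule, which is why the
# trap/detection rules sit at the top and the accept/drop rules follow them.
# The numbering in each comment= field is the author's own scheme.
#
# --- Traps (input from WAN): the source goes into TrapAddress for 1w. The raw
# chain (/ip firewall raw) then drops everything from that list on prerouting.
add action=add-src-to-address-list address-list=TrapAddress \
address-list-timeout=1w chain=input comment=\
"#1 TopFirewallRule - Trap for port scanning" in-interface-list=WAN \
protocol=tcp psd=10,10s,3,1
add action=add-src-to-address-list address-list=TrapAddress \
address-list-timeout=1w chain=input comment=\
"#2 TopFirewallRule - Trap for TCP traffic" connection-nat-state=!dstnat \
dst-port=5000,5001,5060,5061,4569,3389,22,23,389,445 in-interface-list=\
WAN protocol=tcp src-address-list=!NotTrapsIP
# Fix: rule #3 is the UDP counterpart of #2 (its comment says "UDP traffic" and
# the port list includes 53 and 161). The export had protocol=tcp, so UDP probes
# to these ports were never trapped; corrected to protocol=udp.
add action=add-src-to-address-list address-list=TrapAddress \
address-list-timeout=1w chain=input comment=\
"#3 TopFirewallRule - Trap for UDP traffic" connection-nat-state=!dstnat \
dst-port=5000,5001,5060,4569,53,161 in-interface-list=WAN protocol=udp \
src-address-list=!NotTrapsIP
add action=add-src-to-address-list address-list=TrapAddress \
address-list-timeout=1w chain=input comment=\
"#4 TopFirewallRule - Trap for L2TP without IPsec" dst-port=1701 \
in-interface-list=WAN ipsec-policy=in,none protocol=udp
# --- DDoS detection (forward): per-source and per-/24 connection counting on
# dst-nat'ed traffic from WAN; offenders go into DDoS-BlackList for 3h.
# NOTE(review): the nat section of this export contains only a srcnat masquerade
# rule, so connection-nat-state=dstnat matches nothing until dst-nat rules exist.
# DDoS-BlackList is consumed only by input rule 2.0.1 (tarpit); forward traffic
# from listed sources is not dropped anywhere in this ruleset.
add action=add-src-to-address-list address-list=DDoS-BlackList \
address-list-timeout=3h chain=forward comment=\
"#5 TopFirewallRule - DDoS detected from single IP" connection-limit=\
20,32 connection-nat-state=dstnat in-interface-list=WAN
add action=add-src-to-address-list address-list=DDoS-BlackList \
address-list-timeout=3h chain=forward comment=\
"#6 TopFirewallRule - DDoS detected from 24 subnet" connection-limit=\
100,24 connection-nat-state=dstnat in-interface-list=WAN
# --- LAN_guest (0.1.x): fasttrack established/related between LAN_guest and WAN,
# allow DNS to the resolver at x.x.x.x (placeholder from the post) and to the
# router itself, then drop everything that does not leave via WAN.
add action=fasttrack-connection chain=forward comment="0.1.1 - Fasttrack Estab\
lished and Related connections, access only WAN (for LAN_guest)" \
connection-state=established,related in-interface-list=LAN_guest \
log-prefix=LAN_guest out-interface-list=WAN
add action=fasttrack-connection chain=forward comment="0.1.2 - Fasttrack Estab\
lished and Related connections, access only WAN (for LAN_guest)" \
connection-state=established,related in-interface-list=WAN log-prefix=\
LAN_guest out-interface-list=LAN_guest
add action=accept chain=forward comment=\
"0.1.3 - AdGuard DNS (udp), access only WAN (for LAN_guest)" dst-address=\
x.x.x.x dst-port=53 in-interface-list=LAN_guest protocol=udp
add action=accept chain=forward comment=\
"0.1.4 - AdGuard DNS (tcp), access only WAN (for LAN_guest)" dst-address=\
x.x.x.x dst-port=53 in-interface-list=LAN_guest protocol=tcp
# Author's test rule: a plain accept with the same match as 0.1.1, catching the
# established/related packets that fasttrack does not take (compare 1.1.1).
add action=accept chain=forward comment="\? TEST: Fasttrack Established and Re\
lated connections, access only WAN (for LAN_guest)" connection-state=\
established,related in-interface-list=LAN_guest log-prefix=LAN_guest \
out-interface-list=WAN
add action=drop chain=forward comment=\
"0.1.6 - Forward invalid drop, access only WAN (for LAN_guest)" \
connection-state=invalid in-interface-list=LAN_guest
# Guest isolation: anything from LAN_guest not leaving via WAN is dropped here;
# new guest->WAN connections fall through to the end of the forward chain.
add action=drop chain=forward comment=\
"0.1.7 - Forward all drop, access only WAN (for LAN_guest)" \
in-interface-list=LAN_guest out-interface-list=!WAN
# Guest access to the router itself: DNS only (connection-state="" is an empty,
# no-op matcher left by the export), everything else from LAN_guest is dropped.
add action=accept chain=input comment=\
"0.1.8 - Input DNS (udp), access only WAN (for LAN_guest)" \
connection-state="" dst-port=53 in-interface-list=LAN_guest log-prefix=\
DNS protocol=udp
add action=accept chain=input comment=\
"0.1.9 - Input DNS (tcp), access only WAN (for LAN_guest)" \
connection-state="" dst-port=53 in-interface-list=LAN_guest log-prefix=\
DNS protocol=tcp
add action=drop chain=input comment=\
"0.1.10 - Input all drop, access only WAN (for LAN_guest)" \
in-interface-list=LAN_guest
# --- LAN-only hosts (0.2.x): addresses in WithOut-WAN may exchange traffic only
# with Access_to_WithOut-WAN; every other forward from them is dropped.
add action=accept chain=forward comment="0.2.1 - Access list only LAN" \
dst-address-list=Access_to_WithOut-WAN src-address-list=WithOut-WAN
add action=accept chain=forward comment="0.2.2 - Access list only LAN" \
dst-address-list=WithOut-WAN src-address-list=Access_to_WithOut-WAN
add action=drop chain=forward comment="0.2.3 - Access list only LAN" \
src-address-list=WithOut-WAN
# --- LAN_main (1.x): fasttrack to/from WAN, then the generic established/related
# accept and invalid drop for both chains. 1.1.1 and 1.2.1 also cover the guest
# packets that the fasttrack rules above did not handle.
add action=fasttrack-connection chain=forward comment=\
"1.0.1 - Fasttrack Established and Related connections (for LAN_main)" \
connection-state=established,related in-interface-list=LAN_main \
log-prefix=LAN_main out-interface-list=WAN
add action=fasttrack-connection chain=forward comment=\
"1.0.2 - Fasttrack Established and Related connections (for LAN_main)" \
connection-state=established,related in-interface-list=WAN log-prefix=\
LAN_main out-interface-list=LAN_main
add action=accept chain=forward comment=\
"1.1.1 - Forward Established and Related connections" connection-state=\
established,related log-prefix="fwd main"
add action=drop chain=forward comment="1.1.2 - Forward invalid drop" \
connection-state=invalid
add action=accept chain=input comment=\
"1.2.1 - Input Established and Related connections" connection-state=\
established,related
add action=drop chain=input comment="1.2.2 - Input invalid drop" \
connection-state=invalid
# Echo requests from WAN are answered with ICMP network-unreachable rather than
# silently dropped; the reply itself shows that the address is in use.
add action=reject chain=input comment="1.3.1 - Input Ping reject" \
icmp-options=8:0 in-interface-list=WAN protocol=icmp reject-with=\
icmp-network-unreachable
# New inbound connections from WAN that were not dst-nat'ed never reach the LANs.
add action=drop chain=forward comment="1.4.1 - Forward not-dsnat drop" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# --- DDoS-BlackList enforcement (input chain only): tarpit TCP from listed sources.
add action=tarpit chain=input comment="2.0.1 - DDoS Protect" \
connection-limit=3,32 protocol=tcp src-address-list=DDoS-BlackList
# --- SYN flood limiter (3.x): new SYNs jump to SYN-Protect, which returns while
# under limit=200,5:packet and drops the excess.
add action=jump chain=forward comment="3.0.1 - DDoS Protect - SYN Flood" \
connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input comment="3.0.2 - DDoS Protect - SYN Flood" \
connection-state=new in-interface-list=WAN jump-target=SYN-Protect \
protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect comment=\
"3.1.1 - DDoS Protect - SYN Flood" connection-state=new limit=\
200,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="3.2.1 - DDoS Protect - SYN Flood" \
connection-state=new protocol=tcp tcp-flags=syn
# --- WinBox (4.x): reject listed sources; 4.1.1/4.1.2 watch the router's own
# replies (output chain, src-port 8291) for the failed-login text, tolerate a few
# per destination via dst-limit, then blacklist the peer for 1w.
# NOTE(review): 4.2.1 is disabled and 7.0.1 drops remaining WAN input, so WinBox
# is not reachable from WAN in this export and 4.1.x only fire on other paths.
add action=reject chain=input comment="4.0.1 - WinBox-BlackList IP reject" \
dst-port=8291 protocol=tcp reject-with=icmp-network-unreachable \
src-address-list=WinBox-BlackList
add action=accept chain=output comment="4.1.1 - WinBox login 3 try" content=\
"invalid user name or password" dst-limit=1/1m,1,dst-address/10m \
out-interface-list=WAN protocol=tcp src-port=8291
add action=add-dst-to-address-list address-list=WinBox-BlackList \
address-list-timeout=1w chain=output comment=\
"4.1.2 - Put IP in address-list, list=WinBox-BlackList" content=\
"invalid user name or password" out-interface-list=WAN protocol=tcp \
src-port=8291
add action=accept chain=input comment="4.2.1 - WinBox WAN Access" disabled=\
yes dst-port=8291 in-interface-list=WAN protocol=tcp
# --- L2TP/IPsec (5.x): same blacklist pattern keyed on the "M=bad" reply; L2TP
# (udp/1701) is accepted from WAN only with an IPsec policy, IKE (500/4500) is
# accepted from WAN. 5.2.2 overlaps trap #4, which already lists the source.
add action=reject chain=input comment="5.0.1 - L2TP-BlackList IP reject" \
connection-state=new dst-port=1701,500,4500 protocol=udp reject-with=\
icmp-network-unreachable src-address-list=L2TP-BlackList
add action=accept chain=output comment="5.1.1 - L2TP login 3 try" content=\
"M=bad" dst-limit=1/1m,1,dst-address/10m protocol=udp src-port=\
1701,500,4500
add action=add-dst-to-address-list address-list=L2TP-BlackList \
address-list-timeout=1w chain=output comment=\
"5.1.2 - Put IP in address-list, list=L2TP-BlackList" content="M=bad" \
protocol=udp src-port=1701,500,4500
add action=accept chain=input comment="5.2.1 - Accept L2TP only with IPsec" \
dst-port=1701 in-interface-list=WAN ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="5.2.2 - Drop L2TP without IPsec" \
dst-port=1701 in-interface-list=WAN ipsec-policy=in,none protocol=udp
add action=accept chain=input comment="5.2.3 - Accept L2TP" dst-port=500,4500 \
in-interface-list=WAN protocol=udp
# Disabled by the author: accept all input arriving on the L2TP interface list.
add action=accept chain=input comment="\? 6.1 - Access L2TP Tunnel Data" \
disabled=yes in-interface-list=L2TP
# --- Default: drop whatever WAN input is left. There is no final forward drop,
# so unmatched forward traffic (e.g. new LAN->WAN connections) is accepted.
add action=drop chain=input comment="7.0.1 - Drop what not Allowed" \
in-interface-list=WAN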
/ip firewall nat
# Source NAT: masquerade every connection leaving through an interface in the
# WAN list. No dst-nat rules are defined in this export.
add chain=srcnat out-interface-list=WAN action=masquerade
/ip firewall raw
# Raw prerouting handles packets before the filter chains. A source already in
# TrapAddress is re-added with a fresh 1w timeout (the author's "recursive" ban,
# rule 1.0.1) and the packet is then dropped (rule 1.1.1), so a trapped source
# stays listed for as long as it keeps sending.
add chain=prerouting src-address-list=TrapAddress \
    action=add-src-to-address-list address-list=TrapAddress \
    address-list-timeout=1w comment="1.0.1 - Recursive TrapAddress IP"
add chain=prerouting src-address-list=TrapAddress action=drop \
    comment="1.1.1 - Drop TrapAddress IP prerouting"