Скрипт фаервола. (НЕ ПРОВЕРЕНО)

sergey.ermolin

Хочу представить на суд и, по возможности, получить разумную критику и дополнения. Написал в целом общий фаервол MikroTik для домашнего использования, с защитой от перебора паролей VPN.

Старался блокировать в RAW, так как это ближе всего к «входу», что должно разгрузить процессор.

Уточнение: интерфейсы к провайдерам помечены в interface list как

internet

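# SYN cookies protect the router's own TCP stack from SYN floods that get past
# the SYN-Protect chain below.
/ip settings set tcp-syncookies=yes
/ip firewall filter
# NOTE: every rule below keys on the interface list "Internet". The post text names the
# WAN list "internet" (lower case); the name used here must match the configured list
# exactly or none of the WAN-scoped rules match.
# Access Normal Ping: rate-limited ICMP from the WAN; anything above the limit falls
# through to the final "Drop all INPUT" rule.
add action=accept chain=input comment="Access Normal Ping" in-interface-list=Internet limit=50/5s,2:packet protocol=icmp
# Bruteforce Protect
# Addresses that reach "blacklist" are dropped in the RAW table (/ip firewall raw).
# Bruteforce PPTP Protect: a source climbs stage1 -> stage2 -> stage3 -> blacklist on
# repeated new TCP/1723 connections (add-*-to-address-list is non-terminating, so one
# packet can advance several stages in one pass). All stages are scoped to the WAN, like
# the "PPTP allow" rule, so a LAN client that mistypes a password cannot land itself on
# the 7-day blacklist.
add action=add-src-to-address-list address-list=blacklist address-list-timeout=7d chain=input connection-state=new dst-port=1723 in-interface-list=Internet protocol=tcp src-address-list=pptp_blacklist_stage3 comment="Bruteforce PPTP Protect"
add action=add-src-to-address-list address-list=pptp_blacklist_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=1723 in-interface-list=Internet protocol=tcp src-address-list=pptp_blacklist_stage2
# stage2 now requires connection-state=new like the other stages; without it every
# packet of an established PPTP session advanced the counter.
add action=add-src-to-address-list address-list=pptp_blacklist_stage2 address-list-timeout=2h chain=input connection-state=new dst-port=1723 in-interface-list=Internet protocol=tcp src-address-list=pptp_blacklist_stage1
add action=add-src-to-address-list address-list=pptp_blacklist_stage1 address-list-timeout=1d chain=input connection-state=new dst-port=1723 in-interface-list=Internet protocol=tcp
# Bruteforce L2TP Protect: stages the *destination* of router-originated packets whose
# payload contains "M=bad" (presumably the failed-auth reply — confirm on your RouterOS
# version). The content match alone would fire on any packet the router sends, so the
# rules are scoped to out-interface-list=Internet; a LAN/internal destination can then
# never be blacklisted by this chain.
add action=add-dst-to-address-list address-list=blacklist address-list-timeout=7d chain=output content="M=bad" dst-address-list=l2tp_blacklist_stage3 out-interface-list=Internet comment="Bruteforce L2TP Protect"
add action=add-dst-to-address-list address-list=l2tp_blacklist_stage3 address-list-timeout=1m chain=output content="M=bad" dst-address-list=l2tp_blacklist_stage2 out-interface-list=Internet
add action=add-dst-to-address-list address-list=l2tp_blacklist_stage2 address-list-timeout=2h chain=output content="M=bad" dst-address-list=l2tp_blacklist_stage1 out-interface-list=Internet
add action=add-dst-to-address-list address-list=l2tp_blacklist_stage1 address-list-timeout=1d chain=output content="M=bad" out-interface-list=Internet
# DDoS Protect - Connection Limit: a single /32 with more than 200 TCP connections to the
# router is listed for a day and its further connections are tarpitted.
add action=add-src-to-address-list address-list=ddos-blacklist address-list-timeout=1d chain=input comment="DDoS Protect - Connection Limit" connection-limit=200,32 in-interface-list=Internet protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp src-address-list=ddos-blacklist
# DDoS Protect - SYN Flood: new SYNs are sent to SYN-Protect, which returns while under
# the rate limit and drops the excess. The forward jump has no interface scope, so LAN ->
# WAN SYNs are rate-limited by the same rule.
add action=jump chain=forward comment="DDoS Protect - SYN Flood" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=Internet jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
# Protected - Ports Scanners: port-scan detection feeds the same 7-day blacklist.
add action=add-src-to-address-list address-list=blacklist address-list-timeout=7d chain=input in-interface-list=Internet protocol=tcp psd=21,3s,3,1 comment="Protected - Ports Scanners"
# VPN chain INPUT (the ipsec-policy and GRE rules are shipped disabled)
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec disabled=yes
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec disabled=yes
add action=accept chain=input protocol=gre disabled=yes
add action=accept chain=input protocol=tcp dst-port=1723 in-interface-list=Internet comment="PPTP allow"
# Only IKE/NAT-T (udp 500/4500) and ESP are opened; udp/1701 is not, so only L2TP carried
# inside IPsec is expected to work — confirm this matches the VPN server configuration.
add action=accept chain=input dst-port=500,4500 in-interface-list=Internet protocol=udp comment="L2TP allow"
add action=accept chain=input in-interface-list=Internet protocol=ipsec-esp comment="IPSec allow"
# Allow FORWARD and INPUT Established and Related connections.
# These accepts sit below the rate-limit/bruteforce rules, so every packet of an existing
# WAN connection is still evaluated by them. Moving them to the top would save CPU but
# would also exempt established flows from the connection-limit/tarpit rules; the order
# is kept as the author intended.
add action=accept chain=forward comment="Allow FORWARD Established and Related connections" connection-state=established,related in-interface-list=Internet
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Allow INPUT Established and Related connections" connection-state=established,related in-interface-list=Internet
add action=drop chain=input connection-state=invalid
## Drop Access: default deny for everything new from the WAN that is not DSTNATed, and for
## everything else addressed to the router itself on the WAN.
add action=drop chain=forward comment="Drop all in FORWARD from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=Internet
add action=drop chain=input comment="Drop all INPUT" in-interface-list=Internet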
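## RAW Table
## prerouting runs before connection tracking, so these drops are the cheapest place to
## discard unwanted WAN traffic.
/ip firewall raw
# Block blacklist connection: sources staged to "blacklist" by the filter rules.
# Scoped to the WAN list, consistent with the filter rules that feed the list, so a
# mis-staged internal address can never lock a LAN host out of the router.
add action=drop chain=prerouting in-interface-list=Internet src-address-list=blacklist comment="Block blacklist"
# DHCP Drop (shipped disabled). DHCP is UDP 67/68: the original line had a typo
# ("tocol=tcp") and matched a bare interface named "ISP" instead of the list used
# everywhere else. Enabling it also drops DHCP-client replies (udp/68) arriving on the
# WAN, so keep it disabled on a WAN that obtains its address via DHCP.
add action=drop chain=prerouting dst-port=67,68 in-interface-list=Internet protocol=udp comment="DHCP Drop" disabled=yes
# DNS Flood Drop: inbound queries to udp/53 from the WAN (prevents acting as an open
# resolver; replies to the router's own queries use src-port 53 and are unaffected).
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet protocol=udp comment="DNS Flood Drop"
# Drop Worms and flood: per-port drops inherited from the original author. Everything
# new from the WAN is already dropped by the final input/forward filter rules, so these
# only matter for DSTNATed ports and otherwise just save connection-tracking work.
add action=drop chain=prerouting dst-port=69,111,2049,12346,20034,3133 in-interface-list=Internet protocol=tcp
add action=drop chain=prerouting dst-port=69,111,2049,3133 in-interface-list=Internet protocol=udp
add action=drop chain=prerouting comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Blaster Worm" dst-port=445 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Blaster Worm" dst-port=445 protocol=udp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Messenger Worm" dst-port=135-139 protocol=udp in-interface-list=Internet
add action=drop chain=prerouting comment=Conficker dst-port=593 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment=Worm dst-port=1024-1030 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="ndm requester" dst-port=1363 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="ndm server" dst-port=1364 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="screen cast" dst-port=1368 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment=hromgrafx dst-port=1373 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop MyDoom" dst-port=1080 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment=cichlid dst-port=1377 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment=Worm dst-port=1433-1434 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Dumaru.Y" dst-port=2283 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Beagle" dst-port=2535 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Beagle.C-K" dst-port=2745 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop MyDoom" dst-port=3127-3128 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Backdoor OptixPro" dst-port=3410 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Sasser" dst-port=5554 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment=Worm dst-port=4444 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment=Worm dst-port=4444 protocol=udp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Beagle.B" dst-port=8866 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Dabber.A-B" dst-port=9898 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Dumaru.Y" dst-port=10000 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop MyDoom.B" dst-port=10080 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop NetBus" dst-port=12345 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop Kuang2" dst-port=17300 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop SubSeven" dst-port=27374 protocol=tcp in-interface-list=Internet
add action=drop chain=prerouting comment="Drop PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp in-interface-list=Internet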

