/ip firewall address-list
# Named subnets used by the NAT/filter rules in this configuration.
# Private and Guest are matched by the srcnat rules, OpenVPN by the
# "OpenVPN -> LAN" srcnat rule.  "VPN - PPTP" is not referenced by any rule
# in this listing (the PPTP srcnat rule matches 192.168.89.0/24 literally).
add list=Private address=192.168.1.0/24
add list=Guest address=192.168.3.0/24
add list=OpenVPN address=192.168.4.0/24
add list="VPN - PPTP" address=192.168.89.0/24
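/ip firewall filter
# ---------------------------------------------------------------------------
# input: traffic addressed to the router itself.  Rules are evaluated
# top-down; the first terminating match wins.  Changes from the original:
#   * udp 500/4500 and GRE were each listed more than once - merged.
#   * ssh_blacklist was only dropped in forward; it is now dropped on input too.
#   * the chain had no final drop, so every router service (winbox, www, ssh,
#     api, ...) was reachable from WAN.  A default deny for WAN is added at the
#     end, behind an accept for established/related traffic so replies to the
#     router's own connections keep working.
# ---------------------------------------------------------------------------
# ICMP from any interface, unlimited (as in the original; add limit= if the
# router is exposed).
add action=accept chain=input comment=ICMP protocol=icmp
# NOTE(review): this matches dst-address only, so it also accepts packets for
# 192.168.1.1 that arrive on ether1.  The stock defconf uses
# dst-address=127.0.0.1; confirm CAPsMAN here really needs the LAN address
# from every interface (in-interface=lo or in-interface-list=LAN would narrow it).
add action=accept chain=input comment="Accept to local loopback (for CAPsMAN)" \
    dst-address=192.168.1.1
# VPN server ports and protocols.  action=accept is the RouterOS default when
# action is omitted; it is written out on every rule so the intent is visible.
add action=accept chain=input comment="Permit all PPP" in-interface=all-ppp
add action=accept chain=input comment="Permit PPTP" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Permit GRE" protocol=gre
add action=accept chain=input comment="Permit IKE and IPsec NAT-T" \
    dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Permit L2TP" dst-port=1701 protocol=udp
add action=accept chain=input comment="Permit IPsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="Permit OpenVPN" dst-port=1194 protocol=tcp
# NOTE(review): tcp/443 reaches whatever is bound to 443 on the router, not
# only SSTP - check that /ip service www-ssl is disabled or moved if it is not
# meant to be reachable from WAN.
add action=accept chain=input comment="Permit SSTP" dst-port=443 protocol=tcp
add action=accept chain=input comment="Permit IPIP" protocol=ipip
# Kept from the original.  The tcp/1723 accept above already accepts the PPTP
# control connection in every state, so it is unclear what this still matches
# (possibly the reply direction when the router is itself a PPTP client) -
# confirm it is intended before relying on it.  connection-type=pptp needs the
# pptp helper under /ip firewall service-port to stay enabled.
add action=drop chain=input comment="PPTP + Established - Drop" \
    connection-state=invalid,established connection-type=pptp \
    in-interface=ether1 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
# FIX: the original only dropped ssh_blacklist in the forward chain, so a
# blacklisted source could still reach the router's own SSH.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
# SSH brute-force staging (stock MikroTik pattern): each new tcp/22 connection
# moves the source one stage up (1-minute windows); the 4th within the window
# puts it in ssh_blacklist for 1w3d (10 days).  The order stage3 -> stage2 ->
# stage1 matters: a single packet must not walk a source through every stage
# at once.  There is no in-interface match, so LAN hosts are staged as well.
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
# FIX: default deny for the router.  Replies to connections the router started
# (DNS, NTP, updates, VPN client sessions) are accepted first; every other
# packet arriving on an interface in the WAN list is dropped.  The WAN
# interface list is the same one the NAT section already uses.  Any service
# that must be reachable from WAN (e.g. tcp/22 if the staging above is meant
# for WAN attackers, or management from a fixed source address) needs an
# explicit accept ABOVE this point.
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop everything else from WAN" \
    in-interface-list=WAN
# ---------------------------------------------------------------------------
# forward: traffic routed through the router.
# ---------------------------------------------------------------------------
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
# FIX: the original state list also contained "new", which accepted every new
# forwarded connection here - including unsolicited ones from WAN - and left
# the "drop all from WAN not DSTNATed" rule below unreachable.  New
# LAN-originated connections are still forwarded: nothing below drops them and
# the chain's default action is accept.
add action=accept chain=forward comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="Permit all PPP" in-interface=all-ppp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Reachable now that "new" is no longer accepted unconditionally above.  Note
# this rule names ether1 directly while the NAT rules and the input default
# deny use the WAN interface list; keep the two in sync if WAN ever changes.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
# ---------------------------------------------------------------------------
# output: FTP brute-force guard (stock MikroTik pattern).  A burst of 10
# "530 Login incorrect" replies, then one per minute, per destination are
# accepted here; anything beyond that falls through to the next rule, which
# blacklists the destination for 3h (enforced by the tcp/21 input drop above).
# ---------------------------------------------------------------------------
add action=accept chain=output comment="Accept output - TCP" \
    content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp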
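/ip firewall nat
# Source NAT.  masquerade is a terminating action, so the first matching rule
# decides.
# FIX: the original had three rules with the identical match
# "out-interface=ether1 out-interface-list=WAN" - the first one (no source
# restriction) matched every packet leaving on ether1, so the Private- and
# Guest-specific copies behind it could never match and are removed here.
# Behaviour is unchanged: everything leaving via ether1/WAN is masqueraded.
add action=masquerade chain=srcnat comment="Masquerade - WAN (ether1)" \
    out-interface=ether1 out-interface-list=WAN
# NOTE(review): no out-interface match here, so PPTP clients
# (192.168.89.0/24) are masqueraded toward every destination, including the
# LAN - LAN hosts and their logs see the router's address instead of the
# client's.  Scope it (e.g. out-interface-list=WAN) if per-client attribution
# on the LAN matters.
add action=masquerade chain=srcnat comment="masq. vpn traffic" \
    src-address=192.168.89.0/24
# Same attribution caveat for OpenVPN clients reaching the LAN: the source
# seen by 192.168.1.0/24 hosts is the router, not the VPN client.
add action=masquerade chain=srcnat comment="OpenVPN -> LAN" \
    dst-address=192.168.1.0/24 src-address-list=OpenVPN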
/ip firewall service-port
# Connection-tracking helpers (ALGs) that are not needed are switched off.
# A helper inspects payload and opens "related" pinholes on its own, so every
# disabled helper is less attack surface.  The pptp helper is not in this list
# and stays enabled; the filter rule matching connection-type=pptp depends on
# it.
# Transport-level helpers.
set sctp disabled=yes
set dccp disabled=yes
set udplite disabled=yes
# Application-level helpers.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set h323 disabled=yes