Настроил микротик RG951, правильно ли? Нужен свежий взгляд!

avolon

Привет
Настроил MT rb951, соединил с офисом по GRE + IPsec
Нужен свежий взгляд на мои правила: может, что-то не доглядел или неправильно сделал! ((
Это мой первый настроенный МТ!!
МТ как кэширующий DNS
 ip export
# sep/03/2018 09:18:48 by RouterOS 6.42.7
# software id = G4T4-MWS1
#
# model = 951G-2HnD
# serial number = 469902F9596A
# NOTE(review): this export contains the device serial number, both public
# addresses and both IPsec pre-shared keys in clear. Redact them before
# sharing an export, and rotate the keys now that they have been posted.
/ip firewall layer7-protocol
# Pattern used by the forward-chain "social" rules. Layer7 inspects packet
# payload, so it can only see these host names where they travel in clear
# (e.g. an HTTP Host header); NOTE(review): confirm it still triggers for
# HTTPS sessions. The dots are unescaped and match any character.
add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|odnoklasniki|facebo\
ok|ok.ru|my.mail.ru|love.mail.ru).*\$"
/ip ipsec policy group
# Policy template groups: group1_Avolon_l2tp is attached to the road-warrior
# peer, GRE to the site-to-site peer (see /ip ipsec peer).
add name=group1_Avolon_l2tp
add name=GRE
/ip ipsec proposal
# Default phase-2 proposal still offers 3des (64-bit block cipher, legacy);
# remove it once every peer can negotiate one of the AES entries.
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,3des
/ip pool
# Presumably the pool handed to L2TP clients (the PPP profile that uses it
# is outside a /ip export). Same 10.10.10.x space as the GRE /30, but the
# ranges do not overlap.
add name=ubo_l2tp ranges=10.10.10.100-10.10.10.254
/ip address
# LAN side of the router.
add address=192.168.0.6/24 interface=bridge1 network=192.168.0.0
# Two uplinks. The firewall below refers to an interface list named WAN;
# that list is defined outside this /ip export and must contain both ISP1
# and ISP2, otherwise the "from WAN" drops do not cover one of the links.
add address=94.181.180.137/24 interface=ISP1 network=94.181.180.0
add address=85.237.57.68/24 interface=ISP2 network=85.237.57.0
# Inner address of the GRE tunnel to the remote office; the far end is
# 10.10.10.2 (see /ip ipsec peer and /ip route).
add address=10.10.10.1/30 interface=gre-tunnel-kur2 network=10.10.10.0
/ip dhcp-relay
# Relays DHCP to 192.168.0.99. No interface= appears in the export;
# NOTE(review): confirm the relay is actually bound to bridge1.
add dhcp-server=192.168.0.99 disabled=no name=relay1
/ip dns
# Caching resolver for the LAN. allow-remote-requests=yes answers queries
# that arrive on ANY interface; the only thing keeping this from being an
# open resolver is the input chain (UDP/53 drop at its top, and the final
# drop of everything from the WAN list, which also covers TCP/53). Keep
# those rules and the WAN interface list in sync with the uplinks.
set allow-remote-requests=yes cache-max-ttl=1d servers=\
109.194.128.3,80.95.37.230,5.3.3.3,80.95.37.231,8.8.8.8,1.1.1.1
/ip firewall address-list
# Soc_list: DNS-name entries are resolved by the router and cover only the
# addresses that resolution returns, so other addresses of these sites
# (CDN front ends, IPv6, etc.) are not matched. Used by the forward-chain
# reject rule.
add address=vk.com list=Soc_list
add address=ok.ru list=Soc_list
add address=facebook.com list=Soc_list
add address=love.mail.ru list=Soc_list
add address=loveplanet.ru list=Soc_list
add address=youtube.ru list=Soc_list
add address=youtube.com list=Soc_list
add address=twitter.com list=Soc_list
add address=odnoklassniki.ru list=Soc_list
add address=my.mail.ru list=Soc_list
# Referenced only by disabled forward rules at the moment.
add address=192.168.0.199 list=USER_SOC_ALLOW
# BOGONS is defined but no filter, NAT or mangle rule in this export uses
# it. Either attach it (e.g. drop input/forward from the WAN list with
# src-address-list=BOGONS) or remove the dead list so it is not mistaken
# for active protection.
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
# Sources allowed to reach the camera web UI through the VIDEO_HIWATCH
# dst-nat rule.
add address=mail.mag-rf.ru list=Video_web_in
add address=94.181.180.88 list=Video_web_in
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
# Rules are evaluated top to bottom. The accept for established,related and
# the drop for invalid are only reached after all the VPN rules below, so
# every packet of every flow is matched against them first. The usual
# layout puts those two rules at the very top of the chain.
#
# Keeps Internet hosts from using the resolver (/ip dns
# allow-remote-requests=yes). UDP only; TCP/53 is caught by the final WAN
# drop at the bottom.
add action=drop chain=input comment=DNS dst-port=53 in-interface-list=WAN \
protocol=udp
# PPTP control port accepted from ANY interface, every hit logged. A PPTP
# server is not part of a /ip export, so its use cannot be confirmed here;
# if the service is not needed, disable this rule (PPTP/MS-CHAPv2 is
# considered broken).
add action=accept chain=input comment=PPTP dst-port=1723 log=yes log-prefix=\
PPP_A protocol=tcp
# GRE accepted from any source on any interface. The IPsec policy further
# down protects only the LAN-to-LAN payload inside the tunnel, so the GRE
# endpoint itself is reachable from the whole Internet. Restrict it, e.g.
# add src-address=<remote-office public IP> in-interface-list=WAN.
add action=accept chain=input protocol=gre
add action=accept chain=input disabled=yes dst-port=1701,500,4500 \
in-interface-list=WAN protocol=udp src-address=85.237.62.65
# Bypass for the brute-force staging below: the comment says "Block" but the
# action is accept. Nothing in this export populates l2tp_success
# (NOTE(review): maybe a PPP script outside /ip does).
add action=accept chain=input comment="Block l2tp brute forcer" dst-port=\
1701,500,4500 protocol=udp src-address-list=l2tp_success tcp-flags=""
add action=drop chain=input connection-state="" dst-port=1701,500,4500 log=\
yes log-prefix="--==DROP L2TP brute forcer==--" protocol=udp \
src-address-list=l2tp_blacklist tcp-flags=""
# Staging: every NEW UDP flow to 500/4500/1701 moves the source up one
# stage (stage entries live 1m); the sixth flow inside that window lands in
# l2tp_blacklist for 3d. A single legitimate connection attempt already
# opens up to three flows (IKE 500, NAT-T 4500, L2TP 1701), so a client
# that retries a couple of times within a minute can blacklist itself --
# verify against real client behaviour before relying on this.
add action=add-src-to-address-list address-list=l2tp_blacklist \
address-list-timeout=3d chain=input connection-state=new dst-port=\
1701,500,4500 protocol=udp src-address-list=l2tp_stage5 tcp-flags=""
add action=add-src-to-address-list address-list=l2tp_stage5 \
address-list-timeout=1m chain=input connection-state=new dst-port=\
1701,500,4500 protocol=udp src-address-list=l2tp_stage4 tcp-flags=""
add action=add-src-to-address-list address-list=l2tp_stage4 \
address-list-timeout=1m chain=input connection-state=new dst-port=\
1701,500,4500 protocol=udp src-address-list=l2tp_stage3 tcp-flags=""
add action=add-src-to-address-list address-list=l2tp_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=\
1701,500,4500 protocol=udp src-address-list=l2tp_stage2 tcp-flags=""
add action=add-src-to-address-list address-list=l2tp_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=\
1701,500,4500 protocol=udp src-address-list=l2tp_stage1 tcp-flags=""
add action=add-src-to-address-list address-list=l2tp_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=\
1701,500,4500 protocol=udp tcp-flags=""
# Final accept for the L2TP/IPsec ports, from any interface.
add action=accept chain=input comment="Allow L2TP" dst-port=1701,500,4500 \
protocol=udp
add action=accept chain=input comment=L2tp/ipsec disabled=yes port=\
1701,500,4500 protocol=udp
# Disabled: road-warrior clients that are NOT behind NAT send plain ESP
# (protocol 50) rather than UDP/4500; with this off, the final WAN drop
# rejects them. Enable it if such clients are expected.
add action=accept chain=input disabled=yes protocol=ipsec-esp
add action=passthrough chain=forward disabled=yes protocol=l2tp
add action=passthrough chain=forward disabled=yes protocol=ipsec-ah
add action=accept chain=input comment=Established_RELATED_Wan_Accept \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=Allow_limited_pings in-interface-list=\
WAN limit=50/5s,2:packet protocol=icmp
# /ip service www is disabled, so WAN connections to port 80 are tarpitted.
# The VIDEO_HIWATCH dst-nat rewrites its port-80 traffic before the filter
# runs, so that traffic goes to the forward chain and is not affected.
add action=tarpit chain=input comment=KNOCK dst-port=80 in-interface-list=WAN \
protocol=tcp
# Port knocking: 12343 -> 12344 -> 12345 (each step valid for 20s) puts the
# source in white_list for 30m20s, which then unlocks winbox (8291) below.
# The chain name carries a trailing space; every reference here includes
# it, so it works, but it is easy to lose when rules are re-typed.
add action=jump chain=input in-interface-list=WAN jump-target=\
"KnockKnockKnock "
add action=add-src-to-address-list address-list=white_list1 \
address-list-timeout=20s chain="KnockKnockKnock " connection-state=new \
dst-port=12343 log=yes log-prefix=KNOCK-1 protocol=tcp
add action=add-src-to-address-list address-list=white_list2 \
address-list-timeout=20s chain="KnockKnockKnock " connection-state=new \
dst-port=12344 log=yes log-prefix=KNOCK-2 protocol=tcp src-address-list=\
white_list1
add action=add-src-to-address-list address-list=white_list \
address-list-timeout=30m20s chain="KnockKnockKnock " connection-state=new \
dst-port=12345 log=yes log-prefix=white_list protocol=tcp \
src-address-list=white_list2
# Winbox only from knocked sources. No interface restriction, so LAN hosts
# must knock as well.
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
white_list
add action=return chain="KnockKnockKnock "
# BUG: action=add-DST-to-address-list on an input-chain packet records the
# packet's destination, i.e. the router's own address, while the drop below
# matches src-address-list. The offending source is therefore never listed
# and the drop never fires against it. Change to
# action=add-src-to-address-list.
add action=add-dst-to-address-list address-list=connection-limit \
address-list-timeout=3w3d chain=input comment=Connection_limit \
connection-limit=200,32 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment=Adr_list_connection-limit_drop \
in-interface-list=WAN src-address-list=connection-limit
# Any WAN connection to these ports bans the source for 3w3d1h30m. Port 23
# is listed twice; port 80 never reaches this rule (the tarpit above is
# terminating); 8291 from a knocked source was already accepted above.
add action=add-src-to-address-list address-list=perebor_portov_drop \
address-list-timeout=3w3d1h30m chain=input comment=\
Perebor_portov_add_list dst-port=22,5060,3389,23,8291,23,80,8080 \
in-interface-list=WAN log=yes log-prefix=Attack protocol=tcp
add action=add-src-to-address-list address-list=perebor_portov_drop \
address-list-timeout=3w3d1h30m chain=input disabled=yes dst-port=\
22,5060,3389,23,8291,23,80,8080 in-interface=ISP2 log=yes log-prefix=\
Attack protocol=tcp
add action=drop chain=input comment=Perebor_portov_list_drop \
in-interface-list=WAN src-address-list=perebor_portov_drop
# blocked-addr is not populated by anything in this export.
add action=tarpit chain=input connection-limit=3,32 protocol=tcp \
src-address-list=blocked-addr
# Port-scan detection. The drop precedes the add rules, so the first
# matching packet is only recorded and later ones are dropped. The drop has
# no interface restriction; the detection rules are WAN-only.
add action=drop chain=input comment=Port_scanner_drop src-address-list=\
"port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp \
psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp \
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# ---- forward chain: traffic through the router ----
# Records LAN hosts that touch social sites in user_soc_list (dynamic entry,
# no timeout). No rule acts on that list. Running layer7 over all TCP from
# bridge1 is CPU-heavy on a 951, and NOTE(review): RouterOS advises that a
# layer7 rule see both directions of a connection; this one sees only
# client -> server.
add action=add-src-to-address-list address-list=user_soc_list \
address-list-timeout=none-dynamic chain=forward comment=BLOCK_SOC_LIST \
in-interface=bridge1 layer7-protocol=social protocol=tcp
# Likely wrong matcher: traffic coming in on bridge1 has LAN source
# addresses, so src-address-list=Soc_list can only match if a LAN host is
# in Soc_list. dst-address-list=Soc_list was presumably intended.
add action=add-src-to-address-list address-list=user_soc_list \
address-list-timeout=none-dynamic chain=forward in-interface=bridge1 \
protocol=tcp src-address-list=Soc_list
# Disabled per-user exceptions; the two layer7 variants are identical.
add action=accept chain=forward disabled=yes dst-address-list=USER_SOC_ALLOW \
protocol=tcp src-address-list=Soc_list
add action=accept chain=forward disabled=yes dst-address-list=USER_SOC_ALLOW \
layer7-protocol=social protocol=tcp
add action=accept chain=forward disabled=yes dst-address-list=USER_SOC_ALLOW \
layer7-protocol=social protocol=tcp
# This is the rule that actually blocks social sites: it sits BEFORE the
# established,related accept, so it catches the return packets from
# Soc_list addresses to the LAN and resets them. Applies to every LAN host
# while the USER_SOC_ALLOW exceptions are disabled.
add action=reject chain=forward dst-address=192.168.0.0/24 protocol=tcp \
reject-with=tcp-reset src-address-list=Soc_list
add action=reject chain=forward disabled=yes dst-address=192.168.0.0/24 \
layer7-protocol=social protocol=tcp reject-with=tcp-reset
add action=reject chain=forward disabled=yes layer7-protocol=social log=yes \
log-prefix=BLSOC_ protocol=tcp reject-with=tcp-reset
# RDP published by the dst-nat rule (8222 -> 192.168.0.8:3389). The forward
# chain runs after dst-nat and so sees port 3389; 8222 in these lists is
# harmless. Staging (1m per step) bans a source for only 5m after four new
# connections, and the accept at the end of this group exposes RDP to every
# Internet address. Prefer limiting the source, e.g. reuse the port-knock
# list (src-address-list=white_list) or require the VPN, and raise the ban
# to something like the 3d used for L2TP.
add action=drop chain=forward comment=Drop_nestandart_port_nat_black_list \
dst-port=3389,8222 in-interface-list=WAN protocol=tcp src-address-list=\
black_list
# Comment says winbox, but this matches the RDP ports on the router itself.
add action=drop chain=input comment=Drop_winbox_black_list dst-port=3389,8222 \
in-interface-list=WAN protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=5m chain=forward comment=\
nestandart_port_nat__add_black_list connection-state=new dst-port=\
3389,8222 in-interface-list=WAN protocol=tcp src-address-list=\
nestandart_port_nat_stage3
add action=add-src-to-address-list address-list=nestandart_port_nat_stage3 \
address-list-timeout=1m chain=forward comment=\
_nestandart_port_nat__stage3 connection-state=new dst-port=3389,8222 \
in-interface-list=WAN protocol=tcp src-address-list=\
nestandart_port_nat_stage2
add action=add-src-to-address-list address-list=nestandart_port_nat_stage2 \
address-list-timeout=1m chain=forward comment=nestandart_port_nat__stage2 \
connection-state=new dst-port=3389,8222 in-interface-list=WAN protocol=\
tcp src-address-list=nestandart_port_nat_stage1
add action=add-src-to-address-list address-list=nestandart_port_nat_stage1 \
address-list-timeout=1m chain=forward comment=nestandart_port_nat__stage1 \
connection-state=new dst-port=3389,8222 in-interface-list=WAN protocol=\
tcp
add action=accept chain=forward comment=Accept__nestandart_port_nat dst-port=\
3389,8222 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=FORWARD connection-state=\
established,related
add action=drop chain=forward connection-state=invalid
# The forward chain has no final drop: new connections from the WAN list
# that were not dst-nat'ed, and anything arriving over the GRE tunnel, fall
# through to the chain's default accept. The RouterOS default configuration
# closes the WAN side with
#   add action=drop chain=forward connection-nat-state=!dstnat \
#       connection-state=new in-interface-list=WAN
# and the unused BOGONS list could be dropped here as well.
#
# Everything else addressed to the router from the WAN list is dropped.
add action=drop chain=input comment=Drop_all_WAN in-interface-list=WAN
/ip firewall mangle
# Dual-WAN symmetry: replies to a connection that entered on one ISP leave
# through the same ISP. The input/output pair handles connections owned by
# the router, the forward/prerouting pair handles LAN connections (replies
# are only marked when they come from bridge1).
add action=mark-connection chain=input in-interface=ISP1 new-connection-mark=\
ISP1-conn passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1-conn \
new-routing-mark=ISP1-route passthrough=no
add action=mark-connection chain=input in-interface=ISP2 new-connection-mark=\
ISP2-conn passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2-conn \
new-routing-mark=ISP2-route passthrough=no
add action=mark-connection chain=forward in-interface=ISP1 \
new-connection-mark=ISP1-conn-f passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP1-conn-f \
in-interface=bridge1 new-routing-mark=ISP1-route
add action=mark-connection chain=forward in-interface=ISP2 \
new-connection-mark=ISP2-conn-f passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2-conn-f \
in-interface=bridge1 new-routing-mark=ISP2-route
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Transparent DNS: every packet to port 53 is redirected to the router's
# resolver, on ALL interfaces -- including the GRE tunnel and the ISP
# interfaces (those end up in the input chain and are dropped there). If
# only LAN clients should be intercepted, add in-interface=bridge1.
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=redirect chain=dstnat dst-port=53 protocol=tcp
# RDP to 192.168.0.8 published on 8222 to the entire WAN; the only
# protection is the forward-chain staging (5m ban after four new
# connections within a minute). Restrict the source, e.g. with the
# port-knock white_list or by requiring the VPN.
add action=dst-nat chain=dstnat comment=RDP dst-port=8222 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.0.8 to-ports=3389
# Camera web UI, reachable only from the Video_web_in addresses.
add action=dst-nat chain=dstnat comment=VIDEO_HIWATCH dst-port=80 \
in-interface-list=WAN protocol=tcp src-address-list=Video_web_in \
to-addresses=192.168.0.134 to-ports=80
/ip ipsec peer
# Road-warrior peer (any address, responder only) for the L2TP clients.
# dh-group=modp1024 and 3des are legacy-weak choices; prefer modp2048 or
# stronger and drop 3des once the clients allow it. NOTE(review):
# exchange-mode=ike2 -- the built-in Windows/macOS L2TP/IPsec clients
# negotiate IKEv1 main mode; confirm the intended clients actually connect.
# The pre-shared key is printed in clear in this export and has been shared;
# rotate it.
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des \
exchange-mode=ike2 generate-policy=port-override passive=yes \
policy-template-group=group1_Avolon_l2tp secret="Olya4#\$#"
# Site-to-site peer on the GRE inner address. secret=12345678 is a trivially
# guessable PSK, and because the filter accepts GRE from any source the
# carrier is not a private link -- this PSK is all that protects the SA.
# Replace it with a long random value (and rotate now; it is public).
add address=10.10.10.2/32 dh-group=modp1024 enc-algorithm=aes-128 \
nat-traversal=no policy-template-group=GRE secret=12345678 \
send-initial-contact=no
/ip ipsec policy
# Tunnel-mode SA between the GRE inner addresses: only traffic between
# 192.168.0.0/24 and 192.168.87.0/24 is encrypted, and since 10.10.10.2 is
# reached via gre-tunnel-kur2 the ESP packets ride inside the GRE tunnel
# (IPsec-in-GRE, not GRE-in-IPsec). The GRE header and any other traffic
# crossing the tunnel stay in clear.
add comment=KUR2 dst-address=192.168.87.0/24 sa-dst-address=10.10.10.2 \
sa-src-address=10.10.10.1 src-address=192.168.0.0/24 tunnel=yes
/ip route
# Per-ISP routing tables selected by the mangle routing marks.
add distance=1 gateway=94.181.180.254 routing-mark=ISP1-route
add distance=1 gateway=85.237.57.1 routing-mark=ISP2-route
# Main-table default routes using the recursive-gateway failover pattern:
# distance 1 via 8.8.4.4 (pinned to ISP2 below), distance 2 via 8.8.8.8
# (pinned to ISP1). Note that this makes ISP2 the primary uplink. The plain
# ISP1 default is disabled.
add check-gateway=ping distance=1 gateway=8.8.4.4
add check-gateway=ping distance=2 gateway=8.8.8.8
add disabled=yes distance=1 gateway=94.181.180.254
# Host routes that pin each probe address to one ISP; scope=10 lets the
# recursive routes above resolve through them.
add distance=1 dst-address=8.8.4.4/32 gateway=85.237.57.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=94.181.180.254 scope=10
# NOTE(review): purpose unclear -- a host route to a LAN address via another
# LAN host; confirm it is still needed.
add distance=1 dst-address=192.168.0.9/32 gateway=192.168.0.2
# Remote-office LAN through the GRE tunnel, sourced from the local LAN
# address so router-originated traffic also matches the IPsec policy.
add distance=1 dst-address=192.168.87.0/24 gateway=10.10.10.2 pref-src=\
192.168.0.6
/ip service
# Only services whose state was changed are exported. telnet, winbox and
# www-ssl keep their defaults, and telnet is enabled by default -- check
# /ip service print and disable telnet too. An address= restriction on
# winbox would back up the port-knock rule in the filter.
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# Only the dummy-rule display flag is changed; UPnP itself appears to keep
# its default (disabled) -- confirm with /ip upnp print.
set show-dummy-rule=no


