Код: Выделить всё
@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; Accept from outside all packets with connection status "Established" and "Related"
chain=input action=accept connection-state=established,related log=no log-prefix=""
2 ;;; Accept packets if the IP address from which they are accessing is in the "allowed_to_router" list
chain=input action=accept src-address-list=allowed_to_router log=no log-prefix=""
3 ;;; This command allows receiving and processing ICMP packets from outside
chain=input action=accept protocol=icmp log=no log-prefix=""
4 ;;; Discard all remaining packets that do not match the rules above
chain=input action=drop log=no log-prefix=""
5 ;;; FastTrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix=""
6 ;;; Processing established connections in the Forward chain
chain=forward action=accept connection-state=established,related log=no log-prefix=""
7 ;;; Drop invalid
chain=forward action=drop connection-state=invalid log=yes log-prefix="invalid"
8 ;;; Drop tries to reach not public addresses from LAN
chain=forward action=drop dst-address-list=not_in_internet in-interface=bridge1 out-interface=!bridge1 log=yes log-prefix="!public_from_LAN"
9 ;;; Drop incoming packets that are not NAT
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=yes log-prefix="!NAT"
10 ;;; Drop incoming from internet which is not public IP
chain=forward action=drop src-address-list=not_in_internet in-interface=ether1 log=yes log-prefix="!public"
11 ;;; Drop packets from LAN that do not have LAN IP
chain=forward action=drop src-address=!192.168.88.0/24 in-interface=bridge1 log=yes log-prefix="LAN_!LAN"
12 ;;; Drop SSH brutforce
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""
13 ;;; Stage1
chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no
log-prefix=""
14 ;;; Stage2
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2
address-list-timeout=1m dst-port=22 log=no log-prefix=""
15 ;;; Stage3
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3
address-list-timeout=1m dst-port=22 log=no log-prefix=""
16 ;;; ssh blacklist
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22 log=no log-prefix=""