
Firewall


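# RouterOS firewall export, part 1: connection tracking and the forward/virus
# filter rules. The extraction wrapped lines mid-token ("src -mac-address",
# "connecti on-state", "dst-port=1 35-139"); those splits are rejoined here so
# each command is one loadable line. Rule order, enable/disable state and every
# address/MAC value are unchanged from the export.
/ip firewall connection tracking
# NOTE(review): tcp-syncookie=no leaves SYN-flood protection off; 1d established
# timeout is the stock value.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=no
# IP<->MAC binding for the 10.10.10.0/28 LAN: a host's IP arriving from a
# different MAC is dropped, and (for a subset of hosts) its MAC using a
# different IP is dropped.
# NOTE(review): every binding rule is disabled=yes, so none of this is enforced.
# The all-zero MAC entries (.6, .7, .12) look like unfilled placeholders -- confirm
# before enabling, and note that .4, .5 and .11 have no reverse (MAC->IP) rule.
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.2 src-mac-address=!00:11:95:22:99:73
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.3 src-mac-address=!00:25:22:9B:2E:AD
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.4 src-mac-address=!00:E0:4C:36:27:F6
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.5 src-mac-address=!00:0C:F1:A2:CF:20
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.6 src-mac-address=!00:00:00:00:00:00
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.7 src-mac-address=!00:00:00:00:00:00
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.8 src-mac-address=!00:E0:4C:36:16:D8
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.9 src-mac-address=!00:1A:92:E0:D5:6C
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.10 src-mac-address=!00:24:8C:87:93:56
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.11 src-mac-address=!00:27:0E:05:9F:31
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.12 src-mac-address=!00:00:00:00:00:00
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.13 src-mac-address=!00:25:22:6F:BB:0D
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.14 src-mac-address=!00:27:0E:05:8F:F9
add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.15 src-mac-address=!00:27:0E:05:9F:E5
add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.2 src-mac-address=00:11:95:22:99:73
add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.3 src-mac-address=00:25:22:9B:2E:AD
add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.8 src-mac-address=00:E0:4C:36:16:D8
add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.9 src-mac-address=00:1A:92:E0:D5:6C
add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.10 src-mac-address=00:24:8C:87:93:56
add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.13 src-mac-address=00:25:22:6F:BB:0D
add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.14 src-mac-address=00:27:0E:05:8F:F9
add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.15 src-mac-address=00:27:0E:05:9F:E5
# Stateful fast path for the forward chain.
add action=accept chain=forward comment="allow established connections" connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
# First rule of the "virus" chain (reached via the jump in the forward chain).
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
# The remaining "virus" chain rules were extracted as two interleaved columns:
# the action/port-suffix/protocol fragments first, then the comment/dst-port
# fragments. They cannot be reassembled reliably from this page and are kept
# verbatim (commented out) below. Re-export "/ip firewall filter" from the
# router before loading this section; as written, the virus chain holds only
# the single rule above.
# add action=drop chain=virus -139 protocol=tcp add action=drop chain=virus =tcp add action=drop chain=virus protocol=tcp add action=drop chain=virus protocol=udp add action=drop chain=virus cp add action=drop chain=virus ocol=tcp add action=drop chain=virus ocol=tcp add action=drop chain=virus tcp add action=drop chain=virus otocol=tcp add action=drop chain=virus col=tcp add action=drop chain=virus ocol=tcp add action=drop chain=virus =tcp add action=drop chain=virus cp add action=drop chain=virus ocol=tcp add action=drop chain=virus otocol=tcp add action=drop chain=virus ocol=tcp add action=drop chain=virus protocol=tcp add action=drop chain=virus ocol=tcp add action=drop chain=virus t=3410 protocol=tcp add action=drop chain=virus add action=drop chain=virus add action=drop chain=virus ocol=tcp add action=drop chain=virus otocol=tcp add action=drop chain=virus protocol=tcp add action=drop chain=virus a juga sering digunakan utk protocol=tcp add action=drop chain=virus rotocol=tcp add action=drop chain=virus tocol=tcp add action=drop chain=virus tocol=tcp add action=drop chain=virus rotocol=tcp add action=drop chain=virus st-port=65506 protocol=tcp
# comment="Drop Blaster Worm" disabled=no dst-port=135 comment=Worm disabled=no dst-port=1433-1434 protocol comment="Drop Blaster Worm" disabled=no dst-port=445 comment="Drop Blaster Worm" disabled=no dst-port=445 comment=________ disabled=no dst-port=593 protocol=t comment=________ disabled=no dst-port=1024-1030 prot comment="Drop MyDoom" disabled=no dst-port=1080 prot comment=________ disabled=no dst-port=1214 protocol= comment="ndm requester" disabled=no dst-port=1363 pr comment="ndm server" disabled=no dst-port=1364 proto comment="screen cast" disabled=no dst-port=1368 prot comment=hromgrafx disabled=no dst-port=1373 protocol comment=cichlid disabled=no dst-port=1377 protocol=t comment="Bagle Virus" disabled=no dst-port=2745 prot comment="Drop Dumaru.Y" disabled=no dst-port=2283 pr comment="Drop Beagle" disabled=no dst-port=2535 prot comment="Drop Beagle.C-K" disabled=no dst-port=2745 comment="Drop MyDoom" disabled=no dst-port=3127 prot comment="Drop Backdoor OptixPro" disabled=no dst-por comment=Worm disabled=no dst-port=4444 protocol=tcp comment=Worm disabled=no dst-port=4444 protocol=udp comment="Drop Sasser" disabled=no dst-port=5554 prot comment="Drop Beagle.B" disabled=no dst-port=8866 pr comment="Drop Dabber.A-B" disabled=no dst-port=9898 comment="Drop Dumaru.Y, sebaiknya di didisable karen vpn atau webmin" disabled=yes dst-port=10000 \ comment="Drop MyDoom.B" disabled=no dst-port=10080 p comment="Drop NetBus" disabled=no dst-port=12345 pro comment="Drop Kuang2" disabled=no dst-port=17300 pro comment="Drop SubSeven" disabled=no dst-port=27374 p comment="Drop PhatBot, Agobot, Gaobot" disabled=no d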

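# RouterOS firewall export, part 2: continuation of "/ip firewall filter"
# (forward-chain jump, then the input chain), followed by mangle, nat and
# service-port. Mid-token line wraps from the extraction ("jump -target",
# "connectio n-state", "limit=50 /5s,2", "192.168.2 .0/25") are rejoined; rule
# order, enable/disable state and all values are unchanged.
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
# NOTE(review): nothing after the jump drops forwarded traffic, so a packet the
# virus chain does not match is not dropped by this rule set.
# --- input chain (traffic addressed to the router itself) ---
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
# NOTE(review): accepts every UDP datagram to the router from any source, ahead
# of the address-list-restricted rules below; scope it (dst-port / in-interface /
# src-address-list) to the UDP services the router actually exposes.
add action=accept chain=input comment=UDP disabled=no protocol=udp
# ICMP rate limit: 50 per 5s with burst 2, excess dropped.
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
# Management access restricted to the admin1 / admin2 address lists.
# NOTE(review): FTP (21) and Telnet (23) carry credentials in cleartext; SSH and
# winbox below cover the same need.
add action=accept chain=input comment="FTP 1" disabled=no dst-port=21 protocol=tcp src-address-list=admin1
add action=accept chain=input comment="FTP 2" disabled=no dst-port=21 protocol=tcp src-address-list=admin2
add action=accept chain=input comment="SSH for secure shell 1" disabled=no dst-port=22 protocol=tcp src-address-list=admin1
add action=accept chain=input comment="SSH for secure shell 2" disabled=no dst-port=22 protocol=tcp src-address-list=admin2
add action=accept chain=input comment="Telnet 1" disabled=no dst-port=23 protocol=tcp src-address-list=admin1
add action=accept chain=input comment="Telnet 2" disabled=no dst-port=23 protocol=tcp src-address-list=admin2
add action=accept chain=input comment="Web 1" disabled=no dst-port=80 protocol=tcp src-address-list=admin1
add action=accept chain=input comment="Web 2" disabled=no dst-port=80 protocol=tcp src-address-list=admin2
add action=accept chain=input comment="winbox 1" disabled=no dst-port=8291 protocol=tcp src-address-list=admin1
add action=accept chain=input comment="winbox 2" disabled=no dst-port=8291 protocol=tcp src-address-list=admin2
# PPTP control port open from any source (no src-address-list). PPTP is a weak
# VPN protocol; prefer a modern one if remote access is still needed.
add action=accept chain=input comment=pptp-server disabled=no dst-port=1723 protocol=tcp
# "komp 1/2" accept everything from the admin lists with no port restriction,
# which makes the per-port admin rules above redundant for those sources.
add action=accept chain=input comment="komp 1" disabled=no src-address-list=admin1
add action=accept chain=input comment="komp 2" disabled=no src-address-list=admin2
add action=log chain=input comment="Log everything else" disabled=no log-prefix="DROP INPUT"
# NOTE(review): the terminal drop is disabled=yes, so unmatched input traffic is
# logged with the "DROP INPUT" prefix but is not dropped by this chain. The log
# prefix suggests it was meant as the default-deny -- enable it once the UDP and
# PPTP exposure above is scoped.
add action=drop chain=input comment="Drop everything else" disabled=yes
/ip firewall mangle
# Packet/connection marks for proxy-hit accounting and per-segment up/down
# traffic on 192.168.2.0/25 (interface "Wireles", name as in the export) and
# 10.10.10.0/28 (interface "Lokal"); upstream is "Modem 3.1".
add action=mark-packet chain=output comment="" disabled=no dscp=4 new-packet-mark=proxy-hit out-interface=Wireles passthrough=no
add action=mark-packet chain=output comment="" disabled=no dscp=4 new-packet-mark=proxy-hit-lan out-interface=Lokal passthrough=no
add action=mark-packet chain=prerouting comment="" disabled=no in-interface=Wireles new-packet-mark=test-up passthrough=no src-address=192.168.2.0/25
add action=mark-packet chain=prerouting comment="" disabled=no in-interface=Lokal new-packet-mark=test-up-lan passthrough=no src-address=10.10.10.0/28
add action=mark-connection chain=forward comment="" disabled=no new-connection-mark=test-con passthrough=yes src-address=192.168.2.0/25
add action=mark-connection chain=forward comment="" disabled=no new-connection-mark=test-con-lan passthrough=yes src-address=10.10.10.0/28
add action=mark-packet chain=forward comment="" connection-mark=test-con disabled=no in-interface="Modem 3.1" new-packet-mark=test-down passthrough=no src-address=192.168.2.0/25
add action=mark-packet chain=forward comment="" connection-mark=test-con-lan disabled=no in-interface="Modem 3.1" new-packet-mark=test-down-lan passthrough=no src-address=10.10.10.0/28
add action=mark-packet chain=output comment="" disabled=no dst-address=192.168.2.0/25 new-packet-mark=test-down out-interface=Wireles passthrough=no
add action=mark-packet chain=output comment="" disabled=no dst-address=10.10.10.0/28 new-packet-mark=test-down-lan out-interface=Lokal passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# Active NAT: masquerade everything leaving "Modem 3.1", and transparently
# redirect port-80 traffic from both LAN segments to the local proxy on 3128.
# All other NAT rules (HTTPS/3128/8080 redirects, per-segment masquerades,
# dst-nat to 192.168.20.2) are disabled=yes and kept as exported.
add action=masquerade chain=srcnat comment="" disabled=no out-interface="Modem 3.1" src-address=0.0.0.0/0
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp src-address=192.168.2.0/25 to-ports=3128
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp src-address=10.10.10.0/28 to-ports=3128
add action=masquerade chain=srcnat comment="" disabled=yes out-interface=Proxy src-address=192.168.20.0/24
add action=redirect chain=dstnat comment="" disabled=yes in-interface=Lokal protocol=udp src-address=10.10.10.0/28 to-ports=3128
add action=redirect chain=dstnat comment="" disabled=yes dst-port=80 protocol=tcp src-address=192.168.2.0/25 to-ports=3128
add action=masquerade chain=srcnat comment="" disabled=yes out-interface="Modem 3.1" src-address=192.168.2.0/25
add action=masquerade chain=srcnat comment="" disabled=yes out-interface="Modem 3.1" src-address=10.10.10.0/28
add action=redirect chain=dstnat comment="" disabled=yes dst-port=443 in-interface=Wireles protocol=tcp src-address=192.168.2.0/25 to-ports=3128
add action=redirect chain=dstnat comment="" disabled=yes dst-port=443 in-interface=Lokal protocol=tcp src-address=10.10.10.0/28 to-ports=3128
add action=masquerade chain=srcnat comment="" disabled=yes src-address=192.168.10.0/24
add action=redirect chain=dstnat comment="" disabled=yes dst-port=3128 in-interface=Wireles protocol=tcp src-address=192.168.2.0/25 to-ports=3128
add action=redirect chain=dstnat comment="" disabled=yes dst-port=8080 in-interface=Wireles protocol=tcp src-address=192.168.2.0/25 to-ports=3128
add action=masquerade chain=srcnat comment="" disabled=yes src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="" disabled=yes src-address=192.168.2.0/25
add action=masquerade chain=srcnat comment="" disabled=yes src-address=192.168.20.0/24
add action=dst-nat chain=dstnat comment="" disabled=yes in-interface=Lokal protocol=tcp src-address=10.10.10.0/28 src-port=80 to-addresses=192.168.20.2 to-ports=3128
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=80 in-interface=Lokal protocol=tcp src-address=10.10.10.0/28 to-addresses=192.168.20.2 to-ports=3128
/ip firewall service-port
# NOTE(review): all six connection-tracking helpers are enabled. A helper lets
# the tracker open "related" pinholes that the accept-related rules above admit,
# so disable the helpers for protocols this router does not carry (likely at
# least tftp, irc and h323 -- confirm against actual use).
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no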
