Firewall один из вариантов


# Interface lists referenced by the filter rules below: "Internet" marks the
# WAN-facing interface(s); "ovpn" is declared here but no rule in this file
# references it. Membership (/interface list member) is not part of this file.
/interface list
add name=Internet
add name=ovpn

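/ip firewall filter
# Input: accept new L2TP/IPsec flows (UDP 1701, 500, 4500) arriving from the
# Internet list and log each one. The original line carried both disabled=yes and
# disabled=no; only the final value is kept so the rule state is unambiguous.
# NOTE(review): this rule sits before section 1.7 (the staged UDP brute-force
# lists for the same ports), so while it is enabled 1.7 never sees a new
# L2TP/IPsec connection; keep exactly one of the two accept paths active on purpose.
add action=accept chain=input comment=l2tp connection-state=new disabled=no dst-port=1701,500,4500 in-interface-list=Internet log=yes protocol=udp
# Refuse UDP DNS queries arriving from the Internet so the router's resolver does not
# answer outside clients. Only UDP is matched here; TCP/53 from the Internet is not
# accepted by any later rule and ends at the final drop in 1.10.
add action=drop chain=input dst-port=53 in-interface-list=Internet protocol=udp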

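# 1.1. Forward and Input: fast-path established/related traffic, drop invalid.
# In the original file the forward drop-invalid rule was concatenated onto the end of
# the accept line ("... connection-state=established,related add action=drop ..."),
# which RouterOS does not parse as two rules; they are split here.
add action=accept chain=forward comment="1.1. Forward and Input Established and Related connections" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
# Forward: a new connection arriving from the Internet list is only allowed when a
# dst-nat rule has already mapped it (port forward); everything else is dropped.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=Internet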

# 1.2. DDoS Protect - Connection Limit: an Internet source (/32) whose TCP connection
# count crosses the connection-limit threshold (100) is put on ddos-blacklist for one
# week. Listed sources are then tarpitted rather than dropped once they exceed 3
# connections per /32, so the initiator is held instead of told to retry; with fewer
# connections in flight the packet continues down the chain. The tarpit rule has no
# in-interface-list, so it applies on every interface.
add action=add-src-to-address-list address-list=ddos-blacklist address-list-timeout=1w chain=input comment="1.2. DDoS Protect - Connection Limit" connection-limit=100,32 in-interface-list=Internet protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp src-address-list=ddos-blacklist

# 1.3. DDoS Protect - SYN Flood: new TCP SYNs are diverted to the SYN-Protect chain.
# The forward jump has no in-interface-list, so SYNs from every interface (LAN included)
# share the same limit; the input jump is restricted to the Internet list.
add action=jump chain=forward comment="1.3. DDoS Protect - SYN Flood" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=Internet jump-target=SYN-Protect protocol=tcp tcp-flags=syn
# SYN-Protect: up to 200 SYN packets per second (burst 5) are returned to the calling
# chain; everything above that rate is dropped.
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn

# 1.4. Protected - Port Scanners: sources already on the "Port Scanners" list are
# dropped outright; Internet sources whose TCP probing crosses the psd threshold
# (weight 21 within 3s, low ports weighted 3, high ports 1) are listed for one week.
# Order matters: the drop sits before the detector so a listed host never reaches it.
add action=drop chain=input comment="1.4. Protected - Ports Scanners" src-address-list="Port Scanners"
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=1w chain=input in-interface-list=Internet protocol=tcp psd=21,3s,3,1

# 1.5. Protected tcp - BruteForce (the section numbering jumps from 1.5 to 1.7).
# Staged detection for new TCP connections from the Internet to 8291 (Winbox), 21 (FTP)
# and 445 (SMB): each new connection promotes the source one stage (1 -> 2 -> 3, one
# minute each); a further one within the window lands on "Black List BruteForce" for a
# week, logged with prefix "BLACK BruteForce". Already-blacklisted sources are dropped
# first. Stages are listed 3 -> 2 -> 1 so a single packet advances only one stage per
# pass (this relies on add-src-to-address-list not terminating the rule walk - verify
# on your RouterOS version).
# The final accept exposes these three router services to every Internet source that
# has not tripped the stages; consider restricting them to known source addresses.
add action=drop chain=input comment="1.5. Protected tcp - BruteForce" src-address-list="Black List BruteForce"
add action=add-src-to-address-list address-list="Black List BruteForce" address-list-timeout=1w chain=input connection-state=new dst-port=8291,21,445 in-interface-list=Internet log=yes log-prefix="BLACK BruteForce" protocol=tcp src-address-list="BruteForce Stage 3"
add action=add-src-to-address-list address-list="BruteForce Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=8291,21,445 in-interface-list=Internet protocol=tcp src-address-list="BruteForce Stage 2"
add action=add-src-to-address-list address-list="BruteForce Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=8291,21,445 in-interface-list=Internet protocol=tcp src-address-list="BruteForce Stage 1"
add action=add-src-to-address-list address-list="BruteForce Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=8291,21,445 in-interface-list=Internet protocol=tcp
add action=accept chain=input dst-port=8291,21,445 in-interface-list=Internet protocol=tcp

# 1.7. Protected udp - BruteForce: same staged scheme as 1.5, for new UDP flows from
# the Internet to 1701/500/4500 (L2TP/IPsec), sharing the same stage and black lists.
# NOTE(review): the "l2tp" accept rule near the top of the input chain matches these
# flows first, so this section is not reached while that rule is enabled.
# NOTE(review): a legitimate L2TP/IPsec client may open UDP 500, 4500 and 1701 as
# separate flows within a minute, which alone can walk it through all three stages;
# confirm the stage timeouts against real client behaviour before relying on this.
add action=drop chain=input comment="1.7. Protected udp - BruteForce" src-address-list="Black List BruteForce"
add action=add-src-to-address-list address-list="Black List BruteForce" address-list-timeout=1w chain=input connection-state=new dst-port=1701,500,4500 in-interface-list=Internet log=yes log-prefix="BLACK BruteForce" protocol=udp src-address-list="BruteForce Stage 3"
add action=add-src-to-address-list address-list="BruteForce Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=1701,500,4500 in-interface-list=Internet protocol=udp src-address-list="BruteForce Stage 2"
add action=add-src-to-address-list address-list="BruteForce Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=1701,500,4500 in-interface-list=Internet protocol=udp src-address-list="BruteForce Stage 1"
add action=add-src-to-address-list address-list="BruteForce Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=1701,500,4500 in-interface-list=Internet protocol=udp
add action=accept chain=input dst-port=1701,500,4500 in-interface-list=Internet protocol=udp

# 1.8. Protected - OpenVPN Connections (TCP 1194).
# Sources on ovpn_success are accepted first; nothing in this file populates that list
# (presumably an external script does - confirm). This rule has no in-interface-list, so
# it applies on every interface, and tcp-flags="" is an empty match spec that appears to
# be a no-op - drop the parameter if it was not intentional.
# Then: blacklisted sources are dropped, the three-stage scheme from 1.5 is applied with
# its own "OpenVPN Stage N" lists and a one-week "Black List OpenVPN", and remaining
# Internet sources are accepted on 1194.
add action=accept chain=input comment="1.8. Protected - OpenVPN Connections" dst-port=1194 protocol=tcp src-address-list=ovpn_success tcp-flags=""
add action=drop chain=input src-address-list="Black List OpenVPN"
add action=add-src-to-address-list address-list="Black List OpenVPN" address-list-timeout=1w chain=input connection-state=new dst-port=1194 in-interface-list=Internet log=yes log-prefix="BLACK OVPN" protocol=tcp src-address-list="OpenVPN Stage 3"
add action=add-src-to-address-list address-list="OpenVPN Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=1194 in-interface-list=Internet protocol=tcp src-address-list="OpenVPN Stage 2"
add action=add-src-to-address-list address-list="OpenVPN Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=1194 in-interface-list=Internet protocol=tcp src-address-list="OpenVPN Stage 1"
add action=add-src-to-address-list address-list="OpenVPN Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=1194 in-interface-list=Internet protocol=tcp
add action=accept chain=input dst-port=1194 in-interface-list=Internet protocol=tcp

# 1.9. Access Normal Ping: accept from the Internet the ICMP types a router needs -
# 0:0 echo reply, 8:0 echo request, 11:0 TTL exceeded (traceroute), 3:3 port
# unreachable, 3:4 fragmentation needed (path MTU). Any other ICMP type is accepted
# only at 2 packets/s with burst 2. Note the echo-request accept carries no limit; if
# ping floods are a concern, add a limit= to the 8:0 rule as well.
add action=accept chain=input comment="1.9. Access Normal Ping" icmp-options=0:0 in-interface-list=Internet protocol=icmp
add action=accept chain=input icmp-options=8:0 in-interface-list=Internet protocol=icmp
add action=accept chain=input icmp-options=11:0 in-interface-list=Internet protocol=icmp
add action=accept chain=input icmp-options=3:3 in-interface-list=Internet protocol=icmp
add action=accept chain=input icmp-options=3:4 in-interface-list=Internet protocol=icmp
add action=accept chain=input in-interface-list=Internet limit=2,2:packet protocol=icmp

# 1.10. Drop All Other: terminal rule for input traffic that arrived from the Internet
# list. Input from any other interface (including members of the unused ovpn list) is
# not matched here and falls through to the chain's default accept.
add action=drop chain=input comment="1.10. Drop All Other" in-interface-list=Internet