Firewall — один из вариантов

# Interface lists that the firewall rules below refer to by name.
# Only the list objects are created here; membership (/interface list member)
# is not part of this listing, so in-interface-list=Internet matches nothing
# until an interface is actually added to the list.
# Of the three lists, only "Internet" is referenced by the rules below;
# "Local" and "VPN" are defined but unused in this listing.
/interface list add name=Internet
/interface list add name=Local
/interface list add name=VPN

# 1. Connection-tracking fast path for both chains: packets of already-tracked
#    connections are accepted first, packets that tracking cannot attribute to
#    any connection are dropped. Rule order matters — these rules are hit by
#    most traffic and must stay at the top of each chain.
/ip firewall filter add action=accept chain=forward comment="1. Forward and Input Established and Related connections" connection-state=established,related
/ip firewall filter add action=drop chain=forward connection-state=invalid
/ip firewall filter add action=accept chain=input connection-state=established,related
/ip firewall filter add action=drop chain=input connection-state=invalid
# New connections arriving from the Internet list are only allowed through the
# router if a dst-nat rule has rewritten them (port forwarding); everything else
# new from the Internet is dropped in forward.
# NOTE(review): the forward chain has no final drop in this listing, so new
# connections that do not match this rule (e.g. originating on the inside) fall
# through to the chain's default accept — confirm that is the intended policy.
/ip firewall filter add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=Internet

# 2. Per-source connection-count protection for the router itself (input chain).
#    A source with more than 100 TCP connections (counted per /32) from the
#    Internet list is added to "ddos-blacklist" for one day.
#    add-src-to-address-list does not terminate rule processing; the packet
#    continues down the input chain after being listed.
/ip firewall filter add action=add-src-to-address-list address-list=ddos-blacklist address-list-timeout=1d chain=input comment="2. DDoS Protect - Connection Limit" connection-limit=100,32 in-interface-list=Internet protocol=tcp
# Blacklisted sources that still hold more than 3 connections are tarpitted
# (the router answers the SYN but keeps the connection open without data),
# which is cheaper for the router than tracking a full connection per attempt.
# NOTE(review): this tarpit is not restricted by in-interface-list; it only
# triggers for addresses already listed above, which are Internet-sourced.
/ip firewall filter add action=tarpit chain=input connection-limit=3,32 protocol=tcp src-address-list=ddos-blacklist

# 3. SYN flood limiter. New TCP connections with the SYN flag set are sent to
#    the custom chain SYN-Protect from both forward and input.
#    The forward jump carries no in-interface-list, so SYNs originating on the
#    inside are rate-limited as well; the input jump applies to Internet only.
/ip firewall filter add action=jump chain=forward comment="3. DDoS Protect - SYN Flood" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
/ip firewall filter add action=jump chain=input connection-state=new in-interface-list=Internet jump-target=SYN-Protect protocol=tcp tcp-flags=syn
# Inside SYN-Protect: while the rate stays within 200 packets/s (burst 5) the
# packet returns to the calling chain; anything above that is dropped.
# NOTE(review): `limit` is a single token bucket shared by every matching
# packet, not a per-source limit — one host exceeding 200 SYN/s causes new
# connections from all other hosts to be dropped too. A per-address limiter
# (dst-limit keyed on src address) would confine the effect to the offender;
# verify the desired behaviour before changing it.
/ip firewall filter add action=return chain=SYN-Protect connection-state=new limit=200,5:packet protocol=tcp tcp-flags=syn
/ip firewall filter add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn

# 4. Port-scan detection. The drop rule comes first so that a source already
#    listed as a scanner is dropped before any later accept rule can match.
/ip firewall filter add action=drop chain=input comment="4. Protected - Ports Scanners" src-address-list="Port Scanners"
# psd=21,3s,3,1 → weight threshold 21, within a 3 s window, low (privileged)
# ports weigh 3 and high ports weigh 1. A source reaching the threshold is added
# to "Port Scanners" as a dynamic entry with no timeout, i.e. it stays listed
# until removed by hand or the router reboots.
# NOTE(review): with no timeout and no exception list, a single mis-detected
# legitimate source (e.g. an administrator probing several services quickly)
# stays blocked from reaching the router until an operator clears the entry.
/ip firewall filter add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input in-interface-list=Internet protocol=tcp psd=21,3s,3,1

# 5. WinBox (TCP/8291) brute-force limiter, a three-stage staircase.
#    Rules are evaluated top-down and add-src-to-address-list does not stop
#    processing, so a single packet can be counted in one stage and then still
#    reach the final accept rule. Reading the rules bottom-up gives the flow:
#      1st new connection within a minute  → source enters "Winbox Stage 1"
#      2nd (source already in Stage 1)     → "Winbox Stage 2"
#      3rd (already in Stage 2)            → "Winbox Stage 3"
#      4th (already in Stage 3)            → "Black List Winbox", logged
#    From then on the first rule drops the source before anything else matches.
# The blacklist entry has no timeout (dynamic, until reboot or manual removal)
# and there is no exception list ahead of the drop, so a legitimate
# administrator who reconnects four times within a minute is locked out too.
/ip firewall filter add action=drop chain=input comment="5. Protected - WinBox Access" src-address-list="Black List Winbox"
/ip firewall filter add action=add-src-to-address-list address-list="Black List Winbox" address-list-timeout=none-dynamic chain=input connection-state=new dst-port=8291 in-interface-list=Internet log=yes log-prefix="BLACK WINBOX" protocol=tcp src-address-list="Winbox Stage 3"
/ip firewall filter add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=Internet protocol=tcp src-address-list="Winbox Stage 2"
/ip firewall filter add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=Internet protocol=tcp src-address-list="Winbox Stage 1"
/ip firewall filter add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=Internet protocol=tcp
# WinBox stays reachable from the Internet list for any source that has not
# been blacklisted. The staircase only slows guessing; it does not reduce the
# exposure of the management service itself.
# NOTE(review): restricting this accept to a trusted-admin address list, or
# reaching WinBox only over the (currently unused) VPN interface list, removes
# the Internet exposure entirely — confirm the operational requirement first.
/ip firewall filter add action=accept chain=input dst-port=8291 in-interface-list=Internet protocol=tcp

# 6. Management access: anything to the router from 10.4.22.0/24 is accepted.
#    This rule is the only non-ICMP, non-WinBox accept for new input in this
#    listing, so it is effectively the "trusted network" rule.
# NOTE(review): the match is on source address only, with no in-interface-list.
# If 10.4.22.0/24 is the LAN behind "Local", adding `in-interface-list=Local`
# would stop packets with a forged 10.4.22.x source arriving on the Internet
# interface from reaching the router's services; if it is a routed or VPN
# subnet that can legitimately arrive on several interfaces, leave it as is.
# NOTE(review): the first letter of "Сonnection" in the comment string appears
# to be a Cyrillic letter rather than a Latin C; it is harmless for rule
# matching but will defeat text searches for "Connection".
/ip firewall filter add action=accept chain=input comment="6. Сonnection allowed" src-address=10.4.22.0/24

# 7. ICMP to the router from the Internet list. icmp-options is type:code:
#      0:0  echo reply
#      8:0  echo request (ping)
#      11:0 time exceeded in transit (needed for traceroute)
#      3:3  destination unreachable / port unreachable
#      3:4  destination unreachable / fragmentation needed (path-MTU discovery)
#    These five are accepted without a rate limit; any other ICMP type is
#    accepted only within 2 packets/s (burst 2), so the rest is dropped by the
#    final input rule further down.
# NOTE(review): echo requests from the Internet are accepted unlimited here;
# the rate limit on the last rule only covers the "other" ICMP types. If ping
# floods against the router are a concern, a limit on the 8:0 rule would be the
# place for it.
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=0:0 in-interface-list=Internet comment="7. Access Normal Ping"
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=8:0 in-interface-list=Internet
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=11:0 in-interface-list=Internet
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=3:3 in-interface-list=Internet
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=3:4 in-interface-list=Internet
/ip firewall filter add chain=input action=accept protocol=icmp limit=2,2:packet in-interface-list=Internet

# 8. Default-deny for the router itself: every packet to the input chain that
#    none of the rules above accepted is dropped. This applies to all
#    interfaces, not only the Internet list — in this listing, new connections
#    to the router from any other interface are only let in by rule 6
#    (10.4.22.0/24) or by the ICMP rules, which are limited to the Internet list.
# NOTE(review): that means hosts on "Local"/"VPN" outside 10.4.22.0/24 cannot
# even ping the router; confirm this is intentional.
/ip firewall filter add action=drop chain=input comment="8. Drop All Other"

# Raw table (prerouting, before connection tracking): NetBIOS traffic
# (UDP 137–139) arriving from the Internet list is discarded outright, so it
# never consumes a connection-tracking entry or reaches the filter rules.
/ip firewall raw add action=drop chain=prerouting dst-port=137,138,139 in-interface-list=Internet protocol=udp

# MSS clamping in both directions for forwarded TCP connections.
# Only SYN packets that advertise an MSS of 1300 or more are touched; their MSS
# is rewritten to the path MTU so that flows through a smaller-MTU link (e.g. a
# tunnel on the Internet side) do not stall on fragmentation.
# passthrough=no: a packet matching here leaves the mangle chain immediately.
# The first rule covers traffic entering from the Internet list, the second
# traffic leaving towards it.
/ip firewall mangle add action=change-mss chain=forward in-interface-list=Internet new-mss=clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1300-65535
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=Internet passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1300-65535

