WereDoku

User Tools

Site Tools

Trace: nas_howto
mikrotik

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
mikrotik [2021/02/04 22:57]
ww [IPv6 firewall stub] 		mikrotik [2022/03/16 09:52] (current)
ww
Line 85: Line 85:
 /ip route add gateway=ether2-wan2 routing-mark=routing_mark_guests </code> Note: Gateway can also be a PPPoE connection (in case of DSL).  /ip route add gateway=ether2-wan2 routing-mark=routing_mark_guests </code> Note: Gateway can also be a PPPoE connection (in case of DSL). 
   - Set up masquerade for the second wan interface (assuming that masquerade was set up only for the ''ether1-wan1'').   - Set up masquerade for the second wan interface (assuming that masquerade was set up only for the ''ether1-wan1'').
 +
 +----
 +
 +===== IPv4 firewall stub =====
 +  /ip firewall filter
 +    add chain=forward  connection-state=established,related              action=fasttrack-connection  comment="Fasttrack"
 +    add chain=forward  connection-state=established,related,untracked    action=accept                comment="Allow ESTABLISHED, RELATED, UNTRACKED (FORWARD)"
 +    add chain=forward  connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (FORWARD)"
 +    add chain=forward  connection-nat-state=!dstnat  \
 +                       connection-state=new \
 +                       in-interface-list=WAN                             action=drop disabled=yes     comment="Drop all from WAN not DST-NATted (FORWARD)" 
 +    add chain=input    connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (INPUT)"
 +    add chain=input    connection-state=established,related,untracked    action=accept                comment="Allow ESTABLISHED, RELATED, UNTRACKED (INPUT)"
 +    add chain=input    protocol=icmp                                     action=accept                comment="Allow ICMP (INPUT)"
 +    add chain=input    in-interface-list=!LAN                            action=drop disabled=yes     comment="Drop all not coming from LAN (INPUT)"
  
 ---- ----
Line 90: Line 105:
 ===== IPv6 firewall stub ===== ===== IPv6 firewall stub =====
   /ipv6 firewall filter   /ipv6 firewall filter
-  add chain=forward connection-state=established                action=accept comment="Allow ESTABLISHED (FORWARD)" +  add chain=forward connection-state=established                action=accept             comment="Allow ESTABLISHED (FORWARD)" 
-  add chain=forward connection-state=related                    action=accept comment="Allow RELATED (FORWARD)" +  add chain=forward connection-state=related                    action=accept             comment="Allow RELATED (FORWARD)" 
-  add chain=forward in-interface-list=WAN protocol=icmpv6       action=accept comment="Allow ICMPv6 (FORWARD)" +  add chain=forward in-interface-list=WAN protocol=icmpv6       action=accept             comment="Allow ICMPv6 (FORWARD)" 
-  add chain=forward in-interface-list=WAN                       action=drop   comment="Drop everything else (FORWARD)" +  add chain=forward in-interface-list=WAN                       action=drop disabled=yes  comment="Drop everything else (FORWARD)" 
-  add chain=input   connection-state=established                action=accept comment="Allow ESTABLISHED (INPUT)" +  add chain=input   connection-state=established                action=accept             comment="Allow ESTABLISHED (INPUT)" 
-  add chain=input   connection-state=related                    action=accept comment="Allow RELATED (INPUT)" +  add chain=input   connection-state=related                    action=accept             comment="Allow RELATED (INPUT)" 
-  add chain=input   in-interface-list=WAN protocol=icmpv6       action=accept comment="Allow ICMPv6 (INPUT)" +  add chain=input   in-interface-list=WAN protocol=icmpv6       action=accept             comment="Allow ICMPv6 (INPUT)" 
-  add chain=input   in-interface-list=WAN protocol=udp port=546 action=accept comment="Allow DHCPv6 (INPUT)" +  add chain=input   in-interface-list=WAN protocol=udp port=546 action=accept             comment="Allow DHCPv6 (INPUT)" 
-  add chain=input   in-interface-list=WAN                       action=drop   comment="Drop everything else (INPUT)"+  add chain=input   in-interface-list=WAN                       action=drop disabled=yes  comment="Drop everything else (INPUT)"
  
 ---- ----
Line 180: Line 195:
   * Nevýhoda: Google DNS NEbude dostupné přes GW2.   * Nevýhoda: Google DNS NEbude dostupné přes GW2.
   * [[https://www.prinmath.com/ham/mikrotik-failover.htm|Zdroj]]   * [[https://www.prinmath.com/ham/mikrotik-failover.htm|Zdroj]]
 +
 +----
 +
 +===== Ban list =====
 +<code>
 +/ ip firewall filter 
 +add chain=input in-interface=ether1-wan protocol=tcp dst-port=22 \
 +    connection-state=new connection-limit=5/1m;1:packet \
 +    action=add-src-to-address-list address-list=ssh_logins \
 +    address-list-timeout=12h comment="" disabled=no 
 +add chain=input protocol=tcp dst-port=22 src-address-list=!ssh_logins \
 +    action=accept comment="" disabled=no 
 +</code>
mikrotik.1612475859.txt.gz · Last modified: 2022/03/16 09:38 (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki