mikrotik [2021/03/13 15:29]
ww
mikrotik [2022/03/16 09:52] (current)
ww
Line 94: Line 94:
     add chain=forward  connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (FORWARD)"     add chain=forward  connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (FORWARD)"
     add chain=forward  connection-nat-state=!dstnat  \     add chain=forward  connection-nat-state=!dstnat  \
-                   connection-state=new \ +                       connection-state=new \ 
-    in-interface-list=WAN                             action=drop disabled=yes     comment="Drop all from WAN not DST-NATted (FORWARD)" +                       in-interface-list=WAN                             action=drop disabled=yes     comment="Drop all from WAN not DST-NATted (FORWARD)" 
     add chain=input    connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (INPUT)"     add chain=input    connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (INPUT)"
     add chain=input    connection-state=established,related,untracked    action=accept                comment="Allow ESTABLISHED, RELATED, UNTRACKED (INPUT)"     add chain=input    connection-state=established,related,untracked    action=accept                comment="Allow ESTABLISHED, RELATED, UNTRACKED (INPUT)"
Line 105: Line 105:
 ===== IPv6 firewall stub ===== ===== IPv6 firewall stub =====
   /ipv6 firewall filter   /ipv6 firewall filter
-  add chain=forward connection-state=established                action=accept comment="Allow ESTABLISHED (FORWARD)" +  add chain=forward connection-state=established                action=accept             comment="Allow ESTABLISHED (FORWARD)" 
-  add chain=forward connection-state=related                    action=accept comment="Allow RELATED (FORWARD)" +  add chain=forward connection-state=related                    action=accept             comment="Allow RELATED (FORWARD)" 
-  add chain=forward in-interface-list=WAN protocol=icmpv6       action=accept comment="Allow ICMPv6 (FORWARD)" +  add chain=forward in-interface-list=WAN protocol=icmpv6       action=accept             comment="Allow ICMPv6 (FORWARD)" 
-  add chain=forward in-interface-list=WAN                       action=drop   comment="Drop everything else (FORWARD)" +  add chain=forward in-interface-list=WAN                       action=drop disabled=yes  comment="Drop everything else (FORWARD)" 
-  add chain=input   connection-state=established                action=accept comment="Allow ESTABLISHED (INPUT)" +  add chain=input   connection-state=established                action=accept             comment="Allow ESTABLISHED (INPUT)" 
-  add chain=input   connection-state=related                    action=accept comment="Allow RELATED (INPUT)" +  add chain=input   connection-state=related                    action=accept             comment="Allow RELATED (INPUT)" 
-  add chain=input   in-interface-list=WAN protocol=icmpv6       action=accept comment="Allow ICMPv6 (INPUT)" +  add chain=input   in-interface-list=WAN protocol=icmpv6       action=accept             comment="Allow ICMPv6 (INPUT)" 
-  add chain=input   in-interface-list=WAN protocol=udp port=546 action=accept comment="Allow DHCPv6 (INPUT)" +  add chain=input   in-interface-list=WAN protocol=udp port=546 action=accept             comment="Allow DHCPv6 (INPUT)" 
-  add chain=input   in-interface-list=WAN                       action=drop   comment="Drop everything else (INPUT)"+  add chain=input   in-interface-list=WAN                       action=drop disabled=yes  comment="Drop everything else (INPUT)"
  
 ---- ----
Line 195: Line 195:
   * Nevýhoda: Google DNS NEbude dostupné přes GW2.   * Nevýhoda: Google DNS NEbude dostupné přes GW2.
   * [[https://www.prinmath.com/ham/mikrotik-failover.htm|Zdroj]]   * [[https://www.prinmath.com/ham/mikrotik-failover.htm|Zdroj]]
 +
 +----
 +
 +===== Ban list =====
 +<code>
 +/ ip firewall filter 
 +add chain=input in-interface=ether1-wan protocol=tcp dst-port=22 \
 +    connection-state=new connection-limit=5/1m;1:packet \
 +    action=add-src-to-address-list address-list=ssh_logins \
 +    address-list-timeout=12h comment="" disabled=no 
 +add chain=input protocol=tcp dst-port=22 src-address-list=!ssh_logins \
 +    action=accept comment="" disabled=no 
 +</code>
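Review bot: The new side of the Line 105 hunk sets `disabled=yes` on both `Drop everything else` rules of the IPv6 stub, so the `/ipv6 firewall filter` forward and input chains are left with accept rules only and no active default drop; unless a rule outside the hunk drops WAN traffic, the router itself and every IPv6 host behind it stay reachable from the WAN on any port while the stub is applied as written. If the intent is to stage the rules and enable the drops after verifying the accepts, the page should say so next to the stub, for example a line `# the two Drop rules are added disabled; enable them once the accept rules above are confirmed` before the first `add`, so a reader does not copy an open ruleset believing it is filtered. The IPv4 `Drop ... (FORWARD)` rules in the Line 94 hunk carry `disabled=yes` on both the old and new side, so that part is pre-existing rather than introduced by this revision. The prose around the stub lies outside the hunk.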