WereDoku

User Tools

Site Tools

Trace:
mikrotik

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
mikrotik [2021/03/13 14:30] – [IPv4 firewall stub] wwmikrotik [2026/06/20 15:35] (current) – external edit 127.0.0.1
Line 91: Line 91:
   /ip firewall filter   /ip firewall filter
     add chain=forward  connection-state=established,related              action=fasttrack-connection  comment="Fasttrack"     add chain=forward  connection-state=established,related              action=fasttrack-connection  comment="Fasttrack"
-    add chain=forward  connection-state=established,related,untracked    action=accept                comment="Allow ESTABLISHED, RELATED, UNTRACKED (FORWARD)+    add chain=forward  connection-state=established,related,untracked    action=accept                comment="FORWARD :: Allow ESTABLISHED, RELATED, UNTRACKED" 
-    add chain=forward  connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (FORWARD)"+    add chain=forward  connection-state=invalid                          action=drop disabled=yes     comment="FORWARD :: Drop INVALID"
     add chain=forward  connection-nat-state=!dstnat  \     add chain=forward  connection-nat-state=!dstnat  \
                        connection-state=new \                        connection-state=new \
-                       in-interface-list=WAN                             action=drop disabled=yes     comment="Drop all from WAN not DST-NATted (FORWARD)"  +                       in-interface-list=WAN                             action=drop disabled=yes     comment="FORWARD :: Drop all from WAN not DST-NATted"  
-    add chain=input    connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (INPUT)+    add chain=input    connection-state=invalid                          action=drop disabled=yes     comment="INPUT :: Drop INVALID" 
-    add chain=input    connection-state=established,related,untracked    action=accept                comment="Allow ESTABLISHED, RELATED, UNTRACKED (INPUT)+    add chain=input    connection-state=established,related,untracked    action=accept                comment="INPUT :: Allow ESTABLISHED, RELATED, UNTRACKED" 
-    add chain=input    protocol=icmp                                     action=accept                comment="Allow ICMP (INPUT)+    add chain=input    protocol=icmp                                     action=accept                comment="INPUT :: Allow ICMP" 
-    add chain=input    in-interface-list=!LAN                            action=drop disabled=yes     comment="Drop all not coming from LAN (INPUT)"+    add chain=input    in-interface-list=!LAN                            action=drop disabled=yes     comment="INPUT :: Drop all not coming from LAN"
  
 ---- ----
Line 105: Line 105:
 ===== IPv6 firewall stub ===== ===== IPv6 firewall stub =====
   /ipv6 firewall filter   /ipv6 firewall filter
-  add chain=forward connection-state=established                action=accept comment="Allow ESTABLISHED (FORWARD)" +  add chain=forward connection-state=established                action=accept             comment="Allow ESTABLISHED (FORWARD)" 
-  add chain=forward connection-state=related                    action=accept comment="Allow RELATED (FORWARD)" +  add chain=forward connection-state=related                    action=accept             comment="Allow RELATED (FORWARD)" 
-  add chain=forward in-interface-list=WAN protocol=icmpv6       action=accept comment="Allow ICMPv6 (FORWARD)" +  add chain=forward in-interface-list=WAN protocol=icmpv6       action=accept             comment="Allow ICMPv6 (FORWARD)" 
-  add chain=forward in-interface-list=WAN                       action=drop   comment="Drop everything else (FORWARD)" +  add chain=forward in-interface-list=WAN                       action=drop disabled=yes  comment="Drop everything else (FORWARD)" 
-  add chain=input   connection-state=established                action=accept comment="Allow ESTABLISHED (INPUT)" +  add chain=input   connection-state=established                action=accept             comment="Allow ESTABLISHED (INPUT)" 
-  add chain=input   connection-state=related                    action=accept comment="Allow RELATED (INPUT)" +  add chain=input   connection-state=related                    action=accept             comment="Allow RELATED (INPUT)" 
-  add chain=input   in-interface-list=WAN protocol=icmpv6       action=accept comment="Allow ICMPv6 (INPUT)" +  add chain=input   in-interface-list=WAN protocol=icmpv6       action=accept             comment="Allow ICMPv6 (INPUT)" 
-  add chain=input   in-interface-list=WAN protocol=udp port=546 action=accept comment="Allow DHCPv6 (INPUT)" +  add chain=input   in-interface-list=WAN protocol=udp port=546 action=accept             comment="Allow DHCPv6 (INPUT)" 
-  add chain=input   in-interface-list=WAN                       action=drop   comment="Drop everything else (INPUT)"+  add chain=input   in-interface-list=WAN                       action=drop disabled=yes  comment="Drop everything else (INPUT)"
  
 ---- ----
Line 195: Line 195:
   * Nevýhoda: Google DNS NEbude dostupné přes GW2.   * Nevýhoda: Google DNS NEbude dostupné přes GW2.
   * [[https://www.prinmath.com/ham/mikrotik-failover.htm|Zdroj]]   * [[https://www.prinmath.com/ham/mikrotik-failover.htm|Zdroj]]
 +
 +----
 +
 +===== Ban list =====
 +<code>
 +/ ip firewall filter 
 +add chain=input in-interface=ether1-wan protocol=tcp dst-port=22 \
 +    connection-state=new connection-limit=5/1m;1:packet \
 +    action=add-src-to-address-list address-list=ssh_logins \
 +    address-list-timeout=12h comment="" disabled=no 
 +add chain=input protocol=tcp dst-port=22 src-address-list=!ssh_logins \
 +    action=accept comment="" disabled=no 
 +</code>
mikrotik.1615645843.txt.gz · Last modified: (external edit)