
mikrotik

mikrotik [2022/03/16 08:38] – external edit 127.0.0.1mikrotik [2026/06/20 15:35] (current) – external edit 127.0.0.1
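--- a/mikrotik
+++ b/mikrotik
@@ -91,13 +91,13 @@
  /ip firewall filter
     add chain=forward  connection-state=established,related              action=fasttrack-connection  comment="Fasttrack"
-    add chain=forward  connection-state=established,related,untracked    action=accept                comment="Allow ESTABLISHED, RELATED, UNTRACKED (FORWARD)
+    add chain=forward  connection-state=established,related,untracked    action=accept                comment="FORWARD :: Allow ESTABLISHED, RELATED, UNTRACKED"
-    add chain=forward  connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (FORWARD)"
+    add chain=forward  connection-state=invalid                          action=drop disabled=yes     comment="FORWARD :: Drop INVALID"
     add chain=forward  connection-nat-state=!dstnat  \
                        connection-state=new \
-                       in-interface-list=WAN                             action=drop disabled=yes     comment="Drop all from WAN not DST-NATted (FORWARD)"
+                       in-interface-list=WAN                             action=drop disabled=yes     comment="FORWARD :: Drop all from WAN not DST-NATted"
-    add chain=input    connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (INPUT)
+    add chain=input    connection-state=invalid                          action=drop disabled=yes     comment="INPUT :: Drop INVALID"
-    add chain=input    connection-state=established,related,untracked    action=accept                comment="Allow ESTABLISHED, RELATED, UNTRACKED (INPUT)
+    add chain=input    connection-state=established,related,untracked    action=accept                comment="INPUT :: Allow ESTABLISHED, RELATED, UNTRACKED"
-    add chain=input    protocol=icmp                                     action=accept                comment="Allow ICMP (INPUT)
+    add chain=input    protocol=icmp                                     action=accept                comment="INPUT :: Allow ICMP"
-    add chain=input    in-interface-list=!LAN                            action=drop disabled=yes     comment="Drop all not coming from LAN (INPUT)"
+    add chain=input    in-interface-list=!LAN                            action=drop disabled=yes     comment="INPUT :: Drop all not coming from LAN"
 
 ----
@@ -195,2 +195,15 @@
   * Nevýhoda: Google DNS NEbude dostupné přes GW2.
   * [[https://www.prinmath.com/ham/mikrotik-failover.htm|Zdroj]]
+
+----
+
+===== Ban list =====
+<code>
+/ ip firewall filter 
+add chain=input in-interface=ether1-wan protocol=tcp dst-port=22 \
+    connection-state=new connection-limit=5/1m;1:packet \
+    action=add-src-to-address-list address-list=ssh_logins \
+    address-list-timeout=12h comment="" disabled=no 
+add chain=input protocol=tcp dst-port=22 src-address-list=!ssh_logins \
+    action=accept comment="" disabled=no 
+</code>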
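Review bot: The first rule of the new Ban list block uses `connection-limit=5/1m;1:packet`, which does not look like a valid value for that matcher: in RouterOS `connection-limit` takes `count,netmask` (concurrent connections per source), the `rate/time,burst:packet` form belongs to `limit`/`dst-limit`, and `;` is a command separator rather than part of a value, so the rule will most likely be rejected on import or match something other than the intended five new SSH connections per minute — worth confirming against the RouterOS version in use (and note that `limit` matches packets within the rate, not the excess, which is why the staged address-list pattern is the usual way to express this). A second gap is that nothing drops traffic from a source once it is in `ssh_logins`: the second rule only accepts SSH from addresses not on the list, and listed sources fall through to the rest of the input chain, where (Line 91 hunk above) the catch-all `INPUT :: Drop all not coming from LAN` rule is still `disabled=yes`, so the ban has no effect until that rule is enabled or an explicit drop such as `add chain=input protocol=tcp dst-port=22 src-address-list=ssh_logins action=drop comment="INPUT :: Drop SSH from ssh_logins"` is placed before the accept rule. For the same reason the `disabled=yes` on every drop rule in the Line 91 hunk deserves a sentence in the page text saying they are meant to be enabled after testing, since as written both chains end in the default accept. Finally, the new rules carry `comment=""` while the rest of the page has just been normalised to the `CHAIN :: description` convention; `comment="INPUT :: Rate-limit new SSH from WAN"` and `comment="INPUT :: Allow SSH not on ssh_logins"` would bring them in line.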