Тема: Mrejata.net :: Защитна стена за микротик

Публикувана от admin на 18-11-2010 11:33
#1

Drop port scanners
Код
/ip firewall filter

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no





Bruteforce login prevention (FTP & SSH)

Код
/ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute downstream" disabled=no




TCP SYN flood

Код
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32  \
action=add-src-to-address-list  address-list=blocked-addr address-list-timeout=1d
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \
connection-limit=3,32 action=tarpit
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no
/ip firewall connection tracking set tcp-syncookie=yes





Protecting your customers
Virus filter


Код
/ip firewall filter
add chain=forward connection-state=established comment="allow established connections" 
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"

add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"   
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward protocol=tcp comment="allow TCP"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"





Set up packet filtering

Код
/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox"




[color=red]Edit these rules to reflect your actual IP addresses![/color]

Код
add chain=input src-address=159.148.172.192/28 comment="From Mikrotikls network"
add chain=input src-address=10.0.0.0/8 comment="From our private LAN"




[color=red]End of Edit [/color]
Код
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"





Redirect mail traffic to a specified server

Код
ip firewall nat add chain=dstnat protocol=tcp dst-port=25 action=dst-nat to-addresses=10.0.0.1 to-ports=25




FIREWALL

Код
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s


/ip firewall filter
add action=accept chain=accept_list comment="Forward HTTP to webserver" dst-address=192.168.11.10 dst-port=80 protocol=tcp
add action=accept chain=accept_list comment="Forward HTTPS to webserver" dst-address=192.168.11.10 dst-port=443 \
    protocol=tcp
add action=accept chain=accept_list comment="Forward FTP to Server" dst-address=192.168.11.10 dst-port=21 protocol=tcp
add action=accept chain=accept_list comment="Forward RDP to Server" dst-address=192.168.11.10 dst-port=3389 protocol=tcp \
    src-port=3389
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" dst-port=135-139 protocol=tcp
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" dst-port=135-139 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" dst-port=593 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" dst-port=4444 protocol=tcp
add action=drop chain=known_viruses comment="WITTY worm" dst-port=4000 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=995-999 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=8998 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" dst-port=2745 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" dst-port=4751 protocol=tcp
add action=drop chain=known_viruses comment="SQL Slammer" dst-port=1434 protocol=tcp
add action=drop chain=bad_people comment="Known Spammer" src-address=81.180.98.3
add action=drop chain=bad_people comment="Known Spammer" src-address=24.73.97.226
add action=drop chain=bad_people comment="http://isc.incidents.org/top10.html listed" src-address=67.75.20.112
add action=drop chain=bad_people src-address=218.104.138.166
add action=drop chain=bad_people src-address=212.3.250.194
add action=drop chain=bad_people src-address=203.94.243.191
add action=drop chain=bad_people src-address=202.101.235.100
add action=drop chain=bad_people src-address=58.16.228.42
add action=drop chain=bad_people src-address=58.248.8.2
add action=drop chain=bad_people src-address=202.99.11.99
add action=drop chain=bad_people src-address=218.52.237.219
add action=drop chain=bad_people src-address=222.173.101.157
add action=drop chain=bad_people src-address=58.242.34.235
add action=drop chain=bad_people src-address=222.80.184.23
add action=accept chain=forward comment="Allow WIFI access to ALL" src-address=192.168.22.0/24
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp
add action=drop chain=input comment="allows only 10 FTP login incorrect answers per minute" dst-port=21 protocol=tcp \
    src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login \
    incorrect" protocol=tcp
add action=drop chain=forward comment="drop invalid connections DELETE" connection-state=invalid
add action=drop chain=forward comment="Blocks SSH" dst-port=22 protocol=tcp
add action=jump chain=forward comment="Known virus ports DELETE" jump-target=known_viruses
add action=jump chain=forward comment="kill known bad source addresses DELETE" jump-target=bad_people
add action=jump chain=forward comment="Jump to Accepted List" jump-target=accept_list
add action=accept chain=forward comment="allow established connections DELETE" connection-state=established
add action=accept chain=forward comment="allow related connections DELETE" connection-state=related
add action=accept chain=forward comment="Allow All"

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.11.0/24
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=3389 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=80 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=21 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=443 protocol=tcp to-addresses=192.168.11.10





END :)

Публикувана от pafkata86 на 07-08-2013 10:43
#2

браво това е много добър урок Smile