Mikrotik RB750 GR Firewall Rules for a Mikrotik Newbie

Muttley

Hi all,

So I took the plunge and decided to buy meself a Mikrotik RB750GR to use with my Fibre line- I figured for the price, performance and learning opportunity, I couldn't go wrong.

I've got the device up and running and it's working perfectly. According to the instructions which came in the box, all one really needs to do from a basic firewall point of view is add a password to the router login page - check.

I stumbled upon this video earlier, which I'll watch a.s.a.p., but I was wondering: do you guys have any suggestions in terms of firewall rules that I should add to ensure that my home network is ultra secure?

Thanks in advance

PS: Sorry for the complex question, I know it's a Sunday :D
 

Hamish McPanji

Block everything, then open up what you need.

There are quite a few mikrotik recipes online
 

DWPTA

But anyway, for what it's worth, here are my home Tik rules:

Code:
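/ip firewall filter
# Forward chain: fasttrack is left disabled, and the accept below passes every
# forwarded packet unconditionally (no invalid/established handling here).
add action=fasttrack-connection chain=forward disabled=yes
add action=accept chain=forward
# Input chain: stateful accepts first, then dispatch by protocol/service.
add action=accept chain=input comment="accept established connection packets" \
    connection-state=established
add action=accept chain=input comment="accept related connection packets" \
    connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
# The psd drop that previously sat here shadowed the identical psd rule in the
# "services" chain: scanners were dropped but never added to the
# "port scanners" list. The services chain now both lists and drops them.
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP \
    protocol=icmp
add action=jump chain=input comment="jump to chain services" jump-target=\
    services
add action=accept chain=input comment="Allow Broadcast Traffic" \
    dst-address-type=broadcast
add action=drop chain=input comment="drop everything else"
# ICMP chain: rate-limited echo reply (0), destination unreachable 3:3/3:4,
# echo request (8) and time exceeded (11); every other ICMP type is dropped.
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=\
    0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=\
    3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=\
    3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=\
    8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" \
    icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
# services chain: scanner detection first. add-src-to-address-list does not
# terminate processing, so the drop on the list directly after these rules
# catches the same packet that triggered the listing.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="SYN/FIN scan" protocol=\
    tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="SYN/RST scan" protocol=\
    tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="ALL/ALL scan" protocol=\
    tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="NMAP NULL scan" protocol=\
    tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=services comment="dropping port scanners" \
    src-address-list="port scanners"
# Brute-force protection must sit BEFORE the matching accept rule: an accept
# terminates the chain, so with these placed after "allow ssh"/"allow ftp"
# the blacklist drops and the ssh_stage ladder never saw a packet.
add action=drop chain=services comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=services comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
# Each new SSH connection promotes the source one stage (1m window per stage);
# a fourth new connection inside the window lands it in ssh_blacklist.
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=services connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=services connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=services connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=services connection-state=new dst-port=22 \
    protocol=tcp
# Management services. None of these carry an in-interface or src-address
# restriction, so as written they are reachable from the WAN side; www (80)
# and ftp (21) are also cleartext. Limiting them to LAN sources is advisable.
add action=accept chain=services comment="allow winbox" dst-port=8291 \
    protocol=tcp
add action=accept chain=services comment="allow www" dst-port=80 protocol=tcp
add action=accept chain=services comment="allow ssh" dst-port=22 protocol=tcp
add action=accept chain=services comment="allow ftp" dst-port=21 protocol=tcp
# VPN services: IPsec (IKE 500, NAT-T 4500, ESP, L2TP 1701), PPTP, SSTP.
add action=accept chain=services comment="allow IPSEC" dst-port=4500 \
    protocol=udp
add action=accept chain=services comment="allow IPSEC" protocol=ipsec-esp
add action=accept chain=services comment="allow IPSEC" dst-port=1701 \
    protocol=udp
add action=accept chain=services comment="allow IPSEC" dst-port=500 protocol=\
    udp
# PPTP (1723 + GRE) is widely regarded as cryptographically weak; keep only if
# a client genuinely needs it.
add action=accept chain=services comment="PPTP TCP 1723" dst-port=1723 \
    protocol=tcp
# The ZA address list referenced here is defined outside this listing.
add action=accept chain=services comment="SSTP TCP 443" dst-port=443 \
    protocol=tcp src-address-list=ZA
add action=accept chain=services comment="PPTP GRE" protocol=gre
# output chain: permit a limited rate of FTP "530 Login incorrect" replies per
# destination; sources that exceed it are listed into ftp_blacklist for 3h,
# which the "drop ftp brute forcers" rule above then enforces.
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp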