Mikrotik RB750 GR Firewall Rules for a Mikrotik Newbie

Muttley · Dec 10, 2017

Hi all,

So I took the plunge and decided to buy meself a Mikrotik RB750GR to use with my Fibre line- I figured for the price, performance and learning opportunity, I couldn't go wrong.

I've got the device up and running and it working perfectly. According to the instructions which came in the box, all one really needs to do from a basic firewall point of view is add a password to the router login page - check.

I stumbled upon this video earlier which I'll watch a.s.a.p but I was wondering, do you guys have any suggestions in terms of firewall rules that I should add to ensure that my home network is ultra secure?

Thanks in advance

PS: Sorry for the complex question, I know it's a Sunday

ebendl · Dec 10, 2017

I’ll post some of mine later when I’m back home!

mh348 · Dec 10, 2017

Here's a basic firewall rules setup script

https://wiki.mikrotik.com/wiki/Basic_universal_firewall_script

Hamish McPanji · Dec 10, 2017

Block everything, then open up what you need.

There are quite a few mikrotik recipes online

Muttley · Dec 11, 2017

ebendl said:
I’ll post some of mine later when I’m back home!

mh348 said:
Here's a basic firewall rules setup script

https://wiki.mikrotik.com/wiki/Basic_universal_firewall_script

Hamish McPanji said:
Block everything, then open up what you need.

There are quite a few mikrotik recipes online

Thanks for all the feedback

Hamish McPanji · Dec 11, 2017

/waits for OP to get back....saying he's locked himself out if router

Muttley · Dec 11, 2017

Hamish McPanji said:
/waits for OP to get back....saying he's locked himself out if router

/OP holds in the reset button

DWPTA · Dec 12, 2017

Hamish McPanji said:
/waits for OP to get back....saying he's locked himself out if router

Well he should know about Winbox MAC access

DWPTA · Dec 12, 2017

But anyways what's it worth here is my home tik rules

Code:

/ip firewall filter
add action=fasttrack-connection chain=forward disabled=yes
add action=accept chain=forward
add action=accept chain=input comment="accept established connection packets" \
    connection-state=established
add action=accept chain=input comment="accept related connection packets" \
    connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
add action=drop chain=input comment="detect and drop port scan connections" \
    protocol=tcp psd=21,3s,3,1
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP \
    protocol=icmp
add action=jump chain=input comment="jump to chain services" jump-target=\
    services
add action=accept chain=input comment="Allow Broadcast Traffic" \
    dst-address-type=broadcast
add action=drop chain=input comment="drop everything else"
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=\
    0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=\
    3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=\
    3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=\
    8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" \
    icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="SYN/FIN scan" protocol=\
    tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="SYN/RST scan" protocol=\
    tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="ALL/ALL scan" protocol=\
    tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="NMAP NULL scan" protocol=\
    tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=services comment="dropping port scanners" \
    src-address-list="port scanners"
add action=accept chain=services comment="allow winbox" dst-port=8291 \
    protocol=tcp
add action=accept chain=services comment="allow www" dst-port=80 protocol=tcp
add action=accept chain=services comment="allow ssh" dst-port=22 protocol=tcp
add action=accept chain=services comment="allow ftp" dst-port=21 protocol=tcp
add action=accept chain=services comment="allow IPSEC" dst-port=4500 \
    protocol=udp
add action=accept chain=services comment="allow IPSEC" protocol=ipsec-esp
add action=accept chain=services comment="allow IPSEC" dst-port=1701 \
    protocol=udp
add action=accept chain=services comment="allow IPSEC" dst-port=500 protocol=\
    udp
add action=accept chain=services comment="PPTP TCP 1723" dst-port=1723 \
    protocol=tcp
add action=accept chain=services comment="SSTP TCP 443" dst-port=443 \
    protocol=tcp src-address-list=ZA
add action=accept chain=services comment="PPTP GRE" protocol=gre
add action=drop chain=services comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=services comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=services connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=services connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=services connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=services connection-state=new dst-port=22 \
    protocol=tcp

Mikrotik RB750 GR Firewall Rules for a Mikrotik Newbie

Muttley

Expert Member

ebendl

Expert Member

mh348

Expert Member

Hamish McPanji

Honorary Master

Muttley

Expert Member

Hamish McPanji

Honorary Master

Muttley

Expert Member

DWPTA

Expert Member

DWPTA

Expert Member