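# MikroTik RouterOS firewall export. Lines are in terse export form: an "add" with
# no action= means action=accept. Within a chain the first matching rule wins, so
# rule order is part of the policy.
/ip firewall address-list
# Source allow-lists for management-plane access (x.x.x.x / z.z.z.z are placeholders
# for the operator's own addresses).
add address=x.x.x.x list=ipsec-allow
add address=z.z.z.z list=ssh-allow
add address=192.168.0.0/16 comment=RFC1918 list=RFC1918
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
/ip firewall connection tracking
# NOTE(review): tcp-established-timeout=10m is well below the RouterOS default. An idle
# TCP session that outlives it loses its tracking entry and its next packet has to
# re-match a connection-state=new rule (e.g. the SSH rule below) - confirm this is intended.
set generic-timeout=5m tcp-established-timeout=10m

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input comment="=== INPUT RULES ===" connection-state=established in-interface=eth0-WAN
add chain=input connection-state=related in-interface=eth0-WAN
# Added: packets that belong to no tracked connection and are not a valid new one
# (stray/spoofed ACK-RST segments etc.) are dropped before any accept rule can see them.
add action=drop chain=input comment="Drop invalid" connection-state=invalid in-interface=eth0-WAN
# Traceroute replies: rate-limited (limit=rate,burst) so the router answers but cannot
# be used as an amplifier.
add chain=input comment="UDP - traceroute" dst-port=33434-33523 limit=3,2 protocol=udp src-port=32769-65535
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
# NOTE(review): PPTP (GRE + 1723/tcp) is accepted from any WAN source - unlike the IPsec
# rules below it carries no src-address-list guard. PPTP's MS-CHAPv2 authentication is
# weak; prefer IPsec/IKEv2 for remote access, or at least scope these two rules to a
# src-address-list if PPTP must stay.
add chain=input comment="ALLOW PPTP Traffic (GRE+1723/tcp)" in-interface=eth0-WAN protocol=gre
add chain=input dst-port=1723 in-interface=eth0-WAN protocol=tcp
# IPsec control and data plane, only from peers on ipsec-allow: IKE (500/udp),
# NAT-T (4500/udp), ESP and AH.
add chain=input comment="IPSec IKE" dst-port=500 in-interface=eth0-WAN protocol=udp src-address-list=ipsec-allow
add chain=input dst-port=4500 in-interface=eth0-WAN protocol=udp src-address-list=ipsec-allow
add chain=input in-interface=eth0-WAN protocol=ipsec-esp src-address-list=ipsec-allow
add chain=input in-interface=eth0-WAN protocol=ipsec-ah src-address-list=ipsec-allow
# Broader duplicate of the IKE rule above (no in-interface). On eth0-WAN it can never
# match because the earlier rule already accepted; kept as-is since it still covers
# interfaces other than eth0-WAN/eth1-LAN - confirm whether that is wanted.
add chain=input comment="IPSec IKE" dst-port=500 protocol=udp src-address-list=ipsec-allow
# Management: 22/tcp is SSH, 8291/tcp is Winbox - both gated on the ssh-allow list.
# (Comment corrected: the rule also opens Winbox, not only SSH.)
add chain=input comment="Allow SSH + Winbox (22,8291/tcp)" connection-state=new dst-port=22,8291 protocol=tcp src-address-list=ssh-allow
# Everything arriving on the LAN side is trusted; everything else to the router is dropped.
add chain=input comment="Allow LAN interface" in-interface=eth1-LAN
add action=drop chain=input comment="Drop everything else"
# --- forward chain: traffic routed through the router ---
add chain=forward comment="=== FORWARD RULES ===" connection-state=established
add chain=forward connection-state=related
# Added: same invalid-state drop as on input, applied before any accept rule.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
# Private -> public (LAN egress) and private <-> private are allowed outright.
add chain=forward comment="RFC1918 --> !RFC1918" dst-address-list=!RFC1918 src-address-list=RFC1918
add chain=forward comment="RFC1918 <--> RFC1918" dst-address-list=RFC1918 src-address-list=RFC1918
# Inbound port-forward target (pairs with the dstnat rules below).
add chain=forward dst-address=192.168.69.40 dst-port=61413-61420 protocol=tcp
add chain=forward dst-address=192.168.69.40 dst-port=61413-61420 protocol=udp
# Default deny on forward, logged with a stable prefix for log filtering.
add action=log chain=forward comment="DROP EVERYTHING ON FORWARD" log-prefix="DROP FORWARD>"
add action=drop chain=forward

/ip firewall nat
# NOTE(review): to-addresses belongs to action=src-nat; with action=masquerade the
# outgoing address is taken from the egress interface and this parameter is not
# expected to have an effect - confirm, or use action=src-nat if a fixed source IP
# is intended.
add action=masquerade chain=srcnat dst-address=!192.168.0.0/16 src-address=192.168.69.32/27 to-addresses=<outside-public-IP>
add action=src-nat chain=srcnat dst-address=192.168.69.0/24 src-address=<outside-public-IP> to-addresses=192.168.69.33
# Fixed: the original dstnat rules matched on dst-port alone, so LAN-originated
# traffic to *any* Internet host on 61413-61420 was also redirected to 192.168.69.40.
# Restricting to the router's public address limits the forward to inbound traffic
# (and keeps a hairpin path possible); if the WAN address is dynamic, use
# in-interface=eth0-WAN instead.
add action=dst-nat chain=dstnat dst-address=<outside-public-IP> dst-port=61413-61420 protocol=udp to-addresses=192.168.69.40 to-ports=61413-61420
add action=dst-nat chain=dstnat dst-address=<outside-public-IP> dst-port=61413-61420 protocol=tcp to-addresses=192.168.69.40 to-ports=61413-61420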