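--- a/mikrotik/simple-firewall.txt
+++ b/mikrotik/simple-firewall.txt
@@ -0,0 +1,42 @@
+
+<​code>​
+/ip firewall address-list
+add address=x.x.x.x list=ipsec-allow
+add address=z.z.z.z list=ssh-allow
+add address=192.168.0.0/​16 comment=RFC1918 list=RFC1918
+add address=10.0.0.0/​8 list=RFC1918
+add address=172.16.0.0/​12 list=RFC1918
+/ip firewall connection tracking
+set generic-timeout=5m tcp-established-timeout=10m
+
+/ip firewall filter
+add chain=input comment="​=== INPUT RULES ===" connection-state=established in-interface=eth0-WAN
+add chain=input connection-state=related in-interface=eth0-WAN
+add chain=input comment="​UDP - traceroute"​ dst-port=33434-33523 limit=3,2 protocol=udp src-port=32769-65535
+add chain=input comment="​Allow limited pings" limit=50/​5s,​2 protocol=icmp
+add action=drop chain=input comment="​Drop excess pings" protocol=icmp
+add chain=input comment="​ALLOW PPTP Traffic (GRE+1723/​tcp)"​ in-interface=eth0-WAN protocol=gre
+add chain=input dst-port=1723 in-interface=eth0-WAN protocol=tcp
+add chain=input comment="​IPSec IKE" dst-port=500 in-interface=eth0-WAN protocol=udp src-address-list=ipsec-allow
+add chain=input dst-port=4500 in-interface=eth0-WAN protocol=udp src-address-list=ipsec-allow
+add chain=input in-interface=eth0-WAN protocol=ipsec-esp src-address-list=ipsec-allow
+add chain=input in-interface=eth0-WAN protocol=ipsec-ah src-address-list=ipsec-allow
+add chain=input comment="​IPSec IKE" dst-port=500 protocol=udp src-address-list=ipsec-allow
+add chain=input comment="​Allow SSH" connection-state=new dst-port=22,​8291 protocol=tcp src-address-list=ssh-allow
+add chain=input comment="​Allow LAN interface"​ in-interface=eth1-LAN
+add action=drop chain=input comment="​Drop everything else"
+add chain=forward comment="​=== FORWARD RULES ===" connection-state=established
+add chain=forward connection-state=related
+add chain=forward comment="​RFC1918 --> !RFC1918"​ dst-address-list=!RFC1918 src-address-list=RFC1918
+add chain=forward comment="​RFC1918 <--> RFC1918"​ dst-address-list=RFC1918 src-address-list=RFC1918
+add chain=forward dst-address=192.168.69.40 dst-port=61413-61420 protocol=tcp
+add chain=forward dst-address=192.168.69.40 dst-port=61413-61420 protocol=udp
+add action=log chain=forward comment="​DROP EVERYTHING ON FORWARD"​ log-prefix="​DROP FORWARD>"​
+add action=drop chain=forward
+
+/ip firewall nat
+add action=masquerade chain=srcnat dst-address=!192.168.0.0/​16 src-address=192.168.69.32/​27 to-addresses=<​outside-public-IP>​
+add action=src-nat chain=srcnat dst-address=192.168.69.0/​24 src-address=<​outside-public-IP>​ to-addresses=192.168.69.33
+add action=dst-nat chain=dstnat dst-port=61413-61420 protocol=udp to-addresses=192.168.69.40 to-ports=61413-61420
+add action=dst-nat chain=dstnat dst-port=61413-61420 protocol=tcp to-addresses=192.168.69.40 to-ports=61413-61420
+</​code>​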
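Review bot: The two forward accepts commented `RFC1918 --> !RFC1918` and `RFC1918 <--> RFC1918` match on address lists only, so a packet that arrives on eth0-WAN with a forged RFC1918 source and a 192.168.69.x destination is accepted by the second of them and forwarded into the LAN rather than reaching the logged drop at the end of the chain. An anti-spoofing rule placed right after the established/related accepts closes that gap, e.g. `add action=drop chain=forward comment="drop RFC1918 sources arriving on WAN" in-interface=eth0-WAN src-address-list=RFC1918`, and the same rule in the input chain ahead of the PPTP and IPsec accepts keeps forged private sources from matching those. The second `IPSec IKE` rule (udp/500 without an in-interface match) repeats the earlier one and only adds LAN-side matches that `Allow LAN interface` already accepts, so it can be removed. The PPTP accepts take GRE and 1723/tcp from any WAN source; if PPTP is still required, restricting them with a source address list as the IPsec and SSH rules do would narrow the exposed surface.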
mikrotik/simple-firewall.txt ยท Last modified: 2015/08/24 12:42 by a