mikrotik:simple-firewall [2015/08/24 12:42] (current)
a created
Line 1: Line 1:
 +
 +<code>
 +/ip firewall address-list
 +add address=x.x.x.x list=ipsec-allow
 +add address=z.z.z.z list=ssh-allow
 +add address=192.168.0.0/16 comment=RFC1918 list=RFC1918
 +add address=10.0.0.0/8 list=RFC1918
 +add address=172.16.0.0/12 list=RFC1918
 +/ip firewall connection tracking
 +set generic-timeout=5m tcp-established-timeout=10m
 +
 +/ip firewall filter
 +add chain=input comment="=== INPUT RULES ===" connection-state=established in-interface=eth0-WAN
 +add chain=input connection-state=related in-interface=eth0-WAN
 +add chain=input comment="UDP - traceroute" dst-port=33434-33523 limit=3,2 protocol=udp src-port=32769-65535
 +add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
 +add action=drop chain=input comment="Drop excess pings" protocol=icmp
 +add chain=input comment="ALLOW PPTP Traffic (GRE+1723/tcp)" in-interface=eth0-WAN protocol=gre
 +add chain=input dst-port=1723 in-interface=eth0-WAN protocol=tcp
 +add chain=input comment="IPSec IKE" dst-port=500 in-interface=eth0-WAN protocol=udp src-address-list=ipsec-allow
 +add chain=input dst-port=4500 in-interface=eth0-WAN protocol=udp src-address-list=ipsec-allow
 +add chain=input in-interface=eth0-WAN protocol=ipsec-esp src-address-list=ipsec-allow
 +add chain=input in-interface=eth0-WAN protocol=ipsec-ah src-address-list=ipsec-allow
 +add chain=input comment="IPSec IKE" dst-port=500 protocol=udp src-address-list=ipsec-allow
 +add chain=input comment="Allow SSH" connection-state=new dst-port=22,8291 protocol=tcp src-address-list=ssh-allow
 +add chain=input comment="Allow LAN interface" in-interface=eth1-LAN
 +add action=drop chain=input comment="Drop everything else"
 +add chain=forward comment="=== FORWARD RULES ===" connection-state=established
 +add chain=forward connection-state=related
 +add chain=forward comment="RFC1918 --> !RFC1918" dst-address-list=!RFC1918 src-address-list=RFC1918
 +add chain=forward comment="RFC1918 <--> RFC1918" dst-address-list=RFC1918 src-address-list=RFC1918
 +add chain=forward dst-address=192.168.69.40 dst-port=61413-61420 protocol=tcp
 +add chain=forward dst-address=192.168.69.40 dst-port=61413-61420 protocol=udp
 +add action=log chain=forward comment="DROP EVERYTHING ON FORWARD" log-prefix="DROP FORWARD>"
 +add action=drop chain=forward
 +
 +/ip firewall nat
 +add action=masquerade chain=srcnat dst-address=!192.168.0.0/16 src-address=192.168.69.32/27 to-addresses=<outside-public-IP>
 +add action=src-nat chain=srcnat dst-address=192.168.69.0/24 src-address=<outside-public-IP> to-addresses=192.168.69.33
 +add action=dst-nat chain=dstnat dst-port=61413-61420 protocol=udp to-addresses=192.168.69.40 to-ports=61413-61420
 +add action=dst-nat chain=dstnat dst-port=61413-61420 protocol=tcp to-addresses=192.168.69.40 to-ports=61413-61420
 +</code>
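Review bot: The forward-chain accept rules at L39–L40 match on address lists only, with no in-interface condition, so a packet arriving on eth0-WAN with a spoofed RFC1918 source and an RFC1918 destination matches the "RFC1918 <--> RFC1918" rule and is forwarded into the LAN before the final drop at L44 ever sees it. An anti-spoofing drop placed ahead of those two rules closes this: `add action=drop chain=forward in-interface=eth0-WAN src-address-list=RFC1918 comment="Drop spoofed private sources from WAN"`. Both chains also lack the usual `connection-state=invalid` drop near the top, which is worth adding alongside the established/related accepts at L22–L23 and L37–L38. The catch-all log rule at L43 has no `limit=`, so a flood of dropped forward traffic can fill the log; something like `limit=5,10:packet` keeps it useful. L33 appears to be a duplicate of the IKE rule at L29 and can presumably be removed, though I cannot tell from the page whether a non-WAN IKE peer was intended.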
  