
Simple Router Firewall Filtering

This post was last edited by gfx86674 on 2015-8-22 00:47

The firewall filter I set up is structured as a whitelist; anyone interested can give it a try.

First, create the All-Lan list under /ip firewall address-list:


Then create the DNS-Server list:


Copy all of the code below at once, then paste the whole thing into the terminal in one go to import it.

/ip firewall filter
add action=drop chain=forward comment="Block ports" \
    dst-port=22,23 protocol=tcp src-address-list=!All-Lan
add chain=input comment="Allow LAN devices" \
    src-address=1.1.1.1
add chain=input src-address-list=All-Lan
add action=drop chain=input \
    comment="DoS denial-of-service attack" \
    connection-limit=10,32 protocol=tcp src-port=!80
add action=drop chain=input comment="Prevent port scanning" \
    protocol=tcp src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add chain=input comment="Allow VPN" dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input dst-port=1194 protocol=tcp
add chain=input dst-port=443 protocol=tcp
add chain=input dst-port=1701,500,4500 protocol=udp
add chain=input protocol=ipencap
add chain=input protocol=ipsec-esp
add chain=input protocol=tcp src-port=1723
add chain=input protocol=tcp src-port=1194
add action=add-dst-to-address-list address-list=a.test \
    address-list-timeout=1s chain=output comment="Allow ICMP replies" \
    dst-address-list=!All-Lan protocol=icmp
add chain=input protocol=icmp src-address-list=a.test
add chain=input comment="Allow DNS" src-address-list=DNS-Server
add chain=input comment="Allow ROS-Cloud server" \
    src-address=81.198.87.240
add chain=input comment="Allow Winbox connections" dst-port=8291,8728 \
    protocol=tcp
add chain=input comment="Allow mail servers" protocol=tcp \
    src-port=25,587
add chain=input comment="Allow WWW servers" \
    protocol=tcp src-port=80,443
add chain=input comment="Allow time servers" \
    dst-port=123 protocol=udp src-port=123
add action=drop chain=input \
    comment="Drop undefined packets"
After importing, it looks like this:

Leave the web-proxy / pptp / l2tp-ipsec parts as they are; for other VPNs the ports you use may differ, so adjust them to your own situation.
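To check what this whitelist admits before loading it on a router, here is a small first-match simulator of the input chain above; it is an added example and not part of the original post. The address-list contents and the sample packets are constructed, and the stateful rules (psd, tcp-flags, connection-limit, the ICMP a.test trick) are left out because they need packet history.

```python
import ipaddress
# Constructed sample contents for the two address lists (the post's screenshots are not available).
ADDRESS_LISTS = {"All-Lan": ["192.168.88.0/24"], "DNS-Server": ["8.8.8.8"]}

# The post's input-chain rules, in order, minus the stateful ones (psd, tcp-flags,
# connection-limit, the ICMP a.test trick) that need packet history. A missing key matches anything.
INPUT_CHAIN = [
    dict(action="accept", src="1.1.1.1", comment="Allow LAN devices"),
    dict(action="accept", src_list="All-Lan"),
    dict(action="accept", proto="tcp", dport={1723}, comment="Allow VPN"),
    dict(action="accept", proto="gre"),
    dict(action="accept", proto="tcp", dport={1194}),
    dict(action="accept", proto="tcp", dport={443}),
    dict(action="accept", proto="udp", dport={1701, 500, 4500}),
    dict(action="accept", proto="ipencap"),
    dict(action="accept", proto="ipsec-esp"),
    dict(action="accept", proto="tcp", sport={1723}),
    dict(action="accept", proto="tcp", sport={1194}),
    dict(action="accept", src_list="DNS-Server", comment="Allow DNS"),
    dict(action="accept", src="81.198.87.240", comment="Allow ROS-Cloud server"),
    dict(action="accept", proto="tcp", dport={8291, 8728}, comment="Allow Winbox connections"),
    dict(action="accept", proto="tcp", sport={25, 587}, comment="Allow mail servers"),
    dict(action="accept", proto="tcp", sport={80, 443}, comment="Allow WWW servers"),
    dict(action="accept", proto="udp", dport={123}, sport={123}, comment="Allow time servers"),
    dict(action="drop", comment="Drop undefined packets"),
]

def in_list(ip, name):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ADDRESS_LISTS[name])

def matches(rule, pkt):
    if "src_list" in rule:  # a leading "!" negates the list, as in RouterOS
        name, negate = rule["src_list"].lstrip("!"), rule["src_list"].startswith("!")
        if in_list(pkt["src"], name) == negate:
            return False
    return all(pkt.get(k) in v if isinstance(v, set) else pkt.get(k) == v
               for k, v in rule.items() if k in ("src", "proto", "dport", "sport"))

def verdict(pkt, chain=INPUT_CHAIN):
    """First-match evaluation; RouterOS accepts when no rule in the chain matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "chain default"

if __name__ == "__main__":  # constructed sample packets: one LAN host, then an outside host
    for p in (dict(src="192.168.88.10", proto="tcp", dport=22, sport=50000),
              dict(src="203.0.113.5", proto="tcp", dport=8291, sport=50000),
              dict(src="203.0.113.5", proto="tcp", dport=22, sport=443),
              dict(src="203.0.113.5", proto="udp", dport=53, sport=50000)):
        print(p, "->", verdict(p))
```

The second and third sample packets are worth reviewing: the Winbox rule has no source restriction, and the src-port accept rules match on a field chosen by the remote end, so a stateless rule keyed only on src-port admits any TCP packet carrying that port.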

Reply to 1# gfx86674

Not simple at all!

May I ask, for item 26, "Allow ROS-Cloud server", what is that source IP??

Reply to 3# cashwu
It was found from the connection records; early on there was only one server, but now there is more than one.

Now you only need to open UDP port 15252, and updating your cloud address will not be affected.

Understood, thanks…

Thanks for sharing, I learned a lot from this.

Another question: can the cable IP be changed to in-interface?

Another question: can the cable IP be changed to in-interface?
cashwu posted on 2016-7-26 01:27

You can refer to my posts on Mobile01:
http://www.mobile01.com/topicdetail.php?f=110&t=3205444&p=490#60976904
http://www.mobile01.com/topicdetail.php?f=110&t=3205444&p=491#61013170

Also, since v6.36 there is the more advanced firewall raw table:
http://gregsowell.com/?p=5286
http://www.mobile01.com/topicdetail.php?f=110&t=3205444&p=492#61046512
I believe you will find it very useful.

Thanks, it really is very useful!