Mikrotik router Security of virus and excess ping traffic can use the following firewall script
First, make address-list "ournetwork" which contains the radio IP address, IP LAN and WAN IP or other IP that can be trusted
In the following example is the radio IP address = 10.0.0.0/16, 192.168.2.0/24 = IP LAN and WAN IP = 203.89.24.0/21 and other reliable IP = 202.67.33.7
To make the address-list can use a script like the following example adapted to live your network configuration.
Create the following skrtip using notepad and then copy-paste into the console mikrotik
/ Ip firewall address-list
add list = ournetwork address = 203.89.24.0/21 comment = "Datautama Network"
disabled = no
add list = ournetwork address = 10.0.0.0/16 comment = "Radio IP" disabled = no
add list = ournetwork address = 192.168.2.0/24 comment = "LAN Network" disabled = no
Further copy-paste the following script on mikrotik console
/ Ip firewall filter
add chain = forward connection-state = established action = accept comment = "allow
established connections "disabled = no
add chain = forward connection-state = related action = accept comment = "allow
related connections "disabled = no
add chain = virus protocol = udp dst-port = 135-139 action = drop comment = "Drop
Messenger Worm "disabled = no
add chain = forward connection-state = invalid action = drop comment = "drop invalid
connections "disabled = no
add chain = virus protocol = tcp dst-port = 135-139 action = drop comment = "Drop
Blaster Worm "disabled = no
add chain = virus protocol = tcp dst-port = 1433-1434 action = drop comment = "Worm"
disabled = no
add chain = virus protocol = tcp dst-port = 445 action = drop comment = "Drop Blaster
Worm "disabled = no
add chain = virus protocol = udp dst-port = 445 action = drop comment = "Drop Blaster
Worm "disabled = no
add chain = virus protocol = tcp dst-port = 593 action = drop comment = "________"
disabled = no
add chain = virus protocol = tcp dst-port = 1024-1030 action = drop comment = "________"
disabled = no
add chain = virus protocol = tcp dst-port = 1080 action = drop comment = "Drop MyDoom"
disabled = no
add chain = virus protocol = tcp dst-port = 1214 action = drop comment = "________"
disabled = no
add chain = virus protocol = tcp dst-port = 1363 action = drop comment = "NDM requester"
disabled = no
add chain = virus protocol = tcp dst-port = 1364 action = drop comment = "NDM server"
disabled = no
add chain = virus protocol = tcp dst-port = 1368 action = drop comment = "screen cast"
disabled = no
add chain = virus protocol = tcp dst-port = 1373 action = drop comment = "hromgrafx"
disabled = no
add chain = virus protocol = tcp dst-port = 1377 action = drop comment = "cichlid"
disabled = no
add chain = virus protocol = tcp dst-port = 2745 action = drop comment = "Bagle Virus"
disabled = no
add chain = virus protocol = tcp dst-port = 2283 action = drop comment = "Drop Dumaru.Y"
disabled = no
add chain = virus protocol = tcp dst-port = 2535 action = drop comment = "Drop Beagle"
disabled = no
add chain = virus protocol = tcp dst-port = 2745 action = drop comment = "Drop
Beagle.CK "disabled = no
add chain = virus protocol = tcp dst-port = 3127 action = drop comment = "Drop MyDoom"
disabled = no
add chain = virus protocol = tcp dst-port = 3410 action = drop comment = "Drop Backdoor
OptixPro "disabled = no
add chain = virus protocol = tcp dst-port = 4444 action = drop comment = "Worm"
disabled = no
add chain = virus protocol = udp dst-port = 4444 action = drop comment = "Worm"
disabled = no
add chain = virus protocol = tcp dst-port = 5554 action = drop comment = "Drop Sasser"
disabled = no
add chain = virus protocol = tcp dst-port = 8866 action = drop comment = "Drop Beagle.B"
disabled = no
add chain = virus protocol = tcp dst-port = 9898 action = drop comment = "Drop
Dabber.AB "disabled = no
add chain = virus protocol = tcp dst-port = 10000 action = drop comment = "Drop
Dumaru.Y, preferably on the disabled because it is also often used for vpn or
webmin "disabled = yes
add chain = virus protocol = tcp dst-port = 10 080 action = drop comment = "Drop
MyDoom.B "disabled = no
add chain = virus protocol = tcp dst-port = 12345 action = drop comment = "Drop NetBus"
disabled = no
add chain = virus protocol = tcp dst-port = 17 300 action = drop comment = "Drop Kuang2"
disabled = no
add chain = virus protocol = tcp dst-port = 27 374 action = drop comment = "Drop
SubSeven "disabled = no
add chain = virus protocol = tcp dst-port = 65 506 action = drop comment = "Drop PhatBot,
Agobot, Gaobot "disabled = no
add chain = forward action = jump jump-target = virus comment = "jump to the virus
chain "disabled = no
add chain = input connection-state = established action = accept comment = "Accept
established connections "disabled = no
add chain = input connection-state = related action = accept comment = "Accept related
connections "disabled = no
add chain = input connection-state = invalid action = drop comment = "Drop invalid
connections "disabled = no
add chain = input protocol = udp action = accept comment = "UDP" disabled = no
add chain = input protocol = icmp limit = 50/5s, 2 action = accept comment = "Allow
limited pings "disabled = no
add chain = input protocol = icmp action = drop comment = "Drop excess pings"
disabled = no
add chain = input protocol = tcp dst-port = 21 src-address-list = ournetwork
action = accept comment = "FTP" disabled = no
add chain = input protocol = tcp dst-port = 22 src-address-list = ournetwork
action = accept comment = "SSH for secure shell" disabled = no
add chain = input protocol = tcp dst-port = 23 src-address-list = ournetwork
action = accept comment = "Telnet" disabled = no
add chain = input protocol = tcp dst-port = 80 src-address-list = ournetwork
action = accept comment = "Web" disabled = no
add chain = input protocol = tcp dst-port = 8291 src-address-list = ournetwork
action = accept comment = "Winbox" disabled = no
add chain = input protocol = tcp dst-port = 1723 action = accept comment = "pptp-server"
disabled = no
add chain = input src-address-list = ournetwork action = accept comment = "From
Datautama network "disabled = no
add chain = input action = log log-prefix = "DROP INPUT" comment = "Log everything
else "disabled = no
add chain = input action = drop comment = "Drop everything else" disabled = no
The effect of the script above is:
A. Mikrotik router is only accessible FTP, SSH, Web and Winbox from that defined in the IP address-list "ournetwork" so it can not be accessed from any place.
2. Ports are often used in the block so that the traffic virus virus can not pass up, but keep in mind if there are users who have difficulty accessing a particular service should be checked at the chain = "virus" is the port that takes a user is blocked by the firewall.
3. Packet is limited to avoid excess ping ping.
In addition to consider is: should create a new user and password with the full group and then disable the admin user, this is to minimize the risk of your mikrotik hack people.
Good luck.
First, make address-list "ournetwork" which contains the radio IP address, IP LAN and WAN IP or other IP that can be trusted
In the following example is the radio IP address = 10.0.0.0/16, 192.168.2.0/24 = IP LAN and WAN IP = 203.89.24.0/21 and other reliable IP = 202.67.33.7
To make the address-list can use a script like the following example adapted to live your network configuration.
Create the following skrtip using notepad and then copy-paste into the console mikrotik
/ Ip firewall address-list
add list = ournetwork address = 203.89.24.0/21 comment = "Datautama Network"
disabled = no
add list = ournetwork address = 10.0.0.0/16 comment = "Radio IP" disabled = no
add list = ournetwork address = 192.168.2.0/24 comment = "LAN Network" disabled = no
Further copy-paste the following script on mikrotik console
/ Ip firewall filter
add chain = forward connection-state = established action = accept comment = "allow
established connections "disabled = no
add chain = forward connection-state = related action = accept comment = "allow
related connections "disabled = no
add chain = virus protocol = udp dst-port = 135-139 action = drop comment = "Drop
Messenger Worm "disabled = no
add chain = forward connection-state = invalid action = drop comment = "drop invalid
connections "disabled = no
add chain = virus protocol = tcp dst-port = 135-139 action = drop comment = "Drop
Blaster Worm "disabled = no
add chain = virus protocol = tcp dst-port = 1433-1434 action = drop comment = "Worm"
disabled = no
add chain = virus protocol = tcp dst-port = 445 action = drop comment = "Drop Blaster
Worm "disabled = no
add chain = virus protocol = udp dst-port = 445 action = drop comment = "Drop Blaster
Worm "disabled = no
add chain = virus protocol = tcp dst-port = 593 action = drop comment = "________"
disabled = no
add chain = virus protocol = tcp dst-port = 1024-1030 action = drop comment = "________"
disabled = no
add chain = virus protocol = tcp dst-port = 1080 action = drop comment = "Drop MyDoom"
disabled = no
add chain = virus protocol = tcp dst-port = 1214 action = drop comment = "________"
disabled = no
add chain = virus protocol = tcp dst-port = 1363 action = drop comment = "NDM requester"
disabled = no
add chain = virus protocol = tcp dst-port = 1364 action = drop comment = "NDM server"
disabled = no
add chain = virus protocol = tcp dst-port = 1368 action = drop comment = "screen cast"
disabled = no
add chain = virus protocol = tcp dst-port = 1373 action = drop comment = "hromgrafx"
disabled = no
add chain = virus protocol = tcp dst-port = 1377 action = drop comment = "cichlid"
disabled = no
add chain = virus protocol = tcp dst-port = 2745 action = drop comment = "Bagle Virus"
disabled = no
add chain = virus protocol = tcp dst-port = 2283 action = drop comment = "Drop Dumaru.Y"
disabled = no
add chain = virus protocol = tcp dst-port = 2535 action = drop comment = "Drop Beagle"
disabled = no
add chain = virus protocol = tcp dst-port = 2745 action = drop comment = "Drop
Beagle.CK "disabled = no
add chain = virus protocol = tcp dst-port = 3127 action = drop comment = "Drop MyDoom"
disabled = no
add chain = virus protocol = tcp dst-port = 3410 action = drop comment = "Drop Backdoor
OptixPro "disabled = no
add chain = virus protocol = tcp dst-port = 4444 action = drop comment = "Worm"
disabled = no
add chain = virus protocol = udp dst-port = 4444 action = drop comment = "Worm"
disabled = no
add chain = virus protocol = tcp dst-port = 5554 action = drop comment = "Drop Sasser"
disabled = no
add chain = virus protocol = tcp dst-port = 8866 action = drop comment = "Drop Beagle.B"
disabled = no
add chain = virus protocol = tcp dst-port = 9898 action = drop comment = "Drop
Dabber.AB "disabled = no
add chain = virus protocol = tcp dst-port = 10000 action = drop comment = "Drop
Dumaru.Y, preferably on the disabled because it is also often used for vpn or
webmin "disabled = yes
add chain = virus protocol = tcp dst-port = 10 080 action = drop comment = "Drop
MyDoom.B "disabled = no
add chain = virus protocol = tcp dst-port = 12345 action = drop comment = "Drop NetBus"
disabled = no
add chain = virus protocol = tcp dst-port = 17 300 action = drop comment = "Drop Kuang2"
disabled = no
add chain = virus protocol = tcp dst-port = 27 374 action = drop comment = "Drop
SubSeven "disabled = no
add chain = virus protocol = tcp dst-port = 65 506 action = drop comment = "Drop PhatBot,
Agobot, Gaobot "disabled = no
add chain = forward action = jump jump-target = virus comment = "jump to the virus
chain "disabled = no
add chain = input connection-state = established action = accept comment = "Accept
established connections "disabled = no
add chain = input connection-state = related action = accept comment = "Accept related
connections "disabled = no
add chain = input connection-state = invalid action = drop comment = "Drop invalid
connections "disabled = no
add chain = input protocol = udp action = accept comment = "UDP" disabled = no
add chain = input protocol = icmp limit = 50/5s, 2 action = accept comment = "Allow
limited pings "disabled = no
add chain = input protocol = icmp action = drop comment = "Drop excess pings"
disabled = no
add chain = input protocol = tcp dst-port = 21 src-address-list = ournetwork
action = accept comment = "FTP" disabled = no
add chain = input protocol = tcp dst-port = 22 src-address-list = ournetwork
action = accept comment = "SSH for secure shell" disabled = no
add chain = input protocol = tcp dst-port = 23 src-address-list = ournetwork
action = accept comment = "Telnet" disabled = no
add chain = input protocol = tcp dst-port = 80 src-address-list = ournetwork
action = accept comment = "Web" disabled = no
add chain = input protocol = tcp dst-port = 8291 src-address-list = ournetwork
action = accept comment = "Winbox" disabled = no
add chain = input protocol = tcp dst-port = 1723 action = accept comment = "pptp-server"
disabled = no
add chain = input src-address-list = ournetwork action = accept comment = "From
Datautama network "disabled = no
add chain = input action = log log-prefix = "DROP INPUT" comment = "Log everything
else "disabled = no
add chain = input action = drop comment = "Drop everything else" disabled = no
The effect of the script above is:
A. Mikrotik router is only accessible FTP, SSH, Web and Winbox from that defined in the IP address-list "ournetwork" so it can not be accessed from any place.
2. Ports are often used in the block so that the traffic virus virus can not pass up, but keep in mind if there are users who have difficulty accessing a particular service should be checked at the chain = "virus" is the port that takes a user is blocked by the firewall.
3. Packet is limited to avoid excess ping ping.
In addition to consider is: should create a new user and password with the full group and then disable the admin user, this is to minimize the risk of your mikrotik hack people.
Good luck.
Posted by Unknown on Kamis, 09 Februari 2012 - Rating: 4.5
Title : Firewall settings for Mikrotik Router
Description : Mikrotik router Security of virus and excess ping traffic can use the following firewall script First, make address-list "ournetwor...
Description : Mikrotik router Security of virus and excess ping traffic can use the following firewall script First, make address-list "ournetwor...
0 Response to "Firewall settings for Mikrotik Router"
Posting Komentar