ROS防火墙

收集但未整理的，请自行编辑，勿直接使用！

Remember that firewall rules are processed in the order they appear on the list! After a rule matches the packet, no more rules are processed for it

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

 

/ ip firewall filter

add chain=input connection-state=established comment="Accept established connections"

add chain=input connection-state=related comment="Accept related connections"

add chain=input connection-state=invalid action=drop comment="Drop invalid connections"

add chain=input protocol=udp action=accept comment="UDP" disabled=no

add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"

add chain=input protocol=icmp action=drop comment="Drop excess pings"

add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"

add chain=input protocol=tcp dst-port=8291 comment="winbox"

# Edit these rules to reflect your actual IP addresses! #

add chain=input src-address=159.148.172.192/28 comment="From Mikrotikls network"

add chain=input src-address=<?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" />10.0.0.0/8 comment="From our private LAN"

# End of Edit #

add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"

add chain=input action=drop comment="Drop everything else"

 

Allows only 10 FTP login incorrect answers per minute

 

/ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

 

This will prevent a SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

/ip firewall filter

 

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
 
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
 
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
 
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
 
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

 

 

These rules form the ‘ ICMP ’ chain which we jumped to from input, it limited various ICMP packet to stop people ping flooding you .

 

add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no

转载于:https://blog.51cto.com/itcnjd/61690