DirtyHarry
just joined
Topic Author
Posts: 16
Joined: Thu Apr 14, 2016 4:22 pm

Block and allow traffic flow

Mon May 22, 2017 11:58 am

Hey guys

I need to set up my MikroTik so that I block all traffic, so no funny browsing and what not, but I need to allow RDP connections going out of the network. So network -> MTK -> ISP -> to remote server.

My brain can't function enough to know where to start ha ha. I tried to drop all outgoing, and locked myself out lol. I am back in, but need some sort of idea where to start.

Thank you
 
DirtyHarry

Re: Block and allow traffic flow

Mon May 22, 2017 12:00 pm

My firewall rules are as follows:

/ip firewall filter
add action=drop chain=forward comment="Block VW" disabled=yes layer7-protocol=\
VWClub protocol=tcp src-address=192.168.2.0/24
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \
connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\
tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=\
Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP \
protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to \
support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT\
\_ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=\
!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=\
ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=\
3h chain=forward comment="Add Spammers to the list for 3 hours" \
connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
add action=drop chain=input comment=\
"Drop all packets which are not destined to routes IP address" \
dst-address-type=!local
add action=accept chain=forward comment="Allow Twitter" layer7-protocol=Twitter \
protocol=tcp src-address=192.168.2.65
add action=accept chain=forward comment="Allow Facebook" dst-port=443 \
layer7-protocol=Facebook protocol=tcp src-address=192.168.2.65
add action=accept chain=forward comment="Allow youtube" layer7-protocol=Youtube \
protocol=udp src-address=192.168.2.65
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=\
Facebook protocol=tcp src-address=192.168.2.68
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=\
Facebook protocol=tcp src-address=192.168.2.89
add action=accept chain=forward comment="Allow Facebook" layer7-protocol=\
Facebook protocol=tcp src-address=192.168.2.15
add action=accept chain=forward comment="Block youtube" layer7-protocol=Youtube \
protocol=udp src-address=192.168.2.68
add action=accept chain=forward comment="Block youtube" layer7-protocol=Youtube \
protocol=tcp src-address=192.168.2.65
add action=drop chain=forward comment="Block Facebook" layer7-protocol=Facebook \
protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block youtube" layer7-protocol=Youtube \
protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block youtube" layer7-protocol=Youtube \
protocol=udp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Twitter" layer7-protocol=Twitter \
protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Block Twitter" layer7-protocol=Twitter \
protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Block Facebook" layer7-protocol=Facebook \
protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=accept chain=output disabled=yes dst-port=4949 out-interface=ether8 \
protocol=tcp
add action=accept chain=output disabled=yes dst-port=3389 out-interface=ether8 \
protocol=tcp
add action=accept chain=input disabled=yes dst-port=53 protocol=udp
add action=accept chain=input disabled=yes protocol=udp src-port=53
add action=drop chain=forward disabled=yes
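An added example of the default-deny layout the question asks for, not the poster's own rules: LAN-to-server RDP traverses chain=forward (chain=output only matches packets the router itself originates), so the RDP accept and the final drop both belong in forward, with an input rule that keeps LAN management reachable to avoid the lockout described above. The bridge name "bridge", ether8 as the WAN port, and the server address 203.0.113.10 are assumptions.

```routeros
# Added example, not the poster's config. Assumes the LAN is 192.168.2.0/24 on
# an interface named "bridge", the WAN uplink is ether8, and the remote RDP
# host is the placeholder 203.0.113.10. Enter Safe Mode (Ctrl-X in the
# terminal) before applying, so a mistake is rolled back if the session drops.
/ip firewall address-list
add list=rdp-servers address=203.0.113.10 comment="remote RDP host (placeholder)"

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="keep existing sessions, including the current Winbox/SSH session"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=bridge \
    comment="management and router-hosted DNS from the LAN only"
add chain=input action=drop comment="default deny: nothing else reaches the router"

# --- forward: traffic passing through the router (LAN -> Internet) ---
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for sessions already allowed below"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=bridge out-interface=ether8 \
    protocol=tcp dst-port=3389 dst-address-list=rdp-servers \
    comment="allow outbound RDP only to approved hosts"
add chain=forward action=drop \
    comment="default deny: all other forwarded traffic, including web browsing"
```

Rules are matched top-down, so the RDP accept must stay above the final drop; after enabling, `/ip firewall filter print stats` shows which rule each flow is hitting. If clients resolve names via an external DNS server rather than the router, add a matching udp/53 accept in forward above the drop.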