DrDeft
just joined
Topic Author
Posts: 21
Joined: Sat Jun 30, 2012 2:16 pm

Minecraft server Gamai.Ru DDOS protection

Sat Jun 30, 2012 2:25 pm

RouterBoard Mikrotik 751G-2HnD firmware 2.39 RouterOS 5.18.
Minecraft online game server Gamai.Ru.
100 Megabits upload/download channel.

Minecraft uses ports 25565 TCP/UDP.

My last router, a D-Link DIR-300, had these protection rules in its configuration:

iptables -A INPUT -p tcp -m tcp --dport 25565 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
iptables -A INPUT -p udp --dport 25565 -m connlimit --connlimit-above 15 -j REJECT

Please help convert these rules (or more effective ones) to MikroTik. I have read the official manual but don't want to risk it. The MikroTik 751G-2HnD is my first MikroTik router.

Thanks to all helpers.
I can give remote access to router.
 
mrz
MikroTik Support
Posts: 7193
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 10:51 am

Something like:

/ip firewall filter
add chain=input protocol=tcp dst-port=25565 tcp-flags=fin,syn,rst,ack connection-limit=5,32 action=drop
add chain=input protocol=udp dst-port=25565 connection-limit=15,32 action=reject
 
DrDeft
just joined
Topic Author
Posts: 21
Joined: Sat Jun 30, 2012 2:16 pm

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 11:41 am

Can there be a syntax error?

add chain=input protocol=tcp dst-port=25565 tcp-flags=fin,syn,rst,ack connection-limit=5/32 action=drop

expected , (line 1 column 92)
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 11:43 am

Can there be a syntax error?

add chain=input protocol=tcp dst-port=25565 tcp-flags=fin,syn,rst,ack connection-limit=5/32 action=drop

expected , (line 1 column 92)

You need to start by entering the firewall menu; you missed the first part of the command:
/ip firewall filter
 
mrz
MikroTik Support
Posts: 7193
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 11:50 am

There should be connection-limit=5,32
 
DrDeft
just joined
Topic Author
Posts: 21
Joined: Sat Jun 30, 2012 2:16 pm

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 12:19 pm

Thanks to everybody. The rules have been accepted.
Are these rules enough to protect the Minecraft server?
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 12:34 pm

These rules protect your ROUTER from many connections per second. There are some other ways to protect the router, but your original rules also did not protect your Minecraft server, only the router. If you also want to prevent multiple connections to the Minecraft server, add the same set of rules again, but this time change from input to forward.
 
DrDeft
just joined
Topic Author
Posts: 21
Joined: Sat Jun 30, 2012 2:16 pm

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 1:07 pm

Please answer in detail. I'm still a noob with MikroTik. But protection of the Minecraft server is very important.

What are the specific rules (or commands in terminal) I need to accept?
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 1:08 pm

Please answer in detail. I'm still a noob with MikroTik. But protection of the Minecraft server is very important.

What are the specific rules (or commands in terminal) I need to accept?

I am simply pointing out that your D-Link rules were also not protecting your Minecraft server.

Adding also these rules should help (copy and paste them):
/ip firewall filter
add chain=forward protocol=tcp dst-port=25565 tcp-flags=fin,syn,rst,ack connection-limit=5,32 action=drop
add chain=forward protocol=udp dst-port=25565 connection-limit=15,32 action=reject
 
DrDeft
just joined
Topic Author
Posts: 21
Joined: Sat Jun 30, 2012 2:16 pm

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 1:14 pm

So, in summary, I need these rules? To protect the router and the Minecraft server. Yes?

/ip firewall filter
add chain=forward protocol=tcp dst-port=25565 tcp-flags=fin,syn,rst,ack connection-limit=5,32 action=drop
add chain=forward protocol=udp dst-port=25565 connection-limit=15,32 action=reject
add chain=input protocol=tcp dst-port=25565 tcp-flags=fin,syn,rst,ack connection-limit=5,32 action=drop
add chain=input protocol=udp dst-port=25565 connection-limit=15,32 action=reject
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 1:16 pm

Actually better like this:

/ip firewall filter
add chain=forward protocol=tcp dst-port=25565 tcp-flags=fin,syn,rst,ack connection-limit=5,32 action=drop
add chain=forward protocol=udp dst-port=25565 connection-limit=15,32 action=drop
add chain=input connection-limit=15,32 action=drop

These rules only protect against DOS (denial of service, multiple connections at once). There are many other rules you could add, depending on what you wish to be protected against.
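
Added example, not part of any post in this thread: the iptables match `--tcp-flags FIN,SYN,RST,ACK SYN` means "of these four flags, only SYN is set", while a RouterOS `tcp-flags=` list is modelled here as "every listed flag is set and every `!flag` is clear" (semantics assumed from the RouterOS documentation). The Python model below compares the two on every flag combination; all function names are illustrative.

```python
# Added example: models of two TCP-flag matchers, not router code.
FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def bits(names):
    """OR together the bit values of a comma-separated flag list."""
    value = 0
    for name in names.split(","):
        value |= FLAGS[name.strip().lower()]
    return value


def iptables_match(mask, comp, pkt):
    """iptables --tcp-flags MASK COMP: among MASK flags, exactly COMP are set."""
    return (pkt & bits(mask)) == bits(comp)


def routeros_match(spec, pkt):
    """RouterOS tcp-flags=LIST (assumed semantics): flag set, !flag clear."""
    for item in spec.lower().split(","):
        item = item.strip()
        if item.startswith("!"):
            if pkt & FLAGS[item[1:]]:
                return False
        elif not (pkt & FLAGS[item]):
            return False
    return True


def equivalent(ros_spec, mask="FIN,SYN,RST,ACK", comp="SYN"):
    """True if both matchers agree on all 64 combinations of the six flags."""
    return all(iptables_match(mask, comp, p) == routeros_match(ros_spec, p)
               for p in range(64))


# Constructed sample packets, given as their flag bits.
SAMPLES = {"SYN": bits("syn"), "SYN+ACK": bits("syn,ack"), "ACK": bits("ack"),
           "FIN+SYN+RST+ACK": bits("fin,syn,rst,ack")}

if __name__ == "__main__":
    for spec in ("fin,syn,rst,ack", "syn", "syn,!fin,!rst,!ack"):
        print(f"tcp-flags={spec}: same as the iptables match? {equivalent(spec)}")
        for name, pkt in SAMPLES.items():
            print(f"  {name:16} iptables={iptables_match('FIN,SYN,RST,ACK', 'SYN', pkt)}"
                  f" routeros={routeros_match(spec, pkt)}")
```

Under these assumptions a bare SYN from a new client is not matched by `tcp-flags=fin,syn,rst,ack`, while `tcp-flags=syn,!fin,!rst,!ack` reproduces the iptables match.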
 
coffeecoco
Member Candidate
Posts: 174
Joined: Wed Oct 12, 2005 1:17 pm

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 2:29 pm

May I ask, have you already had DDoS attacks?

Can you tell me anything about the previous attacks? I would be surprised if the CPU on the router can handle a large DDoS attack.
I don't know personally with MikroTik, I've just seen some tough routers go splat in the past.

Please give feedback :)
 
DrDeft
just joined
Topic Author
Posts: 21
Joined: Sat Jun 30, 2012 2:16 pm

Re: Minecraft server Gamai.Ru DDOS protection

Mon Jul 02, 2012 5:11 pm

My router, a D-Link DIR-300 with DD-WRT and a 300 MHz CPU, had been under attack in the past. But those were DoS (not DDoS) attacks. Packet flooding.

The protection rules were useful to prevent this type of attack.
 
coffeecoco
Member Candidate
Posts: 174
Joined: Wed Oct 12, 2005 1:17 pm

Re: Minecraft server Gamai.Ru DDOS protection

Tue Jul 03, 2012 5:14 am

Okay, then it must be either a simple ping flood
or an unspoofed SYN flood <-- pointless I would think, but it might consume a bit of the resources maybe..

I personally don't consider a DoS very bad, I can't think how a DoS would be capable of consuming your bandwidth and/or
resources.

But of course I guess the Minecraft server may be more sensitive to this.
 
Olivier
just joined
Posts: 7
Joined: Tue May 29, 2012 11:51 pm

Re: Minecraft server Gamai.Ru DDOS protection

Wed Nov 28, 2012 1:54 am

I would like to know what NAT rule(s) I must add. I tried to add a rule: chain : dstnat, protocol : 6 (tcp), dst port : 25565, in interface : ether 1, action : dstnat, to address : my local pc address, to port : 25565. It did not work. I can't connect to my server using my WAN IP and port 25565. I'm a little bit of a noob too and I would like some help please. Thanks.
