====== Rule set for Mikrotik ======

[[billing:howto|Back to the parent page]]

===== All rules are entered in /ip firewall filter =====

Allow the billing server's IP:

<code>
add action=accept chain=input comment="Allow Billing" disabled=no src-address="10.10.10.1"
</code>

Allow pings:

<code>
add action=accept chain=input comment="Allow Pings" disabled=no protocol=icmp
add action=accept chain=forward disabled=no protocol=icmp
</code>

Protection against DNS flood / DNS amplification. Replace the external interface (ether1) with your own:

<code>
add action=accept chain=forward comment="DNS Flood" disabled=no dst-port=53 protocol=udp
add action=add-src-to-address-list address-list=dns_flood address-list-timeout=1h chain=input disabled=no dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input disabled=no dst-port=53 in-interface=ether1 protocol=udp src-address-list=dns_flood
</code>

Block port scanners:

<code>
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list=port_scanners
</code>

Drop invalid connections:

<code>
add action=drop chain=input comment="DROP invalid" connection-state=invalid disabled=no
</code>

Block Telnet brute force (keep the rules in this order: the drop rule first, then stage3, stage2, stage1):

<code>
add action=drop chain=input comment="DROP Telnet brutforce" disabled=no dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=30m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp
</code>

Block SSH brute force (same scheme as for Telnet, same ordering requirement):

<code>
add action=drop chain=input comment="Drop SSH brutforce" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=30m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
</code>

Block SYN flood:

<code>
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="SYN Flood" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="DROP syn flood" disabled=no src-address-list=Syn_Flooder
</code>
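The Telnet and SSH sections above rely on a chain of address lists with short timeouts: each new connection moves the source one stage further, and the fourth new connection inside the window lands it in the blacklist. The following Python model is an added example, not part of this page and not RouterOS code: it replays the page's SSH rule order against a toy address-list store so you can check the escalation, the effect of the 1m and 30m timeouts, and why the stage rules are listed in descending order. It assumes, as the page's ordering does, that the add-src-to-address-list action does not stop rule evaluation for the current packet; the source IP 203.0.113.10 and the timestamps are constructed.

```python
"""Toy replay of the staged SSH brute-force rules from the page.

Constructed example: models /ip firewall filter evaluation top-down with
a dictionary standing in for /ip firewall address-list. The Telnet set on
the page is identical apart from the port and list names.
"""
from dataclasses import dataclass, field

MIN = 60  # seconds

# (action, src-address-list that must match, target list, address-list-timeout)
# Same order as on the page: drop first, then stage3 -> blacklist,
# stage2 -> stage3, stage1 -> stage2, and finally "anyone" -> stage1.
SSH_RULES = [
    ("drop", "ssh_blacklist", None, None),
    ("add", "ssh_stage3", "ssh_blacklist", 30 * MIN),
    ("add", "ssh_stage2", "ssh_stage3", 1 * MIN),
    ("add", "ssh_stage1", "ssh_stage2", 1 * MIN),
    ("add", None, "ssh_stage1", 1 * MIN),
]


@dataclass
class AddressLists:
    """Stand-in for the router's address lists: list name -> {ip: expiry}."""
    entries: dict = field(default_factory=dict)

    def contains(self, name, ip, now):
        expiry = self.entries.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def add(self, name, ip, now, timeout):
        # Re-adding an address refreshes its timeout, as on RouterOS.
        self.entries.setdefault(name, {})[ip] = now + timeout


def evaluate(lists, ip, now, rules=SSH_RULES):
    """Run one new TCP/22 connection from `ip` through `rules` top-down.

    Returns 'drop' when the blacklist rule fires, otherwise 'continue'
    (the packet goes on to the rest of the input chain). Assumption: an
    add-src-to-address-list rule does not terminate evaluation, so later
    rules are still consulted for the same packet.
    """
    for action, match_list, target, timeout in rules:
        if match_list is not None and not lists.contains(match_list, ip, now):
            continue
        if action == "drop":
            return "drop"
        lists.add(target, ip, now, timeout)
    return "continue"


def simulate(timestamps, rules=SSH_RULES, ip="203.0.113.10"):
    """Verdict for one new connection per timestamp (seconds) from one IP."""
    lists = AddressLists()
    return [evaluate(lists, ip, t, rules) for t in timestamps]


# The page's stage rules in ascending order (stage1 first), drop still first.
ASCENDING_RULES = [SSH_RULES[0]] + SSH_RULES[:0:-1]


if __name__ == "__main__":
    # Five new connections within a minute: the fourth lands in the
    # blacklist, the fifth is dropped.
    print(simulate([0, 5, 10, 15, 20]))
    # One attempt every 90 s never escalates: each stage entry has expired
    # by the time the next connection arrives.
    print(simulate([0, 90, 180, 270, 360]))
    # The blacklist entry itself lasts 30 minutes (1800 s) from the time
    # it was added at t=15.
    print(simulate([0, 5, 10, 15, 1000, 1815]))
    # With the stage rules in ascending order one connection walks through
    # every stage at once and the very next one is dropped; this is why the
    # page lists stage3 before stage2 before stage1.
    print(simulate([0, 1], rules=ASCENDING_RULES))
```

The model only covers the brute-force rules themselves; on the real router a packet that gets "continue" is still subject to the rest of the input chain, and `connection-state=new` on the page means only the first packet of each TCP connection counts as an attempt.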