Rule set for MikroTik
All rules are entered under /ip firewall filter
Allow the billing server's IP:
add action=accept chain=input comment="Allow Billing" disabled=no src-address="10.10.10.1"
Allow pings:
add action=accept chain=input comment="Allow Pings" disabled=no protocol=icmp
add action=accept chain=forward disabled=no protocol=icmp
Protection against DNS flood / DNS amplification: replace the external interface (ether1) with your own
add action=accept chain=forward comment="DNS Flood" disabled=no dst-port=53 protocol=udp
add action=add-src-to-address-list address-list=dns_flood address-list-timeout=1h chain=input disabled=no dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input disabled=no dst-port=53 in-interface=ether1 protocol=udp src-address-list=dns_flood
Block port scanners:
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list=port_scanners
Drop invalid connections:
add action=drop chain=input comment="DROP invalid" connection-state=invalid disabled=no
Block Telnet brute force:
add action=drop chain=input comment="DROP Telnet brutforce" disabled=no dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=30m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp
Block SSH brute force:
add action=drop chain=input comment="Drop SSH brutforce" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=30m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
Block SYN flood:
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="SYN Flood" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="DROP syn flood" disabled=no src-address-list=Syn_Flooder
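As an added check that is not part of the original rule set: a small Python script that splits rules pasted onto a single line back into separate `add` commands and flags parameter names RouterOS would reject on import, such as `src-addres` in place of `src-address`. The set of known parameter names and the sample line are assumptions constructed for this example, not RouterOS's own definitions.

```python
import re

# Parameters accepted by /ip firewall filter rules, restricted to the ones this
# rule set uses (assumption: a real router accepts many more).
KNOWN_KEYS = {
    "action", "chain", "comment", "disabled", "protocol", "src-address",
    "dst-address", "src-port", "dst-port", "in-interface", "out-interface",
    "address-list", "address-list-timeout", "src-address-list",
    "dst-address-list", "connection-state", "connection-limit", "tcp-flags", "psd",
}

# key=value, where value is a double-quoted string or a bare token
PARAM_RE = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')

def split_rules(text):
    """Split text in which several 'add ...' commands were pasted on one line.
    A rule starts at an 'add' preceded and followed by whitespace, so the words
    'address-list' and 'add-src-to-address-list' are not split points."""
    return [r for r in re.split(r"\s+(?=add\s)", text.strip()) if r]

def parse_rule(rule):
    """Return the rule's parameters as a dict, with quotes stripped from values."""
    if not rule.startswith("add "):
        raise ValueError("expected an 'add' command, got: " + rule[:40])
    return {k: v.strip('"') for k, v in PARAM_RE.findall(rule[4:])}

def validate_rule(rule):
    """Return a list of problems; an empty list means the rule looks importable."""
    p = parse_rule(rule)
    problems = [f"unknown parameter '{k}'" for k in p if k not in KNOWN_KEYS]
    if "chain" not in p or "action" not in p:
        problems.append("missing 'chain' or 'action'")
    if p.get("action") == "add-src-to-address-list" and "address-list" not in p:
        problems.append("add-src-to-address-list without an address-list")
    return problems

def check_text(text):
    """Validate every rule in a pasted block; returns {rule: problems} for bad rules."""
    return {r: problems for r in split_rules(text) if (problems := validate_rule(r))}

# Constructed sample: the billing rule with a misspelled parameter, followed by
# the two ping rules pasted onto the same line.
SAMPLE = ('add action=accept chain=input comment="Allow Billing" disabled=no '
          'src-addres="10.10.10.1" add action=accept chain=input comment="Allow Pings" '
          'disabled=no protocol=icmp add action=accept chain=forward disabled=no protocol=icmp')

if __name__ == "__main__":
    for rule, problems in check_text(SAMPLE).items():
        print(rule[:45] + "... ->", "; ".join(problems))
```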