====== MikroTik rule set ======

[[billing:howto|Back to the parent level]]

===== All rules are entered in /ip firewall filter =====

Rules are evaluated top to bottom in the order they are added, so keep the order shown here.

Allow the billing server's IP:
<code>
add action=accept chain=input comment="Allow Billing" disabled=no src-address="10.10.10.1"
</code>

Allow pings:
<code>
add action=accept chain=input comment="Allow Pings" disabled=no protocol=icmp
add action=accept chain=forward disabled=no protocol=icmp
</code>

Protection against DNS flood / DNS amplification. Replace the external interface (ether1) with your own:
<code>
add action=accept chain=forward comment="DNS Flood" disabled=no dst-port=53 protocol=udp
add action=add-src-to-address-list address-list=dns_flood address-list-timeout=1h chain=input disabled=no dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input disabled=no dst-port=53 in-interface=ether1 protocol=udp src-address-list=dns_flood
</code>

Block port scanners:
<code>
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list=port_scanners
</code>

Block invalid sessions:
<code>
add action=drop chain=input comment="DROP invalid" connection-state=invalid disabled=no
</code>

Block Telnet brute force (the drop rule must stay first; the remaining rules move a source through stage1, stage2 and stage3 on each new connection and finally onto the blacklist):
<code>
add action=drop chain=input comment="DROP Telnet brute force" disabled=no dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=30m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp
</code>

Block SSH brute force (same scheme as for Telnet):
<code>
add action=drop chain=input comment="Drop SSH brute force" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=30m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
</code>

Block SYN flood:
<code>
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="SYN Flood" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="DROP syn flood" disabled=no src-address-list=Syn_Flooder
</code>

billing/howto/mikrotikfw.txt · Last modified: 8 years ago by vilko
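The Telnet and SSH blocks above escalate a source through the stage1, stage2 and stage3 lists and finally onto a 30-minute blacklist. The following Python simulation is an added example (not part of this page or of RouterOS) that replays the SSH rule order for one source address to show that four new connections inside the one-minute stage timeout get the fifth one dropped, while slower attempts never escalate; it assumes that re-adding an address to a list refreshes its timeout and uses a constructed source address.

```python
from dataclasses import dataclass, field

# Timeouts in seconds, taken from the address-list-timeout values of the rules.
STAGE_TIMEOUT = 60            # 1m for ssh_stage1..ssh_stage3
BLACKLIST_TIMEOUT = 30 * 60   # 30m for ssh_blacklist


@dataclass
class AddressLists:
    """Dynamic address lists: name -> {ip: expiry timestamp}."""
    lists: dict = field(default_factory=dict)

    def contains(self, name: str, ip: str, now: float) -> bool:
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def add(self, name: str, ip: str, now: float, timeout: float) -> None:
        # Assumption: re-adding an address refreshes its timeout.
        self.lists.setdefault(name, {})[ip] = now + timeout


# Rules 2-5 for dst-port=22 in the order the page adds them:
# (list that must match, list to add the source to, timeout).
# None means the unconditional last rule (every new connection -> stage1).
STAGES = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT),
    (None, "ssh_stage1", STAGE_TIMEOUT),
]


def new_ssh_connection(lists: AddressLists, ip: str, now: float) -> str:
    """Evaluate one connection-state=new packet to tcp/22 from ip.
    Returns "drop" or "accept"; the page has no accept rule, so a packet
    that is not dropped simply falls through."""
    # Rule 1: drop anything already on the blacklist.
    if lists.contains("ssh_blacklist", ip, now):
        return "drop"
    # Rules 2-5: add-src-to-address-list does not stop processing, so every
    # rule that matches fires in the same top-down pass.
    for check, target, timeout in STAGES:
        if check is None or lists.contains(check, ip, now):
            lists.add(target, ip, now, timeout)
    return "accept"


def simulate(times) -> list:
    """Verdict for each new connection from one constructed source (203.0.113.7)."""
    lists = AddressLists()
    return [new_ssh_connection(lists, "203.0.113.7", t) for t in times]
```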