

Firewall Básico no Mikrotik

Este script contém regras básicas para proteger o próprio roteador (chain `input`) e bloquear tráfego encaminhado indesejado (chain `forward`), como destinos bogon e abuso de SMTP a partir da rede interna.

Preste atenção a todos os comentários antes de aplicar cada regra DROP. Várias regras DROP vêm de propósito com `disabled=yes`; habilite-as somente depois de confirmar que as regras de aceitação necessárias existem acima delas, caso contrário você pode perder o acesso ao roteador.

Primeiro precisamos criar nossa LISTA DE ENDEREÇOS com todos os IPs que usaremos mais vezes:

Abaixo, você precisa alterar `x.x.x.x/x` para sua sub-rede técnica (de gerência). Esta sub-rede terá acesso total ao roteador — a lista `suporte` é aceita sem restrição no chain `input` — portanto mantenha-a o menor possível.

/ip firewall address-list
# "suporte": the management subnet. Replace x.x.x.x/x before pasting.
# Everything on this list is accepted unconditionally in chain=input,
# so keep it as small as possible (ideally a single /32 or the out-of-band
# management network).
add list=suporte address=x.x.x.x/x
# Sources allowed to reach the router's HTTP interface
# (used by the TCP/80 accept rule, which ships disabled).
add list=IPs-Permitidos-AcessoWeb address=192.168.88.0/24
# Monitoring hosts allowed to poll SNMP
# (used by the UDP/161 accept rule, which ships disabled).
add list=Servidores-monitoramento address=172.16.0.0/25
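/ip firewall address-list
# "bogons": destinations that should never be reachable *through* the router.
# The filter section drops chain=forward traffic whose destination is on this
# list. Entries marked disabled=yes cover ranges a site may legitimately route
# (RFC 1918, multicast, CGNAT); enable them only after checking your addressing.
#
# Fix: four entries had no space between the closing quote of comment= and
# disabled=yes (one even had a stray "\" glued in), which makes the import
# fail. Two common bogon ranges (240/4 and 100.64/10) were also added.
add address=0.0.0.0/8 comment="Auto identificação [RFC 3330]" disabled=no list=bogons
add address=10.0.0.0/8 comment="Privado[RFC 1918] - CLASS A # Verifique se voce precisa desta sub-rede antes de ativa-la" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=172.16.0.0/12 comment="Privado[RFC 1918] - CLASS B # Verifique se voce precisa desta sub-rede antes de ativa-la" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Privado[RFC 1918] - CLASS C # Verifique se voce precisa desta sub-rede antes de ativa-la" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reservado - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="Anycast de retransmissão 6to4 [RFC 3068]" disabled=no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reservado - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reservado - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Verifique se voce precisa desta sub-rede antes de ativa-la" disabled=yes list=bogons
# Reserved for future use; never a valid forwarding destination.
add address=240.0.0.0/4 comment="Reservado [RFC 1112]" disabled=no list=bogons
# Shared address space used by ISPs for CGNAT. Many PPPoE customers get an
# address from this range, so it ships disabled - check before enabling.
add address=100.64.0.0/10 comment="CGNAT [RFC 6598] # Verifique se voce precisa desta sub-rede antes de ativa-la" disabled=yes list=bogons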

As regras abaixo adicionam proteção contra SYN flood, ping flood (ICMP), port scan e envio de spam (SMTP) a partir da rede interna, além de bloquear destinos bogon. Parte das regras vem com `disabled=yes` e precisa ser revisada antes de ativar. Para mais informações, leia os comentários:

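/ip firewall filter
# ---------------------------------------------------------------------------
# chain=input  : traffic addressed to the router itself
# chain=forward: traffic routed through the router
# chain=ICMP   : shared ICMP policy, reached by jump from input/forward/output
#
# Interface naming assumed throughout, taken from the other rules of this
# script: pppoe-out1 = WAN (see NAT), bridge = LAN. Adjust if yours differ.
#
# Rules are grouped per chain below; the relative order inside each chain is
# the one that matters to RouterOS. Changes versus the original listing:
#   * stray "\ " line-continuation fragments left over from a multi-line
#     export were removed, so every rule is one complete command;
#   * the DNS accept rules matched port=53 (source OR destination port) with
#     no interface restriction - see the DNS section;
#   * the disabled service-accept rules (Winbox, L2TP, DHCP, ...) were moved
#     above the final "drop everything else", where they are reachable once
#     enabled; before they sat *below* it and could never match;
#   * duplicated disabled copies of the fasttrack / established / drop-all
#     rules were merged into the enabled ones;
#   * NTP accept used protocol=tcp; NTP is UDP/123.
# ---------------------------------------------------------------------------

# --- input: SYN flood ---
# A source holding more than 30 simultaneous connections to the router
# (counted per /32, the "32" in connection-limit) is listed for 30 minutes.
# A busy NAT gateway in front of many users can trip this; tune for your site.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Adicionar Syn Flood IP à lista" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop IPs da lista Syn_Flooder" src-address-list=Syn_Flooder

# --- input: port-scan detection ---
# psd=21,3s,3,1: weight threshold 21 within a 3 s window, low ports weigh 3,
# high ports weigh 1. A listed source is blocked for a whole week, so make
# sure a monitoring host that probes several router ports cannot trigger it.
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Deteccao de Scanner de Porta" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop IPs da lista Port_Scanner" src-address-list=Port_Scanner
# Alternative detector writing to a differently named list (PORTSCAN), kept
# disabled; the raw-table drop in this script refers to that list name.
add action=add-src-to-address-list address-list=PORTSCAN address-list-timeout=1w chain=input comment="DETECTION PORT SCANNER" disabled=yes protocol=tcp psd=21,3s,3,1

# --- input: ICMP is handled by the shared chain (see chain=ICMP below) ---
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
# WAN-only variant of the jump above, kept disabled (redundant while the
# unrestricted jump is enabled).
add action=jump chain=input comment="ICMP CONTROL - CHAIN ICMP" disabled=yes in-interface=pppoe-out1 jump-target=ICMP protocol=icmp

# --- input: Winbox (TCP/8291) ---
# Drops Winbox from anything NOT on the "suporte" list. Ships disabled: if the
# suporte list is empty or wrong, enabling this locks you out of Winbox.
add action=drop chain=input comment="Bloqueie todo o acesso ao winbox - exceto o que estiver na lista suporte # NAO HABILITE ESTA REGRA ANTES DE ADICIONAR SUA SUB-REDE NA LISTA DE ENDERECOS do suporte" disabled=yes dst-port=8291 protocol=tcp src-address-list=!suporte

# --- input: DNS ---
# Fix: the original used port=53, which matches source *or* destination port,
# with no interface restriction. That (a) let any host reach any router
# service simply by sending from source port 53, bypassing the drops below,
# and (b) made the router an open resolver on the WAN whenever
# /ip dns allow-remote-requests=yes. Now: destination port only, not from WAN.
# Tighten further to in-interface=bridge if that is your only LAN interface.
add action=accept chain=input comment="Aceitar DNS - UDP" dst-port=53 in-interface=!pppoe-out1 protocol=udp
add action=accept chain=input comment="Aceitar DNS - TCP" dst-port=53 in-interface=!pppoe-out1 protocol=tcp

# --- input: stateful rules ---
# NOTE(review): these sit after the connection-limit / psd matchers on
# purpose, so that a listed source is cut off even mid-connection; moving
# them to the top of the chain would be cheaper per packet - confirm which
# behaviour you want before reordering.
add action=accept chain=input comment="Aceitar conexoes estabelecidas" connection-state=established
add action=accept chain=input comment="Aceitar conexoes relacionadas" connection-state=related
# Packets belonging to no tracked connection (stray ACKs, out-of-window
# segments). Previously present only as a disabled rule bound to ether1;
# enabled here for every interface.
add action=drop chain=input comment="CONNECTION INVALID" connection-state=invalid

# --- input: management ---
# Full access for the management subnet (address-list "suporte").
add action=accept chain=input comment="Acesso total a lista de IPs de suporte" src-address-list=suporte

# --- input: optional services (all disabled) ---
# Enable only what the router actually serves. Anything enabled here must
# stay ABOVE the final drop rule.
# Winbox from anywhere but the WAN; Winbox from the management net is already
# covered by the "suporte" accept above, so do not open this towards
# pppoe-out1 (the original rule had no source/interface restriction at all).
add action=accept chain=input comment="WINBOX ACEPT" disabled=yes dst-port=8291 in-interface=!pppoe-out1 protocol=tcp
add action=accept chain=input comment=Mac-Winbox disabled=yes dst-port=20561 in-interface=bridge protocol=udp
# L2TP/IPsec server: IKE (500), NAT-T (4500), L2TP (1701) plus ESP/AH.
add action=accept chain=input comment=L2TP+IPSEC disabled=yes dst-port=1701,4500,500 protocol=udp
add action=accept chain=input comment=IPSEC-ESP disabled=yes protocol=ipsec-esp
add action=accept chain=input comment=IPSEC-AH disabled=yes protocol=ipsec-ah
# DHCP server/client (v4 and v6). Consider restricting to your LAN interface.
add action=accept chain=input comment="DHCPv4 & DHCPv6" disabled=yes dst-port=67,68,546,547 protocol=udp
# HTTP management only from the allow-list.
add action=accept chain=input comment=IPs-Permitidos-AcessoWeb disabled=yes dst-port=80 protocol=tcp src-address-list=IPs-Permitidos-AcessoWeb
# Fix: NTP is UDP/123, the original rule said protocol=tcp and would never
# match real NTP traffic.
add action=accept chain=input comment=NTP disabled=yes dst-port=123 protocol=udp
# SNMP only from the monitoring servers list.
add action=accept chain=input comment=SNMP disabled=yes dst-port=161 protocol=udp src-address-list=Servidores-monitoramento
# MPLS LDP (only if this router runs MPLS).
add action=accept chain=input comment=LDP disabled=yes dst-port=646 protocol=tcp
add action=accept chain=input comment=LDP disabled=yes dst-port=646 protocol=udp
# Neighbor discovery on the LAN only.
add action=accept chain=input comment=MNDP disabled=yes dst-port=5678 in-interface=bridge protocol=udp

# --- input: default deny (disabled) ---
# Enable only after every service you need (DNS, VPN, Winbox, ...) has an
# accept rule above this line.
add action=drop chain=input comment="Drop qualquer outra coisa! # NAO HABILITE ESTA REGRA ANTES DE TER CERTEZA QUE CRIOU TODAS AS REGRAS DE ACEITACAO QUE VOCE PRECISA" disabled=yes

# --- forward ---
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
# Never forward towards bogon destinations (list defined in address-list).
add action=drop chain=forward comment="Drop IPs da lista Bogons" dst-address-list=bogons
# Outbound SMTP abuse: a source with more than 30 connections to 25/587, or
# exceeding 30 new ones per minute, is listed for 3 h and its SMTP is dropped.
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Adicione Spammers a lista por 3 horas" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Evite a acao dos spammers" dst-port=25,587 protocol=tcp src-address-list=spammers
# Redundant while the ICMP jump above is enabled (the ICMP chain already ends
# in a drop, so no forwarded ICMP returns here); kept disabled.
add action=drop chain=forward comment="DROP ICMP RESTANTE" disabled=yes protocol=icmp
# Fasttrack must stay below the drop rules above so that listed/bogon traffic
# is never offloaded. Disable it if you use simple queues (fasttracked
# packets bypass queueing).
add action=fasttrack-connection chain=forward comment="FAST TRACK (DESATIVAR CASO USE O SIMPLE QUEUE)" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Aceitar estabelecidas/relacionadas (forward)" connection-state=established,related

# --- chain=ICMP (shared by input, forward and output) ---
# Only the ICMP types needed for path-MTU discovery, traceroute and basic
# reachability are accepted; echo-request is rate-limited against ping floods.
# Type 3 code 3 (port unreachable) is NOT accepted, so UDP-based traceroute
# replies and ICMP errors for closed UDP ports are silently dropped.
add action=accept chain=ICMP comment="Solicitacaoo de eco - Evitando Ping Flood, ajuste o limite conforme necessario" icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Resposta de eco" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Tempo Excedido" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destino inalcancavel" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
# Alternative, rate-limited variants accepting every code of each type.
# Kept disabled and placed ABOVE the final drop so they take effect if
# enabled (originally they sat below it and could never match).
add action=accept chain=ICMP comment="ECHO REPLY" disabled=yes icmp-options=0:0-255 limit=1,10:packet protocol=icmp
add action=accept chain=ICMP comment="ECHO REQUEST" disabled=yes icmp-options=8:0-255 limit=2,10:packet protocol=icmp
add action=accept chain=ICMP comment=TTL disabled=yes icmp-options=11:0-255 limit=1,10:packet protocol=icmp
# Fix: this rule matches type 3 (destination unreachable), not TTL exceeded;
# the label was wrong.
add action=accept chain=ICMP comment="DEST UNREACHABLE" disabled=yes icmp-options=3:0-255 limit=1,10:packet protocol=icmp
add action=drop chain=ICMP comment="Drop outros ICMPs" protocol=icmp

# --- output ---
# The router's own outgoing ICMP goes through the same policy.
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp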
/ip firewall nat
# Source NAT for everything leaving through the WAN interface (pppoe-out1):
# internal sources are rewritten to the out-interface address.
add chain=srcnat out-interface=pppoe-out1 action=masquerade
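/ip firewall raw
# Dropping in raw/prerouting discards the packet before connection tracking,
# so it is cheaper than the filter-chain drops and covers forwarded traffic
# as well as traffic to the router itself.
# Both rules ship disabled, like the PORTSCAN detector in /ip firewall filter
# that feeds the first list; enable them together with the detector(s).
add action=drop chain=prerouting comment="Drop IPs da lista PORTSCAN (raw)" disabled=yes src-address-list=PORTSCAN
# Fix: the port-scan detector that is actually enabled in the filter section
# writes to the list Port_Scanner, not PORTSCAN, so a rule for that list is
# needed for the raw-table drop to have any effect with the default setup.
add action=drop chain=prerouting comment="Drop IPs da lista Port_Scanner (raw)" disabled=yes src-address-list=Port_Scanner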