Firewall на две сети


Добрый час, форумчане!

Собрал firewall на две подсети, обычную и гостевую(доступ только в интернет).
Хотелось бы критики, профи себя не считаю, собирал по разным источникам из интернета.
Может себе кто что заберет :hi_hi_hi: .


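/ip firewall filter
# Two-LAN firewall: LAN_main (trusted) and LAN_guest (internet access only).
# Rules are evaluated top to bottom per chain, first match wins, so the
# scan/DDoS traps come first and the catch-all WAN input drop (7.0.1) last.
# NOTE(review): dst-address=x.x.x.x in 0.1.3/0.1.4 is a placeholder for the
# AdGuard resolver address; substitute the real address before applying.
add action=add-src-to-address-list address-list=TrapAddress \
    address-list-timeout=1w chain=input comment=\
    "#1 TopFirewallRule - Trap for port scanning" in-interface-list=WAN \
    protocol=tcp psd=10,10s,3,1
add action=add-src-to-address-list address-list=TrapAddress \
    address-list-timeout=1w chain=input comment=\
    "#2 TopFirewallRule - Trap for TCP traffic" connection-nat-state=!dstnat \
    dst-port=5000,5001,5060,5061,4569,3389,22,23,389,445 in-interface-list=\
    WAN protocol=tcp src-address-list=!NotTrapsIP
# Fix: this rule is meant to trap UDP services (DNS, SNMP, SIP, IAX) but was
# exported with protocol=tcp, so it never matched UDP probes; TCP to these
# ports is already covered by rule #2 and by the final drop 7.0.1.
add action=add-src-to-address-list address-list=TrapAddress \
    address-list-timeout=1w chain=input comment=\
    "#3 TopFirewallRule - Trap for UDP traffic" connection-nat-state=!dstnat \
    dst-port=5000,5001,5060,4569,53,161 in-interface-list=WAN protocol=udp \
    src-address-list=!NotTrapsIP
add action=add-src-to-address-list address-list=TrapAddress \
    address-list-timeout=1w chain=input comment=\
    "#4 TopFirewallRule - Trap for L2TP without IPsec" dst-port=1701 \
    in-interface-list=WAN ipsec-policy=in,none protocol=udp
# DDoS detection only on port-forwarded (dstnat) traffic from WAN; the
# 3h DDoS-BlackList feeds the tarpit rule 2.0.1 below.
add action=add-src-to-address-list address-list=DDoS-BlackList \
    address-list-timeout=3h chain=forward comment=\
    "#5 TopFirewallRule - DDoS detected from single IP" connection-limit=\
    20,32 connection-nat-state=dstnat in-interface-list=WAN
add action=add-src-to-address-list address-list=DDoS-BlackList \
    address-list-timeout=3h chain=forward comment=\
    "#6 TopFirewallRule - DDoS detected from 24 subnet" connection-limit=\
    100,24 connection-nat-state=dstnat in-interface-list=WAN
# --- 0.1.x: LAN_guest, allowed only towards WAN ---
# log-prefix is set on the fasttrack rules but log= is not, so nothing is
# logged by them.
add action=fasttrack-connection chain=forward comment="0.1.1 - Fasttrack Estab\
    lished and Related connections, access only WAN (for LAN_guest)" \
    connection-state=established,related in-interface-list=LAN_guest \
    log-prefix=LAN_guest out-interface-list=WAN
add action=fasttrack-connection chain=forward comment="0.1.2 - Fasttrack Estab\
    lished and Related connections, access only WAN (for LAN_guest)" \
    connection-state=established,related in-interface-list=WAN log-prefix=\
    LAN_guest out-interface-list=LAN_guest
add action=accept chain=forward comment=\
    "0.1.3 - AdGuard DNS (udp), access only WAN (for LAN_guest)" dst-address=\
    x.x.x.x dst-port=53 in-interface-list=LAN_guest protocol=udp
add action=accept chain=forward comment=\
    "0.1.4 - AdGuard DNS (tcp), access only WAN (for LAN_guest)" dst-address=\
    x.x.x.x dst-port=53 in-interface-list=LAN_guest protocol=tcp
# This is the accept counterpart of fasttrack rule 0.1.1 (packets that are
# not fasttracked still need an accept), so despite the "TEST" label it is
# presumably required; the WAN->LAN_guest direction is picked up by 1.1.1.
add action=accept chain=forward comment="\? TEST: Fasttrack Established and Re\
    lated connections, access only WAN (for LAN_guest)" connection-state=\
    established,related in-interface-list=LAN_guest log-prefix=LAN_guest \
    out-interface-list=WAN
add action=drop chain=forward comment=\
    "0.1.6 - Forward invalid drop, access only WAN (for LAN_guest)" \
    connection-state=invalid in-interface-list=LAN_guest
# Guest isolation: anything from LAN_guest not leaving via WAN is dropped.
add action=drop chain=forward comment=\
    "0.1.7 - Forward all drop, access only WAN (for LAN_guest)" \
    in-interface-list=LAN_guest out-interface-list=!WAN
# NOTE(review): connection-state="" on 0.1.8/0.1.9 is an empty matcher;
# it looks like a leftover and probably should just be removed — confirm.
add action=accept chain=input comment=\
    "0.1.8  - Input DNS (udp), access only WAN (for LAN_guest)" \
    connection-state="" dst-port=53 in-interface-list=LAN_guest log-prefix=\
    DNS protocol=udp
add action=accept chain=input comment=\
    "0.1.9 - Input DNS (tcp), access only WAN (for LAN_guest)" \
    connection-state="" dst-port=53 in-interface-list=LAN_guest log-prefix=\
    DNS protocol=tcp
# NOTE(review): only DNS reaches the router from LAN_guest; if the router
# also serves DHCP on LAN_guest, confirm that still works with this drop.
add action=drop chain=input comment=\
    "0.1.10 - Input all drop, access only WAN (for LAN_guest)" \
    in-interface-list=LAN_guest
# --- 0.2.x: WithOut-WAN hosts may only talk to Access_to_WithOut-WAN ---
add action=accept chain=forward comment="0.2.1 - Access list only LAN" \
    dst-address-list=Access_to_WithOut-WAN src-address-list=WithOut-WAN
add action=accept chain=forward comment="0.2.2 - Access list only LAN" \
    dst-address-list=WithOut-WAN src-address-list=Access_to_WithOut-WAN
add action=drop chain=forward comment="0.2.3 - Access list only LAN" \
    src-address-list=WithOut-WAN
# --- 1.x: LAN_main and the generic established/invalid handling ---
add action=fasttrack-connection chain=forward comment=\
    "1.0.1 - Fasttrack Established and Related connections (for LAN_main)" \
    connection-state=established,related in-interface-list=LAN_main \
    log-prefix=LAN_main out-interface-list=WAN
add action=fasttrack-connection chain=forward comment=\
    "1.0.2 - Fasttrack Established and Related connections (for LAN_main)" \
    connection-state=established,related in-interface-list=WAN log-prefix=\
    LAN_main out-interface-list=LAN_main
add action=accept chain=forward comment=\
    "1.1.1 - Forward Established and Related connections" connection-state=\
    established,related log-prefix="fwd main"
add action=drop chain=forward comment="1.1.2 - Forward invalid drop" \
    connection-state=invalid
add action=accept chain=input comment=\
    "1.2.1 - Input Established and Related connections" connection-state=\
    established,related
add action=drop chain=input comment="1.2.2 - Input invalid drop" \
    connection-state=invalid
add action=reject chain=input comment="1.3.1 - Input Ping reject" \
    icmp-options=8:0 in-interface-list=WAN protocol=icmp reject-with=\
    icmp-network-unreachable
# New connections from WAN are only forwarded when a dstnat rule exists.
add action=drop chain=forward comment="1.4.1 - Forward not-dsnat drop" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# --- 2.x/3.x: DDoS mitigation ---
add action=tarpit chain=input comment="2.0.1 - DDoS Protect" \
    connection-limit=3,32 protocol=tcp src-address-list=DDoS-BlackList
add action=jump chain=forward comment="3.0.1 - DDoS Protect - SYN Flood" \
    connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input comment="3.0.2 - DDoS Protect - SYN Flood" \
    connection-state=new in-interface-list=WAN jump-target=SYN-Protect \
    protocol=tcp tcp-flags=syn
# SYN-Protect: up to 200 SYN/s with a burst of 5 returns to the caller,
# anything above that rate is dropped.
add action=return chain=SYN-Protect comment=\
    "3.1.1 - DDoS Protect - SYN Flood" connection-state=new limit=\
    200,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="3.2.1 - DDoS Protect - SYN Flood" \
    connection-state=new protocol=tcp tcp-flags=syn
# --- 4.x: WinBox brute-force blacklist (output-chain content match) ---
add action=reject chain=input comment="4.0.1 - WinBox-BlackList IP reject" \
    dst-port=8291 protocol=tcp reject-with=icmp-network-unreachable \
    src-address-list=WinBox-BlackList
add action=accept chain=output comment="4.1.1 - WinBox login 3 try" content=\
    "invalid user name or password" dst-limit=1/1m,1,dst-address/10m \
    out-interface-list=WAN protocol=tcp src-port=8291
add action=add-dst-to-address-list address-list=WinBox-BlackList \
    address-list-timeout=1w chain=output comment=\
    "4.1.2 - Put IP in address-list, list=WinBox-BlackList" content=\
    "invalid user name or password" out-interface-list=WAN protocol=tcp \
    src-port=8291
# WinBox from WAN stays disabled; 4.x above is only relevant if it is enabled.
add action=accept chain=input comment="4.2.1 - WinBox WAN Access" disabled=\
    yes dst-port=8291 in-interface-list=WAN protocol=tcp
# --- 5.x: L2TP/IPsec, same blacklist pattern as 4.x ---
add action=reject chain=input comment="5.0.1 - L2TP-BlackList IP reject" \
    connection-state=new dst-port=1701,500,4500 protocol=udp reject-with=\
    icmp-network-unreachable src-address-list=L2TP-BlackList
add action=accept chain=output comment="5.1.1 - L2TP login 3 try" content=\
    "M=bad" dst-limit=1/1m,1,dst-address/10m protocol=udp src-port=\
    1701,500,4500
add action=add-dst-to-address-list address-list=L2TP-BlackList \
    address-list-timeout=1w chain=output comment=\
    "5.1.2 - Put IP in address-list, list=L2TP-BlackList" content="M=bad" \
    protocol=udp src-port=1701,500,4500
add action=accept chain=input comment="5.2.1 - Accept L2TP only with IPsec" \
    dst-port=1701 in-interface-list=WAN ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="5.2.2 - Drop L2TP without IPsec" \
    dst-port=1701 in-interface-list=WAN ipsec-policy=in,none protocol=udp
add action=accept chain=input comment="5.2.3 - Accept L2TP" dst-port=500,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="\? 6.1 - Access L2TP Tunnel Data" \
    disabled=yes in-interface-list=L2TP
# Everything else arriving from WAN at the router itself is dropped.
add action=drop chain=input comment="7.0.1 - Drop what not Allowed" \
    in-interface-list=WAN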


/ip firewall nat
# Source NAT: every connection leaving through an interface in the WAN
# list is masqueraded to that interface's address, so both LANs share it.
add chain=srcnat out-interface-list=WAN action=masquerade


/ip firewall raw
# Trapped sources are handled in prerouting, ahead of connection tracking
# and the filter chains: 1.0.1 re-adds the source to TrapAddress on every
# packet (presumably refreshing the 1w timeout, so a host that keeps
# probing stays listed — confirm), then 1.1.1 drops the packet.
add chain=prerouting src-address-list=TrapAddress \
    action=add-src-to-address-list address-list=TrapAddress \
    address-list-timeout=1w comment="1.0.1 - Recursive TrapAddress IP"
add chain=prerouting src-address-list=TrapAddress action=drop \
    comment="1.1.1 - Drop TrapAddress IP prerouting"



Может, кто подскажет: почему-то ipsec не работает в forward? В connections с маркером ipsec есть только соединение между клиентом и сервером.

