Here is an example of how to protect your MikroTik router from the most common attacks today. This example is taken from the MikroTik Wiki and is only an example. You should thoroughly test this configuration before deploying in a live environment.
Lets say our private network is 192.168.1.0/24 and public (WAN) interface is ether1. We will set up firewall to allow connections to router itself only from our local network and drop the rest. Also we will allow ICMP protocol on any interface so that anyone can ping your router from internet.
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.1.0/24 action=accept in-interface=!ether1 add chain=input action=drop comment="Drop everything else"
To protect the customer's network, we should check all traffic which goes through router and block unwanted. For icmp, tcp, udp traffic we will create chains, where will be droped all unwanted packets:
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
Block "bogon" IP Addresses:
add chain=forward src-address=0.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward src-address=127.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward src-address=224.0.0.0/3 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="block bogon ip addresses"
Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp comment="make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp comment="make jumps to new chains"
add chain=forward protocol=icmp action=jump jump-target=icmp comment="make jumps to new chains"
Create TCP chain and deny some TCP ports in it:
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
Deny UDP ports in UDP chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
Allow only needed ICMP codes in ICMP chain:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
Lets say our private network is 192.168.1.0/24 and public (WAN) interface is ether1. We will set up firewall to allow connections to router itself only from our local network and drop the rest. Also we will allow ICMP protocol on any interface so that anyone can ping your router from internet.
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.1.0/24 action=accept in-interface=!ether1 add chain=input action=drop comment="Drop everything else"
To protect the customer's network, we should check all traffic which goes through router and block unwanted. For icmp, tcp, udp traffic we will create chains, where will be droped all unwanted packets:
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
Block "bogon" IP Addresses:
add chain=forward src-address=0.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward src-address=127.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward src-address=224.0.0.0/3 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="block bogon ip addresses"
Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp comment="make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp comment="make jumps to new chains"
add chain=forward protocol=icmp action=jump jump-target=icmp comment="make jumps to new chains"
Create TCP chain and deny some TCP ports in it:
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
Deny UDP ports in UDP chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
Allow only needed ICMP codes in ICMP chain:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
Finish
May be useful
Regards
Merah Putih Segoroasat
Thanks
Tidak ada komentar :
Posting Komentar