Article Title: Official RouterOS firewall script (Linux channel, IT lab in China)
/ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m
/ip firewall filter
add chain=input connection-state=established action=accept comment="accept \
    established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related \
    connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid \
    packets" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and \
    drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
    action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 \
    action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input dst-address-type=!local action=drop comment="drop all that is \
    not to local" disabled=no
add chain=input src-address-type=!unicast action=drop comment="drop all that \
    is not from unicast" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to \
    chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain \
    services" disabled=no
add chain=input action=log log-prefix="input" comment="" disabled=yes
add chain=input action=drop comment="drop everything else" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \
    comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept \
    comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
    comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
    comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \
    comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" \
    disabled=no
add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept \
    comment="accept localhost" disabled=no
add chain=services protocol=tcp dst-port=20-21 action=accept comment="allow \
    ftp" disabled=no
add chain=services protocol=tcp dst-port=22 action=accept comment="allow sftp, \
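To see what this rule set does to a packet, here is an added example in Python. It is not MikroTik code and not part of the original article; it is a small model of the input, ICMP and services chains above with RouterOS's first-match semantics, jump and return, and the connection-limit / black_list pair. The router address 192.0.2.1, the sample sources, and the names Packet, Firewall and demo are assumptions. Two things it makes visible that the script alone does not: psd, limit and connection-limit are stateful matchers (here psd is modelled as never matching and limit=5,5 as always matching, i.e. traffic under the rate), and add-src-to-address-list is a non-terminating action, so the connection that trips connection-limit=10,32 is still accepted and only the next ones from that source meet the earlier tarpit rule. Note also that the services chain as written accepts FTP and SSH from any unicast source.

```python
"""First-match walk through the RouterOS filter rules on this page.

Added example, not MikroTik code. Assumptions: psd never matches, limit=5,5
always matches (traffic below the rate), connection-limit compares the source's
tracked TCP connections against the limit with ">", and every TCP packet in
state "new" opens a connection that never expires."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ROUTER_ADDRS = {"127.0.0.1", "192.0.2.1"}  # assumed router addresses (dst-address-type=local)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    state: str = "new"               # connection-state
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: int = 0

def unicast(addr):
    a = ipaddress.ip_address(addr)
    return not (a.is_multicast or a.is_unspecified or str(a) == "255.255.255.255")

def icmp(itype, code=None):  # icmp-options=type:code; code=None is the 0-255 range
    return lambda p, fw: p.proto == "icmp" and p.icmp_type == itype and code in (None, p.icmp_code)

def tcp_port(lo, hi):
    return lambda p, fw: p.proto == "tcp" and p.dst_port is not None and lo <= p.dst_port <= hi

class Firewall:
    """Rules are (matcher, action): a terminating verdict string, ("jump", chain),
    or a callable side effect after which matching continues."""

    def __init__(self):
        self.black_list = set()
        self.connections = {}  # src -> tracked TCP connections (assumed counter)
        self.rules = {
            "input": [
                (lambda p, fw: p.state == "established", "accept"),
                (lambda p, fw: p.state == "related", "accept"),
                (lambda p, fw: p.state == "invalid", "drop"),
                # psd=21,3s,3,1 is rate based; modelled as never matching
                (lambda p, fw: p.proto == "tcp" and fw.connections.get(p.src, 0) > 3
                 and p.src in fw.black_list, "tarpit"),          # connection-limit=3,32
                (lambda p, fw: p.proto == "tcp" and fw.connections.get(p.src, 0) > 10,
                 lambda p, fw: fw.black_list.add(p.src)),        # connection-limit=10,32
                (lambda p, fw: p.dst not in ROUTER_ADDRS, "drop"),  # dst-address-type=!local
                (lambda p, fw: not unicast(p.src), "drop"),         # src-address-type=!unicast
                (lambda p, fw: p.proto == "icmp", ("jump", "ICMP")),
                (lambda p, fw: True, ("jump", "services")),
                (lambda p, fw: True, "drop"),  # drop everything else (log rule is disabled=yes)
            ],
            "ICMP": [
                (icmp(0), "accept"), (icmp(3, 3), "accept"), (icmp(3, 4), "accept"),
                (icmp(8), "accept"), (icmp(11), "accept"),
                (lambda p, fw: p.proto == "icmp", "drop"),
            ],
            "services": [
                (lambda p, fw: p.src == "127.0.0.1" and p.dst == "127.0.0.1", "accept"),
                (tcp_port(20, 21), "accept"),  # ftp
                (tcp_port(22, 22), "accept"),  # ssh/sftp
            ],
        }

    def run_chain(self, chain, p):
        """First terminating verdict in the chain, or None if it falls through."""
        for match, action in self.rules[chain]:
            if not match(p, self):
                continue
            if isinstance(action, tuple):               # jump: a subchain verdict ends it,
                verdict = self.run_chain(action[1], p)  # a fall-through returns here
                if verdict is not None:
                    return verdict
            elif callable(action):
                action(p, self)                         # side effect, keep matching
            else:
                return action
        return None

    def evaluate(self, p):
        if p.proto == "tcp" and p.state == "new":
            self.connections[p.src] = self.connections.get(p.src, 0) + 1
        # RouterOS accepts when a built-in chain falls through; the final drop
        # rule means this rule set never gets there.
        return self.run_chain("input", p) or "accept"

def demo():
    """Verdicts for constructed sample packets (not captured traffic)."""
    fw, r = Firewall(), "192.0.2.1"
    out = {"ssh new": fw.evaluate(Packet("198.51.100.7", r, "tcp", dst_port=22)),
           "dns new": fw.evaluate(Packet("198.51.100.7", r, "udp", dst_port=53)),
           "echo request": fw.evaluate(Packet("198.51.100.7", r, "icmp", icmp_type=8))}
    # One source opening SSH connections in a row: the 11th trips connection-limit=10,32
    # but is still accepted (the list action does not terminate); from the 12th on the
    # earlier tarpit rule fires because the source is now in black_list.
    v = [fw.evaluate(Packet("203.0.113.9", r, "tcp", dst_port=22)) for _ in range(12)]
    out["11th from one source"], out["12th from one source"] = v[10], v[11]
    return out
```

Call demo() to get the verdict per sample packet; change the rule order in Firewall.rules (for instance, put the connection-limit=10,32 rule before the tarpit rule) and rerun to see why the page's ordering is the one that works.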