Official RouterOS firewall script

Source: Internet
Author: User
Tags routeros
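# Official RouterOS firewall script (reconstructed from a garbled copy: keywords lowercased,
# spaces around "=" removed, each command on one line). Connection-tracking timeouts come
# first so that the state-based rules in /ip firewall filter work against a tuned table.
/ip firewall connection tracking
# Half-open entries (syn-sent / syn-received) expire after 1m and closing states after 10s,
# so a flood of unanswered SYNs does not fill the tracking table. generic-timeout applies to
# protocols without a dedicated timer. tcp-syn-received-timeout is restored from the
# mangled "tcp-syn-converted ed-timeout" in the source copy.
set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m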
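/ip firewall filter
# --- chain=input: packets addressed to the router itself ---
add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
# psd=<weight-threshold>,<delay>,<low-port-weight>,<high-port-weight>; scanners are dropped silently,
# nothing is logged, so detection relies on the disabled log rule near the end of this chain.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
# A source already on black_list that opens more than 3 parallel TCP connections is tarpitted
# (the SYN is answered but the connection is never serviced).
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
# More than 10 concurrent TCP connections from one /32 puts the source on black_list for 1d.
# add-src-to-address-list does not terminate rule processing; the tarpit rule above takes effect
# on that source's subsequent connections.
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input dst-address-type=!local action=drop comment="drop all that is not to local" disabled=no
add chain=input src-address-type=!unicast action=drop comment="drop all that is not from unicast" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
# NOTE(review): the services chain is entered for every interface and source; nothing here limits
# management access (ssh, winbox, http, telnet, ftp) to a trusted address list or the LAN interface.
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
# Packets not accepted in services return here. Enable the log rule when troubleshooting blocked
# access; it is disabled by default to keep the log quiet.
add chain=input action=log log-prefix="input" comment="" disabled=yes
add chain=input action=drop comment="drop everything else" disabled=no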
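# --- chain=ICMP: rate-limited allow-list of ICMP types; everything else is dropped ---
# icmp-options=<type>:<code-range>. The type:code values for 8 and 11 were restored from the
# rule comments (the source copy only kept "-255"); limit is given as rate,burst on every rule
# because only the 3:3 and 3:4 rules survived with the burst value intact. Newer RouterOS
# releases may expect the form limit=rate,burst:packet.
# type 0 = echo reply
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
# type 3 code 3 = destination port unreachable
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
# type 3 code 4 = fragmentation needed; dropping this breaks path-MTU discovery
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
# type 8 = echo request
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
# type 11 = time exceeded (needed for traceroute replies)
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no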
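# --- chain=services: per-service allow-list for traffic to the router (entered from input) ---
# Only rules with disabled=no are active. Packets that match nothing return to the input chain
# and are discarded by its final drop rule. "protocols=" in the source copy is a typo for "protocol=".
add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no
# NOTE(review): ftp, telnet and http carry credentials in clear text and are reachable from every
# interface here. Prefer ssh/https, or add src-address-list= / in-interface= so these rules match
# only trusted management networks; set the unused ones to disabled=yes.
add chain=services protocol=tcp dst-port=20-21 action=accept comment="allow ftp" disabled=no
add chain=services protocol=tcp dst-port=22 action=accept comment="allow sftp, ssh" disabled=no
add chain=services protocol=tcp dst-port=23 action=accept comment="allow telnet" disabled=no
add chain=services protocol=tcp dst-port=80 action=accept comment="allow http, webbox" disabled=no
add chain=services protocol=tcp dst-port=8291 action=accept comment="allow winbox" disabled=no
add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox" disabled=no
# NOTE(review): hard-coded remote source inherited from the upstream script with no explanation
# (comment="..."). Confirm what it is for before leaving it enabled; otherwise set disabled=yes.
add chain=services src-address=159.148.172.205 protocol=tcp dst-port=7828 action=accept comment="..." disabled=no
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=yes
add chain=services protocol=udp dst-port=5678 action=accept comment="MT Discovery Protocol" disabled=yes
# If the DNS rules are enabled, pair them with src-address-list= for the LAN so the router does
# not become an open resolver on the WAN side.
add chain=services protocol=tcp dst-port=53 action=accept comment="allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=53 action=accept comment="allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=1701 action=accept comment="allow L2TP" disabled=yes
add chain=services protocol=tcp dst-port=1723 action=accept comment="allow PPTP" disabled=yes
add chain=services protocol=gre action=accept comment="allow PPTP and EoIP" disabled=yes
add chain=services protocol=ipencap action=accept comment="allow IPIP" disabled=yes
add chain=services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=yes
add chain=services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=yes
add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=yes
add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=yes
# NOTE(review): NTP (123) and SNMP (161) are UDP services; these two tcp rules would not admit
# them if enabled.
add chain=services protocol=tcp dst-port=123 action=accept comment="allow NTP" disabled=yes
add chain=services protocol=tcp dst-port=161 action=accept comment="allow SNMP" disabled=yes
add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=yes
add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=yes
add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=yes
add chain=services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes
add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=yes
add chain=services protocol=ospf action=accept comment="allow OSPF" disabled=yes
# NOTE(review): the comment says BGP, but BGP is tcp/179 (rule above); udp/5000-5100 is a
# different service and should be relabelled before this rule is enabled.
add chain=services protocol=udp dst-port=5000-5100 action=accept comment="allow BGP" disabled=yes
add chain=services protocol=tcp dst-port=1720 action=accept comment="allow Telephony" disabled=yes
add chain=services protocol=udp dst-port=1719 action=accept comment="allow Telephony" disabled=yes
add chain=services protocol=vrrp action=accept comment="allow VRRP" disabled=yes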
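# --- chain=virus: drop well-known worm/backdoor ports; reached only from the forward chain ---
# These rules match in both directions of forwarded traffic, so they also block legitimate use of
# the same ports between internal subnets (SMB on 445 and 135-139 in particular). Rule comments
# shown as "________" did not survive translation of the source copy and are kept as-is.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop blster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop blster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
# tcp/2745 appears twice (here and as "Drop Beagle.C-K" below); the second rule is redundant.
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Gaobot" disabled=no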
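# --- chain=forward: traffic routed through the router ---
add chain=forward connection-state=established action=accept comment="accept established packets" disabled=no
add chain=forward connection-state=related action=accept comment="accept related packets" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=forward src-address-type=!unicast action=drop comment="drop all that is not from unicast" disabled=no
# "internet" must be the real name of the WAN interface on this router; if it is not, the two bogon
# rules will not match as intended. The list is defined under /ip firewall address-list.
add chain=forward in-interface=internet src-address-list=not_in_internet action=drop comment="drop data from bogon IP's" disabled=no
# Because not_in_internet contains the RFC 1918 ranges, this rule also drops forwarded traffic between
# internal private subnets; exclude the inter-subnet paths if the router serves more than one LAN.
add chain=forward in-interface=!internet dst-address-list=not_in_internet action=drop comment="drop data to bogon IP's" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to virus chain" disabled=no
# Default-allow: anything not dropped above is forwarded, including new connections arriving on the
# WAN side for hosts that are routable or dst-nat'ed; add a drop for in-interface=internet
# connection-state=new ahead of this rule if the LAN must not be reachable from outside.
add chain=forward action=accept comment="Accept everything else" disabled=no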
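# --- chain=output: traffic originated by the router itself ---
add chain=output connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=output connection-state=related action=accept comment="accept related packets" disabled=no
add chain=output connection-state=established action=accept comment="accept established packets" disabled=no
# Every new connection the router itself initiates is dropped. DNS lookups, NTP, package updates,
# remote syslog and outbound ping from the router will fail until matching accept rules are added
# above this one; the restriction is deliberate, so document each exception you add.
add chain=output action=drop comment="Drop all connections from this router" disabled=no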
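/ip firewall address-list
# not_in_internet: addresses that must never be seen as a source on the WAN interface nor as a
# destination leaving the LAN (consumed by the two bogon rules in chain=forward).
add list=not_in_internet address=0.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=172.16.0.0/12 comment="" disabled=no
add list=not_in_internet address=192.168.0.0/16 comment="" disabled=no
add list=not_in_internet address=10.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=169.254.0.0/16 comment="" disabled=no
add list=not_in_internet address=127.0.0.0/8 comment="" disabled=no
# 224.0.0.0/3 spans 224.0.0.0-255.255.255.255: multicast, the reserved class E block and broadcast.
add list=not_in_internet address=224.0.0.0/3 comment="" disabled=no
# Reserved ranges that the original list omits. They are added disabled so the active rule set is
# unchanged until the operator opts in; 100.64.0.0/10 in particular is legitimately seen as a source
# behind a carrier-grade NAT uplink and must stay disabled on such links.
add list=not_in_internet address=100.64.0.0/10 comment="shared address space, RFC 6598" disabled=yes
add list=not_in_internet address=192.0.0.0/24 comment="IETF protocol assignments, RFC 6890" disabled=yes
add list=not_in_internet address=192.0.2.0/24 comment="documentation TEST-NET-1, RFC 5737" disabled=yes
add list=not_in_internet address=198.18.0.0/15 comment="benchmarking, RFC 2544" disabled=yes
add list=not_in_internet address=198.51.100.0/24 comment="documentation TEST-NET-2, RFC 5737" disabled=yes
add list=not_in_internet address=203.0.113.0/24 comment="documentation TEST-NET-3, RFC 5737" disabled=yes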
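/ip firewall service-port
# Connection-tracking helpers (ALGs). Each enabled helper parses application payload to open
# "related" pinholes that the established/related accept rules then let through, so keep only the
# helpers for protocols actually in use. gre and pptp stay disabled to match the disabled PPTP
# rules in chain=services.
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set mms disabled=no
set gre disabled=yes
set pptp disabled=yes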