Title:
Simple Router firewall filtering
Author:
gfx86674
Time:
2015-8-22 00:30
This post was last edited by gfx86674 on 2015-8-22 00:47
The firewall filter I set up is built as a whitelist; anyone interested can give it a try.
First, in /ip firewall address-list create the
All-Lan
list:
[attachment 3695: the All-Lan address list (image not included in this export)]
Create the
DNS-Server
list:
[attachment 3696: the DNS-Server address list (image not included in this export)]
Copy all of the code below
at once, then paste the whole thing into the command line in one go
to import it.
/ip firewall filter
# Rules with no action= keep the RouterOS default, action=accept.
add action=drop chain=forward comment="Block ports 22,23 from non-LAN sources" \
    dst-port=22,23 protocol=tcp src-address-list=!All-Lan
# 1.1.1.1 is the address as posted; put the address you actually want to allow here.
add chain=input comment="Allow LAN device" src-address=1.1.1.1
add chain=input comment="Allow everything from the All-Lan list" \
    src-address-list=All-Lan
# More than 10 TCP connections from one /32 (source port 80 excepted) is treated as DoS
add action=drop chain=input comment="DoS (denial of service) protection" \
    connection-limit=10,32 protocol=tcp src-port=!80
add action=drop chain=input comment="Block detected port scanners" \
    protocol=tcp src-address-list="port scanners"
# Port-scan detection: tag the source for two weeks on a psd hit or on
# TCP flag combinations no legitimate client sends (FIN-only, SYN+FIN,
# SYN+RST, Xmas, all-flags and NULL scans)
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scan detect (psd)" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN scan" protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Xmas scan" protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="All-flags scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# VPN services offered by the router (adjust the ports to the VPNs you actually use)
add chain=input comment="Allow VPN (PPTP)" dst-port=1723 protocol=tcp
add chain=input comment="PPTP GRE" protocol=gre
add chain=input comment="OpenVPN" dst-port=1194 protocol=tcp
add chain=input dst-port=443 protocol=tcp
add chain=input comment="L2TP/IPsec" dst-port=1701,500,4500 protocol=udp
add chain=input comment="IP-in-IP" protocol=ipencap
add chain=input comment="IPsec ESP" protocol=ipsec-esp
# Return traffic, matched on the source port only
add chain=input comment="PPTP replies" protocol=tcp src-port=1723
add chain=input comment="OpenVPN replies" protocol=tcp src-port=1194
# ICMP replies: every ICMP packet the router sends out puts its destination
# into a.test for one second; ICMP coming back from that address is accepted
add action=add-dst-to-address-list address-list=a.test \
    address-list-timeout=1s chain=output comment="Allow ICMP replies" \
    dst-address-list=!All-Lan protocol=icmp
add chain=input protocol=icmp src-address-list=a.test
add chain=input comment="Allow DNS servers" src-address-list=DNS-Server
add chain=input comment="Allow ROS-Cloud server" src-address=81.198.87.240
add chain=input comment="Allow Winbox/API connections" dst-port=8291,8728 \
    protocol=tcp
add chain=input comment="Allow mail servers" protocol=tcp src-port=25,587
add chain=input comment="Allow WWW servers" protocol=tcp src-port=80,443
add chain=input comment="Allow time server (NTP)" dst-port=123 protocol=udp \
    src-port=123
add action=drop chain=input comment="Drop everything not matched above"
After importing, it looks like this:
[attachment 3697: the imported filter rules (image not included in this export)]
Leave the web-proxy / pptp / l2tp-ipsec parts as they are; for other VPNs the ports you use may differ, so adjust them to your own situation.
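A stateful variant of the same whitelist, as an added example that is not part of gfx86674's post. Several rules above let traffic into the router by matching only the source port (src-port=1723, 1194, 25,587, 80,443 and 123): a remote host chooses its own source port, so any of those rules admits arbitrary traffic to every router service once a packet is sent from, say, port 80. The a.test list exists only to let ICMP echo replies back in. One connection-state=established,related rule covers all of those cases, because replies to connections the router itself opened (DNS lookups, NTP, ICMP echo, the outbound ROS-Cloud update) are tracked by connection tracking, and it admits nothing else. Winbox (8291) and the API (8728) are then reachable only through the All-Lan rule rather than from the whole internet. The list names All-Lan and "port scanners" and the VPN ports are taken from the post; everything else is this example's own choice.

```routeros
/ip firewall filter
# Stateful rules first. Replies to connections the router itself opened
# (DNS, NTP, ICMP echo, ROS-Cloud) are accepted here, so no rule has to
# trust a source port that the remote end picks.
add chain=input connection-state=established,related action=accept \
    comment="Return traffic for router-originated connections"
add chain=input connection-state=invalid action=drop \
    comment="Drop packets that belong to no tracked connection"
# Everything from the LAN list (list name from the post); this is also
# the only path to Winbox 8291 and API 8728.
add chain=input src-address-list=All-Lan action=accept comment="Allow LAN"
# Scanner handling: same psd matcher as the post, drop listed sources
add chain=input protocol=tcp src-address-list="port scanners" action=drop \
    comment="Drop detected port scanners"
add chain=input protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="Tag port scanners for two weeks"
# Services the router offers to the internet, matched on destination
# port or protocol only (ports as in the post; trim to what you run)
add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP"
add chain=input protocol=gre action=accept comment="PPTP GRE"
add chain=input protocol=udp dst-port=500,4500,1701 action=accept \
    comment="L2TP/IPsec"
add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP"
add chain=input protocol=tcp dst-port=1194 action=accept comment="OpenVPN"
# No src-port rules and no a.test list: their job is done by the first rule.
# Inbound pings from outside are not answered, as in the original set.
add chain=input action=drop comment="Drop everything else"
```

Rule order matters here: the established,related accept must sit above the drop-all rule, and the scanner tagging rule only ever sees new connections, so a legitimate client that already holds a session is never tagged by its own return traffic.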
Author:
雯雯
Time:
2015-8-22 09:48
Reply to
1#
gfx86674
Not simple at all!
Author:
cashwu
Time:
2016-7-5 11:44
Could I ask, for item 26 "Allow ROS-Cloud server", what is that source IP??
Author:
gfx86674
Time:
2016-7-6 00:58
Reply to
3#
cashwu
I found it from the connection records; in the early days there was only one server, but now there is more than one.
Nowadays you only need to open udp port 15252 and it will not affect updating your cloud address.
Author:
cashwu
Time:
2016-7-7 23:52
Understood, thanks…
Author:
ryan314
Time:
2016-7-15 16:11
Thanks for sharing, I learned a lot from this.
Author:
cashwu
Time:
2016-7-26 01:27
One more question: can the cable IP be changed to in-interface?
Author:
gfx86674
Time:
2016-7-27 15:42
"One more question: can the cable IP be changed to in-interface?"
cashwu posted on 2016-7-26 01:27
You can refer to my posts on Mobile01:
http://www.mobile01.com/topicdetail.php?f=110&t=3205444&p=490#60976904
http://www.mobile01.com/topicdetail.php?f=110&t=3205444&p=491#61013170
Also, from v6.36 onward there is the more advanced firewall table, raw:
http://gregsowell.com/?p=5286
http://www.mobile01.com/topicdetail.php?f=110&t=3205444&p=492#61046512
I am sure you will find them very useful.
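What the in-interface question and the raw reference above point at, as an added example that is not part of any post in this thread: matching on the interface a packet arrived on instead of on a fixed address that the ISP may change, and dropping already-tagged scanners in /ip firewall raw (v6.36+), which runs before connection tracking so a listed source never costs a conntrack entry. The address-list names All-Lan and "port scanners" are from the first post; ether1 as the interface facing the cable modem is an assumption.

```routeros
# Assumption: ether1 is the interface facing the cable modem / ISP.
/ip firewall raw
# prerouting in raw runs before connection tracking, so dropping here
# costs no conntrack entry and no state lookup for known-bad sources.
add chain=prerouting in-interface=ether1 src-address-list="port scanners" \
    action=drop comment="Drop tagged scanners before conntrack"
# Anti-spoofing: a packet arriving on the WAN port cannot legitimately
# carry a LAN source address, so the All-Lan whitelist must not trust it.
add chain=prerouting in-interface=ether1 src-address-list=All-Lan \
    action=drop comment="Drop LAN source addresses arriving from the WAN"
/ip firewall filter
# The same idea for the single-address allow rule: tie it to the port
# the device sits on rather than to an IP. Note this also matches VPN
# tunnel interfaces; add in-interface=<lan port> instead if those
# should not be able to manage the router.
add chain=input in-interface=!ether1 action=accept \
    comment="Accept from any non-WAN interface"
```

Check the effect with /ip firewall raw print stats and /ip firewall filter print stats: once the raw rule is in place, the packet counter on the filter-chain scanner drop rule should stop increasing, because those packets no longer reach it.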
Author:
cashwu
Time:
2016-8-2 23:44
Thanks, that really is useful!
Welcome to 電訊茶室 (http://telecom-cafe.com/forum/)
Powered by Discuz! 7.2