
Best Mikrotik Firewall Filter

A Happy New Year 2013 to all our readers and to every client of the extended IFANET LOVER'S family across Indonesia.

To start the year, we are sharing tips and tricks for securing your Mikrotik network, especially if you use Mikrotik for a hotspot or an RTRWNET (neighbourhood) internet network.
What we present here is the best Mikrotik firewall filter configuration we know of: we have tested its reliability for three years and put it through several other rounds of testing.
Okay, straight to the firewall filter script for securing any type of Mikrotik router (RB750, RB450, RB1000, RB1200 and so on).

Open the RouterOS terminal, type /ip firewall filter and press Enter, then add the rules below in the order given (each "add" appends to the end of its chain, so the order you enter them is the order they are matched):

Allow icmp chain:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

Brute-force login prevention (FTP):

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

Brute-force login prevention (SSH; the stage rules are listed highest stage first so that a single connection can only climb one stage):

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="ssh stage3 -> blacklist" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="ssh stage2 -> stage3" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="ssh stage1 -> stage2" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="ssh new -> stage1" disabled=no
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
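To see what the FTP and SSH rules above actually do over time, here is an added Python model (it is not part of the original post and not RouterOS code). It models an address list with expiring entries, a token bucket for dst-limit=1/1m,9,dst-address/1m, and the staged SSH lists evaluated top-down in the order listed. The refresh-on-re-add and token-bucket details are assumptions about RouterOS behaviour; the client addresses are constructed test data.

```python
# Added example (not from the blog post): model of the FTP and SSH
# brute-force rules above. Address lists expire, dst-limit is a token
# bucket, and the SSH stage rules are evaluated in the listed order.


class AddressList:
    """Address list whose entries expire after a timeout (in seconds)."""

    def __init__(self):
        self.entries = {}  # address -> expiry time

    def add(self, addr, timeout, now):
        # Assumption: re-adding an existing entry refreshes its timeout.
        self.entries[addr] = now + timeout

    def contains(self, addr, now):
        exp = self.entries.get(addr)
        if exp is None:
            return False
        if exp <= now:
            del self.entries[addr]
            return False
        return True


class DstLimit:
    """Token-bucket model of dst-limit=rate/period,burst,dst-address."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.buckets = {}  # dst address -> (tokens, last time)

    def allow(self, dst, now):
        tokens, last = self.buckets.get(dst, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[dst] = (tokens - 1, now)
            return True
        self.buckets[dst] = (tokens, now)
        return False


class FtpGuard:
    """Output chain: accept '530 Login incorrect' replies within the limit,
    otherwise put the destination on ftp_blacklist for 3 hours."""

    def __init__(self):
        self.blacklist = AddressList()
        self.limit = DstLimit(rate_per_sec=1 / 60, burst=9)

    def login_incorrect_sent(self, client, now):
        if self.limit.allow(client, now):
            return "accept"
        self.blacklist.add(client, 3 * 3600, now)
        return "blacklisted"

    def inbound_allowed(self, client, now):
        return not self.blacklist.contains(client, now)


class SshGuard:
    """Input chain, evaluated top-down exactly as listed: blacklist drop,
    stage3 -> blacklist, stage2 -> stage3, stage1 -> stage2, new -> stage1."""

    def __init__(self):
        self.blacklist = AddressList()
        self.stage = {n: AddressList() for n in (1, 2, 3)}

    def new_connection(self, src, now):
        if self.blacklist.contains(src, now):
            return "drop"
        # Highest stage is checked first, so one connection climbs one stage.
        # add-src-to-address-list does not terminate rule processing, so the
        # connection itself is still accepted after being recorded.
        if self.stage[3].contains(src, now):
            self.blacklist.add(src, 10 * 24 * 3600, now)
        if self.stage[2].contains(src, now):
            self.stage[3].add(src, 60, now)
        if self.stage[1].contains(src, now):
            self.stage[2].add(src, 60, now)
        self.stage[1].add(src, 60, now)
        return "accept"


def simulate_ssh(gaps):
    """Connection attempts separated by the given seconds; returns verdicts."""
    guard, now, verdicts = SshGuard(), 0, []
    for gap in gaps:
        now += gap
        verdicts.append(guard.new_connection("198.51.100.7", now))  # constructed
    return verdicts


def simulate_ftp(failures):
    """Failed logins one second apart; returns (replies passed, client still allowed)."""
    guard, passed = FtpGuard(), 0
    for i in range(failures):
        if guard.login_incorrect_sent("198.51.100.8", now=i) == "accept":
            passed += 1
    return passed, guard.inbound_allowed("198.51.100.8", now=failures)
```

Running simulate_ssh([0, 5, 5, 5, 5]) shows four rapid connections are accepted and the fifth is dropped for ten days, while simulate_ssh([0, 90, 90, 90, 90]) never escalates because each stage entry expires after one minute. For FTP, nine "530 Login incorrect" replies pass in a burst and the tenth blacklists the client for three hours; keep this in mind when an administrator mistypes a password a few times from the same host.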

Drop port scanners

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

Various combinations of TCP flags can also indicate port scanner activity:
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

Drop those IPs in both Input & Forward chains:
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
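The tcp-flags and psd matchers above are easy to misread, so here is an added Python model of them (not part of the original post, not RouterOS code) run over constructed packets. The tcp-flags semantics (listed flags must be set, "!" flags must be clear, unlisted flags are ignored) follow the RouterOS documentation; the psd model, which only counts packets to distinct destination ports and resets after a pause longer than the delay threshold, is a simplification and an assumption.

```python
# Added example (not from the blog post): evaluate the port-scan rules
# above against sample TCP packets using a Python model of the matchers.
SCAN_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]


def tcp_flags_match(spec, flags):
    """tcp-flags semantics: every listed flag must be set, every '!flag'
    must be clear, and flags not mentioned in the spec are ignored."""
    for item in spec.split(","):
        if item.startswith("!"):
            if item[1:] in flags:
                return False
        elif item not in flags:
            return False
    return True


def classify(flags):
    """Comments of all rules a packet with this set of flags would trigger."""
    return [name for spec, name in SCAN_RULES if tcp_flags_match(spec, flags)]


class PortScanDetector:
    """Assumed model of psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight:
    packets from one source to distinct destination ports add weight; a pause
    longer than the delay threshold starts a new sequence."""

    def __init__(self, weight_threshold=21, delay=3, low_weight=3, high_weight=1):
        self.threshold, self.delay = weight_threshold, delay
        self.low, self.high = low_weight, high_weight
        self.state = {}  # src -> (last time, ports seen, weight)

    def packet(self, src, dst_port, now):
        last, ports, weight = self.state.get(src, (None, set(), 0))
        if last is not None and now - last > self.delay:
            ports, weight = set(), 0
        if dst_port not in ports:
            ports.add(dst_port)
            weight += self.low if dst_port <= 1024 else self.high
        self.state[src] = (now, ports, weight)
        return weight >= self.threshold


def psd_verdicts(ports, gap):
    """One constructed source probing the given ports 'gap' seconds apart;
    returns whether the psd rule (21,3s,3,1) fires on each packet."""
    det = PortScanDetector()
    return [det.packet("203.0.113.5", p, i * gap) for i, p in enumerate(ports)]
```

Normal traffic such as a plain SYN or a FIN/ACK teardown triggers none of the six flag rules, while an empty flag set or FIN alone does; with psd=21,3s,3,1, seven distinct privileged ports probed within three seconds reach the weight threshold, but the same port hit repeatedly, or one port every five seconds, never does.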

Router protection (these rules stay at the end of the input chain, since rules are matched top-down and the last one drops everything else):

add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input src-address=192.168.88.0/24 in-interface=!UniFi-Internet action=accept comment="Allow the LAN to reach the router (adjust subnet and WAN interface name)"
add chain=input action=drop comment="Drop everything else"


Customer protection (forward chain - traffic passing through the router):

add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"

Block Bogon IP addresses:

add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogon IP addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop 
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

Make jumps to new chains:

add chain=forward protocol=tcp action=jump jump-target=tcp comment="Make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp 
add chain=forward protocol=icmp action=jump jump-target=icmp

Create TCP chain and deny some TCP ports in it (revise port numbers as needed):

add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny Back Orifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

Create UDP chain and deny some UDP ports in it (revise port numbers as needed):

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny Back Orifice"