Dmitry on firewalling



This firewall source is taken from the MikroTik Wiki. I also use Dmitry's method for setting up the firewall on MikroTik, with a few changes here and there that do not alter its intent and purpose.



Dmitry's firewall covers:
1 Components of the filter
2 Protocol classifier
3 Sanity-check (checks input / forward traffic)
4 Application-specific filters
5 Restricting services
6 Protecting the router
7 Proxying everything
8 Enable Proxy servers

For those interested, Dmitry's original source is below; copy and paste it and adjust it to your MikroTik setup (IP addresses and ethernet interfaces):

Protocol classifier
/ ip firewall mangle
add chain=prerouting protocol=tcp connection-state=new action=jump \
jump-target=tcp-services
add chain=prerouting protocol=udp connection-state=new action=jump \
jump-target=udp-services
add chain=prerouting connection-state=new action=jump \
jump-target=other-services
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=20-21 action=mark-connection new-connection-mark=ftp \
passthrough=no
add chain=tcp-services protocol=tcp src-port=513-65535 \
dst-port=22 action=mark-connection new-connection-mark=ssh \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=23 action=mark-connection new-connection-mark=telnet \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=25 action=mark-connection new-connection-mark=smtp \
passthrough=no
add chain=tcp-services protocol=tcp src-port=53 dst-port=53 \
action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=53 action=mark-connection new-connection-mark=dns \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=80 action=mark-connection new-connection-mark=http \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=110 action=mark-connection new-connection-mark=pop3 \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=113 action=mark-connection new-connection-mark=auth \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=119 action=mark-connection new-connection-mark=nntp \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=143 action=mark-connection new-connection-mark=imap \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=161-162 action=mark-connection new-connection-mark=snmp \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=443 action=mark-connection new-connection-mark=https \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=465 action=mark-connection new-connection-mark=smtps \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=993 action=mark-connection new-connection-mark=imaps \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=995 action=mark-connection new-connection-mark=pop3s \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=1723 action=mark-connection new-connection-mark=pptp \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=2379 action=mark-connection new-connection-mark=kgs \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=3128 action=mark-connection new-connection-mark=proxy \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=3389 action=mark-connection new-connection-mark=win-ts \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=4242-4243 action=mark-connection new-connection-mark=emule \
passthrough=no
add chain=tcp-services protocol=tcp src-port=4661-4662 \
dst-port=1024-65535 action=mark-connection \
new-connection-mark=overnet passthrough=no
add chain=tcp-services protocol=tcp src-port=4711 \
dst-port=1024-65535 action=mark-connection new-connection-mark=emule \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=5900-5901 action=mark-connection new-connection-mark=vnc \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=6667-6669 action=mark-connection new-connection-mark=irc \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=6881-6889 action=mark-connection \
new-connection-mark=bittorrent passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=8080 action=mark-connection new-connection-mark=http \
passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 \
dst-port=8291 action=mark-connection new-connection-mark=winbox \
passthrough=no
add chain=tcp-services protocol=tcp action=mark-connection \
new-connection-mark=other-tcp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 \
dst-port=53 action=mark-connection new-connection-mark=dns \
passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 \
dst-port=123 action=mark-connection new-connection-mark=ntp \
passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 \
dst-port=1701 action=mark-connection new-connection-mark=l2tp \
passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 \
dst-port=4665 action=mark-connection new-connection-mark=emule \
passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 \
dst-port=4672 action=mark-connection new-connection-mark=emule \
passthrough=no
add chain=udp-services protocol=udp src-port=4672 \
dst-port=1024-65535 action=mark-connection new-connection-mark=emule \
passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 \
dst-port=12053 action=mark-connection new-connection-mark=overnet \
passthrough=no
add chain=udp-services protocol=udp src-port=12053 \
dst-port=1024-65535 action=mark-connection \
new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp src-port=36725 \
dst-port=1024-65535 action=mark-connection new-connection-mark=skype \
passthrough=no
add chain=udp-services protocol=udp connection-state=new \
action=mark-connection new-connection-mark=other-udp passthrough=no
add chain=other-services protocol=icmp icmp-options=8:0-255 \
action=mark-connection new-connection-mark=ping passthrough=no
add chain=other-services protocol=gre action=mark-connection \
new-connection-mark=gre passthrough=no
add chain=other-services action=mark-connection \
new-connection-mark=other passthrough=no
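As an added example (not part of Dmitry's rule set or the original post), the following Python script parses export-style rules like the ones above and walks the prerouting, tcp-services, udp-services and other-services chains the way the packet filter does, so you can see which connection-mark a given first packet receives. The rule excerpt embedded in it is constructed from a subset of the page's rules; the packet description format and the helper names (parse_rules, classify, mark_for) are this example's own.

```python
import re

# Constructed excerpt of the page's "/ ip firewall mangle" classifier, kept in
# RouterOS export syntax (backslash continuations included) so that the parser
# below also works on the full rule set. Only a handful of marks are listed.
RULES_TEXT = r"""
/ ip firewall mangle
add chain=prerouting protocol=tcp connection-state=new action=jump \
jump-target=tcp-services
add chain=prerouting protocol=udp connection-state=new action=jump \
jump-target=udp-services
add chain=prerouting connection-state=new action=jump \
jump-target=other-services
add chain=tcp-services protocol=tcp src-port=513-65535 \
dst-port=22 action=mark-connection new-connection-mark=ssh \
passthrough=no
add chain=tcp-services protocol=tcp src-port=53 dst-port=53 \
action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp action=mark-connection \
new-connection-mark=other-tcp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 \
dst-port=53 action=mark-connection new-connection-mark=dns \
passthrough=no
add chain=udp-services protocol=udp connection-state=new \
action=mark-connection new-connection-mark=other-udp passthrough=no
add chain=other-services protocol=icmp icmp-options=8:0-255 \
action=mark-connection new-connection-mark=ping passthrough=no
add chain=other-services protocol=gre action=mark-connection \
new-connection-mark=gre passthrough=no
add chain=other-services action=mark-connection \
new-connection-mark=other passthrough=no
"""

TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_rules(text):
    """Join backslash-continued lines, then turn each 'add ...' line into a dict."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in TOKEN.findall(line[4:])})
    return rules

def port_in(spec, port):
    """A RouterOS port spec is a single port or an inclusive 'low-high' range."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def rule_matches(rule, pkt):
    """Evaluate the matchers this example models. connection-state=new is taken
    as true because we only classify the first packet of a connection."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "src-port" in rule and not port_in(rule["src-port"], pkt.get("sport", -1)):
        return False
    if "dst-port" in rule and not port_in(rule["dst-port"], pkt.get("dport", -1)):
        return False
    if "icmp-options" in rule:                  # form is type:code-range
        icmp_type, _, codes = rule["icmp-options"].partition(":")
        if pkt.get("icmp_type") != int(icmp_type) or not port_in(codes, pkt.get("icmp_code", 0)):
            return False
    return True

def classify(rules, pkt, chain="prerouting"):
    """Walk a chain in order; the first matching rule decides. action=jump
    descends into the target chain, and mark-connection (every one on the page
    carries passthrough=no) ends processing. If a target chain runs out of
    rules without a terminal action, scanning resumes in the calling chain."""
    for rule in rules:
        if rule["chain"] != chain or not rule_matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            mark = classify(rules, pkt, rule["jump-target"])
            if mark is not None:
                return mark
        elif rule["action"] == "mark-connection":
            return rule["new-connection-mark"]
    return None

RULES = parse_rules(RULES_TEXT)

def mark_for(protocol, sport=None, dport=None, icmp_type=None, icmp_code=0):
    """Classify a first packet described by protocol and ports (or ICMP type/code)."""
    pkt = {"protocol": protocol, "icmp_type": icmp_type, "icmp_code": icmp_code}
    if sport is not None:
        pkt["sport"] = sport
    if dport is not None:
        pkt["dport"] = dport
    return classify(RULES, pkt)

if __name__ == "__main__":
    for args in [("tcp", 40000, 22), ("tcp", 500, 22), ("udp", 53, 53),
                 ("icmp", None, None, 8), ("gre",)]:
        print(args, "->", mark_for(*args))
```

Two things the walk-through makes visible: the src-port lower bounds are part of the match, so an SSH connection from a source port below 513 lands in other-tcp and is later dropped by the restrict-tcp chain; and the TCP list has a 53-to-53 rule for server-to-server DNS while the UDP list does not, so UDP 53-to-53 queries end up marked other-udp.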

Sanity-check
/ip firewall mangle
add chain=prerouting in-interface=Public \
dst-address-list=nat-addr action=mark-packet \
new-packet-mark=nat-traversal \
passthrough=no comment="Detect NAT Traversal"
/ ip firewall filter
add chain=forward in-interface=Local \
out-interface=Local action=accept \
comment="Allow traffic between wired and wireless networks"
add chain=forward action=jump \
jump-target=sanity-check comment="Sanity Check Forward"
add chain=sanity-check packet-mark=nat-traversal \
action=jump jump-target=drop comment="Deny illegal NAT traversal"
add chain=sanity-check protocol=tcp \
psd=20,3s,3,1 action=add-src-to-address-list \
address-list=blocked-addr address-list-timeout=1d \
comment="Block port scans" disabled=yes
add chain=sanity-check protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d comment="Block TCP Xmas scan"
add chain=sanity-check protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d comment="Block TCP Null scan"
add chain=sanity-check protocol=tcp \
src-address-list=blocked-addr action=jump \
jump-target=drop
add chain=sanity-check protocol=tcp \
tcp-flags=rst action=jump jump-target=drop \
comment="Drop TCP RST"
add chain=sanity-check protocol=tcp \
tcp-flags=fin,syn action=jump jump-target=drop \
comment="Drop TCP SYN+FIN"
add chain=sanity-check connection-state=invalid \
action=jump jump-target=drop \
comment="Dropping invalid connections at once"
add chain=sanity-check connection-state=established \
action=accept \
comment="Accepting already established connections"
add chain=sanity-check \
connection-state=related action=accept \
comment="Also accepting related connections"
add chain=sanity-check \
dst-address-type=broadcast,multicast \
action=jump jump-target=drop \
comment="Drop all traffic that goes to multicast or \
broadcast addresses"
add chain=sanity-check in-interface=Local \
dst-address-list=illegal-addr dst-address-type=!local action=jump \
jump-target=drop comment="Drop illegal destination addresses"
add chain=sanity-check in-interface=Local \
src-address-list=!local-addr action=jump jump-target=drop \
comment="Drop everything that goes from local \
interface but not from local address"
add chain=sanity-check in-interface=Public \
src-address-list=illegal-addr action=jump \
jump-target=drop comment="Drop illegal source addresses"
add chain=sanity-check in-interface=Public \
dst-address-list=!local-addr action=jump \
jump-target=drop \
comment="Drop everything that goes from \
public interface but not to local address" disabled=yes
add chain=sanity-check src-address-type=broadcast,multicast \
action=jump jump-target=drop comment="Drop all traffic \
that comes from multicast or broadcast addresses"
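The tcp-flags matchers in the sanity-check chain follow RouterOS semantics: a flag listed plainly must be set, a flag prefixed with ! must be clear, and any flag not mentioned is ignored. The following Python model (an added example, not from the page) encodes those semantics and runs the chain's four TCP flag rules, in the page's order, over a few constructed flag combinations written in tcpdump's one-letter notation. The rule list, the verdict strings and the function names are this example's own.

```python
# Bit values of the TCP flags as laid out in the TCP header's flags byte.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}

def parse_tcp_flags(spec):
    """RouterOS tcp-flags semantics: a bare name must be set, '!name' must be
    clear, and any flag not mentioned is ignored. Returns (set_mask, clear_mask)."""
    must_set = must_clear = 0
    for token in spec.split(","):
        token = token.strip()
        if token.startswith("!"):
            must_clear |= FLAG_BITS[token[1:]]
        else:
            must_set |= FLAG_BITS[token]
    return must_set, must_clear

def tcp_flags_match(spec, flags):
    """True when the packet's flags byte satisfies the tcp-flags spec."""
    must_set, must_clear = parse_tcp_flags(spec)
    return (flags & must_set) == must_set and (flags & must_clear) == 0

# The page's TCP flag rules from the sanity-check chain, in their original
# order. The two scan rules add the source to blocked-addr (the packet itself
# continues) and the rule right after them drops anything from that list, so
# for the packet both effectively end in a drop as well.
SANITY_TCP_RULES = [
    ("fin,psh,urg,!syn,!rst,!ack",    "blocked-addr: Xmas scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "blocked-addr: Null scan"),
    ("rst",                           "drop: TCP RST"),
    ("fin,syn",                       "drop: TCP SYN+FIN"),
]

LETTERS = {"F": "fin", "S": "syn", "R": "rst", "P": "psh",
           "A": "ack", "U": "urg", "E": "ece", "C": "cwr"}

def flags_from_letters(letters):
    """'FPU' -> 0x29, using the one-letter flag names tcpdump prints."""
    flags = 0
    for ch in letters:
        flags |= FLAG_BITS[LETTERS[ch]]
    return flags

def sanity_check_tcp(letters):
    """Verdict of the first flag rule that matches, or 'pass' when the packet
    reaches the connection-state rules that follow in the page's chain."""
    flags = flags_from_letters(letters)
    for spec, verdict in SANITY_TCP_RULES:
        if tcp_flags_match(spec, flags):
            return verdict
    return "pass"

if __name__ == "__main__":
    # Constructed sample packets: scans, resets, and ordinary handshake traffic.
    for sample in ["FPU", "", "R", "RA", "SF", "S", "SA", "PA", "FPUA", "E"]:
        print(f"{sample or '(none)':>6} -> {sanity_check_tcp(sample)}")
```

FIN+PSH+URG with no ACK is the Xmas pattern and a packet with no flags at all is the Null pattern. Because unmentioned flags are ignored, RST+ACK is dropped by the RST rule and an ECE-only packet matches the Null rule, while FIN+PSH+URG+ACK matches neither scan rule. Two further points worth checking on a live router: these rules sit before the established/related accepts, so RSTs belonging to existing connections are dropped here too, and the listing jumps to a chain named drop that it never defines, so that chain needs an action=drop rule of its own, otherwise a jump into an empty chain simply returns to the caller.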
 
Address lists
/ ip firewall address-list
add list=illegal-addr address=0.0.0.0/8 \
comment="illegal addresses"
add list=illegal-addr address=127.0.0.0/8
add list=illegal-addr address=224.0.0.0/3
add list=illegal-addr address=10.0.0.0/8
add list=illegal-addr address=172.16.0.0/12
add list=illegal-addr address=192.168.0.0/16
add list=local-addr address=172.31.255.0/29 \
comment="my local network"
add list=nat-addr address=172.31.255.0/29 \
comment="my src-nated local network hosts"
illegal-addr = bogon IP ranges, which will be dropped later
local-addr = the local IP range
nat-addr = the neighbouring IP range that is connected through the local IP
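To see how these three lists interact in the sanity-check chain, here is an added Python example (not part of the page) that loads the lists with the standard ipaddress module, reports overlaps between them, and applies the chain's address rules, in order, to a packet. The router's own Local address (172.31.255.1) is an assumption of the example, since the page does not state it; the function names are the example's own.

```python
import ipaddress

# Constructed copy of the page's "/ ip firewall address-list" section.
ADDRESS_LISTS = {
    "illegal-addr": ["0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/3",
                     "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "local-addr": ["172.31.255.0/29"],
    "nat-addr": ["172.31.255.0/29"],
}
# Assumed address of the router itself on the Local interface (not on the page).
# RouterOS treats packets addressed to it as dst-address-type=local.
ROUTER_ADDRS = {"172.31.255.1"}

NETS = {name: [ipaddress.ip_network(n) for n in nets]
        for name, nets in ADDRESS_LISTS.items()}

def in_list(name, addr):
    """True when addr falls inside any prefix of the named address list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NETS[name])

def list_overlaps(a, b):
    """Pairs of prefixes, one from each list, that overlap each other."""
    return [(str(x), str(y)) for x in NETS[a] for y in NETS[b] if x.overlaps(y)]

def sanity_check_addresses(in_iface, src, dst):
    """Apply the page's address rules from the sanity-check chain in order and
    return the first verdict. The fourth rule (Public traffic not destined to
    local-addr) is disabled on the page and therefore not modelled."""
    to_router = dst in ROUTER_ADDRS
    if in_iface == "Local" and in_list("illegal-addr", dst) and not to_router:
        return "drop: illegal destination"
    if in_iface == "Local" and not in_list("local-addr", src):
        return "drop: not from local address"
    if in_iface == "Public" and in_list("illegal-addr", src):
        return "drop: illegal source"
    return "pass"

if __name__ == "__main__":
    print("overlaps:", list_overlaps("local-addr", "illegal-addr"))
    # Constructed packets: (in-interface, source, destination)
    for pkt in [("Local", "172.31.255.2", "8.8.8.8"),
                ("Local", "172.31.255.2", "10.1.2.3"),
                ("Local", "172.31.255.2", "172.31.255.1"),
                ("Local", "172.31.255.2", "172.31.255.3"),
                ("Local", "192.168.5.5", "8.8.8.8"),
                ("Public", "192.168.1.1", "172.31.255.2"),
                ("Public", "8.8.8.8", "172.31.255.2")]:
        print(pkt, "->", sanity_check_addresses(*pkt))
```

The overlap check shows why rule order matters here: local-addr 172.31.255.0/29 lies inside the 172.16.0.0/12 entry of illegal-addr, so a packet from one local host to another would be dropped as an illegal destination if it reached the sanity-check chain. It does not, because the forward chain accepts Local-to-Local traffic before jumping to sanity-check, and traffic to the router itself is exempted by dst-address-type=!local.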
 

Application-specific filters

/ ip firewall filter
add chain=forward protocol=tcp action=jump \
jump-target=restrict-tcp
add chain=forward protocol=udp action=jump \
jump-target=restrict-udp
add chain=forward action=jump jump-target=restrict-ip
add chain=restrict-tcp connection-mark=auth \
action=reject
add chain=restrict-tcp connection-mark=smtp \
action=jump jump-target=smtp-first-drop \
comment="anti-spam policy"
add chain=smtp-first-drop src-address-list=first-smtp \
action=add-src-to-address-list address-list=approved-smtp
add chain=smtp-first-drop src-address-list=approved-smtp \
action=return
add chain=smtp-first-drop action=add-src-to-address-list \
address-list=first-smtp
add chain=smtp-first-drop action=reject \
reject-with=icmp-network-unreachable
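The smtp-first-drop chain is a small stateful check: the first SMTP connection from any source is recorded in first-smtp and rejected, a source already in first-smtp is promoted to approved-smtp and returned to the calling chain, and from then on it passes. The Python model below (an added example, not the page's own code) replays that logic over a constructed sequence of source addresses; the class and function names are its own.

```python
class SmtpFirstDrop:
    """Stateful model of the page's smtp-first-drop chain. In RouterOS,
    add-src-to-address-list does not terminate rule processing, so after an
    address has been added evaluation continues with the next rule."""

    def __init__(self):
        self.first_smtp = set()      # address-list=first-smtp
        self.approved_smtp = set()   # address-list=approved-smtp

    def evaluate(self, src):
        # rule 1: src-address-list=first-smtp -> add to approved-smtp, continue
        if src in self.first_smtp:
            self.approved_smtp.add(src)
        # rule 2: src-address-list=approved-smtp -> return to restrict-tcp
        if src in self.approved_smtp:
            return "return"
        # rule 3: any other source is recorded in first-smtp, continue
        self.first_smtp.add(src)
        # rule 4: ... and the connection is rejected (icmp-network-unreachable)
        return "reject"

def simulate(attempts):
    """Feed a sequence of SMTP source addresses through a fresh chain and
    return the verdict for each attempt, in order."""
    chain = SmtpFirstDrop()
    return [chain.evaluate(src) for src in attempts]

if __name__ == "__main__":
    # Constructed sources (RFC 5737 documentation ranges): one host retrying,
    # one host connecting only once.
    attempts = ["203.0.113.5", "203.0.113.5", "203.0.113.5", "198.51.100.9"]
    for src, verdict in zip(attempts, simulate(attempts)):
        print(src, "->", verdict)
```

Because add-src-to-address-list does not stop rule processing, the promotion to approved-smtp and the return happen in the same pass. Neither list carries an address-list-timeout on the page, so once a source has been approved it stays approved, and the first-smtp entries are never expired either; adding timeouts is the natural refinement if the approval should lapse.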

Restricting services
/ ip firewall filter
add chain=restrict-tcp connection-mark=other-tcp \
action=jump jump-target=drop
add chain=restrict-udp connection-mark=other-udp \
action=jump jump-target=drop
add chain=restrict-ip connection-mark=other \
action=jump jump-target=drop


Protecting the router
/ ip firewall filter
add chain=input src-address-type=local \
dst-address-type=local action=accept \
comment="Allow local traffic (between router applications)"
add chain=input in-interface=Local protocol=udp \
src-port=68 dst-port=67 action=jump jump-target=dhcp \
comment="DHCP protocol would not pass sanity checking, \
so enabling it explicitly before other checks"
add chain=input action=jump jump-target=sanity-check \
comment="Sanity Check"
add chain=input dst-address-type=!local action=jump \
jump-target=drop comment="Dropping packets not \
destined to the router itself, including all broadcast traffic"
add chain=input connection-mark=ping limit=5,5 \
action=accept comment="Allow pings, but at a very \
limited rate (5 packets per sec)"
add chain=input in-interface=Local action=jump \
jump-target=local-services comment="Allowing some \
services to be accessible from the local network"
add chain=input in-interface=Public action=jump \
jump-target=public-services comment="Allowing some \
services to be accessible from the Internet"
add chain=input action=jump jump-target=drop
add chain=dhcp src-address=0.0.0.0 \
dst-address=255.255.255.255 action=accept
add chain=dhcp src-address=0.0.0.0 \
dst-address-type=local action=accept
add chain=dhcp src-address-list=local-addr \
dst-address-type=local action=accept
add chain=local-services connection-mark=ssh \
action=accept comment="SSH (22/TCP)"
add chain=local-services connection-mark=dns \
action=accept comment="DNS"
add chain=local-services connection-mark=proxy \
action=accept comment="HTTP Proxy (3128/TCP)"
add chain=local-services connection-mark=winbox \
action=accept comment="Winbox (8291/TCP)" disabled=no
add chain=local-services action=log \
comment="Log & Drop Other Local Services"
add chain=local-services action=drop \
disabled=yes
add chain=public-services connection-mark=ssh \
action=accept comment="SSH (22/TCP)"
add chain=public-services connection-mark=pptp \
action=accept comment="PPTP (1723/TCP)"
add chain=public-services connection-mark=winbox \
action=accept comment="Winbox (8291/TCP)" disabled=no
add chain=public-services connection-mark=gre \
action=accept comment="GRE for PPTP"
add chain=public-services action=log \
comment="Log & Drop Other Public Services"
add chain=public-services action=drop disabled=yes

Proxying everything
/ ip firewall nat
add chain=dstnat in-interface=Local connection-mark=dns \
action=redirect comment="Transparent DNS Cache"
add chain=dstnat in-interface=Local \
connection-mark=http protocol=tcp action=redirect \
to-ports=3128 comment="Transparent Web Cache"
add chain=dstnat in-interface=Local connection-mark=ntp \
action=redirect comment="Transparent proxy for NTP requests"


Enable Proxy servers
/system ntp server
set enabled=yes broadcast=no multicast=no \
manycast=no
/system ntp client
set enabled=yes mode=unicast primary-ntp=xxx.xxx.xxx.xxx \
secondary-ntp=0.0.0.0
/ip proxy
set enabled=yes port=3128 parent-proxy=0.0.0.0:1 \
maximal-client-connections=1000 \
maximal-server-connections=1000
/ip dns
set primary-dns=yyy.yyy.yyy.yyy secondary-dns=0.0.0.0 \
allow-remote-requests=yes cache-size=2048KiB \
cache-max-ttl=1w
* xxx.xxx.xxx.xxx = the IP address of your NTP server
* yyy.yyy.yyy.yyy = the IP address of your DNS server

Source: wiki.mikrotik.com

Regards, Codet.
