Jul 27 / Greg

Mikrotik Border Router Firewall Script

Here’s an older version of my firewall script that I’m making public. It is compiled from wiki posts, forum posts, and personal experience.

It blocks spoofed traffic inbound, includes some port-knock rules, SMTP spam blocking, some ICMP rate limiting, and blocks some port scans and DoS attacks.

In the script below, replace X.X.X.X, S.S.S.S/SS, Y.Y.Y.Y, and Z.Z.Z.Z with your own values. Port knocking starts at line 34 and continues to 42 (the rules under "#start port knocking"), so if you would like to disable it those are your lines to adjust. You will most likely want to adjust the ports and protocols on the port knock if you choose to use it 🙂

/ip firewall address-list
#rfc 1918, loopback, and multicast
add address=10.0.0.0/8 comment="" disabled=no list=rfc-1918
add address=172.16.0.0/12 comment="" disabled=no list=rfc-1918
add address=192.168.0.0/16 comment="" disabled=no list=rfc-1918
add address=127.0.0.0/8 comment="" disabled=no list=rfc-1918
add address=224.0.0.0/4 comment="" disabled=no list=rfc-1918
add address=240.0.0.0/4 comment="" disabled=no list=rfc-1918
 
#my public addressing
add address=X.X.X.X comment="" disabled=no list=public-add
 
#my private addressing
add address=S.S.S.S/SS comment="" disabled=no list=internal-nets
 
#any port knock exclusions
add address=Y.Y.Y.Y comment="" disabled=no list=port-knock-3
 
#any SMTP exclusions
add address=Z.Z.Z.Z comment="" disabled=no list=smtp-bypass
 
/ip firewall filter
#match more than 5 pings in 5 seconds.  Then drop the traffic inbound and forward.
add action=accept chain=input comment="start of greg rules up to 5 pings in 5 seconds" disabled=no limit=5,5 protocol=icmp
add action=add-src-to-address-list address-list=icmp-attack address-list-timeout=12h chain=input comment="add all other icmp input into icmp-attack address list." \
    disabled=no protocol=icmp
add action=drop chain=input comment="drop excessive icmp traffic for 12 hours" disabled=no src-address-list=icmp-attack protocol=icmp
add action=drop chain=forward comment="drop excessive icmp traffic for 12 hours" disabled=yes src-address-list=icmp-attack protocol=icmp
#drop 1918 inbound
add action=drop chain=forward comment="block rfc 1918 and multicast inbound" disabled=no in-interface=ether1 src-address-list=rfc-1918
add action=drop chain=forward comment="block our addressing inbound - spoofed" disabled=no in-interface=ether1 src-address-list=public-add
add action=drop chain=input comment="block rfc 1918 and multicast inbound" disabled=no in-interface=ether1 src-address-list=rfc-1918
add action=drop chain=input comment="block our addressing inbound - spoofed" disabled=no in-interface=ether1 src-address-list=public-add
#start port knocking
add action=add-src-to-address-list address-list=port-knock-1 address-list-timeout=15s chain=input comment="port knock step 1 - udp 444" disabled=no \
    dst-port=444 protocol=udp
add action=add-src-to-address-list address-list=port-knock-2 address-list-timeout=15s chain=input comment="port knock step 2 - udp 117" disabled=no \
    dst-port=117 protocol=udp src-address-list=port-knock-1
add action=add-src-to-address-list address-list=port-knock-3 address-list-timeout=5h chain=input comment="port knock step 3 - tcp 600 - final" disabled=no \
    dst-port=600 protocol=tcp src-address-list=port-knock-2
add action=accept chain=input comment="allow winbox in via port knock" disabled=no dst-port=8291 protocol=tcp src-address-list=port-knock-3
add action=drop chain=input comment="drop winbox from everyone not in port-knock-3" disabled=no dst-port=8291 protocol=tcp
#port scans and DOS
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="add port scanners to port-scan list" disabled=no \
    in-interface=ether1 protocol=tcp psd=21,3s,3,1 src-address-list=!internal-nets
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=tarpit chain=input comment="tarpit port-scan address list to router" disabled=no protocol=tcp src-address-list=port-scan
add action=drop chain=input comment="drop port-scan address list to our router" disabled=no src-address-list=port-scan
add action=drop chain=forward comment="drop port-scan address list to our infrastructure" disabled=no src-address-list=port-scan
add action=drop chain=forward comment="drop windows ports" disabled=no port=135-139 protocol=tcp
add action=accept chain=forward comment="allow smtp-bypass list to create multiple sessions" disabled=no dst-port=25 protocol=tcp src-address-list=smtp-bypass
add action=drop chain=forward comment="drop smtp traffic marked as spam" disabled=no dst-port=25 protocol=tcp src-address-list=spam-block
add action=add-src-to-address-list address-list=spam-block address-list-timeout=2h chain=forward comment=\
    "more than 30 concurrent smtp connections out from one internal host - treat as spam and add to address list" connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp \
    src-address-list=rfc-1918
add action=accept chain=input comment="allow 80 and 8080 from portknock" disabled=no dst-port=80,8080 protocol=tcp src-address-list=port-knock-3
add action=drop chain=input comment="block 80 and 8080 from everyone else" disabled=no dst-port=80,8080 protocol=tcp
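How the knock sequence above gates winbox, as an added Python model (not RouterOS code and not part of the original script): it replays the three add-src-to-address-list rules and the winbox accept/drop with the page's 15 s, 15 s and 5 h timeouts, so a late second knock can be seen to fail. The client address is constructed, and the assumption that a repeated knock refreshes an entry's timer is mine, not the page's.

```python
# Added model of the page's port-knock rules, written in Python rather than RouterOS:
# udp/444, then udp/117 while still in port-knock-1 (15 s), then tcp/600 while still
# in port-knock-2 (15 s); the source then sits in port-knock-3 for 5 h and may reach
# winbox on tcp/8291. Assumption not stated on the page: a repeated knock refreshes
# the entry's timer.
# (list to add to, list the source must already be in, protocol, dst-port, timeout s)
KNOCK_STEPS = [
    ("port-knock-1", None,           "udp", 444, 15),
    ("port-knock-2", "port-knock-1", "udp", 117, 15),
    ("port-knock-3", "port-knock-2", "tcp", 600, 5 * 3600),
]
WINBOX = ("tcp", 8291)

class KnockChain:
    """The input-chain rules from '#start port knocking' down to the winbox drop."""
    def __init__(self):
        self.lists = {}  # (list name, source address) -> expiry time in seconds

    def in_list(self, name, src, now):
        expiry = self.lists.get((name, src))
        return expiry is not None and now < expiry

    def packet(self, now, src, proto, dport):
        """Verdict for one packet: 'accept', 'drop', or 'continue' to later rules."""
        for name, prereq, p, port, ttl in KNOCK_STEPS:
            if (proto, dport) == (p, port) and (prereq is None or self.in_list(prereq, src, now)):
                # add-src-to-address-list does not terminate rule processing, so the
                # knock packet itself keeps going down the chain after being recorded.
                self.lists[(name, src)] = now + ttl
        if (proto, dport) == WINBOX:
            return "accept" if self.in_list("port-knock-3", src, now) else "drop"
        return "continue"

def knock_then_winbox(gaps):
    """Send the three knocks separated by the given gaps (seconds), then try winbox
    one second later; returns the verdict the winbox packet gets."""
    fw, t, src = KnockChain(), 0, "198.51.100.7"  # constructed client address
    for gap, (_, _, proto, port, _) in zip(gaps, KNOCK_STEPS):
        t += gap
        fw.packet(t, src, proto, port)
    return fw.packet(t + 1, src, *WINBOX)

if __name__ == "__main__":
    print(knock_then_winbox([0, 5, 5]))   # knocks in time -> accept
    print(knock_then_winbox([0, 20, 5]))  # second knock after port-knock-1 expired -> drop
```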

This is by no means a complete list, but it should be a good start. If you guys want to toss some new rules in, just let me know.
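An added sanity check for the address-list section, written in Python and not part of the page's script: it parses export-style add lines, flags duplicate entries and prefixes already covered by a wider one, and reports expected bogon ranges the list does not actually cover. The sample export is constructed, and the expected-range set is an assumption taken from the list's own "rfc 1918, loopback, and multicast" comment.

```python
import re
import ipaddress
from collections import defaultdict
# Added check, not part of the page's script: parse "add address=... list=..." lines of a
# RouterOS address-list export and report duplicates, nested prefixes and missing ranges.
ENTRY_RE = re.compile(r"^add\b(?=.*\saddress=(\S+))(?=.*\slist=(\S+))")
# Assumed from the list's own comment: what the rfc-1918 list is meant to cover.
EXPECTED_BOGONS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12",
                   "192.168.0.0/16", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]

def parse_address_lists(text):
    """Return {list name: [ip_network or raw placeholder string, ...]}."""
    lists = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, comment or blank line
        addr, name = m.groups()
        try:
            lists[name].append(ipaddress.ip_network(addr, strict=False))
        except ValueError:
            lists[name].append(addr)  # placeholders such as X.X.X.X stay as text
    return lists

def lint_list(entries):
    """Duplicates, and entries made redundant by a wider prefix in the same list."""
    nets = [n for n in entries if not isinstance(n, str)]
    issues = [f"duplicate {n}" for i, n in enumerate(nets) if n in nets[:i]]
    for n in nets:
        wider = [o for o in nets if o.prefixlen < n.prefixlen and n.subnet_of(o)]
        if wider:
            issues.append(f"{n} is redundant, covered by {min(wider, key=lambda o: o.prefixlen)}")
    return issues

def missing_coverage(entries):
    """Expected bogon ranges that no entry of the list covers."""
    nets = [n for n in entries if not isinstance(n, str)]
    return [str(e) for e in EXPECTED_BOGONS if not any(e.subnet_of(n) for n in nets)]

# Constructed sample in the page's export format: one duplicate, one prefix nested
# inside a wider one, loopback entered as a single host, and 240.0.0.0/4 left out.
SAMPLE = """\
/ip firewall address-list
add address=10.0.0.0/8 comment="" disabled=no list=rfc-1918
add address=127.0.0.1 comment="" disabled=no list=rfc-1918
add address=172.16.0.0/20 comment="" disabled=no list=rfc-1918
add address=10.0.0.0/8 comment="" disabled=no list=rfc-1918
add address=172.16.0.0/12 comment="" disabled=no list=rfc-1918
add address=192.168.0.0/16 comment="" disabled=no list=rfc-1918
add address=224.0.0.0/4 comment="" disabled=no list=rfc-1918
add address=X.X.X.X comment="" disabled=no list=public-add
"""
```

Run it against the output of `/ip firewall address-list export` after editing the list; an empty result from both checks means the bogon list is clean.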

7 Comments

  1. Bobby / Aug 7 2012

    This is awesome, thank you so much.

  2. Greg / Aug 7 2012

    @Bobby,

    NP sir. Help improve the script, let me know what you want to see added…or for that matter, what good stuff did you add?

  3. Bobby / Aug 7 2012

    Ah, it’s dangerous to assume I would have anything worthwhile to add but I do have a couple of questions.
    Why is line 28 disabled by default and is there a need for a catch-all “drop all input to ether1” rule like the default mt configs have?

  4. Greg / Aug 7 2012

    @Bobby,

    Everyone has something to add 😉

    Line 28 is disabled because it is on the forward chain. Since this is affecting potential customers inside, I left it disabled for the user’s discretion. If you wanted to, change the rule to accept and enable it; this would give you an idea of whether it is being hit or not. I personally have it enabled, I just didn’t want to default it on.

    Since I didn’t take into account all services one might want allowed I didn’t add a deny any at the end. I could, however, add a list of allowed services then place in the deny any.

  5. Hector / May 18 2013

    Hi Greg, I am using this to block BitTorrent downloads. It’s working fine, but I want to let one IP download from torrent. When I put this rule:
    add action=accept chain=forward comment="p2p for this IP" disabled=no p2p=all-p2p src-address=192.168.0.15
    before this one:
    add action=drop chain=forward comment="block connection of p2p" disabled=no p2p=all-p2p
    it keeps blocking the torrent; I don’t understand why.
    Also I am using NAT masquerade:
    /ip firewall nat
    add action=masquerade chain=srcnat comment="Masquerade outside" disabled=no \
    out-interface=Public src-address=192.168.0.0/23
    add action=redirect chain=dstnat comment="Transparent proxy" disabled=no \
    dst-port=80 protocol=tcp to-ports=8080

    Waiting for your help.
    Thank you in advance.

  6. Hector / May 18 2013

    Hi Greg, another question: could I use dst-port for several ports at once, like this?
    ;;; Allowing SMTP to GoDaddy E-Mail Server
    chain=forward action=accept protocol=tcp src-address=192.168.0.0/23 dst-address=68.178.252.101 dst-port=25,80,3535

  7. Greg / May 19 2013

    @Hector
    You can use an address-list to specify your exempt clients, then use that list in the accept rule. Alternatively, use it in the drop rule and tick the ! box to indicate NOT the list.

    If you are using an allow firewall rule be sure to drag and drop it above the drop rule.
