Skip to content
Jul 27 / Greg

Mikrotik Border Router Firewall Script

Here’s an older version of my firewall script that I’m making public. This is compiled from some wiki/forum/personal experience.

It blocks spoofed traffic inbound, has some portknock rules included, SMTP spam blocking, some ICMP rate-limiting, blocks some port scans and DOS attacks.

In the below script replace X.X.X.X, Y.Y.Y.Y, and Z.Z.Z.Z with your own values. Port knocking starts at line 34 and continues to 42, so if you would like to disable it those are your lines to adjust. You will most likely want to adjust the port and protocols on the port knock if you choose to use it 🙂

Github file is here:

This is by no means a complete list, but it should be a good start. If you guys want to make any updates, feel free to make a pull request on the repo.


leave a comment
  1. Bobby / Aug 7 2012

    This is awesome, thank you so much.

  2. Greg / Aug 7 2012


    NP sir. Help improve the script, let me know what you want to see added…or for that matter, what good stuff did you add?

  3. Bobby / Aug 7 2012

    Ah, it’s dangerous to assume I would have anything worthwhile to add but I do have a couple of questions.
    Why is line 28 disabled by default and is there a need for a catch-all “drop all input to ether1” rule like the default mt configs have?

  4. Greg / Aug 7 2012


    Everyone has something to add 😉

    Line 28 is disabled because it is on the forward chain. Since this is affecting potential customers inside I left it disabled for the user’s discretion. If you wanted to change the rule to accept and enable it; this would give you an idea if it is being hit or not. I personally have it enabled, I just didn’t want to default it on.

    Since I didn’t take into account all services one might want allowed I didn’t add a deny any at the end. I could, however, add a list of allowed services then place in the deny any.

  5. Hector / May 18 2013

    Hi Greg, I am using this to block bit torrent downloads, it’s working fine but I want to let 1 IP to download from torrent, when I put this rule:
    add action=accept chain=forward comment=”p2p for this IP” disabled=no p2p=all-p2p src-address=
    before this one:
    add action=drop chain=forward comment=”block connection of p2p” disabled=no p2p=all-p2p
    it keeps blocking the torrent, I don’t understand why.
    Also I am using NAT Masquerade:
    /ip firewall nat
    add action=masquerade chain=srcnat comment=”Masquerade outside” disabled=no \
    out-interface=Public src-address=
    add action=redirect chain=dstnat comment=”Transparent proxy” disabled=no \
    dst-port=80 protocol=tcp to-ports=8080

    Waiting your help.
    Thank you in advance.

  6. Hector / May 18 2013

    Hi Greg, another question, could I use the dst-port for several ports at once?, like this:
    ;;; Allowing SMTP to GoDaddy E-Mail Server
    chain=forward action=accept protocol=tcp src-address= dst-address= dst-port=25,80,3535

  7. Greg / May 19 2013

    You can use an address-list to specify your exempt clients. Then use that list in the accept rule. You could alternately use it in the drop list and use the ! box to indicate NOT the list.

    If you are using an allow firewall rule be sure to drag and drop it above the drop rule.

Leave a Comment