Firewall

**************** Basic Firewall - SYN Flood - Port Scan - DoS Attack - 3 golpes 22-23-8291 - Permitir L2TP - PPTP ************************


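/ip firewall filter
# Basic_Firewall: stateful baseline shared by input and forward. Invalid conntrack
# state is dropped, established/related is accepted, anything else returns to the
# calling chain (a RouterOS jump target returns implicitly at the end of the chain).
add action=drop chain=Basic_Firewall comment="Basic Firewall" connection-state=invalid
add action=accept chain=Basic_Firewall connection-state=established,related
add action=jump chain=input jump-target=Basic_Firewall
add action=jump chain=forward jump-target=Basic_Firewall
# SYN flood: a source with more than 30 concurrent TCP SYN connections (counted per /32)
# is listed in Syn_Flooder for 30m and dropped by the following rule.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood Detect" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input src-address-list=Syn_Flooder
# Port scan detection (psd=weight-threshold,delay,low-port-weight,high-port-weight);
# offenders are listed for 12w6d and dropped.
add action=add-src-to-address-list address-list=Port_scan address-list-timeout=12w6d chain=input comment="Port scan detection" protocol=tcp psd=21,3s,3,1
add action=drop chain=input src-address-list=Port_scan
# DoS: more than 10 concurrent TCP connections from one source to the router is logged
# and blacklisted for 12w6d; a listed source exceeding 3 connections is tarpitted.
# Fix: the tarpit rule matched src-address-list=Black_list, a list nothing in this file
# populates, so it never fired; it now matches DDoS_Blacklist like the rule above it.
# The 10-connection limit applies on every interface, so a busy LAN client can trip it.
add action=add-src-to-address-list address-list=DDoS_Blacklist address-list-timeout=12w6d chain=input comment="Dos attack detect" connection-limit=10,32 log=yes protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp src-address-list=DDoS_Blacklist
# Drops every new DNS query addressed to the router itself, on every interface; LAN
# clients that use this router as their resolver are blocked too unless in-interface
# is added to these two rules.
add action=drop chain=input comment="DNS Relay Attack Drop" connection-state=new dst-port=53 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 protocol=tcp
# Outbound L2TP is rejected unless it is covered by an IPsec policy.
add action=reject chain=output comment="Outbound - Block L2TP without IPsec" ipsec-policy=out,none port=1701 protocol=udp reject-with=icmp-admin-prohibited
# Brute-force throttle for SSH/Telnet/Winbox (22,23,8291): each new connection moves the
# source one step primer -> segundo -> tercer intento (5m each); the next one lands it
# in blacklist for 4w2d5m and the drop rule at the top of this group stops it.
# Fix: these rules used to be appended after the Winbox accept rule, so port 8291 never
# reached them (accept is terminal); they now precede every accept on the input chain.
# Fix: "dst-port= 22,23,8291" had a stray space after "=", so the port list was not
# parsed as the value of dst-port.
add action=drop chain=input connection-state=new src-address-list=blacklist
add action=add-src-to-address-list address-list=blacklist address-list-timeout=4w2d5m chain=input connection-state=new dst-port=22,23,8291 protocol=tcp src-address-list="tercer intento"
add action=add-src-to-address-list address-list="tercer intento" address-list-timeout=5m chain=input connection-state=new dst-port=22,23,8291 protocol=tcp src-address-list="segundo intento"
add action=add-src-to-address-list address-list="segundo intento" address-list-timeout=5m chain=input connection-state=new dst-port=22,23,8291 protocol=tcp src-address-list="primer intento"
add action=add-src-to-address-list address-list="primer intento" address-list-timeout=5m chain=input connection-state=new dst-port=22,23,8291 protocol=tcp
# Management and VPN services accepted on input. Winbox is accepted from every interface
# and each matching packet is logged; restrict it with in-interface=<WAN-IFACE> or a
# src-address-list of administrator hosts. PPTP (1723/tcp plus GRE) relies on MS-CHAPv2,
# whose weaknesses are well documented; prefer L2TP/IPsec where the clients allow it.
add action=accept chain=input comment="Winbox acces from WAN" dst-port=8291 log=yes protocol=tcp
add action=accept chain=input comment="Allow VPN - PPTP Server" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow VPN - L2TP Server" dst-port=1701 protocol=udp
# No terminating rule: RouterOS chains default to accept, so input traffic not matched
# above (SSH and Telnet, for example, are only throttled, never denied) is still let in.
# Close the input chain with a rule such as  add action=drop chain=input in-interface=<WAN-IFACE>
# once the WAN interface name is known, keeping the accepts above in front of it.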


************************ mangle ********************************************

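/ip firewall mangle
# Traffic classification for queues. Each service has a pair of rules: mark-connection
# (X_C, passthrough=yes) followed by mark-packet (X_F, passthrough=no), so a classified
# packet leaves the chain here and never reaches the catch-all "Resto trafico" pair
# at the end, which marks whatever is left as Otro_C/Otro_F.
add action=mark-connection chain=prerouting comment=******ICMP****** new-connection-mark=ICMP_C passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP_C new-packet-mark=ICMP_F passthrough=no
# HTTP/HTTPS are matched on src-port, i.e. the server->client direction of the flow.
# The mark names HTTP_C_upd, HTTPS_C_tpc and HTTPS_F_tpc are misspelled but kept
# unchanged: packet marks may be referenced by queue rules outside this file.
add action=mark-connection chain=prerouting comment=Http_tcp new-connection-mark=HTTP_C_tcp passthrough=yes protocol=tcp src-port=80
add action=mark-packet chain=prerouting connection-mark=HTTP_C_tcp new-packet-mark=HTTP_F_tcp packet-mark="" passthrough=no
add action=mark-connection chain=prerouting comment=Http_udp new-connection-mark=HTTP_C_upd passthrough=yes protocol=udp src-port=80
add action=mark-packet chain=prerouting connection-mark=HTTP_C_upd new-packet-mark=HTTP_F_udp packet-mark="" passthrough=no
add action=mark-connection chain=prerouting comment=Https_tcp new-connection-mark=HTTPS_C_tpc passthrough=yes protocol=tcp src-port=443
add action=mark-packet chain=prerouting connection-mark=HTTPS_C_tpc new-packet-mark=HTTPS_F_tpc packet-mark="" passthrough=no
add action=mark-connection chain=prerouting comment=Https_udp new-connection-mark=HTTPS_C_udp passthrough=yes protocol=udp src-port=443
add action=mark-packet chain=prerouting connection-mark=HTTPS_C_udp new-packet-mark=HTTPS_F_udp packet-mark="" passthrough=no
# Fix: the DNS mark-packet rules matched connection-mark=DNS_tcp / DNS_udp, but the
# connections are marked DNS_C_tcp / DNS_C_udp, so DNS packets were never marked DNS_F_*
# and fell through to the catch-all as Otro_F. They now match the mark actually set.
add action=mark-connection chain=prerouting comment=DNS_tcp connection-mark="" new-connection-mark=DNS_C_tcp packet-mark="" passthrough=yes protocol=tcp src-port=53
add action=mark-packet chain=prerouting connection-mark=DNS_C_tcp new-packet-mark=DNS_F_tcp passthrough=no
add action=mark-connection chain=prerouting comment=DNS_udp connection-mark="" new-connection-mark=DNS_C_udp packet-mark="" passthrough=yes protocol=udp src-port=53
add action=mark-packet chain=prerouting connection-mark=DNS_C_udp new-packet-mark=DNS_F_udp passthrough=no
add action=mark-connection chain=prerouting comment=VPN dst-port=1701 new-connection-mark=VPN_C passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=VPN_C new-packet-mark=VPN_F passthrough=no
# Fix: the Voip mark-packet rule had passthrough=yes, the only one in this set, so Voip
# packets continued to the catch-all below and were re-marked Otro_C/Otro_F.
add action=mark-connection chain=prerouting comment=Voip dst-port=5060,5061 new-connection-mark=Voip_C passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=Voip_C new-packet-mark=Voip_F passthrough=no
# Catch-all for everything not classified above. It has no matcher at all, so it must
# stay the last pair in the chain.
add action=mark-connection chain=prerouting comment="Resto trafico" new-connection-mark=Otro_C passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Otro_C new-packet-mark=Otro_F passthrough=no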


*******************bloqueo Whatsapp ******************************


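/system scheduler
# "Whatsapp Blocker": every 2m, copies each A record in the DNS cache whose name contains
# "whatsapp" into address-list Whatsapp (consumed by the forward drop rule with the same
# comment), logging each addition. A 10ms delay per entry keeps the CPU load down.
# Least privilege: the script only reads the DNS cache and writes an address-list, so
# policy=read,write is sufficient. The original grant (ftp,reboot,read,write,policy,test,
# password,sniff,sensitive) gave this scheduler entry far more than it uses.
# Entries are added without a timeout, so resolver addresses that stop belonging to the
# service stay blocked until removed by hand; the "already listed" check also looks at
# every address-list, not only Whatsapp, so an address present elsewhere is skipped.
add comment="Whatsapp Blocker" interval=2m name="Whatsapp Blocker" on-event="#\
\_Use DNS Entrys and add Address to the Firewall Address-list #\r\
\n:foreach i in=[/ip dns cache all find where (name~\"whatsapp\") && (type\
=\"A\") ] do={\r\
\n :local tmpAddress [/ip dns cache get \$i address];\r\
\ndelay delay-time=10ms\r\
\n# prevent script from using all cpu time #\r\
\n :if ( [/ip firewall address-list find where address=\$tmpAddress] = \
\"\") do={ \r\
\n :local cacheName [/ip dns cache get \$i name] ;\r\
\n :log info (\"added entry: \$cacheName \$tmpAddress\");\r\
\n /ip firewall address-list add address=\$tmpAddress list=Whatsapp co\
mment=\$cacheName;\r\
\n}\r\
\n}" policy=read,write start-time=startup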



/ip firewall filter
# Drops forwarded traffic whose destination is in address-list Whatsapp, the list the
# "Whatsapp Blocker" scheduler entry fills from the DNS cache.
add chain=forward comment="Whatsapp Blocker" dst-address-list=Whatsapp action=drop disabled=no



************************ virus ********************************************

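# "virus" chain: drops traffic to ports used by well-known worms and backdoors (Blaster,
# Sasser, MyDoom, NetBus, SubSeven, ...); the list is dated and should be reviewed rather
# than extended. Both jumps are appended at the end of forward and input, i.e. after every
# rule added earlier in this file, so on input only traffic not already accepted above is
# inspected. The chain has no explicit return; RouterOS returns at its end.
/ip firewall filter add chain=forward action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=no
/ip firewall filter add chain=input action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=no
# 135-139 and 445 are dropped for tcp and udp in forward as well, which also blocks
# legitimate NetBIOS/SMB between routed segments.
/ip firewall filter add chain=virus dst-port=135-139 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
/ip firewall filter add chain=virus dst-port=135-139 protocol=udp action=drop comment="Drop Messenger Worm" disabled=no
/ip firewall filter add chain=virus dst-port=445 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
/ip firewall filter add chain=virus dst-port=445 protocol=udp action=drop comment="Drop Blaster Worm" disabled=no
# The "________" comments are placeholders carried over from the source; the intended
# service for 593, 1024-1030 and 1214 is not recorded here. Confirm before keeping them.
/ip firewall filter add chain=virus dst-port=593 protocol=tcp action=drop comment="________" disabled=no
/ip firewall filter add chain=virus dst-port=1024-1030 protocol=tcp action=drop comment="________" disabled=no
/ip firewall filter add chain=virus dst-port=1080 protocol=tcp action=drop comment="Drop MyDoom" disabled=no
/ip firewall filter add chain=virus dst-port=1214 protocol=tcp action=drop comment="________" disabled=no
/ip firewall filter add chain=virus dst-port=1363 protocol=tcp action=drop comment="ndm requester" disabled=no
/ip firewall filter add chain=virus dst-port=1364 protocol=tcp action=drop comment="ndm server" disabled=no
/ip firewall filter add chain=virus dst-port=1368 protocol=tcp action=drop comment="screen cast" disabled=no
/ip firewall filter add chain=virus dst-port=1373 protocol=tcp action=drop comment="hromgrafx" disabled=no
/ip firewall filter add chain=virus dst-port=1377 protocol=tcp action=drop comment="cichlid" disabled=no
/ip firewall filter add chain=virus dst-port=1433-1434 protocol=tcp action=drop comment="Worm" disabled=no
# Fix: 2745/tcp was listed twice ("Bagle Virus" and "Drop Beagle.C-K" name the same worm);
# the duplicate rule is removed and this one covers Bagle/Beagle.C-K.
/ip firewall filter add chain=virus dst-port=2745 protocol=tcp action=drop comment="Bagle Virus" disabled=no
/ip firewall filter add chain=virus dst-port=2283 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
/ip firewall filter add chain=virus dst-port=2535 protocol=tcp action=drop comment="Drop Beagle" disabled=no
/ip firewall filter add chain=virus dst-port=3127-3128 protocol=tcp action=drop comment="Drop MyDoom" disabled=no
/ip firewall filter add chain=virus dst-port=3410 protocol=tcp action=drop comment="Drop Backdoor OptixPro" disabled=no
/ip firewall filter add chain=virus dst-port=4444 protocol=tcp action=drop comment="Worm" disabled=no
/ip firewall filter add chain=virus dst-port=4444 protocol=udp action=drop comment="Worm" disabled=no
/ip firewall filter add chain=virus dst-port=5554 protocol=tcp action=drop comment="Drop Sasser" disabled=no
/ip firewall filter add chain=virus dst-port=8866 protocol=tcp action=drop comment="Drop Beagle.B" disabled=no
/ip firewall filter add chain=virus dst-port=9898 protocol=tcp action=drop comment="Drop Dabber.A-B" disabled=no
/ip firewall filter add chain=virus dst-port=10000 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
/ip firewall filter add chain=virus dst-port=10080 protocol=tcp action=drop comment="Drop MyDoom.B" disabled=no
/ip firewall filter add chain=virus dst-port=12345 protocol=tcp action=drop comment="Drop NetBus" disabled=no
/ip firewall filter add chain=virus dst-port=17300 protocol=tcp action=drop comment="Drop Kuang2" disabled=no
/ip firewall filter add chain=virus dst-port=27374 protocol=tcp action=drop comment="Drop SubSeven" disabled=no
/ip firewall filter add chain=virus dst-port=65506 protocol=tcp action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no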