0% found this document useful (0 votes)

99 views6 pages

Mikrotik Firewall Configuration Guide

This document contains firewall configuration rules for address lists, filters, and chains. It defines rules for common reserved and private IP ranges, as well as rules to detect and block potential threats like SYN floods, port scanning, and spamming. The rules are designed to allow legitimate traffic while protecting the network.

Uploaded by

Pepi To

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

99 views6 pages

Mikrotik Firewall Configuration Guide

Uploaded by

Pepi To

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

/ip firewall address-list

1 add address=[Link]/8
add address=[Link]/8
2

3 disabled=yes list=bogons
4 add address=[Link]/8
5 add address=[Link]/16
add address=[Link]/12
6

7 disabled=yes list=bogons
add address=[Link]/16
8

9 disabled=yes list=bogons
10 add address=[Link]/24
add address=[Link]/24
11

12 add address=[Link]/15
13 add address=[Link]/24
14 add address=[Link]/24
add address=[Link]/4
15

16
add action=add-src-to-address-list address-
17 list=Syn_Flooder address-list-timeout=30m
chain=input \

add action=drop chain=input

18
add action=add-src-to-address-list address-
19 list=Port_Scanner address-list-timeout=1w
chain=input

20 disabled=no protocol=tcp psd=21,3s,3,1

add action=drop chain=input
21
add action=jump chain=input
22

23 add action=drop chain=input\

disabled=yes dst-port=8291 protocol=tcp src-address-

25 list=!support
add action=jump chain=forward
26
add action=drop chain=forward
27
add action=add-src-to-address-list address-
28 list=spammers address-list-timeout=3h chain=forward

add action=drop chain=forward

30 add action=accept chain=input

31 add action=accept chain=input
add action=accept chain=input
32

33 disabled=no
add action=accept chain=input
34
add action=accept chain=input
35
add action=drop chain=input
36

add action=accept chain=ICMP

38
add action=accept chain=ICMP
39
add action=accept chain=ICMP
40

41 add action=accept chain=ICMP

42 add action=drop chain=ICMP
add action=jump chain=output
43

44 /ip firewall filter

add chain=input
45
add chain=input
46

47 add action=drop chain=input

add action=drop chain=input
48
add action=drop chain=input
49
add action=drop chain=input
50
51 /ip firewall filter
add chain=forward
52

53 add action=drop chain=forward

add action=drop chain=forward
54

add action=drop chain=forward

58 /ip firewall filter

add action=drop chain=forward
59
Self-Identification [RFC 3330] disabled=no list=bogons
Private[RFC 1918] - CLASS A # Check if you need this subnet
before enable it\

Loopback [RFC 3330] disabled=no list=bogons

Link Local [RFC 3330] disabled=no list=bogons
Private[RFC 1918] - CLASS B # Check if you need this subnet
before enable it\

Private[RFC 1918] - CLASS C # Check if you need this subnet

before enable it\

Reserved - IANA - TestNet1 disabled=no list=bogons

6to4 Relay Anycast [RFC 3068] disabled=no list=bogons

NIDB Testing disabled=no list=bogons

Reserved - IANA - TestNet2 disabled=no list=bogons
Reserved - IANA - TestNet3 disabled=no list=bogons
MC, Class D, IANA # Check if you need this subnet before
enable it\

Add Syn Flood IP to the list connection-limit=30,32

disabled=no protocol=tcp tcp-flags=syn

Drop to syn flood list disabled=no src-address-

list=Syn_Flooder
Port Scanner Detect\

Drop to port scan list disabled=no src-address-

list=Port_Scanner
Jump for icmp input flow disabled=no jump-target=ICMP
protocol=icmp

Block all access to the winbox - except to support list # DO

NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE
SUPPORT ADDRESS LIST\

Jump for icmp forward flow disabled=no jump-target=ICMP

protocol=icmp
Drop to bogon list disabled=no dst-address-list=bogons

Add Spammers to the list for 3 hours\

Avoid spammers action disabled=no dst-port=25,587

protocol=tcp src-address-list=spammers
Accept DNS - UDP disabled=no port=53 protocol=udp
Accept DNS - TCP disabled=no port=53 protocol=tcp
Accept to established connections connection-
state=established\

Accept to related connections connection-state=related

disabled=no
Full access to SUPPORT address list disabled=no src-address-
list=support
Drop anything else! # DO NOT ENABLE THIS RULE BEFORE
YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED\

Echo request - Avoiding Ping Flood, adjust the limit as

needed disabled=no icmp-options=8:0 limit=2,5
protocol=icmp

Echo reply disabled=no icmp-options=0:0 protocol=icmp

Time Exceeded disabled=no icmp-options=11:0

protocol=icmp
Destination unreachable disabled=no icmp-options=3:0-1
protocol=icmp
PMTUD disabled=no icmp-options=3:4 protocol=icmp
Drop to the other ICMPs disabled=no protocol=icmp
Jump for icmp output disabled=no jump-target=ICMP
protocol=icmp

Accept established and related packets connection-

state=established,related
Accept all connections from local network in-interface=LAN

Drop invalid packets connection-state=invalid

Drop all packets which are not destined to routes IP address
dst-address-type=!local
Drop all packets which does not have unicast source IP
address src-address-type=!unicast
Drop all packets from public internet which should not exist
in public network in-interface=WAN src-address-
list=NotPublic
Accept established and related packets connection-
state=established,related
Drop invalid packets connection-state=invalid
Drop new connections from internet which are not dst-
natted connection-nat-state=!dstnat connection-state=new
in-interface=WAN

Drop all packets from public internet which should not exist
in public network in-interface=WAN src-address-
list=NotPublic

Drop all packets from local network to internet which should

not exist in public network dst-address-list=NotPublic in-
interface=LAN

Drop all packets in local network which does not have local
network address in-interface=LAN src-address=!
[Link]/24

Drop new connections from internet which are not dst-

natted connection-nat-state=!dstnat connection-state=new
in-interface=WAN

IP Firewall Address List Configuration
No ratings yet
IP Firewall Address List Configuration
3 pages
IFG Firewall
No ratings yet
IFG Firewall
3 pages
Regras Firewall
No ratings yet
Regras Firewall
2 pages
Firewall FBasic Examples
No ratings yet
Firewall FBasic Examples
3 pages
DHCP Alerts & Firewall Rules Log
No ratings yet
DHCP Alerts & Firewall Rules Log
3 pages
Network Configuration Script
No ratings yet
Network Configuration Script
8 pages
Anti-Netcut Firewall Rules
No ratings yet
Anti-Netcut Firewall Rules
3 pages
Ecmp Load Balancing Failover With Proxy and DNS
No ratings yet
Ecmp Load Balancing Failover With Proxy and DNS
4 pages
Firewall MK
No ratings yet
Firewall MK
3 pages
6to4 Firewall Configuration Guide
No ratings yet
6to4 Firewall Configuration Guide
7 pages
Basic Firewall Script for IP Protection
No ratings yet
Basic Firewall Script for IP Protection
3 pages
Copia RB 2011 Rita ... Mikrotik
No ratings yet
Copia RB 2011 Rita ... Mikrotik
9 pages
Comprehensive Firewall Setup Guide
No ratings yet
Comprehensive Firewall Setup Guide
10 pages
Ip Firewall filter-MIKROTIK BLOQUEO DE VULNERABILIDADES
No ratings yet
Ip Firewall filter-MIKROTIK BLOQUEO DE VULNERABILIDADES
1 page
Firewall Avanzado v6
No ratings yet
Firewall Avanzado v6
1 page
Tecnomet Internet PPPoE Configuration Guide
No ratings yet
Tecnomet Internet PPPoE Configuration Guide
5 pages
Regras Forward
No ratings yet
Regras Forward
1 page
MikroTik Firewall Filter Rules Guide
No ratings yet
MikroTik Firewall Filter Rules Guide
4 pages
Firewall
No ratings yet
Firewall
4 pages
Mikrotik Firewall Mangle Configuration
No ratings yet
Mikrotik Firewall Mangle Configuration
3 pages
Iptables: Linux Firewall Guide
No ratings yet
Iptables: Linux Firewall Guide
31 pages
Filter
No ratings yet
Filter
2 pages
Firewall Rules for Bogon IPs & Security
No ratings yet
Firewall Rules for Bogon IPs & Security
4 pages
Firewall Filters: Las Reglas Más Básicas Que Debe Tener Un RB Mikrotik
No ratings yet
Firewall Filters: Las Reglas Más Básicas Que Debe Tener Un RB Mikrotik
3 pages
4.4.1.2 - Configure Ip Acls To Mitigate Attacks: Topology
No ratings yet
4.4.1.2 - Configure Ip Acls To Mitigate Attacks: Topology
85 pages
MikroTik Firewall Script Guide
No ratings yet
MikroTik Firewall Script Guide
2 pages
IPTables/Netfilter Guide & Commands
No ratings yet
IPTables/Netfilter Guide & Commands
6 pages
QOS Segment
No ratings yet
QOS Segment
11 pages
Port Flooding Mikrotik
No ratings yet
Port Flooding Mikrotik
3 pages
QOS
No ratings yet
QOS
2 pages
Script Configuracion rB2011
No ratings yet
Script Configuracion rB2011
5 pages
اهم اسكربتات الميكروتك
No ratings yet
اهم اسكربتات الميكروتك
13 pages
Firewall
No ratings yet
Firewall
4 pages
#1: Displaying The Status of Your Firewall: Type The Following Command As Root
No ratings yet
#1: Displaying The Status of Your Firewall: Type The Following Command As Root
19 pages
Mikrotik Firewall Mangle Rules
No ratings yet
Mikrotik Firewall Mangle Rules
2 pages
Mikrotik Firewall P2P Blocking Guide
No ratings yet
Mikrotik Firewall P2P Blocking Guide
2 pages
Filter Rule
No ratings yet
Filter Rule
2 pages
Multicast MK
No ratings yet
Multicast MK
1 page
RouterOS Setup Guide for Admins
No ratings yet
RouterOS Setup Guide for Admins
7 pages
333333333
No ratings yet
333333333
2 pages
Network Traffic Management Guide
No ratings yet
Network Traffic Management Guide
2 pages
4.4.1.2 Packet Tracer - Configure IP ACLs To Mitigate Attacks - Instructor
No ratings yet
4.4.1.2 Packet Tracer - Configure IP ACLs To Mitigate Attacks - Instructor
17 pages
Seting Basic Mikrotik Firewall
No ratings yet
Seting Basic Mikrotik Firewall
3 pages
Configuring Squid Router for Gaming
No ratings yet
Configuring Squid Router for Gaming
10 pages
Script Ccr2116 Borne
No ratings yet
Script Ccr2116 Borne
4 pages
Balanceo 4 Lineas PPPOE
No ratings yet
Balanceo 4 Lineas PPPOE
2 pages
PCQ Prueba
No ratings yet
PCQ Prueba
1 page
FreeBSD Firewall Configuration
No ratings yet
FreeBSD Firewall Configuration
7 pages
Setting Mikrotik Untuk Warnet DG Feature Web-Proxy Nya
No ratings yet
Setting Mikrotik Untuk Warnet DG Feature Web-Proxy Nya
10 pages
Router Challenge 195
No ratings yet
Router Challenge 195
28 pages
Load Balancing for Poinblank Game
100% (1)
Load Balancing for Poinblank Game
11 pages
Block Brute Force Attack in Mikro
No ratings yet
Block Brute Force Attack in Mikro
5 pages
Simple and Powerfull Firewall Filter
No ratings yet
Simple and Powerfull Firewall Filter
4 pages
9.1.3 Packet Tracer - Identify MAC and IP Addresses
No ratings yet
9.1.3 Packet Tracer - Identify MAC and IP Addresses
3 pages
Understanding DNS Records and Zones
No ratings yet
Understanding DNS Records and Zones
18 pages
Cisco ASR 9000 Series 40 and 56 Gigabit Ethernet Line Cards: Product Overview
No ratings yet
Cisco ASR 9000 Series 40 and 56 Gigabit Ethernet Line Cards: Product Overview
6 pages
3com 4250T 3C17302
No ratings yet
3com 4250T 3C17302
3 pages
Textos
No ratings yet
Textos
110 pages
350-401 Dumps Implementing and Operating Cisco Enterprise Network Core Technologies
No ratings yet
350-401 Dumps Implementing and Operating Cisco Enterprise Network Core Technologies
11 pages
Nokia Beacon 1 Setup and Provisioning Guide
No ratings yet
Nokia Beacon 1 Setup and Provisioning Guide
14 pages
Regles Snort3
No ratings yet
Regles Snort3
2 pages
Assignment 4 Tavishi Jain 21BDS0113: A. Configuring Static NAT Using CLI in Cisco Packet Tracer
No ratings yet
Assignment 4 Tavishi Jain 21BDS0113: A. Configuring Static NAT Using CLI in Cisco Packet Tracer
46 pages
1.3 Computer Networks, Connections and Protocols
No ratings yet
1.3 Computer Networks, Connections and Protocols
16 pages
Router User Management Guide
No ratings yet
Router User Management Guide
47 pages
5G NR Protocols Overview and Functions
No ratings yet
5G NR Protocols Overview and Functions
17 pages
10G UDP - IP Protocol Stack IP Core User Guide
No ratings yet
10G UDP - IP Protocol Stack IP Core User Guide
2 pages
7 CN - Question Bank
No ratings yet
7 CN - Question Bank
4 pages
Nmap Guide: Beginner to Advanced Techniques
No ratings yet
Nmap Guide: Beginner to Advanced Techniques
13 pages
Model Paper of Programmer 6 (P1)
No ratings yet
Model Paper of Programmer 6 (P1)
12 pages
Azure Firewall
No ratings yet
Azure Firewall
283 pages
Catalyst SD-WAN Dual Router High Availability With NGFW
No ratings yet
Catalyst SD-WAN Dual Router High Availability With NGFW
7 pages
Unit - 6 (Application Layer)
No ratings yet
Unit - 6 (Application Layer)
98 pages
GPRS: Features and Architecture Guide
No ratings yet
GPRS: Features and Architecture Guide
18 pages
Rici-4E1, Rici-4T1, Rici-8E1, Rici-8T1: Fast Ethernet Over Four or Eight E1 or T1 Ntus
No ratings yet
Rici-4E1, Rici-4T1, Rici-8E1, Rici-8T1: Fast Ethernet Over Four or Eight E1 or T1 Ntus
1 page
GC 2024 09 20
No ratings yet
GC 2024 09 20
20 pages
Wifi
100% (1)
Wifi
40 pages
Exchange 2010 Understand
No ratings yet
Exchange 2010 Understand
493 pages
Dell Networking Small Business Reference Architecture
No ratings yet
Dell Networking Small Business Reference Architecture
41 pages
1RZ18MCA14-Harshith Kumar K
No ratings yet
1RZ18MCA14-Harshith Kumar K
15 pages
Arista EOS Central L2EVPN MPLS
No ratings yet
Arista EOS Central L2EVPN MPLS
20 pages
Os10 RN 10 5 6 7
No ratings yet
Os10 RN 10 5 6 7
15 pages
Configure VLANs and Router Settings
No ratings yet
Configure VLANs and Router Settings
9 pages
BCSU and PCU: Functions and Interfaces
No ratings yet
BCSU and PCU: Functions and Interfaces
2 pages

Uploaded by

Uploaded by

/ip firewall address-list

add action=drop chain=input

20 disabled=no protocol=tcp psd=21,3s,3,1

23 add action=drop chain=input\

disabled=yes dst-port=8291 protocol=tcp src-address-

add action=drop chain=forward

30 add action=accept chain=input

add action=accept chain=ICMP

add action=accept chain=ICMP

41 add action=accept chain=ICMP

44 /ip firewall filter

47 add action=drop chain=input

53 add action=drop chain=forward

add action=drop chain=forward

add action=drop chain=forward

add action=drop chain=forward

58 /ip firewall filter

Loopback [RFC 3330] disabled=no list=bogons

Private[RFC 1918] - CLASS C # Check if you need this subnet

Reserved - IANA - TestNet1 disabled=no list=bogons

NIDB Testing disabled=no list=bogons

Add Syn Flood IP to the list connection-limit=30,32

Drop to syn flood list disabled=no src-address-

Drop to port scan list disabled=no src-address-

Block all access to the winbox - except to support list # DO

Jump for icmp forward flow disabled=no jump-target=ICMP

Add Spammers to the list for 3 hours\

Avoid spammers action disabled=no dst-port=25,587

Accept to related connections connection-state=related

Echo request - Avoiding Ping Flood, adjust the limit as

Echo reply disabled=no icmp-options=0:0 protocol=icmp

Time Exceeded disabled=no icmp-options=11:0

Accept established and related packets connection-

Drop invalid packets connection-state=invalid

Drop all packets from local network to internet which should

Drop new connections from internet which are not dst-

You might also like