
Upload: koulis123

Post on 28-Dec-2015


MikroTik RB750 - Basic Firewall & Security

http://klseet.com/index.php?option=com_content&view=article&id=43&Itemid=40[19/6/2012 10:46:09 μμ]

Sunday, 13 February 2011 01:59

RB750/750G Basic Firewall & Security

Documentation links:

From MikroTik: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall
From Users: http://wiki.mikrotik.com/wiki/Firewall

I'm not familiar with MikroTik and Linux commands; honestly, I'm totally lost reading that wiki documentation! So basically I just follow the links & guides below, copying & pasting to set up:

Basic Example: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Basic_examples
Bruteforce login prevention: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_%28FTP_%26_SSH%29
Drop port scanners: http://wiki.mikrotik.com/wiki/Drop_port_scanners

I can't tell whether it's really working fine or sufficient for general usage purposes; please note you use it at your own risk! I would appreciate it if any MikroTik guru, or anyone familiar with this area, could advise/comment to further improve this article and help beginners like me; kindly email: [email protected] Credit will definitely go to whoever contributes to improving this article, many thanks in advance!

Before starting any new setting, ALWAYS back up the current good setting first. Go to Files and click the Backup option:



Notice it will backup a file with date & time as follow:



You may also want to copy the backup file to your computer, should the router crash and you need to restore the last good setting. Select the backup file and click the Copy button:

Go to your computer folder, click Paste and the file will be copied:



Make sure the backup file has been copied to the computer folder.

The default setting has no admin password at all; it's always advisable to create your own admin password for access to the router. Go to System --> Password

Enter own admin password


Since I only use WinBox to configure the router locally and do not wish to connect to or run any other services, I chose to disable all the following services. You may choose which services to enable/disable according to your requirements.

Go to IP --> Services


Select those services and click Disable button


Make sure it's disabled as follows:


Next go to IP --> Firewall

Choose Service Ports tab, select those services and click Disable


Make sure it's disabled as follows:


The next step is to setup basic firewall rules.

Please note this setup continues from the UniFi setup article and is based on the assumption that:

Default network segment: 192.168.88.0/24
Internet interface: UniFi-Internet

You may need to change the above value according to your actual setup.

For first-time setup, it's easier to use the Terminal and enter the codes. Click New Terminal and it will show you the command entry screen:

To setup firewall rule & filter, type "/ip firewall filter" and hit enter


Select & copy those codes (from the list below, after this section). Please do it one portion at a time, DO NOT select all at one go!!

then Paste those codes at the terminal:


Re-confirm the number of entries and make sure there is no error (in red colours)


ALWAYS hit enter and make sure return to "[admin@MikroTik] /ip firewall filter>" :


Close the Terminal window once confirmed. Now we need to check whether the codes entered are properly listed. Go to IP --> Firewall

Notice that the additional firewall rules are now added:


Select the first 4 default rules, click Disable since we are creating own rules.


Make sure it's disabled as follows:


Proceed to enter the remaining codes following the same steps above, portion by portion, to complete the firewall rules setup.

Once it's completed, you may see the connection statistic like this:

You may need to keep revising & enhancing the rules according to your needs. Once confirmed, again, ALWAYS make another backup and copy it to your computer!


Codes - Firewall Rules

Note: Enter "/ip firewall filter" at the Terminal window before copying & pasting the following codes

Allow only needed icmp codes in icmp chain:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

Bruteforce login prevention

Allow only 10 incorrect FTP logins per minute per address; beyond that the address is blacklisted for 3 hours:

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

Ban an SSH brute forcer for 10 days after repeated attempts (three address lists escalate the source on each new connection within a minute):

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
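To see how the staged address lists above behave, here is an added Python simulation of those six rules (example code, not from the article or from MikroTik). It assumes RouterOS evaluates the rules top to bottom, that add-src-to-address-list does not stop rule processing, and that re-adding an address refreshes its timeout; the source address is a constructed documentation address. It also shows the two edges a defender should know: attempts spaced more than a minute apart never escalate, and any source opening four new SSH connections within a minute, legitimate or not, is banned for 10 days.

```python
from dataclasses import dataclass, field

# Timeouts from the article's rules: stage lists expire after 1 minute, the blacklist after 10 days.
STAGE_TIMEOUT = 60
BLACKLIST_TIMEOUT = 10 * 24 * 3600


@dataclass
class AddressLists:
    """Dynamic address lists: list name -> {source address -> expiry time in seconds}."""
    lists: dict = field(default_factory=dict)

    def contains(self, name, src, now):
        expiry = self.lists.get(name, {}).get(src)
        return expiry is not None and expiry > now

    def add(self, name, src, now, timeout):
        # Modelling assumption: re-adding an address that is already listed refreshes its timeout.
        self.lists.setdefault(name, {})[src] = now + timeout


def ssh_new_connection(lists, src, now):
    """Run the first packet of a new TCP/22 connection from src through the six input rules,
    top to bottom. add-src-to-address-list never terminates processing, so every stage the
    source has already reached is bumped one step further. Returns the verdict for that packet."""
    if lists.contains("ssh_blacklist", src, now):
        return "drop"                                            # drop ssh brute forcers
    if lists.contains("ssh_stage3", src, now):
        lists.add("ssh_blacklist", src, now, BLACKLIST_TIMEOUT)  # 4th attempt in a minute: ban 10d
    if lists.contains("ssh_stage2", src, now):
        lists.add("ssh_stage3", src, now, STAGE_TIMEOUT)
    if lists.contains("ssh_stage1", src, now):
        lists.add("ssh_stage2", src, now, STAGE_TIMEOUT)
    lists.add("ssh_stage1", src, now, STAGE_TIMEOUT)              # every new connection lands here
    return "accept"  # later packets of this connection still hit rule 1 if the source got banned


def simulate(attempt_times, src="203.0.113.10"):
    """Feed the timestamps (seconds) of new SSH connections from one constructed source address
    through the rules. Returns the per-attempt verdicts and whether the source is blacklisted."""
    lists = AddressLists()
    verdicts = [ssh_new_connection(lists, src, t) for t in attempt_times]
    return verdicts, lists.contains("ssh_blacklist", src, attempt_times[-1])


if __name__ == "__main__":
    print(simulate([0, 10, 20, 30, 40]))        # fast brute force: 5th attempt dropped, banned
    print(simulate([0, 90, 180, 270, 360]))     # attempts over a minute apart: never escalates
    print(simulate([0, 15, 30, 45]))            # four quick logins by anyone: banned for 10 days
```

If your own users regularly open several SSH sessions in quick succession, raise the stage timeouts or whitelist their source addresses above the first rule before relying on this block.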

Drop port scanners


add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no

Various combinations of TCP flags can also indicate port scanner activity:

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

Drop those IPs in both Input & Forward chains:

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Router protection (input chain - traffic addressed to the router itself):

add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input src-address=192.168.88.0/24 action=accept in-interface=!UniFi-Internet
add chain=input action=drop comment="Drop everything else"

Customer protection (forward chain - traffic passing through the router):

add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"

Block Bogon IP addresses:

add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogon IP addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

Make jumps to new chains:

add chain=forward protocol=tcp action=jump jump-target=tcp comment="Make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

Create TCP chain and deny some TCP ports in it (revise port numbers as needed):

add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

Create UDP chain and deny some UDP ports in it (revise port numbers as needed):

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

Last Updated on Monday, 28 February 2011 23:43
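Because the article's procedure pastes the rules one portion at a time, the result depends on the order the portions went in: anything pasted after the input chain's "Drop everything else" rule is never reached, and a jump to the tcp/udp/icmp chains only does something once those chains have rules. As an added sanity check (example code, not from the article or from MikroTik) this Python linter parses pasted add lines and flags both problems; it goes slightly beyond the article by checking every chain, not only input. The sample rule text is constructed to show the wrong order.

```python
import shlex

# Actions that end evaluation; combined with no match criteria they close the chain.
TERMINAL_ACTIONS = {"drop", "accept", "reject", "tarpit"}
# Parameters that do not narrow which packets a rule matches.
NON_MATCHERS = {"chain", "action", "comment", "disabled", "jump-target",
                "address-list", "address-list-timeout", "log-prefix"}


def parse_rules(text):
    """Turn 'add key=value ...' lines (as pasted into /ip firewall filter) into dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            tokens = shlex.split(line)[1:]      # shlex keeps quoted values like "port scanners"
            rules.append(dict(tok.partition("=")[::2] for tok in tokens))
    return rules


def lint(text):
    """Report jumps to chains with no rules and rules shadowed by an earlier unconditional
    terminal rule in the same chain. Rule numbers are 1-based, like the WinBox list."""
    rules = parse_rules(text)
    defined = {r["chain"] for r in rules}
    closed, findings = {}, []                     # closed: chain -> rule number that ended it
    for num, r in enumerate(rules, 1):
        if r.get("disabled") == "yes":
            continue
        chain, target = r["chain"], r.get("jump-target")
        if target and target not in defined:
            findings.append(f"rule {num}: jumps to chain '{target}', which has no rules")
        if chain in closed:
            findings.append(f"rule {num}: unreachable, chain '{chain}' ends at rule {closed[chain]}")
        elif not (set(r) - NON_MATCHERS) and r.get("action") in TERMINAL_ACTIONS:
            closed[chain] = num
    return findings


# Constructed sample: the article's "Drop everything else" pasted before two of its SSH rules,
# plus the forward-chain jump to a udp chain that was never created.
SAMPLE_WRONG_ORDER = """
add chain=input src-address=192.168.88.0/24 action=accept in-interface=!UniFi-Internet
add chain=input action=drop comment="Drop everything else"
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
add chain=forward protocol=udp action=jump jump-target=udp
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_WRONG_ORDER)))
```

Run it over the full pasted text in the order you actually entered it; an empty result means every rule is reachable and every jump target exists.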