Fri, Mar 29, 2024

RB750/750G Basic Firewall & Security

 

Documentation links:

From MikroTik: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall
From Users: http://wiki.mikrotik.com/wiki/Firewall

I'm not familiar with MikroTik and Linux commands; honestly, I'm totally lost reading that wiki documentation! So basically I just follow the links & guides below and copy & paste to set up:

Basic Example:  http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Basic_examples
Bruteforce login prevention:  http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_%28FTP_%26_SSH%29
Drop port scanners:  http://wiki.mikrotik.com/wiki/Drop_port_scanners

 

I can't tell whether it really works fine or is sufficient for general usage purposes, so please note you use it at your own risk!
I'd appreciate it if MikroTik gurus, or anyone familiar with this area, could advise/comment to further improve this article and help beginners like me; kindly get in touch by email.
Credit will definitely go to whoever contributes to improving this article, many thanks in advance!

Before starting any new setting, ALWAYS back up the current good setting first.
Go to Files and click the Backup option:

Notice it creates a backup file named with the date & time, as follows:

You may also want to copy the backup file to your computer, should the router crash and you need to restore the last good setting.
Select the backup file and click the Copy button:

Go to a folder on your computer, click Paste and the file will be copied:

Make sure the backup file has been copied to the computer folder.

 

The default setting does not have any admin password; it's always advisable to set your own admin password for accessing the router.
Go to System --> Password

Enter your own admin password

 

Since I only use WinBox to configure the router locally and do not wish to connect to or run any other services, I chose to disable all the following services.
You may choose and decide which services to enable/disable according to your requirements.

Go to IP --> Services

Select those services and click the Disable button

Make sure they're disabled as follows:

Next go to IP --> Firewall

Choose the Service Ports tab, select those services and click Disable

Make sure they're disabled as follows:

The next step is to set up basic firewall rules.

Please note this setup continues from the UniFi setup article and is based on the assumption that:

Default network segment: 192.168.88.0/24
Internet interface: UniFi-Internet

You may need to change the above values according to your actual setup.

For the first-time setup, it's easier to use the Terminal and enter the commands.
Click New Terminal and it will show you the command entry screen:

To set up the firewall rules & filter, type "/ip firewall filter" and hit Enter

 

Select & copy the commands (from the list below, after this section); do it one portion at a time and keep the order given, since the firewall evaluates rules top-down. DO NOT select all at one go!!

Then paste them into the terminal:

Re-confirm the number of entries and make sure there is no error (shown in red)

ALWAYS hit Enter and make sure the prompt returns to "[admin@MikroTik] /ip firewall filter>":

Close the Terminal window once confirmed. Now we need to check whether the commands you entered are properly listed.
Go to IP --> Firewall

Notice the additional firewall rules are now added:

 

Select the first 4 default rules and click Disable, since we are creating our own rules.

Make sure it's disabled as follows:

 

Continue entering the remaining commands by following the same steps above, portion by portion, to complete the firewall rules setup.

Once it's completed, you may see connection statistics like this:

You may need to continue to revise & enhance the rules according to your needs.
Once confirmed, again, ALWAYS make another backup and copy it to your computer!

Commands - Firewall Rules

Note: Enter "/ip firewall filter" in the Terminal window before copying & pasting the following commands

 

Allow only the needed ICMP types/codes in the icmp chain:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

 

Brute-force login prevention

Allow only 10 incorrect FTP login answers per minute:

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

Ban an SSH brute forcer for 10 days after repeated attempts (the source is staged through ssh_stage1, ssh_stage2 and ssh_stage3 first):

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="ssh stage3 -> blacklist" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="ssh stage2 -> stage3" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="ssh stage1 -> stage2" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="new ssh connection -> stage1" disabled=no
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
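To see how the staged rules above interact, here is an added Python model (not the page's or MikroTik's code) of the ssh_stage1/2/3 and ssh_blacklist escalation. It assumes that re-adding an address already on a dynamic list refreshes its timeout; the source IP and attempt timings are constructed.

```python
"""Model of the staged SSH brute-force rules above (added example, not
MikroTik's code). Rules run top-down; add-src-to-address-list is a
pass-through action, so several rules can fire on one packet.
Assumption: re-adding an address already on a list refreshes its timeout."""
from collections import defaultdict

STAGE_TIMEOUT = 60             # address-list-timeout=1m
BAN_TIMEOUT = 10 * 24 * 3600   # address-list-timeout=10d

class AddressLists:
    """Dynamic address lists: {list name: {ip: expiry time in seconds}}."""
    def __init__(self):
        self.lists = defaultdict(dict)

    def has(self, name, ip, now):
        return self.lists[name].get(ip, -1) > now

    def add(self, name, ip, now, timeout):
        self.lists[name][ip] = now + timeout

def new_ssh_connection(lists, ip, now):
    """Run one connection-state=new SSH packet through the rules; return
    'drop' (blacklist hit) or 'pass' (continues to the later input rules)."""
    if lists.has("ssh_blacklist", ip, now):
        return "drop"                                  # terminating action
    if lists.has("ssh_stage3", ip, now):
        lists.add("ssh_blacklist", ip, now, BAN_TIMEOUT)
    if lists.has("ssh_stage2", ip, now):
        lists.add("ssh_stage3", ip, now, STAGE_TIMEOUT)
    if lists.has("ssh_stage1", ip, now):
        lists.add("ssh_stage2", ip, now, STAGE_TIMEOUT)
    lists.add("ssh_stage1", ip, now, STAGE_TIMEOUT)    # every new connection
    return "pass"

def simulate(arrival_times, ip="203.0.113.7"):
    """Feed new connections at the given seconds (constructed); return verdicts."""
    lists = AddressLists()
    return [new_ssh_connection(lists, ip, t) for t in arrival_times]

if __name__ == "__main__":
    # Burst: the 4th attempt inside a minute trips the 10-day ban, the 5th is dropped.
    print(simulate([0, 10, 20, 30, 40]))      # ['pass', 'pass', 'pass', 'pass', 'drop']
    # Slow: attempts more than 1m apart never get past ssh_stage1.
    print(simulate([0, 70, 140, 210, 280]))   # ['pass', 'pass', 'pass', 'pass', 'pass']
```

The slow pattern shows the limit of the approach: with the 1m stage timeouts, a source that spaces attempts more than a minute apart is never escalated.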


Drop port scanners

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no

Various combinations of TCP flags can also indicate port scanner activity:

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

Drop those IPs in both the input & forward chains:

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
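The matcher below is an added Python model (not the page's or MikroTik's code) of how a RouterOS tcp-flags value matches a packet, run against the six scan signatures above: a bare flag must be set, a "!" flag must be clear, and unmentioned flags are ignored. The sample flag sets are constructed; the checks show why the "!ack" etc. terms keep a normal FIN/ACK close off the list while a SYN/FIN probe is caught even with ACK set.

```python
"""RouterOS tcp-flags matching, modelled for the page's six "port
scanners" rules (added example, not MikroTik's code). Bare flag = must
be set, '!' flag = must be clear, unmentioned flag = don't care."""

FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# comment -> tcp-flags value, copied from the "Drop port scanners" rules above
SCAN_RULES = {
    "NMAP FIN Stealth scan": "fin,!syn,!rst,!psh,!ack,!urg",
    "SYN/FIN scan": "fin,syn",
    "SYN/RST scan": "syn,rst",
    "FIN/PSH/URG scan": "fin,psh,urg,!syn,!rst,!ack",
    "ALL/ALL scan": "fin,syn,rst,psh,ack,urg",
    "NMAP NULL scan": "!fin,!syn,!rst,!psh,!ack,!urg",
}

def tcp_flags_match(spec, flags_set):
    """True when a packet with exactly `flags_set` set satisfies `spec`."""
    for item in spec.split(","):
        name = item.lstrip("!")
        if name not in FLAGS:
            raise ValueError(f"unknown TCP flag: {name}")
        if item.startswith("!"):
            if name in flags_set:
                return False      # a required-clear flag is set
        elif name not in flags_set:
            return False          # a required-set flag is missing
    return True

def matching_rules(flags_set):
    """Comments of every scan rule the packet would hit, in rule order."""
    return [name for name, spec in SCAN_RULES.items()
            if tcp_flags_match(spec, flags_set)]

if __name__ == "__main__":
    print(matching_rules({"syn"}))                # ordinary connect: []
    print(matching_rules({"fin", "ack"}))         # ordinary close: []
    print(matching_rules({"fin"}))                # ['NMAP FIN Stealth scan']
    print(matching_rules(set()))                  # ['NMAP NULL scan']
    print(matching_rules({"fin", "syn", "ack"}))  # ['SYN/FIN scan'], ack is don't-care
```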

 

Router protection (input chain - traffic to the router itself):

add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input src-address=192.168.88.0/24 in-interface=!UniFi-Internet action=accept comment="Allow access from LAN"
add chain=input action=drop comment="Drop everything else"


Customer protection (forward chain - traffic passing through the router):

add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept \ comment="allow related connections"

Block Bogon IP addresses:

add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogon IP addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

Make jumps to new chains:

add chain=forward protocol=tcp action=jump jump-target=tcp comment="Make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

Create the tcp chain and deny some TCP ports in it (revise port numbers as needed):

add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

Create the udp chain and deny some UDP ports in it (revise port numbers as needed):

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"