X86 j4125 4網口小主機折騰筆記五:PVE安裝ROS RouterOS
X86 RouterOS 7.18 設置筆記一:基礎設置
X86 RouterOS 7.18 設置筆記二:網絡基礎設置(IPV4)
X86 RouterOS 7.18 設置筆記三:防火墻設置(IPV4)
X86 RouterOS 7.18 設置筆記四:網絡設置(IPV6)
X86 RouterOS 7.18 設置筆記五:防火墻設置(IPV6)
X86 RouterOS 7.18 設置筆記六:端口映射(IPv4、IPv6)及回流問題
X86 RouterOS 7.18 設置筆記七:不使用Upnp的映射方法
X86 RouterOS 7.18 設置筆記八:策略路由及DNS劫持
X86 RouterOS 7.18 設置筆記九:上海電信單線復用IPTV設置
X86 RouterOS 7.18 設置筆記十:上海電信IPTV使用msd_lite實現組播轉單撥
目錄標題
- 實現的目標
- 防火墻設置
- 添加地址列表
- 重定向非DNS列表里的客戶端DNS到主路由(可選)
- 添加規則
實現的目標
防火墻設置
添加地址列表
```
/ip firewall address-list add address=192.168.1.1 comment="local moden ipv4" list=local_moden_ipv4
/ip firewall address-list add address=192.168.0.0/24 comment="local LAN ipv4" list=local_LAN_ipv4/ip firewall address-list add address=192.168.0.1 comment="local DNS ipv4" list=local_DNS_ipv4
/ip firewall address-list add address=192.168.0.5 comment="local DNS ipv4" list=local_DNS_ipv4/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4/ip firewall address-list add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
/ip firewall address-list add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
/ip firewall address-list add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
重定向非DNS列表里的客戶端DNS到主路由(可選)
/ip firewall nat add action=dst-nat chain=dstnat comment="lanconf: DNS dstnat to DNS Server(UDP)" dst-address-list=!local_DNS_ipv4 dst-port=53 in-interface-list=LAN protocol=udp to-addresses=192.168.0.1 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat comment="lanconf: DNS dstnat to DNS Server(TCP)" dst-address-list=!local_DNS_ipv4 dst-port=53 in-interface-list=LAN protocol=tcp to-addresses=192.168.0.1 to-ports=53
添加規則
#接受已建立的、相關的或未跟蹤的入站流量
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# 丟棄無效的入站流量
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# 接受來自 LAN 的 ICMP 流量
/ip firewall filter add action=accept chain=input comment="defconf: accept icmp from lan" in-interface-list=LAN protocol=icmp
# 接受 IGMP 入站流量
/ip firewall filter add action=accept chain=input comment="defconf: accept igmp" protocol=igmp
# 丟棄所有非 LAN 接口進入的流量
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from lan" in-interface-list=!LAN
# 接受進入的 IPsec 策略流量
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
# 接受出去的 IPsec 策略流量
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# 啟用 FastTrack 加速已建立的連接
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=no
# 接受轉發鏈中的已建立、相關的或未跟蹤的連接的流量
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# 丟棄無效的轉發連接
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# 丟棄所有從 WAN 接口進入且未經過目標地址轉換(DNAT)的新連接
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
# 丟棄所有從 Modem 接口進入且未經過目標地址轉換(DNAT)的新連接
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from Moden not dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=MODEN log=yes log-prefix="[fw_modem-not-dnat]" #訪問光貓用
# 丟棄所有從 WAN 接口進入且源地址在 BlockIP 地址列表中的流量
/ip firewall filter add action=drop chain=input comment="block ip" in-interface-list=WAN src-address-list=BlockIP
# 將發送 RST 數據包且目標端口不是 53 或 853 的 WAN 流量的源 IP 地址添加到 BlockIP 列表中
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=tcp psd=21,5s,3,1 tcp-flags=rst
# 將發送 SYN 數據包且目標端口不是 53 或 853 的 WAN 流量的源 IP 地址添加到 BlockIP 列表中
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=tcp psd=21,5s,3,1 tcp-flags=syn
# 將發送 UDP 數據包且目標端口不是 53 或 853 的 WAN 流量的源 IP 地址添加到 BlockIP 列表中
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=udp psd=21,5s,3,1
# 丟棄所有來源地址在 no_forward_ipv4 地址列表中的流量
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
# 丟棄所有目標地址在 no_forward_ipv4 地址列表中的流量
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
)
安全巡檢)
)
