
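# RouterOS "/ip firewall filter" rules in export format: one "add" per rule, a
# trailing "\" continues the rule on the next line. Rules are evaluated
# top-down within each chain; the jump targets used here (drop, drop-p2p,
# virus, Limit-Conn, sanity-check, restrict-tcp/udp/ip) are defined further
# down in this export. Connection marks (auth, smtp, other-tcp, ...) are
# assigned outside this listing, presumably in /ip firewall mangle — verify
# they exist before importing.
# Stray blank lines that split "\"-continued rules (the orphaned
# "disabled=..." fragment would abort an import) have been removed.
# Unconditional accept on input; keep disabled — enabling it accepts
# everything addressed to the router before any check below runs.
add chain=input action=accept comment="CHEQUEAR LINEA A LINEA FALLA WEB-PROXY" \
disabled=yes
# Unconditional accept at the top of forward; keep disabled — enabling it
# bypasses every forward check that follows.
add chain=forward action=accept comment="" disabled=yes
# NOTE(review): a filter rule with action=accept cannot lower the MSS as the
# comment says (that needs change-mss in mangle); disabled, so inert.
add chain=forward protocol=tcp tcp-flags=syn,rst tcp-mss=1400-1536 \
action=accept comment="Disminuye MMS MTU menos cabeceras IP y TCP" \
disabled=yes
add chain=forward action=jump jump-target=drop-p2p comment="Drop P2P " \
disabled=no
add chain=input action=jump jump-target=drop comment="Dropping IP no \
permitidas " disabled=no
add chain=forward action=jump jump-target=drop comment="Dropping NetBios" \
disabled=no
add chain=forward action=jump jump-target=virus comment="jump y drop to VIRUS \
chain" disabled=no
# Local-to-Local traffic is accepted here, i.e. before the DML drop, Limit-Conn,
# sanity-check and restrict-* jumps below: none of those apply to traffic
# between hosts on the Local interface.
add chain=forward in-interface=Local out-interface=Local action=accept \
comment="Allow traffic between wired and wireless networks" disabled=no
add chain=forward action=jump jump-target=drop comment="Dropping IP no \
permitidas por DML" disabled=no
add chain=forward action=jump jump-target=Limit-Conn comment="Limito \
conexiones TCP" disabled=no
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check" \
disabled=no
add chain=forward protocol=tcp action=jump jump-target=restrict-tcp \
comment="-------- Restric TCP" disabled=no
add chain=forward protocol=udp action=jump jump-target=restrict-udp \
comment="-------- Restric UDP" disabled=no
add chain=forward action=jump jump-target=restrict-ip comment="" disabled=no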
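# restrict-* chains: forwarded traffic is classified by connection-mark outside
# this listing (presumably mangle) and anything marked other/other-tcp/other-udp
# is sent to the drop chain.
# "auth" (presumably ident/113) is rejected rather than dropped so the remote
# peer fails fast instead of waiting for a timeout.
add chain=restrict-tcp connection-mark=auth action=reject \
reject-with=icmp-network-unreachable comment="" disabled=no
# Fix: the jump target previously read "smtp-first-reject", a chain with no
# rules in this export, so the jump returned immediately and the anti-spam
# policy below was never applied. It now points at the smtp-first-drop chain
# whose rules follow.
add chain=restrict-tcp connection-mark=smtp action=jump \
jump-target=smtp-first-drop comment="anti-spam policy" disabled=no
# smtp-first-drop: greylisting by source address. The first SMTP connection
# from a host records it in "first-smtp" and is rejected; a later attempt
# from a host already in "first-smtp" promotes it to "approved-smtp" and is
# allowed (return). Both lists use address-list-timeout=0s, i.e. entries never
# expire and must be pruned by hand.
add chain=smtp-first-drop src-address-list=first-smtp \
action=add-src-to-address-list address-list=approved-smtp \
address-list-timeout=0s comment="" disabled=no
add chain=smtp-first-drop src-address-list=approved-smtp action=return \
comment="" disabled=no
add chain=smtp-first-drop action=add-src-to-address-list \
address-list=first-smtp address-list-timeout=0s comment="" disabled=no
add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable \
comment="" disabled=no
add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop \
comment="" disabled=no
add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop \
comment="" disabled=no
add chain=restrict-ip connection-mark=other action=jump jump-target=drop \
comment="" disabled=no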
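# input chain, continued: traffic addressed to the router itself.
# Stray blank lines that split the DHCP rule's continuation were removed.
add chain=input action=jump jump-target=drop comment="Dropping NetBios" \
disabled=no
add chain=input action=jump jump-target=Limit-Conn comment="Limito conexiones \
TCP" disabled=no
add chain=input action=jump jump-target=drop-p2p comment="Drop P2P " \
disabled=no
add chain=input src-address-type=local dst-address-type=local action=accept \
comment="Allow local traffic \(between router applications\)" disabled=no
# DHCP is handled before sanity-check because its 0.0.0.0 source and broadcast
# destination would otherwise be dropped there.
add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 \
action=jump jump-target=dhcp comment="DHCP protocol would not pass sanity \
checking, so enabling it explicitly before other checks" disabled=no
add chain=input action=jump jump-target=sanity-check comment="Sanity Check" \
disabled=no
# Only what the drop chain's enabled rules match is actually dropped by this
# jump; the drop-chain rule with the same dst-address-type=!local matcher is
# disabled in this export.
add chain=input dst-address-type=!local action=jump jump-target=drop \
comment="Dropping packets not destined to the router itself, including all \
broadcast traffic" disabled=no
add chain=input in-interface=Local action=jump jump-target=local-services \
comment="Allowing some services to be accessible from the local network" \
disabled=no
add chain=input in-interface=Public action=jump jump-target=public-services \
comment="Allowing some services to be accessible from the Internet" \
disabled=no
# limit=5,5: rate 5 with burst 5 in the older "limit" syntax (per second
# according to the comment). The "ping" connection-mark is set elsewhere.
add chain=input connection-mark=ping limit=5,5 action=accept comment="Alllow \
pings, but at a very limited rate \(5 per sec\)" disabled=no
# dhcp chain: the valid DHCP source/destination combinations (discover from
# 0.0.0.0 to broadcast, 0.0.0.0 to the router, and renewals from local-addr).
add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept \
comment="" disabled=no
add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept \
comment="" disabled=no
add chain=dhcp dst-address-type=local src-address-list=local-addr \
action=accept comment="" disabled=no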
# local-services: services reachable from the Local interface (entered from the
# input chain). Matching is by connection-mark, so the ports in the comments
# are informative only — the marks are assigned outside this listing.
add chain=local-services connection-mark=ssh action=accept comment="SSH \
\(22/TCP\)" disabled=no
add chain=local-services connection-mark=dns action=accept comment="DNS" \
disabled=no
add chain=local-services connection-mark=proxy action=accept comment="HTTP \
Proxy \(3128/TCP\)" disabled=no
add chain=local-services connection-mark=winbox action=accept comment="Winbox \
\(8291/TCP\)" disabled=no
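# virus chain (entered from forward): drops traffic to ports historically used
# by worms and backdoors. Port-based matching also blocks legitimate services
# that happen to use these ports (noted below where relevant).
# Stray blank lines that split the 2745 rule's continuation were removed, and
# its exact duplicate further down (same match, same action) was folded into
# it; the second copy could never match.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop \
Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster \
Worm" disabled=no
# The "________" comments below are unfilled placeholders from the template.
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" \
disabled=no
# Also blocks forwarded SOCKS (1080/TCP).
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" \
disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
disabled=no
# Also blocks forwarded MS SQL Server (1433/TCP).
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop \
comment="Bagle Virus / Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \
disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" \
disabled=no
# NOTE(review): 3127-3128 includes 3128, the HTTP proxy port named in the
# local-services chain; forwarded traffic to a proxy on that port is dropped
# here — confirm this is intended.
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop \
MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \
OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop \
Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop \
Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop \
MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop \
SubSeven" disabled=no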
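# Limit-Conn: per-source TCP connection cap for the 192.168.0.0/24 clients
# (connection-limit=80,32: at most 80 connections per /32 source).
add chain=Limit-Conn src-address=192.168.0.0/24 protocol=tcp \
connection-limit=80,32 action=drop comment="Limitar a 80 las conexiones \
por clientes GRAL" disabled=no
# drop-p2p: relies on the "p2p" matcher, which RouterOS v7 no longer provides —
# verify on the target version before importing.
# Fix: the comment said 20 connections while connection-limit is 10,32; the
# comment now matches the rule.
add chain=drop-p2p protocol=tcp tcp-flags=syn p2p=warez connection-limit=10,32 \
action=drop comment="Limito a 10 conexiones TCP el P2P" disabled=no
add chain=drop-p2p src-address=192.168.0.0/24 p2p=all-p2p action=drop \
comment="Dropear las 24hs." disabled=no
# drop chain: shared jump target for input and forward. Only packets matching
# one of its rules are dropped; everything else returns to the calling chain.
add chain=drop protocol=tcp connection-mark=netbios action=drop comment="Drop \
NetBios" disabled=no
add chain=drop protocol=udp connection-mark=netbios action=drop comment="" \
disabled=no
# Catch-all with no matcher: keep disabled. If enabled, every jump into this
# chain (including the unconditional jumps from forward) would drop the packet
# regardless of why it was sent here. A src-mac-address rule near the end of
# this export is presumably the intended per-MAC form.
add chain=drop action=drop comment="MAC que rompio las bolas" disabled=yes
add chain=drop src-address-list=Bloqueo_IPs_no_usados action=drop \
comment="Bloqueo de IPs no usadas" disabled=no
# blocked-addr is populated by the scan-detection rules in sanity-check.
add chain=drop src-address-list=blocked-addr action=drop comment="dropping \
port scanners -- Esto viene de Sanity Check" disabled=no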
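# public-services: services reachable from the Public (Internet) interface.
# Connection-mark matches (ssh, telnet, http, winbox, Radmin, l2tp, pptp, gre)
# depend on marks assigned outside this listing. Only disabled=no rules are
# live; the disabled ones are template entries to review before enabling.
# Stray blank lines that split the http rule's continuation were removed.
# NOTE(review): a packet with 127.0.0.1 source/destination arriving on the
# Public interface is spoofed. This rule is harmless only if sanity-check's
# illegal-addr list already drops loopback sources — verify that list.
add chain=public-services src-address=127.0.0.1 dst-address=127.0.0.1 \
action=accept comment="accept localhost" disabled=no
# FTP (cleartext credentials) exposed to the Internet; restrict by src-address
# or prefer SFTP over the SSH rule below.
add chain=public-services protocol=tcp dst-port=20-21 action=accept \
comment="FTP \(20-21/TCP\)" disabled=no
add chain=public-services connection-mark=ssh action=accept comment="SSH \
\(22/TCP\)" disabled=no
# Telnet (cleartext) exposed to the Internet; same caveat as FTP.
add chain=public-services connection-mark=telnet action=accept comment="TELNET \
\(23/TCP\)" disabled=no
add chain=public-services connection-mark=http action=accept \
comment="HTTP,WEBBOX \(80/TCP\)" disabled=no
add chain=public-services connection-mark=winbox action=accept comment="Winbox \
\(8291/TCP\)" disabled=no
add chain=public-services protocol=udp dst-port=20561 action=accept \
comment="allow MACwinbox " disabled=yes
add chain=public-services src-address=159.148.172.205 protocol=tcp \
dst-port=7828 action=accept comment="..." disabled=yes
add chain=public-services connection-mark=Radmin action=accept comment="RADMIN \
Bandwidth server \(TCP/4899\)" disabled=no
add chain=public-services protocol=udp dst-port=5678 action=accept comment=" \
MT Discovery Protocol" disabled=yes
# L2TP runs over UDP/1701 (the comment's "/TCP" is inaccurate); the actual
# match is the connection-mark, set elsewhere.
add chain=public-services connection-mark=l2tp action=accept comment="L2TP \
\(1701/TCP\)" disabled=no
add chain=public-services connection-mark=pptp action=accept comment="PPTP \
\(1723/TCP\)" disabled=no
add chain=public-services connection-mark=gre action=accept comment="GRE for \
PPTP and EoIP" disabled=no
add chain=public-services protocol=ipencap action=accept comment="allow IPIP" \
disabled=no
add chain=public-services protocol=udp dst-port=1900 action=accept \
comment="UPnP" disabled=yes
add chain=public-services protocol=tcp dst-port=2828 action=accept \
comment="UPnP" disabled=yes
add chain=public-services protocol=udp dst-port=67-68 action=accept \
comment="allow DHCP" disabled=yes
add chain=public-services protocol=tcp dst-port=8080 action=accept \
comment="allow Web Proxy" disabled=yes
# Fix: NTP and SNMP are UDP services; both rules previously matched TCP and
# would not have allowed either service if enabled. Still disabled — SNMP from
# the Internet in particular should be source-restricted if ever turned on.
add chain=public-services protocol=udp dst-port=123 action=accept \
comment="allow NTP" disabled=yes
add chain=public-services protocol=udp dst-port=161 action=accept \
comment="allow SNMP" disabled=yes
add chain=public-services protocol=tcp dst-port=443 action=accept \
comment="allow https for Hotspot" disabled=yes
add chain=public-services protocol=tcp dst-port=1080 action=accept \
comment="allow Socks for Hotspot" disabled=yes
# IKE (UDP/500) is disabled while ESP and AH below are accepted: IPsec cannot
# be negotiated from the Public side unless IKE is allowed elsewhere.
add chain=public-services protocol=udp dst-port=500 action=accept \
comment="allow IPSec connections" disabled=yes
add chain=public-services protocol=ipsec-esp action=accept comment="allow \
IPSec" disabled=no
add chain=public-services protocol=ipsec-ah action=accept comment="allow \
IPSec" disabled=no
add chain=public-services protocol=tcp dst-port=179 action=accept \
comment="Allow BGP" disabled=yes
add chain=public-services protocol=udp dst-port=520-521 action=accept \
comment="allow RIP" disabled=yes
add chain=public-services protocol=ospf action=accept comment="allow OSPF" \
disabled=yes
# NOTE(review): UDP 5000-5100 is not BGP (BGP is the TCP/179 rule above); the
# intended service for this range is not recorded.
add chain=public-services protocol=udp dst-port=5000-5100 action=accept \
comment="allow BGP" disabled=yes
add chain=public-services protocol=tcp dst-port=1720 action=accept \
comment="allow Telephony" disabled=yes
add chain=public-services protocol=udp dst-port=1719 action=accept \
comment="allow Telephony" disabled=yes
add chain=public-services protocol=vrrp action=accept comment="allow VRRP " \
disabled=yes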

add chain=drop src-address=10.10.102.200-10.10.102.254 protocol=tcp \


time=0s-23h59m,fri,thu,wed,tue,mon action=drop comment="SABADO Y DOMINGO" \
disabled=yes
add chain=drop src-address=10.10.101.100-10.10.101.254 protocol=tcp \
time=7h30m-20h59m,sat,fri,thu,wed,tue,mon,sun action=drop comment="NOCHE" \
disabled=yes
add chain=drop src-address=10.10.228.100-10.10.228.254 protocol=tcp \
time=6h-23h30m,sat,fri,thu,wed,tue,mon,sun action=drop comment="" \
disabled=yes
add chain=drop src-address=10.10.100.100-10.10.100.199 protocol=tcp \
time=0s-6h59m,sat,fri,thu,wed,tue,mon,sun action=drop comment="MANANA" \
disabled=yes
add chain=drop src-address=10.10.100.100-10.10.100.199 protocol=tcp \
time=11h1m-23h59m,sat,fri,thu,wed,tue,mon,sun action=drop comment="" \
disabled=yes
add chain=drop src-address=10.10.100.200-10.10.100.254 protocol=tcp \
time=0s-16h59m,sat,fri,thu,wed,tue,mon,sun action=drop comment="TARDE" \
disabled=yes
add chain=drop src-address=10.10.100.200-10.10.100.254 protocol=tcp \
time=21h-23h59m,sat,fri,thu,wed,tue,mon,sun action=drop comment="" \
disabled=yes
add chain=drop connection-state=invalid action=drop comment="Dropear \
conexiones invalidas" disabled=no
add chain=drop dst-address-type=broadcast,multicast action=drop \
comment="Bloqueo todo el Multicast y Broadcast" disabled=no
add chain=drop dst-address-list=illegal-addr action=drop comment="Bloqueo todo \
lo que este en Ilegal Address" disabled=no
add chain=drop protocol=tcp tcp-flags=rst action=drop comment="Drop TCP RST" \
disabled=yes
add chain=drop dst-address-type=!local action=drop comment="Dropeo todo los \
paquetes que no van destinados hacia el router inclusive el trafico \
Broadcast " disabled=yes
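add chain=local-services connection-mark=Radmin action=accept comment="RADMIN \
Bandwidth server \(TCP/4899\)" disabled=no
# sanity-check: shared by input and forward. Flag anomalies add the source to
# "blocked-addr" (10 s timeout — short, so a host is blocked per burst rather
# than persistently) and a later rule sends listed sources to the drop chain;
# invalid/established/related handling follows. The packet-mark
# "nat-traversal" is set outside this listing.
# Stray blank lines that split the SYN+RST rule's continuation were removed.
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop \
comment="Deny illegal NAT traversal" disabled=no
# The next three detectors (tarpit, connection-limit, psd) are disabled.
add chain=sanity-check protocol=tcp connection-limit=3,32 \
src-address-list=blocked-addr action=tarpit comment="Detectar DoS Service" \
disabled=yes
add chain=sanity-check protocol=tcp connection-limit=20,32 \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=5s comment="" disabled=yes
add chain=sanity-check protocol=tcp psd=21,3s,3,1 \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=3s comment="Block port scans" disabled=yes
# Fix: the two labels below were swapped. FIN+PSH+URG with SYN/RST/ACK clear is
# the "Xmas" pattern; no flags set at all is the "Null" pattern. Matching is
# unchanged, only the comments.
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=10s comment="Block TCP Xmas scan" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=10s comment="Block TCP Null scan" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=10s comment="NMAP FIN Stealth scan" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=syn,rst \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=10s comment="Drop TCP SYN + RST" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=fin,syn \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=10s comment="Drop TCP FIN+SYN" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=10s comment="ALL/ALL scan" disabled=no
add chain=sanity-check src-address-list=blocked-addr action=jump \
jump-target=drop comment="Drop diferentes metodos de Port Scanners" \
disabled=no
add chain=sanity-check connection-state=invalid action=jump jump-target=drop \
comment="Dropping invalid connections at once" disabled=no
add chain=sanity-check connection-state=established action=accept \
comment="Accepting already established connections" disabled=no
add chain=sanity-check connection-state=related action=accept comment="Also \
accepting related connections" disabled=no
add chain=sanity-check dst-address-type=broadcast,multicast action=jump \
jump-target=drop comment="Drop all traffic that goes to multicast or \
broadcast addresses" disabled=no
add chain=sanity-check in-interface=Local dst-address-list=illegal-addr \
action=jump jump-target=drop comment="Drop illegal destination addresses" \
disabled=no
add chain=sanity-check in-interface=Local src-address-list=!local-addr \
action=jump jump-target=drop comment="Drop everything that goes from local \
interface but not from local address" disabled=no
# Redundant: the protocol-independent blocked-addr rule earlier in this chain
# already covers TCP sources, and the drop chain drops them unconditionally.
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump \
jump-target=drop comment="" disabled=no
add chain=sanity-check in-interface=Public src-address-list=illegal-addr \
action=jump jump-target=drop comment="Drop illegal source addresses" \
disabled=no
add chain=sanity-check in-interface=Public dst-address-list=!local-addr \
action=jump jump-target=drop comment="Drop everything that goes from \
public interface but not to local address" disabled=no
add chain=sanity-check src-address-type=broadcast,multicast action=jump \
jump-target=drop comment="Drop all traffic that goes from multicast or \
broadcast addresses" disabled=no
# Per-MAC block (disabled); appended after the drop chain's other rules, so it
# sits at the end of that chain's evaluation order.
add chain=drop src-mac-address=00:11:3B:02:52:19 action=drop comment="" \
disabled=yes
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \
Gaobot" disabled=no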
