Anton Nikolishin, 2017-07-21 18:39:32
Computer networks

How to set up mikrotik firewall correctly?

Now I'm trying to figure out how to set up a firewall on MikroTik so that:
1. Data can be safely backed up from server1 to server2 using Hyper Backup via rsync over ssh across the Internet.
2. Resilio Sync can be used to synchronize data between computers via the Internet.
3. Computers in the local network can access the Internet.
4. Computers in the local network can download torrents.
5. The router can be accessed through Winbox and via https from the local network.
The firewall settings are:
/ip firewall filter
# Enable port scanner analysis
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1w3d chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1w3d chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1w3d chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1w3d chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1w3d chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1w3d chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1w3d chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
# Allow Fasttrack
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related
# Allow all established and related connections
add action=accept chain=input connection-state=established,related
add action=accept chain=forward connection-state=established,related
# Allow access to the server via SSH
add action=accept chain=forward dst-port=22 in-interface=ether1 protocol=tcp src-address=ip_of_external_server_with_data
add action=accept chain=forward dst-port=22 in-interface=ether1 protocol=udp src-address=ip_of_external_server_with_data
# Allow access to the server via RSYNC
add action=accept chain=forward dst-port=873 in-interface=ether1 protocol=tcp src-address=ip_of_external_data_server
add action=accept chain=forward dst-port=873 in-interface=ether1 protocol=udp src-address=ip_of_external_data_server
# Allow torrent access on comp1
add action=accept chain=forward dst-port=11111 in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-port=11111 in-interface=ether1 protocol=udp
# Allow torrent access on comp2
add action=accept chain=forward dst-port=22222 in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-port=22222 in-interface=ether1 protocol=udp
# Allow access for Resilio Sync to comp2
add action=accept chain=forward dst-port=33333 in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-port=33333 in-interface=ether1 protocol=udp
# Allow ICMP with flood protection
add action=accept chain=input in-interface=ether1 limit=50/5s,2:packet protocol=icmp
add action=accept chain=forward in-interface=ether1 limit=50/5s,2:packet protocol=icmp
# Internet access permission for local network
add action=accept chain=forward src-address=192.168.100.0/24 in-interface=bridge
# Allow access to the router via Winbox from the local network
add action=accept chain=input protocol=tcp in-interface=bridge dst-port=8291
# Allow access to the router via HTTPS from the local network
add action=accept chain=input protocol=tcp in-interface=bridge dst-port=443
# Prevent "broken" and "wrong" packets from transiting
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid
# Ban BOGON
add action=drop chain=input in-interface=ether1 src-address-list=BOGON
add action=drop chain=forward in-interface=ether1 src-address-list=BOGON
# Enable port scanner protection
add action=drop chain=input src-address-list=port_scanners
add action=drop chain=forward src-address-list=port_scanners
# Deny everything else
add chain=input action=drop in-interface=ether1
add chain=forward action=drop in-interface=ether1
Everything seems to work, but I'm afraid to screw it up.
Is everything correct?
Thank you.
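RouterOS filter rules are evaluated top-down, so rule order decides what a listed scanner can still reach. The following is an added check, not part of the question or the answer: it parses a constructed subset of the forward chain above and reports accepts for new WAN traffic that sit above the src-address-list drops, plus UDP accepts for TCP-only services (ssh, rsync).

```python
import shlex

# Constructed input: a subset of the question's forward chain, in posted
# order (comments dropped, placeholder source addresses kept as written).
RULES = [
    "add action=accept chain=forward connection-state=established,related",
    "add action=accept chain=forward dst-port=22 in-interface=ether1 protocol=tcp src-address=ip_of_external_server_with_data",
    "add action=accept chain=forward dst-port=22 in-interface=ether1 protocol=udp src-address=ip_of_external_server_with_data",
    "add action=accept chain=forward dst-port=873 in-interface=ether1 protocol=tcp src-address=ip_of_external_data_server",
    "add action=accept chain=forward dst-port=873 in-interface=ether1 protocol=udp src-address=ip_of_external_data_server",
    "add action=accept chain=forward dst-port=11111 in-interface=ether1 protocol=tcp",
    "add action=accept chain=forward dst-port=11111 in-interface=ether1 protocol=udp",
    "add action=accept chain=forward src-address=192.168.100.0/24 in-interface=bridge",
    "add action=drop chain=forward connection-state=invalid",
    "add action=drop chain=forward in-interface=ether1 src-address-list=BOGON",
    "add action=drop chain=forward src-address-list=port_scanners",
    "add chain=forward action=drop in-interface=ether1",
]

# Services that only speak TCP; a UDP accept for them opens nothing useful.
TCP_ONLY_PORTS = {"22": "ssh", "873": "rsync"}

def parse_rule(line):
    """Turn one RouterOS 'add key=value ...' line into a dict of properties."""
    tokens = shlex.split(line)  # shlex keeps quoted comment="..." intact
    if not tokens or tokens[0] != "add":
        raise ValueError(f"not an add command: {line!r}")
    return dict(tok.split("=", 1) for tok in tokens[1:])

def wan_accepts_above_list_drops(rules, wan="ether1"):
    """Indices of accepts for NEW traffic from the WAN interface that are
    evaluated before the chain's first src-address-list drop. Such a rule
    still matches a source already on the port_scanners/BOGON list."""
    parsed = [parse_rule(r) for r in rules]
    findings = []
    for chain in dict.fromkeys(r["chain"] for r in parsed):  # ordered, unique
        drops = [i for i, r in enumerate(parsed) if r["chain"] == chain
                 and r.get("action") == "drop" and "src-address-list" in r]
        if not drops:
            continue
        for i, r in enumerate(parsed[:min(drops)]):
            if (r["chain"] == chain and r.get("action") == "accept"
                    and r.get("in-interface") == wan
                    and "connection-state" not in r):  # state accepts are fine
                findings.append(i)
    return findings

def udp_accepts_for_tcp_only_services(rules):
    """Indices of accept rules that open UDP for a TCP-only service."""
    return [i for i, r in enumerate(map(parse_rule, rules))
            if r.get("action") == "accept" and r.get("protocol") == "udp"
            and r.get("dst-port") in TCP_ONLY_PORTS]
```

Moving the list-based drops up, directly under the established/related accepts, makes both findings disappear on re-run.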

1 answer(s)
Ruslan Fedoseev, 2017-07-21
@aenikolishin

In principle, everything is correct. I would also enable UPnP; then port forwarding for torrents and similar software would be done automatically.
