Mikrotik Firewall

We know some of you won’t do it unless you’re spoon-fed the information.

Setting up ACLs on the services is insufficient. You must do it at the firewall level.

It’s just something thrown together and likely contains errors and omissions. Read through it and understand it before you just copypasta. You’ll have to read because you’ll have to change IP blocks, interfaces, port numbers, etc. If you don’t use any of the VPNs, remove that particular VPN.

Note that you’ll need the web interface open to accept SSTP. The web server has had exploits before, so maybe you don’t want to just leave 443 open to the world. Maybe you don’t use this and instead add the IP to the whitelist if static or use port-knocking if dynamic.

There’s a port-knocking sequence in there as well. TCP 9000, TCP 32000, and then TCP 6000. Each needs to be hit within 10s of the last to open up the firewall for 10h. Check out this post of Greg’s helps you figure out how to build an application to manage port knocking on the client’s side (and a pre-built one). http://gregsowell.com/?p=2020

There’s still the FTP\SSH brute-force scripts in there as a last line of defense in case something in your management networks gets compromised. I’d appreciate some commentary on how to capture Winbox, telnet, IPSEC, OpenVPN, etc. brute force attacks as well so we can protect those whitelisted networks\services as much as possible. Unlike brute-force detection you may have done before where the goal was to block and not alert due to the amount of traffic, you’ll want to keep your eyes on anything that makes it through this part of the config because it will be a device you trust that’s compromised.

/interface list
add name=OSPF
/interface list member
add interface=ether1 list=OSPF
/ip firewall address-list
add address= comment=”Private Management IPs” list=Whitelist
add address=MMM.NNN.OOO.PPP/27 comment=”Public Management IPs” list=Whitelist
add address=AAA.BBB.CCC.DDD comment=Other-edge-router list=BGP
add address= comment=United-IX list=BGP
add address= comment=”Midwest-IX Indy” list=BGP
add address= comment=QRator list=BGP
add address=EEE.FFF.GGG.HHH comment=Upstream-v4 list=BGP
add address=III.JJJ.KKK.LLL comment=Client list=BGP
add address= comment=FULLBOGONS-CYMRU-1-v4 list=BGP
add address= comment=FULLBOGONS-CYMRU-2-v4 list=BGP
/ip firewall filter
add action=accept chain=input comment=”Accept Established and Related” connection-state=established,related
add action=accept chain=input comment=”Accept BGP Address List” src-address-list=BGP dst-port=179
add action=accept chain=input comment=”Accept ICMP” protocol=icmp
add action=drop chain=input comment=”drop ssh brute forcers” dst-port=22,23 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment=”drop ftp brute forcers” dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=input comment=”Accept Whitelist” src-address-list=Whitelist
add action=accept chain=input comment=OSPF in-interface-list=OSPF protocol=ospf
add action=accept chain=input comment=”OpenVPN” disabled=no dst-port=1194 protocol=tcp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp comment=”allow L2TP VPN (ipsec-esp)”
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp comment=”allow L2TP VPN (500,4500,1701/udp)”
add chain=input protocol=tcp dst-port=443 action=accept comment=”Allow SSTP”
add action=add-src-to-address-list address-list=”port:9000″ address-list-timeout=10s chain=input dst-port=9000 protocol=tcp
add action=add-src-to-address-list address-list=”port:32000″ address-list-timeout=10s chain=input dst-port=32000 protocol=tcp src-address-list=”port:9000″
add action=add-src-to-address-list address-list=”Whitelist” address-list-timeout=10h chain=input dst-port=6000 protocol=tcp src-address-list=”port:32000″
add action=accept chain=output content=”530 Login incorrect” dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content=”530 Login incorrect” protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22,23 protocol=tcp
add action=drop chain=input comment=”Deny All”