A set of firewall rules and system settings for basic RouterOS hardening.
Related links:
User-access:
Access username:
/user/add name=MTv group=full password="**********" comment="winbox-management"
Access password:
/user/set admin password="**********"
/user/disable admin
Access by IP address:
/user/set MTv address=ip-address
Services:
/ip/service/disable api,api-ssl,ftp,ssh,telnet,www,www-ssl
/ip/service/set winbox address=ip-address
MAC-access:
MAC-Telnet:
/tool/mac-server/set allowed-interface-list=none
MAC-Winbox:
/tool/mac-server/mac-winbox/set allowed-interface-list=none
MAC-Ping:
/tool/mac-server/ping/set enabled=no
Neighbor Discovery:
/ip/neighbor/discovery-settings/set discover-interface-list=none lldp-med-net-policy-vlan=disabled lldp-mac-phy-config=no lldp-max-frame-size=no lldp-poe-power=no protocol=mndp mode=tx-and-rx
Bandwidth server:
/tool/bandwidth-server/set enabled=no
Other clients services:
/ip/proxy/set enabled=no
/ip/socks/set enabled=no
/ip/upnp/set enabled=no
/ip/cloud/set ddns-enabled=no update-time=no
More Secure SSH access:
/ip/ssh/set forwarding-enabled=no always-allow-password-login=no strong-crypto=yes allow-none-crypto=no host-key-type=ed25519
/ip/ssh/regenerate-host-key
Secure RoMON:
/tool/romon/set enabled=no secrets="mysecret"
/tool/romon/port add comment="Forbid ISP" disabled=no forbid=yes interface=ether1
IPv6:
Neighbor Discovery:
/ipv6/nd/set [find] disabled=yes
Settings:
/ipv6/settings/set disable-ipv6=yes forward=no accept-redirects=no accept-router-advertisements=no
SMB: Disable Auto-Create Share:
/ip/smb/set enabled=no interfaces=bridge1
/ip/smb/shares/disable pub
/ip/smb/users/disable guest
RP Filter (RFC 3704):
If asymmetric routing is not used, set strict; otherwise use loose.
- strict - the source address of every incoming packet is checked against the FIB; if the ingress interface is not the best reverse path to that source, the packet fails the check.
- loose - the source address of every incoming packet is checked against the FIB; if the source is not reachable via any interface, the packet fails the check.
/ip/settings/set rp-filter=strict tcp-syncookies=yes
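To make the strict/loose difference concrete, here is an added Python model of the RFC 3704 reverse-path check (not RouterOS code and not part of the original page). The FIB, interface names and packets are constructed assumptions; a blackhole route, like the "do not route in isp" entries further down the page, is modelled as having no output interface, so its sources count as unreachable even in loose mode.

```python
import ipaddress

# Constructed FIB (assumption): prefix -> outgoing interface, None = blackhole route.
FIB = {
    "0.0.0.0/0": "ether1",         # default route via the ISP
    "203.0.113.0/24": "ether2",    # second uplink: return path differs from ether1
    "192.168.10.0/24": "bridge1",  # LAN
    "192.168.0.0/16": None,        # blackhole, as the page installs for bogon space
    "10.0.0.0/8": None,            # blackhole, as the page installs for bogon space
}

def fib_lookup(src_ip):
    """Longest-prefix match. Returns (matched, interface); interface None = blackhole."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None, (best[1] if best else None)

def rp_filter(mode, src_ip, in_iface):
    """Reverse-path check as the page describes it. Returns True when the packet passes.
    strict: the best route back to src_ip must leave via in_iface.
    loose:  src_ip only has to be reachable through some interface (modelled here:
            a blackhole route counts as unreachable)."""
    matched, iface = fib_lookup(src_ip)
    reachable = matched and iface is not None
    if mode == "strict":
        return reachable and iface == in_iface
    if mode == "loose":
        return reachable
    raise ValueError(f"unknown rp-filter mode {mode!r}")

# Constructed packets: (source address, ingress interface, description)
PACKETS = [
    ("192.168.10.5", "bridge1", "LAN host on its own interface"),
    ("192.168.10.5", "ether1",  "LAN address arriving from the ISP (spoofed)"),
    ("10.9.9.9",     "ether1",  "blackholed RFC1918 source arriving from the ISP"),
    ("203.0.113.7",  "ether1",  "asymmetric: reply path is ether2, packet came via ether1"),
]

def evaluate(mode):
    """Map each packet description to the filter decision for the given mode."""
    return {desc: rp_filter(mode, src, iface) for src, iface, desc in PACKETS}

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for desc, ok in evaluate(mode).items():
            print(f"{mode:6} {'pass' if ok else 'DROP':4} {desc}")
```

The asymmetric packet is the case the note above warns about: strict drops legitimate traffic whose return route uses another uplink, while loose still passes it but also lets a spoofed LAN address in from the ISP, which is why the page additionally matches ISP-side traffic against the bogon_net list.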
Firewall Connection-Tracking:
/ip/firewall/connection/tracking/set loose-tcp-tracking=yes tcp-established-timeout=10m udp-timeout=30s
Firewall Service ports:
/ip/firewall/service-port/disable ftp,h323,irc,pptp,rtsp,sip,tftp
DNS Cache:
/ip/dns/set cache-max-ttl=30m
System Clock:
/system/clock/set time-zone-autodetect=no
DHCP-Server:
/ip/dhcp-server/config/set store-leases-disk=never
Watchdog:
/system/watchdog/set watchdog-timer=no automatic-supout=no
IPv4 firewall (interface+address lists + psd):
/ip/firewall/filter/
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward comment=Invalid connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=add-src-to-address-list address-list=port_scan address-list-timeout=4w chain=input comment="PSD to List" in-interface-list=ISP protocol=tcp psd=12,3m,3,2
add action=add-src-to-address-list address-list=port_scan address-list-timeout=4w chain=input in-interface-list=ISP protocol=udp psd=12,3m,3,2
add action=accept chain=input comment="ICMP 8:0" icmp-options=8:0 in-interface-list=ISP limit=1,3:packet packet-size=0-100 protocol=icmp
add action=drop chain=input comment=ISP in-interface-list=ISP
-
add action=accept chain=input comment="Input protection GW" protocol=icmp
add action=accept chain=input comment="dns, ntp, neighbor, mac-winbox | dhcp-s(67), 137,138,139(netbios-ns-dgm-ssn)" dst-port=53,123,5678,20561 protocol=udp
add action=accept chain=input comment="ssh, winbox" dst-address-list=mik_on dst-port=22,8291 protocol=tcp src-address-list=mik_to
add action=drop chain=input comment="Drop all not allowed"
-
add action=jump chain=forward comment=JUMP_VLANx in-interface-list=VLANx jump-target=VLANx-ISP out-interface-list=ISP
add action=jump chain=forward comment=JUMP_ISP in-interface-list=ISP jump-target=ISP-ALL
-
add action=accept chain=ISP-ALL comment="DNAT con state ISP -> ALL" connection-nat-state=dstnat connection-state=new src-address-list=!bogon_net
add action=drop chain=ISP-ALL
-
add action=accept chain=VLANx-ISP comment="VLANx -> ISP" protocol=tcp src-address-list=!no_isp
add action=accept chain=VLANx-ISP protocol=udp src-address-list=!no_isp
add action=accept chain=VLANx-ISP protocol=icmp src-address-list=!no_isp
add action=reject chain=VLANx-ISP reject-with=icmp-net-prohibited
-
add action=drop chain=forward comment="Drop all not allowed"
/ip/firewall/address-list/
add address=0.0.0.0/8 comment=RFC6890 list=bogon_net
add address=172.16.0.0/12 comment=RFC6890 list=bogon_net
add address=192.168.0.0/16 comment=RFC6890 list=bogon_net
add address=10.0.0.0/8 comment=RFC6890 list=bogon_net
add address=169.254.0.0/16 comment=RFC6890 list=bogon_net
add address=127.0.0.0/8 comment=RFC6890 list=bogon_net
add address=224.0.0.0/4 comment=Multicast list=bogon_net
add address=198.18.0.0/15 comment=RFC6890 list=bogon_net
add address=192.0.0.0/24 comment=RFC6890 list=bogon_net
add address=192.0.2.0/24 comment=RFC6890 list=bogon_net
add address=198.51.100.0/24 comment=RFC6890 list=bogon_net
add address=203.0.113.0/24 comment=RFC6890 list=bogon_net
add address=100.64.0.0/10 comment=RFC6890 list=bogon_net
add address=240.0.0.0/4 comment=RFC6890 list=bogon_net
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=bogon_net
Do not route in ISP:
/ip/route/
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=0.0.0.0/8
add blackhole comment="do not route in isp (blackhole) | disabled for ikev2" disabled=no dst-address=172.16.0.0/12
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=192.168.0.0/16
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=10.0.0.0/8
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=169.254.0.0/16
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=127.0.0.0/8
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=224.0.0.0/4
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=198.18.0.0/15
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=192.0.0.0/24
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=192.0.2.0/24
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=198.51.100.0/24
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=203.0.113.0/24
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=100.64.0.0/10
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=240.0.0.0/4
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=192.88.99.0/24
add blackhole comment="do not route in isp (blackhole)" disabled=no dst-address=255.255.255.255/32