49
« when: 06. 07. 2021, 10:05:47 »
As was written in the previous post.
Chain forward is always a rule between two interfaces and applies in both directions. It makes no difference whether you go from ether1 (WAN) to bridge (LAN) or the other way round. The rule is applied in both directions.
Chain input is always at the entry into the MikroTik, and again it makes no difference which port you come in from.
I personally combined TCP SYN flood protection with DDoS protection, and the rules look roughly like this:
add action=jump chain=forward comment="--- DDOS check rules ---" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos comment="-- ignore traffic from our DNS --" protocol=udp src-address-list=DNS
add action=return chain=detect-ddos comment="-- ignore traffic to our DNS --" dst-address-list=DNS protocol=udp
add action=accept chain=detect-ddos limit=15k,15:packet protocol=tcp tcp-flags=syn
add action=drop chain=detect-ddos protocol=tcp tcp-flags=syn
add action=return chain=detect-ddos dst-limit=1500,1500,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=15m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=15m chain=detect-ddos
add action=drop chain=forward comment="--- DDOS check rules ---" dst-address-list=ddosed src-address-list=ddoser
It is important to make an exception for the DNS servers you use, so that responses to them and from them
are not needlessly dropped. Every proper DNS server has flood/DDoS protection enabled.
If you want to handle this on input, it is enough to add a jump rule from input...
add action=jump chain=input connection-state=new jump-target=detect-ddos
As an example, I give a firewall with return rules. A return rule works as follows:
/ip firewall filter
add action=accept chain=input comment="--- Allow related, established connections ---" connection-state=established,related,untracked
add action=drop chain=input comment="--- Drop invalid connections ---" connection-state=invalid
add action=jump chain=input comment="--- Ping flood checker ---" icmp-options=8:0-255 jump-target=ICMP protocol=icmp
add action=accept chain=input comment="--- Allow DNS from LAN only ---" dst-port=53 protocol=udp src-address-list=DNS
add action=accept chain=input comment="--- Allow winbox from address list Monit ---" dst-port=22,8728 protocol=tcp src-address-list=Monit
add action=jump chain=input comment="--- Allow VPN protocols ---" jump-target=Input-VPN
add action=accept chain=input comment="--- UDP BTest with addresslist Btest ---" dst-port=2000-3000 protocol=udp src-address-list=BTest
add action=accept chain=input comment="--- TCP BTest with addresslist Btest ---" dst-port=2000 protocol=tcp src-address-list=BTest
add action=add-src-to-address-list address-list=portscan address-list-timeout=2d chain=input comment="--- Portscan Rules ---" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=portscan address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=portscan address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=portscan address-list-timeout=2w chain=input comment="--- Portscan Rules ---" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="--- Drop all unallowed input traffic ---" src-address-list=!Monit
add action=accept chain=Input-VPN comment="--- VPN protocols ---" dst-port=500,1194,1701,4500 protocol=udp
add action=accept chain=Input-VPN dst-port=1194,1723 protocol=tcp
add action=accept chain=Input-VPN protocol=ipsec-esp
add action=accept chain=Input-VPN protocol=ipsec-ah
add action=accept chain=Input-VPN protocol=gre
add action=return chain=Input-VPN comment="--- VPN protocols ---"
add action=accept chain=ICMP comment="--- ICMP flood check ---" limit=15k,150:packet protocol=icmp
add action=drop chain=ICMP protocol=icmp
add action=return chain=ICMP comment="--- ICMP flood check ---"
A packet passes through the rules until it reaches a jump; there it jumps into the new chain, where further checks are done.
If the packet passes through the whole chain, it returns back to just after the jump rule and continues on through the firewall.
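Added example (my own, not from the post): a small Python model of how a packet walks the forward chain, jumps into detect-ddos and resumes right after the jump on a return or on falling off the chain's end, using the DDoS rules from the post above. The addresses, list contents and scaled-down bursts (3 standing in for 1500, 15 for 15k) are constructed, and there is no timing.

```python
from collections import defaultdict
# Constructed model state. Real limit/dst-limit are timed token buckets; here they are
# plain counters with scaled-down bursts (no timing), enough to show the control flow.
LISTS = defaultdict(set)
LISTS["DNS"] = {"10.0.0.53"}          # constructed: the resolver we want exempted
COUNTERS = defaultdict(int)
def in_list(name, addr):
    return addr in LISTS[name]
def rate_ok(key, burst):
    COUNTERS[key] += 1
    return COUNTERS[key] <= burst
# (match predicate, action) per chain, in the order the rules appear in the post.
RULES = {
    "forward": [
        (lambda p: p["state"] == "new", ("jump", "detect-ddos")),
        (lambda p: in_list("ddoser", p["src"]) and in_list("ddosed", p["dst"]), ("drop",)),
    ],
    "detect-ddos": [
        (lambda p: p["proto"] == "udp" and in_list("DNS", p["src"]), ("return",)),
        (lambda p: p["proto"] == "udp" and in_list("DNS", p["dst"]), ("return",)),
        (lambda p: p["proto"] == "tcp" and p.get("syn") and rate_ok("syn", 15), ("accept",)),
        (lambda p: p["proto"] == "tcp" and p.get("syn"), ("drop",)),
        (lambda p: rate_ok(("pair", p["src"], p["dst"]), 3), ("return",)),  # 3 stands in for 1500
        (lambda p: True, ("add-dst", "ddosed")),
        (lambda p: True, ("add-src", "ddoser")),
    ],
}

def run_chain(chain, pkt):
    """Walk one chain top-down; return 'accept'/'drop', or None on return/fall-off."""
    for match, action in RULES[chain]:
        if not match(pkt):
            continue
        kind = action[0]
        if kind in ("accept", "drop"):
            return kind
        if kind == "return":
            return None
        if kind == "jump":
            sub = run_chain(action[1], pkt)
            if sub is not None:
                return sub            # sub-chain decided; otherwise resume after the jump
        elif kind == "add-dst":
            LISTS[action[1]].add(pkt["dst"])   # non-terminating: the walk continues
        elif kind == "add-src":
            LISTS[action[1]].add(pkt["src"])
    return None
def verdict(pkt):
    return run_chain("forward", pkt) or "accept"   # no match at all: default accept
```

The fourth packet of the same src/dst pair exceeds the pair burst, gets both addresses listed, falls off detect-ddos, resumes after the jump and is dropped by the very next forward rule.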