initial commit

example/0_0-initial.rsc

@@ -0,0 +1,42 @@
+/system identity set name="MT"
+
+/interface bridge
+add name="bridge"
+
+/interface ethernet
+set [ find default-name=sfp1 ] disabled=yes
+
+/interface list
+add name=LAN
+add name=WAN
+
+/ip address
+add address=192.168.1.1/24 interface="bridge"
+
+/interface list member
+add interface="bridge" list=LAN
+
+/interface bridge port
+add bridge="bridge" interface=ether2
+add bridge="bridge" interface=ether3
+add bridge="bridge" interface=ether4
+add bridge="bridge" interface=ether5
+add bridge="bridge" interface=ether6
+add bridge="bridge" interface=ether7
+add bridge="bridge" interface=ether8
+add bridge="bridge" interface=ether9
+add bridge="bridge" interface=ether10
+
+/user set admin password="{{ admin_pass }}"
+
+#######################
+# SSH
+#######################
+{{ load_file("host-keys/ssh_host_private_key_dsa", "ssh_host_private_key_dsa.txt") }}
+{{ load_file("host-keys/ssh_host_private_key_rsa", "ssh_host_private_key_rsa.txt") }}
+/ip ssh import-host-key private-key-file=ssh_host_private_key_dsa.txt
+/ip ssh import-host-key private-key-file=ssh_host_private_key_rsa.txt
+
+{{ load_file("~/.ssh/id_rsa.pub", "pcl_id_rsa.pub.txt") }}
+/user ssh-keys import user=admin public-key-file=pcl_id_rsa.pub.txt
+

example/0_1-security.rsc

@@ -0,0 +1 @@
+{% include 'security.rsc' %}

example/0_2-firewall.rsc

@@ -0,0 +1 @@
+{% include 'firewall_router.rsc' %}

example/1-logging.rsc

@@ -0,0 +1,11 @@
+/system logging action remove [find default=no]
+/system logging remove [find default=no]
+
+/system logging action
+add name=pc2 remote=192.168.1.2 remote-port=1514 target=remote
+
+/system logging
+add action=pc2 prefix=MT topics=critical
+add action=pc2 prefix=MT topics=error
+add action=pc2 prefix=MT topics=warning
+add action=pc2 prefix=MT topics=info

example/2-ntp.rsc

@@ -0,0 +1,13 @@
+/system ntp client
+set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=162.159.200.1
+
+/system ntp server
+set enabled=yes
+
+/ip firewall filter
+add chain="user-input" action=jump jump-target="user-input-ntp" comment="NTP rules"
+add chain="user-input-ntp" \
+    action=accept \
+    in-interface-list=LAN protocol=udp dst-port=123 \
+    comment="accept NTP (LAN)"
+{{ rollback_delete_chain("user-input-ntp") }}

example/3-port-forwarding.rsc

@@ -0,0 +1,7 @@
+/ip firewall nat
+add chain="user-dstnat" action=jump jump-target="user-dstnat-port-forwarding" comment="port forwarding"
+
+add chain="user-dstnat-port-forwarding" action=dst-nat comment="port forwarding -> HTTP" dst-port=80,443 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.1.2
+add chain="user-dstnat-port-forwarding" action=dst-nat comment="port forwarding -> SSH"  dst-port=1234   in-interface-list=WAN   protocol=tcp to-addresses=192.168.1.2 to-ports=22322
+
+{{ rollback_delete_chain("user-dstnat-port-forwarding") }}

example/README.md

@@ -0,0 +1,6 @@
+# Important notes
+
+* These example files are provided **ONLY** as an example of project structure.
+  Although it contains a lot of solutions from my configuration files,
+  it is not meant to be used as an example Mikrotik configuration,
+* Example generated SSH keys **SHOULD NOT** be used in your project.

example/common/firewall_router.rsc

@@ -0,0 +1,83 @@
+:do {
+	/ip firewall filter
+	remove [find chain=input]
+	remove [find chain=forward action!=passthrough]
+	remove [find chain=output]
+
+	remove [find chain=icmp]
+	remove [find jump-target="user-input"]
+	remove [find jump-target="user-forward"]
+	remove [find jump-target="user-output"]
+
+	remove [find chain="core-icmp"]
+
+	/ip firewall nat
+	remove [find chain=srcnat]
+	remove [find chain=dstnat]
+} on-error={}
+
+/ip firewall filter
+# INPUT
+add chain=input action=accept comment="accept established,related,untracked" connection-state=established,related,untracked
+add chain=input action=drop   comment="drop connection-state=invalid"        connection-state=invalid
+add chain=input action=drop   comment="drop banned" src-address-list=bans
+add chain=input action=jump   comment="check ICMP" jump-target="core-icmp"   protocol=icmp
+add chain=input action=accept comment="accept SSH and HTTP (LAN only)"   in-interface-list=LAN protocol=tcp  dst-port=22,80
+add chain=input action=accept comment="accept WinBox and API (LAN only)" in-interface-list=LAN protocol=tcp  dst-port=8291,8728
+add chain=input action=accept comment="accept DNS and DHCP (LAN only)"   in-interface-list=LAN protocol=udp  dst-port=53,67,68
+# add chain=input action=accept comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
+
+add chain=input action=jump jump-target="user-input" comment="forward to user-input"
+add chain=input action=drop   comment="drop all not coming from LAN" in-interface-list=!LAN
+add chain=input action=drop   comment="drop all other"
+
+# FORWARD
+add chain=forward action=fasttrack-connection comment="fasttrack"              connection-state=established,related
+add chain=forward action=accept comment="accept established,related,untracked" connection-state=established,related,untracked
+add chain=forward action=drop   comment="drop connection-state=invalid"        connection-state=invalid
+add chain=forward action=drop   comment="drop banned" src-address-list=bans
+add chain=forward action=jump   comment="check ICMP" jump-target="core-icmp" src-address-list=lan in-interface-list=LAN protocol=icmp
+add chain=forward action=accept comment="accept DSTNATed from WAN to LAN"      connection-state=new     in-interface-list=WAN out-interface-list=LAN dst-address-list=lan connection-nat-state=dstnat
+add chain=forward action=accept comment="accept all from LAN to WAN"           connection-state=new     in-interface-list=LAN src-address-list=lan out-interface-list=WAN
+add chain=forward action=accept comment="accept all between LAN interfaces"    connection-state=new     in-interface-list=LAN src-address-list=lan out-interface-list=LAN dst-address-list=lan
+# add chain=forward action=accept comment="accept in ipsec policy" ipsec-policy=in,ipsec
+# add chain=forward action=accept comment="accept out ipsec policy" ipsec-policy=out,ipsec
+
+add chain=forward action=jump jump-target="user-forward" comment="forward to user-forward"
+add chain=forward action=drop                            comment="drop all other"
+
+# OUTPUT
+add chain=output action=jump jump-target="user-output" comment="forward to user-output"
+
+add chain="core-icmp" protocol=icmp icmp-options=0:0  action=accept comment="echo reply"
+add chain="core-icmp" protocol=icmp icmp-options=3:0  action=accept comment="net unreachable"
+add chain="core-icmp" protocol=icmp icmp-options=3:1  action=accept comment="host unreachable"
+add chain="core-icmp" protocol=icmp icmp-options=3:4  action=accept comment="host unreachable fragmentation required"
+add chain="core-icmp" protocol=icmp icmp-options=8:0  action=accept comment="allow echo request"
+add chain="core-icmp" protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
+add chain="core-icmp" protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
+add chain="core-icmp" action=drop                                   comment="deny all other types"
+
+/ip firewall nat
+add chain=srcnat action=masquerade comment="masquerade to WAN" ipsec-policy=out,none out-interface-list=WAN
+
+add chain=srcnat action=jump jump-target="user-srcnat" comment="forward to user-srcnat"
+add chain=dstnat action=jump jump-target="user-dstnat" comment="forward to user-dstnat"
+
+# Address lists
+/ip firewall address-list
+add list=bogons address=0.0.0.0/8       comment="Self-Identification [RFC 3330]"
+add list=bogons address=127.0.0.0/8     comment="Loopback [RFC 3330]"
+add list=bogons address=10.0.0.0/8      comment="Private[RFC 1918] - CLASS A" disabled=no
+add list=bogons address=172.16.0.0/12   comment="Private[RFC 1918] - CLASS B" disabled=no
+add list=bogons address=192.168.0.0/16  comment="Private[RFC 1918] - CLASS C" disabled=yes
+add list=bogons address=169.254.0.0/16  comment="Link Local [RFC 3330]"
+add list=bogons address=192.88.99.0/24  comment="6to4 Relay Anycast [RFC 3068]"
+add list=bogons address=198.18.0.0/15   comment="NIDB Testing"
+add list=bogons address=192.0.2.0/24    comment="Reserved - IANA - TestNet1"
+add list=bogons address=198.51.100.0/24 comment="Reserved - IANA - TestNet2"
+add list=bogons address=203.0.113.0/24  comment="Reserved - IANA - TestNet3"
+add list=bogons address=224.0.0.0/4     comment="MC, Class D, IANA"           disabled=no
+{% call register_cleanup() %}
+/ip firewall address-list remove [find list=bogons]
+{% endcall %}

example/common/firewall_switch.rsc

@@ -0,0 +1,59 @@
+:do {
+	/ip firewall filter
+	remove [find chain=input]
+	remove [find chain=forward action!=passthrough]
+	remove [find chain=output]
+
+	remove [find chain=icmp]
+	remove [find jump-target="user-input"]
+	remove [find jump-target="user-forward"]
+	remove [find jump-target="user-output"]
+
+	remove [find chain="core-icmp"]
+
+	/ip firewall nat
+	remove [find chain=srcnat]
+	remove [find chain=dstnat]
+} on-error={}
+
+/ip firewall filter
+# INPUT
+add chain=input action=accept comment="accept established,related,untracked" connection-state=established,related,untracked
+add chain=input action=drop   comment="drop connection-state=invalid"        connection-state=invalid
+add chain=input action=drop   comment="drop banned" src-address-list=bans
+add chain=input action=jump   comment="check ICMP" jump-target="core-icmp"   protocol=icmp
+add chain=input action=accept comment="accept SSH and HTTP (LAN only)"   in-interface-list=LAN protocol=tcp  dst-port=22,80
+add chain=input action=accept comment="accept WinBox and API (LAN only)" in-interface-list=LAN protocol=tcp  dst-port=8291,8728
+
+# add chain=input action=accept comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
+
+add chain=input action=jump jump-target="user-input" comment="forward to user-input"
+add chain=input action=drop   comment="drop all not coming from LAN" in-interface-list=!LAN
+add chain=input action=drop   comment="drop all other"
+
+# FORWARD
+
+
+
+
+
+
+
+
+
+
+
+add chain=forward action=jump jump-target="user-forward" comment="forward to user-forward"
+add chain=forward action=drop                            comment="drop all other"
+
+# OUTPUT
+add chain=output action=jump jump-target="user-output" comment="forward to user-output"
+
+add chain="core-icmp" protocol=icmp icmp-options=0:0  action=accept comment="echo reply"
+add chain="core-icmp" protocol=icmp icmp-options=3:0  action=accept comment="net unreachable"
+add chain="core-icmp" protocol=icmp icmp-options=3:1  action=accept comment="host unreachable"
+add chain="core-icmp" protocol=icmp icmp-options=3:4  action=accept comment="host unreachable fragmentation required"
+add chain="core-icmp" protocol=icmp icmp-options=8:0  action=accept comment="allow echo request"
+add chain="core-icmp" protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
+add chain="core-icmp" protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
+add chain="core-icmp" action=drop                                   comment="deny all other types"

example/common/security.rsc

@@ -0,0 +1,24 @@
+{ :local ver [/system resource get version]; :global vermajor [:pick $ver 0 [:find $ver "."]] }
+
+/ip neighbor discovery-settings set discover-interface-list=none
+
+/ip ipsec policy set 0 disabled=yes
+
+:if ($vermajor = 7) do={ /ipv6 settings set disable-ipv6=yes }
+:if ($vermajor = 6) do={ /system package disable ipv6 }
+
+/tool mac-server set allowed-interface-list=none
+/tool mac-server mac-winbox set allowed-interface-list=none
+/tool mac-server ping set enabled=no
+
+/ip service set api     disabled=yes
+/ip service set api-ssl disabled=yes
+/ip service set ftp     disabled=yes
+/ip service set telnet  disabled=yes
+/ip service set winbox  disabled=no
+
+/tool bandwidth-server set enabled=no
+
+/ip ssh set strong-crypto=yes host-key-size=4096 forwarding-enabled=both always-allow-password-login=yes
+
+/ip settings set rp-filter={{ rp_filter | default("strict") }} secure-redirects=no tcp-syncookies=yes

example/config.yml

@@ -0,0 +1,9 @@
+has_flash: false
+
+host: 192.168.1.1
+
+include_dirs:
+  - common/
+
+variables:
+  admin_pass: "pass"

example/host-keys/ssh_host_private_key_dsa

@@ -0,0 +1,9 @@
+-----BEGIN PRIVATE KEY-----
+MIIBSgIBADCCASsGByqGSM44BAEwggEeAoGBAI3m06Sl+2TgMzx9an3BRwuMD56J
+VrrWrTlVdcNYaxgquiv3osjFHs+kEAn8jY+pPFKCM9lpfoTj8FT0qPkKtsZ+LcB9
+YrxS4bsW8LGvnQScpZcrqFze4Ec0AF+7vYhP9pBHESlxlgEsOIDZvBsVErS/U7WM
+wgnIgrY0e/i2GaJZAhUAi0LIo6w4dKsjKCMN/j6X5/1YKAkCgYA8Hr5VfkCNYbMf
+J7amr+SilmkBLuQUn0+pV4FvGdPCa9EY0gxCP+0N82aintU7HfqOqE9pdtwFrbXU
++/GyXJIuNME3y4JAvdFkJ18vAUVM0+7rGQ22BxdwrkBT3DUXV+9xjkYAh+6mpWOf
+S6Iyga1TE3nNlHtaP6KgBS7tdlcBxwQWAhRurYPs9TMeP1mlge45J3hbBO4Jbg==
+-----END PRIVATE KEY-----

example/host-keys/ssh_host_private_key_dsa.pub

@@ -0,0 +1 @@
+ssh-dss AAAAB3NzaC1kc3MAAACBAI3m06Sl+2TgMzx9an3BRwuMD56JVrrWrTlVdcNYaxgquiv3osjFHs+kEAn8jY+pPFKCM9lpfoTj8FT0qPkKtsZ+LcB9YrxS4bsW8LGvnQScpZcrqFze4Ec0AF+7vYhP9pBHESlxlgEsOIDZvBsVErS/U7WMwgnIgrY0e/i2GaJZAAAAFQCLQsijrDh0qyMoIw3+Ppfn/VgoCQAAAIA8Hr5VfkCNYbMfJ7amr+SilmkBLuQUn0+pV4FvGdPCa9EY0gxCP+0N82aintU7HfqOqE9pdtwFrbXU+/GyXJIuNME3y4JAvdFkJ18vAUVM0+7rGQ22BxdwrkBT3DUXV+9xjkYAh+6mpWOfS6Iyga1TE3nNlHtaP6KgBS7tdlcBxwAAAIBFHqQTevlpTRONMZ40oxL4/DOz8If1ja7WTx4hH3HXWtvDEZii57FDv/xpUkCpP0dqp4NcaPWxZ5XH8+mdKR3zPxD8L+1S4NnleoPFtSMQU5v/Zcq7R79FGC0kaocjQN/a2XQOzifaeXx0nSD49l36bpkkMXYCBH0/l9HOD3xRkg== krystiand@PCL

example/host-keys/ssh_host_private_key_rsa

@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/wIBADANBgkqhkiG9w0BAQEFAASCBukwggblAgEAAoIBgQDzut9yM/svAKF9
+3i6/E7HxknDdKdRZDS4vYjaBkiEg+bKI4abH/PeDN039ojunHS71rhoOzaU0CU3c
+H5r/yf0G7t3yTjZ+HAtwdX+jZUGITFErETteAcYrwb/aF5oxP6K92vh5EfyjywAd
+9l4n/ZYjox3b/2Uvn7C42+altSfEOkXRtsTfo9GnkkRYGFPyC+U3RN3GXP24Gm7W
+2ZDRmg1hrUkVaNGqxz+oyCyUFevspjRyXDMmnhwG8Jl687/Jld4OOmhD++Mv8qUX
+xaVOrF5aey9HPZvJCIktepFNPVXdx1f0zpmq7UU8dkghK90/4kxoGFe5Tt9Kxh4s
+9jAKdRRhCinTXZJ6u+vrDB30Fv5tRvbwa1eF5R12jTavLSDvKjT4aMBXDvXLO6B+
+dkvEgdrFMraP/iuWN9Efcv4zH/z8UYE510ou2H+FwjRBSrqROzn2waNsY1nLHoDh
+cP3crx6yHAAsa7xxUSt5qht2aJqFy0PnCI41j+qpCE+VaT6XpO0CAwEAAQKCAYEA
+hkMdMAYeiqfoTjQEwFGTJqYq8kpGpb+y/3s012+uPEIQ7YKQo35gwrHGjr+96LMU
+2VXNGPaD2QR/FZF7iwi0EAupy/712caNLqgrZdEzpmeUFwtpDsIfbp9Olk+GKzcI
+6Vkko10bNQdwyxCakaEKAhurKTOpg/COI2dPyVzfySLorzvle+T8azkR2Q2dwKp4
+3FddbBZx1ecJw+UZ97zLPlF8/wQ867zS/qE2nWTuD/EG1zCfJNjYS6Jiie6Yae3Z
+z/vNaL42NGTmgs8CpNZvgDtDWY4PhXE3b5BcciKiGsVeW5t6i7iD65jTq9kL3jMJ
+r9nXC/ocqStW+8XesgQijdvOdaU3UVe1TfaMmT3TgBf3VISeZ0kCvycolpQljQkP
+UIgPtt2sbuRwvRQDwxkNCmtHEgHqyM5N4baIRZnoItZ9hHsVIq8n72PYpqk7MIke
+QWCauclHbIqi7lgXDLipshjNrcHsIOZqr3x1aLHKlZ7EVU3XDrHxdiXoLIpIYgTp
+AoHBAPq6krKd5jAe5B1eM3pBmygg6NZoFFCj0L7CFf0Glzp22H+G+Pt8+UW5L+AW
+sBJKY38M2/1h7uc1uM6Rpr3hE0Ic9eEbrpI/YQsTpQ+mdWLg/ZYUWTXnPrYfUAaG
+VU5QdqeqQS84kI7KaSP0Hs02OyQM7BVFEUmlmyj26iqc6gr20bf1V8HPOR4C5ZlK
+kKBVZN8dqBjbYkD7Gz3lkmM4as/SNP1BsOSYFdooKPTJapEv4Fk3EoHEBjlTS0UY
+DgLPRwKBwQD42qHJDGuvk8zzKRNvZ6d68fDcS6wQP96Iu1/wQCGpQq0z1LIB224v
+LYj/JTRGQ4NnNi3Y/ZHtbXqMfhMp3mna73EA/qy8bgeYFTcadLpaJdGN/b1CmAO1
+ez+Ge1c6WkXT487S4JGmdgMqxDOGPp4doqOY6Ny60Ik2FpPXQasVGkvtqW8sPIZG
+/QNU85I8xP7P+Pz3+Mpp40xGP3cR0sigeuS8fbhPOc24h+IajWwesJAgrA3jEoDr
+mxqecVkcjCsCgcEAlNF2zyPfhAJh3XiTT2ZvZIMcEF7YaADDnuXuTS/DRUVTPWZs
+lEDaZ+MCIpz0xvZ2VevZC208cum1Fo7nDF7yolQ0MPfQRyftPrjbSQ3BMP5gJdtQ
+FCl8VHcDdcv4CDLEKsJoTFHjo41KmLeGLMGamsw8uGc1WqQ8EzVzSfW3COj1E55B
+B10rBsArbTAP5cqpw7CDnLVifTVONw/zModDBrU7FHMQPq5ykfkyThDa+vAS1oFU
+r8cc9puU2p7reglzAoHBAJ2uOtEfc6Re7IAuyMfQUAjRAKM1t6LcNW9B+vpKSInt
+W735yYjvtxNhsOqqckMLSFm/tLFHio18zyfyQsZGzaASE/JjbKRAu8MbvjyfNe0l
+BXEJFED7/W2i2I+n249338LxF/36mY92O29/vn4TczCn+y1Kb4JX3HlPOQIt8+99
+KBtBPtYyy4pziwbrBwBGeobg57lgBTGu+oeQcyvx+XnmJMVii8R3heilARl9/sI7
+cjehjXMSKGohb25xt9sk3QKBwHHpzCekB+00eeuo3vniIkcshqP3LZiBeQganuF0
+W/1ML+Ew/sZCsWL9GErbP1D0o+oZbNv61dIEMbVLSZFBulghz047THFeYfSD2BW4
+qUB1zOlIwMbFirrf5SuIcwE2W+0SboWD48xRxtE1cwSgDU/PY5DPuzZSHDopATa5
+aNtzlI80LV5+t9IYkVBdzsYHk7RNKN8JBDqIrsb+byiGKG2ATjiFHlxq2lCNrqc1
+k438geLC6lhQaxj0UMS1/PvURQ==
+-----END PRIVATE KEY-----

example/host-keys/ssh_host_private_key_rsa.pub

@@ -0,0 +1,11 @@
+-----BEGIN PUBLIC KEY-----
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA87rfcjP7LwChfd4uvxOx
+8ZJw3SnUWQ0uL2I2gZIhIPmyiOGmx/z3gzdN/aI7px0u9a4aDs2lNAlN3B+a/8n9
+Bu7d8k42fhwLcHV/o2VBiExRKxE7XgHGK8G/2heaMT+ivdr4eRH8o8sAHfZeJ/2W
+I6Md2/9lL5+wuNvmpbUnxDpF0bbE36PRp5JEWBhT8gvlN0Tdxlz9uBpu1tmQ0ZoN
+Ya1JFWjRqsc/qMgslBXr7KY0clwzJp4cBvCZevO/yZXeDjpoQ/vjL/KlF8WlTqxe
+WnsvRz2byQiJLXqRTT1V3cdX9M6Zqu1FPHZIISvdP+JMaBhXuU7fSsYeLPYwCnUU
+YQop012Servr6wwd9Bb+bUb28GtXheUddo02ry0g7yo0+GjAVw71yzugfnZLxIHa
+xTK2j/4rljfRH3L+Mx/8/FGBOddKLth/hcI0QUq6kTs59sGjbGNZyx6A4XD93K8e
+shwALGu8cVEreaobdmiahctD5wiONY/qqQhPlWk+l6TtAgMBAAE=
+-----END PUBLIC KEY-----