# Reset: wipe the built-in chains (input/forward/output, srcnat/dstnat) and the
# jumps into the user-* chains so the rules added below start from a known state.
# This removes EVERY rule in those chains, not only ones this file created; the
# user-input/user-forward/user-output chains themselves are left untouched.
# on-error={} swallows failures, so a remove that errors leaves stale rules in
# front of the ones added below — worth checking the resulting rule list after a run.
:do {
/ip firewall filter
remove [find chain=input]
# forward rules with action=passthrough survive the reset (presumably managed elsewhere — confirm)
remove [find chain=forward action!=passthrough]
remove [find chain=output]
# "icmp" looks like an older name for the chain now called "core-icmp"
remove [find chain=icmp]
remove [find jump-target="user-input"]
remove [find jump-target="user-forward"]
remove [find jump-target="user-output"]
remove [find chain="core-icmp"]
/ip firewall nat
remove [find chain=srcnat]
remove [find chain=dstnat]
} on-error={}

/ip firewall filter
# INPUT — traffic addressed to the router itself. First match wins, so order matters.
add chain=input action=accept comment="accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=drop comment="drop connection-state=invalid" connection-state=invalid
# Sits below the established/related accept, so an address added to "bans" is
# blocked for NEW connections only; its already-tracked sessions keep matching
# the first rule. Move this rule above it if a ban must also cut existing sessions.
add chain=input action=drop comment="drop banned" src-address-list=bans
add chain=input action=jump comment="check ICMP" jump-target="core-icmp" protocol=icmp
# Management services are reachable only from interfaces in the LAN list.
add chain=input action=accept comment="accept SSH and HTTP (LAN only)" in-interface-list=LAN protocol=tcp dst-port=22,80
add chain=input action=accept comment="accept WinBox and API (LAN only)" in-interface-list=LAN protocol=tcp dst-port=8291,8728

# add chain=input action=accept comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

# Hook for site-specific input rules; the user-input chain is not defined in this file.
add chain=input action=jump jump-target="user-input" comment="forward to user-input"
# Two separate drops — presumably so counters distinguish non-LAN noise from unmatched LAN traffic.
add chain=input action=drop comment="drop all not coming from LAN" in-interface-list=!LAN
add chain=input action=drop comment="drop all other"

# FORWARD — routed traffic. Nothing is accepted at this level: everything that
# should pass must be accepted in user-forward (not defined here). There is also
# no established/related or invalid handling in this chain — presumably
# user-forward covers it; confirm before relying on it.
add chain=forward action=jump jump-target="user-forward" comment="forward to user-forward"
add chain=forward action=drop comment="drop all other"

# OUTPUT — router-originated traffic. Unlike input/forward there is no final drop,
# so anything not handled in user-output falls through to the chain default (accept).
add chain=output action=jump jump-target="user-output" comment="forward to user-output"

# core-icmp: allow-list of ICMP type:code pairs needed for basic reachability and
# path-MTU discovery; every other ICMP type/code is dropped.
add chain="core-icmp" protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain="core-icmp" protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain="core-icmp" protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
# 3:4 is "fragmentation needed and DF set" — required for path-MTU discovery to work
add chain="core-icmp" protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
# echo request is accepted without any rate limit
add chain="core-icmp" protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
# 11:0 = TTL exceeded in transit (traceroute replies)
add chain="core-icmp" protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
# 12:0 = parameter problem, pointer indicates the error
add chain="core-icmp" protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain="core-icmp" action=drop comment="deny all other types"