目录标题
- 实现的目标
- 防火墙设置
- 添加地址列表
- 重定向非DNS列表里的客户端DNS到主路由(可选)
- 添加规则
实现的目标
防火墙设置
添加地址列表
```
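# Address lists referenced by the IPv4 firewall rules.
# One "add" command per line: in the original listing several commands were
# run together on a single line (e.g. "...list=local_LAN_ipv4/ip firewall ..."),
# which the RouterOS console cannot parse when the block is pasted.

# Upstream modem and the local LAN prefix
/ip firewall address-list add address=192.168.1.1 comment="local moden ipv4" list=local_moden_ipv4
/ip firewall address-list add address=192.168.0.0/24 comment="local LAN ipv4" list=local_LAN_ipv4

# Permitted LAN DNS servers; the DNS dst-nat rules match on !local_DNS_ipv4,
# so only traffic to these hosts is left untouched
/ip firewall address-list add address=192.168.0.1 comment="local DNS ipv4" list=local_DNS_ipv4
/ip firewall address-list add address=192.168.0.5 comment="local DNS ipv4" list=local_DNS_ipv4

# Ranges that must never appear as source or destination in the forward chain
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4

# RFC 6890 special-purpose ranges (loopback, IETF protocol assignments,
# documentation prefixes, reserved class E)
/ip firewall address-list add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
/ip firewall address-list add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
/ip firewall address-list add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4

# RFC 6890 ranges that are not globally routable (private, link-local,
# shared address space, benchmarking); note 192.168.0.0/16 covers the LAN itself
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4

# Addresses that are never valid as a packet source
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4

# Addresses that are never valid as a packet destination
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4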
重定向非DNS列表里的客户端DNS到主路由(可选)
# Optional: force LAN clients to the local resolver. Any UDP/TCP port 53 request
# from a LAN-list interface whose destination is NOT in local_DNS_ipv4 is
# dst-nat'ed to 192.168.0.1:53. Only plaintext DNS on port 53 is covered:
# DNS over TLS (853) and DNS over HTTPS (443) are not matched, so clients using
# those still reach their own resolver.
# 192.168.0.1 is itself a member of local_DNS_ipv4, so the rewritten
# destination is not matched again by these rules.
/ip firewall nat add action=dst-nat chain=dstnat comment="lanconf: DNS dstnat to DNS Server(UDP)" dst-address-list=!local_DNS_ipv4 dst-port=53 in-interface-list=LAN protocol=udp to-addresses=192.168.0.1 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat comment="lanconf: DNS dstnat to DNS Server(TCP)" dst-address-list=!local_DNS_ipv4 dst-port=53 in-interface-list=LAN protocol=tcp to-addresses=192.168.0.1 to-ports=53
添加规则
# Filter rules. "add" appends, so the rules take effect in the order listed
# here; the first matching terminal action (accept/drop/fasttrack) wins.

# input: accept established, related and untracked traffic
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# input: drop packets connection tracking marks invalid
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# input: accept ICMP only from LAN-list interfaces
/ip firewall filter add action=accept chain=input comment="defconf: accept icmp from lan" in-interface-list=LAN protocol=icmp
# input: accept IGMP from any interface. Not restricted to an interface list;
# NOTE(review): presumably needed for IPTV multicast - confirm whether it can
# be limited to the interface that carries it.
/ip firewall filter add action=accept chain=input comment="defconf: accept igmp" protocol=igmp
# input: default deny - drop everything not arriving from a LAN-list interface.
# Every input rule added AFTER this one can only ever match LAN-side packets.
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from lan" in-interface-list=!LAN
# forward: accept traffic covered by an inbound IPsec policy
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
# forward: accept traffic covered by an outbound IPsec policy
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# forward: fasttrack established/related connections (software path, hw-offload=no).
# Fasttracked packets bypass the remaining filter and mangle rules, so rules
# below this one only see a connection's initial packets.
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=no
# forward: accept established, related and untracked traffic
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# forward: drop invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# forward: drop new connections from WAN-list interfaces that were not dst-nat'ed
# (i.e. not covered by a port-forward). log=yes on a default-drop rule writes one
# entry per unsolicited packet; expect high log volume on a public WAN.
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
# forward: same default deny for the MODEN interface list (modem-side traffic)
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from Moden not dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=MODEN log=yes log-prefix="[fw_modem-not-dnat]" # for reaching the modem
# input: drop WAN sources listed in BlockIP.
# NOTE(review): as ordered here this rule sits after "drop all not coming from lan",
# which already drops every input packet from non-LAN interfaces, so it (and the
# three add-src-to-address-list rules below) never sees WAN traffic unless the WAN
# interfaces are also members of the LAN list. If the scan blocking is meant to be
# active, add these rules before that drop (place-before=) and keep this drop
# rule ahead of the list-building rules.
/ip firewall filter add action=drop chain=input comment="block ip" in-interface-list=WAN src-address-list=BlockIP
# input: port-scan detection (psd=21,5s,3,1) on TCP RST from WAN to any port other
# than 53/853 adds the source to BlockIP for one week. Same ordering caveat as above.
# NOTE(review): the 53/853 exemption implies the router is expected to answer DNS
# from WAN; confirm that is intended, since a WAN-reachable resolver is an open
# resolver. Stray RSTs are also likely already dropped as invalid further up.
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=tcp psd=21,5s,3,1 tcp-flags=rst
# input: same for TCP SYN from WAN to ports other than 53/853
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=tcp psd=21,5s,3,1 tcp-flags=syn
# input: same for UDP from WAN to ports other than 53/853
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=udp psd=21,5s,3,1
# forward: drop packets whose source is in no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
# forward: drop packets whose destination is in no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4