/ ip firewall mangle
add chain=prerouting protocol=tcp src-port=1863 action=mark-packet \
new-packet-mark=msn-out passthrough=yes comment="regras de msn" disabled=no
add chain=prerouting protocol=tcp dst-port=1863 action=mark-packet \
new-packet-mark=msn-in passthrough=yes comment="" disabled=no
add chain=output protocol=tcp src-port=3128 content="X-Cache: HIT" \
action=mark-connection new-connection-mark=squid-connection-HIT \
passthrough=yes comment="Cache-squid" disabled=no
add chain=output connection-mark=squid-connection-HIT action=mark-packet \
new-packet-mark=squid-packet-HIT passthrough=no comment="" disabled=no
add chain=prerouting in-interface=bridge1 src-address=10.0.0.0/8 \
action=mark-packet new-packet-mark=test-up passthrough=no comment="UP \
TRAFFIC" disabled=no
add chain=forward src-address=10.0.0.0/8 action=mark-connection \
new-connection-mark=test-conn passthrough=yes comment="CONN-MARK" \
disabled=no
add chain=forward in-interface=Link_internet connection-mark=test-conn \
action=mark-packet new-packet-mark=test-down passthrough=no \
comment="DOWN-DIRECT CONNECTION" disabled=no
add chain=output out-interface=bridge1 dst-address=10.0.0.0/8 \
action=mark-packet new-packet-mark=test-down passthrough=no comment="DOWN \
VIA PROXY" disabled=no
add chain=prerouting content=youtube action=mark-connection \
new-connection-mark=YTB passthrough=yes comment="YOUTUBE" disabled=no
add chain=postrouting content=youtube action=mark-connection \
new-connection-mark=YTB passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=YTB action=mark-packet \
new-packet-mark=youtube passthrough=yes comment="" disabled=no
add chain=postrouting connection-mark=YTB action=mark-packet \
new-packet-mark=youtube passthrough=yes comment="" disabled=no
add chain=forward protocol=icmp action=change-ttl new-ttl=set:30 \
comment="Filtro Tracert / Traceroute" disabled=no
add chain=prerouting p2p=all-p2p action=mark-connection \
new-connection-mark=p2p_conn passthrough=yes comment="regra de p2p emule \
shareaza etc..." disabled=no
add chain=prerouting connection-mark=p2p_conn action=mark-packet \
new-packet-mark=p2p passthrough=yes comment="" disabled=no
/ ip firewall nat
add chain=srcnat src-address=0.0.0.0/0 dst-address=0.0.0.0/0 action=masquerade \
comment="" disabled=no
add chain=dstnat in-interface=Link_internet src-address=10.0.0.0/8 protocol=tcp \
dst-port=80 action=redirect to-ports=3128 comment="proxy" disabled=no
add chain=srcnat src-address=10.0.0.0/8 action=masquerade comment="masquerade \
hotspot network" disabled=no
add chain=dstnat protocol=tcp dst-port=27015 action=dst-nat \
to-addresses=10.100.1.12 to-ports=27015 comment="regra para libeta porta \
cs" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall filter
add chain=input in-interface=Link_internet protocol=tcp dst-port=3128 \
action=drop comment="bloquear proxy externo" disabled=no
add chain=input src-address=0.0.0.0/0 dst-address=0.0.0.0/0 action=accept \
comment="" disabled=no
add chain=output src-address=0.0.0.0/0 dst-address=0.0.0.0/0 action=accept \
comment="" disabled=no
add chain=forward p2p=all-p2p action=drop comment="CONTROLE DE WAREZ - P2P" \
disabled=no
add chain=forward protocol=udp dst-port=0 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=0 action=drop comment="" disabled=no
add chain=forward action=drop comment="Controle de Acesso de Cliente por \
Horario" disabled=yes
add chain=input action=jump jump-target=virus comment="!!! Check for well-known \
viruses !!!" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" \
disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \
disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \
disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop \
Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop \
MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \
OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop \
Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" \
disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" \
disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" \
disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \
Agobot, Gaobot" disabled=no
add chain=forward protocol=udp dst-port=0 action=drop comment="WAREZ" \
disabled=no
add chain=forward protocol=udp src-port=0 action=drop comment="" disabled=no
add chain=forward p2p=warez action=drop comment="" disabled=no
add chain=input protocol=udp action=jump jump-target=UDP comment="ICMP" \
disabled=no
/ ip firewall address-list
add list=youtube address=64.15.116.0/24 comment="youtube" disabled=no
add list=youtube address=74.125.9.0/24 comment="" disabled=no
add list=youtube address=208.117.235.0/24 comment="" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes