



    Regras - Mangle, simple queue, queue tree, queue types

    OLÁ A TODOS, COLOCO AS MINHAS REGRAS AQUI PARA O PESSOAL QUE QUEIRA DEIXAR SEU SERVER UM POUCO MAIS EFICIENTE




    [eniak@MikroTik] ip firewall mangle>
    Flags: X - disabled, I - invalid, D - dynamic
    0 ;;; Ajuste de Bloqueio SSH e Telnet
    chain=prerouting protocol=tcp dst-port=20-23
    action=add-src-to-address-list address-list=drop_port_22_23
    address-list-timeout=0s

    1 ;;; Marca Todo Trafego p2p
    chain=prerouting src-address=10.10.10.0/24 p2p=all-p2p
    action=mark-connection new-connection-mark=p2p_conn passthrough=yes

    2 chain=prerouting connection-mark=p2p_conn action=mark-packet
    new-packet-mark=allp2p passthrough=yes

    3 ;;; HTTP
    chain=prerouting protocol=tcp dst-port=80 action=mark-connection
    new-connection-mark=http-down passthrough=yes

    4 chain=prerouting connection-mark=http-down action=mark-packet
    new-packet-mark=HTTP passthrough=yes

    5 ;;; SSL
    chain=prerouting protocol=tcp dst-port=443 action=mark-connection
    new-connection-mark=443_conn passthrough=yes

    6 chain=prerouting connection-mark=443_conn action=mark-packet
    new-packet-mark=HTTP passthrough=yes

    7 ;;; MSN-IN
    chain=prerouting protocol=tcp dst-port=1863 action=mark-connection
    new-connection-mark=msn_in passthrough=yes

    8 chain=prerouting connection-mark=msn_in action=mark-packet
    new-packet-mark=MSN_IN passthrough=yes

    9 ;;; MSN-OUT
    chain=prerouting protocol=tcp src-port=1863 action=mark-connection
    new-connection-mark=msn_out passthrough=yes

    10 chain=prerouting connection-mark=msn_out action=mark-packet
    new-packet-mark=MSN_OUT passthrough=yes

    11 ;;; VOIP-IN
    chain=prerouting protocol=udp dst-port=5060 action=mark-connection
    new-connection-mark=voip_in passthrough=yes

    12 chain=prerouting connection-mark=voip_in action=mark-packet
    new-packet-mark=VOIP_IN passthrough=yes

    13 ;;; VOIP-OUT
    chain=prerouting protocol=udp src-port=5060 action=mark-connection
    new-connection-mark=voip_out passthrough=yes

    14 ;;; Protocol classifier
    chain=prerouting protocol=tcp connection-state=new action=jump
    jump-target=tcp-services

    15 chain=prerouting protocol=udp connection-state=new action=jump
    jump-target=udp-services

    16 chain=prerouting connection-state=new action=jump
    jump-target=other-services

    17 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21
    action=mark-connection new-connection-mark=ftp passthrough=no

    18 chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22
    action=mark-connection new-connection-mark=ssh passthrough=no

    19 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23
    action=mark-connection new-connection-mark=telnet passthrough=no

    20 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25
    action=mark-connection new-connection-mark=smtp passthrough=no

    21 chain=tcp-services protocol=tcp src-port=53 dst-port=53
    action=mark-connection new-connection-mark=dns passthrough=no

    22 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53
    action=mark-connection new-connection-mark=dns passthrough=no

    23 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80
    action=mark-connection new-connection-mark=http passthrough=no

    24 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110
    action=mark-connection new-connection-mark=pop3 passthrough=no

    25 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113
    action=mark-connection new-connection-mark=auth passthrough=no

    26 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119
    action=mark-connection new-connection-mark=nntp passthrough=no

    27 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143
    action=mark-connection new-connection-mark=imap passthrough=no

    28 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162
    action=mark-connection new-connection-mark=snmp passthrough=no

    29 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443
    action=mark-connection new-connection-mark=https passthrough=no

    30 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465
    action=mark-connection new-connection-mark=smtps passthrough=no

    31 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993
    action=mark-connection new-connection-mark=imaps passthrough=no

    32 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995
    action=mark-connection new-connection-mark=pop3s passthrough=no

    33 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723
    action=mark-connection new-connection-mark=pptp passthrough=no

    34 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=2379
    action=mark-connection new-connection-mark=kgs passthrough=no

    35 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3126
    action=mark-connection new-connection-mark=proxy passthrough=no

    36 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3987
    action=mark-connection new-connection-mark=win-ts passthrough=no

    37 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243
    action=mark-connection new-connection-mark=emule passthrough=no

    38 chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535
    action=mark-connection new-connection-mark=overnet passthrough=no

    39 chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535
    action=mark-connection new-connection-mark=emule passthrough=no

    40 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901
    action=mark-connection new-connection-mark=vnc passthrough=no

    41 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669
    action=mark-connection new-connection-mark=irc passthrough=no

    42 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889
    action=mark-connection new-connection-mark=bittorrent passthrough=no

    43 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080
    action=mark-connection new-connection-mark=http passthrough=no

    44 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291
    action=mark-connection new-connection-mark=winbox passthrough=no

    45 chain=tcp-services protocol=tcp action=mark-connection
    new-connection-mark=other-tcp passthrough=no

    46 chain=udp-services protocol=udp src-port=1024-65535 dst-port=53
    action=mark-connection new-connection-mark=dns passthrough=no

    47 chain=udp-services protocol=udp src-port=1024-65535 dst-port=123
    action=mark-connection new-connection-mark=ntp passthrough=no

    48 chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701
    action=mark-connection new-connection-mark=l2tp passthrough=no

    49 chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665
    action=mark-connection new-connection-mark=emule passthrough=no

    50 chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672
    action=mark-connection new-connection-mark=emule passthrough=no

    51 chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535
    action=mark-connection new-connection-mark=emule passthrough=no

    52 chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053
    action=mark-connection new-connection-mark=overnet passthrough=no

    53 chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535
    action=mark-connection new-connection-mark=overnet passthrough=no

    54 chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535
    action=mark-connection new-connection-mark=skype passthrough=no

    55 chain=udp-services protocol=udp connection-state=new
    action=mark-connection new-connection-mark=other-udp passthrough=no

    56 chain=other-services protocol=icmp icmp-options=8:0-255
    action=mark-connection new-connection-mark=ping passthrough=no

    57 chain=other-services protocol=gre action=mark-connection
    new-connection-mark=gre passthrough=no

    58 chain=other-services action=mark-connection new-connection-mark=other
    passthrough=no

    59 chain=prerouting in-interface=wlan1 action=mark-packet
    new-packet-mark=nat-traversal passthrough=no




    TÁ MARCANDO TUDO CERTO
    Última edição por eniak; 15-06-2007 às 18:49.



    SIMPLES QUEUE

    name="REGRA P2P DONW" dst-address=10.10.10.0/24 interface=all parent=none direction=both priority=8
    queue=P2P_UP/P2P_DONW limit-at=0/0 max-limit=128000/256000 total-queue=default-small

    QUEUE TREE

    0 name="P2P-Down" parent=global-in packet-mark=allp2p limit-at=250000 queue=P2P_DONW priority=7 max-limit=250000
    burst-limit=0 burst-threshold=0 burst-time=0s

    1 name="P2P-UP" parent=global-out packet-mark=allp2p limit-at=250000 queue=P2P_UP priority=7 max-limit=250000
    burst-limit=0 burst-threshold=0 burst-time=0s

    2 name="msn-in" parent=global-in packet-mark=MSN_IN limit-at=1024000 queue=MSN-IN priority=1 max-limit=3072000
    burst-limit=0 burst-threshold=0 burst-time=0s

    3 name="msn-out" parent=global-out packet-mark=MSN_OUT limit-at=1024000 queue=MSN-OUT priority=1 max-limit=3072000
    burst-limit=0 burst-threshold=0 burst-time=0s

    4 name="http_down" parent=global-in packet-mark=HTTP limit-at=500000 queue=HTTP_DONW priority=2 max-limit=500000
    burst-limit=0 burst-threshold=0 burst-time=0s

    5 name="voip-in" parent=global-in packet-mark=VOIP_IN limit-at=1024000 queue=default priority=8 max-limit=1024000
    burst-limit=0 burst-threshold=0 burst-time=0s

    6 name="voip-out" parent=global-out packet-mark=VOIP_OUT limit-at=1024000 queue=default priority=8 max-limit=1024000
    burst-limit=0 burst-threshold=0 burst-time=0s


    QUEUES TYPES

    5 name="P2P_DONW" kind=pcq pcq-rate=250000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000

    6 name="P2P_UP" kind=pcq pcq-rate=250000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000

    7 name="HTTP_DONW" kind=sfq sfq-perturb=5 sfq-allot=1514

    8 name="MSN-IN" kind=sfq sfq-perturb=5 sfq-allot=2000

    9 name="MSN-OUT" kind=sfq sfq-perturb=5 sfq-allot=2000
    Última edição por eniak; 15-06-2007 às 19:25.


    Filter

    Flags: X - disabled, I - invalid, D - dynamic
    0 ;;; 0:0 and limit for 5pac/s
    chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept

    1 ;;; 3:3 and limit for 5pac/s
    chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept

    2 ;;; 3:4 and limit for 5pac/s
    chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept

    3 ;;; 8:0 and limit for 5pac/s
    chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept

    4 ;;; 11:0 and limit for 5pac/s
    chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept

    5 ;;; accept localhost
    chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept

    6 ;;; allow http, webbox
    chain=services protocol=tcp dst-port=8081 action=accept

    7 ;;; Allow winbox
    chain=services protocol=tcp dst-port=8291 action=accept

    8 ;;; allow MACwinbox
    chain=services protocol=udp dst-port=20561 action=accept

    9 ;;; MT Discovery Protocol
    chain=services protocol=udp dst-port=5678 action=accept

    10 ;;; allow DNS request
    chain=services protocol=tcp dst-port=53 action=accept

    11 ;;; Allow DNS request
    chain=services protocol=udp dst-port=53 action=accept

    12 ;;; allow Web Proxy
    chain=services protocol=tcp dst-port=3126 action=accept

    13 ;;; allow ftp
    chain=services protocol=tcp dst-port=20-21 action=accept

    14 ;;; allow sftp, ssh
    chain=services protocol=tcp dst-port=22 action=accept

    15 ;;; allow telnet
    chain=services protocol=tcp dst-port=23 action=accept

    16 ;;; allow NTP
    chain=services protocol=tcp dst-port=123 action=accept

    17 ;;; allow SNMP
    chain=services protocol=tcp dst-port=161 action=accept

    18 chain=virus protocol=udp src-port=1900 action=drop

    19 chain=virus protocol=udp dst-port=1900 action=drop

    20 ;;; Drop Blaster Worm
    chain=virus protocol=tcp dst-port=135-139 action=drop

    21 ;;; Drop Messenger Worm
    chain=virus protocol=udp dst-port=135-139 action=drop

    22 ;;; Drop Blaster Worm
    chain=virus protocol=tcp dst-port=445 action=drop

    23 ;;; Drop Blaster Worm
    chain=virus protocol=udp dst-port=445 action=drop

    24 ;;; ________
    chain=virus protocol=tcp dst-port=593 action=drop

    25 ;;; ________
    chain=virus protocol=tcp dst-port=1024-1030 action=drop

    26 ;;; Drop MyDoom
    chain=virus protocol=tcp dst-port=1080 action=drop

    27 ;;; ________
    chain=virus protocol=tcp dst-port=1214 action=drop

    28 ;;; ndm requester
    chain=virus protocol=tcp dst-port=1363 action=drop

    29 ;;; ndm server
    chain=virus protocol=tcp dst-port=1364 action=drop

    30 ;;; screen cast
    chain=virus protocol=tcp dst-port=1368 action=drop

    31 ;;; hromgrafx
    chain=virus protocol=tcp dst-port=1373 action=drop

    32 ;;; cichlid
    chain=virus protocol=tcp dst-port=1377 action=drop

    33 ;;; Worm
    chain=virus protocol=tcp dst-port=1433-1434 action=drop

    34 ;;; Bagle Virus
    chain=virus protocol=tcp dst-port=2745 action=drop

    35 ;;; Drop Dumaru.Y
    chain=virus protocol=tcp dst-port=2283 action=drop

    36 ;;; Drop Beagle
    chain=virus protocol=tcp dst-port=2535 action=drop

    37 ;;; Drop Beagle.C-K
    chain=virus protocol=tcp dst-port=2745 action=drop

    38 ;;; Drop MyDoom
    chain=virus protocol=tcp dst-port=3127-3128 action=drop

    39 ;;; Drop Backdoor OptixPro
    chain=virus protocol=tcp dst-port=3410 action=drop

    40 ;;; Worm
    chain=virus protocol=tcp dst-port=4444 action=drop

    41 ;;; Worm
    chain=virus protocol=udp dst-port=4444 action=drop

    42 ;;; Drop Sasser
    chain=virus protocol=tcp dst-port=5554 action=drop

    43 ;;; Drop Beagle.B
    chain=virus protocol=tcp dst-port=8866 action=drop

    44 ;;; Drop Dabber.A-B
    chain=virus protocol=tcp dst-port=9898 action=drop

    45 ;;; Drop Dumaru.Y
    chain=virus protocol=tcp dst-port=10000 action=drop

    46 ;;; Drop MyDoom.B
    chain=virus protocol=tcp dst-port=10080 action=drop

    47 ;;; Drop NetBus
    chain=virus protocol=tcp dst-port=12345 action=drop

    48 ;;; Drop Kuang2
    chain=virus protocol=tcp dst-port=17300 action=drop

    49 ;;; Drop SubSeven
    chain=virus protocol=tcp dst-port=27374 action=drop

    50 ;;; Drop PhatBot, Gaobot
    chain=virus protocol=tcp dst-port=65506 action=drop

    51 ;;; drop invalid packets
    chain=output connection-state=invalid action=drop

    52 ;;; accept related packets
    chain=output connection-state=related action=accept

    53 ;;; accept established packets
    chain=output connection-state=established action=accept

    54 chain=input protocol=udp dst-port=1900 action=drop

    55 ;;; drop invalid packets
    chain=input connection-state=invalid action=drop

    56 ;;; accept related packets
    chain=input connection-state=related action=accept

    57 ;;; accept established packets
    chain=input connection-state=established action=accept

    58 ;;; Drop SSH, FTP, TELNET
    chain=input protocol=tcp dst-port=20-23 action=drop

    59 ;;; detect and drop port scan connections
    chain=input protocol=tcp psd=21,3s,3,1 action=drop

    60 ;;; jump to chain virus
    chain=input action=jump jump-target=virus

    61 ;;; jump to chain ICMP
    chain=input protocol=icmp action=jump jump-target=ICMP

    62 ;;; jump to chain services
    chain=input action=jump jump-target=services

    63 ;;; NetBIOS
    chain=forward protocol=tcp dst-port=135-139 action=drop

    64 chain=forward protocol=tcp dst-port=445 action=drop

    65 chain=forward protocol=udp dst-port=445 action=drop

    66 chain=forward protocol=udp dst-port=1900 action=drop

    67 chain=forward protocol=udp src-port=1900 action=drop

    68 ;;; tratamento de p2p
    chain=forward p2p=all-p2p action=jump jump-target=P2P

    69 ;;; drop invalid packets
    chain=forward connection-state=invalid action=drop

    70 ;;; accept related packets
    chain=forward connection-state=related action=accept

    71 X ;;; connlimit 20
    chain=forward protocol=tcp tcp-flags=syn connection-limit=30,32 action=jump jump-target=connlimit

    72 ;;; accept established packets
    chain=forward connection-state=established action=accept

    73 ;;; drop all that is not from unicast
    chain=forward src-address-type=!unicast action=drop

    74 ;;; jump to chain ICMP
    chain=forward protocol=icmp action=jump jump-target=ICMP

    75 ;;; jump to virus chain
    chain=forward action=jump jump-target=virus

    76 ;;; SSL
    chain=connlimit protocol=tcp dst-port=443 action=accept

    77 chain=connlimit protocol=tcp src-port=443 action=accept

    78 ;;; MSN
    chain=connlimit protocol=tcp dst-port=1863 action=accept

    79 chain=connlimit protocol=tcp src-port=1863 action=accept

    80 ;;; MSN
    chain=connlimit protocol=tcp dst-port=80 action=accept


    Continuando filter

    81 chain=connlimit protocol=tcp src-port=80 action=accept

    82 X ;;; connlimit 20
    chain=connlimit protocol=tcp tcp-flags=syn connection-limit=!30,24 action=drop

    83 ;;; allow ping
    chain=forward protocol=icmp action=accept

    84 ;;; allow udp
    chain=forward protocol=udp action=accept

    85 chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port scanners
    address-list-timeout=0s

    86 chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=accept

    87 chain=forward protocol=tcp action=jump jump-target=restrict-tcp

    88 chain=forward protocol=udp action=jump jump-target=restrict-udp

    89 chain=forward action=jump jump-target=restrict-ip

    90 chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp
    address-list-timeout=0s

    91 chain=smtp-first-drop src-address-list=approved-smtp action=return

    92 chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp address-list-timeout=0s

    93 chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable

    94 chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop

    95 chain=restrict-ip connection-mark=other action=jump jump-target=drop

    96 ;;; Allow local traffic (between router applications)
    chain=input src-address-type=local dst-address-type=local action=accept

    97 ;;; Sanity Check
    chain=input action=jump jump-target=sanity-check

    98 ;;; Dropping packets not destined to the router itself, including all broadcast traffic
    chain=input dst-address-type=!local action=jump jump-target=drop

    99 ;;; Allow pings, but at a very limited rate (5 per sec)
    chain=input connection-mark=ping limit=5,5 action=accept

    100 chain=input action=jump jump-target=drop

    101 ;;; SSH (22/TCP)
    chain=local-services connection-mark=ssh action=accept

    102 ;;; DNS
    chain=local-services connection-mark=dns action=accept

    103 ;;; HTTP Proxy (3126/TCP)
    chain=local-services connection-mark=proxy action=accept

    104 ;;; Winbox (8291/TCP)
    chain=local-services connection-mark=winbox action=accept

    105 ;;; Drop Other Local Services
    chain=local-services action=drop

    106 ;;; SSH (22/TCP)
    chain=public-services connection-mark=ssh action=accept

    107 ;;; Drop Other Public Services
    chain=public-services action=drop

    108 ;;; Sanity Check
    chain=forward action=jump jump-target=sanity-check

    109 ;;; Deny illegal NAT traversal
    chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop

    110 ;;; Block port scans
    chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr
    address-list-timeout=1d

    111 ;;; Block TCP Null scan
    chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list
    address-list=blocked-addr address-list-timeout=1d

    112 ;;; Block TCP Xmas scan
    chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list
    address-list=blocked-addr address-list-timeout=1d

    113 chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop

    114 ;;; Drop TCP RST
    chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop

    115 ;;; Drop TCP SYN+FIN
    chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop

    116 ;;; Dropping invalid connections at once
    chain=sanity-check connection-state=invalid action=jump jump-target=drop

    117 ;;; Accepting already established connections
    chain=sanity-check connection-state=established action=accept

    118 ;;; Also accepting related connections
    chain=sanity-check connection-state=related action=accept

    119 ;;; Drop all traffic that goes to multicast or broadcast addresses
    chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop

    120 chain=forward protocol=tcp action=jump jump-target=restrict-tcp

    121 chain=forward protocol=udp action=jump jump-target=restrict-udp

    122 chain=forward action=jump jump-target=restrict-ip

    123 chain=restrict-tcp connection-mark=auth action=reject reject-with=icmp-network-unreachable

    124 ;;; anti-spam policy
    chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop

    125 chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop

    126 chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=accept

    127 chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list
    address-list="" address-list-timeout=0s

    128 chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=accept

    129 chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list
    address-list="" address-list-timeout=0s

    130 chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=accept