-
Ip Firewall Filter
Amigos... ai vai a Filter Rules
0 ;;; Drop Netbios e Similar
chain=input protocol=udp src-port=135 action=drop
1 chain=input protocol=tcp src-port=135 action=drop
2 chain=input protocol=udp src-port=137 action=drop
3 chain=input protocol=tcp src-port=137 action=drop
4 chain=input protocol=udp src-port=138 action=drop
5 chain=input protocol=tcp src-port=138 action=drop
6 chain=input protocol=udp src-port=139 action=drop
7 chain=input protocol=tcp src-port=139 action=drop
8 chain=input protocol=tcp src-port=445 action=drop
9 chain=input protocol=udp src-port=445 action=drop
10 ;;; Bloqueio de acesso externo ao proxy
chain=input in-interface=ether1 protocol=tcp dst-port=3126 action=drop
11 ;;; drop invalid packets
chain=input connection-state=invalid action=drop
12 ;;; accept related packets
chain=input connection-state=related action=accept
13 ;;; accept established packets
chain=input connection-state=established action=accept
14 chain=input src-address=200.101.81.0/24 action=accept
15 chain=input src-address=201.34.35.0/24 action=accept
16 ;;; Bloqueio da Porta 22-23
chain=input src-address-list=drop_port_22_23 action=drop
17 ;;; detect and drop port scan connections
chain=input protocol=tcp psd=21,3s,3,1 action=drop
18 ;;; drop bogon IP's
chain=input in-interface=ether1 src-address-list=not_in_internet
action=drop
19 ;;; jump to chain ICMP
chain=input protocol=icmp action=jump jump-target=ICMP
20 ;;; jump to chain services
chain=input action=jump jump-target=services
21 ;;; drop everything else
chain=input action=drop
22 ;;; 0:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
23 ;;; 3:3 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept
24 ;;; 3:4 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept
25 ;;; 8:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
26 ;;; 11:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
27 ;;; Drop everything else
chain=ICMP protocol=icmp action=drop
28 ;;; accept localhost
chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept
29 ;;; allow ftp
chain=services protocol=tcp dst-port=20-21 action=accept
30 ;;; allow sftp, ssh
chain=services protocol=tcp dst-port=22 action=accept
31 ;;; allow telnet
chain=services protocol=tcp dst-port=23 action=accept
32 ;;; allow http, webbox
chain=services protocol=tcp dst-port=8081 action=accept
33 ;;; Allow winbox
chain=services protocol=tcp dst-port=8291 action=accept
34 ;;; allow MACwinbox
chain=services protocol=udp dst-port=20561 action=accept
35 ;;; Bandwidth server
chain=services protocol=tcp dst-port=2000 action=accept
36 ;;; MT Discovery Protocol
chain=services protocol=udp dst-port=5678 action=accept
37 ;;; allow DNS request
chain=services protocol=tcp dst-port=53 action=accept
38 ;;; Allow DNS request
chain=services protocol=udp dst-port=53 action=accept
39 ;;; allow L2TP
chain=services protocol=udp dst-port=1701 action=accept
40 ;;; allow PPTP
chain=services protocol=tcp dst-port=1723 action=accept
41 ;;; allow PPTP and EoIP
chain=services protocol=gre action=accept
42 ;;; allow IPIP
chain=services protocol=ipencap action=accept
43 ;;; UPnP
chain=services protocol=udp dst-port=1900 action=accept
44 ;;; UPnP
chain=services protocol=tcp dst-port=2828 action=accept
45 ;;; allow DHCP
chain=services protocol=udp dst-port=67-68 action=accept
46 ;;; allow Web Proxy
chain=services protocol=tcp dst-port=3126 action=accept
47 ;;; allow NTP
chain=services protocol=tcp dst-port=123 action=accept
48 ;;; allow SNMP
chain=services protocol=tcp dst-port=161 action=accept
49 ;;; allow https for Hotspot
chain=services protocol=tcp dst-port=443 action=accept
50 ;;; allow Socks for Hotspot
chain=services protocol=tcp dst-port=1080 action=accept
51 ;;; allow IPSec connections
chain=services protocol=udp dst-port=500 action=accept
52 ;;; allow IPSec
chain=services protocol=ipsec-esp action=accept
53 ;;; allow IPSec
chain=services protocol=ipsec-ah action=accept
54 ;;; Allow BGP
chain=services protocol=tcp dst-port=179 action=accept
55 ;;; allow RIP
chain=services protocol=udp dst-port=520-521 action=accept
56 ;;; allow OSPF
chain=services protocol=ospf action=accept
57 ;;; allow BGP
chain=services protocol=udp dst-port=5000-5100 action=accept
58 ;;; allow Telephony
chain=services protocol=tcp dst-port=1720 action=accept
59 ;;; allow Telephony
chain=services protocol=udp dst-port=1719 action=accept
60 ;;; allow VRRP
chain=services protocol=vrrp action=accept
61 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=135-139 action=drop
62 ;;; Drop Messenger Worm
chain=virus protocol=udp dst-port=135-139 action=drop
63 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=445 action=drop
64 ;;; Drop Blaster Worm
chain=virus protocol=udp dst-port=445 action=drop
65 ;;; ________
chain=virus protocol=tcp dst-port=593 action=drop
66 ;;; ________
chain=virus protocol=tcp dst-port=1024-1030 action=drop
67 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=1080 action=drop
68 ;;; ________
chain=virus protocol=tcp dst-port=1214 action=drop
69 ;;; ndm requester
chain=virus protocol=tcp dst-port=1363 action=drop
70 ;;; ndm server
chain=virus protocol=tcp dst-port=1364 action=drop
71 ;;; screen cast
chain=virus protocol=tcp dst-port=1368 action=drop
72 ;;; hromgrafx
chain=virus protocol=tcp dst-port=1373 action=drop
73 ;;; cichlid
chain=virus protocol=tcp dst-port=1377 action=drop
74 ;;; Worm
chain=virus protocol=tcp dst-port=1433-1434 action=drop
75 ;;; Bagle Virus
chain=virus protocol=tcp dst-port=2745 action=drop
76 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=2283 action=drop
77 ;;; Drop Beagle
chain=virus protocol=tcp dst-port=2535 action=drop
78 ;;; Drop Beagle.C-K
chain=virus protocol=tcp dst-port=2745 action=drop
79 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=3127-3128 action=drop
80 ;;; Drop Backdoor OptixPro
chain=virus protocol=tcp dst-port=3410 action=drop
81 ;;; Worm
chain=virus protocol=tcp dst-port=4444 action=drop
82 ;;; Worm
chain=virus protocol=udp dst-port=4444 action=drop
83 ;;; Drop Sasser
chain=virus protocol=tcp dst-port=5554 action=drop
84 ;;; Drop Beagle.B
chain=virus protocol=tcp dst-port=8866 action=drop
85 ;;; Drop Dabber.A-B
chain=virus protocol=tcp dst-port=9898 action=drop
86 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=10000 action=drop
87 ;;; Drop MyDoom.B
chain=virus protocol=tcp dst-port=10080 action=drop
88 ;;; Drop NetBus
chain=virus protocol=tcp dst-port=12345 action=drop
89 ;;; Drop Kuang2
chain=virus protocol=tcp dst-port=17300 action=drop
90 ;;; Drop SubSeven
chain=virus protocol=tcp dst-port=27374 action=drop
91 ;;; Drop PhatBot, Gaobot
chain=virus protocol=tcp dst-port=65506 action=drop
92 ;;; Drop Netbios e Similar
chain=forward protocol=udp dst-port=135 action=drop
93 chain=forward protocol=tcp dst-port=135 action=drop
94 chain=forward protocol=udp dst-port=137 action=drop
95 chain=forward protocol=tcp dst-port=137 action=drop
96 chain=forward protocol=udp dst-port=138 action=drop
97 chain=forward protocol=tcp dst-port=138 action=drop
98 chain=forward protocol=udp dst-port=139 action=drop
99 chain=forward protocol=tcp dst-port=139 action=drop
100 chain=forward protocol=tcp dst-port=445 action=drop
101 chain=forward protocol=udp dst-port=445 action=drop
102 ;;; tratamento de p2p
chain=forward p2p=all-p2p action=jump jump-target=P2P
103 ;;; drop invalid packets
chain=forward connection-state=invalid action=drop
104 ;;; accept related packets
chain=forward connection-state=related action=accept
105 ;;; accept established packets
chain=forward connection-state=established action=accept
106 ;;; drop all that is not from unicast
chain=forward src-address-type=!unicast action=drop
107 ;;; jump to chain ICMP
chain=forward protocol=icmp action=jump jump-target=ICMP
108 ;;; jump to virus chain
chain=forward action=jump jump-target=virus
109 ;;; drop invalid packets
chain=output connection-state=invalid action=drop
110 ;;; accept related packets
chain=output connection-state=related action=accept
111 ;;; accept established packets
chain=output connection-state=established action=accept
112 ;;; conection limit 60
chain=forward protocol=tcp tcp-flags=syn connection-limit=60,32
action=drop
113 ;;; Libera P2P para cliente TESTE
chain=P2P src-address=10.10.1.2 protocol=tcp p2p=all-p2p action=accept
114 chain=P2P dst-address=10.10.1.2 protocol=tcp p2p=all-p2p action=accept
115 chain=P2P p2p=all-p2p action=drop
-
Nat
O NAT
chain=srcnat src-address=10.10.0.0/16 action=masquerade
chain=srcnat src-address=20.20.0.0/16 action=masquerade
chain=srcnat src-address=30.30.0.0/16 action=masquerade
chain=srcnat src-address=40.40.0.0/16 action=masquerade
chain=dstnat src-address=10.10.0.0/16 protocol=tcp dst-port=80
action=redirect to-ports=3126
chain=dstnat src-address=20.20.0.0/16 protocol=tcp dst-port=80
action=redirect to-ports=3126
chain=dstnat src-address=30.30.0.0/16 protocol=tcp dst-port=80
action=redirect to-ports=3126
chain=dstnat src-address=40.40.0.0/16 protocol=tcp dst-port=80
action=redirect to-ports=3126
-
Mangle
0 ;;; Ajuste de Bloqueio SSH e Telnet
chain=prerouting protocol=tcp dst-port=22-23
action=add-src-to-address-list address-list=drop_port_22_23
address-list-timeout=0s
1 ;;; MSN
chain=prerouting protocol=tcp src-port=1863 action=mark-packet
new-packet-mark=msn-out passthrough=yes
2 chain=prerouting protocol=tcp dst-port=1863 action=mark-packet
new-packet-mark=msn-in passthrough=yes
3 ;;; HTTP
chain=prerouting protocol=tcp dst-port=80 action=mark-connection
new-connection-mark=http_conn passthrough=yes
4 chain=prerouting connection-mark=http_conn action=mark-packet
new-packet-mark=http_down passthrough=yes
-
Address List
# LIST ADDRESS
0 not_in_internet 0.0.0.0/8
1 not_in_internet 169.254.0.0/16
2 not_in_internet 127.0.0.0/8
3 not_in_internet 224.0.0.0/3
4 drop_port_22_23 0.0.0.0
5 port scaners 0.0.0.0
Obrigado
