/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="Port scanners to list " disabled=no
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP FIN Stealth scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/RST scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="FIN/PSH/URG scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="ALL/ALL scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP NULL scan"
/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
==========================
MikroTik RouterOS RAW 設定
RouterOS 從 6.36 版後多了一個 RAW 功能,上網收集資料了解了解,順便整理起來。
(上圖是依網友的流程圖模仿重畫的)
firewall Raw 列表允許選擇性在 connection tracking 之前繞過或者丟棄封包,這樣能大大的降低 CPU 負載。
該功能非常有助於防御 DOS 攻擊,RAW 列表不能匹配連接狀態的追蹤,例如 connection-state 和 L7 協議。
Raw Policy 出現在 Prerouting chin 和 output chin,並在 connection-tracking 前執行。
Raw 目的是對指定的 IP 訪問可以不經過連接追蹤(connection-tracking),有助於減少 CPU 負載 ,
但對於私有網路做 NAT 轉換,connection-tracking 是必須的,Raw 又如何在實際網路應用中發揮作用。
例如遭到 DDoS 攻擊,可以通過 Raw 規則關閉掉攻擊來源 IP 的連接追蹤,不建立本地連接會話,不予回應,降低 CPU 負載 。
在 Raw 中有兩個連表,分別是 prerouting 和 output:
prerouting 用於處理任何進入路由器的封包
output 用於處理封包來自於路由器,並通過其中一個接口離開,即由路由器自身發出的封包
例如:
遭到 11.22.33.44 的 IP 通過 syn 的 DDoS 攻擊,可以拒絕對該 IP 做連接追蹤,減少 CPU 負載 :
/ip firewall raw
add chain=prerouting src-address=11.22.33.44 action=notrack
另一種情況, 如較大的網路環境,涉及內網和外網請求,在訪問外網時需要做 nat 轉換,而內網則不需要,
因此流量和對話增加的情況下,避免 CPU 負載過高,可以透過 Raw 關閉掉訪問內網的連接追蹤。
例如,在一個大型網絡,內網IP地址段是192.168.0.0/16,關閉掉內網的連接跟蹤,配置如下:
/ip firewall raw
add chain=prerouting dst-address=192.168.0.0/16 action=notrack
配置後,在 connection-tracking 列表將不會看到內網訪問 192.168.0.0/16 的連接訊息
其他 RAW policy:
/ip firewall raw
add action=drop chain=prerouting comment="Port scanners" protocol=tcp psd=21,3s,3,1
add action=drop chain=prerouting comment="Drop oversized unfragmented packets" packet-size=
1492-65535 protocol=icmp
add action=drop chain=prerouting comment="SYN-FIN attack protection" protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting comment="SYN-RST attack protection" protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting comment="X-Mas attack protection" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=drop chain=prerouting comment="NMAP FIN attack protection" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=prerouting comment="NMAP Push attack protection" protocol=tcp tcp-flags=fin,syn,rst,ack,urg,!psh
add action=drop chain=prerouting comment="NMAP FIN/PSH/URG attack protection" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=drop chain=prerouting comment="NULLflags attack protection" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=prerouting comment="ALLflags attack protection" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=drop chain=prerouting comment="Drop udp DNS queries from WAN" dst-port=53 in-interface="WAN" protocol=udp
add action=drop chain=prerouting comment="Drop tcp DNS queries from WAN" dst-port=53 in-interface="WAN" protocol=tcp
資料來源:
http://www.rosjb.com/803.html
https://quchao.com/entry/basic-rules-of-raw-table-in-the-routeros-firewall/
===============
ddos 拒絕 設定
/ip firewall filter add action=drop chain=input comment="drop sniffer" in-interface=ether1 src-address-list=sniffer
/ip firewall filter add action=add-src-to-address-list address-list=sniffer address-list-timeout=30d chain=input comment="mark sniffer" dst-port=22,23,876,3306,3389,137,139,445,5001,6379,27017 in-interface=ether1 log=yes log-prefix=sniffer protocol=tcp
/ip firewall filter add action=add-src-to-address-list address-list=sniffer address-list-timeout=30d chain=input comment="mark sniffer" dst-port=22,23,876,3306,3389,137,139,445,5001,6379,27017 in-interface=ether1 log=yes log-prefix=sniffer protocol=udp
/ip firewall filter add action=add-src-to-address-list address-list=sniffer address-list-timeout=30d chain=input comment="mark sniffer" dst-port=2323,5555,80,81,37215,8000,8080,8081,8291,8443,53 in-interface=ether1 log=yes log-prefix=sniffer protocol=tcp
/ip firewall filter add action=add-src-to-address-list address-list=sniffer address-list-timeout=30d chain=input comment="mark sniffer" dst-port=2323,5555,80,81,37215,8000,8080,8081,8291,8443 in-interface=ether1 log=yes log-prefix=sniffer protocol=udp
/ip firewall filter add action=drop chain=input comment="drop sniffer" in-interface=ether1 src-address-list=sniffer
======================