----------------------------------------------------------------------------------------
--------------------------- ( RouterOS.Basic-Config ) --------------------- [ INI ]
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
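# OS: RouterOS (MikroTik), generic config for a board with 8 ether ports (etherX).
# Interface plan: WAN (1..5) LAN (6..19) IPPu.Client (20..89) SOS/RES (90..99).
# ARP storm (interface loop) protection: handled by loop-protect in the interface block below.
# NOTE(review): the `/interface ethernet set 0 ...` and `/ip address add ... interface=WAN1`
# statements that used to sit here were byte-for-byte copies of the canonical ones in the
# "Interfaces.Config" / "Address.Config" sections below. Applying the same address twice on
# the same interface is rejected by RouterOS ("already have such address"), so only the
# canonical copies are kept; nothing else changed.
# Note: loop-protect detects layer-2 packet loops (the RB sees its own MAC as src-MAC = dst-MAC).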
# Interfaces.Config (+anti-LOOPs): --------------------------------------------
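# Interface config (+ loop protection): 8-port layout (0-2 WAN, 3-5 LAN, 6 SOS, 7 RES).
# loop-protect sends a probe every 5 s and shuts the port for 1 min when the probe comes
# back on the same port (layer-2 loop / ARP storm). Fix: `loop-protect-disable-time=1m` and
# `comment=` were glued together ("1mcomment=") and the quotes were typographic (” instead
# of "); both are rejected by the RouterOS parser. Keep loop-protect on the WAN ports too:
# a loop on the telco side would otherwise saturate the CPU with broadcast replication.
/interface ethernet set 0 name="WAN1" loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=1m comment="WAN1.[ TELCO ]";
/interface ethernet set 1 name="WAN2" loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=1m comment="WAN2.[ … ]";
/interface ethernet set 2 name="WAN3" loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=1m comment="WAN3.[ … ]";
/interface ethernet set 3 name="LAN1" loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=1m comment="LAN1.[ WR.1-1 ]";
/interface ethernet set 4 name="LAN2" loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=1m comment="LAN2.[ WR.2-2 ]";
/interface ethernet set 5 name="LAN3" loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=1m comment="LAN3.[ … ]";
/interface ethernet set 6 name="SOS1" loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=1m comment="SOS1.[ … ]";
/interface ethernet set 7 name="RES1" loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=1m comment="RES1.[ … ]";
# …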
# Nota: descubre loops de paquetes en capa 2 → (RB.MAC = src-MAC = dst-MAC).
# Address.Config: ------------------------------------------------------------------------
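# Address config. All entries are created disabled and must be enabled per device.
# Fixes: the parameter is `disabled=yes` (`disable=yes` is rejected) and quotes must be ASCII.
# The `1...1/24` values are redacted placeholders: the two entries per LAN interface must
# become two DIFFERENT subnets before enabling, otherwise the second `add` fails as a duplicate.
# Tag convention in comment strings: NN R(outer)/C(lient) + '>' primary / '<' alternative / '+' on / 'x' off.
/ip address add address=X.Y.Z.W/24 interface=WAN1 comment="01R>: WAN1.[ TELCO.1.2.3.4 ]" disabled=yes;
/ip address add address=1...21/32 interface=WAN2 comment="02Rx: WAN2.[ … ]" disabled=yes;
/ip address add address=1...21/32 interface=WAN3 comment="03Rx: WAN3.[ … ]" disabled=yes;
/ip address add address=1...1/24 interface=LAN1 comment="06R+: LAN1.[ Gateway+DNS1. ]" disabled=yes;
/ip address add address=1...1/24 interface=LAN1 comment="07Rx: LAN1.[ Gateway+DNS1. ]" disabled=yes;
/ip address add address=1...1/24 interface=LAN2 comment="08R+: LAN2.[ Gateway+DNS1. ]" disabled=yes;
/ip address add address=1...1/24 interface=LAN2 comment="09R+: LAN2.[ Gateway+DNS1. ]" disabled=yes;
/ip address add address=1...1/24 interface=LAN3 comment="10Rx: LAN3.[ Gateway+DNS1. ]" disabled=yes;
/ip address add address=1...1/24 interface=LAN3 comment="11Rx: LAN3.[ Gateway+DNS1. ]" disabled=yes;
/ip address add address=1...2/32 interface=SOS1 comment="90R+: EMERGENCY1.[ … ]" disabled=yes;
/ip address add address=1.../32 interface=RES1 comment="91R+: RESERVADO1.[ … ]" disabled=yes;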
# …
# Agrupar Interfaces (WANs): ----------------------------------------------------------
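# Interface groups (WANs / LANs). The lists themselves must exist before members can be
# added (the default RouterOS config only ships "WAN"/"LAN", not "WANs"/"LANs"); created
# here guarded so re-running the script does not fail on "already have".
:if ([:len [/interface list find name="WANs"]] = 0) do={ /interface list add name="WANs" comment="R+: Interfaces hacia Internet"; }
:if ([:len [/interface list find name="LANs"]] = 0) do={ /interface list add name="LANs" comment="R+: Interfaces hacia clientes"; }
# SECURITY: every firewall rule in this config that says `in-interface-list=WANs` /
# `in-interface-list=LANs` (DNS-flood drops, BCP38, ICMP policy, NAT redirect) matches
# NOTHING while these members stay disabled - the WAN-facing protections are silently inert.
# Enable the members for the ports actually in use before enabling the firewall rules.
/interface list member add interface=WAN1 list=WANs comment="01R+: WANs.Add (WAN1)" disabled=yes;
/interface list member add interface=WAN2 list=WANs comment="02Rx: WANs.Add (WAN2)" disabled=yes;
/interface list member add interface=WAN3 list=WANs comment="03Rx: WANs.Add (WAN3)" disabled=yes;
# …
# Interface groups (LANs):
/interface list member add interface=LAN1 list=LANs comment="06R+: LANs.Add (LAN1)" disabled=yes;
/interface list member add interface=LAN2 list=LANs comment="07R+: LANs.Add (LAN2)" disabled=yes;
/interface list member add interface=LAN3 list=LANs comment="08Rx: LANs.Add (LAN3)" disabled=yes;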
# …
# Nota: comenzar las LANs con el puerto (físico:4, lógico:3) x (WAN.Balanceo). En caso de usar Wireless (WLAN1, usar: interface=bridge1).
# Establecer Queue.Interface: ------------------------------------- (FUNDAMENTAL)
# Per-interface queue: put every used port on the default ethernet queue (PFIFO, 50 packets).
# Same eight assignments as before, expressed as a loop; extend the name list when more
# ports are brought into service (tune the queue type if throughput needs it).
:foreach ifname in={"WAN1";"WAN2";"WAN3";"LAN1";"LAN2";"LAN3";"SOS1";"RES1"} do={
    /queue interface set [find interface=$ifname] queue=ethernet-default;
}
# …
# Nota: continuar hasta cubrir todas las interfaces usadas (cambiar el tipo de cola según eficiencia).
# DNS.Config: ----------------------------------------------------------------------------
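# DNS config (the duplicated servers/allow-remote-requests lines were collapsed into one copy).
/ip dns set servers=1.1.1.1,1.0.0.1,209.244.0.3,209.244.0.4;
# Remote requests are enabled so LAN clients can use the router's cache (the dstnat rules
# further down redirect LAN port-53 traffic to it). SECURITY: this flag is interface-agnostic,
# so the router is also an open resolver - and a DNS amplification reflector - on the WAN
# side unless the raw/filter rules dropping dst-port 53 from WANs are enabled and the
# WANs interface list is populated. Verify with a query from outside before going live.
/ip dns set allow-remote-requests=yes;
/ip dns set max-udp-packet-size=4096;
/ip dns set cache-size=51200; # KiB (~50 MB); the DNS cache is not persistent across reboots
/ip dns set cache-max-ttl=1d; # cap cached TTL at 1 day so a poisoned/long-TTL record cannot stick around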
# Routes.Config: -------------------------------------------------------------------------
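# Default route via WAN1; `check-gateway=ping` probes the gateway every 10 s and marks the
# route inactive after consecutive failures (this is what drives WAN failover).
# Fix: `disabled=yes` is the real parameter name; `disable=yes` is rejected.
/ip route add gateway=1.2.3.1 check-gateway=ping comment="01R>: Ruta.WAN1, hacia XXX.GateWay-Border.....1" disabled=yes;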
# Nota: flags de ruta (AS: Active + Static), (DC: Dynamic + Connected), (X: Deshabilitada), (ping: chequea c/10s – check-gateway=ping –).
# Enmascaramiento.Config: -------------------------------------------------------------
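# Masquerade (srcnat) towards the WANs. 100R> covers every WAN via the interface list; 101-103
# ('<' = alternative) are the per-interface equivalents and are only needed if 100 is off.
# SECURITY: these rules have no src-address restriction, so anything the router forwards out
# a WAN gets NATed - including spoofed LAN sources. Anti-spoofing relies on the raw BCP38
# rules (007/008) being enabled, not on NAT. Fix: `disabled=yes`, ASCII quotes.
/ip firewall nat add chain=srcnat out-interface-list=WANs comment="100R>: NAT.C-IPPri (WANs)" action=masquerade disabled=yes;
/ip firewall nat add chain=srcnat out-interface=WAN1 comment="101R<: NAT.C-IPPri (WAN1)" action=masquerade disabled=yes;
/ip firewall nat add chain=srcnat out-interface=WAN2 comment="102R<: NAT.C-IPPri (WAN2)" action=masquerade disabled=yes;
/ip firewall nat add chain=srcnat out-interface=WAN3 comment="103R<: NAT.C-IPPri (WAN3)" action=masquerade disabled=yes;
# Note: establishes and restricts LAN -> Internet access through the WANs.
# Transparent DNS (RB cache): redirect any port-53 request arriving from the LANs to the
# router's own resolver, so clients may configure any DNS server and still hit the cache.
# Only LAN ingress is redirected; the WAN side still depends on the port-53 drops elsewhere.
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LANs comment="110R+: NAT.DNS-Trafic a DNSCache.UDP" action=redirect to-ports=53 disabled=yes;
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 in-interface-list=LANs comment="111R+: NAT.DNS-Trafic a DNSCache.TCP" action=redirect to-ports=53 disabled=yes;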
# Nota: redirecciona (peticiones de DNS) y permite, establecer any-IP en Client.TarjetRed.
# SNTP-Client.Config: --------------------------------------------------------------------
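# SNTP client. Fix: the parameter is `enabled=yes` (`enable=yes` is rejected). Accurate time
# matters for the log timestamps e-mailed below and for any TLS/certificate validation.
# NOTE(review): this is the RouterOS v6 form; v7 replaced primary-/secondary-ntp with `servers=`.
/system ntp client set primary-ntp=170.155.148.1 secondary-ntp=201.217.3.85 enabled=yes;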
# Email.Config: ---------------------------------------------------------------------------
# Outgoing e-mail (used by the EmailCriticalAlert logging action): Gmail SMTP submission
# port 587 with STARTTLS so the session between the RB and Gmail is encrypted.
# SECURITY notes (no behaviour change):
#  - `password=` is stored in the router config in clear; use a Gmail App Password (the
#    "2nd-factor key" the original note refers to), never the account password, and remember
#    that `/export` without hide-sensitive prints it - anyone with read access can recover it.
#  - `address=` is a hard-coded Google IP; Google rotates these, so alerts can stop silently.
#    Point it at smtp.gmail.com if the resolver is available, or monitor for delivery failures.
/tool e-mail set address=64.233.186.108 port=587;
/tool e-mail set from=xxx@gmail.com user=xxx; # smtp.gmail.com
/tool e-mail set password=Gmail.Key; # App Password / second-factor key
/tool e-mail set start-tls=yes;
# -------------------------------------------------------------------------------------------
# Configuración básica de seguridad del RB:
# Usuarios.Config: -----------------------------------------------------------------------
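/system identity set name="xxx.ISP [ .... ]"; # change per RB
# Rename the built-in admin account and set a generated password. `set 0` assumes the
# factory admin is still item 0 (true on a fresh device). Consider restricting every
# account with `address=<admin-net>/<mask>` so logins are only accepted from admin sources.
# Fix: ASCII quotes (the typographic ” broke the parser) and `disabled=yes`.
/user set 0 name="user(x)" password="key.generator(x)" group=full comment="xxx.RB01 "; # keep the trailing space, change per RB
# --------------------------------------------------
# Secondary accounts, least privilege (write / read), kept disabled until needed.
# The literal passwords below are placeholders - generate real ones before enabling.
/user add name="user(y)" password="zzzzzzza" group=write comment="xxx.RB01 " disabled=yes; # keep the trailing space, change per RB
/user add name="user(z)" password="zzzzzzzb" group=read comment="xxx.RB01 " disabled=yes; # keep the trailing space, change per RB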
# Nota: modificar permisos (read a full), según corresponda.
# Servicios-RBAccess.Config: ------------------------------------------------------------
# Management services: same end state as before (telnet/ftp/www/www-ssl/api-ssl/ssh off,
# winbox + api on, custom ports), written as explicit per-service sets.
# SECURITY: `api` is plain-text (credentials and commands unencrypted); a non-standard port
# is obscurity, not access control. Until the filter/input chain is in place, restrict each
# enabled service with `address=<admin-net>` (the original notes already suggest this).
/ip service set telnet disabled=yes;
/ip service set ftp disabled=yes;
/ip service set www disabled=yes;
/ip service set ssh disabled=yes;
/ip service set api-ssl disabled=yes port=3333; # enable only once the certificate (SSL) issue is solved
/ip service set www-ssl disabled=yes port=3334; # enable only once the certificate (SSL) issue is solved
/ip service set winbox disabled=no port=3335; # or lock it down: address=.....
/ip service set api disabled=no port=3336; # or lock it down: address=..... (only for WiFi.BackUp)
# Winbox-RBDiscovery.Config: ----------------------------------------------------------
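# MAC-level management / discovery.
# SECURITY fix: MAC-Winbox was allowed on `all` interfaces, i.e. also on the WAN ports,
# where anyone on the telco's layer-2 segment could reach Winbox without an IP path or
# any address-list filtering. Restricted to the LANs list (the original value was `all`,
# with the note "currently I allow MAC access"); set it to `none` once IP-only access
# via the admin lists is confirmed to work. Note: if the LANs members are still disabled
# this leaves MAC-Winbox reachable nowhere - IP Winbox on port 3335 remains available.
/tool mac-server mac-winbox set allowed-interface-list=LANs;
/tool mac-server set allowed-interface-list=none; # MAC-Telnet off everywhere
/tool mac-server ping set enabled=no; # do not answer MAC ping
/ip neighbor discovery-settings set discover-interface-list=none; # no MNDP/CDP/LLDP announcements (hides the MAC/identity)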
# Email.Critical Alert: --------------------------------------------------------------------
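# E-mail critical alerts. Fix: the action was added twice with the same name (the second
# `add` fails with a duplicate-name error); one definition is enough.
/system logging action add name=EmailCriticalAlert target=email email-to=xxx@gmail.com;
# Topics in one rule are AND-ed: an entry must carry every listed topic. Failed logins are
# logged as system,error,critical, so this rule fires on each failed access attempt.
# The prefix is evaluated once, at add time, from the current identity.
/system logging add topics=critical,system,error prefix=([/system identity get name] . ".LoginFailed") action=EmailCriticalAlert;
# interface,warning is what loop-protect emits when it disables a looped port.
/system logging add topics=interface,warning prefix=([/system identity get name] . ".EthernetLoop") action=EmailCriticalAlert;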
# Creo listas static de IPs, según necesidad: ----------------------------------------
# ---------------------------------- [Admin.IPs]
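# ---------------------------------- [Admin.IPs]
# Sources allowed to manage the RB. `1...120` is a redacted placeholder repeated on several
# entries; each must become a distinct address (identical entries are rejected as duplicates).
# Fix: `disabled=yes`, ASCII quotes.
/ip firewall address-list add address=X.Y.Z.W list=A-ADMIN.List comment="R+: AdminCtrl.AX (Public)" disabled=yes;
/ip firewall address-list add address=X.Y.Z.W1 list=A-ADMIN.List comment="R+: AdminCtrl.Router (WiFi)" disabled=yes;
/ip firewall address-list add address=1...120 list=A-ADMIN.List comment="R+: AdminCtrl.AX (Private)" disabled=yes;
/ip firewall address-list add address=1...120 list=A-ADMIN.List comment="R+: AdminCtrl.AX (Private)" disabled=yes;
/ip firewall address-list add address=1...120 list=A-ADMIN.List comment="Rx: AdminCtrl.AX (Private)" disabled=yes;
/ip firewall address-list add address=1...120 list=A-ADMIN.List comment="R+: Emergencia.Acceso (Private)" disabled=yes;
/ip firewall address-list add address=1...120 list=A-ADMIN.List comment="R+: Emergencia.Acceso (Private)" disabled=yes;
# Note: if the admin router's IP lies inside the RB LAN range it must be added here explicitly.
# A-LAN.List is the BCP38 reference used by the raw rules (`src-address-list=!A-LAN.List`
# from LANs -> drop). SECURITY/OPERATIONS: while every entry below is disabled the list is
# empty, so enabling those raw rules would drop ALL LAN traffic; populate and enable the
# LAN subnets here before enabling the anti-spoofing rules.
/ip firewall address-list add address=1...0/24 list=A-LAN.List comment="C+: IPs.LAN1 permitidas" disabled=yes;
/ip firewall address-list add address=1...0/24 list=A-LAN.List comment="C+: IPs.LAN2 permitidas" disabled=yes;
/ip firewall address-list add address=1...0/24 list=A-LAN.List comment="C+: IPs.LAN2 permitidas" disabled=yes;
/ip firewall address-list add address=1...0/24 list=A-LAN.List comment="Cx: IPs.LAN3 permitidas" disabled=yes;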
# Nota: LANs, habilitadas en el RB.
# --------------------------------------- [ISPServers.IPs]
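# --------------------------------------- [ISPServers.IPs]
# Upstream servers the RB itself talks to (BGP peer, public resolvers). Fix: `disabled=yes`.
/ip firewall address-list add address=X.Y.Z.W/32 list=A-ISPSERVER.List comment="Rx: BGP/24.Server permitido" disabled=yes;
/ip firewall address-list add address=1.1.1.1/32 list=A-ISPSERVER.List comment="Rx: DNS.Server permitido" disabled=yes;
/ip firewall address-list add address=1.0.0.1/32 list=A-ISPSERVER.List comment="Rx: DNS.Server permitido" disabled=yes;
/ip firewall address-list add address=209.244.0.3/32 list=A-ISPSERVER.List comment="Rx: DNS.Server permitido" disabled=yes;
/ip firewall address-list add address=209.244.0.4/32 list=A-ISPSERVER.List comment="Rx: DNS.Server permitido" disabled=yes;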
# …
# ----------------------------------------- [RBNAT.IPs (especiales)]
# /ip firewall address-list add address=1...11/32 list=A-LAN.List comment=”Rx: IP.AdminSpecialPort (ID: Zarate.Omni5G)” disable=yes;
# /ip firewall address-list add address=1...12/32 list=A-LAN.List comment=”Rx: IP.AdminSpecialPort (ID: Zarate.ClientX)” disable=yes;
# Nota: especificas IPs (no A-LAN.List), habilitadas x Nateo de Ports en el RB.
# ---------------------------------------- [ICMPWANSRC.Permitidos]
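# ---------------------------------------- [ICMPWANSRC.Permitidos]
# WAN sources whose ICMP the RB answers (rate-limited by raw rule 012). The ICMP
# byte-knocking rules (011) add temporary entries to this same list. Fix: `disabled=yes`.
/ip firewall address-list add address=X.Y.Z.W1 list=A-ICMPWANSRC.List comment="R+: ICMPWANSRC.Permitido (ID: Publ.Admin)" disabled=yes;
/ip firewall address-list add address=1.1.1.1 list=A-ICMPWANSRC.List comment="R+: ICMPWANSRC.Permitido (ID: Publ.DNS)" disabled=yes;
/ip firewall address-list add address=1.0.0.1 list=A-ICMPWANSRC.List comment="R+: ICMPWANSRC.Permitido (ID: Publ.DNS)" disabled=yes;
/ip firewall address-list add address=209.244.0.3/32 list=A-ICMPWANSRC.List comment="R+: ICMPWANSRC.Permitido (ID: Publ.DNS)" disabled=yes;
/ip firewall address-list add address=209.244.0.4/32 list=A-ICMPWANSRC.List comment="R+: ICMPWANSRC.Permitido (ID: Publ.DNS)" disabled=yes;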
# …
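# Note: uncomment (#) the DNS entries above if the RB should answer pings from the resolvers.
# (Fix: this note lacked the leading `#`, so the script would try to execute "Nota:" and abort.)
# ----------------------------------- [ICMPWANDST.Permitidos] (ClientWAN.IPs)
# Public client addresses that may receive (rate-limited) ICMP from the WAN side - see raw rules 009/010.
/ip firewall address-list add address=X.Y.Z.W10-X.Y.Z.W42 list=A-ICMPWANDST.List comment="R+: ICMPWANDST.Permitido (ID: Familia )" disabled=yes;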
# …
# ---------------------------------------- [ICMPSRCLAN.Permitidos]
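# ---------------------------------------- [ICMPSRCLAN.Permitidos]
# LAN sources allowed to ping the RB (raw rule 015); everything else from the LANs is
# recorded and dropped (016/017). Placeholders must be distinct addresses. Fix: `disabled=yes`.
/ip firewall address-list add address=1...120 list=A-ICMPLANSRC.List comment="R+: ICMPLANSRC.Permitido (ID: Priv.Admin)" disabled=yes;
/ip firewall address-list add address=1...121 list=A-ICMPLANSRC.List comment="R+: ICMPLANSRC.Permitido (ID: Priv.Admin)" disabled=yes;
/ip firewall address-list add address=1...123 list=A-ICMPLANSRC.List comment="R+: ICMPLANSRC.Permitido (ID: ______,________________ )" disabled=yes;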
# …
# Nota: Se usará solo x ataque. Add IP.LANs, según requerimiento del Client.
# ---------------------------------------- [ICMPLANDST.Permitidos]
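# ---------------------------------------- [ICMPLANDST.Permitidos]
# Destinations LAN clients may ping through the RB. Fix: `disabled=yes`, ASCII quotes.
/ip firewall address-list add address=X.Y.Z.0/24 list=A-ICMPLANDST.List comment="R+: ICMPLANDST.Permitido (ID: Pool/24.VCI)" disabled=yes;
/ip firewall address-list add address=1.1.1.1 list=A-ICMPLANDST.List comment="Rx: ICMPLANDST.Permitido (ID: Publ.DNS)" disabled=yes;
/ip firewall address-list add address=1.0.0.1 list=A-ICMPLANDST.List comment="Rx: ICMPLANDST.Permitido (ID: Publ.DNS)" disabled=yes;
/ip firewall address-list add address=209.244.0.3/32 list=A-ICMPLANDST.List comment="Rx: ICMPLANDST.Permitido (ID: Publ.DNS)" disabled=yes;
/ip firewall address-list add address=209.244.0.4/32 list=A-ICMPLANDST.List comment="Rx: ICMPLANDST.Permitido (ID: Publ.DNS)" disabled=yes;
# …
# Note: enable the DNS entries above if clients need to ping the resolvers.
# (Fix: this note lacked the leading `#` and would have been executed as a command.)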
# ----------------------------- [BOGON IPs]
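# ----------------------------- [BOGON IPs]
# Special-purpose ranges that must never appear as a source on the WAN side.
# Fixes: `disabled=yes`; the 192.0.2.0/24 entry had `list= A-BOGON.List` (stray space), which
# leaves `list` empty and fails; 169.254/16 is link-local (RFC 3927), not an RFC 1918 range.
# Deliberately NOT added: 10/8, 172.16/12, 192.168/16 and 100.64/10 - they are bogons on WAN
# ingress but legitimate LAN / CGNAT sources; add them only where this list is matched on
# WAN ingress exclusively. 240.0.0.0/4 (reserved) is a safe additional candidate.
/ip firewall address-list add address=169.254.0.0/16 list=A-BOGON.List comment="R+: BOGONIP: Rango IP.Privadas" disabled=yes;
/ip firewall address-list add address=127.0.0.0/8 list=A-BOGON.List comment="R+: BOGONIP: " disabled=yes;
/ip firewall address-list add address=0.0.0.0/8 list=A-BOGON.List comment="R: BOGONIP: --- " disabled=yes;
/ip firewall address-list add address=192.0.2.0/24 list=A-BOGON.List comment="R+: BOGONIP: --- " disabled=yes;
/ip firewall address-list add address=192.88.99.0/24 list=A-BOGON.List comment="R+: BOGONIP: --- " disabled=yes;
/ip firewall address-list add address=198.18.0.0/15 list=A-BOGON.List comment="R+: BOGONIP: --- " disabled=yes;
/ip firewall address-list add address=198.51.100.0/24 list=A-BOGON.List comment="R+: BOGONIP: --- " disabled=yes;
/ip firewall address-list add address=203.0.113.0/24 list=A-BOGON.List comment="R+: BOGONIP: --- " disabled=yes;
/ip firewall address-list add address=224.0.0.0/4 list=A-BOGON.List comment="R+: BOGONIP: --- " disabled=yes;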
# Nota: (ips, actualmente, no asignadas a ninguna entidad, hay un monton mas).
# -------------------------------------------- [IP Public especiales]
# --------------------- [DOS.ATTACK]
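# --------------------- [DOS.ATTACK]
# A-DARK = dropped on input, A-WHITE = accepted on input, A-BLACKHOLE = bait addresses matched
# in forward (the rules using them are outside this section). `1..255` / `10..1` are truncated
# placeholders, not valid addresses - fill them in before enabling. Fix: `disabled=yes`.
/ip firewall address-list add address=1..255 list=A-DARK.List comment="Rx: RB.Input (IP.Drop)" disabled=yes;
/ip firewall address-list add address=1..255 list=A-WHITE.List comment="Rx: RB.Input (IP.Accept)" disabled=yes;
/ip firewall address-list add address=10..1 list=A-BLACKHOLE.List comment="R+: RB.Forward (IP.Carnada: PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED)" disabled=yes;
# --------------------- [ENACOM.OFF]
# --------------------- [ENACOM.ON]
/ip firewall address-list add address=1..1 list=A-ENACOMACCEPT.List comment="Cx: Client.Forward (Accept x ENACOM (ID: ______,________________ ))" disabled=yes;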
# …
# Nota: Cuevana → (AS13335 - NetName: CLOUDFLARENET); limitar rangos, ya que el AS comparte IPs con muchos otros servicios.
# --------------------------------------------- [Alta-Conectividad.IPs]
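# --------------------------------------------- [Alta-Conectividad.IPs]
# Client/QoS lists. `1..1` entries are placeholders. Fix: `disabled=yes`, ASCII quotes.
/ip firewall address-list add address=X.Y.Z.W/32 list=C-ALTACONECTIVIDAD.List comment="R+: Alta-Conectividad (BGP/24.Server permitido)" disabled=yes;
/ip firewall address-list add address=1.1.1.1/32 list=C-ALTACONECTIVIDAD.List comment="R+: Alta-Conectividad (DNS.Server permitido)" disabled=yes;
/ip firewall address-list add address=1.0.0.1/32 list=C-ALTACONECTIVIDAD.List comment="R+: Alta-Conectividad (DNS.Server permitido)" disabled=yes;
/ip firewall address-list add address=209.244.0.3/32 list=C-ALTACONECTIVIDAD.List comment="R+: Alta-Conectividad (DNS.Server permitido)" disabled=yes;
/ip firewall address-list add address=209.244.0.4/32 list=C-ALTACONECTIVIDAD.List comment="R+: Alta-Conectividad (DNS.Server permitido)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-ALTACONECTIVIDAD.List comment="Cx: Alta-Conectividad (ID: ______,________________)" disabled=yes;
# --------------------------------------------- [Promo.Franja-Horaria]
/ip firewall address-list add address=1..1 list=C-PROMO2DCLIENT.List comment="C+: Client.Promo (S-D)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO5DCLIENT.List comment="C+: Client.Promo (L-V)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO7MCLIENT.List comment="Cx: Client.Promo (7.Mañanas)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO7NCLIENT.List comment="Cx: Client.Promo (7.Noches)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMOXDCLIENT.List comment="Cx: Client.Promo (<Nombre>: 000D, expira el: 00/00/0000)" disabled=yes;
# Note: Promo.XD is policed by the control script until the expiry date in the comment passes.
# The expiry is parsed from the comment text, so keep the "expira el: DD/MM/YYYY" format intact.
# --------------------------------------------- [Promo.Social-Media]
# NOTE(review): '!' inside a list name is accepted here but can be confusing next to
# RouterOS' `!list` negation syntax in matchers; quote the name when referencing it.
/ip firewall address-list add address=1..1 list=C-PROMO!FACEBOOK.List comment="Cx: Client.Promo (!RS.Facebook)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!YOUTUBE.List comment="Cx: Client.Promo (!RS.Youtube)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!NETFLIX.List comment="Cx: Client.Promo (!RS.Netflix)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!WHATSAPP.List comment="Cx: Client.Promo (!RS.Whatsapp)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!TWITTER.List comment="Cx: Client.Promo (!RS.Twitter)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!INSTAGRAM.List comment="Cx: Client.Promo (!RS.Instagram)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!SKYPE.List comment="Cx: Client.Promo (!RS.Skype)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!SPOTIFY.List comment="Cx: Client.Promo (!RS.Spotify)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!SNAPCHAT.List comment="Cx: Client.Promo (!RS.Snapchat)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!TELEGRAM.List comment="Cx: Client.Promo (!RS.Telegram)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!TWITCH.List comment="Cx: Client.Promo (!RS.Twitch)" disabled=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!VIMEO.List comment="Cx: Client.Promo (!RS.Vimeo)" disabled=yes;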
# …
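/ip proxy set enabled=no; # web proxy off
# ---------------------------------------------
# To enable: turn the proxy on and transparently redirect LAN port 80 to it (8070).
# Fix in the commented rule: the redirect parameter is `to-ports=` (`to-port=` is rejected).
# SECURITY: once enabled, port 8070 is an open proxy unless the input chain drops it from the
# WANs and `/ip proxy access` restricts who may use it; block WAN requests before enabling.
# /ip proxy set enabled=yes;
# /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 in-interface-list=LANs comment="Rx: Web.Proxy (Redireciona Port (80 a 8070)" action=redirect to-ports=8070 disabled=yes;
# Web.Proxy (config and protection): ------------------------------- [under construction]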
# Schedulers.Config: ---------------------------------------------------------------------
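# Scheduled tasks. Each `on-event=` names a script that must already exist in /system script.
# Fixes: ASCII quotes; `/ system` -> `/system` (stray space); `start-time=start` is not a
# valid value - the keyword is `startup` (run shortly after boot). `hh:mm:ss`, `xd02:13:00`
# and the placeholders must be replaced with real values before enabling.
# SECURITY (least privilege): a scheduler entry runs its script with the entry's own
# `policy=` set, which by default is very broad (write, policy, password, ...). Give each
# entry only the policies its script needs (e.g. `policy=reboot` for the reboot task).
/system scheduler add name="TP (RB.PromoXDay-Cheq)" start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event="RB.PromoXDay-Cheq" comment="C+: ( RB.PromoXDay-Cheq )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (AddressList.Ctrl (QoS.Redes Sociales)" start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event="AddressList.Ctrl (QoS.Redes Sociales)" comment="C+: ( AddressList.Ctrl (QoS.Redes Sociales) )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (RB.IP-Change)" start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event="RB.IP-ChangeWAN1" comment="R+: ( RB.IP-Change )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (RB.Reboot)" on-event="/system reboot" start-date=dec/01/2017 start-time=hh:mm:ss interval=xd02:13:00 comment="Rx: ( RB.Reboot )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (RB.QoSChange% (xRB))" start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event="RB.QoSChange% (xRB)" comment="Cx: ( RB.QoSChange% (xRate y Bytes) )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (RB.BackUp-Config)" on-event="RB.BackUp-Config" start-date=dec/01/2017 start-time=hh:mm:ss interval=1d comment="R+: ( RB.BackUp-Config )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (RB.BackUp-AddressList)" start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event="RB.BackUp-AddressList" comment="Rx: ( RB.BackUp-AddressList )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (RB.ISP-Stadistic)" start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event="RB.ISP-Stadistic" comment="C+: ( RB.ISP-Stadistic )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (AddressList.DOSAttack-Alert)" start-date=dec/01/2017 start-time=startup interval=hh:mm:ss on-event="AddressList.DOSAttack-Alert" comment="R+: ( AddressList.DOSAttack-Alert )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (QS.ChangeAB)" start-date=dec/01/2017 start-time=startup interval=hh:mm:ss on-event="QS.ChangeAB" comment="C+: ( QS.ChangeAB )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (AddressList.AddIP-RSociales)" start-date=dec/01/2017 start-time=startup interval=hh:mm:ss on-event="AddressList.AddIP-RSociales" comment="C+: ( AddressList.AddIP-RSociales )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (AddressList.Ctrl (Services IP Change)" start-date=dec/01/2017 start-time=startup interval=hh:mm:ss on-event="AddressList.Ctrl (Services IP Change)" comment="C+: ( AddressList.Ctrl (Services IP Change) )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (Alert.LinkChange-RBLink)" start-date=dec/01/2017 start-time=startup interval=hh:mm:ss on-event="Alert.LinkChange-RBLink" comment="Rx: ( RB.Alert.LinkChange-RBList )" disabled=yes;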
# Micelaneos.Config: ---------------------------------------------------------------------
# Misc hardening (same settings as before, grouped by purpose).
# Services nothing in this design needs: SOCKS, UPnP, cloud DDNS, bandwidth-test server,
# SNMP agent. (Also worth checking on the device, not covered by this file: /tool romon.)
/ip socks set enabled=no;
/ip upnp set enabled=no;
/ip cloud set ddns-enabled=no update-time=no;
/tool bandwidth-server set enabled=no;
/snmp set enabled=no;
# Kernel-side mitigations.
/ip firewall connection tracking set enabled=yes; # required by FastTrack
/ip settings set tcp-syncookies=yes; # SYN-flood mitigation
# rp-filter=strict drops packets whose source address would be routed back out a different
# interface (anti-spoofing). CAUTION: with several WANs and policy/mark-based balancing
# (what this config is built for) strict mode also discards legitimate asymmetric return
# traffic; `loose` is the usual choice there. The original note already marks this as untested.
/ip settings set rp-filter=strict;
# Nota: bloquea el agente SNMP del RB para monitoreo externo (TCP/UDP 161-162 → SNMP). Un agente SNMP almacena y entrega la información definida por el fabricante en sus MIBs (lo que un NMS puede consultarle); si se habilita, usar únicamente SNMPv3 con autenticación y cifrado.
# -------------------------------------------------------------------------------------------
# One-shot reboot of the RB 10 s from now: the trigger time is computed from the router
# clock at add time, so the entry fires once and then stays in the scheduler list.
:local rebootAt ([/system clock get time] + 00:00:10);
/system scheduler add name=RB.Reboot on-event="/system reboot" start-time=$rebootAt;
# [ 02 ] --------------------------- [ RB reinciando ] ------------------------------
# ---------------------------- [ Connections Types ]-----------------------------------
# NEW: Intenta crear una nueva conexión.
# ESTABLISHED: El paquete forma parte de una conexión ya existente.
# RELATED: El paquete está relacionado, aunque realmente no forma parte de una conexión existente.
# INVALID: El paquete ni es parte de una conexión existente ni intenta crear una nueva conexión.
# -------------------------------------------------------------------------------------------
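# Disable the one-shot "RB.Reboot" entry created earlier (this runs on the next apply, after
# the reboot). Fixes: `disabled=yes` is the real parameter (`disable=yes` is rejected, so the
# original line never disabled anything), and the item is addressed directly by `find` instead
# of re-reading its own name through `get`. Removing the entry instead
# (`/system scheduler remove [find name="RB.Reboot"]`) avoids leaving a reboot trigger around.
/system scheduler set [find name="RB.Reboot"] disabled=yes;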
# ------------------------------------------------------------------------------ [INI]
# -------------------------------------------------------------------------------------
# -------------------------- Reglas básica del Firewall: ---------------------------
# -------------------------------------------------------------------------------------
# -------------------------------------------------------------------------------------
# Recorre, en forma descendente, las listas del firewall, hasta cumplirse las condiciones de una regla (accept o drop). Ergo: disponer, las mas probables arriba y en secuencia (de estar relacionadas).
# ----------------------------------------------------------------------------------- [INI]
# ------------------------------------------ [Raw] ---------------------------------------
# ------------------------------------------------------------------------------------------
# Reglas x Mitigar (DoS Attacks): --------------------------------------------- [INI]
# El (1.Raw), es previo a (2.Connection-Tracking 3.Mangle, 4.NAT y 5.Filter). Ergo: RAM-, e igual efectividad que el firewall (CPU-) y sirve, tanto x (Forward) como x (Input). Ante un ataque masivo, mis reglas no son efectivas. (log=yes – save MAC –, only x ataque).
# -------------------------------------------------------------- [x DNSTCPFlood.WAN]
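# Raw rules run before connection tracking, mangle, NAT and filter, so a drop here is cheap
# (no conntrack entry) and applies to both input and forward traffic.
# [x DNSTCPFlood.WAN] / [x DNSUDPFlood.WAN]: record (Rx) and drop (R+) port-53 traffic that
# enters from the WANs. SECURITY: with `allow-remote-requests=yes` these drops are what stops
# the RB from being an open resolver / DNS amplification reflector towards the Internet, and
# they also shield port 53 on public client addresses behind it. Keep the R+ drops enabled
# whenever the WANs interface list has members. Fix: `disabled=yes`, ASCII quotes.
/ip firewall raw add chain=prerouting protocol=tcp dst-port=53 in-interface-list=WANs comment="001Rx: Guardo.1h (src-IP en T-DOSDNSTCPWAN.List x Input.DNSTCPConn desde WANs)" action=add-src-to-address-list log=no log-prefix="[DOS-DNSTCPWAN.Flood]: " address-list=T-DOSDNSTCPWAN.List address-list-timeout=1h disabled=yes;
/ip firewall raw add chain=prerouting protocol=tcp dst-port=53 in-interface-list=WANs comment="002R+: Mitiga (DNSTCPWAN.Flood)" action=drop disabled=yes;
# ------------------------------------------------------------- [x DNSUDPFlood.WAN]
/ip firewall raw add chain=prerouting protocol=udp dst-port=53 in-interface-list=WANs comment="003Rx: Guardo.1h (src-IP en T-DOSDNSUDPWAN.List x Input.DNSUDPConn desde WANs)" action=add-src-to-address-list log=no log-prefix="[DOS-DNSUDPWAN.Flood]: " address-list=T-DOSDNSUDPWAN.List address-list-timeout=1h disabled=yes;
/ip firewall raw add chain=prerouting protocol=udp dst-port=53 in-interface-list=WANs comment="004R+: Mitiga (DNSUDPWAN.Flood)" action=drop disabled=yes;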
# Nota: crea redundancia, pues en (Filter), bloqueo lo no-aceptado; pero sirve para proteger (ClientIPPub.Port (53)).
# ------------------------------------------------------- [x UDPACKFlood.WAN/LAN]
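# [x UDPACKFlood.WAN/LAN]: when the RB receives a UDP packet for a port nobody listens on it
# answers ICMP 3:3 (port unreachable), so a UDP scan/flood makes the RB emit one reply per probe.
# NOTE(review): in RouterOS `limit=` matches packets WHILE the rate is still under the limit.
# The original pair (005 record + 006 drop, both with limit=1000/5s) therefore dropped the
# first 1000 replies per 5 s and let everything above that rate through - the inverse of
# rate limiting. Rewritten as: 005 records the peers we answer (unchanged), 006 accepts the
# 1000/5s budget, 006b drops everything beyond it. Careful with dst-address-list: the
# negation only spares the A-ICMPWANSRC.List peers. Fix: `disabled=yes`, ASCII quotes.
/ip firewall raw add chain=output protocol=icmp out-interface-list=WANs dst-address-list=!A-ICMPWANSRC.List icmp-options=3:3 limit=1000/5s,5:packet comment="005Cx: Guardo.1h (src-IP en T-DOSUDPACK.List x Input.UDPACKFlood)" action=add-dst-to-address-list log=no log-prefix="[DOS-UDPACK.Flood]: " address-list=T-DOSUDPACK.List address-list-timeout=1h disabled=yes;
/ip firewall raw add chain=output protocol=icmp out-interface-list=WANs dst-address-list=!A-ICMPWANSRC.List icmp-options=3:3 limit=1000/5s,5:packet comment="006R+: Acepto.ICMP-3:3 dentro del limite (1000/5s)" action=accept disabled=yes;
/ip firewall raw add chain=output protocol=icmp out-interface-list=WANs dst-address-list=!A-ICMPWANSRC.List icmp-options=3:3 comment="006bR+: Mitigo (UDPACK.Flood x ICMP.ACK [ 3:3 port unreachable ]) - excedente" action=drop disabled=yes;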
# Nota: cuando el RB recibe un UDP.Packet (Port), revisa si existen programas escuchando dicho (Port), de no existir, envia un (ICMP.PortACK, 3:3) al origen, avisando que (destino unreachable). Cuidado con (dst-address-list).
# ------------------------------------------------------------------ [x IPSpoofing.LAN]
# ACK: Confirma conexión.
# PSH: Fuerza priorización del paquete en destino y obliga esperar otro.
# RST: Indica que se debe reiniciar la conexión.
# SYN: Indica que se pretende iniciar una conexión.
# FIN: Indica la finalización de una conexión.
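# [x IPSpoofing.LAN] (BCP38 egress filtering): anything entering from a LAN port with a source
# address outside A-LAN.List is recorded (007, logged) and dropped (008).
# OPERATIONS: A-LAN.List must be populated and its entries enabled first - with an empty
# list `!A-LAN.List` matches every LAN packet and 008 would cut off all clients.
# `log=yes` on 007 writes one line per packet; under a real flood that is itself a load,
# which is why the section note says to enable logging only while investigating an attack.
# Fix: `disabled=yes`, ASCII quotes.
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=!A-LAN.List comment="007Rx: Guardo.1h (src-IP en T-DOSIPSPOOFLAN.List x Input/Forward.Conn desde !A-LAN.List)" action=add-src-to-address-list log=yes log-prefix="[DOS-IPSPOOFLAN.BCP38]: " address-list=T-DOSIPSPOOFLAN.List address-list-timeout=1h disabled=yes;
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=!A-LAN.List comment="008R+: Mitigo.IPSpoofingLAN (x Input/Forward.Conn desde !A-LAN.List)" action=drop disabled=yes;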
# ----------------------------------------------------------------- [x ICMPFlood.WAN]
# ------------------------------------ [x Client.IPPub (WAN)]
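# [x ICMPFlood.WAN -> Client.IPPub]: ICMP from the WANs towards the public client addresses in
# A-ICMPWANDST.List is accepted while under 50 packets / 5 s (010); beyond that it falls through
# to the later drop (014). 009 records the sources seen under the limit (not the flooders -
# `limit=` matches while under the limit), so treat its list as "who pinged", not "who attacked".
# Fix: `disabled=yes`, ASCII quotes.
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs dst-address-list=A-ICMPWANDST.List limit=50/5s,5:packet comment="009Cx: Guardo.1h (src-IP en T-DOSICMPWANDST.List x ICMPWANDST.Flood)" action=add-src-to-address-list log=no log-prefix="[DOS-ICMPWANDST.Flood]: " address-list=T-DOSICMPWANDST.List address-list-timeout=1h disabled=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs dst-address-list=A-ICMPWANDST.List limit=50/5s,5:packet comment="010C+: Acepto.InputICMP-Limitado (desde src-IP hacia ICMPWANDST.List)" action=accept disabled=yes;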
# Nota: tambien se supera (limit=50/5s,5:p) con (ping x.x.x.x –l 8873 –t).
# ---------------------------------------- [x RB.IPPub (WAN)]
# Regla x RBACCESS (x ByteKnocking - ICMP): ---------------------------- [INI]
# (A: Administrativo), (P: Privilegiado – durante ataques –) y (L: Liberado).
# ------------------------------------------ [Acceso Administrativo (x PKnocking)]
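# ICMP "byte knocking": an echo request of a specific total size (700 / 800 bytes) from a
# non-admin WAN source adds that source for 60 s to A-ICMPWANSRC.List, which rule 012 then
# accepts (rate-limited). Only one of 011R> / 011R< / 011R* is meant to be active.
# SECURITY notes:
#  - The packet size is a static, replayable secret: anyone who can observe one knock can
#    reproduce it. It gates only rate-limited ICMP here, so the exposure is small, but do not
#    extend the same trick to management ports without a real authenticated channel.
#  - The comment strings say "a A-ADMIN.List" but the rules add to A-ICMPWANSRC.List; the code
#    is the safer of the two readings (the (L) rule below adds ANY WAN source, which must never
#    land in the admin list). Left as-is; the comment strings are misleading, not the rules.
#  - 011R* (L) effectively means "everyone may ping at 50/5s": it is the open alternative.
# Fix: `disabled=yes`, ASCII quotes.
/ip firewall raw add chain=prerouting protocol=icmp packet-size=700 in-interface-list=WANs src-address-list=!A-ADMIN.List limit=50/5s,5:packet log=no log-prefix="[ BKnocking1-1 (A) ]: " action=add-src-to-address-list comment="011R>: BKnocking1-1 (A) (Add.60s src-IP a A-ADMIN.List x Input.ICMP)" address-list=A-ICMPWANSRC.List address-list-timeout=60s disabled=yes;
# --------------------------------------------- [Acceso Privilegiado (x PKnocking)]
/ip firewall raw add chain=prerouting protocol=icmp packet-size=800 in-interface-list=WANs src-address-list=!A-ADMIN.List limit=50/5s,5:packet log=no log-prefix="[ BKnocking1-1 (P) ]: " action=add-src-to-address-list comment="011R<: BKnocking1-1 (P) (Add.60s src-IP a A-ADMIN.List x Input.ICMP)" address-list=A-ICMPWANSRC.List address-list-timeout=60s disabled=yes;
# --------------------------------------------------------- [Acceso Liberado (x Port)]
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs limit=50/5s,5:packet log=no log-prefix="[ ICMP.Free (L) ]: " action=add-src-to-address-list comment="011R*: ICMP.Free (L) (Add.60s src-IP a A-ADMIN.List x Input.ICMP)" address-list=A-ICMPWANSRC.List address-list-timeout=60s disabled=yes;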
# Nota: 60s+, y la IP deja de ser válida (ping IP -l {700/800=((672/772)+(28 – cabecera de paquete TCP –))}).
# Regla x RBACCESS (x ByteKnocking - ICMP): ---------------------------- [FIN]
# WAN-side ICMP toward the router, gated by A-ICMPWANSRC.List (filled by the
# knocking rules above): accept within limit, record unknown senders, drop the rest.
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs src-address-list=A-ICMPWANSRC.List limit=100/5s,5:packet comment=“012R+: Acepto.InputICMP-Limitado (desde A-ICMPWANSRC.List)” action=accept disable=yes;
# Note: limit=100/5s,5:p is also exceeded with (ping x.x.x.x -l 17753 -t). Because an
# accept in Raw does not carry through to Filter, a matching Filter accept (028R+) is also needed.
# NOTE(review): 013Rx has no rate condition — a single ICMP packet from any WAN source
# outside A-ICMPWANSRC.List lists it for 1h; the rule is non-terminating, so the packet
# still reaches 014R+.
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs src-address-list=!A-ICMPWANSRC.List comment=“013Rx: Guardo.1h (src-IP en T-DOSICMPWANSRC.List x !A-ICMPWANSRC.List, posible ICMPWAN.Flood)” action=add-src-to-address-list log=no log-prefix="[DOS-ICMPWANSRC.Flood]: " address-list=T-DOSICMPWANSRC.List address-list-timeout=1h disable=yes;
# Note: the attacker is not recorded when the attack comes from a source already in
# A-ICMPWANSRC.List and exceeds the limit.
# Raw prerouting has no connection-state, so 014R+ also drops echo replies to the
# router's own outbound pings arriving from the WANs (see the icmp-type note below).
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs comment=“014R+: Bloqueo.Resto de InputICMP.Conn (hacia WANs)” action=drop disable=yes;
# Nota: Si (icmp-type=!0:0 action=drop), el RB, pide y recibe ecos, mas no los responde.
# ----------------------------------------------------------------- [x ICMPFlood.LAN]
# ------------------------------------ [x RB.IPPri (src-LANs)]
# LAN-side ICMP, same three-step shape as the WAN block: accept known senders within
# limit, record unknown senders for 1h, drop the rest.
# NOTE(review): raw prerouting sees transit traffic as well as traffic to the router,
# so 017Rx also drops LAN→WAN ICMP — which is why the note below says to disable the
# Forward ICMP jump while these are active. 016Rx lists a LAN host on its first ICMP
# packet (no rate condition).
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs src-address-list=A-ICMPLANSRC.List limit=50/5s,5:packet comment=“015Rx: Acepto.InputICMP-Limitado (desde A-ICMPLANSRC.List)” action=accept disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs src-address-list=!A-ICMPLANSRC.List comment=“016Rx: Guardo.1h (src-IP en T-DOSICMPLANSRC.List x !A-ICMPLANSRC.List, debido a ICMPLAN.Limit)” action=add-src-to-address-list log=no log-prefix="[DOS-ICMPLANSRC.Flood]: " address-list=T-DOSICMPLANSRC.List address-list-timeout=1h disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs comment=“017Rx: Bloqueo.Resto de InputICMP.Conn (desde LANs)” action=drop disable=yes;
# Nota: activar solo x uso de ICMPLANSRC.Limit (desactivar Forward ICMP.Jump) o ICMP.LAN-Attack.
# ------------------------------------ [x RB.IPPri (dst-LANs)]
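# Raw output chain: ICMP the router itself sends toward the LANs.
# Fix: packets in chain=output are locally generated and have no ingress interface,
# so in-interface-list=LANs could never match; the LAN-side condition for
# router-originated traffic is the egress interface (out-interface-list).
/ip firewall raw add chain=output protocol=icmp out-interface-list=LANs dst-address-list=A-ICMPLANDST.List limit=50/5s,5:packet comment=“018Rx: Acepto.OutputICMP-Limitado (hacia A-ICMPLANDST.List)” action=accept disable=yes;
/ip firewall raw add chain=output protocol=icmp out-interface-list=LANs dst-address-list=!A-ICMPLANDST.List comment=“019Rx: Guardo.1h (src-IP en T-DOSICMPLANDST.List x !A-ICMPLANDST.List, debido a ICMPLAN.Limit)” action=add-src-to-address-list log=no log-prefix="[DOS-ICMPLANDST.Flood]: " address-list=T-DOSICMPLANDST.List address-list-timeout=1h disable=yes;
/ip firewall raw add chain=output protocol=icmp out-interface-list=LANs comment=“020Rx: Bloqueo.Resto de OutputICMP.Conn (hacia LANs)” action=drop disable=yes;
# NOTE(review): in chain=output the source address is the router's own, so
# add-src-to-address-list in 019Rx lists the router rather than the LAN host being
# answered; add-dst-to-address-list is probably what was intended — confirm.
# 020Rx also stops the router's echo replies to any LAN host outside A-ICMPLANDST.List.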
# Nota: activar solo x uso de ICMPLANDST.Limit (desactivar Forward ICMP.Jump) o ICMP.LAN-Attack.
# Reglas x Mitigar (DoS Attacks): --------------------------------------------- [FIN]
# Reglas x Ctrl.Client (x C-CLIENTDROP.List): ------------------------------ [INI]
# Eficiencia+, pero CPU+ que usar reglas en (Filter.Input/Forward).
# Drops everything from C-CLIENTDROP.List sources on the LANs before connection
# tracking, so it covers both Input and Forward in one rule. Because Raw has no
# connection-state, replies on already-established connections are cut as well —
# no need to flush Connections as the Filter counterpart (045C+) requires.
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=C-CLIENTDROP.List comment=”021Cx: Bloqueo (Input/Forward.Conn desde C-CLIENTDROP.List)” action=drop disable=yes;
#... (Constituir seguidamente, solo x ataque desde (C-CLIENTDROP.List), el resto de reglas de Control de Clientes (Drop), antes de los (Accept) de (Filter)). Desactivar, homónimos en (Filter).
# Reglas x Ctrl.Client (x C-CLIENTDROP.List): ----------------------------- [FIN]
# ----------------------------------------------------------------------------------- [FIN]
# ------------------------------------------ [Raw] ---------------------------------------
# ------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------- [INI]
# ----------------------------------------- [Filter] ---------------------------------------
# -------------------------------------------------------------------------------------------
# Reglas x Aceleracion de Tráfico: ------------------------------------------ [INI]
# Filter fast path: accept tracked traffic first, then drop invalid state. Every rule
# that follows in Filter therefore only sees new (or untracked) connections, which
# several notes below rely on (e.g. the NTP rules not matching connection-state=new).
# The comment string of 002R+ reads "Relacioadas" (typo); left untouched here as it
# is the rule's runtime comment.
/ip firewall filter add chain=forward connection-state=established,related comment=”001C+: Acepto (Forward.Conn=Establecidas y Relacionadas)” action=accept disable=yes;
/ip firewall filter add chain=input connection-state=established,related comment=”002R+: Acepto (Input.Conn=Establecidas y Relacioadas)” action=accept disable=yes;
/ip firewall filter add chain=forward connection-state=invalid comment=”003C+: Rechazo (Forward.Conn=Invalidas)” action=drop disable=yes;
/ip firewall filter add chain=input connection-state=invalid comment=”004R+: Rechazo (Input.Conn=Invalidas)” action=drop disable=yes;
# Reglas x Aceleracion de Tráfico: ------------------------------------------ [FIN]
# Reglas x Mitigar (DoS Attacks): --------------------------------------------- [INI]
# ---------------------------------- Opcion.01 (>) ------------------------ [INI]
# (A), referencia una regla que tanto puede aplicarse a (R) como a (C). Recomiendan que: (burst>=rate).
# ---------------------------------------------------------------- [x TCPFlood/src-dst]
# Option 1 for TCP-flood mitigation: every forward packet jumps to DOS.Jump.
# 006A> returns while the src/dst pair is within dst-limit; 007A> returns for the
# exception list; anything left has both ends recorded for 10m, and 010A> drops only
# when *both* src and dst are listed. Reaching the end of DOS.Jump returns to forward.
# X, Y and Ts are placeholders in dst-limit=rate,burst,mode/expire — fill in before use.
/ip firewall filter add chain=forward comment=”005A>: JUMP.Make (Forward.DOSJUMP to new-chains.Forward)” action=jump jump-target=DOS.Jump disable=yes;
/ip firewall filter add chain=DOS.Jump dst-limit=X,Y,src-and-dst-addresses/Ts comment=”006A>: Acepto (hasta un Packet-Limit=Xp/s-burst=Ys x src-dst)” action=return disable=yes;
/ip firewall filter add chain=DOS.Jump src-address-list=C-ALTACONECTIVIDAD.List action=return log=no log-prefix="[DOS-TCP.Flood/Excepcion]: " comment=”007A>: Excepciones.aPacket-Limit (src-C-ALTACONECTIVIDAD.List)” disable=yes;
/ip firewall filter add chain=DOS.Jump comment=”008A>: Add.10m (src-Address a T-DOSTCPFSRC.List)” action=add-src-to-address-list address-list=T-DOSTCPFSRC.List address-list-timeout=10m disable=yes;
/ip firewall filter add chain=DOS.Jump comment=”009A>: Add.10m (dst-Address a T-DOSTCPFDST.List)” action=add-dst-to-address-list address-list=T-DOSTCPFDST.List address-list-timeout=10m disable=yes;
/ip firewall filter add chain=forward src-address-list=T-DOSTCPFSRC.List dst-address-list=T-DOSTCPFDST.List action=drop log=no log-prefix="[DOS-TCP.Flood/src-dst]: " comment=”010A>: Bloqueo (src-dst x Packet-Limit+)” disable=yes;
# ---------------------------------- Opcion.01 (>) ----------------------------- [FIN]
# ---------------------------------- Opcion.02 (<) ----------------------------- [INI]
# --------------------------------------------------------------------- [x TCPFlood/32]
# En (Raw), droparía cada conexión TCP (new o establecida) de T-DOSTCPF____.List, provocando en las LANs, un Client.IPDrop. Siendo que, lo que busco, es limitar las conexiones x IP a (IN: 200+/32)/FW: 400+/32).
# --------------------------------------------- [x TCPFlood/32.IN]
# Option 2: per-/32 connection counting. connection-limit=N,32 matches once the source
# /32 already holds N or more connections. A source exceeding 200 (input) / 400
# (forward) is listed for 1h; listed sources are then tarpitted beyond 20 / 40.
# NOTE(review): these five rules write `disabled=yes` while the rest of the file writes
# `disable=yes`; `disabled` is the documented property name — use one spelling so that
# every rule behaves the same on import. Tarpit keeps state per connection (CPU+), as
# the note below says.
/ip firewall filter add chain=input protocol=tcp src-address-list=T-DOSTCPFIN.List connection-limit=20,32 comment="005R<: Limito (a 20/32 Input.TarpitType (ralentizadas) a los de T-DOSTCPFIN.List)" action=tarpit disabled=yes;
/ip firewall filter add chain=input protocol=tcp src-address-list=!C-ALTACONECTIVIDAD.List connection-limit=200,32 comment="006R<: Guardo.1h (src-IPs en T-DOSTCPFIN.List x 200+/32 Input.TCP)” action=add-src-to-address-list log=yes log-prefix="[DOS-TCP.Flood/IN32]: " address-list=T-DOSTCPFIN.List address-list-timeout=1h disabled=yes;
# --------------------------------------------- [x TCPFlood/32.FW]
/ip firewall filter add chain=forward protocol=tcp src-address-list=T-DOSTCPFFW.List connection-limit=40,32 comment="007R<: Limito (a 40/32 Forward.TarpitType (ralentizadas) a los de T-DOSTCPFFW.List)" action=tarpit disabled=yes;
/ip firewall filter add chain=forward protocol=tcp src-address-list=!C-ALTACONECTIVIDAD.List connection-limit=400,32 comment="008R<: Guardo.1h (src-IPs en T-DOSTCPFFW.List x 400+/32 Forward.TCP)” action=add-src-to-address-list log=yes log-prefix="[DOS-TCP.Flood/FW32]: " address-list=T-DOSTCPFFW.List address-list-timeout=1h disabled=yes;
# … (reservado hasta 011R)
# Nota: (Tarpit), usa CPU+ que (Drop), ya que mantiene la conexión establecida, reduciendo su trafico hasta cero, evitando asi, que el atacante cree una new-connection al hacerle nosotros un (Drop).
# -------------------------------------------------------------------------- [x SYNFlood]
# En (Raw), dropearia cada connection SYN (new o establecida) de T-DOSSYN____.List, provocando en las LANs, un Client.IPDrop. Siendo que, lo que busco, es limitar las connection x Chain a (IN: 150+/s)/FW: 600+/s). Activar, las next 4 reglas, solo en caso de (DoSAttack.SYNFlood), estando usando (Opcion.02) y determinar valores reales para: (IN/FW).
# ------------------------------------------------------- [x SYNFlood.IN]
# SYN-flood rules, to be enabled only during an attack (see the note above).
# limit=150,5:packet means 150 packets/s with a burst of 5.
# NOTE(review): RouterOS `limit` matches while the rate is *not* exceeded, so as written
# 012Cx/014Cx list the sources that stay under the rate and 013Cx/015Cx drop the
# in-rate SYNs while the excess passes through — the opposite of the comment text.
# The usual shape is `limit=… action=accept` (or return) followed by an unconditional
# drop; confirm against the RouterOS docs before relying on these. The comment string
# of 015Cx says "Input.SYNFlood" although the rule is in chain=forward.
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn limit=150,5:packet comment="012Cx: Guardo.1h (src-IP en T-DOSSYNIN.List x posible Input.SYNFlood)" action=add-src-to-address-list log=no log-prefix="[DOS-InputSYN.Flood]: " address-list=T-DOSSYNIN.List address-list-timeout=1h disable=yes;
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn limit=150,5:packet comment="013Cx: Bloqueo (x 150+/s Input.SYN-Conn simultaneas x posible Input.SYNFlood)" action=drop disabled=yes;
# ------------------------------------------------------- [x SYNFlood.FW]
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn limit=600,5:packet comment="014Cx: Guardo.1h (src-IP en T-DOSSYNFW.List x posible Forward.SYNFlood)" action=add-src-to-address-list log=no log-prefix="[DOS-ForwardSYN.Flood]: " address-list=T-DOSSYNFW.List address-list-timeout=1h disable=yes;
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn limit=600,5:packet comment="015Cx: Bloqueo (x 600+/s Forward.SYN-Conn simultaneas x posible Input.SYNFlood)" action=drop disabled=yes;
# Nota: x descubrir (IP.Externa), cambiar en (IN/FW) a: (action=add-dst-to-address-list).
# ---------------------------------- Opcion.02 (<) ----------------------------- [FIN]
# Externally initiated NTP toward the router: list the sender for 1h and drop.
# There is no rate condition — a single UDP/123 packet from the WAN is enough — and,
# as the note below explains, the established/related accept above is what keeps the
# router's own NTP client replies out of these rules.
/ip firewall filter add chain=input protocol=udp dst-port=123 in-interface-list=WANs comment="016Rx: Guardo.1h (src-IPs en T-DOSNTPWAN.List x posible Input.NTPWANFlood)" action=add-src-to-address-list log=no log-prefix="[DOS-NTPWAN.Flood]: " address-list=T-DOSNTPWAN.List address-list-timeout=1h disabled=yes;
/ip firewall filter add chain=input protocol=udp dst-port=123 in-interface-list=WANs comment="017R+: Bloqueo (src-IP x posible DOSNTPWAN.Flood)" action=drop disabled=yes;
# Nota: x posicionarse después de (Aceleracion de Trafico), no pregunto x (connection-state=new), para asegurarme que solo bloquee trafico NTP iniciado externamente. No puede hacerla funcionar en (Raw).
# ------------------------------------------------------------ [x dst-LANIP.BlackHole]
# Inbound (WAN→LAN) destinations that should never be reached: A-BLACKHOLE members,
# and anything outside A-LAN.List. Each pair lists the source for 1h, then drops.
# NOTE(review): Filter forward sees the post-dstnat destination, so A-LAN.List must
# contain the private client addresses the NAT rules map to, or 021R+ will drop
# every inbound forward — verify the list contents before enabling.
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=A-BLACKHOLE comment=“018Cx: Guardo.1h (src-IP en T-BLACKHOLE.List x Forward.Conn no permitido hacia RB.IPPubClient)” action=add-src-to-address-list log=no log-prefix="[DOS-RBIPPubClient.BLACKHOLE]: " address-list=T-DOSBLACKHOLE.List address-list-timeout=1h disable=yes;
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=A-BLACKHOLE comment="019C+: Mitigo.DOSIPPubClient (ForwardConn no permitido hacia RB.IPPubClient)" action=drop disable=yes;
# Note: consider tarpit instead of drop, or steering the traffic to a decoy host.
# -------------------------------------------------------------- [x dst-LANIP.Unknown]
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=!A-LAN.List comment=“020Rx: Guardo.1h (src-IP en T-DOSdstLANIPUK.List x Forward.Conn hacia !A-LAN.List)” action=add-src-to-address-list log=no log-prefix="[DOS-dstLANIP.UnKnow]: " address-list=T-DOSdstLANIPUK.List address-list-timeout=1h disable=yes;
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=!A-LAN.List comment="021R+: Mitigo.dstLANIPUnKnow (x Forward.Conn hacia !A-LAN.List)" action=drop disable=yes;
# ------------------------------------------------------------- [x PortScan.WAN/LAN]
# Port-scan detection on Input. psd=21,3s,3,1 is WeightThreshold,DelayThreshold,
# LowPortWeight,HighPortWeight: a source accumulating weight 21 within 3s (3 per
# low port, 1 per high port) is listed for 1h and dropped. No in-interface-list, so
# LAN hosts are subject to it too — see the spoofing caveat in the note below.
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 comment="022Rx: Guardo.1h (src-IPs en T-DOSPORTSCAN.List x posible Input.PortScan)" action=add-src-to-address-list log=no log-prefix="[DOS-Input.PortScan]: " address-list=T-DOSPORTSCAN.List address-list-timeout=1h disabled=yes;
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 comment="023R+: Bloqueo (src-IP x posible Input.PortScan)" action=drop disabled=yes;
# … (reservado hasta 025R)
# Nota: no uso (src-address-list=!A-ADMIN.List) x posible infección. Cuidado: si el atacante usa las IPs de mis DNS.Externos (IP.Spoofing), termino por auto-bloquearme. Alternativa de amplio espectro: (tcp-flags=fin,syn,rst,psh,ack,urg).
# Reglas x Mitigar (DoS Attacks): --------------------------------------------- [FIN]
# Regla x Drop (A-DARK.List desde Input): -----------------------------------------
# Input gate by reputation lists: A-DARK.List is dropped first, A-WHITE.List is
# accepted next (and thereby skips port knocking and the final Input drop), then the
# rate-limited ICMP accept that pairs with 012R+ in Raw.
/ip firewall filter add chain=input src-address-list=A-DARK.List comment=”026Rx: Rechazo (Input.Conn desde A-DARK.List)” action=drop disable=yes;
# Note: less precise, since in-interface-list=WANs is omitted to save CPU.
# Accept rule (A-WHITE.List on Input): -------------------------------------
/ip firewall filter add chain=input src-address-list=A-WHITE.List comment=”027Rx: Acepto (Input.Conn desde A-WHITE.List)” action=accept disable=yes;
# Note: less precise, since in-interface-list=WANs is omitted to save CPU.
# Accept rule (Input.ICMP from A-ICMPWANSRC.List): -----------------------
/ip firewall filter add chain=input protocol=icmp in-interface-list=WANs src-address-list=A-ICMPWANSRC.List limit=100/5s,5:packet comment=“028R+: Acepto.InputICMP-Limitado (desde A-ICMPWANSRC.List)” action=accept disable=yes;
# Regla x RBACCESS (x Access.Type - WINBOX): -------------------------- [INI]
# (A: Administrativo), (P: Privilegiado – durante ataques –) y (L: Liberado).
# ------------------------------------------ [Acceso Administrativo (x PKnocking)]
# Management-port accepts by access mode (A / P / L). 3333-3336 are the relocated
# service ports (see the note below); A-ADMIN.List is filled by the knocking rules.
# NOTE(review): 029R* (mode L) accepts 3333-3334 from any source with no list or
# interface condition; while it is enabled the attempts never reach 033Rx, so nothing
# is recorded. Treat it as a temporary switch, not a standing rule.
# ------------------------------------------ [Administrative access (via PKnocking)]
/ip firewall filter add chain=input protocol=tcp dst-port=3335-3336 src-address-list=A-ADMIN.List comment="029R>: Acepto (A) (only Input.RBACC desde A-ADMIN.List)" action=accept disable=yes;
# --------------------------------------------- [Privileged access (via PKnocking)]
/ip firewall filter add chain=input protocol=tcp dst-port=3333-3334 src-address-list=A-ADMIN.List comment="029R<: Acepto (P) (only Input.RBACC desde A-ADMIN.List)" action=accept disable=yes;
# --------------------------------------------------------- [Free access (via Port)]
/ip firewall filter add chain=input protocol=tcp dst-port=3333-3334 comment="029R*: Acepto (L) (only Input.RBACC desde AnyIP)" action=accept disable=yes;
# Nota: only RBACC.TCPP (debo cambiar los ports de IP/Services).
# Regla x RBACCESS (x Access.Type - WINBOX): -------------------------- [FIN]
# Regla x RBACCESS (x PortKnocking - WINBOX): ------------------------ [INI]
# ------------------------------------------ [Acceso Administrativo (x PKnocking)]
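# Port knocking for management access: mode A on 111→112→113, mode P on 22→33→44.
# Each knock must come from a source that completed the previous stage (30s window);
# the third knock grants A-ADMIN.List for 15m. The knock packets themselves are not
# accepted here — they fall through to the final Input drop.
# Fix: 031/032 matched src-address-list=T-RBACC-S1.List / T-RBACC-S2.List, but
# 030/031 write T-RBACCS1.List / T-RBACCS2.List (the names the comment strings use
# too), so stage 2 could never match and no sequence could complete. The stage lists
# are now referenced by the name they are written to.
# ------------------------------------------ [Administrative access (via PKnocking)]
/ip firewall filter add chain=input protocol=tcp dst-port=111 comment=“030R>: PKnocking1-3 (A) (Add.30s src-IP a T-RBACCS1.List x Input.RBACC)” log=no log-prefix="[ PKnocking1-3 (A) ]: " action=add-src-to-address-list address-list=T-RBACCS1.List address-list-timeout=30s disable=yes;
/ip firewall filter add chain=input protocol=tcp dst-port=112 src-address-list=T-RBACCS1.List comment=“031R>: PKnocking2-3 (A) (Add.30s src-IP a T-RBACCS2.List x Input.RBACC)” log=no log-prefix="[ PKnocking2-3 (A) ]: " action=add-src-to-address-list address-list=T-RBACCS2.List address-list-timeout=30s disable=yes;
/ip firewall filter add chain=input protocol=tcp dst-port=113 src-address-list=T-RBACCS2.List comment=“032R>: PKnocking3-3 (A) (Add.15m src-IP a A-ADMIN.List x Input.RBACC)” log=no log-prefix="[ PKnocking3-3 (A) ]: " action=add-src-to-address-list address-list=A-ADMIN.List address-list-timeout=15m disable=yes;
# --------------------------------------------- [Privileged access (via PKnocking)]
/ip firewall filter add chain=input protocol=tcp dst-port=22 comment=“030R<: PKnocking1-3 (P) (Add.30s src-IP a T-RBACCS1.List x Input.RBACC)” log=no log-prefix="[ PKnocking1-3 (P) ]: " action=add-src-to-address-list address-list=T-RBACCS1.List address-list-timeout=30s disable=yes;
/ip firewall filter add chain=input protocol=tcp dst-port=33 src-address-list=T-RBACCS1.List comment=“031R<: PKnocking2-3 (P) (Add.30s src-IP a T-RBACCS2.List x Input.RBACC)” log=no log-prefix="[ PKnocking2-3 (P) ]: " action=add-src-to-address-list address-list=T-RBACCS2.List address-list-timeout=30s disable=yes;
/ip firewall filter add chain=input protocol=tcp dst-port=44 src-address-list=T-RBACCS2.List comment=“032R<: PKnocking3-3 (P) (Add.15m src-IP a A-ADMIN.List x Input.RBACC)” log=no log-prefix="[ PKnocking3-3 (P) ]: " action=add-src-to-address-list address-list=A-ADMIN.List address-list-timeout=15m disable=yes;
# NOTE(review): both modes share T-RBACCS1/S2, so stages from A and P can be mixed
# (e.g. 111 then 33). The first knock has no in-interface-list=WANs, so LAN hosts can
# start a sequence as well. Knocking only hides the ports; the A-ADMIN.List accepts
# above remain the actual access control.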
# Nota: +30s, y la IP deja de ser valida. Hasta que, la sesión (conexión no finalice: winbox o ping) no se de por finalizada, la IP en cuestion, continuara habilitada por mas tiempo que (15m o 60s).
# Regla x RBACCESS (x PortKnocking - WINBOX): ------------------------ [FIN]
# Regla x RBACCESS (save src-!A-ADMIN.List - WINBOX): ----------------------
# Records (1d) any non-admin source touching the management ports; non-terminating,
# the packet continues to the final Input drop. Note that 029R* (free mode) sits above
# this rule and accepts 3333-3334 from anyone, so while it is enabled those attempts
# are never logged here.
/ip firewall filter add chain=input src-address-list=!A-ADMIN.List protocol=tcp dst-port=3333-3336 comment=“033Rx: Guardo.1d (src-IP en T-RBACCUK.List x Input.RBACCUnKnow desde !A-ADMIN.List)” action=add-src-to-address-list log=no log-prefix="[RBACC.UnKnow]: " address-list=T-RBACCUK.List address-list-timeout=1d disable=yes;
# Nota: x secuenciación de mí (Firewall), sin +reglas, no puedo evitar usar algunos (port).
# Reglas x Ctrl.Client (x C-CLIENTDROP.List): -------------------------------------
# Tail of the Input chain: client-control drop, LAN accept, then default deny.
# 036R+ is the Input default-deny — every service the router must answer (DNS, DHCP,
# Winbox from the LAN, …) has to be accepted above it, and LAN sources outside
# A-LAN.List are dropped like any WAN source.
/ip firewall filter add chain=input in-interface-list=LANs src-address-list=C-CLIENTDROP.List comment=”034Cx: Bloqueo (Input.Conn desde C-CLIENTDROP.List)” action=drop disable=yes;
# Note: a rule of little relevance; it only raises the level of blocking.
# Accept rule (authorised LAN Input traffic): ----------------------------------
/ip firewall filter add chain=input in-interface-list=LANs src-address-list=A-LAN.List comment=“035R+: Acepto (only LAN-Input.Conn desde A-LAN.List)” action=accept disable=yes;
# Note: less precise, since no permitted IP segment is specified per interface.
# Drop rule (remaining Input traffic): -------------------------------------------------
/ip firewall filter add chain=input comment=“036R+: Bloqueo (resto de Input.Conn)” action=drop disable=yes;
# … (reservado hasta 041R)
# Nota: x CPU-, las reglas que save IPs (ej: no-PKnocking), deben deshabilitarse o eliminarse, dejando solo el bloqueo de las mismas.
# Regla x Drop (Forward.Bogons): --------------------------------------------------
# Drops forwarded traffic whose destination is in A-BOGON.List. Only the destination
# is tested: spoofed bogon *sources* arriving from the WAN are not covered by this
# rule (the comment string says "desde", but the matcher is dst-address-list).
/ip firewall filter add chain=forward dst-address-list=A-BOGON.List comment="042C+: Bloqueo (Forward.Conn desde A-BOGON.List)" action=drop disable=yes;
# Nota: precisión-, al excluir la condicion (out-interface-list=WANs), para CPU-.
# Reglas x Mitigar (Email.Spam): ----------------------------------------------------
# Outbound mail abuse: a /32 holding 30+ connections to the mail ports is listed for
# 1h and dropped.
# NOTE(review): the rules combine connection-limit (matches at or above 30) with
# limit=30/1m,0 (matches only while under 30 per minute, burst 0) — the two conditions
# work against each other, and this `limit` uses the older count/time,burst form while
# the rest of the file writes rate,burst:packet. Confirm which condition is wanted.
/ip firewall filter add chain=forward protocol=tcp dst-port=25,110,587,993,995 connection-limit=30,32 limit=30/1m,0 comment="043Cx: Guardo.1h (src-IP en T-EMAILSPAM.List x posible Email.Spam)" action=add-src-to-address-list log=no log-prefix="[EMAIL.SPAM]: " address-list=T-EMAILSPAM.List address-list-timeout=1h disabled=yes;
/ip firewall filter add chain=forward protocol=tcp dst-port=25,110,587,993,995 connection-limit=30,32 limit=30/1m,0 comment="044Cx: Mitigo.EMAILSPAM (Forward.TCP [ 25,110,587,993,995 ] x posible Email.Spam)" action=drop disabled=yes;
# Reglas x Ctrl.Client (Estado): ----------------------------------------------- [INI]
# En (Raw), dropearian mas eficientemente, pero implicaria CPU+.
# Reglas x Ctrl.Client-Basic (x C-CLIENTDROP.List): -----------------------------
# Forward-chain client block. It sits after the established/related accept, so an
# address added to C-CLIENTDROP.List keeps its open connections until they are
# removed from Connections (see the note below); the Raw variant 021Cx has no such gap.
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-CLIENTDROP.List comment=”045C+: Bloqueo (Forward.Conn desde C-CLIENTDROP.List)” action=drop disable=yes;
# Nota: Precisión+, al incluir la condicion (in-interface-list=LANs), CPU+. Dada la posición en (Firewall.Filter), es necesario eliminar sus conexiones existentes en (Connections), para surtir efecto al agregar IP a (Address-List).
# Reglas x Ctrl.Promo-Franjas (x C-PPROMO__CLIENT.List): ----------- [INI]
# Time-window client blocks: 2D = weekdays all day, 5D = weekend all day,
# 7M = every night 19:00-07:00, 7N = every day 07:00-19:00. Per the note below the
# lists themselves are populated by a script.
# NOTE(review): 048Cx matches src-address-list=C-PROMO7MCLIENTP.List while its comment
# string (and the 7N sibling) use the ...CLIENT.List form — the trailing P looks like a
# typo; confirm against the list the script actually fills.
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO2DCLIENT.List comment=”046C+: Ctrl.Promo (bloqueo Forward.Conn desde C-PROMO2DCLIENT.List)” time=00:00:00-1d,mon,tue,wed,thu,fri action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO5DCLIENT.List comment=”047C+: Ctrl.Promo (bloqueo Forward.Conn desde C-PROMO5DCLIENT.List)” time=00:00:00-1d,sat,sun action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO7MCLIENTP.List comment=”048Cx: Ctrl.Promo (bloqueo Forward.Conn desde C-PROMO7MCLIENT.List)” time=19:00:00-07:00:00,mon,tue,wed,thu,fri,sat,sun action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO7NCLIENT.List comment=”049Cx: Ctrl.Promo (bloqueo Forward.Conn desde C-PROMO7NCLIENT.List)” time=07:00:00-19:00:00,mon,tue,wed,thu,fri,sat,sun action=drop disable=yes;
# … (reservado hasta 055C)
# Nota: precisión+, al incluir la condicion (in-interface=LANs), aunque CPU+. Importante: el Ctrl.Promo de (C-PROMOXDCLIENT.List) se hace x script.
# Reglas x Ctrl.Promo-Franjas (x C-PPROMO__CLIENT.List): ----------- [FIN]
# Reglas x Ctrl.Promo-SocialMedia (x C-PPROMO______.List): --------- [INI]
# Per-service client blocks: one (C-PROMO!X.List source, S-X.List destination) pair per
# service. Effectiveness depends entirely on how current each S-*.List is; these
# services move across large, changing address ranges, so the lists need a
# maintenance source. The note after this block mentions in-interface-list=WANs; the
# rules actually match LANs (the client side), which is the correct direction here.
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!YOUTUBE.List dst-address-list=S-YOUTUBE.List comment=”056Cx: Ctrl.Promo (bloqueo Youtube.Servers x src-IP of C-PROMO!YOUTUBE.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!FACEBOOK.List dst-address-list=S-FACEBOOK.List comment=”057Cx: Ctrl.Promo (bloqueo Facebook.Servers x src-IP of C-PROMO!FACEBOOK.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!NETFLIX.List dst-address-list=S-NETFLIX.List comment=”058Cx: Ctrl.Promo (bloqueo Netflix.Servers x src-IP of C-PROMO!NETFLIX.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!WHATSAPP.List dst-address-list=S-WHATSAPP.List comment=”059Cx: Ctrl.Promo (bloqueo Whatsapp.Servers x src-IP of C-PROMO!WHATSAPP.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!TWITTER.List dst-address-list=S-TWITTER.List comment=”060Cx: Ctrl.Promo (bloqueo Twitter.Servers x src-IP of C-PROMO!TWITTER.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!INSTAGRAM.List dst-address-list=S-INSTAGRAM.List comment=”061Cx: Ctrl.Promo (bloqueo Instagram.Servers x src-IP of C-PROMO!INSTAGRAM.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!SKYPE.List dst-address-list=S-SKYPE.List comment=”062Cx: Ctrl.Promo (bloqueo Skype.Servers x src-IP of C-PROMO!SKYPE.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!SPOTIFY.List dst-address-list=S-SPOTIFY.List comment=”063Cx: Ctrl.Promo (bloqueo Spotify.Servers x src-IP of C-PROMO!SPOTIFY.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!SNAPCHAT.List dst-address-list=S-SNAPCHAT.List comment=”064Cx: Ctrl.Promo (bloqueo Snapchat.Servers x src-IP of C-PROMO!SNAPCHAT.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!TELEGRAM.List dst-address-list=S-TELEGRAM.List comment=”065Cx: Ctrl.Promo (bloqueo Telegram.Servers x src-IP of C-PROMO!TELEGRAM.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!TWITCH.List dst-address-list=S-TWITCH.List comment=”066Cx: Ctrl.Promo (bloqueo Twitch.Servers x src-IP of C-PROMO!TWITCH.List)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-PROMO!VIMEO.List dst-address-list=S-VIMEO.List comment=”067Cx: Ctrl.Promo (bloqueo Vimeo.Servers x src-IP of C-PROMO!VIMEO.List)” action=drop disable=yes;
# … (reservado hasta 077C)
# Nota: precisión+, al incluir la condicion (in-interface-list=WANs), CPU+.
# Reglas x Ctrl.Promo-SocialMedia (x C-PPROMO______.List): --------- [FIN]
# Reglas x Ctrl.Client (Estado): ----------------------------------------------- [FIN]
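# Service-specific forward drops.
# 078C+: LAN sources not in A-ENACOMACCEPT.List may not reach A-ENACOMDROP.List.
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=!A-ENACOMACCEPT.List dst-address-list=A-ENACOMDROP.List comment=”078C+: Bloqueo (Cuevana.Servers x ENACOM NO-2019-16651442)” action=drop disable=yes;
# 079Cx: TLS SNI match. Fix: the ClientHello that carries the SNI is the client's
# outbound packet and enters the router from the LAN side; with in-interface-list=WANs
# the rule could only ever see inbound connections to port 443 on a LAN server, never a
# LAN client browsing torproject.org. The match is on the plaintext SNI only (no effect
# on QUIC/UDP, see the note below, nor on connections without a readable SNI).
/ip firewall filter add chain=forward in-interface-list=LANs protocol=tcp dst-port=443 tls-host=”*torproject.org*” comment=”079Cx: Bloqueo.HTTPS (https://www.torproject.org/...)” action=drop disable=yes;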
# … (reservado hasta 088C)
# Nota: (tls-host), usa TCP, mientra que (QUIC: google), usa UDP.
# Reglas x Drop (específicos Servicios.IP): ---------------------------------- [FIN]
# Reglas x JUMP.FW ICMP/TCP/UDP (new Chain x Protect): ------------ [INI]
# Per-protocol jumps for forwarded traffic; each custom chain returns to forward when
# its last rule is passed without a terminating action. Placed after the client
# control drops above so those are evaluated first. (The comment string of 091C+
# reads "UPD" — runtime text, left as is.)
/ip firewall filter add chain=forward protocol=icmp comment=”089C+: JUMP.Make (Forward.ICMPJUMP to new-chains.ICMP)” action=jump jump-target=FW-ICMP.Jump disable=yes;
/ip firewall filter add chain=forward protocol=tcp comment=”090C+: JUMP.Make (Forward.TCPJUMP to new-chains.TCP)” action=jump jump-target=FW-TCP.Jump disable=yes;
/ip firewall filter add chain=forward protocol=udp comment=”091C+: JUMP.Make (Forward.UDPJUMP to new-chains.UPD)” action=jump jump-target=FW-UDP.Jump disable=yes;
# Reglas x JUMP.FW ICMP/TCP/UDP (new Chain x Protect): ------------ [FIN]
# Reglas x Ctrl (ICMP.Jump x Amenazas.Forward-ICMP): --------------- [INI]
# Forwarded ICMP allow-list by type:code (echo request/reply, time exceeded,
# net/host unreachable, fragmentation needed), everything else dropped by 097C+.
# NOTE(review): `limit` here is a single global counter per rule, not per source —
# under load one noisy host exhausts the 50/5s budget for every LAN client, and the
# overflow falls through to 097C+ and is dropped. dst-limit with an address mode gives
# a per-host budget if that matters (see the note below about reviewing the limits).
/ip firewall filter add chain=FW-ICMP.Jump protocol=icmp icmp-options=8:0 limit=50/5s,5:packet action=accept comment="092C+: Acepto (Forward.ICMP [ 8:0 ] limitado x allow echo request)" disable=yes;
/ip firewall filter add chain=FW-ICMP.Jump protocol=icmp icmp-options=0:0 limit=50/5s,5:packet comment="093C+: Acepto (Forward.ICMP [ 0:0 ] limitado x echo reply)" action=accept disable=yes;
/ip firewall filter add chain=FW-ICMP.Jump protocol=icmp icmp-options=11:0 limit=50/5s,5:packet action=accept comment="094C+: Acepto (Forward.ICMP [ 11:0 ] limitado x allow time exceed)" disable=yes;
/ip firewall filter add chain=FW-ICMP.Jump protocol=icmp icmp-options=3:0-1 limit=50/5s,5:packet comment="095C+: Acepto (Forward.ICMP [ 3:0-1 ] limitado x net/host unreachable)" action=accept disable=yes;
/ip firewall filter add chain=FW-ICMP.Jump protocol=icmp icmp-options=3:4 limit=50/5s,5:packet comment="096C+: Acepto (Forward.ICMP [ 3:4 ] limitado x host unreachable fragmentation required)" action=accept disable=yes;
/ip firewall filter add chain=FW-ICMP.Jump comment="097C+: Bloqueo (all other types of Forward.ICMP)" action=drop disable=yes;
# Nota: determinar, conveniencia de (limit=50/5s,5:packet) en cada regla.
# Reglas x Ctrl (ICMP.Jump x Amenazas.Forward-ICMP): --------------- [FIN]
# Reglas x Drop (TCP.Jump x Amenazas.Forward-TCPPort): ------------ [INI]
# Forwarded-TCP deny list for LAN-only services and legacy remote-access tools; the
# chain has no final drop, so anything not listed returns to forward. These are
# destination-port matches in both directions (no interface condition), so they also
# stop LAN clients reaching such services on the Internet.
# NOTE(review): 3133 is labelled BackOrifice; that tool is conventionally associated
# with 31337 — confirm the intended port before relying on 105C+/113C+.
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=67-68 comment="098C+: Bloqueo (Forward.TCP [ 67-68 ] x posible DHCP)" action=drop disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=69 comment="099C+: Bloqueo (Forward.TCP [ 69 ] x posible TFTP)" action=drop disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=111 comment="100C+: Bloqueo (Forward.TCP [ 111 ] x posible RPC portmapper)" action=drop disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=135 comment="101C+: Bloqueo (Forward.TCP [ 135 ] x posible RPC portmapper)" action=drop disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=137-139 comment="102C+: Bloqueo (Forward.TCP [ 137-139 ] x posible NBT)" action=drop disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=445 comment="103C+: Bloqueo (Forward.TCP [ 445 ] x posible CIFS)" action=drop disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=2049 comment="104C+: Bloqueo (Forward.TCP [ 2049 ] x posible NFS)" action=drop disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=3133 comment="105C+: Bloqueo (Forward.TCP [ 3133 ] x posible BackOriffice)" action=drop disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=12345-12346 comment="106C+: Bloqueo (Forward.TCP [ 12345-12346 ] x posible NetBus)" action=drop disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=20034 comment="107C+: Bloqueo (Forward.TCP [ 20034 ] x posible NetBus)" action=drop disable=yes;
# Reglas x Drop (TCP.Jump x Amenazas.Forward-TCPPort): ------------ [FIN]
# Reglas x Drop (UDP.Jump x Amenazas.Forward-UDPPort): ----------- [INI]
# UDP counterpart of the FW-TCP.Jump deny list (TFTP, portmapper, NBT, NFS, 3133);
# no final drop, unmatched traffic returns to forward. Unlike the TCP chain, UDP 445
# and 137-139 are not paired with 67-68, so LAN DHCP relay across the router is
# unaffected here. Comment strings of 109C+/110C+ read "PRC" — runtime text, left as is.
/ip firewall filter add chain=FW-UDP.Jump protocol=udp dst-port=69 comment="108C+: Bloqueo (Forward.UDP [ 69 ] x posible TFTP)" action=drop disable=yes;
/ip firewall filter add chain=FW-UDP.Jump protocol=udp dst-port=111 comment="109C+: Bloqueo (Forward.UDP [ 111 ] x posible PRC portmapper)" action=drop disable=yes;
/ip firewall filter add chain=FW-UDP.Jump protocol=udp dst-port=135 comment="110C+: Bloqueo (Forward.UDP [ 135 ] x posible PRC portmapper)" action=drop disable=yes;
/ip firewall filter add chain=FW-UDP.Jump protocol=udp dst-port=137-139 comment="111C+: Bloqueo (Forward.UDP [ 137-139 ] x posible NBT)" action=drop disable=yes;
/ip firewall filter add chain=FW-UDP.Jump protocol=udp dst-port=2049 comment="112C+: Bloqueo (Forward.UDP [ 2049 ] x posible NFS)" action=drop disable=yes;
/ip firewall filter add chain=FW-UDP.Jump protocol=udp dst-port=3133 comment="113C+: Bloqueo (Forward.UDP [ 3133 ] x posible BackOriffice)" action=drop disable=yes;
# Reglas x Drop (UDP.Jump x Amenazas.Forward-UDPPort): ----------- [FIN]
# ----------------------------------------------------------------------------------- [INI]
# ------------------------------------------ [NAT] ----------------------------------------
# -------------------------------------------------------------------------------------------
# Nateo (IP.Pub y RB.Port): ----- [Opcional] ------ ( 1x Client.IP/Client.Port )
# ------------------------------------------------- [ IP.Pub (costo extra x IP)]
# Sinkhole NAT for a client with its own public address: sensitive ports are
# redirected to a private address that is either unused or a decoy (see the note
# below) instead of reaching the client. X.Y.Z.(x) and 10..1 are template placeholders
# and must be replaced before import. These must precede the 1:1 dstnat rule (004C+),
# since the first matching dstnat rule wins.
/ip firewall nat add chain=dstnat dst-address=X.Y.Z.(x) protocol=tcp dst-port=22,23,53,67-69,111,135,137-139,161,162,445,2049,3133,20034 comment=”002Cx: NAT.C-IPPub (Firewall.TCP-Port –> 10..1, IN : ______,________________)” to-address=10..1 action=dst-nat disable=yes;
/ip firewall nat add chain=dstnat dst-address=X.Y.Z.(x) protocol=udp dst-port=22,23,53,69,111,135,137-139,161,162,445,2049,3133 comment=”003Cx: NAT.C-IPPub (Firewall.UDP-Port –> 10..1, IN : ______,________________)” to-address=10..1 action=dst-nat disable=yes;
# …
# Nota: Posicionar antes de (to-address=IPPriClient) y Activar solo en caso de necesitar un Firewall x IPPubClient. Siendo (10.1), una IP.Priv inexistente en LANs o la IP.Priv de una PC.Carnada.
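# Full 1:1 NAT for one client public IP: everything addressed to X.Y.Z.(x) is
# forwarded to the private host 1..(x).(y) (004C+), and that host's outbound
# traffic is translated back to X.Y.Z.(x) (005C+).
# 004C+ has no protocol/port match, so it exposes EVERY port of the private
# host; the selective 002Cx/003Cx rules, and any other per-port dst-nat for
# this address, must be placed above it. Translated traffic still traverses
# the forward filter chain, so the FW-*.Jump drops defined earlier in this
# file continue to apply. Scoping with in-interface-list=WANs (004C+) and
# out-interface-list=WANs (005C+) is optional, as the note below says.
# Fixes: the original 005C+ used scr-address, which RouterOS rejects as an
# unknown property (the rule would never be created, so outbound traffic from
# the client would leave un-translated); now src-address. comment= values
# use ASCII double quotes, since the typographic ”…” are not delimiters.
# The canonical property is disabled=yes; disable=yes relies on abbreviation.
/ip firewall nat add chain=dstnat dst-address=X.Y.Z.(x) comment="004C+: NAT.C-IPPub (IN : ______,________________)" to-address=1..(x).(y) action=dst-nat disable=yes;
/ip firewall nat add chain=srcnat src-address=1..(x).(y) comment="005C+: NAT.C-IPPub (OUT: ______,________________)" to-address=X.Y.Z.(x) action=src-nat disable=yes;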
# Nota: agregar (in-interface-list=WANs x IN / out-interface-list=WANs x OUT) sería casi redundante.
# ------------------------------------------------- [ RB.Port (resta Port disp. en RB)]
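# Router-port forwarding (consumes one of the router's own ports): UDP to
# dst-port=9XXX arriving at the router is rewritten to 1..(x).(y):9YYY.
# No dst-address is given, so this matches the port on ANY address the router
# holds, every WAN IP and the LAN side alike; add dst-address=<RB public IP>
# or in-interface-list=WANs to scope it to the intended entry point.
# The "110C+" id repeats the one used by the UDP/135 filter rule above;
# renumber if the ids are used to locate rules.
# Fix: comment= value now uses ASCII double quotes; the typographic ”…” in
# the original are not string delimiters in RouterOS.
# The canonical property is disabled=yes; disable=yes relies on abbreviation.
/ip firewall nat add chain=dstnat protocol=udp dst-port=9XXX comment="110C+: Redirec Forward.Trafic-Port to RB.IPPub24 to (IPPriClient,PortDstClient (IN/OUT: ______,________________)" to-address=1..(x).(y) to-port=9YYY action=dst-nat disable=yes;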
# …
# Nota: para los puertos especiales (x Admin.Port o x Client.Port: cámara, ssh, telnet, etc.), los redireccionamientos deben implementarse agregando reglas de Nateo (IPPubClient o RB.PortDstClient), puesto que el (/IP Firewall Nat) se chequea antes del (/IP Firewall Filter).
# ----------------------------------------------------------------------------------- [FIN]
# ------------------------------------------ [NAT] ----------------------------------------
# -------------------------------------------------------------------------------------------
QoS (Layer7+AddressList+Mangle+QueueTree): ---------------------- [ INI ]
Layer 7 (RegExp): ------------------------------------------------------------------------
(^): implica, coincidir desde el principio del string.
(.): implica, coincidir con cualquier carácter (un único carácter por cada (.); se combina con + o * para indicar repeticiones).
(+): cuantificador que define cuántas veces debe repetirse el elemento anterior (+, significa 1 o más repeticiones).
(*): cuantificador que define cuántas veces debe repetirse el elemento anterior (*, significa 0 o más repeticiones).
(\.): la barra (\) escapa al (.), para que coincida con un punto literal y no con cualquier carácter.
($): implica, coincidencia con el fin del string.
Nota: el (protocolo layer 7) es un método de búsqueda de patrones (expresiones regulares: regexp) en flujos (ICMP/TCP/UDP), y puede usarse para bloqueo por dominio. Evalúa los primeros 10 paquetes de una nueva conexión (o 2KB); de no encontrarse el patrón, se lo declara no coincidente.
...