MikroTik (RouterOS) Zone-Based Firewall Example
# jan/29/2018 22: 4:17 by RouterOS 6.41
#
# Zone definitions. Every filter rule further down matches on one of these
# interface lists rather than on a concrete interface, so moving a zone to
# another port is a one-line change in /interface list member.
/interface list
add comment="public network" name=public
add comment="local network" name=local
add comment="guest network" name=guest
# Change the interfaces below to your own.
# NOTE(review): only "public" and "local" receive a member here; the
# "guest" list is left empty, so every GUEST-* rule below matches nothing
# until a guest interface (bridge, VLAN, wlan) is added to it.
/interface list member
add interface=ether1 list=public
add interface=bridge list=local
/ip firewall filter
# WARNING! All filter rules will be deleted.
# The 10 s delay is the only chance to abort (Ctrl-C) before the reset.
# Between the remove and the last "add" in this script the router has NO
# filter rules, i.e. it accepts everything; run it from a console or a
# session on the local side rather than over the public interface.
# NOTE(review): existing connection-tracking entries are not flushed by
# the reset, so a flow that was already established keeps matching the
# established/related rules below - verify on the router if that matters.
:delay 10
remove [find dynamic=no]
## Enable FastTrack for all zones
# Packets of a fasttracked connection bypass the remaining filter, mangle
# and queue rules, so per-flow policy placed after this rule only sees
# the first packets of each connection. Zone isolation below is unaffected
# because it drops cross-zone connections while they are still "new".
# NOTE(review): this script only covers /ip firewall; if the ipv6 package
# is enabled, /ipv6 firewall filter needs an equivalent rule set.
add action=fasttrack-connection chain=forward \
    comment="Enable FastTrack for all zones" \
    connection-state=established,related
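## PUBLIC ---> ROUTER
# Everything the Internet may open towards the router itself. Anything not
# accepted here returns to the input chain, whose default policy keeps only
# established/related traffic and ICMP before the final drop.
add chain=input action=jump jump-target=PUBLIC-TO-ROUTER \
    in-interface-list=public comment="PUBLIC ---> ROUTER"
# Plain-text WWW (80) and SSH (22) management from the WAN are disabled by
# default. Enable only if really needed, and then restrict the source
# (e.g. add src-address-list=<trusted-admins> to the rule); prefer www-ssl
# or winbox over port 80 and key-based SSH. A management session that is
# already open is not cut off, input accepts established/related.
add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=80 \
    disabled=yes comment="WWW mgmt from WAN - ENABLE ONLY IF NEEDED"
add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=22 \
    disabled=yes comment="SSH mgmt from WAN - ENABLE ONLY IF NEEDED"
add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=1194 \
    comment="OpenVPN"
# L2TP/IPsec: IKE (500) and NAT-T (4500) are open; L2TP itself (1701) is
# only accepted when it arrives inside an IPsec policy, so unencrypted
# L2TP is refused.
add chain=PUBLIC-TO-ROUTER action=accept protocol=udp dst-port=500,4500 \
    comment="L2TP/IPSec"
add chain=PUBLIC-TO-ROUTER action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec comment="L2TP only inside IPsec"
add chain=PUBLIC-TO-ROUTER action=accept protocol=ipsec-esp \
    comment="IPsec ESP"
# PPTP (MS-CHAPv2 / MPPE) is cryptographically broken and should not be
# exposed to the Internet; both rules are disabled by default and kept
# only for legacy clients that cannot use L2TP/IPsec or OpenVPN.
add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=1723 \
    disabled=yes comment="PPTP - insecure, ENABLE ONLY IF NEEDED"
add chain=PUBLIC-TO-ROUTER action=accept protocol=gre \
    disabled=yes comment="PPTP GRE - insecure, ENABLE ONLY IF NEEDED"
add chain=PUBLIC-TO-ROUTER action=return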
## PUBLIC <--- ROUTER
# Router-originated traffic towards the WAN. The chain only returns, so the
# decision is left to the output default policy at the end (accept all).
add action=jump chain=output comment="PUBLIC <--- ROUTER" \
    jump-target=ROUTER-TO-PUBLIC out-interface-list=public
add action=return chain=ROUTER-TO-PUBLIC
## LOCAL ---> ROUTER
# The trusted LAN may reach every router service; nothing is filtered in
# either direction between the router and the local zone.
add action=jump chain=input comment="LOCAL ---> ROUTER" \
    in-interface-list=local jump-target=LOCAL-TO-ROUTER
add action=accept chain=LOCAL-TO-ROUTER
## LOCAL <--- ROUTER
add action=jump chain=output comment="LOCAL <--- ROUTER" \
    jump-target=ROUTER-TO-LOCAL out-interface-list=local
add action=accept chain=ROUTER-TO-LOCAL
## PUBLIC ---> LOCAL
# Inbound from the Internet to the LAN. Order matters: replies to
# LAN-initiated flows (and raw "untracked" ones) pass, invalid packets and
# unsolicited new connections are dropped, and what is left - new
# connections that a dst-nat rule has already rewritten - is accepted.
# NOTE(review): a pure IPsec tunnel (not L2TP) whose decrypted packets
# still carry the public in-interface would be dropped here as
# new/!dstnat before the forward default's ipsec-policy accept is ever
# reached; if such tunnels are used, add `accept ipsec-policy=in,ipsec`
# ahead of the drop - verify on the router.
add action=jump chain=forward comment="PUBLIC ---> LOCAL" \
    in-interface-list=public jump-target=PUBLIC-TO-LOCAL \
    out-interface-list=local
add action=accept chain=PUBLIC-TO-LOCAL \
    connection-state=established,related,untracked
add action=drop chain=PUBLIC-TO-LOCAL connection-state=invalid
add action=drop chain=PUBLIC-TO-LOCAL connection-nat-state=!dstnat \
    connection-state=new
add action=accept chain=PUBLIC-TO-LOCAL
## PUBLIC <--- LOCAL
# The LAN may open anything towards the Internet.
add action=jump chain=forward comment="PUBLIC <--- LOCAL" \
    in-interface-list=local jump-target=LOCAL-TO-PUBLIC \
    out-interface-list=public
add action=accept chain=LOCAL-TO-PUBLIC
## GUEST ---> ROUTER
# Guests get nothing from the router itself: ICMP is dropped here and the
# return hands the rest to the input default policy, which only lets
# established/related (and untracked) traffic through, so no new guest
# connection to a router service survives.
# NOTE(review): if the router is also the guests' DNS resolver, add an
# `accept protocol=udp dst-port=53` (and tcp/53) before the return, or
# guests have no name resolution. Whether DHCP also needs an accept here
# depends on the RouterOS build - verify with a guest client.
add action=jump chain=input comment="GUEST ---> ROUTER" \
    in-interface-list=guest jump-target=GUEST-TO-ROUTER
add action=drop chain=GUEST-TO-ROUTER protocol=icmp
add action=return chain=GUEST-TO-ROUTER
## GUEST <--- ROUTER
# Router-originated traffic towards guests: decided by the output default
# policy (accept all).
add action=jump chain=output comment="GUEST <--- ROUTER" \
    jump-target=ROUTER-TO-GUEST out-interface-list=guest
add action=return chain=ROUTER-TO-GUEST
## PUBLIC ---> GUEST
# Both Internet<->guest chains only return; the forward default policy
# then accepts established/related flows, drops unsolicited new
# connections arriving from the public list (unless dst-natted) and
# accepts guest-originated connections.
add action=jump chain=forward comment="PUBLIC ---> GUEST" \
    in-interface-list=public jump-target=PUBLIC-TO-GUEST \
    out-interface-list=guest
add action=return chain=PUBLIC-TO-GUEST
## PUBLIC <--- GUEST
add action=jump chain=forward comment="PUBLIC <--- GUEST" \
    in-interface-list=guest jump-target=GUEST-TO-PUBLIC \
    out-interface-list=public
add action=return chain=GUEST-TO-PUBLIC
## LOCAL ---> GUEST
# Guest isolation: nothing crosses between guest and LAN in either
# direction, not even replies, since neither drop has a state match.
add action=jump chain=forward comment="LOCAL ---> GUEST" \
    in-interface-list=local jump-target=LOCAL-TO-GUEST \
    out-interface-list=guest
add action=drop chain=LOCAL-TO-GUEST
## LOCAL <--- GUEST
add action=jump chain=forward comment="LOCAL <--- GUEST" \
    in-interface-list=guest jump-target=GUEST-TO-LOCAL \
    out-interface-list=local
add action=drop chain=GUEST-TO-LOCAL
## [Default policy] INPUT
# Reached by every input packet a zone chain returned, or that came in on
# an interface belonging to no list: only replies and ICMP get through.
# NOTE(review): ICMP is accepted without limit from every zone including
# public; add a limit=... match to that rule if ping floods are a concern.
add action=accept chain=input comment="[Default policy] INPUT" \
    connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input
## [Default policy] FORWARD
# Reached by forward packets the zone chains returned (public<->guest) or
# that involve an interface outside every list (dynamic VPN tunnel
# interfaces, for instance, unless they are added to a list). Traffic
# matched by an IPsec policy is accepted here in both directions.
add action=accept chain=forward comment="[Default policy] FORWARD" \
    connection-state=established,related,untracked
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=forward connection-state=invalid
# Unsolicited connections from the Internet that no dst-nat rule claimed;
# this is what protects the guest zone, whose inbound chain only returns.
add action=drop chain=forward connection-nat-state=!dstnat \
    connection-state=new in-interface-list=public
# Disabled by default: enable it to forbid traffic between networks that no
# zone chain above covers; otherwise the final accept lets it through.
add action=reject chain=forward \
    comment="Forbid connections between networks" disabled=yes \
    reject-with=icmp-net-prohibited
# The next rule allows connections between networks. Enable the rule above to
# forbid that.
add action=accept chain=forward
## [Default policy] OUTPUT
# The router itself may send anything on any interface.
add action=accept chain=output comment="[Default policy] OUTPUT"