@jacob-faber
Forked from SmartFinn/ip_firewall_filter.rsc
Created September 4, 2019 13:41
MikroTik (RouterOS) Zone-Based Firewall Example
# jan/29/2018 22: 4:17 by RouterOS 6.41
#
/interface list
add comment="public network" name=public
add comment="local network" name=local
add comment="guest network" name=guest
# Map your own interfaces onto the three zones. Only "public" and "local"
# receive a member below; "guest" is left empty, and a matcher against an
# empty interface list matches nothing, so every GUEST rule in this script is
# inert until an interface is added to that list.
/interface list member
add interface=ether1 list=public
add interface=bridge list=local
/ip firewall filter
# WARNING! All filter rules will be deleted
# The 10 s delay is the only chance to abort: every static (non-dynamic)
# filter rule is then removed and the ruleset below is appended from scratch.
# Between the remove and the final default-policy drops at the end of this
# script the router has no filter rules at all, so run it from a console or
# local-zone session rather than over the WAN it is about to restrict.
:delay 10
remove [find dynamic=no]
## Enable FastTrack for all zones
# Deliberately the first rule in the forward chain: once a connection is
# fasttracked its packets bypass the rest of the filter, so the zone chains
# below effectively only see the opening packets of each connection.
# NOTE(review): the default FORWARD policy below also accepts ipsec-policy
# traffic. If forwarded traffic is meant to be encrypted by IPsec policies,
# confirm against the RouterOS docs for this version whether this rule needs
# an ipsec-policy=out,none matcher so policy-bound packets are not fasttracked
# past the policy check.
add chain=forward action=fasttrack-connection \
connection-state=established,related \
comment="Enable FastTrack for all zones"
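## PUBLIC ---> ROUTER
# Router services reachable from the public zone. Packets to the ports
# accepted below get in; everything else returns to the input chain, whose
# default policy (end of this script) passes only established/related and
# ICMP and drops the rest.
add chain=input action=jump jump-target=PUBLIC-TO-ROUTER \
    in-interface-list=public comment="PUBLIC ---> ROUTER"
# WebFig over plain HTTP: credentials and sessions would cross the Internet
# in cleartext, so this rule ships disabled and must be opted into. Prefer
# www-ssl, or reach WebFig over one of the VPNs accepted below.
add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=80 \
    disabled=yes comment="DISABLE IT IF NOT NEEDED"
# SSH from any Internet host. If it must stay open, narrow it with
# src-address-list=<admin hosts> or an address-list based brute-force limiter.
add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=22 \
    comment="DISABLE IT IF NOT NEEDED"
add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=1194 \
    comment="OpenVPN"
# IKE and NAT-T for IPsec. L2TP (udp/1701) is only accepted when it arrives
# inside an IPsec SA, so bare L2TP from the Internet still falls to the
# default drop.
add chain=PUBLIC-TO-ROUTER action=accept protocol=udp dst-port=500,4500 \
    comment="L2TP/IPSec"
add chain=PUBLIC-TO-ROUTER action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec
add chain=PUBLIC-TO-ROUTER action=accept protocol=ipsec-esp
# PPTP (tcp/1723 plus GRE). Its MS-CHAPv2/MPPE authentication and encryption
# are considered broken; disable both rules unless legacy clients require it.
add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=1723 \
    comment="PPTP"
add chain=PUBLIC-TO-ROUTER action=accept protocol=gre
add chain=PUBLIC-TO-ROUTER action=return
## PUBLIC <--- ROUTER
# Router-originated traffic to the public zone is not filtered: the chain
# returns and the output default policy accepts it.
add chain=output action=jump jump-target=ROUTER-TO-PUBLIC \
    out-interface-list=public comment="PUBLIC <--- ROUTER"
add chain=ROUTER-TO-PUBLIC action=return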
## LOCAL ---> ROUTER
# Hosts in the local zone may reach every service on the router: the chain
# accepts unconditionally, so nothing from "local" ever reaches the input
# default policy. Tighten this chain if LAN hosts are not fully trusted.
add action=jump chain=input comment="LOCAL ---> ROUTER" \
    in-interface-list=local jump-target=LOCAL-TO-ROUTER
add action=accept chain=LOCAL-TO-ROUTER
## LOCAL <--- ROUTER
# Router to local zone: accepted unconditionally.
add action=jump chain=output comment="LOCAL <--- ROUTER" \
    jump-target=ROUTER-TO-LOCAL out-interface-list=local
add action=accept chain=ROUTER-TO-LOCAL
## PUBLIC ---> LOCAL
# Internet to LAN: replies/related (and untracked) traffic passes, invalid
# packets are dropped, and new connections are dropped unless a dst-nat rule
# (port forward) created them. What is left — new, dst-natted connections —
# is accepted by the trailing rule.
add action=jump chain=forward comment="PUBLIC ---> LOCAL" \
    in-interface-list=public jump-target=PUBLIC-TO-LOCAL out-interface-list=local
add action=accept chain=PUBLIC-TO-LOCAL \
    connection-state=established,related,untracked
add action=drop chain=PUBLIC-TO-LOCAL connection-state=invalid
add action=drop chain=PUBLIC-TO-LOCAL connection-nat-state=!dstnat \
    connection-state=new
add action=accept chain=PUBLIC-TO-LOCAL
## PUBLIC <--- LOCAL
# LAN to Internet: everything is accepted, no egress filtering.
add action=jump chain=forward comment="PUBLIC <--- LOCAL" \
    in-interface-list=local jump-target=LOCAL-TO-PUBLIC out-interface-list=public
add action=accept chain=LOCAL-TO-PUBLIC
## GUEST ---> ROUTER
# Guests may not reach the router. ICMP is dropped here explicitly because
# the input default policy would otherwise answer it; everything else returns
# to that default policy, which only passes established/related traffic. If
# the router is expected to serve guests itself (e.g. DNS), accept those ports
# in this chain — TODO confirm which services guests need.
add action=jump chain=input comment="GUEST ---> ROUTER" \
    in-interface-list=guest jump-target=GUEST-TO-ROUTER
add action=drop chain=GUEST-TO-ROUTER protocol=icmp
add action=return chain=GUEST-TO-ROUTER
## GUEST <--- ROUTER
# Router to guest zone: unfiltered, returns to the output default policy.
add action=jump chain=output comment="GUEST <--- ROUTER" \
    jump-target=ROUTER-TO-GUEST out-interface-list=guest
add action=return chain=ROUTER-TO-GUEST
## PUBLIC ---> GUEST
# Internet to guest zone: deferred to the forward default policy, where
# unsolicited (non-dst-nat) new connections from "public" are dropped.
add action=jump chain=forward comment="PUBLIC ---> GUEST" \
    in-interface-list=public jump-target=PUBLIC-TO-GUEST out-interface-list=guest
add action=return chain=PUBLIC-TO-GUEST
## PUBLIC <--- GUEST
# Guest zone to Internet: deferred to the forward default policy, which
# accepts it unless the "Forbid connections between networks" rule is enabled.
add action=jump chain=forward comment="PUBLIC <--- GUEST" \
    in-interface-list=guest jump-target=GUEST-TO-PUBLIC out-interface-list=public
add action=return chain=GUEST-TO-PUBLIC
## LOCAL ---> GUEST
# Local and guest zones are fully isolated from each other: traffic is
# dropped unconditionally in both directions, regardless of connection state.
add action=jump chain=forward comment="LOCAL ---> GUEST" \
    in-interface-list=local jump-target=LOCAL-TO-GUEST out-interface-list=guest
add action=drop chain=LOCAL-TO-GUEST
## LOCAL <--- GUEST
add action=jump chain=forward comment="LOCAL <--- GUEST" \
    in-interface-list=guest jump-target=GUEST-TO-LOCAL out-interface-list=local
add action=drop chain=GUEST-TO-LOCAL
## [Default policy] INPUT
# Reached by whatever the zone chains above returned: public traffic that did
# not match an accepted service, and everything from "guest". Replies and
# ICMP are allowed, everything else is dropped.
add chain=input action=accept connection-state=established,related,untracked \
comment="[Default policy] INPUT"
add chain=input action=drop connection-state=invalid
# ICMP of every type from every zone that reaches this point (including
# public), with no rate limit. Consider restricting it to the ICMP types you
# need or adding a limit= matcher if ICMP floods against the router are a
# concern.
add chain=input action=accept protocol=icmp
add chain=input action=drop
## [Default policy] FORWARD
# Reached by PUBLIC <-> GUEST (both chains return) and by any interface pair
# no zone chain covers, e.g. two interfaces in the same list or an interface
# that is in no list at all.
add chain=forward action=accept connection-state=established,related,untracked \
comment="[Default policy] FORWARD"
# IPsec policy-matched traffic is accepted in both directions ahead of the
# state checks below.
add chain=forward action=accept ipsec-policy=in,ipsec
add chain=forward action=accept ipsec-policy=out,ipsec
add chain=forward action=drop connection-state=invalid
# Unsolicited connections from the public zone are dropped unless a dst-nat
# rule created them; this is the rule that shields "guest" from the Internet.
add chain=forward action=drop connection-state=new \
connection-nat-state=!dstnat in-interface-list=public
# Disabled by default. Enabling it turns the FORWARD default policy from
# allow into deny, so only the explicit zone chains pass traffic. Note that
# GUEST ---> PUBLIC returns here and would then be rejected as well.
add chain=forward action=reject reject-with=icmp-net-prohibited disabled=yes \
comment="Forbid connections between networks"
# The next rule allows connections between networks. Enable the rule above to
# forbid that
add chain=forward action=accept
## [Default policy] OUTPUT
# Router-originated traffic is never filtered.
add chain=output action=accept comment="[Default policy] OUTPUT"