MikroTik RB750 - Basic Firewall & Security

http://klseet.com/index.php?option=com_content&view=article&id=43&Itemid=40 [19/6/2012 10:46:09]
Sunday, 13 February 2011 01:59

RB750/750G Basic Firewall & Security

Documentation links:
From MikroTik: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall
From Users: http://wiki.mikrotik.com/wiki/Firewall
I'm not familiar with MikroTik and Linux commands; honestly, I'm totally lost reading that wiki documentation!
So basically I just follow the links & guides below, copy & paste to set up:
Basic Example: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Basic_examples
Bruteforce login prevention: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_%28FTP_%26_SSH%29
Drop port scanners: http://wiki.mikrotik.com/wiki/Drop_port_scanners

I can't tell whether it's really working fine or sufficient enough for general usage purposes; please note you use it at your own risk!
I would appreciate it if any MikroTik guru, or anyone who is familiar with this aspect, could advise/comment to further improve this article and help beginners like me; kindly email: klseet@gmail.com
Credit will definitely go to whoever contributes to improving this article. Many thanks in advance!


Before starting any new setting, ALWAYS back up the current good setting first.
Go to Files and click the Backup option:
Notice it will create a backup file named with the date & time, as follows:
You may also want to copy the backup file to your computer, should the router crash and you need to restore the last good setting.
Select the backup file, click the Copy button:
Go to your computer folder, click Paste and the file will be copied:
Make sure the backup file is copied to computer folder

The default setting does not have any admin password; it's always advisable to create your own admin password to access the router.
Go to System --> Password
Enter your own admin password

Since I only use WinBox to configure the router locally and do not wish to connect to or run any other services, I chose to disable all of the following services.
You may choose and decide which services to enable/disable according to your requirements.
Go to IP --> Services
Select those services and click the Disable button
Make sure it's disabled as follows:
Next go to IP --> Firewall
Choose the Service Ports tab, select those services and click Disable
Make sure it's disabled as follows:



The next step is to set up basic firewall rules.
Please note this setup continues from the UniFi setup article and is based on the assumption that:
Default network segment: 192.168.88.0/24
Internet interface: UniFi-Internet
You may need to change the above values according to your actual setup.
For first-time setup, it's easier to use the Terminal and enter the codes.
Click New Terminal and it will show you the command entry screen:
To set up firewall rules & filters, type "/ip firewall filter" and hit enter

Select & copy those codes (from the list below, after this section). Please do it one portion at a time, DO NOT select all at one go!!

Then Paste those codes at the terminal:

Re-confirm the number of entries and make sure there is no error (in red colours)
ALWAYS hit enter and make sure it returns to "[admin@MikroTik] /ip firewall filter >":
Close the Terminal window once confirmed. Now we need to check whether those codes entered are properly listed.
Go to IP --> Firewall
Notice the additional firewall rules are now added:

Select the first 4 default rules and click Disable, since we are creating our own rules.
Make sure it's disabled as follows:

Proceed to continue entering those codes by following the same steps above, portion by portion, to complete the firewall rules setup.
Once it's completed, you may see the connection statistics like this:

You may need to continue to revise & enhance the rules according to your needs.
Once confirmed, again, ALWAYS make another backup and copy it to your computer!



Codes - Firewall Rules
Note: Enter "/ip firewall filter" at the Terminal window before copying & pasting the following codes

Allow only needed icmp codes in icmp chain:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

Bruteforce login prevention
Allow only 10 FTP login incorrect answers per minute:
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
Prevent SSH brute forcing: the source is banned for 10 days after repetitive attempts:
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
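As an added example (not from the page or the MikroTik wiki), a small Python model of the five input-chain SSH rules above, showing why four new connections inside one minute earn a 10-day entry in ssh_blacklist while slower attempts never climb past ssh_stage1; the source address and timings are constructed.

```python
MINUTE, DAY = 60, 86400
BLACKLIST = "ssh_blacklist"


class AddressLists:
    """Firewall address lists with per-entry expiry, modelled on RouterOS
    address-list-timeout. Re-adding a listed address refreshes its timeout."""

    def __init__(self):
        self.expiry = {}  # (list_name, src_address) -> absolute expiry time

    def contains(self, name, src, now):
        exp = self.expiry.get((name, src))
        return exp is not None and now < exp

    def add(self, name, src, now, timeout):
        self.expiry[(name, src)] = now + timeout


def new_ssh_connection(lists, src, now):
    """Run one new TCP connection to port 22 through the page's five
    input-chain rules, in the order they are listed. add-src-to-address-list
    is a non-terminating action in RouterOS, so after a list update the packet
    keeps going to the next rule. Returns "drop" or "continue" (the packet
    goes on to the rest of the input chain)."""
    if lists.contains(BLACKLIST, src, now):
        return "drop"                                 # drop ssh brute forcers
    if lists.contains("ssh_stage3", src, now):
        lists.add(BLACKLIST, src, now, 10 * DAY)      # stage3 -> blacklist, 10d
    if lists.contains("ssh_stage2", src, now):
        lists.add("ssh_stage3", src, now, MINUTE)     # stage2 -> stage3, 1m
    if lists.contains("ssh_stage1", src, now):
        lists.add("ssh_stage2", src, now, MINUTE)     # stage1 -> stage2, 1m
    lists.add("ssh_stage1", src, now, MINUTE)         # every new SYN -> stage1, 1m
    return "continue"


def simulate(attempt_times, src="203.0.113.7"):
    """Replay new SSH connections from one source at the given times (seconds)
    and return the verdict for each. 203.0.113.7 is a constructed sample
    address from the documentation range, not taken from the page."""
    lists = AddressLists()
    return [new_ssh_connection(lists, src, t) for t in attempt_times]


if __name__ == "__main__":
    # Four SYNs inside one minute: the fifth is dropped, and so is every
    # further SYN for the next 10 days.
    print(simulate([0, 10, 20, 30, 40]))        # 4 x continue, then drop
    # The same four SYNs spaced 90 s apart never get past stage1.
    print(simulate([0, 90, 180, 270, 360]))     # all continue
```

The fourth connection itself still passes, because the blacklist entry is created after the drop rule has already been evaluated for that packet; the sixth (forward-chain) rule is not modelled here.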
Drop port scanners
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
Various combinations of TCP flags can also indicate port scanner activity:
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
Drop those IPs in both Input & Forward chains:
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
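As an added example (not part of the page), a Python model of the RouterOS tcp-flags matcher applied to the six flag rules above, so you can check which of the page's rules a given flag combination would trigger before relying on them; the sample packets are constructed.

```python
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")


def match_tcp_flags(spec, flags):
    """Evaluate a RouterOS tcp-flags matcher against one packet.
    spec is the value after tcp-flags= (e.g. "fin,!syn,!rst,!psh,!ack,!urg");
    flags is the set of flag names set in the packet. A name without '!' must
    be set, a name with '!' must be clear, and unmentioned flags are ignored."""
    for token in spec.split(","):
        token = token.strip().lower()
        if token.startswith("!"):
            if token[1:] in flags:
                return False
        elif token not in flags:
            return False
    return True


# The six tcp-flags rules from the page's "Drop port scanners" section, in order.
SCAN_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]


def matching_rules(flags):
    """Return the comments of every rule a packet with these flags would hit.
    add-src-to-address-list does not stop rule processing, so all matching
    rules fire and each increments its own counter; any hit lists the source
    in "port scanners" for 2w, and the two drop rules do the rest."""
    flags = {f.lower() for f in flags}
    unknown = flags - set(TCP_FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return [comment for spec, comment in SCAN_RULES if match_tcp_flags(spec, flags)]


if __name__ == "__main__":
    # Constructed sample packets: a normal handshake and close, then probes.
    for name, flags in [("SYN", {"syn"}), ("SYN/ACK", {"syn", "ack"}),
                        ("FIN/ACK", {"fin", "ack"}), ("NULL", set()),
                        ("FIN", {"fin"}), ("XMAS", {"fin", "psh", "urg"}),
                        ("everything", set(TCP_FLAGS))]:
        print(f"{name:>10}: {matching_rules(flags) or 'no match'}")
```

Ordinary handshake and close packets match nothing, while a packet with every flag set hits the SYN/FIN and SYN/RST rules as well as ALL/ALL, so the ALL/ALL counter never counts anything on its own; the source lands in the same address list either way.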

Router protection:
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input src-address=192.168.88.0/24 in-interface=!UniFi-Internet action=accept comment="Allow the LAN segment from non-Internet interfaces"
add chain=input action=drop comment="Drop everything else"
Customer protection (forward chain - traffic passing through the router):
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
Block Bogon IP addresses:
add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogon IP addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp comment="Make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
Last Updated on Monday, 28 February 2011 23:43
Create TCP chain and deny some TCP ports in it (revise port numbers as needed):
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
Create UDP chain and deny some UDP ports in it (revise port numbers as needed):
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"
