This script has basic rules to protect your router and avoid some unnecessary forwarding traffic. Pay attention for all comments before apply each DROP rules.
HANDS ON! First we need to create our ADDRESS LIST with all IPs we will use most times
Below you need to change x.x.x.x/x for your technical subnet. This subnet will have full access to the router.
/ip firewall address-list add address=x.x.x.x/x disabled=no list=support
Below we have the bogon list.
/ip firewall address-list add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no list=bogons add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it"\ disabled=yes list=bogons add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=no list=bogons add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it"\ disabled=yes list=bogons add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it"\ disabled=yes list=bogons add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it"\ disabled=yes list=bogons
Now we have protection against: SynFlood, ICMP Flood, Port Scan, Email Spam and much more. For more information read the comments.
/ip firewall filter add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \ comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect"\ disabled=no protocol=tcp psd=21,3s,3,1 add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp add action=drop chain=input\ comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST"\ disabled=yes dst-port=8291 protocol=tcp src-address-list=!support add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours"\ connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp add action=accept chain=input comment="Accept to established connections" connection-state=established\ disabled=no add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"\ disabled=yes add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
I think this is basic. You can add or remove anything else according to your needs. I hope it helps!
By Guilherme Ramires
Fuente:
https://wiki.mikrotik.com/wiki/Basic_universal_firewall_script