MikroTik: Полезные команды и заметки

#Очистка истории команд в консоли MikroTik:

# Clear the command history kept by the RouterOS console.
# NOTE(review): history can retain secrets that were typed inline in commands; it is
# also a record of what was changed on the device, so clearing it removes audit context.
console clear-history

#Базовые правила фаервола MikroTik

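# Baseline input/forward filter for a router whose WAN interface is named eth1-wan.
# Filter rules are evaluated top to bottom, so the order below is significant.

# Accept packets that belong to connections already tracked as established/related.
ip firewall filter add chain=input connection-state=established,related action=accept comment="Accept OK-traffic"
ip firewall filter add chain=forward connection-state=established,related action=accept comment="Forward OK-traffic"

# Drop packets arriving on the WAN interface that connection tracking marks as invalid.
ip firewall filter add chain=input in-interface=eth1-wan connection-state=invalid action=drop comment="Drop INVALID-traffic"
ip firewall filter add chain=forward in-interface=eth1-wan connection-state=invalid action=drop comment="Drop INVALID-traffic"

# Allow ICMP (ping) to the router itself from the WAN side.
ip firewall filter add chain=input in-interface=eth1-wan protocol=icmp action=accept comment="ping"

# Allow Winbox management (TCP 8291) from the WAN side.
# dst-port is used rather than port=, because port= also matches the source port and
# would therefore accept more than traffic addressed to the Winbox service.
# NOTE(review): this still exposes the management port to every WAN source. Prefer
# limiting it with src-address-list=<trusted management list> or reaching Winbox
# through a VPN instead of opening it on the WAN interface.
ip firewall filter add chain=input in-interface=eth1-wan protocol=tcp dst-port=8291 action=accept comment=Winbox

# Final input rule: drop everything else that arrives on the WAN interface.
# The comment parameter is given once; a second comment= on the same command is an error
# at best and ambiguous at worst.
# NOTE(review): there is no matching final drop in the forward chain, so new connections
# routed in from eth1-wan are not filtered by this rule set - confirm that is intended.
ip firewall filter add chain=input in-interface=eth1-wan action=drop comment="Drop all from WAN"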

#Аналог Fail2Ban в MikroTik (в примере telnet по порту 23)

# Staged limiter for new TCP connections to port 23 (telnet), built from address lists.
# It counts connection attempts, not failed logins: each new connection moves the source
# address one stage up, and a new connection from an address already in telnet_stage3
# puts it into telnet_blacklist for 30 days.
# The stage rules are listed highest stage first so that a single connection advances
# the source by one stage only (add-src-to-address-list lets processing continue to the
# next rule).
# NOTE(review): `add` without place-before appends to the end of the chain; these rules
# only take effect if they sit above any rule that already accepts or drops this traffic.
# Verify the resulting order in the filter rule list.
# NOTE(review): sources are listed on the first packet of a connection, so the address is
# not verified and legitimate reconnects are counted too; keep an accept rule for trusted
# management addresses above this block so administrators cannot be locked out.
# NOTE(review): telnet is unencrypted; consider disabling the service and applying the
# same pattern to the SSH port instead.

# Drop everything to port 23 from addresses that are currently blacklisted.
ip firewall filter add chain=input protocol=tcp dst-port=23 src-address-list=telnet_blacklist action=drop comment="Drop telnet Brute forces" disabled=no
# New connection from an address in telnet_stage3: blacklist it for 30 days.
ip firewall filter add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage3 action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=30d comment="" disabled=no
# New connection from an address in telnet_stage2: move it to telnet_stage3 for 10 minutes.
ip firewall filter add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage2 action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=10m comment="" disabled=no
# New connection from an address in telnet_stage1: move it to telnet_stage2 for 5 minutes.
ip firewall filter add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage1 action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=5m comment="" disabled=no
# Any new connection to port 23: record the source in telnet_stage1 for 1 minute.
ip firewall filter add chain=input protocol=tcp dst-port=23 connection-state=new action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m comment="" disabled=no

Posted in MikroTik on Dec 09, 2019.