Mikrotik Firewall Security

I’ve been using MikroTik routers for a while now, and I am honestly impressed by what they can do for the price. They give you more advanced features than Cisco, SonicWall, or WatchGuard products, and cost a fraction (literally) of the price.

So enough singing about how much I love MikroTik routers.

In this post we’ll explore some of the more powerful firewall rules that can be configured in MikroTik RouterOS.

MikroTik offers a GUI utility called WinBox to configure its devices; however, rather than telling you to point and click on several objects, for the most part I’ll give you the CLI commands, which you can paste into a terminal session on the router.

For these examples, we’ll be assuming the following:
Router internal IP: 192.168.25.1
Server IP: 192.168.25.20
WAN interface: ether1 (the rules below refer to it as the outside interface)

Basic Firewall Setup

We start with the input chain. Rules are evaluated top to bottom and the first terminating match wins, so the invalid drop and the connection-state accepts come first, then what we explicitly allow, then a catch-all drop:

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input connection-state=established action=accept comment="Allow established connections"
add chain=input connection-state=related action=accept comment="Allow related connections, e.g. ICMP errors for the router's own traffic"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.25.0/24 in-interface=!ether1 action=accept comment="Allow LAN traffic, but only on interfaces other than the WAN port (ether1); LAN addresses arriving on ether1 are spoofed and fall through to the drop"
add chain=input action=drop comment="Drop everything else. MAKE SURE THIS IS THE LAST RULE"

This protects the router itself, because in RouterOS the input chain only sees traffic addressed to one of the router’s own IP addresses. Anything passing through the router to devices behind it, whether routed, NATed, or bridged (bridged traffic only reaches the IP firewall when use-ip-firewall=yes is set under /interface bridge settings), is evaluated by the forward chain instead, so it needs its own connection-tracking rules. The fragment below only handles the tracking part; the allow rules for the services you publish, followed by a final drop of new connections arriving on ether1, are still to come, so until then nothing in this filter stops new connections from the WAN reaching hosts that are reachable through the router.

/ip firewall filter
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections (all protocols, not just TCP)"
add chain=forward connection-state=established action=accept comment="Allow already established connections"
add chain=forward connection-state=related action=accept comment="Allow related connections, e.g. the FTP data channel or ICMP errors"

Block Bad Traffic

Next, I want to block addresses that should never appear as a source on our network. I don’t like to create multiple rules to perform the same task, so we’ll create an Address List and group them together that way. In WinBox, go to IP > Firewall > Address Lists and click +, name the list Blocked IP’s, and add one entry per prefix below (each address is a separate entry, but using the same list name groups them together; the same list is reachable from the CLI under /ip firewall address-list). Feel free to add more prefixes to this list as you see fit.

0.0.0.0/8
127.0.0.0/8
224.0.0.0/3

Keep in mind that 224.0.0.0/3 covers all of multicast (224.0.0.0/4) plus the reserved 240.0.0.0/4 range and the broadcast address. The rules below match on source address only, so multicast protocols such as VRRP, which send from a unicast source to 224.0.0.18, are unaffected; if you later reuse this list in a dst-address-list rule, you’ll need to exclude the multicast groups you rely on.

Next we’ll add two filter rules that drop anything whose source address is in the list. I generally put these near the top of the filter, because most of the blocking rules later on this page only add offenders to this list; it is these two rules that actually drop their subsequent packets:

/ip firewall filter
add chain=input src-address-list="Blocked IP's" action=drop comment="Block these IP's from getting to the router" disabled=no
add chain=forward src-address-list="Blocked IP's" action=drop comment="Block these IP's from getting through the router" disabled=no

FTP Bruteforce Blocking

These two rules watch the output chain, i.e. packets the router itself sends, for the "530 Login incorrect" reply that RouterOS’s built-in FTP server returns after a failed login. The dst-limit=1/1m,9,dst-address/1m match on the first rule counts those replies per destination (client) address: it lets through a burst of 9 and then a sustained rate of one per minute, and forgets a client after a minute of silence. While a client is under that limit the first rule accepts the reply and processing stops; once it is over, the reply falls through to the second rule, which adds the client to Blocked IP’s. Two caveats: this is a content match on the clear-text FTP control channel, so it sees nothing for FTPS or SFTP, and the output chain also covers replies to LAN clients, so a few mistyped passwords from your own workstation will block you for three hours (add dst-address=!192.168.25.0/24 to both rules if you only want this for outside clients). For an FTP server behind the router, such as 192.168.25.20 in our example, the same pair of rules goes in the forward chain with src-address=192.168.25.20 added.

/ip firewall filter
add chain=output protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m action=accept comment="Match the router's own FTP login-failure replies; while a client has seen fewer than about 10 failures in the last minute, accept and stop processing here" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" action=add-dst-to-address-list address-list="Blocked IP's" address-list-timeout=3h comment="Must sit directly after the previous rule. A failure reply that exceeded the limit falls through to here and the client is added to Blocked IP's for 3 hours"

Drop Port Scanners

The psd matcher scores packets from one source that probe different destination ports in quick succession. The four values in psd=21,3s,3,1 are WeightThreshold, DelayThreshold, LowPortWeight and HighPortWeight: every new port below 1024 adds 3 to the source’s score, every port from 1024 up adds 1, packets more than 3 seconds apart are not treated as part of the same sequence, and the rule matches once the score reaches 21, so about seven privileged ports (or 21 unprivileged ones) inside the window is enough. Two placement notes: add-src-to-address-list is not a terminating action, so the packet that tripped it continues down the chain and it is the Blocked IP’s drop rule near the top that stops the scanner’s next packets; and the rule should sit below the LAN accept, so that a scan from inside (including your own nmap test) doesn’t earn you a two-week ban from your own router, and above the final drop, which would otherwise stop packets from ever reaching it.

/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="Blocked IP's" address-list-timeout=2w comment="Add Port scanners to Blocked List" disabled=no
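
To make those four numbers concrete, here is an added example (not code from the original post or from MikroTik) that scores a burst of probes the way the psd parameters describe. RouterOS does the real accounting in the kernel and the page does not document it, so the model is an assumption: scanlogd-style rules where, per source, each new destination port adds LowPortWeight (ports below 1024) or HighPortWeight (1024 and up) to a running score, a gap longer than DelayThreshold since that source’s previous packet resets the sequence, and the match fires once the score reaches WeightThreshold. The sample traffic and addresses are constructed.

```python
"""Scoring model for the RouterOS psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight match.

Added example, not code from the original post or from MikroTik. The real
accounting happens inside RouterOS; this model assumes scanlogd-style rules:
per source, each *new* destination port adds LowPortWeight (port < 1024) or
HighPortWeight (port >= 1024) to a running score, a gap longer than
DelayThreshold since that source's previous packet resets the sequence, and
the match fires once the score reaches WeightThreshold.
"""
from dataclasses import dataclass, field


@dataclass
class PsdParams:
    weight_threshold: int
    delay_threshold: float      # seconds
    low_port_weight: int        # weight of ports < 1024
    high_port_weight: int       # weight of ports >= 1024

    @classmethod
    def parse(cls, spec: str) -> "PsdParams":
        """Parse the RouterOS value syntax, e.g. '21,3s,3,1'."""
        weight, delay, low, high = (part.strip() for part in spec.split(","))
        if not delay.endswith("s"):
            raise ValueError("DelayThreshold must be given in seconds, e.g. '3s'")
        return cls(int(weight), float(delay[:-1]), int(low), int(high))


@dataclass
class _SourceState:
    score: int = 0
    last_seen: float = 0.0
    ports: set = field(default_factory=set)


def psd_triggers(params: PsdParams, packets) -> dict:
    """Replay (timestamp_seconds, src_ip, dst_port) tuples through the model.

    Returns {src_ip: timestamp} for every source that would match the psd
    rule, keyed to the packet that pushed its score over the threshold.
    """
    state: dict[str, _SourceState] = {}
    tripped: dict[str, float] = {}
    for ts, src, port in sorted(packets):
        s = state.setdefault(src, _SourceState())
        if s.ports and ts - s.last_seen > params.delay_threshold:
            s.score, s.ports = 0, set()          # too slow: a new sequence starts here
        s.last_seen = ts
        if port in s.ports:                      # repeat probes of a port add nothing
            continue
        s.ports.add(port)
        s.score += params.low_port_weight if port < 1024 else params.high_port_weight
        if s.score >= params.weight_threshold and src not in tripped:
            tripped[src] = ts
    return tripped


# Constructed sample traffic (not captured data). Timestamps are seconds.
SAMPLE = (
    # 203.0.113.10 sweeps seven privileged ports 100 ms apart
    [(i / 10, "203.0.113.10", p) for i, p in enumerate([21, 22, 23, 25, 53, 80, 110])]
    # 203.0.113.20 walks high ports, but only one every 10 s
    + [(10.0 * i, "203.0.113.20", 8000 + i) for i in range(30)]
    # 192.0.2.5 behaves like a normal client: https twice, then http
    + [(5.0, "192.0.2.5", 443), (5.2, "192.0.2.5", 443), (6.0, "192.0.2.5", 80)]
)

if __name__ == "__main__":
    params = PsdParams.parse("21,3s,3,1")
    for src, when in psd_triggers(params, SAMPLE).items():
        print(f"{src} would be added to the address list at t={when}s")
```

Running it with python3 shows the fast sweep of seven privileged ports tripping on its seventh packet, the slow high-port walk never accumulating because every gap exceeds 3 s, and the ordinary client topping out at a score of 4. That slow walker is the weakness of a short delay threshold: nmap’s -T1 and -T0 timing templates space probes 15 s or more apart, so they slip under psd entirely, while lowering the weights or raising the delay to catch them increases the risk of banning a legitimate client for two weeks.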

The following rules are optional and catch probes that psd alone may not flag: they key on TCP flag combinations that no legitimate client ever sends. Make sure they feed a list that a drop rule actually references, since a list nobody drops blocks nothing; on this page only Blocked IP’s is dropped. Like the psd rule they are non-terminating, so place them below the LAN accept and above the final drop in the input chain, and because they are in the input chain they only catch scans of the router itself, not of hosts behind it (duplicate them in the forward chain if you want that):

/ip firewall filter
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="Blocked IP's" address-list-timeout=2w comment="NMAP FIN Stealth scan (FIN alone, no ACK)"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="Blocked IP's" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="Blocked IP's" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="Blocked IP's" address-list-timeout=2w comment="FIN/PSH/URG (Xmas) scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="Blocked IP's" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="Blocked IP's" address-list-timeout=2w comment="NMAP NULL scan"
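
Reading these rules correctly requires knowing how RouterOS interprets a tcp-flags= value: flags listed bare must be set, flags prefixed with ! must be clear, and any flag not mentioned at all is ignored. The added example below (not code from the original post) implements that matching and runs the six rules above against flag sets constructed from nmap’s documented scan types (-sN sends no flags, -sF only FIN, -sX FIN+PSH+URG). The probe labels and flag sets are illustrations I constructed, not captured traffic.

```python
"""How RouterOS evaluates a tcp-flags= value against a TCP segment.

Added example, not code from the original post. Semantics modelled: a flag
listed bare must be set, a flag prefixed with '!' must be clear, and any
flag not mentioned is a wildcard. RouterOS also knows the ece and cwr flags;
they are left out because none of the page's rules use them. The probe flag
sets are constructed from nmap's scan types, not captured traffic.
"""
FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")


def parse_tcp_flags(spec: str):
    """Split a tcp-flags= value into (must_be_set, must_be_clear) frozensets."""
    must_set, must_clear = set(), set()
    for token in spec.split(","):
        token = token.strip().lower()
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name not in FLAGS:
            raise ValueError(f"unknown TCP flag {name!r} in {spec!r}")
        (must_clear if negated else must_set).add(name)
    if must_set & must_clear:
        raise ValueError(f"a flag is both required and forbidden in {spec!r}")
    return frozenset(must_set), frozenset(must_clear)


def tcp_flags_match(spec: str, packet_flags) -> bool:
    """True if a segment carrying exactly `packet_flags` matches `spec`."""
    present = frozenset(f.lower() for f in packet_flags)
    must_set, must_clear = parse_tcp_flags(spec)
    return must_set <= present and not (must_clear & present)


# The six detection rules from the post: rule comment -> tcp-flags value.
RULES = {
    "NMAP FIN Stealth scan": "fin,!syn,!rst,!psh,!ack,!urg",
    "SYN/FIN scan": "fin,syn",
    "SYN/RST scan": "syn,rst",
    "FIN/PSH/URG scan": "fin,psh,urg,!syn,!rst,!ack",
    "ALL/ALL scan": "fin,syn,rst,psh,ack,urg",
    "NMAP NULL scan": "!fin,!syn,!rst,!psh,!ack,!urg",
}

# Constructed probe flag sets (labels are mine, not from the post).
PROBES = {
    "nmap -sN (NULL)": set(),
    "nmap -sF (FIN)": {"fin"},
    "nmap -sX (Xmas)": {"fin", "psh", "urg"},
    "nmap -sS / ordinary connect (SYN)": {"syn"},
    "established data segment (PSH/ACK)": {"psh", "ack"},
    "all six flags set": set(FLAGS),
}


def matching_rules(packet_flags) -> list:
    """Names of the post's rules that a segment with these flags would trip."""
    return [name for name, spec in RULES.items() if tcp_flags_match(spec, packet_flags)]


def detection_report() -> dict:
    """Map every constructed probe to the rules it trips ([] = passes unnoticed)."""
    return {probe: matching_rules(flags) for probe, flags in PROBES.items()}


if __name__ == "__main__":
    for probe, hits in detection_report().items():
        print(f"{probe:38s} -> {hits or 'no rule matched'}")
```

The report shows why the FIN rule spells out five negations while the SYN/FIN rule lists only two flags: unlisted flags are wildcards, so fin,syn also matches the all-flags probe (which trips three rules at once), whereas a bare fin would have matched every ordinary FIN/ACK teardown segment and banned your legitimate clients. A normal SYN or PSH/ACK segment matches none of the six.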

I’ll follow this article up with the ports we may want to allow to get past the router. Thanks!

This entry was posted in Security.