System Error Message
Part of the Furniture
I've managed to compile a list of basic firewall rules for home use. This implements an automatic blacklist feature. Feel free to ask for more firewall configs or suggest improvements. I've also tried to make the config lean for performance. The order of rules is important within the same chain. I will add other configs on request. You can also use this example with other routers such as Ubiquiti and iptables, but it is not a copy and paste for them.
To use this you will first need to define a few things.
Address lists
- DNS (IP addresses you use for DNS and NTP, such as 8.8.8.8)
- Networked (LAN IP addresses you whitelist, such as 192.168.88.0/24)
- LAN interface (it's just the name of the LAN interface in /interfaces)
- WAN interface (name of the WAN interface in /interfaces)
- assuming the router's IP is 192.168.88.1
For /filters,
note: XI marks disabled rules; these are for alternative use if you want even more security, but they can cause problems. New rules have been added; you may need to add exceptions for output for other services too, or instead of IP-based filtering you can go port-based by using the interface instead. Some of these rules can be applied in mangle instead.
;;; drop packets that do not belong to a tracked connection
chain=input action=drop connection-state=invalid
chain=output action=drop connection-state=invalid
chain=forward action=drop connection-state=invalid
;;; allow MACwinbox (you may want to add the in-interface)
chain=services action=accept protocol=udp dst-port=20561
;;; Allow DNS,NTP
chain=input action=accept protocol=udp src-address-list=DNS src-port=53,123
chain=output action=accept protocol=udp dst-address-list=DNS dst-port=53,123
chain=input action=accept protocol=tcp src-address-list=DNS src-port=53,123
chain=output action=accept protocol=tcp dst-address-list=DNS dst-port=53,123
;;; hold hackers
chain=input action=tarpit protocol=tcp src-address-list=invalid
chain=input action=drop src-address-list=invalid
chain=output action=drop src-address-list=invalid
chain=forward action=drop dst-address-list=invalid
chain=forward action=drop src-address-list=invalid
;;; Accept PPTP connections (change to the vpn port and protocol used)
chain=input action=accept protocol=tcp dst-port=1723
chain=output action=accept protocol=tcp src-port=1723
;;; Record attempted hackers
chain=input action=add-src-to-address-list src-address-list=!Networked address-list=invalid address-list-timeout=0s
;;; Accept LAN input
chain=input action=accept src-address-list=Networked
chain=output action=accept dst-address-list=Networked
XI ;;; Add output IP to whitelist for 3s
chain=forward action=add-dst-to-address-list address-list=proxy address-list-timeout=3s out-interface=WAN
XI ;;; accept input from output whitelist
chain=forward action=accept src-address-list=proxy
XI ;;; drop everything else
chain=forward action=drop
XI ;;; drop unauthorised output
chain=output action=drop dst-address-list=!Networked
;;; tarpit any remaining TCP connections
chain=input action=tarpit protocol=tcp
;;; drop everything else
chain=input action=drop
chain=output action=drop
Mangle rules (used for filter)
If you want to use mangle for QoS, mark packets in mangle and you can use those marked packets in filters too. I cannot give QoS examples because of my network.
;;; Packets from WAN
chain=forward action=add-src-to-address-list address-list=External address-list-timeout=1d in-interface=WAN
;;; Packets from LAN
chain=forward action=add-src-to-address-list address-list=Internal address-list-timeout=1d in-interface=LAN
NAT (requires connection tracking)
note: You may need to add an out-interface if needed.
;;; Perform NAT
chain=srcnat action=masquerade src-address-list=Networked dst-address-list=!Networked
Hijacking rules, for proxy and other services.
If your proxy/DNS/NTP server isn't the router itself you can use the dst-nat action for the hijacking to set the server, but you will then need to add an exception for it before the hijacking rules.
;;; hijack NTP
chain=dstnat action=redirect to-ports=123 protocol=udp dst-port=123 dst-address=!Networked
;;; hijack dns
chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 dst-address=!Networked
;;; hijack dns
chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 dst-address=!Networked
;;; transparent proxy, assuming port 8080
chain=dstnat action=redirect to-ports=8080 protocol=tcp src-address=Networked dst-address=!Networked
chain=dstnat action=redirect to-ports=8080 protocol=udp src-address=Networked dst-address=!Networked
;;; exception for an external proxy/DNS/NTP server (replace "server" with its address; goes before the hijack rules)
chain=dstnat src-address=server dst-address=!Networked action=accept
For multicore systems, under System > Resources > IRQ you can assign some functionality to a specific core. The first core is 0. Some settings can be changed under IP > Settings, which shows some settings for TCP and other things and shows whether acceleration is enabled.
If you need to access some of your internal services from outside, do it through VPN using the router as a VPN server (hence the accept PPTP rule; disable it if you aren't using VPN, or change it to the port you use) so it requires config and authentication, something that some services which expose it aren't secured with, such as the Nissan car vulnerability or being able to bypass CCTV server authentication. If you do want to host a server (such as a public web or game server) then there are clear enough port forwarding rules on the MikroTik wiki.
Edit: updated rules
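A small first-match simulator of the input chain, added here as an example and not part of the post or of RouterOS: it models only the matchers those rules use (connection-state, protocol, ports, address lists with ! negation), treats add-src-to-address-list as non-terminating the way RouterOS does, and runs constructed address lists and packets through the chain to show how the automatic "invalid" list fills up and why the order of rules within a chain matters.

```python
# Added example (not RouterOS code): first-match simulator for the input chain above,
# modelling only the matchers those rules use. List contents and packets are constructed.
from ipaddress import ip_address, ip_network
INPUT_CHAIN = [  # the post's input rules in original order; XI (disabled) rules omitted
    "chain=input action=drop connection-state=invalid",
    "chain=input action=accept protocol=udp src-address-list=DNS src-port=53,123",
    "chain=input action=accept protocol=tcp src-address-list=DNS src-port=53,123",
    "chain=input action=tarpit protocol=tcp src-address-list=invalid",
    "chain=input action=drop src-address-list=invalid",
    "chain=input action=accept protocol=tcp dst-port=1723",
    "chain=input action=add-src-to-address-list src-address-list=!Networked address-list=invalid address-list-timeout=0s",
    "chain=input action=accept src-address-list=Networked",
    "chain=input action=tarpit protocol=tcp",
    "chain=input action=drop",
]
# Same rules with the blacklist checks moved above the DNS accepts (a misordering)
MISORDERED = INPUT_CHAIN[3:5] + INPUT_CHAIN[:3] + INPUT_CHAIN[5:]
def in_list(lists, spec, addr):  # address-list matcher; a leading '!' negates
    hit = any(ip_address(addr) in ip_network(n) for n in lists.get(spec.lstrip("!"), []))
    return hit != spec.startswith("!")
MATCHERS = {  # rule key -> predicate(value, packet, lists); other keys are not matchers
    "src-address-list": lambda v, p, al: in_list(al, v, p["src"]),
    "src-port": lambda v, p, al: str(p["src-port"]) in v.split(","),
    "dst-port": lambda v, p, al: str(p["dst-port"]) in v.split(","),
    "protocol": lambda v, p, al: p["protocol"] == v,
    "connection-state": lambda v, p, al: p["connection-state"] == v,
}
def packet(src, protocol, src_port, dst_port, state="new"):
    return {"src": src, "protocol": protocol, "src-port": src_port,
            "dst-port": dst_port, "connection-state": state}
def evaluate(pkt, lists, chain=INPUT_CHAIN):
    """Top-down first match -> (action, 1-based rule number). add-src-to-address-list
    is non-terminating in RouterOS: it records the source and evaluation continues."""
    for num, raw in enumerate(chain, 1):
        rule = dict(kv.split("=", 1) for kv in raw.split())
        if not all(fn(rule[k], pkt, lists) for k, fn in MATCHERS.items() if k in rule):
            continue
        if rule["action"] == "add-src-to-address-list":
            lists.setdefault(rule["address-list"], []).append(pkt["src"])
            continue
        return rule["action"], num
    return "accept", 0  # nothing matched: RouterOS default policy is accept
def demo(chain=INPUT_CHAIN):
    lists = {"DNS": ["8.8.8.8"], "Networked": ["192.168.88.0/24"], "invalid": []}
    out = {"lan": evaluate(packet("192.168.88.10", "tcp", 40000, 8291), lists, chain)}
    probe = packet("203.0.113.5", "tcp", 40000, 22)  # constructed unsolicited WAN packet
    out["probe1"], out["probe2"] = evaluate(probe, lists, chain), evaluate(probe, lists, chain)
    evaluate(packet("8.8.8.8", "tcp", 40000, 443), lists, chain)  # stray packet puts the DNS server in 'invalid'
    out["dns"] = evaluate(packet("8.8.8.8", "udp", 53, 40001, "established"), lists, chain)
    return out
```

With the posted order the DNS reply is still accepted at rule 2 even after 8.8.8.8 lands in "invalid" permanently (timeout 0s), whereas `demo(MISORDERED)` shows the same reply being dropped once the blacklist checks sit above the DNS accepts.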