
X86 RouterOS 7.18 Setup Notes 3: Firewall Setup (IPv4)

X86 J4125 4-port mini PC tinkering notes 5: Installing RouterOS on PVE
X86 RouterOS 7.18 Setup Notes 1: Basic Setup
X86 RouterOS 7.18 Setup Notes 2: Basic Network Setup (IPv4)
X86 RouterOS 7.18 Setup Notes 3: Firewall Setup (IPv4)
X86 RouterOS 7.18 Setup Notes 4: Network Setup (IPv6)
X86 RouterOS 7.18 Setup Notes 5: Firewall Setup (IPv6)
X86 RouterOS 7.18 Setup Notes 6: Port Forwarding (IPv4, IPv6) and the NAT Hairpin (Loopback) Problem
X86 RouterOS 7.18 Setup Notes 7: Port Forwarding Without UPnP
X86 RouterOS 7.18 Setup Notes 8: Policy Routing and DNS Hijacking
X86 RouterOS 7.18 Setup Notes 9: Shanghai Telecom Single-Line IPTV Setup
X86 RouterOS 7.18 Setup Notes 10: Shanghai Telecom IPTV, Multicast-to-Unicast with msd_lite

Contents

  • Goals
  • Firewall setup
    • Add address lists
    • Redirect LAN DNS queries not aimed at the local DNS servers to the router (optional)
    • Add rules

Goals

- Set up a default IPv4 firewall rule set, based on MikroTik's defconf rules, plus the address lists and extra rules this setup needs for the modem, DNS redirection and scanner blocking

Firewall setup

Add address lists

```
/ip firewall address-list add address=192.168.1.1 comment="local moden ipv4" list=local_moden_ipv4
/ip firewall address-list add address=192.168.0.0/24 comment="local LAN ipv4" list=local_LAN_ipv4

/ip firewall address-list add address=192.168.0.1 comment="local DNS ipv4" list=local_DNS_ipv4
/ip firewall address-list add address=192.168.0.5 comment="local DNS ipv4" list=local_DNS_ipv4

/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4

/ip firewall address-list add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
/ip firewall address-list add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
/ip firewall address-list add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4

/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4

/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4

/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
```

`local_moden_ipv4`, `local_LAN_ipv4` and `local_DNS_ipv4` describe the router's own neighbourhood: the modem (ONT) at 192.168.1.1, the LAN prefix, and the two resolvers the DNS redirection below exempts. The remaining lists are the RFC 6890 special-purpose ranges from MikroTik's default-configuration script, where they back `/ip firewall raw` prerouting rules. Only `no_forward_ipv4` is referenced by a rule in this note; `bad_ipv4`, `not_global_ipv4`, `bad_src_ipv4` and `bad_dst_ipv4` do nothing until you attach them to a filter or raw rule. Before doing that, note that `not_global_ipv4` covers 192.168.0.0/16, which includes this LAN and the modem address, and 100.64.0.0/10, the range a CGNAT WAN address lands in; dropping on that list in the wrong chain locks you out.
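Before wiring any of these lists into a drop rule it is worth checking that none of them covers an address the router itself needs. The script below is an added example for this note, not MikroTik code: it holds the list contents above as data and reports which entries overlap the LAN, modem and DNS addresses defined at the top of the block. The CGNAT probe address (100.64.1.1) is an assumption for the example; nothing on this page says what the WAN address is.

```python
"""Check RouterOS drop lists against the addresses this router must keep reachable.
Added example for this note (not MikroTik code): list contents are copied from the
address-list commands above; the CGNAT probe address below is an assumption."""
import ipaddress

# Bogon / special-purpose lists as defined on this page (RFC 6890 ranges).
DROP_LISTS = {
    "no_forward_ipv4": ["0.0.0.0/8", "169.254.0.0/16", "255.255.255.255", "224.0.0.0/4"],
    "bad_ipv4": ["127.0.0.0/8", "192.0.0.0/24", "192.0.2.0/24", "198.51.100.0/24",
                 "203.0.113.0/24", "240.0.0.0/4"],
    "not_global_ipv4": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
                        "172.16.0.0/12", "192.0.0.0/29", "192.168.0.0/16",
                        "198.18.0.0/15", "255.255.255.255"],
    "bad_src_ipv4": ["255.255.255.255", "224.0.0.0/4"],
    "bad_dst_ipv4": ["0.0.0.0/8", "224.0.0.0/4"],
}
# Addresses the router itself relies on, from the local_* lists above.
LOCAL_PREFIXES = {
    "local_LAN_ipv4": "192.168.0.0/24",
    "local_moden_ipv4": "192.168.1.1",
    "local_DNS_ipv4": "192.168.0.5",
}


def networks(entries):
    """RouterOS accepts bare hosts in address lists; treat them as /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def list_overlaps(list_name, local_prefixes=LOCAL_PREFIXES):
    """(entry, local_name) pairs where a drop-list entry intersects a local prefix."""
    hits = []
    for entry in networks(DROP_LISTS[list_name]):
        for name, local in local_prefixes.items():
            if entry.overlaps(ipaddress.ip_network(local, strict=False)):
                hits.append((str(entry), name))
    return hits


def safe_to_drop(list_name, local_prefixes=LOCAL_PREFIXES):
    """True when no entry in the list touches any local prefix."""
    return not list_overlaps(list_name, local_prefixes)


def lists_containing(address):
    """Names of the drop lists that would match this address as src or dst."""
    ip = ipaddress.ip_address(address)
    return sorted(name for name, entries in DROP_LISTS.items()
                  if any(ip in net for net in networks(entries)))


if __name__ == "__main__":
    for name in DROP_LISTS:
        print(f"{name:16s}", "ok" if safe_to_drop(name) else f"OVERLAPS {list_overlaps(name)}")
    # Assumed CGNAT WAN address (not on this page): falls inside not_global_ipv4.
    print("100.64.1.1 ->", lists_containing("100.64.1.1"))
```

Run it after editing the local prefixes to match your own network (add the WAN address once you know it); every list that reports `ok` can safely sit behind a drop rule, while `not_global_ipv4` reports the 192.168.0.0/16 overlap and is only usable in a chain where your own LAN traffic never appears as the matched side.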

Redirect LAN DNS queries not aimed at the local DNS servers to the router (optional)

These two dstnat rules rewrite any port-53 query arriving from the LAN interface list whose destination is not in `local_DNS_ipv4` so that it goes to the router's own resolver at 192.168.0.1. That catches devices with a hard-coded public resolver, but only for plain DNS: DNS-over-TLS (TCP 853) and DNS-over-HTTPS (TCP 443) are not touched. Queries to 192.168.0.5, the second entry in `local_DNS_ipv4`, pass through unchanged.

```
/ip firewall nat add action=dst-nat chain=dstnat comment="lanconf: DNS dstnat to DNS Server(UDP)" dst-address-list=!local_DNS_ipv4 dst-port=53 in-interface-list=LAN protocol=udp to-addresses=192.168.0.1 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat comment="lanconf: DNS dstnat to DNS Server(TCP)" dst-address-list=!local_DNS_ipv4 dst-port=53 in-interface-list=LAN protocol=tcp to-addresses=192.168.0.1 to-ports=53
```

Add rules

```
# accept established, related and untracked input
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# drop invalid input
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# accept ICMP from the LAN
/ip firewall filter add action=accept chain=input comment="defconf: accept icmp from lan" in-interface-list=LAN protocol=icmp
# accept IGMP input (no interface restriction)
/ip firewall filter add action=accept chain=input comment="defconf: accept igmp" protocol=igmp
# drop all input not coming from the LAN
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from lan" in-interface-list=!LAN
# accept inbound IPsec-policy traffic in the forward chain
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
# accept outbound IPsec-policy traffic in the forward chain
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# FastTrack established/related connections (hw-offload=no on this x86 box)
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=no
# accept established, related and untracked forward traffic
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# drop invalid forward traffic
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# drop new connections from the WAN that were not DNATed (logged)
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
# same for the modem (ONT) interface; the MODEN interface list exists so the ONT can be reached from the LAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from Moden not dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=MODEN log=yes log-prefix="[fw_modem-not-dnat]"
# drop input from the WAN whose source is in the BlockIP list
/ip firewall filter add action=drop chain=input comment="block ip" in-interface-list=WAN src-address-list=BlockIP
# add WAN sources sending TCP RST to any port other than 53/853 (port-scan detection) to BlockIP for one week
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=tcp psd=21,5s,3,1 tcp-flags=rst
# same for TCP SYN
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=tcp psd=21,5s,3,1 tcp-flags=syn
# same for UDP
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=udp psd=21,5s,3,1
# drop forward traffic whose source is in no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
# drop forward traffic whose destination is in no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
```

A few things to check before pasting this in.

Rule order. Each chain is evaluated top-down and the first terminating rule wins. In the order above, the `block ip` drop and the three `add-src-to-address-list` rules land in the input chain after `defconf: drop all not coming from lan`, which already drops every packet that did not arrive from the LAN list, so they never see WAN traffic and `BlockIP` never fills. For them to do anything, move them above that catch-all (`/ip firewall filter move` in the CLI, or drag them in Winbox), keeping `block ip` first so that a listed source is dropped before the PSD rules re-evaluate it. The `dst-port=!53,853` exemption only matters if some other input rule accepts those ports from the WAN; nothing in this note does.

IGMP. Unlike ICMP, the `accept igmp` rule has no interface restriction, presumably for the IPTV multicast setup in the later notes; it also means IGMP from the WAN reaches the router.

FastTrack. `fasttrack-connection` does not accept the packet itself; the `accept established,related,untracked` rule right after it does. Once a connection is fasttracked its packets skip the rest of filter, mangle and queue processing, so any rule placed after it only ever sees new connections.

Logging. Both `drop all from WAN not dstnat` and the modem variant have `log=yes`, so every unsolicited connection attempt from the Internet is written to the log. On a public address that is a steady stream of scanner noise; keep it while verifying the setup, then remove `log=yes` or ship the `firewall` topic to a remote syslog with `/system logging` instead of filling the in-memory log.
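To see how the rule order actually behaves, here is an added Python example (not MikroTik code and not part of the original note) that parses the NAT and filter commands exactly as written, walks a chain top-down the way RouterOS does, and reports the rule that terminates a constructed packet. It serves both the DNS redirection section and the filter rules above. The scanner and WAN addresses it uses (203.0.113.7, 198.51.100.2) are documentation ranges chosen for the example, the address-list contents are the ones defined in this note, and `psd`, which needs several packets over time, is treated as already triggered, so the PSD rules match whenever evaluation reaches them.

```python
"""Offline first-match walk of this note's NAT and filter rules (added example, not MikroTik code).
The rules are the page's commands verbatim; packets and address-list contents are constructed here.
`psd` is stateful and is treated as already triggered, so PSD rules match whenever reached."""
import ipaddress
import shlex

RULES_TEXT = r'''
/ip firewall nat add action=dst-nat chain=dstnat comment="lanconf: DNS dstnat to DNS Server(UDP)" dst-address-list=!local_DNS_ipv4 dst-port=53 in-interface-list=LAN protocol=udp to-addresses=192.168.0.1 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat comment="lanconf: DNS dstnat to DNS Server(TCP)" dst-address-list=!local_DNS_ipv4 dst-port=53 in-interface-list=LAN protocol=tcp to-addresses=192.168.0.1 to-ports=53
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept icmp from lan" in-interface-list=LAN protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept igmp" protocol=igmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from lan" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=no
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from Moden not dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=MODEN log=yes log-prefix="[fw_modem-not-dnat]"
/ip firewall filter add action=drop chain=input comment="block ip" in-interface-list=WAN src-address-list=BlockIP
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=tcp psd=21,5s,3,1 tcp-flags=rst
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=tcp psd=21,5s,3,1 tcp-flags=syn
/ip firewall filter add action=add-src-to-address-list address-list=BlockIP address-list-timeout=1w chain=input comment="other port from wan to block" dst-port=!53,853 in-interface-list=WAN protocol=udp psd=21,5s,3,1
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
'''
# Lists the rules reference (entries copied from this note); BlockIP is dynamic and starts empty.
ADDRESS_LISTS = {"local_DNS_ipv4": ["192.168.0.1", "192.168.0.5"], "BlockIP": [],
                 "no_forward_ipv4": ["0.0.0.0/8", "169.254.0.0/16", "255.255.255.255", "224.0.0.0/4"]}
# Keys that are not packet matchers: actions, logging, NAT targets, the psd window, hw-offload.
IGNORED = {"table", "chain", "action", "comment", "log", "log-prefix", "address-list",
           "address-list-timeout", "hw-offload", "to-addresses", "to-ports", "psd"}
MATCHERS = {
    "in-interface-list": lambda v, p: p["iface"] == v,
    "protocol": lambda v, p: p["proto"] == v,
    "dst-port": lambda v, p: str(p["dport"]) in v.split(","),
    "connection-state": lambda v, p: p["cstate"] in v.split(","),
    "connection-nat-state": lambda v, p: p["nat_state"] == v,
    "tcp-flags": lambda v, p: v in p["flags"],
    "ipsec-policy": lambda v, p: p["ipsec"],
}
TERMINAL = {"accept", "drop", "reject", "dst-nat"}

def parse_rules(text=RULES_TEXT):
    """'/ip firewall <table> add k=v ...' lines -> ordered list of dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["/ip", "firewall"] or tok[3] != "add":
            raise ValueError(f"not a firewall add command: {line}")
        rules.append(dict([("table", tok[2])] + [t.partition("=")[::2] for t in tok[4:]]))
    return rules

def fresh_lists():
    return {name: list(entries) for name, entries in ADDRESS_LISTS.items()}

def in_list(addr, name, lists):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(e, strict=False) for e in lists[name])

def packet(iface, proto, src, dst, dport=0, cstate="new", nat_state="", flags=(), ipsec=False):
    return dict(iface=iface, proto=proto, src=src, dst=dst, dport=dport,
                cstate=cstate, nat_state=nat_state, flags=set(flags), ipsec=ipsec)

def matches(rule, pkt, lists):
    """Every matcher must hold; a leading '!' negates that matcher, as in RouterOS."""
    for key, raw in rule.items():
        if key in IGNORED:
            continue
        val, neg = (raw[1:], True) if raw.startswith("!") else (raw, False)
        if key in ("src-address-list", "dst-address-list"):
            hit = in_list(pkt[key[:3]], val, lists)  # key[:3] is "src" or "dst"
        else:
            hit = MATCHERS[key](val, pkt)  # KeyError = matcher this model does not cover
        if hit == neg:
            return False
    return True

def evaluate(chain, pkt, rules, lists):
    """Walk `chain` top-down and return (comment, action) of the terminating rule.
    add-src-to-address-list and fasttrack-connection let the packet continue; an unmatched chain ends in RouterOS's default accept."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt, lists):
            continue
        if rule["action"] == "add-src-to-address-list":
            lists[rule["address-list"]].append(pkt["src"])
        elif rule["action"] in TERMINAL:
            return rule["comment"], rule["action"]
    return "(end of chain)", "accept"

def move_to_end(rules, comment):
    """What `/ip firewall filter move` would do: put one rule last in its chain."""
    rule = next(r for r in rules if r["comment"] == comment)
    return [r for r in rules if r is not rule] + [rule]

if __name__ == "__main__":
    rules, lists = parse_rules(), fresh_lists()
    scan = packet("WAN", "tcp", "203.0.113.7", "198.51.100.2", 445, flags={"syn"})  # documentation addresses
    print("as written:", evaluate("input", scan, rules, lists), "BlockIP =", lists["BlockIP"])
    fixed = move_to_end(rules, "defconf: drop all not coming from lan")
    print("catch-all moved last:", evaluate("input", scan, fixed, lists), "BlockIP =", lists["BlockIP"])
    print("repeat offender:", evaluate("input", scan, fixed, lists))
```

Run as written, the WAN SYN probe terminates at `defconf: drop all not coming from lan` and `BlockIP` stays empty, which is the shadowing problem noted above; with that rule moved last, the same probe is recorded in `BlockIP` and its next packet is dropped by `block ip`. Probing the `dstnat` chain shows a LAN query to 8.8.8.8:53 being rewritten while a query to 192.168.0.5 or DNS-over-TLS on port 853 passes unchanged, and a new WAN connection in the forward chain is dropped unless its connection carries the `dstnat` state from a port-forward.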
