
Firewall - NAT and Filter rules

Posted: 04 Feb 2010 16:11
by jarapa
I have the following problem:
In Filter rules I have rules for who may get in where and when - that, I hope, works OK. Then I have some rules in NAT - port forwarding to specific IPs, e.g. to FTP

chain=dstnat action=dst-nat to-addresses=10.0.11.11 to-ports=21 protocol=tcp in-interface=Inet dst-port=21


But as I found out, even though access is denied in the Filter, it is still possible to get into the network through these specific ports. It can be fixed by putting e.g. src-address-list=pristupIP into this rule, but then the whole filter loses its point.

Can anyone suggest a solution?

Thanks

Re: Firewall - NAT and Filter rules

Posted: 04 Feb 2010 16:44
by hapi
dst-nat is performed on entry to the router, before the packet reaches the filter. So whatever dst-nat did to it is what applies in the filter. Clear? Simply, dst-nat runs first and only then the filter, so in the filter you have to reckon with the modified packet that dst-nat rewrote.

Re: Firewall - NAT and Filter rules

Posted: 04 Feb 2010 16:53
by jarapa
hapi wrote: dst-nat is performed on entry to the router, before the packet reaches the filter. So whatever dst-nat did to it is what applies in the filter. Clear? Simply, dst-nat runs first and only then the filter, so in the filter you have to reckon with the modified packet that dst-nat rewrote.


OK.. if I understand correctly - then the new address is the IP of this router that does the NAT, and that is why the rules don't apply as they do for the others from the net. I expected that - is there some trick to get around it so that this redirect is performed only after the filter?

Re: Firewall - NAT and Filter rules

Posted: 04 Feb 2010 17:50
by hapi
the new destination address is 10.0.11.11. And in the filter you can restrict the packet by src address. The filter can't be put before dst-nat, and it isn't even necessary; in fact it is completely logical why it works that way.

Re: Firewall - NAT and Filter rules

Posted: 04 Feb 2010 22:42
by jarapa
hapi wrote: the new destination address is 10.0.11.11. And in the filter you can restrict the packet by src address. The filter can't be put before dst-nat, and it isn't even necessary; in fact it is completely logical why it works that way.


And that is exactly what doesn't work for me. Even though I have the rule:

chain=services action=accept protocol=tcp src-address-list=pristup dst-port=21


it gets through... I mean those who are not in the pristup address list get through

Re: Firewall - NAT and Filter rules

Posted: 05 Feb 2010 01:28
by hapi
give more details, you have a chain made by hand and anything can fall into it. Not enough information.

Re: Firewall - NAT and Filter rules

Posted: 05 Feb 2010 10:02
by jarapa
This is what my whole filter looks like:
# feb/05/2010 09:57:27 by RouterOS 3.30
# software id = DUE9-7GDT
#
/ip firewall filter
add action=jump chain=input comment="Port scanners" disabled=no jump-target="port scaning"
add action=add-src-to-address-list address-list=knock address-list-timeout=15s chain=input comment=Knock disabled=no dst-port=782 protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=1h chain=input comment="" disabled=no dst-port=53 protocol=tcp src-address-list=knock
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no src-address-list=!10.0.0.0/8
add action=accept chain=input comment=UDP disabled=yes protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=yes limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=yes protocol=icmp
add action=accept chain=input comment="SSH for secure shell" disabled=yes dst-port=22 protocol=tcp
add action=accept chain=input comment=winbox disabled=no dst-port=8291-8296 protocol=tcp
add action=accept chain=input comment="Allow access to router from known network" disabled=no src-address-list=safe
add action=accept chain=input comment="From Mikrotiks network" disabled=no src-address=159.148.172.192/28
add action=accept chain=input comment="From our private LAN - " disabled=no src-address=10.0.1.0/24
add action=accept chain=input comment="From our private LAN - " disabled=no src-address=10.0.3.0/24
add action=accept chain=input comment="From our private LAN - " disabled=no src-address=10.0.5.0/24
add action=accept chain=input comment="From our private LAN - " disabled=no src-address=10.0.10.0/24
add action=accept chain=input comment="From our private LAN - " disabled=no src-address=10.0.11.0/24
add action=accept chain=input comment="From our private LAN - Bridge " disabled=no src-address=10.0.20.0/24
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=no dst-address-type=broadcast
add action=jump chain=input comment="jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump to chain viruses" disabled=no jump-target=virus
add action=jump chain=input comment="jump to chain services" disabled=no jump-target=services
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 disabled=no protocol=tcp
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 disabled=no protocol=tcp src-address-list=black_list
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="Filter 1:"
add action=log chain=input comment="Log everything else" disabled=no log-prefix="Filter 2:"
add action=drop chain=input comment="drop everything else - tady to chce vyladit" disabled=no
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scaning" comment="Port scanners to list " disabled=no protocol=tcp psd=21,3s,3,1 src-address-list=!BOGONS
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scaning" comment="NMAP FIN Stealth scan" disabled=no protocol=tcp src-address-list=!BOGONS tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scaning" comment="SYN/FIN scan" disabled=no protocol=tcp src-address-list=!BOGONS tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scaning" comment="SYN/RST scan" disabled=no protocol=tcp src-address-list=!BOGONS tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scaning" comment="FIN/PSH/URG scan" disabled=no protocol=tcp src-address-list=!BOGONS tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scaning" comment="ALL/ALL scan" disabled=no protocol=tcp src-address-list=!BOGONS tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scaning" comment="NMAP NULL scan" disabled=no protocol=tcp src-address-list=!BOGONS tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain="port scaning" comment="dropping port scanners" disabled=no src-address-list="port scanners"
add action=return chain="port scaning" comment="" disabled=no
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=return chain=virus comment="Kontrola a n\E1vrat z vir\F9" disabled=no
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no protocol=icmp
add action=return chain=ICMP comment="Jen ze slu\9Anosti" disabled=no
add action=accept chain=services comment="accept localhost" disabled=no dst-address=127.0.0.1 src-address-list=127.0.0.1
add action=accept chain=services comment="allow MACwinbox " disabled=no dst-port=20561 protocol=udp
add action=accept chain=services comment="Bandwidth server" disabled=yes dst-port=2000 protocol=tcp
add action=accept chain=services comment=" MT Discovery Protocol" disabled=yes dst-port=5678 protocol=udp
add action=accept chain=services comment="allow SNMP" disabled=yes dst-port=161 protocol=tcp
add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add action=accept chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 protocol=udp
add action=accept chain=services comment="Allow NTP" disabled=yes dst-port=123 protocol=udp
add action=accept chain=services comment="Allow PPTP" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=yes protocol=gre
add action=accept chain=services comment="allow DNS request" disabled=yes dst-port=53 protocol=tcp
add action=accept chain=services comment="Allow DNS request" disabled=yes dst-port=53 protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=yes dst-port=67-68 protocol=udp
add action=accept chain=services comment="allow Web Proxy - tudy proud\ED virusy" disabled=yes dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow Web Proxy - pouze z dovolen\FDch IP" disabled=no dst-port=8080 protocol=tcp src-address-list=www_pristup
add action=accept chain=services comment="allow FTP - pouze z dovolen\FDch IP" disabled=no dst-port=21 protocol=tcp src-address-list=www_pristup
add action=accept chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add action=accept chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" disabled=yes dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-ah
add action=accept chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=yes protocol=ospf
add action=return chain=services comment=Kontrola disabled=no

Parts are copied from the Mikrotik Wiki pages.
Hopefully that is enough. Thanks for the help
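The following is an added model of the packet path hapi describes (dst-nat first, filter second); it is not code from this thread or from MikroTik. It parses rules written in the same `add key=value ...` form as the export above and walks them the way RouterOS does: prerouting dst-nat rewrites the destination, the routing decision then sends a packet addressed to a LAN host through chain=forward rather than chain=input, and a chain that falls through to the bottom is accepted. The rule subset mirrors the shape of the posted filter (the FTP accept sits in a chain reached only from chain=input, and chain=forward has no port restriction); the router addresses, the outside source addresses and the list membership are constructed, and the extra chain=forward rule is a mitigation suggested here, not something from the thread.

```python
"""Model of the RouterOS packet path: prerouting dst-nat, routing decision,
then the filter chain that the (already rewritten) packet belongs to."""
import shlex
from dataclasses import dataclass, replace

# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
ROUTER_ADDRESSES = {"203.0.113.1", "10.0.11.1"}    # the router's own interface IPs
ADDRESS_LISTS = {"www_pristup": {"192.0.2.10"}}     # the allowed-FTP list from the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_iface: str = "Inet"


MATCHERS = {"protocol", "dst-port", "src-address-list", "dst-address", "in-interface"}
NON_MATCHERS = {"action", "chain", "comment", "disabled", "jump-target",
                "to-addresses", "to-ports"}


def parse_rule(line: str) -> dict:
    """Turn one `add key=value ...` line into a dict. Keys the model cannot
    evaluate are rejected, so a rule never silently matches more than intended."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError(f"not a rule line: {line!r}")
    rule = dict(tok.partition("=")[::2] for tok in tokens[1:])
    unknown = set(rule) - MATCHERS - NON_MATCHERS
    if unknown:
        raise ValueError(f"unsupported matcher(s) {sorted(unknown)} in {line!r}")
    return rule


def _port_in(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")            # "21" or "135-139"
    return int(lo) <= port <= int(hi or lo)


def matches(rule: dict, pkt: Packet) -> bool:
    if "protocol" in rule and rule["protocol"] != pkt.proto:
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt.in_iface:
        return False
    if "dst-address" in rule and rule["dst-address"] != pkt.dst:   # exact IP only
        return False
    if "dst-port" in rule and not _port_in(rule["dst-port"], pkt.dport):
        return False
    if "src-address-list" in rule:
        name = rule["src-address-list"]
        negated = name.startswith("!")        # "!list" matches non-members
        member = pkt.src in ADDRESS_LISTS.get(name.lstrip("!"), set())
        if member == negated:
            return False
    return True


def run_chain(rules: list, chain: str, pkt: Packet):
    """Walk one chain top to bottom, following jump/return like RouterOS.
    Returns 'accept' or 'drop', or None when the chain falls through."""
    for rule in rules:
        if rule["chain"] != chain or rule.get("disabled") == "yes" or not matches(rule, pkt):
            continue
        action = rule["action"]
        if action in ("accept", "drop"):
            return action
        if action == "return":
            return None
        if action == "jump":
            verdict = run_chain(rules, rule["jump-target"], pkt)
            if verdict is not None:           # the jumped-to chain decided the packet
                return verdict
        # other actions (log, add-src-to-address-list, ...) do not end the walk
    return None


def route_packet(pkt: Packet, nat_rules: list, filter_rules: list):
    """dst-nat in prerouting, then routing decision, then the matching filter chain."""
    for rule in nat_rules:
        if rule["chain"] == "dstnat" and rule["action"] == "dst-nat" and matches(rule, pkt):
            pkt = replace(pkt, dst=rule["to-addresses"],
                          dport=int(rule.get("to-ports", pkt.dport)))
            break
    chain = "input" if pkt.dst in ROUTER_ADDRESSES else "forward"
    return chain, run_chain(filter_rules, chain, pkt) or "accept"   # fall-through = accept


NAT = [parse_rule("add action=dst-nat chain=dstnat to-addresses=10.0.11.11 to-ports=21 "
                  "protocol=tcp in-interface=Inet dst-port=21")]

# Shape of the posted filter: FTP accept in a chain reached only from chain=input.
FILTER_AS_POSTED = [parse_rule(line) for line in [
    "add action=jump chain=input jump-target=services",
    "add action=accept chain=services dst-port=21 protocol=tcp src-address-list=www_pristup",
    "add action=return chain=services",
    'add action=drop chain=input comment="drop everything else"',
]]

# Suggested mitigation (not from the thread): restrict the redirected FTP
# traffic where it actually passes, in chain=forward.
FILTER_WITH_FORWARD_RULE = FILTER_AS_POSTED + [parse_rule(
    "add action=drop chain=forward dst-address=10.0.11.11 dst-port=21 protocol=tcp "
    "src-address-list=!www_pristup")]

OUTSIDER = Packet(src="198.51.100.7", dst="203.0.113.1", dport=21)   # not on the list
ALLOWED = Packet(src="192.0.2.10", dst="203.0.113.1", dport=21)      # on the list

if __name__ == "__main__":
    for name, ruleset in (("as posted", FILTER_AS_POSTED),
                          ("with forward rule", FILTER_WITH_FORWARD_RULE)):
        print(f"{name}: outsider -> {route_packet(OUTSIDER, NAT, ruleset)}, "
              f"allowed -> {route_packet(ALLOWED, NAT, ruleset)}")
```

With the rules as posted the outsider's FTP packet is rewritten to 10.0.11.11:21, lands in chain=forward, matches nothing there and is accepted; only a packet aimed at the router itself goes through chain=input and its catch-all drop. Adding the chain=forward rule drops the redirected FTP traffic from sources outside the list while the listed source still gets through.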