12.09.2023., 10:18   #469
yossariane
Registered User
Join date: Oct 2021
Location: Grobinština
Posts: 66
Quote:
Originally posted by c-shadow
Just check your firewall, so that afterwards it isn't "we didn't know" :-)
The default config is pretty OK, you just have to play around with the rules, depending on how the WAN and LAN sides are currently set up at your end.
The firewall has the default config,
Code:
/ip/firewall> export
# 2023-09-12 10:12:54 by RouterOS 7.11
# software id = 2Q2C-PP2H
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HEQ096F3685
/ip firewall address-list
add address=192.168.5.10-192.168.5.30 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment=Container dst-address=192.168.5.5 dst-port=888 protocol=tcp to-addresses=\
    192.168.10.2 to-ports=80
/ip firewall service-port
set tftp disabled=yes
set h323 disabled=yes
What do you think should be added? I still have to go and study what to put in the firewall. Is there a good site, kind of "for dummies", for setting up the firewall? I know about the wiki, but it... the terminology, I'm new to these waters.
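An added example, not part of the post: a small Python check over a RouterOS firewall export that flags address lists a rule matches on but nothing in the export fills, address lists that are defined but matched by no rule, and masquerade rules not bound to an out-interface. The input is a constructed, trimmed copy of the export above, and the finding names are invented for this example.

```python
import re
import shlex

# Constructed sample: a trimmed copy of the export posted above.
EXPORT = r'''
/ip firewall address-list
add address=192.168.5.10-192.168.5.30 list=allowed_to_router
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.0.0/24
'''

def parse_export(text):
    """Return [(menu, {param: value})] for every 'add' line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines continued with a trailing backslash
    menu, rules = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line  # e.g. "/ip firewall filter"
        elif line.startswith("add "):
            toks = [t for t in shlex.split(line[4:]) if "=" in t]
            rules.append((menu, dict(t.split("=", 1) for t in toks)))
    return rules

def audit(rules):
    """Return sorted (finding, detail) pairs; finding names are this example's own."""
    defined, matched, filled, findings = set(), set(), set(), []
    for menu, r in rules:
        if menu == "/ip firewall address-list":
            defined.add(r["list"])  # static entry present in the export
            continue
        for key in ("src-address-list", "dst-address-list"):
            if key in r:
                matched.add(r[key].lstrip("!"))  # list a rule matches on
        if r.get("action", "").endswith("-to-address-list"):
            filled.add(r.get("address-list"))  # list a rule fills dynamically
        bound = "out-interface" in r or "out-interface-list" in r
        if menu == "/ip firewall nat" and r.get("action") == "masquerade" and not bound:
            findings.append(("masquerade-without-out-interface", r.get("src-address", "any")))
    findings += [("list-matched-but-never-filled", n) for n in matched - defined - filled]
    findings += [("list-defined-but-unused", n) for n in defined - matched]
    return sorted(findings)

if __name__ == "__main__":
    for finding, detail in audit(parse_export(EXPORT)):
        print(f"{finding}: {detail}")
```

An export carries only static address-list entries, so a list flagged as never filled may still be populated by something outside the exported rules.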