Get best of the week

Filtro de firewall Mikrotik: script gerando a base para uma política de filtragem

Qualquer pessoa que já tenha escrito uma política de filtragem de firewall sabe que isso não é uma questão simples e envolve muitos erros quando há mais de 2 zonas de rede. O script deste artigo o ajudará neste ensaio.

Introdução


Por zona de rede, quero dizer um conjunto de interfaces ou endereços IP aos quais a regra de filtro se aplica. No meu script, os endereços IP da zona são atribuídos à interface. Ou seja, se esperamos endereços IP "confiáveis" da rede local, será estranho se as conexões correspondentes chegarem do provedor.

Como funciona


Tudo gira em torno da descrição das zonas em que perguntamos como elas interagem umas com as outras.
Na minha configuração, se nenhuma outra regra for definida, todo o tráfego será descartado com a regra DROP; portanto, definiremos as regras ACCEPT e REJECT.

Em seguida, o script em um loop percorre todas as descrições de zona e cria:

  • Lista de interfaces IF- <nome da zona>
  • Lista de endereços IP <nome da zona>
  • Define a configuração padrão e levemente suplementada por mim, filtro, mangle e raw

A zona de destino do tráfego IP da interface difere porque seu nome não está na seção de interfaces. Assim, o script entende onde temos o objetivo do ip e onde está a interface.

Variáveis


  • gping - Permite ping em todas as direções e no encaminhamento. Em outras palavras, será possível executar ping até mesmo no que foi fechado por outras regras no filtro. Incluir conforme desejado;)
  • debug - Coloque a regra ACEITAR no início das cadeias raiz, o que torna todas as outras regras inúteis. Muito útil no estágio de regras de depuração. Faça a política como desejar, ative o Modo de segurança e desative essas regras. Se o roteador ficar indisponível, depois de 10 segundos as regras serão ativadas novamente e você poderá pensar sobre o que estava errado.
  • allout - permite o tráfego de saída do roteador, normalmente o roteador não gera tráfego ruim, portanto, em várias configurações, isso é aceitável.

Descrição das zonas


A descrição em si é dividida em dois blocos: interfaces e endereços IP. Existem variáveis ​​especiais para interfaces:

  • is_wan: adiciona regras para o processamento de túneis e DNS
  • do_masq: adiciona regras de mascaramento de tráfego a esta zona
  • is_lan: adiciona regras para responder ao DHCP e DNS
  • mss: mss ,
  • ADDoS: DDoS . — ( ) , IP . :
    • gen — generic, , .
    • mngr — managment, mikrotik (winbox, ssh)
    • — , .


Há também duas zonas especiais: rt, esse é o próprio roteador e tudo, como não é difícil adivinhar "qualquer direção", nem tudo pode ser especificado como fonte de tráfego.

A principal ação do script é criar uma série de regras de salto com filtragem por origem e destino do tráfego, finalizadas por uma regra com ACCEPT ou REJECT.

A descrição da zona pode ser reduzida, como no exemplo para ISP e rt (sempre deve ser).

Se você deseja encerrar a cadeia com sua regra, basta adicionar personalizado (ou qualquer outra coisa) na descrição da zona em vez de aceitar ou rejeitar, a cadeia de salto não será concluída por nenhuma regra e você poderá criá-la.

Explicação das regras do script


Zonas
:local gping 1
:local debug 0
:local zones {
	"if"={
		"ISP"={
			"is_wan"=1;
			"do_masq"=1;
			"ADDoS"={
				mngr={
					dst-limit="4/1m,1,src-address/1m40s";
					timeout="1d";
					comment="Blocking bruteforcing winbox & ssh port";
					excl=[:toarray ("Trusted")];
				};
				gen={
					dst-limit="50,50,src-address/10s";
					timeout="1d";
					comment="Blocking potential DDoS";
					excl=[:toarray ("Trusted")];
				};
			};
		};
		"LAN"={
			"is_lan"=1;
			policy={ 
				"all"="accept";
			};
		};
		"TUN"={
			mss=1400;
		};
		"rt"={};
	};
	"ip"={
		"rt"={
			policy={
				"all"="accept" 
			};
		};
		"TUN"={
			"Staff"={
				"Server"="accept";
			};
			"Manager"={
				"all"="accept";
			};
		};
		"ISP"={
			"Trusted"={
				"rt"="accept";
			};
		};
	};
}


Existem 4 zonas para interfaces, uma das quais é rt obrigatória:

  • O ISP é para o provedor, portanto, é indicado para criar regras adicionais para alguns protocolos.
  • LAN - para uma rede local, são dadas regras para lan e há uma ação geral de permissão em qualquer direção.
  • TUN - para os túneis adequados, a correção MSS é indicada.

B 3 zonas ip:

  • Equipe e gerente nas interfaces TUN:
    • Staff - tem acesso apenas à zona ip do servidor
    • Manager - pode ir a qualquer lugar

  • Confiável na interface ISP tem acesso ao roteador

filtro gen
# may/13/2020 10:00:00 by RouterOS 6.46.6
# RoS filter generator v 0.9.5

:local gping 0
:local debug 1
:local allout 1
:local zones {
	"if"={
		"ISP"={
			"is_wan"=1;
			"do_masq"=1;
			"ADDoS"={
				mngr={
					dst-limit="4/1m,1,src-address/1m40s";
					timeout="1d";
					comment="Blocking bruteforcing winbox & ssh port";
					excl=[:toarray ("Trusted")];
				};
				gen={
					dst-limit="50,50,src-address/10s";
					timeout="1d";
					comment="Blocking potential DDoS";
					excl=[:toarray ("Trusted")];
				};
			};
		};
		"LAN"={
			"is_lan"=1;
			policy={ 
				"all"="accept";
			};
		};
		"TUN"={
			mss=1400;
		};
		"rt"={};
	};
	"ip"={
		"rt"={
			policy={
				"all"="accept" 
			};
		};
		"TUN"={
			"Staff"={
				"Server"="accept";
			};
			"Manager"={
				"all"="accept";
			};
		};
		"ISP"={
			"Trusted"={
				"rt"="accept";
			};
		};
	};
}
/ip firewall raw
add action=notrack chain=prerouting ipsec-policy=in,ipsec comment="Notrack ipsec"
add action=notrack chain=prerouting dst-address-type=multicast comment="Notrack multicast"
/ip firewall filter
:if ( ($debug)=0 ) do={
	add action=accept chain=forward comment=DEBUG!!! disabled=yes
	add action=accept chain=input comment=DEBUG!!! disabled=yes
	add action=accept chain=output comment=DEBUG!!! disabled=yes
} else={
	add action=accept chain=forward comment=DEBUG!!!
	add action=accept chain=input comment=DEBUG!!!
	add action=accept chain=output comment=DEBUG!!!
}
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 dst-port=5246,5247 protocol=udp src-address-type=local
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=jump chain=input comment="defconf: new input" connection-state=new jump-target=in-new
add action=jump chain=input comment="defconf: notrack input" jump-target=in-notrack
add action=drop chain=input comment="defconf: drop all not allowed"
add action=accept chain=output comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=jump chain=output comment="defconf: new output" connection-state=new jump-target=out-new
add action=jump chain=output comment="defconf: notrack output" jump-target=out-notrack
:if ( ($allout)=1 ) do={
	add action=accept chain=out-notrack comment="defconf: Allow any trafic from rt"
} else={
	add action=accept chain=out-notrack comment="defconf: Allow any trafic from rt" disabled=yes
}
add action=drop chain=output comment="defconf: drop all not allowed"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=jump chain=forward comment="defconf: new forward" connection-state=new jump-target=fw-new
add action=jump chain=forward comment="defconf: notrack forward" jump-target=fw-notrack
add action=accept chain=forward comment="defconf: Accept all forward DSTNATed" connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop all not allowed for forward"
:if ( ($gping)=1 ) do={
	add action=accept chain=WAN2RT-STD-PROTO comment=ICMP protocol=icmp disabled=yes
} else={
	add action=accept chain=WAN2RT-STD-PROTO comment=ICMP protocol=icmp
}
add action=accept chain=WAN2RT-STD-PROTO comment=GRE ipsec-policy=in,ipsec protocol=gre
add action=accept chain=WAN2RT-STD-PROTO comment=IPSec protocol=ipsec-esp
add action=accept chain=WAN2RT-STD-PROTO comment=IPSec protocol=ipsec-ah
add action=accept chain=WAN2RT-STD-PROTO comment="IPSec encapsulated" dst-port=500,4500 protocol=udp
add action=accept chain=WAN2RT-STD-PROTO comment=L2TP dst-port=1701 ipsec-policy=in,ipsec protocol=udp
add action=accept chain=WAN2RT-STD-PROTO comment=PPtP dst-port=1723 protocol=tcp
add action=accept chain=LAN2RT-STD-PROTO comment=DNS dst-port=53 protocol=tcp
add action=accept chain=LAN2RT-STD-PROTO comment=NTP,DNS,DHCP dst-port=53,123,67-68 protocol=udp
add action=accept chain=LAN2RT-STD-PROTO comment=DHCP dst-port=67-68 protocol=udp
add action=accept chain=RT2WAN-STD-PROTO comment=DNS dst-port=53 protocol=tcp
add action=accept chain=RT2WAN-STD-PROTO comment=NTP,DNS dst-port=53,123 protocol=udp
add action=accept chain=WAN2RT-STD-PROTO comment=IPSec protocol=ipsec-esp
add action=accept chain=RT2WAN-STD-PROTO comment=IPSec protocol=ipsec-ah
add action=accept chain=RT2WAN-STD-PROTO comment="IPSec encapsulated" dst-port=500,4500 protocol=udp
add action=reject chain=RT2WAN-STD-PROTO comment=GRE ipsec-policy=out,none protocol=gre reject-with=icmp-admin-prohibited
add action=reject chain=RT2WAN-STD-PROTO comment=L2TP dst-port=1701 ipsec-policy=out,none protocol=udp reject-with=icmp-admin-prohibited
:if ( ($gping)=1 ) do={
	add action=accept chain=fw-new comment=ICMP protocol=icmp
	add action=accept chain=in-new comment=ICMP protocol=icmp
	add action=accept chain=out-new comment=ICMP protocol=icmp
} else={
	add action=accept chain=fw-new comment=ICMP protocol=icmp disabled=yes
	add action=accept chain=in-new comment=ICMP protocol=icmp disabled=yes
	add action=accept chain=out-new comment=ICMP protocol=icmp disabled=yes
}
/ip firewall filter
:foreach zone,conf in=($zones->"if") do={
	:if ( ($zone)!="rt" ) do={
		:if ( [/interface list print count-only where name=("IF-".$zone)] = 0) do={
			/interface list add name=("IF-".$zone)
		}
		add action=jump chain=fw-new in-interface-list=("IF-".$zone) comment=("Fwd plc from if ".$zone) jump-target=("fw-plc-s:".$zone)
		add action=jump chain=in-new in-interface-list=("IF-".$zone) comment=("In plc for if ".$zone) jump-target=("in-plc-s:".$zone)
		:foreach ddos,val in=($conf->"ADDoS") do={
			:if ( $ddos="mngr" ) do={
				add action=jump chain=("in-plc-s:".$zone) dst-port=22,8291 jump-target=("ADDoS-s:".$zone."-".$ddos) comment=("AntiDDoS for ".$ddos." from ".$zone) protocol=tcp
			}
			:if ( $ddos="gen" ) do={
				add action=jump chain=("in-plc-s:".$zone) jump-target=("ADDoS-s:".$zone."-".$ddos) comment=("AntiDDoS for ".$ddos." from ".$zone)
			}
			:if ( $ddos="mngr" || $ddos="gen" ) do={
				:foreach excl in=(($val)->"excl") do={ 
					add action=return chain=("ADDoS-s:".$zone."-".$ddos) comment=("Execption for ".$excl." from ".$zone) src-address-list=("IP-".$excl)
				}
				add action=return chain=("ADDoS-s:".$zone."-".$ddos) comment=("Limit number incoming connections for ".$ddos." from ".$zone) dst-limit=(($val)->"dst-limit")
				add action=add-src-to-address-list address-list=("IP-DDoS-s:".$zone."-".$ddos) address-list-timeout=(($val)->"timeout") chain=("ADDoS-s:".$zone."-".$ddos) comment=("Add to IP-DDoS-".$ddos." list from ".$zone)
			}
			:if ( $ddos!="mngr" && $ddos!="gen" ) do={
				add action=jump chain=("in-plc-s:".$zone) jump-target=("ADDoS-".$ddos) comment=("AntiDDoS for ".$ddos." from ".$zone) disabled=yes
				:foreach excl in=(($val)->"excl") do={ 
					add action=return chain=("ADDoS-s:".$zone."-".$ddos) comment=("Execption for ".$excl." from ".$zone) src-address-list=("IP-".$excl)
				}
				add action=return chain=("ADDoS-s:".$zone."-".$ddos) comment=("Limit number incoming connections for ".$ddos." from ".$zone) dst-limit=(($val)->"dst-limit")
				add action=add-src-to-address-list address-list=("IP-DDoS-s:".$zone."-".$ddos) address-list-timeout=(($val)->"timeout") chain=("ADDoS-s:".$zone."-".$ddos) comment=("Add to IP-DDoS-".$ddos." list from ".$zone)
			}
			/ip firewall raw add action=drop chain=prerouting comment=("DROP Banned by ".$ddos." from ".$zone) in-interface-list=("IF-".$zone) src-address-list=("IP-DDoS-s:".$zone."-".$ddos)
		}
	} else={
		add action=jump chain=out-new comment=("Out plc for rt") jump-target="out-plc-s:rt"
	}	
}
:foreach zone,conf in=($zones->"if") do={
	:if ( ($zone)!="rt" && ($zone)!="all") do={
		:if ( ($conf->"is_lan")=1 || ($conf->"is_wan")=1 ) do={
			add action=jump chain=in-notrack comment=("In Allow plc for STD LAN PROTO from ".$zone) in-interface-list=("IF-".$zone) jump-target=LAN2RT-STD-PROTO
		}
		:if ( ($conf->"is_wan")=1) do={
			add action=jump chain=in-notrack comment=("In Allow plc for STD WAN PROTO from ".$zone) in-interface-list=("IF-".$zone) jump-target=WAN2RT-STD-PROTO
			add action=jump chain=out-notrack out-interface-list=("IF-".$zone) comment=("Out Allow plc for STD WAN PROTO to ".$zone) jump-target=RT2WAN-STD-PROTO
		}
		:if ( ($conf->"do_masq")=1) do={
			/ip firewall nat add action=masquerade chain=srcnat out-interface-list=("IF-".$zone) comment=("Masquerade traffic going to ".$zone)
		}
		:if ( [:len ($conf->"mss")]!=0 ) do={
			/ip firewall mangle add action=change-mss chain=forward in-interface-list=("IF-".$zone) new-mss=($conf->"mss") passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=(($conf->"mss"+1)."-65535") comment=("Fix mss on tunel ".$zone)
			/ip firewall mangle add action=change-mss chain=forward out-interface-list=("IF-".$zone) new-mss=($conf->"mss") passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=(($conf->"mss"+1)."-65535") comment=("Fix mss on tunel ".$zone)
		}
		:foreach src,val in=(($zones->"ip")->$"zone") do={
			:foreach tgt,policy in=$val do={
				:if ( ($tgt)!="rt" && ($tgt)!="all") do={
					:if ( [:len (($zones->"if")->$"tgt")]=0 ) do={
						add action=jump chain=("fw-plc-s:".$zone) src-address-list=("IP-".$src) dst-address-list=("IP-".$tgt) comment=("Fwd plc from if ".$zone." & ip ".$src." to ".$tgt) jump-target=("fw-plc-s:".$zone."&".$src.">".$tgt)
					} else={
						add action=jump chain=("fw-plc-s:".$zone) src-address-list=("IP-".$src) out-interface-list=("IF-".$tgt) comment=("Fwd plc from if ".$zone." & ip ".$src." to ".$tgt) jump-target=("fw-plc-s:".$zone."&".$src.">".$tgt)
					}
					:if ( ($policy)="accept") do={
						add action=accept chain=("fw-plc-s:".$zone."&".$src.">".$tgt) comment=("Fwd plc from if ".$zone." & ip ".$src." Accept to ".$tgt)
					}
					:if ( ($policy)="reject") do={
						add action=reject chain=("fw-plc-s:".$zone."&".$src.">".$tgt) comment=("Fwd plc from if ".$zone." & ip ".$src." Reject to ".$tgt)
					}
				}
				:if ( ($tgt)="rt" ) do={
					add action=jump chain=("in-plc-s:".$zone) src-address-list=("IP-".$src) comment=("In plc for if ".$zone." & ip ".$src." to rt") jump-target=("in-plc-s:".$zone."&".$src.">rt")
					:if ( ($policy)="accept") do={
						add action=accept chain=("in-plc-s:".$zone."&".$src.">rt") comment=("In plc for if ".$zone." & ip ".$src." Accept to rt")
					}
					:if ( ($policy)="reject") do={
						add action=reject chain=("in-plc-s:".$zone."&".$src.">rt") comment=("In plc for if ".$zone." & ip ".$src." Accept to rt")
					}
				}
				:if ( ($tgt)="all" ) do={
					add action=jump chain=("fw-plc-s:".$zone) src-address-list=("IP-".$src) comment=("Fwd plc from if ".$zone." & ip ".$src." to All") jump-target=("fw-plc-s:".$zone."&".$src.">all")
					add action=jump chain=("in-plc-s:".$zone) src-address-list=("IP-".$src) comment=("In plc for if ".$zone." & ip ".$src." to All") jump-target=("in-plc-s:".$zone."&".$src.">all")
					:if ( ($policy)="accept") do={
						add action=accept chain=("fw-plc-s:".$zone."&".$src.">all") comment=("Fwd plc from if ".$zone." & ip ".$src." Accept to All")
						add action=accept chain=("in-plc-s:".$zone."&".$src.">all") comment=("In plc from if ".$zone." & ip ".$src." Accept to All")
					}
					:if ( ($policy)="reject") do={
						add action=reject chain=("fw-plc-s:".$zone."&".$src.">all") comment=("Fwd plc from if ".$zone." & ip ".$src." Reject to All")
						add action=reject chain=("in-plc-s:".$zone."&".$src.">all") comment=("In plc from if ".$zone." & ip ".$src." Reject to All")
					}
				}
			}
		}
		:foreach tgt,policy in=($conf->"policy") do={
			:if ( ($tgt)!="rt" && ($tgt)!="all") do={
				:if ( [:len (($zones->"if")->$"tgt")]=0 ) do={
					add action=jump chain=("fw-plc-s:".$zone) dst-address-list=("IP-".$tgt) comment=("Fwd plc from if ".$zone." to ".$tgt) jump-target=("fw-plc-s:".$zone.">".$tgt)
				} else={
					add action=jump chain=("fw-plc-s:".$zone) out-interface-list=("IF-".$tgt) comment=("Fwd plc from if ".$zone." to ".$tgt) jump-target=("fw-plc-s:".$zone.">".$tgt)
				}
				:if ( ($policy)="accept") do={
					add action=accept chain=("fw-plc-s:".$zone.">".$tgt) comment=("Fwd plc from if ".$zone." Accept to ".$tgt)
				}
				:if ( ($policy)="reject") do={
					add action=reject chain=("fw-plc-s:".$zone.">".$tgt) comment=("Fwd plc from if ".$zone." Reject to ".$tgt)
				}
			}
			:if ( ($tgt)="rt" ) do={
				:if ( ($conf->"is_lan")!=1 && ($conf->"is_wan")!=1 ) do={
					add action=jump chain=("in-plc-s:".$zone) comment=("In plc for if ".$zone." to rt") jump-target=("in-plc-s:".$zone.">rt")
				}
				:if ( ($policy)="accept") do={
					add action=accept chain=("in-plc-s:".$zone.">rt") comment=("In plc for if ".$zone." Accept to rt")
				}
				:if ( ($policy)="reject") do={
					add action=reject chain=("in-plc-s:".$zone.">rt") comment=("In plc for if ".$zone." Reject to rt")
				}
			}
			:if ( ($tgt)="all" ) do={
				add action=jump chain=("fw-plc-s:".$zone) comment=("Fwd plc from if ".$zone." to All") jump-target=("fw-plc-s:".$zone.">all")
				add action=jump chain=("in-plc-s:".$zone) comment=("In plc for if ".$zone." to All") jump-target=("in-plc-s:".$zone.">all")
				:if ( ($policy)="accept") do={
					add action=accept chain=("fw-plc-s:".$zone.">all") comment=("Fwd plc from if ".$zone." Accept to All")
					add action=accept chain=("in-plc-s:".$zone.">all") comment=("In plc from if ".$zone." Accept to All")
				}
				:if ( ($policy)="reject") do={
					add action=reject chain=("fw-plc-s:".$zone.">all") comment=("Fwd plc from if ".$zone." Reject to All")
					add action=reject chain=("in-plc-s:".$zone.">all") comment=("In plc from if ".$zone." Reject to All")
				}
			}
		}
	}
}


Conclusão


Esse script me ajudou a simplificar bastante a configuração de políticas complexas, no entanto, ainda pode haver erros. Antes de usar, consulte um especialista. Em caso de detecção de efeitos colaterais, escreva, iremos corrigir.

More articles:


All Articles