Get best of the week

Mikrotik防火墙过滤器:脚本生成过滤策略的基础

曾经编写过防火墙过滤策略的任何人都知道这不是一件简单的事情,并且当存在两个以上的网络区域时,会涉及很多错误。本文中的脚本将在本文中为您提供帮助。

介绍


网络区域是指适用过滤规则的一组接口或IP地址。在我的脚本中,区域IP地址已分配给接口。也就是说,如果我们期望来自本地网络的“受信任” IP地址,那么如果相应的连接来自提供商,那将很奇怪。

它是如何工作的


一切都围绕着区域的描述,我们问它们如何相互作用。
在我的配置中,如果未设置其他规则,则将使用DROP规则丢弃所有流量,因此我们将设置ACCEPT和REJECT规则。

接下来,循环中的脚本遍历所有区域描述并创建:

  • 接口列表IF- <区域名称>
  • IP地址列表<区域名称>
  • 定义默认值,并由我的过滤器,修饰和原始配置稍加补充

接口的IP通信目标区域的不同之处在于其名称不在接口部分中。因此,脚本可以了解ip的用途以及接口的用途。

变数


  • gping-允许在所有方向和转发上ping。换句话说,甚至可以对过滤器中其他规则关闭的内容执行ping操作。根据需要包括);
  • debug-将ACCEPT规则放在根链的最开始,这使所有其他规则无用。在调试规则阶段非常有用。根据需要执行策略,启用安全模式,然后禁用这些规则。如果路由器不可用,则10秒钟后,规则将再次启用,您将能够思考,您在做什么错?
  • allout-允许路由器的传出流量,通常路由器不会产生不良流量,因此在许多配置中,这是可以接受的。

区域说明


描述本身分为两个块:接口和IP地址。接口有一些特殊的变量:

  • is_wan:添加处理隧道和DNS的规则
  • do_masq:向此区域添加流量屏蔽规则
  • is_lan:添加用于响应DHCP和DNS的规则
  • mss: mss ,
  • ADDoS: DDoS . — ( ) , IP . :
    • gen — generic, , .
    • mngr — managment, mikrotik (winbox, ssh)
    • — , .


还有两个特殊区域:rt,这是路由器本身,所有区域,由于不难猜测“任何方向”,因此不能将所有区域都指定为流量来源。

该脚本的主要作用是创建一系列跳转规则,并根据通信的源和目的地进行过滤,并由带有ACCEPT或REJECT的规则终止。

可以减少对区域的描述,如ISP和rt的示例中(应该始终如此)。

如果要使用规则终止链,则只需在区域描述中添加自定义(或其他)而不是接受或拒绝,则跳链将不会由任何规则完成,您可以自己创建它。

脚本中的规则说明


区域
:local gping 1
:local debug 0
:local zones {
	"if"={
		"ISP"={
			"is_wan"=1;
			"do_masq"=1;
			"ADDoS"={
				mngr={
					dst-limit="4/1m,1,src-address/1m40s";
					timeout="1d";
					comment="Blocking bruteforcing winbox & ssh port";
					excl=[:toarray ("Trusted")];
				};
				gen={
					dst-limit="50,50,src-address/10s";
					timeout="1d";
					comment="Blocking potential DDoS";
					excl=[:toarray ("Trusted")];
				};
			};
		};
		"LAN"={
			"is_lan"=1;
			policy={ 
				"all"="accept";
			};
		};
		"TUN"={
			mss=1400;
		};
		"rt"={};
	};
	"ip"={
		"rt"={
			policy={
				"all"="accept" 
			};
		};
		"TUN"={
			"Staff"={
				"Server"="accept";
			};
			"Manager"={
				"all"="accept";
			};
		};
		"ISP"={
			"Trusted"={
				"rt"="accept";
			};
		};
	};
}


接口有4个区域,其中之一是强制性rt:

  • ISP用于提供者,因此,它指示为某些协议创建附加规则。
  • 局域网-对于本地网络,它具有局域网的规则,并且在任何方向上都有通用的允许操作。
  • TUN-对于正确的隧道,将指示MSS校正。

B 3rd ip区域:

  • TUN界面的员工和经理:
    • 员工-只能访问服务器的IP区域
    • 经理-可以去任何地方

  • 在ISP接口上信任的路由器可以访问

发电机滤波器
# may/13/2020 10:00:00 by RouterOS 6.46.6
# RoS filter generator v 0.9.5

:local gping 0
:local debug 1
:local allout 1
:local zones {
	"if"={
		"ISP"={
			"is_wan"=1;
			"do_masq"=1;
			"ADDoS"={
				mngr={
					dst-limit="4/1m,1,src-address/1m40s";
					timeout="1d";
					comment="Blocking bruteforcing winbox & ssh port";
					excl=[:toarray ("Trusted")];
				};
				gen={
					dst-limit="50,50,src-address/10s";
					timeout="1d";
					comment="Blocking potential DDoS";
					excl=[:toarray ("Trusted")];
				};
			};
		};
		"LAN"={
			"is_lan"=1;
			policy={ 
				"all"="accept";
			};
		};
		"TUN"={
			mss=1400;
		};
		"rt"={};
	};
	"ip"={
		"rt"={
			policy={
				"all"="accept" 
			};
		};
		"TUN"={
			"Staff"={
				"Server"="accept";
			};
			"Manager"={
				"all"="accept";
			};
		};
		"ISP"={
			"Trusted"={
				"rt"="accept";
			};
		};
	};
}
/ip firewall raw
add action=notrack chain=prerouting ipsec-policy=in,ipsec comment="Notrack ipsec"
add action=notrack chain=prerouting dst-address-type=multicast comment="Notrack multicast"
/ip firewall filter
:if ( ($debug)=0 ) do={
	add action=accept chain=forward comment=DEBUG!!! disabled=yes
	add action=accept chain=input comment=DEBUG!!! disabled=yes
	add action=accept chain=output comment=DEBUG!!! disabled=yes
} else={
	add action=accept chain=forward comment=DEBUG!!!
	add action=accept chain=input comment=DEBUG!!!
	add action=accept chain=output comment=DEBUG!!!
}
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 dst-port=5246,5247 protocol=udp src-address-type=local
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=jump chain=input comment="defconf: new input" connection-state=new jump-target=in-new
add action=jump chain=input comment="defconf: notrack input" jump-target=in-notrack
add action=drop chain=input comment="defconf: drop all not allowed"
add action=accept chain=output comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=jump chain=output comment="defconf: new output" connection-state=new jump-target=out-new
add action=jump chain=output comment="defconf: notrack output" jump-target=out-notrack
:if ( ($allout)=1 ) do={
	add action=accept chain=out-notrack comment="defconf: Allow any trafic from rt"
} else={
	add action=accept chain=out-notrack comment="defconf: Allow any trafic from rt" disabled=yes
}
add action=drop chain=output comment="defconf: drop all not allowed"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=jump chain=forward comment="defconf: new forward" connection-state=new jump-target=fw-new
add action=jump chain=forward comment="defconf: notrack forward" jump-target=fw-notrack
add action=accept chain=forward comment="defconf: Accept all forward DSTNATed" connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop all not allowed for forward"
:if ( ($gping)=1 ) do={
	add action=accept chain=WAN2RT-STD-PROTO comment=ICMP protocol=icmp disabled=yes
} else={
	add action=accept chain=WAN2RT-STD-PROTO comment=ICMP protocol=icmp
}
add action=accept chain=WAN2RT-STD-PROTO comment=GRE ipsec-policy=in,ipsec protocol=gre
add action=accept chain=WAN2RT-STD-PROTO comment=IPSec protocol=ipsec-esp
add action=accept chain=WAN2RT-STD-PROTO comment=IPSec protocol=ipsec-ah
add action=accept chain=WAN2RT-STD-PROTO comment="IPSec encapsulated" dst-port=500,4500 protocol=udp
add action=accept chain=WAN2RT-STD-PROTO comment=L2TP dst-port=1701 ipsec-policy=in,ipsec protocol=udp
add action=accept chain=WAN2RT-STD-PROTO comment=PPtP dst-port=1723 protocol=tcp
add action=accept chain=LAN2RT-STD-PROTO comment=DNS dst-port=53 protocol=tcp
add action=accept chain=LAN2RT-STD-PROTO comment=NTP,DNS,DHCP dst-port=53,123,67-68 protocol=udp
add action=accept chain=LAN2RT-STD-PROTO comment=DHCP dst-port=67-68 protocol=udp
add action=accept chain=RT2WAN-STD-PROTO comment=DNS dst-port=53 protocol=tcp
add action=accept chain=RT2WAN-STD-PROTO comment=NTP,DNS dst-port=53,123 protocol=udp
add action=accept chain=WAN2RT-STD-PROTO comment=IPSec protocol=ipsec-esp
add action=accept chain=RT2WAN-STD-PROTO comment=IPSec protocol=ipsec-ah
add action=accept chain=RT2WAN-STD-PROTO comment="IPSec encapsulated" dst-port=500,4500 protocol=udp
add action=reject chain=RT2WAN-STD-PROTO comment=GRE ipsec-policy=out,none protocol=gre reject-with=icmp-admin-prohibited
add action=reject chain=RT2WAN-STD-PROTO comment=L2TP dst-port=1701 ipsec-policy=out,none protocol=udp reject-with=icmp-admin-prohibited
:if ( ($gping)=1 ) do={
	add action=accept chain=fw-new comment=ICMP protocol=icmp
	add action=accept chain=in-new comment=ICMP protocol=icmp
	add action=accept chain=out-new comment=ICMP protocol=icmp
} else={
	add action=accept chain=fw-new comment=ICMP protocol=icmp disabled=yes
	add action=accept chain=in-new comment=ICMP protocol=icmp disabled=yes
	add action=accept chain=out-new comment=ICMP protocol=icmp disabled=yes
}
/ip firewall filter
:foreach zone,conf in=($zones->"if") do={
	:if ( ($zone)!="rt" ) do={
		:if ( [/interface list print count-only where name=("IF-".$zone)] = 0) do={
			/interface list add name=("IF-".$zone)
		}
		add action=jump chain=fw-new in-interface-list=("IF-".$zone) comment=("Fwd plc from if ".$zone) jump-target=("fw-plc-s:".$zone)
		add action=jump chain=in-new in-interface-list=("IF-".$zone) comment=("In plc for if ".$zone) jump-target=("in-plc-s:".$zone)
		:foreach ddos,val in=($conf->"ADDoS") do={
			:if ( $ddos="mngr" ) do={
				add action=jump chain=("in-plc-s:".$zone) dst-port=22,8291 jump-target=("ADDoS-s:".$zone."-".$ddos) comment=("AntiDDoS for ".$ddos." from ".$zone) protocol=tcp
			}
			:if ( $ddos="gen" ) do={
				add action=jump chain=("in-plc-s:".$zone) jump-target=("ADDoS-s:".$zone."-".$ddos) comment=("AntiDDoS for ".$ddos." from ".$zone)
			}
			:if ( $ddos="mngr" || $ddos="gen" ) do={
				:foreach excl in=(($val)->"excl") do={ 
					add action=return chain=("ADDoS-s:".$zone."-".$ddos) comment=("Execption for ".$excl." from ".$zone) src-address-list=("IP-".$excl)
				}
				add action=return chain=("ADDoS-s:".$zone."-".$ddos) comment=("Limit number incoming connections for ".$ddos." from ".$zone) dst-limit=(($val)->"dst-limit")
				add action=add-src-to-address-list address-list=("IP-DDoS-s:".$zone."-".$ddos) address-list-timeout=(($val)->"timeout") chain=("ADDoS-s:".$zone."-".$ddos) comment=("Add to IP-DDoS-".$ddos." list from ".$zone)
			}
			:if ( $ddos!="mngr" && $ddos!="gen" ) do={
				add action=jump chain=("in-plc-s:".$zone) jump-target=("ADDoS-".$ddos) comment=("AntiDDoS for ".$ddos." from ".$zone) disabled=yes
				:foreach excl in=(($val)->"excl") do={ 
					add action=return chain=("ADDoS-s:".$zone."-".$ddos) comment=("Execption for ".$excl." from ".$zone) src-address-list=("IP-".$excl)
				}
				add action=return chain=("ADDoS-s:".$zone."-".$ddos) comment=("Limit number incoming connections for ".$ddos." from ".$zone) dst-limit=(($val)->"dst-limit")
				add action=add-src-to-address-list address-list=("IP-DDoS-s:".$zone."-".$ddos) address-list-timeout=(($val)->"timeout") chain=("ADDoS-s:".$zone."-".$ddos) comment=("Add to IP-DDoS-".$ddos." list from ".$zone)
			}
			/ip firewall raw add action=drop chain=prerouting comment=("DROP Banned by ".$ddos." from ".$zone) in-interface-list=("IF-".$zone) src-address-list=("IP-DDoS-s:".$zone."-".$ddos)
		}
	} else={
		add action=jump chain=out-new comment=("Out plc for rt") jump-target="out-plc-s:rt"
	}	
}
:foreach zone,conf in=($zones->"if") do={
	:if ( ($zone)!="rt" && ($zone)!="all") do={
		:if ( ($conf->"is_lan")=1 || ($conf->"is_wan")=1 ) do={
			add action=jump chain=in-notrack comment=("In Allow plc for STD LAN PROTO from ".$zone) in-interface-list=("IF-".$zone) jump-target=LAN2RT-STD-PROTO
		}
		:if ( ($conf->"is_wan")=1) do={
			add action=jump chain=in-notrack comment=("In Allow plc for STD WAN PROTO from ".$zone) in-interface-list=("IF-".$zone) jump-target=WAN2RT-STD-PROTO
			add action=jump chain=out-notrack out-interface-list=("IF-".$zone) comment=("Out Allow plc for STD WAN PROTO to ".$zone) jump-target=RT2WAN-STD-PROTO
		}
		:if ( ($conf->"do_masq")=1) do={
			/ip firewall nat add action=masquerade chain=srcnat out-interface-list=("IF-".$zone) comment=("Masquerade traffic going to ".$zone)
		}
		:if ( [:len ($conf->"mss")]!=0 ) do={
			/ip firewall mangle add action=change-mss chain=forward in-interface-list=("IF-".$zone) new-mss=($conf->"mss") passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=(($conf->"mss"+1)."-65535") comment=("Fix mss on tunel ".$zone)
			/ip firewall mangle add action=change-mss chain=forward out-interface-list=("IF-".$zone) new-mss=($conf->"mss") passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=(($conf->"mss"+1)."-65535") comment=("Fix mss on tunel ".$zone)
		}
		:foreach src,val in=(($zones->"ip")->$"zone") do={
			:foreach tgt,policy in=$val do={
				:if ( ($tgt)!="rt" && ($tgt)!="all") do={
					:if ( [:len (($zones->"if")->$"tgt")]=0 ) do={
						add action=jump chain=("fw-plc-s:".$zone) src-address-list=("IP-".$src) dst-address-list=("IP-".$tgt) comment=("Fwd plc from if ".$zone." & ip ".$src." to ".$tgt) jump-target=("fw-plc-s:".$zone."&".$src.">".$tgt)
					} else={
						add action=jump chain=("fw-plc-s:".$zone) src-address-list=("IP-".$src) out-interface-list=("IF-".$tgt) comment=("Fwd plc from if ".$zone." & ip ".$src." to ".$tgt) jump-target=("fw-plc-s:".$zone."&".$src.">".$tgt)
					}
					:if ( ($policy)="accept") do={
						add action=accept chain=("fw-plc-s:".$zone."&".$src.">".$tgt) comment=("Fwd plc from if ".$zone." & ip ".$src." Accept to ".$tgt)
					}
					:if ( ($policy)="reject") do={
						add action=reject chain=("fw-plc-s:".$zone."&".$src.">".$tgt) comment=("Fwd plc from if ".$zone." & ip ".$src." Reject to ".$tgt)
					}
				}
				:if ( ($tgt)="rt" ) do={
					add action=jump chain=("in-plc-s:".$zone) src-address-list=("IP-".$src) comment=("In plc for if ".$zone." & ip ".$src." to rt") jump-target=("in-plc-s:".$zone."&".$src.">rt")
					:if ( ($policy)="accept") do={
						add action=accept chain=("in-plc-s:".$zone."&".$src.">rt") comment=("In plc for if ".$zone." & ip ".$src." Accept to rt")
					}
					:if ( ($policy)="reject") do={
						add action=reject chain=("in-plc-s:".$zone."&".$src.">rt") comment=("In plc for if ".$zone." & ip ".$src." Accept to rt")
					}
				}
				:if ( ($tgt)="all" ) do={
					add action=jump chain=("fw-plc-s:".$zone) src-address-list=("IP-".$src) comment=("Fwd plc from if ".$zone." & ip ".$src." to All") jump-target=("fw-plc-s:".$zone."&".$src.">all")
					add action=jump chain=("in-plc-s:".$zone) src-address-list=("IP-".$src) comment=("In plc for if ".$zone." & ip ".$src." to All") jump-target=("in-plc-s:".$zone."&".$src.">all")
					:if ( ($policy)="accept") do={
						add action=accept chain=("fw-plc-s:".$zone."&".$src.">all") comment=("Fwd plc from if ".$zone." & ip ".$src." Accept to All")
						add action=accept chain=("in-plc-s:".$zone."&".$src.">all") comment=("In plc from if ".$zone." & ip ".$src." Accept to All")
					}
					:if ( ($policy)="reject") do={
						add action=reject chain=("fw-plc-s:".$zone."&".$src.">all") comment=("Fwd plc from if ".$zone." & ip ".$src." Reject to All")
						add action=reject chain=("in-plc-s:".$zone."&".$src.">all") comment=("In plc from if ".$zone." & ip ".$src." Reject to All")
					}
				}
			}
		}
		:foreach tgt,policy in=($conf->"policy") do={
			:if ( ($tgt)!="rt" && ($tgt)!="all") do={
				:if ( [:len (($zones->"if")->$"tgt")]=0 ) do={
					add action=jump chain=("fw-plc-s:".$zone) dst-address-list=("IP-".$tgt) comment=("Fwd plc from if ".$zone." to ".$tgt) jump-target=("fw-plc-s:".$zone.">".$tgt)
				} else={
					add action=jump chain=("fw-plc-s:".$zone) out-interface-list=("IF-".$tgt) comment=("Fwd plc from if ".$zone." to ".$tgt) jump-target=("fw-plc-s:".$zone.">".$tgt)
				}
				:if ( ($policy)="accept") do={
					add action=accept chain=("fw-plc-s:".$zone.">".$tgt) comment=("Fwd plc from if ".$zone." Accept to ".$tgt)
				}
				:if ( ($policy)="reject") do={
					add action=reject chain=("fw-plc-s:".$zone.">".$tgt) comment=("Fwd plc from if ".$zone." Reject to ".$tgt)
				}
			}
			:if ( ($tgt)="rt" ) do={
				:if ( ($conf->"is_lan")!=1 && ($conf->"is_wan")!=1 ) do={
					add action=jump chain=("in-plc-s:".$zone) comment=("In plc for if ".$zone." to rt") jump-target=("in-plc-s:".$zone.">rt")
				}
				:if ( ($policy)="accept") do={
					add action=accept chain=("in-plc-s:".$zone.">rt") comment=("In plc for if ".$zone." Accept to rt")
				}
				:if ( ($policy)="reject") do={
					add action=reject chain=("in-plc-s:".$zone.">rt") comment=("In plc for if ".$zone." Reject to rt")
				}
			}
			:if ( ($tgt)="all" ) do={
				add action=jump chain=("fw-plc-s:".$zone) comment=("Fwd plc from if ".$zone." to All") jump-target=("fw-plc-s:".$zone.">all")
				add action=jump chain=("in-plc-s:".$zone) comment=("In plc for if ".$zone." to All") jump-target=("in-plc-s:".$zone.">all")
				:if ( ($policy)="accept") do={
					add action=accept chain=("fw-plc-s:".$zone.">all") comment=("Fwd plc from if ".$zone." Accept to All")
					add action=accept chain=("in-plc-s:".$zone.">all") comment=("In plc from if ".$zone." Accept to All")
				}
				:if ( ($policy)="reject") do={
					add action=reject chain=("fw-plc-s:".$zone.">all") comment=("Fwd plc from if ".$zone." Reject to All")
					add action=reject chain=("in-plc-s:".$zone.">all") comment=("In plc from if ".$zone." Reject to All")
				}
			}
		}
	}
}


结论


该脚本帮助我极大地简化了复杂策略的配置,但是其中可能仍然存在错误。使用前,请咨询专家。如果发现有副作用,请写信,我们将予以纠正。

More articles:


All Articles