Поможите настроить OVPN между Mikrotikами

Тема в разделе "Вопросы начинающих", создана пользователем Сергей Коптяев, 19 фев 2017.

  1. Сергей Коптяев

    Сергей Коптяев Новый участник

    Спасибо. Убрал галку, заработало.
     
  2. Сергей Коптяев

    Сергей Коптяев Новый участник

    Давно мучает вопрос необходимости минимально достаточной защиты Mikrotik правилами файервола. Чтение интернета родило вот такого вот монстра, который мне совсем не нравится. Правил много, работу замедляют, часть из них не работает наверное и часть вовсе лишняя.Нравится только "ловушка" по 22 порту.
    Помогите оптимизировать, порезать и дополнить.
    Сильно не ругайте за "творчество".

    LAN- 192.168.60.0
    Drop по Bogon я выкинул.
    /interface list
    add name=Interface-out
    add name=Interface-internet
    /interface list member
    add interface=eth1-wan list=Interface-out
    add interface=modem-usb-3g list=Interface-out
    add interface=ovpn list=Interface-out
    add interface=modem-usb-3g list=Interface-internet
    add interface=eth1-wan list=Interface-internet

    /ip firewall address-list
    add address=196.2.0.0/16 comment=office list=ovpn-adress-list
    add address=8.8.8.8 comment=Internet list=internet
    add address=77.88.4.4 list=internet
    add address=213.180.204.3 list=internet
    add address=193.34.114.202 list=internet
    add address=193.34.114.201 list=internet
    add address=192.168.0.1-192.168.59.254 list=ovpn-adress-list
    add address=192.168.61.1-192.168.254.254 list=ovpn-adress-list
    add address=8.8.4.4 list=internet
    add address=146.120.90.0/24 comment "ЕГАИС" list=internet
    add address=194.54.14.162 comment="Сбербанк" list=internet
    add address=194.186.207.162 comment=" Сбербанк" list=internet

    В интернет компы ходят только по этим адресам и ещё нескольким.

    /ip firewall mangle
    add action=mark-connection chain=prerouting connection-state=new dst-port=9999 new-connection-mark=allow_in protocol=tcp
    add action=mark-routing chain=prerouting new-routing-mark=ovpn-adress-list passthrough=no src-address-list=ovpn-adress-list
    add action=mark-routing chain=prerouting new-routing-mark= internet-adress-list passthrough=no src-address-list=internet

    /ip firewall nat
    add action=redirect chain=dstnat dst-port=9999 protocol=tcp to-ports=80
    add action=masquerade chain=srcnat comment=ISP1 out-interface-list=Interface-internet
    add action=masquerade chain=srcnat comment=ovpn disabled=yes out-interface=ovpn src-address-list=ovpn-adress-list

    /ip firewall filter
    add action=drop chain=forward in-interface-list=Interface-internet routing-mark=!internet-adress-list
    add action=accept chain=forward in-interface=all-ppp routing-mark= ovpn-adress-list
    add action=accept chain=forward out-interface=all-ppp routing-mark= ovpn-adress-list
    add action=accept chain=forward connection-state=established,related in-interface-list=Interface-out out-interface=br1-lan
    add action=accept chain=forward connection-state=established,new in-interface=br1-lan out-interface-list=Interface-out

    Это вроде всё нужное, а дальше бардак:
     
  3. Сергей Коптяев

    Сергей Коптяев Новый участник

    add action=accept chain=output connection-state=!invalid
    add action=accept chain=input comment=" , WAN " in-interface-list=!Interface-out src-address=
    192.168.60.0/24
    add action=accept chain=input comment="Allow Established connections" connection-state=established,related
    add action=drop chain=input comment="Drop blocklist" dst-address-list=blocklist
    add action=drop chain=forward comment="Drop blocklist" dst-address-list= blocklist
    add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid protocol=tcp
    add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface= eth1-wan protocol=udp
    add action=drop chain=input dst-port=53 in-interface=eth1-wan protocol=tcp
    add action=drop chain=input comment="dropping port scanners" src-address-list=port_scanners
    add action=drop chain=forward comment="dropping port scanners" src-address-list=port_scanners
    add action=accept chain=forward comment="Allow already established connections" connection-state=established
    add action=accept chain=forward comment="Allow related connections" connection-state=related
    add action=jump chain=forward jump-target=tcp protocol=tcp
    add action=jump chain=forward jump-target=udp protocol=udp
    add action=jump chain=forward jump-target=icmp protocol=icmp
    add action=accept chain=icmp comment="Drop invalid connection" icmp-options=0:0 protocol=icmp
    add action=accept chain=icmp comment="Allow established connections" icmp-options=3:0 protocol=icmp
    add action=accept chain=icmp comment="Allow already established connections" icmp-options=3:1 protocol=icmp
    add action=accept chain=icmp comment="Allow source quench" icmp-options=4:0 protocol=icmp
    add action=accept chain=icmp comment="Allow echo request" icmp-options=8:0 protocol=icmp
    add action=accept chain=icmp comment="Allow time exceed" icmp-options=11:0 protocol=icmp
    add action=accept chain=icmp comment="Allow parameter bad" icmp-options=12:0 protocol=icmp
    add action=drop chain=icmp comment="Deny all other types"
    add action=accept chain=input comment="Allow ICMP" protocol=icmp
    add action=accept chain=input connection-state=new dst-port=53,123 protocol=udp src-address=
    192.168.60.0/24
    add action=accept chain=forward protocol=icmp
    add action=drop chain=input comment="DNS drop" dst-port=53 in-interface-list=Interface-out protocol=udp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=30m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=30m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=30m chain=input connection-state=new dst-port=22 protocol=tcp
    add action=accept chain=input connection-state=new dst-port=80,8291,22 in-interface=br1-lan protocol=tcp src-address=
    192.168.60.0/24
    add action=accept chain=input connection-state=new dst-port=80,8291 in-interface-list=Interface-out protocol=tcp
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-lags=fin,!syn,!rst,!psh,!ack,!urg
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
    add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
    add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
    add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
    add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
    add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
    add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol= udp
    add action=accept chain=input comment="Allow UDP" protocol=udp
    add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
    add action=drop chain=tcp comment="deny RPC port mapper" dst-port=111 protocol=tcp
    add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
    add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
    add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
    add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
    add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
    add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
    add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
    add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
    add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
    add action=drop chain=input
    add action=drop chain=forward
    add action=drop chain=output
     
  4. Илья Князев

    Илья Князев Администратор Команда форума

    За базу лучше взять дефолтный файрвол. Он вполне достаточен.
    дальше смотреть что нужно.