MikroTik - configuration and command examples
export compact - print the configuration to the terminal
Transferring MikroTik settings (export on the old device, import on the new one):
export file=28_07_2022.rsc
import file=название файла.rsc
Partial transfer of settings (one export file per menu section):
ip address export file=ip.rsc
ip firewall mangle export file=mangle.rsc
ip firewall nat export file=nat.rsc
ip firewall filter export file=filter.rsc
queue simple export file=simple.rsc
ip dns export file=dns.rsc
system script export file=script.rsc
system scheduler export file=scheduler.rsc
tool e-mail export file=email.rsc
ip firewall address-list export file=address-list.rsc
ip route export file=route.rsc
ip dhcp-server network export file=network.rsc
queue type export file=type.rsc
queue tree export file=tree.rsc
interface ethernet export file=ethernet.rsc
ip pool export file=pool.rsc
ppp profile export file=profile.rsc
system logging export file=log.rsc
Detecting rogue DHCP servers, with a script that e-mails the administrator (note: the INTERFACE NAME may differ!!!):
/ip dhcp-server alert
add alert-timeout=10s disabled=no interface=bridge1 on-alert="/tool e-mail send server=77.88.21.158 port=25 user=svis-s@yandex.ru password=ndwmshortsxgvjxp start-tls=yes to=\"svis-s@yandex.ru\" from=svis-s@yandex.ru subject=\"Detect Unknow DHCP Server\" body=\"MikroTik have been detected unknown dhcp-server\"" valid-server=48:8F:5A:EE:7F:C9
Script (the on-alert command on its own):
/tool e-mail send server=77.88.21.158 port=25 user=svis-s@yandex.ru password=ndwmshortsxgvjxp start-tls=yes to="svis-s@yandex.ru" from=svis-s@yandex.ru subject="Detect Unknow DHCP Server" body="MikroTik have been detected unknown dhcp-server"
Basic firewall setup (note: the INTERFACE NAMES may differ!!!):
/ip firewall filter
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=4w2d chain=input comment="Drop ssh brute forcers" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="Drop ssh brute forcers" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="Drop ssh brute forcers" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="Drop ssh brute forcers" connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=permit address-list-timeout=1h chain=input comment="Access ISMP 740 size" packet-size=740-790 protocol=icmp
add action=accept chain=input comment="Access ISMP 740 size Managment \E8 Btest" connection-state=new dst-port=80,8291,22,2000 protocol=tcp src-address-list=permit
add action=accept chain=input comment="Access ISMP 740 size NTP, SNMP \E8 Btest" connection-state=new dst-port=53,123,161,2000 protocol=udp src-address-list=permit
add action=add-src-to-address-list address-list="dns spoofing" address-list-timeout=1h chain=input comment="Block DNS Spoofing" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Block DNS Spoofing" dst-port=53 in-interface=ether1 protocol=udp src-address-list="dns spoofing"
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop all not from lan" in-interface=!ether2
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept http & https from LAN" dst-port=80,443 in-interface=ether2 out-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Accept dns from lan" dst-port=53 in-interface=ether2 out-interface=ether1 protocol=udp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from LAN to WAN" connection-nat-state=!dstnat in-interface=ether2 out-interface=ether1
add action=accept chain=output comment="Allow everything except invalid" connection-state=!invalid
add action=drop chain=output comment="Drop All Output"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp src-address=77.37.178.48 to-addresses=10.10.10.17 to-ports=3389
Simple site blocking (for the block rule to take effect, it must be placed in the list above the rule that allows traffic from the LAN to the Internet):
/ip firewall address-list add address=ok.ru list=Block_Site
/ip firewall filter add action=reject chain=forward comment="Block Site List" dst-address-list=Block_Site protocol=tcp reject-with=icmp-network-unreachable
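Rule order is the whole point of the note above: RouterOS evaluates filter rules top to bottom, so a reject rule placed below the "Accept http & https from LAN" rule never sees LAN web traffic. The following script is an added example (not from this page's author) that parses the `/ip firewall filter` section of an `export` file and checks that every `dst-address-list=Block_Site` rule sits above the LAN-to-WAN accept rule in chain=forward, hoisting it if not. The sample export is constructed from rules shown on this page, with the Block_Site rule deliberately placed too low; the interface names ether1/ether2 are taken from the page.

```python
"""Parse RouterOS 'export' output for /ip firewall filter and audit rule order.

Added example, not the page's own code. The sample export is constructed from
rules shown on the page; the Block_Site reject rule is deliberately placed
*below* the LAN->WAN accept rule so that the check fails as exported.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept http & https from LAN" dst-port=80,443 in-interface=ether2 out-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list="dns spoofing" address-list-timeout=1h chain=input comment="Block DNS Spoofing" dst-port=53 in-interface=ether1 protocol=udp
add action=reject chain=forward comment="Block Site List" dst-address-list=Block_Site protocol=tcp reject-with=icmp-network-unreachable
'''

# key=value pairs: the value is either a double-quoted string (with \" escapes,
# the way RouterOS exports comments and list names containing spaces) or a run
# of non-space characters.
_PAIR = re.compile(r'([\w-]+)=("(?:\\.|[^"\\])*"|\S+)')

Rule = Tuple[str, Dict[str, str]]  # (menu path, parameters)


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one 'add key=value ...' export line into a dict of parameters."""
    rule: Dict[str, str] = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        rule[key] = raw
    return rule


def parse_export(text: str) -> List[Rule]:
    """Return (menu path, rule) for every 'add' line, in file order.

    File order is the order RouterOS evaluates the rules, which is exactly
    what the audit below cares about.
    """
    path, rules = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add "):
            rules.append((path, parse_rule(line)))
    return rules


def find_rule(rules: List[Rule], match: Dict[str, str]) -> Optional[int]:
    """Index of the first rule whose parameters include every pair in `match`."""
    for i, (_, rule) in enumerate(rules):
        if all(rule.get(k) == v for k, v in match.items()):
            return i
    return None


def block_precedes_lan_allow(rules: List[Rule]) -> bool:
    """True when the Block_Site reject sits above the LAN->WAN accept in chain=forward."""
    block = find_rule(rules, {"chain": "forward", "dst-address-list": "Block_Site"})
    allow = find_rule(rules, {"chain": "forward", "action": "accept",
                              "in-interface": "ether2", "out-interface": "ether1"})
    if block is None or allow is None:
        return False
    return block < allow


def move_block_rules_first(rules: List[Rule]) -> List[Rule]:
    """Copy of `rules` with every Block_Site rule hoisted to the top of chain=forward."""
    block = [r for r in rules
             if r[1].get("chain") == "forward" and r[1].get("dst-address-list") == "Block_Site"]
    rest = [r for r in rules if r not in block]
    first_fwd = next((i for i, r in enumerate(rest) if r[1].get("chain") == "forward"), len(rest))
    return rest[:first_fwd] + block + rest[first_fwd:]


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    print("as exported:", block_precedes_lan_allow(rules))                            # False
    print("after hoist:", block_precedes_lan_allow(move_block_rules_first(rules)))    # True
```

Running the same check against a real `ip firewall filter export file=filter.rsc` (the partial export shown earlier on this page) turns the ordering note into something that can be verified after every change rather than remembered.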
Blocking a site by TLS host name:
/ip firewall filter
add chain=forward dst-port=443 protocol=tcp tls-host=*.facebook.com action=reject
add chain=forward dst-port=443 protocol=tcp tls-host=*.youtube.com action=reject
Protection against password guessing (adjust to whichever port is being hammered; in this example SSH, port 22):
/ip firewall filter
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=4w2d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
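The staged lists above only work because of two RouterOS properties: add-src-to-address-list is a passthrough action (the packet keeps going to the next rule after the list is updated), and the rules are listed with the highest stage first, so one new connection climbs exactly one stage. The simulation below is an added example (not from this page's author) that walks new tcp/22 connections through the five rules with the page's timeouts (1m per stage, 4w2d blacklist), and also runs the same rules in ascending order to show that that order blacklists a source on its very first connection. Timings and the source address are constructed; treating a re-add as a refresh of the entry's timeout is a modelling assumption.

```python
"""Simulate the ssh_stage1..3 -> ssh_blacklist address lists from the page's rules.

Added example, not the page's own code. It models only what the rules express:
each connection-state=new packet to tcp/22 walks the rules top to bottom,
add-src-to-address-list is passthrough (evaluation continues), and the final
drop rule matches ssh_blacklist. Re-adding an address refreshes its timeout
(modelling assumption); times are seconds.
"""
from typing import Dict, List, Optional, Tuple

MINUTE = 60
STAGE_TIMEOUT = 1 * MINUTE                      # address-list-timeout=1m
BLACKLIST_TIMEOUT = (4 * 7 + 2) * 24 * 3600     # address-list-timeout=4w2d

# (src-address-list required, address-list to add to, timeout),
# in the order the page lists them: highest stage first.
RULES_PAGE_ORDER: List[Tuple[Optional[str], str, int]] = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT),
    (None, "ssh_stage1", STAGE_TIMEOUT),         # unconditional first stage
]
# The same rules with the stages ascending, to show why the order matters.
RULES_ASCENDING = list(reversed(RULES_PAGE_ORDER))


class AddressLists:
    """Dynamic address-list entries keyed by (list name, address) with an expiry time."""

    def __init__(self) -> None:
        self.expiry: Dict[Tuple[str, str], int] = {}

    def contains(self, name: str, ip: str, now: int) -> bool:
        exp = self.expiry.get((name, ip))
        return exp is not None and now < exp

    def add(self, name: str, ip: str, now: int, timeout: int) -> None:
        self.expiry[(name, ip)] = now + timeout     # re-add refreshes (assumption)


def new_ssh_connection(lists: AddressLists, rules, ip: str, now: int) -> str:
    """Run one new connection to tcp/22 through the chain; return the verdict."""
    for required, target, timeout in rules:
        if required is None or lists.contains(required, ip, now):
            lists.add(target, ip, now, timeout)     # passthrough: keep evaluating
    # the page's last rule: drop if the source is in ssh_blacklist
    return "drop" if lists.contains("ssh_blacklist", ip, now) else "accept"


def simulate(rules, times: List[int], ip: str = "203.0.113.9") -> List[str]:
    """Verdict for each connection attempt from `ip` at the given times (seconds)."""
    lists = AddressLists()
    return [new_ssh_connection(lists, rules, ip, t) for t in times]


if __name__ == "__main__":
    # four attempts within a minute: the fourth is blacklisted (constructed timings)
    print(simulate(RULES_PAGE_ORDER, [0, 10, 20, 30, 40]))
    # attempts 90 s apart: each ssh_stage1 entry expires before the next attempt
    print(simulate(RULES_PAGE_ORDER, [0, 90, 180, 270]))
    # same rules listed ascending: a single packet climbs every stage at once
    print(simulate(RULES_ASCENDING, [0]))
```

The second run is the caveat worth knowing when tuning these rules: with 1m stage timeouts, a source that spaces attempts more than a minute apart never leaves ssh_stage1, so raising the stage timeouts widens the window the rules can catch, at the cost of keeping more dynamic entries.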
Opening management access from the Internet by pinging with 740-byte packets (the pinging address is added to the permit list for an hour):
/ip firewall filter
add action=add-src-to-address-list address-list=permit address-list-timeout=1h chain=input packet-size=740-790 protocol=icmp
add action=accept chain=input comment="Managment \E8 Btest" connection-state=new dst-port=80,8291,22,2000 protocol=tcp src-address-list=permit
add action=accept chain=input comment="Permit NTP, SNMP \E8 Btest" connection-state=new dst-port=53,123,161,2000 protocol=udp src-address-list=permit
Closing port 53 (DNS spoofing), or any other port, on the WAN interface:
/ip firewall filter add chain=input action=drop protocol=udp in-interface=ether1 dst-port=53
Then open the rule's statistics and check whether there is a flood of such packets; if there is, add the address-list rules below, which remember the offending source for an hour:
/ip firewall filter
add action=add-src-to-address-list address-list="dns spoofing" address-list-timeout=1h chain=input comment="Block DNS Spoofing" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Block DNS Spoofing" dst-port=53 in-interface=ether1 protocol=udp src-address-list="dns spoofing"
Sending the configuration by e-mail every week (scheduler, script entry and e-mail settings):
/system scheduler add interval=1w name=Backup_Config on-event=Backup_Config policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/16/2022 start-time=00:00:00
/system script add dont-require-permissions=no name=Backup_Config owner=gptel policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
/tool e-mail set address=77.88.21.158 from=<Mikrotik_test> password=ndwmshortsxgvjxp start-tls=yes user=svis-s@yandex.ru
Script (paste into the script's "Source" field):
/export file=export_config
/tool e-mail send server=77.88.21.158 port=25 user=svis-s@yandex.ru password=ndwmshortsxgvjxp start-tls=yes to="svis-s@yandex.ru" from=svis-s@yandex.ru subject="$[/system identity get name] export_config" body="$[/system clock get date] configuration file" file=export_config.rsc
Script #2 (work mail server, without TLS encryption):
/export file=export_config
/tool e-mail send server=77.73.24.4 port=25 user=p-sulimov@gptel.ru password=fgh78vb to="p-sulimov@gptel.ru" from=p-sulimov@gptel.ru subject="$[/system identity get name] - export configuration file" body="Data creation configuration file: $[/system clock get date]" file=export_config.rsc