我的ROS 7.9防火墙规则

mantouboji

我的RB4011 配置里firewall部分供参考，欢迎提意见。

1. # may/08/2023 16:48:21 by RouterOS 7.9
   
2. #
   
3. # model = RB4011iGS+5HacQ2HnD
   
4. /ip firewall address-list
   
5. add address=123.45.67.89 comment=Giga3 list=vps
   
6. add address=23.237.231.0/24 comment=SatTV list=vps
   
7. /ip firewall filter
   
8. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
   
9.     connection-state=established,related hw-offload=yes
   
10. add action=accept chain=forward comment=\
    
11.     "defconf: accept established,related, untracked" connection-state=\
    
12.     established,related,new,untracked
    
13. add action=accept chain=input comment=\
    
14.     "defconf: accept established,related,untracked" connection-state=\
    
15.     established,related,untracked
    
16. add action=accept chain=forward comment="Allow all from local" \
    
17.     in-interface-list=!WAN
    
18. add action=accept chain=input comment="Accept all from local " \
    
19.     in-interface-list=LAN
    
20. add action=accept chain=input comment="RB4011 accept SSH" dst-port=22,80,443 \
    
21.     in-interface-list=WAN protocol=tcp
    
22. add action=accept chain=input comment="local WG virtual**" dst-port=12312 \
    
23.     in-interface=pppoe-out1 protocol=udp
    
24. add action=accept chain=input comment="accept OSPF" in-interface-list=WAN \
    
25.     protocol=ospf
    
26. add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    
27. add action=accept chain=input comment=\
    
28.     "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
    
29. add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    
30.     invalid
    
31. add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    
32.     in-interface-list=!LAN
    
33. add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    
34.     ipsec-policy=in,ipsec
    
35. add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    
36.     ipsec-policy=out,ipsec
    
37. add action=reject chain=forward comment="Guest can't access main " \
    
38.     connection-state=invalid,new dst-address=192.168.88.0/24 reject-with=\
    
39.     icmp-network-unreachable src-address=172.16.1.0/24
    
40. add action=drop chain=forward comment="defconf: drop invalid" \
    
41.     connection-state=invalid log=yes log-prefix=fwd
    
42. add action=drop chain=forward comment=\
    
43.     "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    
44.     connection-state=new in-interface-list=WAN
    
45. /ip firewall mangle
    
46. add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=\
    
47.     WAN passthrough=yes protocol=tcp tcp-flags=syn
    
48. add action=mark-routing chain=prerouting comment="Fitst 32 hosts no virtual**" \
    
49.     dst-address=!192.168.0.0/16 new-routing-mark=DirectWAN passthrough=no \
    
50.     src-address=192.168.88.0/27
    
51. add action=mark-routing chain=prerouting comment=\
    
52.     "atombox to WAN only use PPPoE" dst-address=!192.168.0.0/16 \
    
53.     new-routing-mark=DirectWAN passthrough=no src-mac-address=\
    
54.     12:34:56:B2:33:80
    
55. add action=mark-routing chain=prerouting comment="All VPS go PPPoE" \
    
56.     dst-address-list=vps new-routing-mark=DirectWAN passthrough=yes
    
57. add action=mark-routing chain=prerouting comment="Guest vlan " \
    
58.     new-routing-mark=DirectWAN passthrough=no src-address=172.16.1.0/24
    
59. /ip firewall nat
    
60. add action=src-nat chain=srcnat comment=SRC out-interface=pppoe-out1 \
    
61.     to-addresses=101.102.103.104
    
62. add action=src-nat chain=srcnat out-interface=wg1 to-addresses=10.28.6.20
    
63. add action=src-nat chain=srcnat out-interface=wg2 to-addresses=10.28.7.20
    
64. add action=src-nat chain=srcnat comment=SRC log=yes out-interface=pppoe-out1 \
    
65.     src-address=172.16.0.0/16 to-addresses=101.102.103.104
    
66. add action=src-nat chain=srcnat comment="VLAN IoT" out-interface=vlan_iot \
    
67.     to-addresses=172.16.10.1
    
68. add action=masquerade chain=srcnat comment="Fiber Modem" out-interface=ether1
    
69. /ip firewall service-port
    
70. set ftp disabled=yes
    
71. set tftp disabled=yes
    
72. set h323 disabled=yes
    
73. set p p t p disabled=yes
    
74. set rtsp disabled=no
    
75. #
    
76. # IPV6
    
77. #
    
78. /ipv6 firewall address-list
    
79. add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
    
80. add address=::1/128 comment="defconf: lo" list=bad_ipv6
    
81. add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
    
82. add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
    
83. add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
    
84. add address=100::/64 comment="defconf: discard only " list=bad_ipv6
    
85. add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
    
86. add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
    
87. add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
    
88. /ipv6 firewall filter
    
89. add action=accept chain=input comment=\
    
90.     "defconf: accept established,related,untracked" connection-state=\
    
91.     established,related,untracked
    
92. add action=accept chain=forward comment=\
    
93.     "defconf: accept established,related,untracked" connection-state=\
    
94.     established,related,untracked
    
95. add action=accept chain=forward comment="Allow Local " in-interface-list=!WAN
    
96. add action=accept chain=forward comment=Ping protocol=icmpv6
    
97. add action=accept chain=input comment="accept anything from LAN" \
    
98.     in-interface-list=!WAN
    
99. add action=accept chain=input comment="RB4011 accept SSH" dst-port=22,80,443 \
    
100.     in-interface-list=WAN protocol=tcp
     
101. add action=accept chain=forward comment="allow SSH,WWW,HTTPS,etc" dst-port=\
     
102.     22,80,443,993 in-interface-list=WAN protocol=tcp
     
103. add action=accept chain=input comment="Local Wireguard" dst-port=12312 \
     
104.     in-interface=pppoe-out1 protocol=udp
     
105. add action=accept chain=input comment="for OSPF" protocol=ospf
     
106. add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
     
107.     icmpv6
     
108. add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
     
109.     33434-33534 protocol=udp
     
110. add action=accept chain=input comment=\
     
111.     "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
     
112.     udp src-address=fe80::/10
     
113. add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
     
114.     protocol=udp
     
115. add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
     
116.     ipsec-ah
     
117. add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
     
118.     ipsec-esp
     
119. add action=accept chain=input comment=\
     
120.     "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
     
121. add action=drop chain=input comment="defconf: drop invalid" connection-state=\
     
122.     invalid
     
123. add action=drop chain=forward comment=\
     
124.     "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
     
125. add action=drop chain=forward comment=\
     
126.     "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
     
127. add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
     
128.     hop-limit=equal:1 protocol=icmpv6
     
129. add action=drop chain=forward comment="defconf: drop invalid" \
     
130.     connection-state=invalid
     
131. add action=accept chain=forward comment="defconf: accept HIP" protocol=139
     
132. add action=drop chain=forward comment=\
     
133.     "defconf: drop everything else not coming from LAN" in-interface-list=\
     
134.     !LAN
     
135. /ipv6 firewall mangle
     
136. add action=change-mss chain=forward comment="fix MTU, make HTTPS happy" \
     
137.     new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
     
138. add action=mark-routing chain=prerouting comment=ATOMBOX dst-address=::/0 \
     
139.     in-interface-list=LAN log=yes new-routing-mark=DirectWAN passthrough=no \
     
140.     src-mac-address=12:34:56:B2:33:80
     
141. /ipv6 firewall nat
     
142. add action=src-nat chain=srcnat out-interface=wg1 src-address=!fe00::/8 \
     
143.     to-address=fd80:88:2::20/128
     
144. add action=src-nat chain=srcnat out-interface=wg2 src-address=!fe00::/8 \
     
145.     to-address=fd80:88:66:3::20/128
     
146. add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
     
147.     fd80::/16

复制代码

请不要胡乱输入以及粘贴、复制等方式灌水

请尊重作者、并共同维护网站的正常阅读，否则账户将会被限制发帖、回帖，站内短信以及阅读权限等都会受到影响，谢谢。 具体限制方式：https://www.right.com.cn/forum/thread-8307840-1-1.html

mantouboji

精品网只是IPv4部分，走IPv6就不是了[尴尬]。

因为wireguard的udp会被QoS限速，我搞了定时更换随机端口，还兮嘎嘎搞了对VPS地址IPv4和IPv6地址的乒乓切换，发现换到v6后延迟增长了一大截，从130变到了180-250。还是老老实实只在v4地址上随机切换端口吧。

arieslo

能看到你这份内容。。才知道怎么修改。。才知道怎么应用到自己的环境内。。。

mantouboji

arieslo 发表于 2023-5-17 12:00
能看到你这份内容。。才知道怎么修改。。才知道怎么应用到自己的环境内。。。 ...

ssh进去命令行操作嘛，老鸟都懂的。

phoniex

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
你这条开启，QUEUES已无效，不过也对，你是硬路由，我是软路由。

linuxunion

好复杂。。。。。。。。。

cerellean

能写个注释吗？

mantouboji

cerellean 发表于 2023-6-6 21:40
能写个注释吗？

里面的comment= 就是注释啊

garrickchen

求问大神，add action=accept chain=input comment="accept OSPF" in-interface-list=WAN \ protocol=ospf，路由表是通过旁路由获取的对吗？这条放行wan进入流量不是很懂为什么要这样做

mantouboji

garrickchen 发表于 2023-6-18 11:07
求问大神，add action=accept chain=input comment="accept OSPF" in-interface-list=WAN \ protocol=ospf ...

没有旁路由。跟远程的VPS交换OSPF路由信息。bird2运行在远程的VPS 上（Ubuntu 22.04）

garrickchen

mantouboji 发表于 2023-6-18 14:49
没有旁路由。跟远程的VPS交换OSPF路由信息。bird2运行在远程的VPS 上（Ubuntu 22.04） ...

这样明白了，感谢回答

mantouboji

garrickchen 发表于 2023-6-18 14:52
这样明白了，感谢回答

这样如果跟VPS之间的隧道断了，OSPF会自动撤销所有的路由。一旦恢复又能自动更新。

garrickchen

mantouboji 发表于 2023-6-18 15:04
这样如果跟VPS之间的隧道断了，OSPF会自动撤销所有的路由。一旦恢复又能自动更新。

...

另外想请教一下ROS的DNS设置是公共DNS还是走隧道的IP啊？

mantouboji

garrickchen 发表于 2023-6-19 10:26
另外想请教一下ROS的DNS设置是公共DNS还是走隧道的IP啊？

我本来是另外装了一个跑armbian的OrangePi 小盒子，运行china-dns-ng

后来另外一个帖子里大师给我建议了在VPS上跑AdGuard Home，于是就改进了，两个都在用。

国内的公共DNS完全不靠谱。也是被污染过的。

nobug1

mantouboji 发表于 2023-5-16 22:18
精品网只是IPv4部分，走IPv6就不是了[尴尬]。

因为wireguard的udp会被QoS限速，我搞了定时更换随机端口， ...

随机切换端口能解决？需要怎么操作