Mikrotik WAN Bacağı Erişim Engelleme

3 sene önce, Burak Çalışkan tarafından yazılmıştır.
Mikrotik WAN Bacağı Erişim Engelleme için yorumlar kapalı
Mikrotik

D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related in-interface=PPPoE_RDS log=no log-prefix="" 

;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related in-interface=PPPoE_RDS log=no log-prefix="" 

;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid in-interface=PPPoE_RDS log=no log-prefix="" 

;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=ETH1_and_PPPoE log=no log-prefix="" 

;;; HTTP WAN
      chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=80 log=no log-prefix="" 

;;; WinBox WAN
      chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=8291 log=no log-prefix="" 

;;; API WAN
      chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=8728 log=no log-prefix="" 

;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid in-interface=PPPoE_RDS log=no log-prefix="" 

;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

;;; Accept L2TP VPN
      chain=input action=accept protocol=udp in-interface=PPPoE_RDS dst-port=1701 log=no log-prefix="" 

;;; Accept L2TP VPN
      chain=input action=accept protocol=udp in-interface=PPPoE_RDS dst-port=500 log=no log-prefix="" 

;;; Accept L2TP VPN
      chain=input action=accept protocol=udp in-interface=PPPoE_RDS dst-port=4500 log=no log-prefix="" 

;;; Accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

;;; drop DNS requests from WAN
      chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=53 log=no log-prefix="" 

;;; drop DNS requests from WAN
      chain=input action=drop protocol=udp in-interface=PPPoE_RDS dst-port=53 log=no log-prefix="" 

;;; defconf: drop all from WAN
      chain=input action=drop in-interface=PPPoE_RDS log=no log-prefix="" 

;;; defcon: drop all ETH1
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""

D ;;; special dummy rule to show fasttrack counters

chain=forward action=passthrough

;;; defconf: fasttrack

chain=forward action=fasttrack-connection connection-state=established,related in-interface=PPPoE_RDS log=no log-prefix=""

;;; defconf: accept established,related

chain=forward action=accept connection-state=established,related in-interface=PPPoE_RDS log=no log-prefix=""

;;; defconf: drop invalid

chain=forward action=drop connection-state=invalid in-interface=PPPoE_RDS log=no log-prefix=""

;;; defconf: drop all from WAN not DSTNATed

chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=ETH1_and_PPPoE log=no log-prefix=""

;;; HTTP WAN

chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=80 log=no log-prefix=""

;;; WinBox WAN

chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=8291 log=no log-prefix=""

;;; API WAN

chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=8728 log=no log-prefix=""

;;; defconf: drop invalid

chain=input action=drop connection-state=invalid in-interface=PPPoE_RDS log=no log-prefix=""

;;; defconf: accept established,related

chain=input action=accept connection-state=established,related log=no log-prefix=""

;;; Accept L2TP VPN

chain=input action=accept protocol=udp in-interface=PPPoE_RDS dst-port=1701 log=no log-prefix=""

;;; Accept L2TP VPN

chain=input action=accept protocol=udp in-interface=PPPoE_RDS dst-port=500 log=no log-prefix=""

;;; Accept L2TP VPN

chain=input action=accept protocol=udp in-interface=PPPoE_RDS dst-port=4500 log=no log-prefix=""

;;; Accept ICMP

chain=input action=accept protocol=icmp log=no log-prefix=""

;;; drop DNS requests from WAN

chain=input action=drop protocol=tcp in-interface=PPPoE_RDS dst-port=53 log=no log-prefix=""

;;; drop DNS requests from WAN

chain=input action=drop protocol=udp in-interface=PPPoE_RDS dst-port=53 log=no log-prefix=""

;;; defconf: drop all from WAN

chain=input action=drop in-interface=PPPoE_RDS log=no log-prefix=""

;;; defcon: drop all ETH1

chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""