Default firewall rule configuration for RouterOS

Setting up interface lists

First we define the interface groupings that distinguish external from internal networks:

/interface list
add name=WAN comment="redes externas"
add name=LAN comment="redes internas"

/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=WAN
add interface=pppoe-client1 list=WAN

Firewall rules for IPv4 traffic

We configure the base rules that inspect and filter packets in the input and forward chains:

/ip firewall filter
add chain=input protocol=icmp action=accept comment="permitir icmp"
add chain=input connection-state=established,related,untracked action=accept comment="permitir sesiones activas"

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="descartar invalidos"
add chain=input in-interface-list=WAN action=drop comment="bloquear WAN entrante"
add chain=forward connection-state=established,related action=fasttrack-connection comment="acelerar sesiones"
add chain=forward connection-state=established,related,untracked action=accept comment="permitir transito valido"
add chain=forward connection-state=invalid action=drop comment="descartar transito invalido"
add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=!dstnat action=drop comment="bloquear WAN sin DNAT"

Port scan detection

We identify and block addresses that perform port scans:

/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="escaneos" address-list-timeout=2w comment="detectar psd"
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="escaneos" address-list-timeout=2w comment="detectar FIN stealth"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="escaneos" address-list-timeout=2w comment="detectar SYN/FIN"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="escaneos" address-list-timeout=2w comment="detectar SYN/RST"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="escaneos" address-list-timeout=2w comment="detectar FIN/PSH/URG"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="escaneos" address-list-timeout=2w comment="detectar ALL"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="escaneos" address-list-timeout=2w comment="detectar NULL"
add chain=input src-address-list="escaneos" action=drop comment="bloquear escaneadores"
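As an added example (not code from the original page), a small Python audit that parses RouterOS `add` lines and checks the ordering properties the IPv4 and port-scan sections rely on: the established/related accept comes before any drop, each chain ends in a drop, the fasttrack rule is directly followed by its accept, and detection rules are not placed below the bare in-interface-list=WAN drop. Run on this page's own rule order it reports that the psd rule, added after the WAN input drop, never sees WAN traffic; moving the detection rules above that drop clears the finding. The sample is a constructed subset of the page's rules; the check names and messages are this example's own.

```python
import shlex
from collections import defaultdict
# Constructed sample: a subset of the page's IPv4 rules (input, psd detection
# and its address-list drop, forward) in the order the page adds them.
SAMPLE = """
add chain=input connection-state=established,related,untracked action=accept comment="permitir sesiones activas"
add chain=input connection-state=invalid action=drop comment="descartar invalidos"
add chain=input in-interface-list=WAN action=drop comment="bloquear WAN entrante"
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="escaneos" address-list-timeout=2w comment="detectar psd"
add chain=input src-address-list="escaneos" action=drop comment="bloquear escaneadores"
add chain=forward connection-state=established,related action=fasttrack-connection comment="acelerar sesiones"
add chain=forward connection-state=established,related,untracked action=accept comment="permitir transito valido"
add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=!dstnat action=drop comment="bloquear WAN sin DNAT"
"""

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted values whole."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)
        if parts and parts[0] == "add":
            rules.append(dict(p.split("=", 1) for p in parts[1:] if "=" in p))
    return rules

def audit(rules):
    """Return ordering findings; RouterOS evaluates each chain top to bottom."""
    findings, by_chain = [], defaultdict(list)
    for r in rules:
        by_chain[r["chain"]].append(r)
    for chain, rs in by_chain.items():
        est = next((i for i, r in enumerate(rs) if r.get("action") == "accept"
                    and "established" in r.get("connection-state", "")), None)
        drop = next((i for i, r in enumerate(rs) if r.get("action") == "drop"), None)
        if est is not None and drop is not None and drop < est:
            findings.append(f"{chain}: drop #{drop} precedes the established accept")
        if rs[-1].get("action") != "drop":
            findings.append(f"{chain}: does not end in a drop (default policy is accept)")
        # A bare interface-list drop shadows every later rule for that interface list.
        shadow = next((i for i, r in enumerate(rs) if r.get("action") == "drop"
                       and set(r) <= {"chain", "action", "comment", "in-interface-list"}), None)
        for i, r in enumerate(rs):
            if shadow is not None and i > shadow and r.get("action") == "add-src-to-address-list":
                findings.append(f"{chain}: detection rule #{i} is after the "
                                f"{rs[shadow]['in-interface-list']} drop and never sees that traffic")
    fwd = by_chain.get("forward", [])
    ft = next((i for i, r in enumerate(fwd) if r.get("action") == "fasttrack-connection"), None)
    if ft is not None and (ft + 1 >= len(fwd) or fwd[ft + 1].get("action") != "accept"):
        findings.append("forward: fasttrack rule must be directly followed by an accept")
    return findings
```

To audit a live router, paste the output of `/ip firewall filter export` into `SAMPLE` in place of the constructed subset.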

Firewall rules for IPv6 traffic

If IPv6 is in use, additional configuration is required. First we define the invalid prefixes:

/ipv6 firewall address-list
add address=::/128 list=ipv6_invalid comment="direccion no especificada"
add address=::1/128 list=ipv6_invalid comment="loopback"
add address=fec0::/10 list=ipv6_invalid comment="site-local obsoleto"
add address=::ffff:0.0.0.0/96 list=ipv6_invalid comment="mapeado ipv4"
add address=::/96 list=ipv6_invalid comment="compat ipv4"
add address=100::/64 list=ipv6_invalid comment="discard"
add address=2001:db8::/32 list=ipv6_invalid comment="documentacion"
add address=2001:10::/28 list=ipv6_invalid comment="ORCHID"
add address=3ffe::/16 list=ipv6_invalid comment="6bone"
add address=::224.0.0.0/100 list=ipv6_invalid comment="multicast invalido"
add address=::127.0.0.0/104 list=ipv6_invalid comment="loopback invalido"
add address=::/104 list=ipv6_invalid comment="espacio invalido"
add address=::255.0.0.0/104 list=ipv6_invalid comment="broadcast invalido"

Now the IPv6 filter rules:

/ipv6 firewall filter
add chain=input connection-state=established,related,untracked action=accept comment="sesiones activas"
add chain=input connection-state=invalid action=drop comment="descartar invalidos"
add chain=input protocol=icmpv6 action=accept comment="permitir icmpv6"
add chain=input protocol=udp port=33434-33534 action=accept comment="traceroute udp"
add chain=input protocol=udp dst-port=546 src-address=fe80::/16 action=accept comment="dhcpv6 client"
add chain=input protocol=udp dst-port=500,4500 action=accept comment="ike"
add chain=input protocol=ipsec-ah action=accept comment="ipsec ah"
add chain=input protocol=ipsec-esp action=accept comment="ipsec esp"
add chain=input ipsec-policy=in,ipsec action=accept comment="politica ipsec"
add chain=input in-interface-list=!LAN action=drop comment="bloquear no-LAN"

/ipv6 firewall filter
add chain=forward connection-state=established,related,untracked action=accept comment="transito valido"
add chain=forward connection-state=invalid action=drop comment="transito invalido"
add chain=forward src-address-list=ipv6_invalid action=drop comment="origen invalido"
add chain=forward dst-address-list=ipv6_invalid action=drop comment="destino invalido"
add chain=forward protocol=icmpv6 hop-limit=equal:1 action=drop comment="hop-limit 1"
add chain=forward protocol=icmpv6 action=accept comment="icmpv6 forwarding"
add chain=forward protocol=139 action=accept comment="hip"
add chain=forward protocol=udp dst-port=500,4500 action=accept comment="ike forwarding"
add chain=forward protocol=ipsec-ah action=accept comment="ah forwarding"
add chain=forward protocol=ipsec-esp action=accept comment="esp forwarding"
add chain=forward ipsec-policy=in,ipsec action=accept comment="ipsec forwarding"
add chain=forward in-interface-list=!LAN action=drop comment="bloquear forwarding no-LAN"

Tags: RouterOS Mikrotik firewall iptables IPv6

Published 6-27 22:26