Linux服务器 中的 RouterOS官方防火墙脚本


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-18   浏览: 52 ::

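# RouterOS firewall script (connection tracking section).
# The source page had every space stripped from the script, which makes it
# unparseable on import; the tokens below are the same ones, re-separated.
# Timeouts are kept exactly as published; short UDP/ICMP timeouts free
# tracking entries quickly, the 1d established-TCP timeout keeps long idle
# sessions alive.
/ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m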
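# Filter rules for traffic addressed to the router itself (chain=input).
# Re-spaced from the whitespace-stripped page listing; rule order is the
# published order and matters: the black_list tarpit rule must come before
# the rule that populates black_list, and the final drop is the default
# policy for everything the services/ICMP chains do not accept.
/ip firewall filter
add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
# Sources already on black_list are tarpitted once they hold >3 connections.
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
# NOTE(review): >10 concurrent TCP connections from one /32 puts that address
# on black_list for a day. NAT gateways and browsers opening parallel
# connections may exceed this on a busy router - tune before relying on it.
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input dst-address-type=!local action=drop comment="drop all that is not to local" disabled=no
add chain=input src-address-type=!unicast action=drop comment="drop all that is not from unicast" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
# Disabled by default; enable to log what reaches the final drop.
add chain=input action=log log-prefix="input" comment="" disabled=yes
add chain=input action=drop comment="drop everything else" disabled=no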
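# Chain ICMP: accept a small, rate-limited set of ICMP types/codes
# (icmp-options=type:code) and drop the rest. Both input and forward jump here.
# NOTE(review): "limit=5,5" is the rate,burst form used at the time this was
# published; newer RouterOS releases expect "limit=5,5:packet" - check your
# version before importing.
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no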
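# Chain services: which router-hosted services the input chain lets through.
# Rules with disabled=yes are templates; enable only the services you run.
# NOTE(review): every enabled rule below accepts from ANY source. Management
# services (ssh, winbox, http, telnet, ftp) are safer restricted with
# src-address= or src-address-list= to the networks you administer from.
add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no
# NOTE(review): ftp and telnet carry credentials in cleartext; prefer ssh/sftp
# (tcp/22 below) and disable these two unless they are actually needed.
add chain=services protocol=tcp dst-port=20-21 action=accept comment="allow ftp" disabled=no
add chain=services protocol=tcp dst-port=22 action=accept comment="allow sftp, ssh" disabled=no
add chain=services protocol=tcp dst-port=23 action=accept comment="allow telnet" disabled=no
add chain=services protocol=tcp dst-port=80 action=accept comment="allow http, webbox" disabled=no
add chain=services protocol=tcp dst-port=8291 action=accept comment="Allow winbox" disabled=no
add chain=services protocol=udp dst-port=20561 action=accept comment="allow MAC winbox" disabled=no
# NOTE(review): an enabled allow from one fixed external address with no
# explanatory comment. Confirm who owns this address and why it needs
# tcp/7828 on the router; disable the rule if the purpose is unknown.
add chain=services src-address=159.148.172.205 protocol=tcp dst-port=7828 action=accept comment="..." disabled=no
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=yes
add chain=services protocol=udp dst-port=5678 action=accept comment="MT Discovery Protocol" disabled=yes
add chain=services protocol=tcp dst-port=53 action=accept comment="allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=53 action=accept comment="Allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=1701 action=accept comment="allow L2TP" disabled=yes
add chain=services protocol=tcp dst-port=1723 action=accept comment="allow PPTP" disabled=yes
add chain=services protocol=gre action=accept comment="allow PPTP and EoIP" disabled=yes
add chain=services protocol=ipencap action=accept comment="allow IPIP" disabled=yes
add chain=services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=yes
add chain=services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=yes
add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=yes
add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=yes
# Fixed: the published rule used protocol=tcp, but NTP runs over udp/123.
add chain=services protocol=udp dst-port=123 action=accept comment="allow NTP" disabled=yes
# Fixed: the published rule used protocol=tcp, but SNMP queries arrive on udp/161.
add chain=services protocol=udp dst-port=161 action=accept comment="allow SNMP" disabled=yes
add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=yes
add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=yes
add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=yes
add chain=services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes
add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=yes
add chain=services protocol=ospf action=accept comment="allow OSPF" disabled=yes
# NOTE(review): the published comment says BGP, but BGP is tcp/179 (above);
# confirm which service actually uses udp/5000-5100 before enabling this.
add chain=services protocol=udp dst-port=5000-5100 action=accept comment="allow BGP" disabled=yes
add chain=services protocol=tcp dst-port=1720 action=accept comment="allow Telephony" disabled=yes
add chain=services protocol=udp dst-port=1719 action=accept comment="allow Telephony" disabled=yes
add chain=services protocol=vrrp action=accept comment="allow VRRP" disabled=yes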
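# Chain virus: drops transit traffic (the forward chain jumps here) to ports
# historically used by worms and backdoors. Matching is by destination port
# only, so anything legitimately served on one of these ports through the
# router is blocked as well - review the list against your own services.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
# The comment text of the next three rules is missing on the source page.
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
# The published list had a second tcp/2745 rule ("Drop Beagle.C-K"); it could
# never match because the "Bagle Virus" rule above already drops tcp/2745,
# so it is omitted here.
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Gaobot" disabled=no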
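# Chain forward: traffic routed through the box. Unlike input, this chain
# ends in accept, so anything not dropped by the bogon/ICMP/virus rules is
# allowed in both directions - add your own LAN/WAN policy above the last rule.
add chain=forward connection-state=established action=accept comment="accept established packets" disabled=no
add chain=forward connection-state=related action=accept comment="accept related packets" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=forward src-address-type=!unicast action=drop comment="drop all that is not from unicast" disabled=no
# "internet" is the name of the WAN interface; it must match the interface
# name on your router or these two bogon rules never match anything.
add chain=forward in-interface=internet src-address-list=not_in_internet action=drop comment="drop data from bogon IP's" disabled=no
add chain=forward in-interface=!internet dst-address-list=not_in_internet action=drop comment="drop data to bogon IP's" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to virus chain" disabled=no
add chain=forward action=accept comment="Accept everything else" disabled=no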
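# Chain output: traffic the router itself originates.
# NOTE(review): only established/related packets are accepted, so the final
# rule drops every NEW connection the router starts (its own DNS lookups, NTP
# client, package downloads, etc.). Confirm that is intended; otherwise add
# explicit accept rules for the router's own clients before the last drop.
add chain=output connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=output connection-state=related action=accept comment="accept related packets" disabled=no
add chain=output connection-state=established action=accept comment="accept established packets" disabled=no
add chain=output action=drop comment="Drop all connections from this router" disabled=no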
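# Address list used by the forward chain's bogon rules: "this" network,
# RFC 1918 private ranges, link-local, loopback and 224.0.0.0/3
# (multicast plus the reserved space up to 255.255.255.255).
/ip firewall address-list
add list=not_in_internet address=0.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=172.16.0.0/12 comment="" disabled=no
add list=not_in_internet address=192.168.0.0/16 comment="" disabled=no
add list=not_in_internet address=10.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=169.254.0.0/16 comment="" disabled=no
add list=not_in_internet address=127.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=224.0.0.0/3 comment="" disabled=no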
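# Connection-tracking protocol helpers. Each helper inspects its protocol's
# payload to track related connections; keep disabled the ones for protocols
# you do not pass through the router (h323, gre and pptp are disabled here).
/ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set mms disabled=no
set gre disabled=yes
set pptp disabled=yes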