
Linux服务器 中的 RouterOS官方防火墙脚本


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-18   浏览: 65 ::

# ---- connection tracking -------------------------------------------------
# State-table timeouts. Half-open (syn-sent/syn-received) and closing TCP
# states are expired quickly so they occupy the table only briefly; the 1d
# established timeout keeps long idle sessions (e.g. SSH) tracked.
/ip firewall connection tracking
set enabled=yes \
    tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m \
    tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s \
    udp-timeout=10s udp-stream-timeout=3m \
    icmp-timeout=10s generic-timeout=10m
/ip firewall filter
# ---- input chain: traffic addressed to the router itself -----------------
# Stateful fast path first, then abuse controls, then per-service accepts in
# the "services" chain; whatever returns from "services" unmatched is dropped
# by the last rule.
add chain=input connection-state=established action=accept \
    comment="accept established connection packets" disabled=no
add chain=input connection-state=related action=accept \
    comment="accept related connection packets" disabled=no
add chain=input connection-state=invalid action=drop \
    comment="drop invalid packets" disabled=no
# Port-scan detection (psd=weight-threshold,delay,low-port-weight,high-port-weight).
add chain=input protocol=tcp psd=21,3s,3,1 action=drop \
    comment="detect and drop port scan connections" disabled=no
# Sources already in black_list are tarpitted once they hold 3 connections;
# any source reaching 10 concurrent TCP connections is added to black_list for
# one day. connection-limit counts per source /32, so many clients behind a
# single NAT address are counted together -- raise the count if that is expected.
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
    action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 \
    action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input dst-address-type=!local action=drop \
    comment="drop all that is not to local" disabled=no
add chain=input src-address-type=!unicast action=drop \
    comment="drop all that is not from unicast" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP \
    comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services \
    comment="jump to chain services" disabled=no
# Disabled in the baseline; enable to log what the final drop rejects
# (log prefix "input").
add chain=input action=log log-prefix="input" comment="" disabled=yes
add chain=input action=drop comment="drop everything else" disabled=no
# ---- ICMP chain (reached from both input and forward) --------------------
# Passes echo reply (type 0), destination unreachable codes 3 and 4 (port
# unreachable; fragmentation needed, which PMTU discovery relies on), echo
# request (type 8) and time exceeded (type 11). Each rule is capped at
# 5 packets/s with a burst of 5; "limit" is one shared bucket per rule, not a
# per-source limit, so a single noisy host can consume the whole allowance.
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \
    comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept \
    comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
    comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
    comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \
    comment="11:0 and limit for 5pac/s" disabled=no
# Any other ICMP type/code (including other type-3 codes) is dropped here.
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" \
    disabled=no
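# ---- services chain: which router services may be reached ----------------
# Rules with disabled=no are live; disabled=yes rules are templates to switch
# on per deployment. None of the live management rules carry a source
# restriction -- add src-address-list=<admin list> (or in-interface=!<wan>)
# to the ftp/ssh/http/winbox rules so management is not reachable from the
# whole Internet.
add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept \
    comment="accept localhost" disabled=no
add chain=services protocol=tcp dst-port=20-21 action=accept \
    comment="allow ftp" disabled=no
add chain=services protocol=tcp dst-port=22 action=accept \
    comment="allow sftp, ssh" disabled=no
# Telnet is disabled: it carries credentials in cleartext and SSH (tcp/22,
# above) already provides the same shell access.
add chain=services protocol=tcp dst-port=23 action=accept \
    comment="allow telnet" disabled=yes
add chain=services protocol=tcp dst-port=80 action=accept \
    comment="allow http, webbox" disabled=no
add chain=services protocol=tcp dst-port=8291 action=accept \
    comment="Allow winbox" disabled=no
add chain=services protocol=udp dst-port=20561 action=accept \
    comment="allow MAC winbox" disabled=no
# NOTE(review): purpose of this rule is undocumented in the source (its
# comment is "..."); it admits tcp/7828 from one fixed external address.
# Confirm it is still required before deploying.
add chain=services src-address=159.148.172.205 protocol=tcp dst-port=7828 \
    action=accept comment="..." disabled=no
add chain=services protocol=tcp dst-port=2000 action=accept \
    comment="Bandwidth server" disabled=yes
add chain=services protocol=udp dst-port=5678 action=accept \
    comment="MT Discovery Protocol" disabled=yes
add chain=services protocol=tcp dst-port=53 action=accept \
    comment="allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=53 action=accept \
    comment="Allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=1701 action=accept \
    comment="allow L2TP" disabled=yes
add chain=services protocol=tcp dst-port=1723 action=accept \
    comment="allow PPTP" disabled=yes
add chain=services protocol=gre action=accept \
    comment="allow PPTP and EoIP" disabled=yes
add chain=services protocol=ipencap action=accept \
    comment="allow IPIP" disabled=yes
add chain=services protocol=udp dst-port=1900 action=accept \
    comment="UPnP" disabled=yes
add chain=services protocol=tcp dst-port=2828 action=accept \
    comment="UPnP" disabled=yes
add chain=services protocol=udp dst-port=67-68 action=accept \
    comment="allow DHCP" disabled=yes
add chain=services protocol=tcp dst-port=8080 action=accept \
    comment="allow Web Proxy" disabled=yes
# Fixed: NTP runs over UDP, not TCP; the original template used protocol=tcp,
# which would not have admitted NTP once enabled.
add chain=services protocol=udp dst-port=123 action=accept \
    comment="allow NTP" disabled=yes
# Fixed: SNMP polling runs over UDP, not TCP (same template error as NTP).
add chain=services protocol=udp dst-port=161 action=accept \
    comment="allow SNMP" disabled=yes
add chain=services protocol=tcp dst-port=443 action=accept \
    comment="allow https for Hotspot" disabled=yes
add chain=services protocol=tcp dst-port=1080 action=accept \
    comment="allow Socks for Hotspot" disabled=yes
add chain=services protocol=udp dst-port=500 action=accept \
    comment="allow IPSec connections" disabled=yes
add chain=services protocol=ipsec-esp action=accept \
    comment="allow IPSec" disabled=yes
add chain=services protocol=ipsec-ah action=accept \
    comment="allow IPSec" disabled=yes
add chain=services protocol=tcp dst-port=179 action=accept \
    comment="Allow BGP" disabled=yes
add chain=services protocol=udp dst-port=520-521 action=accept \
    comment="allow RIP" disabled=yes
add chain=services protocol=ospf action=accept \
    comment="allow OSPF" disabled=yes
# NOTE(review): the comment says BGP, but BGP is the tcp/179 rule above;
# what udp/5000-5100 is meant for here is not documented -- verify before enabling.
add chain=services protocol=udp dst-port=5000-5100 action=accept \
    comment="allow BGP" disabled=yes
add chain=services protocol=tcp dst-port=1720 action=accept \
    comment="allow Telephony" disabled=yes
add chain=services protocol=udp dst-port=1719 action=accept \
    comment="allow Telephony" disabled=yes
add chain=services protocol=vrrp action=accept \
    comment="allow VRRP" disabled=yes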
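# ---- virus chain: well-known worm/backdoor ports, dropped in transit -------
# Reached only from the forward chain. Every rule matches on destination port
# alone, so legitimate services that happen to use one of these ports
# (notably anything on tcp/1024-1030 or tcp/1080) are blocked as well.
# The rules are a 2009-era list; review it against current needs.
add chain=virus protocol=tcp dst-port=135-139 action=drop \
    comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop \
    comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop \
    comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop \
    comment="Drop Blaster Worm" disabled=no
# The next three rules carry placeholder comments ("________") in the source;
# the threat they target is not documented.
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" \
    disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" \
    disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" \
    disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" \
    disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
    disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
    disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
    disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
    disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
    disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
    disabled=no
# Fixed: the source had two identical tcp/2745 drop rules ("Bagle Virus" and
# "Drop Beagle.C-K"); the second could never match. Kept as one rule.
add chain=virus protocol=tcp dst-port=2745 action=drop \
    comment="Drop Bagle/Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \
    disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" \
    disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop \
    comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop \
    comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
    disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
    disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
    disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
    disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop \
    comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop \
    comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop \
    comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
    disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
    disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop \
    comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop \
    comment="Drop PhatBot, Gaobot" disabled=no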
# ---- forward chain: traffic routed through the router ---------------------
# Assumes the WAN interface is named "internet"; rename in the two bogon rules
# if it is not. Because not_in_internet contains the RFC 1918 ranges, the
# "drop data to bogon IP's" rule also stops forwarding between internal
# private subnets -- remove or narrow it on a router with several LANs.
# The virus chain has no explicit return, so unmatched traffic falls through
# to the final accept.
add chain=forward connection-state=established action=accept \
    comment="accept established packets" disabled=no
add chain=forward connection-state=related action=accept \
    comment="accept related packets" disabled=no
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid packets" disabled=no
add chain=forward src-address-type=!unicast action=drop \
    comment="drop all that is not from unicast" disabled=no
add chain=forward in-interface=internet src-address-list=not_in_internet \
    action=drop comment="drop data from bogon IP's" disabled=no
add chain=forward in-interface=!internet dst-address-list=not_in_internet \
    action=drop comment="drop data to bogon IP's" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP \
    comment="jump to chain ICMP" disabled=no
add chain=forward action=jump jump-target=virus \
    comment="jump to virus chain" disabled=no
add chain=forward action=accept comment="Accept everything else" disabled=no
# ---- output chain: traffic originated by the router -----------------------
# Only related/established packets are accepted, so any connection the router
# itself initiates (DNS lookups, NTP, pings, updates) is dropped by the last
# rule. Add accept rules for the router's own outbound needs before it.
add chain=output connection-state=invalid action=drop \
    comment="drop invalid packets" disabled=no
add chain=output connection-state=related action=accept \
    comment="accept related packets" disabled=no
add chain=output connection-state=established action=accept \
    comment="accept established packets" disabled=no
add chain=output action=drop \
    comment="Drop all connections from this router" disabled=no
# ---- bogon address list used by the forward chain -------------------------
# Private, link-local, loopback, "this network" and multicast/reserved ranges.
# NOTE(review): the list predates shared address space 100.64.0.0/10
# (RFC 6598) and omits the RFC 5737 documentation ranges; add them only if
# the WAN side is not itself numbered from them.
/ip firewall address-list
add list=not_in_internet address=0.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=172.16.0.0/12 comment="" disabled=no
add list=not_in_internet address=192.168.0.0/16 comment="" disabled=no
add list=not_in_internet address=10.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=169.254.0.0/16 comment="" disabled=no
add list=not_in_internet address=127.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=224.0.0.0/3 comment="" disabled=no
# ---- connection-tracking protocol helpers ---------------------------------
# Each enabled helper parses that protocol's control traffic to open related
# connections; keep only the ones the network actually uses. gre/pptp are off,
# matching the disabled PPTP accept rules in the services chain.
/ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set mms disabled=no
set gre disabled=yes
set pptp disabled=yes