This is a basic firewall that can be applied to any router. The script has basic rules to protect the router itself and to stop some unnecessary forwarded traffic.

Read the comment on every rule before applying it. The two DROP rules that can lock you out of the router are imported disabled and are meant to be enabled by hand once you have checked them.

First we need to create the ADDRESS LISTs for the IPs we will use most often.

Below, change x.x.x.x/x to your technical (management) subnet. This subnet will have full access to the router, so keep it as small as you can.

/ip firewall address-list add address=x.x.x.x/x disabled=no list=support

Next we have the bogon list: address space that should never be the destination of forwarded traffic. The RFC 1918 private ranges and multicast are imported disabled (disabled=yes); enable them only after checking that none of your own networks use them. The list does not include 100.64.0.0/10 (shared address space, RFC 6598) or 240.0.0.0/4 (reserved); add them if your upstream does not already filter them.

/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification" disabled=no list=bogons
add address=10.0.0.0/8 comment="Private - CLASS A # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local" disabled=no list=bogons
add address=172.16.0.0/12 comment="Private - CLASS B # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private - CLASS C # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast" disabled=no list=bogons
add address=198.18.0.0/15 comment="Benchmark testing (RFC 2544)" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons

Now the filter rules. Rules are evaluated top to bottom until one with a terminating action (accept or drop) matches. add-src-to-address-list is a passthrough action, so a detected host is first recorded in a list and then dropped by the rule directly below it, and it stays dropped until the address-list-timeout expires. ICMP from all three built-in chains is handed to a custom chain named ICMP that accepts only what the router needs (echo request and reply, time exceeded, destination unreachable and the PMTUD "fragmentation needed" message) and drops everything else. The psd=21,3s,3,1 matcher on the port-scanner rule is what makes it a detector; without it the rule would list every TCP source. The values shown are MikroTik's documented example and should be tuned for your traffic.

/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
    comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=input \
    comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" \
    disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" \
    connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established \
    disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" \
    disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" disabled=no icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp

Now we have protection against SYN floods, ICMP floods, port scans, outbound email spam and a few other things. Before enabling the two disabled DROP rules, check the following points.

The two DNS rules use port=53, which in RouterOS matches either the source or the destination port. Any packet aimed at a router service whose source port happens to be 53 is therefore accepted before the final drop rule ever sees it. Use dst-port=53 instead, and restrict those rules with in-interface or src-address-list to the networks that should be able to query the router; otherwise a router with allow-remote-requests=yes is an open resolver reachable from the internet.

connection-limit=30,32 counts concurrent connections per source /32. A large NAT gateway or proxy on the far side can legitimately exceed 30 and will be listed for 30 minutes, so raise the limit or exempt known sources before enabling the rule in production. The same applies to the spammers rule in the forward chain.

The winbox rule only covers TCP 8291. SSH, Telnet, the web interface and the API are covered only by the final "Drop anything else" rule, so do not leave that rule disabled longer than needed, and disable the services you do not use under /ip service.

You can add or remove anything else according to your needs.
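The following is an added example, not code from the page or from MikroTik: a small Python model of the page's input chain with first-match, passthrough and jump semantics, used to check what the rule order does once the winbox and final drop rules are enabled. The support subnet 198.51.100.0/24 and every packet in it are constructed. Not modelled: the psd port-scan detector, the limit= token buckets and the connection tracker (the concurrent-connection count that connection-limit would use is given on the packet), and the ICMP chain is collapsed to the types it accepts. Two results are worth looking at: a TCP packet to port 22 whose source port is 53 is accepted by "Accept DNS - TCP" because port= matches either end, and a source that once exceeded connection-limit keeps being dropped by the Syn_Flooder list on later, quiet packets.

```python
"""Added example: first-match model of the page's input chain, to see what the
rule order lets through once the winbox and final drop rules are enabled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst_port: int = 0
    src_port: int = 0
    conn_state: str = "new"           # "new", "established" or "related"
    syn: bool = False                 # TCP SYN flag set
    icmp_type: Optional[int] = None
    conn_count: int = 1               # concurrent connections from src, as connection-limit counts them

@dataclass
class Rule:
    action: str                       # accept | drop | jump | add-src-to-address-list
    comment: str
    proto: Optional[str] = None
    dst_port: Optional[set] = None
    any_port: Optional[set] = None    # RouterOS port=: matches source OR destination port
    conn_states: Optional[set] = None
    src_list: Optional[str] = None    # address-list name; a leading "!" negates
    icmp_types: Optional[set] = None
    syn: bool = False
    conn_limit: Optional[int] = None  # matches once conn_count exceeds this value
    target: Optional[str] = None      # jump target, or the list an add-src rule fills

ADDRESS_LISTS = {                     # "support" is the constructed management subnet
    "support": {ipaddress.ip_network("198.51.100.0/24")},
    "Syn_Flooder": set(),
}

CHAINS = {                            # the page's rules; psd and limit= are not modelled
    "input": [
        Rule("add-src-to-address-list", "Add Syn Flood IP to the list",
             proto="tcp", syn=True, conn_limit=30, target="Syn_Flooder"),
        Rule("drop", "Drop to syn flood list", src_list="Syn_Flooder"),
        Rule("jump", "Jump for icmp input flow", proto="icmp", target="ICMP"),
        Rule("drop", "Block all access to the winbox", proto="tcp",
             dst_port={8291}, src_list="!support"),
        Rule("accept", "Accept DNS - UDP", proto="udp", any_port={53}),
        Rule("accept", "Accept DNS - TCP", proto="tcp", any_port={53}),
        Rule("accept", "Accept established/related", conn_states={"established", "related"}),
        Rule("accept", "Full access to SUPPORT address list", src_list="support"),
        Rule("drop", "Drop anything else!"),
    ],
    "ICMP": [                         # echo, time exceeded, unreachable; ICMP codes not modelled
        Rule("accept", "Needed ICMP", proto="icmp", icmp_types={8, 0, 11, 3}),
        Rule("drop", "Drop to the other ICMPs", proto="icmp"),
    ],
}

def matches(r: Rule, p: Packet) -> bool:
    src = ipaddress.ip_address(p.src)
    return all([
        r.proto is None or r.proto == p.proto,
        r.dst_port is None or p.dst_port in r.dst_port,
        r.any_port is None or bool({p.src_port, p.dst_port} & r.any_port),
        r.conn_states is None or p.conn_state in r.conn_states,
        # a leading "!" inverts the address-list match
        r.src_list is None or any(src in net for net in ADDRESS_LISTS[r.src_list.lstrip("!")]) != r.src_list.startswith("!"),
        r.icmp_types is None or p.icmp_type in r.icmp_types,
        not r.syn or p.syn,
        r.conn_limit is None or p.conn_count > r.conn_limit,
    ])

def evaluate(p: Packet, chain: str = "input"):
    """Walk a chain; return (verdict, rule), or None when a custom chain falls through."""
    for r in CHAINS[chain]:
        if not matches(r, p):
            continue
        if r.action == "add-src-to-address-list":   # passthrough: record, keep going
            ADDRESS_LISTS[r.target].add(ipaddress.ip_network(p.src))
            continue
        if r.action == "jump":
            result = evaluate(p, r.target)
            if result is not None:
                return result
            continue
        return r.action, r.comment
    return ("accept", "implicit accept at end of input") if chain == "input" else None

def scenarios() -> dict:
    """Constructed packets, evaluated in order; returns {name: (verdict, rule)}."""
    cases = {
        "winbox from internet": Packet("tcp", "203.0.113.10", 8291, 40000, syn=True),
        "winbox from support": Packet("tcp", "198.51.100.7", 8291, 40000, syn=True),
        "dns query from internet": Packet("udp", "203.0.113.10", 53, 40000),
        "ssh from internet": Packet("tcp", "203.0.113.10", 22, 40000, syn=True),
        "ssh from internet, source port 53": Packet("tcp", "203.0.113.10", 22, 53, syn=True),
        "ping from internet": Packet("icmp", "203.0.113.10", icmp_type=8),
        "icmp redirect from internet": Packet("icmp", "203.0.113.10", icmp_type=5),
        "flooder, 31st concurrent connection": Packet("tcp", "203.0.113.66", 80, 40001, syn=True, conn_count=31),
        "flooder, later packet": Packet("tcp", "203.0.113.66", 443, 40002, syn=True, conn_count=5),
    }
    return {name: evaluate(p) for name, p in cases.items()}
```

Call scenarios() and print the dictionary to see which rule decided each packet. Changing any_port to dst_port in the two DNS rules makes the source-port-53 case fall through to "Drop anything else!", which is the effect of using dst-port=53 on the router.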