There are quite a few MikroTik routers on the wug that have no firewall on their internet interface, which leaves the router itself exposed to login attempts from the internet. This is a basic set of instructions to protect the router from the internet.
If your router logs look like this you need this:
- This assumes you have an internet interface called internet. Edit the rules if yours is named differently, e.g. pppoe-out or whatever it is called.
- This assumes you do not wish to access the rb from the internet. The rules block all access to the router itself from the internet.
- This assumes you already have NAT (masquerade) running out through the internet interface so that your PCs etc. can reach the internet.
- This assumes you have no existing firewall rules on the rb.
Firewall rules to fix the above
The rules below drop any access on the input chain from the internet, but allow the return traffic of connections the router itself initiated outbound. This protects the router from any access from the internet.
The rules do the following to all connections on the input chain (traffic to the router itself) arriving on the internet interface:
- Drop invalid connections.
- Accept established connections (the return traffic of connections the router itself opened, e.g. DNS lookups, NTP or package updates; traffic for your PCs behind NAT goes through the forward chain, not input).
- Accept connections related to the ones above.
- Drop any other connection.
To implement the rules below please do:
- Copy the rules below into a text editor.
- In your text editor replace in-interface=internet with your internet interface name, e.g. in-interface=mweb or whatever it is called.
- Open a terminal on your rb (via winbox or ssh or telnet)
- Copy the rules from your text editor.
- Right click on your terminal and select paste to paste them into your terminal.
/ip firewall filter
add action=drop chain=input comment="drop invalid connections from internet" connection-state=invalid in-interface=internet
add action=accept chain=input comment="accept established connections from internet" connection-state=established in-interface=internet
add action=accept chain=input comment="accept related connections from internet" connection-state=related in-interface=internet
add action=drop chain=input comment="drop all else from internet" in-interface=internet
Be careful when you implement the above. Do not apply this to an interface through which you are currently accessing the rb, or you may lock yourself out. Turn on Safe Mode first (Ctrl-X in the terminal, or the Safe Mode button in Winbox): if your session is cut off while Safe Mode is active, RouterOS rolls the changes back automatically.
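The checks below are an added example and are not part of the original post. They confirm the assumptions listed above before you paste the rule set, and verify the result afterwards. The interface name internet is assumed, as in the rules above.

```routeros
# Added example (not from the original post). Run in a RouterOS terminal
# BEFORE pasting the four rules above. Assumes the WAN interface is named "internet".

# 1. Confirm the internet-facing interface really is called "internet"
#    (if this prints nothing, edit the rule set to use the name shown by /interface print).
/interface print where name="internet"

# 2. Confirm the filter table is empty; the post assumes no existing rules,
#    and any existing rule above the new ones takes precedence.
/ip firewall filter print

# 3. Confirm outbound NAT already exists for the internet interface,
#    so your LAN keeps working once the input chain is closed.
/ip firewall nat print where chain=srcnat out-interface=internet

# 4. Enter Safe Mode now (Ctrl-X in the terminal or the Safe Mode button in Winbox).
#    Safe Mode is toggled interactively, not by a command; if the session drops
#    after you paste, the changes are reverted.

# 5. AFTER pasting: check rule order and watch the counters. The final
#    "drop all else from internet" rule should start counting packets within minutes.
/ip firewall filter print stats
```

If step 2 shows existing rules, read them before pasting: the input chain is evaluated top to bottom and the first matching rule wins, so an earlier accept-all would make the new drop rules ineffective.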
Want access to the router from the internet
You may need to open specific ports (e.g. the ssh or web port) to allow access. Do so by adding an accept rule before the final drop rule above, and where possible restrict it to your own source addresses rather than the whole internet. For example:
/ip firewall filter
add action=accept chain=input comment="allow ssh from internet" dst-port=22 in-interface=internet protocol=tcp
The add command appends the new rule to the end of the chain, i.e. after the final "drop all else from internet" rule, where it is never reached. After adding it you must move the rule so that it sits just before that drop rule (drag it in Winbox, or use the move command in the terminal).
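The following is an added example, not from the original post, showing the same ssh exception done in one step: the allow rule is restricted to an address list of trusted sources and inserted directly above the final drop rule with place-before, so no separate move is needed. It assumes the four rules above are already in place, the interface is called internet, and 203.0.113.10 (a documentation-range placeholder) stands in for your own fixed IP.

```routeros
# Added example (not from the original post). Assumes the interface is named
# "internet" and the rule commented "drop all else from internet" already exists.
# 203.0.113.10 is a placeholder from the documentation range; use your own static IP.

# Keep trusted management sources in an address list rather than in the rule itself,
# so adding or removing an address does not mean touching the filter rules.
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10 comment="my office static IP"

# Insert the accept rule directly above the final drop. Without place-before,
# add appends to the end of the chain and the rule would never be reached.
/ip firewall filter
add action=accept chain=input comment="allow ssh from trusted sources" \
    dst-port=22 in-interface=internet protocol=tcp src-address-list=mgmt-allowed \
    place-before=[find comment="drop all else from internet"]

# Verify: the ssh rule must print with a lower index than "drop all else from internet".
/ip firewall filter print
```

If you have no fixed source address, leave out src-address-list, but be aware that ssh is then reachable from the whole internet and the login attempts the post opens with will continue; use a strong password or key-based login in that case.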
This post is a wiki to allow anyone to edit and improve.