I have prepared something (not tested yet)
ip firewall filter
1 add chain=input action=accept protocol=icmp comment="povolit_ping"
2 add chain=input action=accept connection-state=established,related comment="povolit_nadviazane_spojenia_mk"
3 add chain=forward action=accept connection-state=established,related comment="povolit_nadviazane_spojenia_lan"
4 add chain=input action=accept dst-port=53 in-interface=!pppoe-out1 protocol=udp comment="povolit_dns_udp_okrem_wan"
5 add chain=input action=accept dst-port=53 in-interface=!pppoe-out1 protocol=tcp comment="povolit_dns_tcp_okrem_wan"
6 add chain=input action=drop dst-port=53 in-interface=pppoe-out1 protocol=udp comment="zahodit_dns_udp_wan"
7 add chain=input action=drop dst-port=53 in-interface=pppoe-out1 protocol=tcp comment="zahodit_dns_tcp_wan"
8 add chain=forward action=accept out-interface=pppoe-out1 src-mac-address=AA:1D:7D:A9:A1:CC comment="moj_pc"
9 add chain=forward action=accept out-interface=pppoe-out1 src-mac-address=BB:50:99:36:9A:DD comment="server"
10 add chain=forward action=accept dst-port=1194 protocol=tcp comment="openvpn_tcp"
11 add chain=input action=accept dst-port=21 protocol=tcp src-address=192.168.1.2 comment="ftp_z_mojho_pc"
12 add chain=input action=accept dst-port=161 in-interface=!pppoe-out1 protocol=udp comment="povolit_snmp"
13 add chain=forward action=drop connection-state=invalid comment="zahodit_neplatne_spojenia"
14 add chain=forward action=drop src-address=213.81.214.130 comment="blokovanie_ip_adresy"
15 add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1 comment="zahodit_vsetko_ostatne_z_wan_na_dstnat"
16 add chain=input action=drop connection-state=invalid comment="zahodit_neplatne_spojenia"
17 add chain=input action=drop in-interface=pppoe-out1 comment="zahodit_vsetko_ostatne"
Rules:
1. allow ping
2. connections that MK itself initiated are not checked any further
3. connections that someone from the LAN initiated are not checked any further
4, 5. allow the DNS resolver in the LAN
6, 7. drop packets that arrive at the resolver from WAN
8, 9. allow LAN access from a specific MAC to the WAN interface
10. allow OVPN in the LAN
11. allow FTP from a specific IP to the MikroTik
12. allow the SNMP port (e.g. data collection to a server)
13. drop invalid connections (I don't know exactly what this rule means, but in various guides it is always at the start of the filter)
14. blocking an IP address
15. drop everything that comes from WAN to dstnat
16. see 13, but for input
17. other packets that do not match the previous rules: drop without a reply
and NAT
ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 comment="snat_wan"
add action=masquerade chain=srcnat out-interface=ovpn-out1 comment="snat_ovpn"
add action=dst-nat chain=dstnat comment=ovpn_na_linux_servery_tcp dst-port=1194 in-interface=pppoe-out1 log=yes protocol=tcp to-addresses=192.168.1.3 to-ports=1194
add action=dst-nat chain=dstnat comment=virtualhost_z_vonku disabled=yes dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat comment=virtualhost_z_vonku_kvm disabled=yes dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.100 to-ports=80
add action=dst-nat chain=dstnat comment=virtualhost_z_vonku_ssl_443 dst-port=443 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.3 to-ports=443
I can't test it yet (I'm away from the MK). I put a description in the comments. I think it might be OK. If something is wrong in there, let me know.
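As an added example, not part of the post above and not RouterOS code: a small Python first-match evaluator that transcribes the posted filter rules and walks constructed packets through the input and forward chains the way RouterOS does (first matching rule decides; a chain with no matching rule accepts, which is the RouterOS default). Only the matchers the posted rules use are modelled, packet fields use the RouterOS matcher names with underscores, and everything other than pppoe-out1 and the rules themselves (the ether2 and bridge interface names, the sample packets, the unlisted MAC) is made up for the demonstration.

```python
"""First-match evaluator for the filter rules posted above (added example).

The posted `ip firewall filter` rules are transcribed into dicts and a packet
is walked through one chain as RouterOS does it: the first rule whose matchers
all succeed decides, and a chain with no matching rule accepts the packet.
Only the matchers the posted rules use are modelled; packet field names are
the RouterOS matcher names with '-' replaced by '_'.
"""

WAN = "pppoe-out1"


def rule(chain, action, **matchers):
    return {"chain": chain, "action": action, **matchers}


# Posted rules in posted order; list index + 1 is the number used in the post.
NOT_WAN = ("!", WAN)          # RouterOS in-interface=!pppoe-out1
FILTER = [
    rule("input", "accept", protocol="icmp"),                                        # 1
    rule("input", "accept", connection_state={"established", "related"}),            # 2
    rule("forward", "accept", connection_state={"established", "related"}),          # 3
    rule("input", "accept", dst_port=53, in_interface=NOT_WAN, protocol="udp"),      # 4
    rule("input", "accept", dst_port=53, in_interface=NOT_WAN, protocol="tcp"),      # 5
    rule("input", "drop", dst_port=53, in_interface=WAN, protocol="udp"),            # 6
    rule("input", "drop", dst_port=53, in_interface=WAN, protocol="tcp"),            # 7
    rule("forward", "accept", out_interface=WAN, src_mac="AA:1D:7D:A9:A1:CC"),       # 8
    rule("forward", "accept", out_interface=WAN, src_mac="BB:50:99:36:9A:DD"),       # 9
    rule("forward", "accept", dst_port=1194, protocol="tcp"),                        # 10
    rule("input", "accept", dst_port=21, protocol="tcp", src_address="192.168.1.2"), # 11
    rule("input", "accept", dst_port=161, in_interface=NOT_WAN, protocol="udp"),     # 12
    rule("forward", "drop", connection_state={"invalid"}),                           # 13
    rule("forward", "drop", src_address="213.81.214.130"),                           # 14
    rule("forward", "drop", connection_state={"new"},
         connection_nat_state=("!", "dstnat"), in_interface=WAN),                    # 15
    rule("input", "drop", connection_state={"invalid"}),                             # 16
    rule("input", "drop", in_interface=WAN),                                         # 17
]


def _matches(want, have):
    """One matcher: ('!', x) is RouterOS negation, a set is a state list."""
    if isinstance(want, tuple) and want[0] == "!":
        return have != want[1]
    if isinstance(want, set):
        return have in want
    return have == want


def evaluate(chain, pkt):
    """Return (rule number, action) of the first match, or (None, 'accept')."""
    for number, r in enumerate(FILTER, start=1):
        if r["chain"] != chain:
            continue
        if all(_matches(want, pkt.get(field))
               for field, want in r.items() if field not in ("chain", "action")):
            return number, r["action"]
    return None, "accept"  # no rule matched: RouterOS accepts by default


def demo_cases():
    """Constructed packets; interface names other than pppoe-out1 are assumed."""
    blocked = "213.81.214.130"
    return {
        # HTTPS from the Internet to the dst-natted server (connection already dstnat)
        "wan_https_to_dstnat": evaluate("forward", {
            "in_interface": WAN, "out_interface": "bridge", "protocol": "tcp",
            "dst_port": 443, "connection_state": "new", "connection_nat_state": "dstnat"}),
        # unsolicited SSH from the Internet, no dst-nat rule for it
        "wan_ssh_no_dstnat": evaluate("forward", {
            "in_interface": WAN, "protocol": "tcp", "dst_port": 22, "connection_state": "new"}),
        # DNS query hitting the router from WAN vs. from the LAN
        "wan_dns_udp": evaluate("input", {
            "in_interface": WAN, "protocol": "udp", "dst_port": 53, "connection_state": "new"}),
        "lan_dns_udp": evaluate("input", {
            "in_interface": "ether2", "protocol": "udp", "dst_port": 53, "connection_state": "new"}),
        # Winbox to the router itself from WAN
        "wan_winbox": evaluate("input", {
            "in_interface": WAN, "protocol": "tcp", "dst_port": 8291, "connection_state": "new"}),
        # LAN host whose MAC is not in rules 8/9 going to the Internet
        "lan_unknown_mac_to_wan": evaluate("forward", {
            "in_interface": "ether2", "out_interface": WAN, "src_mac": "00:11:22:33:44:55",
            "protocol": "tcp", "dst_port": 80, "connection_state": "new"}),
        # the blocked address: a new connection vs. a reply to a LAN-initiated one
        "blocked_ip_new": evaluate("forward", {
            "in_interface": WAN, "src_address": blocked, "connection_state": "new"}),
        "blocked_ip_established": evaluate("forward", {
            "in_interface": WAN, "src_address": blocked, "connection_state": "established"}),
    }


if __name__ == "__main__":
    for name, (number, action) in demo_cases().items():
        print(f"{name:24s} -> rule {number}: {action}")
```

Running the cases shows what the ordering gives you before it goes on the router: a new WAN connection to the dst-natted 443 matches nothing in forward and is accepted only by the chain's default, since forward has no final drop; for the same reason a LAN host with a MAC other than the two in rules 8 and 9 is accepted as well, so those two rules do not by themselves restrict anything; and reply packets from 213.81.214.130 to a connection opened from the LAN hit rule 3 before rule 14 ever sees them, while a new connection from that address is dropped by rule 14 as intended.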