3 filter applications – Allied Telesis AT-WR4500 User Manual

AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers

RouterOS v3 Configuration and User Guide

tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg) - tcp flags to match
ack - acknowledging data
cwr - congestion window reduced
ece - ECN-echo flag (explicit congestion notification)
fin - close connection
psh - push function
rst - drop connection
syn - new connection
urg - urgent data
tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet
time (time-time,sat | fri | thu | wed | tue | mon | sun{+}) - allows creating a filter based on the packets'
arrival time and date or, for locally generated packets, on their departure time and date

Because the NAT rules are applied first, keep this in mind when setting up firewall rules: by the time a
packet reaches the filter, its original addresses and ports may already have been modified by NAT.

9.1.3 Filter Applications

Protect your RouterOS router

To protect your router, you should not only change the admin password but also set up packet filtering. All
packets destined to the router itself are processed against the ip firewall input chain. Note that the
input chain does not affect packets which are being forwarded through the router.

/ip firewall filter
add chain=input connection-state=invalid action=drop \
    comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
    comment="Allow Established connections"
add chain=input protocol=udp action=accept \
    comment="Allow UDP"
add chain=input protocol=icmp action=accept \
    comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
    comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"

Protecting the Customer's Network

To protect the customer's network, we should check all traffic which goes through the router and block
what is unwanted. For icmp, tcp and udp traffic we will create chains in which all unwanted packets are dropped:

/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
comment="allow already established connections"
add chain=forward connection-state=related action=accept \
comment="allow related connections"


Block IP addresses called "bogons":

add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
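As an added illustration that is not part of the manual, the following Python model walks the two rule sets above with RouterOS first-match semantics and reports which rule decides each constructed packet; it shows, for example, that a new UDP packet from outside is accepted by the input chain's "Allow UDP" rule before the known-network rule is ever consulted. The rule dictionaries, the no-match default and the sample addresses (203.0.113.0/24 is a documentation range) are assumptions constructed for this example.

```python
import ipaddress

# Constructed stand-ins for the manual's two chains, rule order preserved.
# A rule is a dict of matchers plus an action; RouterOS walks a chain top to
# bottom and the first matching rule decides the packet.
INPUT_CHAIN = [
    {"connection-state": "invalid", "action": "drop"},
    {"connection-state": "established", "action": "accept"},
    {"protocol": "udp", "action": "accept"},
    {"protocol": "icmp", "action": "accept"},
    {"src-address": "192.168.0.0/24", "action": "accept"},
    {"action": "drop"},  # "Drop anything else"
]
FORWARD_CHAIN = [
    {"protocol": "tcp", "connection-state": "invalid", "action": "drop"},
    {"connection-state": "established", "action": "accept"},
    {"connection-state": "related", "action": "accept"},
]
for net in ["0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/3"]:  # the manual's bogons
    FORWARD_CHAIN.append({"src-address": net, "action": "drop"})
    FORWARD_CHAIN.append({"dst-address": net, "action": "drop"})

def matches(rule, pkt):
    """True if every matcher in the rule holds for the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key in ("src-address", "dst-address"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(chain, pkt):
    """Return (action, index of the deciding rule). A chain exhausted with no
    match lets the packet pass, the default for RouterOS built-in chains."""
    for idx, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule["action"], idx
    return "accept", None

# Constructed sample packets; 203.0.113.0/24 is a documentation range.
NEW_TCP_FROM_INTERNET = {"protocol": "tcp", "connection-state": "new",
                         "src-address": "203.0.113.5", "dst-address": "192.168.0.1"}
NEW_UDP_FROM_INTERNET = dict(NEW_TCP_FROM_INTERNET, protocol="udp")
NEW_TCP_FROM_LAN = dict(NEW_TCP_FROM_INTERNET, **{"src-address": "192.168.0.10"})
LOOPBACK_SPOOF = dict(NEW_TCP_FROM_INTERNET, **{"src-address": "127.0.0.1"})
```

Calling `evaluate(INPUT_CHAIN, NEW_TCP_FROM_INTERNET)` returns the index of the final drop rule, while the same packet through `FORWARD_CHAIN` returns no match, since the page's forward chain is only the beginning of the manual's configuration.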
