SergANT/network
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix firewall input from localhost to localhost

Browse Source
This commit is contained in:
Sergei Bobkov 2025-01-02 22:38:18 +03:00
parent 4f74be9369
commit 36d8ab2e0e
5 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
mikrotik/base-config/dc01-ccr01-terse.rsc
View File

@ -96,6 +96,7 @@
/ip firewall filter add action=accept chain=allow-default-for-all protocol=icmp /ip firewall filter add action=accept chain=allow-default-for-all protocol=icmp
/ip firewall filter add action=accept chain=allow-default-buh protocol=icmp /ip firewall filter add action=accept chain=allow-default-buh protocol=icmp
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSPORT LINK <--> OUTSIDE (to dc01-gw01)" connection-state=new dst-address-list=!all-networks out-interface=sfp-sfpplus12 src-address-list=all-networks /ip firewall filter add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSPORT LINK <--> OUTSIDE (to dc01-gw01)" connection-state=new dst-address-list=!all-networks out-interface=sfp-sfpplus12 src-address-list=all-networks
/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state="" /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""

1
mikrotik/base-config/dc01-emer01-terse.rsc
View File

@ -57,6 +57,7 @@
/ip firewall filter add action=accept chain=input connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=213.141.150.29 /ip firewall filter add action=accept chain=input connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=213.141.150.29
/ip firewall filter add action=accept chain=input dst-address=172.20.1.0/24 in-interface=bridge-local protocol=icmp src-address=172.20.1.0/24 /ip firewall filter add action=accept chain=input dst-address=172.20.1.0/24 in-interface=bridge-local protocol=icmp src-address=172.20.1.0/24
/ip firewall filter add action=accept chain=input connection-state=new dst-address=172.20.1.0/24 dst-port=22,8291 in-interface=bridge-local protocol=tcp src-address=172.20.1.0/24 /ip firewall filter add action=accept chain=input connection-state=new dst-address=172.20.1.0/24 dst-port=22,8291 in-interface=bridge-local protocol=tcp src-address=172.20.1.0/24
/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state="" /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""

1
mikrotik/base-config/dc01-gw01-terse.rsc
View File

@ -128,6 +128,7 @@
/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=ether8-mgmt protocol=tcp src-address-list=admin-mgm-net /ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=ether8-mgmt protocol=tcp src-address-list=admin-mgm-net
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp src-address-list=admin-L2TP-VPN-mgm /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,8291 in-interface-list=dynamic protocol=tcp src-address-list=admin-L2TP-VPN-mgm /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,8291 in-interface-list=dynamic protocol=tcp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state="" /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""

1
mikrotik/base-config/dc01-sw01-terse.rsc
View File

@ -56,6 +56,7 @@
/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net /ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state="" /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""

1
mikrotik/base-config/dc01-sw02-terse.rsc
View File

@ -56,6 +56,7 @@
/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net /ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm /ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state="" /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""