SergANT/network
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
network/mikrotik/base-config/dc01-emer01-terse.rsc

92 lines
8.4 KiB
Plaintext
Raw Blame History

# 2024-09-04 13:07:25 by RouterOS 7.15.3
# software id = 73EZ-45GQ
#
# model = RB750Gr3
# serial number = 6F380862DC41
/interface bridge add name=bridge-local
/interface ethernet set [ find default-name=ether1 ] name=ether1-outside
/interface list add name=interfaces-MAC-MGMT
/interface list add name=interfaces-outside
/ppp profile add bridge=bridge-local change-tcp-mss=yes local-address=172.20.1.1 name=emergency only-one=yes use-ipv6=no use-mpls=no use-upnp=no
/ip smb set enabled=no
/interface bridge port add bridge=bridge-local interface=ether2
/interface bridge port add bridge=bridge-local interface=ether3
/interface bridge port add bridge=bridge-local interface=ether4
/interface bridge port add bridge=bridge-local interface=ether5
/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
/ip settings set tcp-syncookies=yes
/ipv6 settings set disable-ipv6=yes
/interface list member add interface=ether2 list=interfaces-MAC-MGMT
/interface list member add interface=ether3 list=interfaces-MAC-MGMT
/interface list member add interface=ether4 list=interfaces-MAC-MGMT
/interface list member add interface=ether5 list=interfaces-MAC-MGMT
/interface list member add interface=ether1-outside list=interfaces-outside
/interface ovpn-server server set auth=sha1 certificate=ovpn-server cipher=aes256-cbc default-profile=emergency enabled=yes mode=ethernet port=40004 protocol=udp require-client-certificate=yes tls-version=only-1.2
/ip address add address=11.11.11.123/29 interface=ether1-outside network=11.11.11.120
/ip cloud set update-time=no
/ip dns set servers=8.8.8.8
/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=outside-only-22.22.22.123
/ip firewall address-list add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
/ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface-list=interfaces-outside src-address-list=all-bogon
/ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface-list=interfaces-outside
/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface-list=interfaces-outside src-address-list=all-bogon
/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface-list=interfaces-outside
/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside FID=SERVICE-RULES FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside
/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [ICMP]" connection-state=new in-interface=ether1-outside protocol=icmp
/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME OVPN server [UDP:40004]" connection-state=new dst-port=40004 in-interface=ether1-outside protocol=udp
/ip firewall filter add action=accept chain=input connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=62.212.68.103
/ip firewall filter add action=accept chain=input connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=213.141.150.29
/ip firewall filter add action=accept chain=input dst-address=172.20.1.0/24 in-interface=bridge-local protocol=icmp src-address=172.20.1.0/24
/ip firewall filter add action=accept chain=input connection-state=new dst-address=172.20.1.0/24 dst-port=22,8291 in-interface=bridge-local protocol=tcp src-address=172.20.1.0/24
/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=main suppress-hw-offload=no
/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8
/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16
/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12
/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/ppp secret add name=ivanov_ovpn profile=emergency remote-address=172.20.1.2 service=ovpn
/system clock set time-zone-name=Europe/Moscow
/system identity set name=dc01-emer01
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=0.pool.ntp.org
/system ntp client servers add address=1.pool.ntp.org
/system ntp client servers add address=2.pool.ntp.org
/system ntp client servers add address=3.pool.ntp.org
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
/tool mac-server ping set enabled=no
Reference in New Issue View Git Blame Copy Permalink