Protecting the internal network
To protect the internal network, we inspect all traffic passing through the router and drop the packets we do not want. For ICMP, TCP and UDP we create one separate chain each.
The script comes from the official documentation and can be used as-is; adjust parameters such as the subnets to your own situation.
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
# Block IP addresses that have never been allocated on the Internet (and probably never will be; they are special-purpose addresses, look up their uses yourself):
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
# Jump to the new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
# Accept new connections only after the jumps. Placed before them, as in the original script, this rule matched every new connection first and the tcp/udp/icmp chains below were never reached.
add chain=forward connection-state=new action=accept comment="allow new connections"
# Create the TCP chain and block some TCP ports in it:
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
# Block some UDP ports in the UDP chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"
# DHCP runs over UDP, so the DHCP rule belongs here rather than in the TCP chain where the original script placed it:
add chain=udp protocol=udp dst-port=67-68 action=drop comment="deny DHCP"
# Allow specific ICMP types and codes in the ICMP chain (type:code):
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="allow echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceeded"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter problem"
# Note: type 3 code 4 (fragmentation needed) is not in this list, so path MTU discovery through the router can break.
add chain=icmp action=drop comment="deny all other types"

Huh... as long as the router runs in NAT mode, the internal network is already protected...

This is meant to protect ROS, isn't it?

None of the rules above protects ROS; they are all in the forward chain. The rules that protect the router itself all belong in the input chain.
One more thing to point out: masquerading the internal network with src-nat masquerade does not by itself make it secure.
Even with masquerading, port forwarding is occasionally needed, and the forwarded host is still at risk of DoS attacks; the rule add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" gives some protection.
Also, even with masquerading, if a finance machine is infected by a reverse-connecting trojan, data can still be stolen, so blocking common trojan ports in the forward chain, as the article does, is still very necessary.
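Two things in this thread can be checked mechanically: whether the port blocks in the tcp/udp chains are ever reached given the order of the forward rules, and the reply's point that forward-chain rules never apply to traffic addressed to the router itself. The Python below is an added example, not code from the post or from MikroTik. It is a small first-match simulator that understands only the matchers the script uses (chain, protocol, connection-state, dst-port, src-address, dst-address, action and jump-target); the rule text and packets inside it are constructed for the demonstration, and the function and class names are my own.

```python
"""First-match simulator for RouterOS-style '/ip firewall filter' rules.

Added example (not MikroTik code). It supports only the matchers used in the
script above: chain, protocol, connection-state, dst-port, src-address,
dst-address, action=accept|drop|jump and jump-target. Sample data is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the posted forward chain, trimmed to the rules that matter here.
RULES_AS_POSTED = """
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward connection-state=new action=accept comment="allow new connections"
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
"""


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str           # "tcp", "udp" or "icmp"
    state: str              # conntrack state: "new", "established", "related", "invalid"
    dst_port: Optional[int] = None


_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_rules(script: str) -> list[dict]:
    """Turn 'add key=value ...' lines into dicts (quoted comment values kept whole)."""
    rules = []
    for line in script.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in _KV.findall(line[4:])})
    return rules


def _port_matches(spec: str, port: Optional[int]) -> bool:
    """dst-port accepts a single port or an inclusive 'lo-hi' range."""
    if port is None:
        return False
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Every matcher present on the rule must agree with the packet."""
    if "protocol" in rule and rule["protocol"] != pkt.protocol:
        return False
    if "connection-state" in rule and rule["connection-state"] != pkt.state:
        return False
    if "dst-port" in rule and not _port_matches(rule["dst-port"], pkt.dst_port):
        return False
    for key, addr in (("src-address", pkt.src), ("dst-address", pkt.dst)):
        if key in rule and ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[key], strict=False):
            return False
    return True


def evaluate(rules: list[dict], pkt: Packet, chain: str) -> Optional[str]:
    """Walk one chain top to bottom. Returns the first terminating action, or None
    when the chain runs out of rules (after a jump, control returns to the caller)."""
    for rule in rules:
        if rule.get("chain") != chain or not rule_matches(rule, pkt):
            continue
        action = rule.get("action", "accept")
        if action == "jump":
            result = evaluate(rules, pkt, rule["jump-target"])
            if result is not None:
                return result
            continue            # target chain matched nothing terminal: keep going here
        if action in ("accept", "drop", "reject"):
            return action
    return None


def verdict(rules: list[dict], pkt: Packet, chain: str) -> str:
    """Final fate of a packet; the filter's default policy is accept."""
    return evaluate(rules, pkt, chain) or "accept"


def select_chain(pkt: Packet, router_addresses: set[str]) -> str:
    """Traffic addressed to the router itself is handled by input, transit by forward."""
    return "input" if pkt.dst in router_addresses else "forward"


def move_new_accept_below_jumps(rules: list[dict]) -> list[dict]:
    """Copy of the rule list with the forward 'connection-state=new accept' rule
    placed right after the last forward jump, so the per-protocol chains see new flows."""
    new_rule = next(r for r in rules
                    if r.get("chain") == "forward"
                    and r.get("connection-state") == "new"
                    and r.get("action") == "accept")
    rest = [r for r in rules if r is not new_rule]
    last_jump = max(i for i, r in enumerate(rest)
                    if r.get("chain") == "forward" and r.get("action") == "jump")
    return rest[:last_jump + 1] + [new_rule] + rest[last_jump + 1:]


if __name__ == "__main__":
    posted = parse_rules(RULES_AS_POSTED)
    fixed = move_new_accept_below_jumps(posted)
    smb = Packet("203.0.113.7", "192.168.88.10", "tcp", "new", 445)      # constructed
    print("new TCP/445 as posted :", verdict(posted, smb, "forward"))     # accept
    print("new TCP/445 reordered :", verdict(fixed, smb, "forward"))      # drop
    to_router = Packet("203.0.113.7", "192.168.88.1", "tcp", "new", 8291)  # constructed
    chain = select_chain(to_router, {"192.168.88.1"})
    print(chain, "chain verdict   :", verdict(posted, to_router, chain))  # input accept
```

With the rules in the posted order, a new TCP connection to port 445 is accepted by the "allow new connections" rule before the jump to the tcp chain is ever evaluated; after moving that rule below the jumps the same packet is dropped by the cifs rule, while a new connection to a port the tcp chain does not list still falls through to the accept. The packet addressed to the router's own address lands in the input chain, which this script leaves empty, so it is accepted by the default policy regardless of anything in forward.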