/
firewall.rsc
26 lines (26 loc) · 2.24 KB
/
firewall.rsc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
*********************************************************
* Mikrotik L2TP protection. *
* https://github.com/Onoro/Mikrotik/ *
* *
*********************************************************
/ip firewall filter
add action=drop chain=input comment="L2TP brutforce IP IPSec drop" connection-state=new log=yes protocol=ipsec-esp src-address-list=\
l2tp-brutforce
add action=drop chain=input comment="L2TP brutforce IP drop" connection-state=new dst-port=1701,500,4500 log=yes protocol=udp src-address-list=\
l2tp-brutforce
add action=add-src-to-address-list address-list=l2tp-brutforce address-list-timeout=2w chain=input comment="L2TP brutforce IP to list" \
connection-state=new dst-port=1701 protocol=udp src-address-list=probe2
add action=add-src-to-address-list address-list=probe2 address-list-timeout=1m chain=input comment="L2TP brutforce protection stage 2" \
connection-state=new dst-port=1701 protocol=udp src-address-list=probe1
add action=add-src-to-address-list address-list=probe1 address-list-timeout=1m chain=input comment="L2TP brutforce protection stage 1" \
connection-state=new dst-port=1701 protocol=udp
add action=add-dst-to-address-list address-list=l2tp-brutforce address-list-timeout=1m chain=output comment="L2TP-brutforce protection stage 3 v2" \
content="M=bad" dst-address-list=l2tp-brutforce-level2
add action=add-dst-to-address-list address-list=l2tp-brutforce-level2 address-list-timeout=1m chain=output comment=\
"L2TP-brutforce protection stage 2 v2" content="M=bad" dst-address-list=l2tp-brutforce-level1
add action=add-dst-to-address-list address-list=l2tp-brutforce-level1 address-list-timeout=1m chain=output comment=\
"L2TP-brutforce protection stage 1 v2" content="M=bad"
add action=accept chain=input comment="L2TP allow only with IPsec" dst-port=1701 in-interface=ether1-WAN ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="Drop L2TP without IPsec" dst-port=1701 in-interface=ether1-WAN protocol=udp
add action=accept chain=input comment="L2TP allow" dst-port=500,4500 in-interface=ether1-WAN protocol=udp
add action=accept chain=input comment="IPSec enable" in-interface=ether1-WAN protocol=ipsec-esp