Ejercicios de Routerboard de MikroTik: permitir y bloquear la conexión SSH en el Firewall de MikroTik | Operating systems, scripting, PowerShell and security

Red

Contenidos

Ayuda

Ayuda

Firewall con ejemplos

Connection tracking: permite visualizar las conexiones en las que interviene nuestro equipo.

[admin@MikroTik] > ip firewall connection print
Flags: S - seen reply, A - assured

 #    PROTOCOL  SRC-ADDRESS           DST-ADDRESS       TCP-STATE     TIMEOUT
0 SA  tcp       192.168.88.4:34838    192.168.88.1:23   established   21h54m32s
1 SA  tcp       192.168.4.254:48101   192.168.4.1:8291  established   23h59m59s
2     udp       192.168.4.1:123       163.10.0.84:123                 8s
3 SA  tcp       192.168.4.254:51654   192.168.4.1:23    established   4m59s

[admin@MikroTik] > ip firewall connection print

Flags: S - seen reply, A - assured

# PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT

0 SA tcp 192.168.88.4:34838 192.168.88.1:23 established 21h54m32s

1 SA tcp 192.168.4.254:48101 192.168.4.1:8291 established 23h59m59s

2 udp 192.168.4.1:123 163.10.0.84:123 8s

3 SA tcp 192.168.4.254:51654 192.168.4.1:23 established 4m59s

Reglas generales

Escritura de firewall: siempre conviene empezar con las reglas de estado, para ahorrar procesamiento y acelerar las conexiones ya establecidas y las relativas.

[admin@MikroTik] > ip firewall filter add connection-state=established action=accept chain=input
[admin@MikroTik] > ip firewall filter add connection-state=related action=accept chain=input
[admin@MikroTik] > ip firewall filter add connection-state=invalid action=drop  chain=input
[admin@MikroTik] > ip firewall filter add protocol=tcp src-port=8291 in-interface=!wlan1 action=accept chain=input comment="DENIEGA WINBOX DESDE LA WIRELESS"

[admin@MikroTik] > ip firewall filter add connection-state=established action=accept chain=input

[admin@MikroTik] > ip firewall filter add connection-state=related action=accept chain=input

[admin@MikroTik] > ip firewall filter add connection-state=invalid action=drop chain=input

[admin@MikroTik] > ip firewall filter add protocol=tcp src-port=8291 in-interface=!wlan1 action=accept chain=input comment="DENIEGA WINBOX DESDE LA WIRELESS"

Aceptar conexiones VPN:

[admin@MikroTik] > ip firewall filter add protocol=gre action=accept chain=input
[admin@MikroTik] > ip firewall filter add protocol=tcp dst-port=1723 action=accept chain=input comment="ACEPTO CONEXIONES VPN"

1 2	[admin@MikroTik] > ip firewall filter add protocol=gre action=accept chain=input [admin@MikroTik] > ip firewall filter add protocol=tcp dst-port=1723 action=accept chain=input comment="ACEPTO CONEXIONES VPN"

Denegar ping y loguear los intentos de ping:

[admin@MikroTik] > ip firewall filter add protocol=icmp chain=input action=log log-prefix="PING DENEGADO"
[admin@MikroTik] > ip firewall filter add protocol=icmp action=accept chain=input comment="DENIEGO ICMP"
[admin@MikroTik] > log print
23:34:12 firewall,info PING DENEGADO input: in:ether1 out:(none), src-mac 00:21:70:fd:e3:25, proto ICMP (type 8, code 0), 192.168.4.254->192.168.4.1, len 64

[admin@MikroTik] > ip firewall filter add protocol=icmp chain=input action=log log-prefix="PING DENEGADO"

[admin@MikroTik] > ip firewall filter add protocol=icmp action=accept chain=input comment="DENIEGO ICMP"

[admin@MikroTik] > log print

23:34:12 firewall,info PING DENEGADO input: in:ether1 out:(none), src-mac 00:21:70:fd:e3:25, proto ICMP (type 8, code 0), 192.168.4.254->192.168.4.1, len 64

Uso de listas

Las listas contienen direcciones IP para las que podemos tomar determinadas acciones. De esta manera, mantenemos una única lista de direcciones y la invocamos en el firewall.

Crear una lista especificando desde dónde permitimos conexiones SSH

[admin@MikroTik] > ip firewall address-list add list=ssh-permitido address=192.168.1.2/32 comment="MAQUINA DEL ADMINISTRADOR"
[admin@MikroTik] > ip firewall filter add src-address-list=!ssh-permitido protocol=tcp dst-port=22 action=drop chain=input comment="ACEPTO SSH DESDE LAS MAQUINAS EN LA LISTA ssh-permitido"

[admin@MikroTik] > ip firewall address-list add list=ssh-permitido address=192.168.1.2/32 comment="MAQUINA DEL ADMINISTRADOR"

[admin@MikroTik] > ip firewall filter add src-address-list=!ssh-permitido protocol=tcp dst-port=22 action=drop chain=input comment="ACEPTO SSH DESDE LAS MAQUINAS EN LA LISTA ssh-permitido"

Publicado el día 15 de enero de 2021

CATEGORÍAS

Red

Cookie	Duración	Descripción
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.