Load balance PCC: 1 dedicado e 2 roteados


/ip address
# Router-side addressing: the LAN /30 toward the single inside host, the public
# /28 on wan1, and private 10.x point-to-point nets on wan2 and wan3.
add interface=Lan address=192.168.254.1/30
add interface=wan1 address=189.85.19.226/28
add interface=wan2 address=10.2.2.2/24
add interface=wan3 address=10.2.3.2/24

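/ip firewall mangle
# Per-connection-classifier (PCC) load balancing of the LAN /30 across wan1,
# wan2 and wan3. Rule order is significant within a chain: the accept rules
# come first so LAN traffic to the router's own networks is never marked.

# LAN -> directly connected networks: stop mangle processing, no marks.
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.254.0/30 in-interface=Lan
add action=accept chain=prerouting comment="" disabled=no dst-address=189.85.19.224/28 in-interface=Lan
add action=accept chain=prerouting comment="" disabled=no dst-address=10.2.2.0/24 in-interface=Lan
add action=accept chain=prerouting comment="" disabled=no dst-address=10.2.3.0/24 in-interface=Lan

# Connections that arrive on a WAN link are pinned to that link.
# These rules were in chain=input, which only sees packets addressed to the
# router itself; the dst-nat'd connections to 192.168.254.2 (forwarded, so
# never in input) got no mark and their replies left through the main-table
# default route (wan1) whichever WAN they came in on. prerouting covers both
# forwarded and router-bound traffic. connection-mark=no-mark marks a
# connection once instead of re-evaluating every packet of it.
add action=mark-connection chain=prerouting comment="" disabled=no in-interface=wan1 connection-mark=no-mark new-connection-mark=mark_wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no in-interface=wan2 connection-mark=no-mark new-connection-mark=mark_wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no in-interface=wan3 connection-mark=no-mark new-connection-mark=mark_wan3 passthrough=yes

# New LAN connections to anything that is not a local address: split over the
# three WANs by PCC. connection-mark=no-mark keeps an existing connection on the
# WAN it started on; in-interface=Lan makes the origin of these flows explicit.
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Lan connection-mark=no-mark new-connection-mark=mark_wan1 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0 src-address=192.168.254.0/30
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Lan connection-mark=no-mark new-connection-mark=mark_wan2 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1 src-address=192.168.254.0/30
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Lan connection-mark=no-mark new-connection-mark=mark_wan3 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2 src-address=192.168.254.0/30

# Forwarded packets coming from the LAN use the routing table of their
# connection. in-interface=Lan keeps packets arriving from a WAN (replies,
# dst-nat'd inbound) on the main table, which holds the route back to the LAN.
add action=mark-routing chain=prerouting comment="" connection-mark=mark_wan1 disabled=no in-interface=Lan new-routing-mark=route_wan1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=mark_wan2 disabled=no in-interface=Lan new-routing-mark=route_wan2 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=mark_wan3 disabled=no in-interface=Lan new-routing-mark=route_wan3 passthrough=yes

# Router-originated packets on a WAN-marked connection answer on the same WAN.
add action=mark-routing chain=output comment="" connection-mark=mark_wan1 disabled=no new-routing-mark=route_wan1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=mark_wan2 disabled=no new-routing-mark=route_wan2 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=mark_wan3 disabled=no new-routing-mark=route_wan3 passthrough=yes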

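/ip firewall nat
# Source NAT: everything leaving a WAN link takes that link's address.
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan3

# Published TCP services on the inside host 192.168.254.2.
# dst-address-type=local was missing: the dstnat chain also sees LAN-originated
# traffic, so any LAN connection to *any* host on these ports was rewritten to
# 192.168.254.2. Matching only the router's own addresses limits the rules to
# genuinely inbound connections.
add action=dst-nat chain=dstnat comment="Abre porta claudio viana" dst-address-type=local dst-port=7070 protocol=tcp to-addresses=192.168.254.2 to-ports=7070
add action=dst-nat chain=dstnat dst-address-type=local dst-port=4550 protocol=tcp to-addresses=192.168.254.2 to-ports=4550
add action=dst-nat chain=dstnat dst-address-type=local dst-port=7550 protocol=tcp to-addresses=192.168.254.2 to-ports=7550
add action=dst-nat chain=dstnat dst-address-type=local dst-port=7500 protocol=tcp to-addresses=192.168.254.2 to-ports=7500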

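/ip firewall filter
# Rules are grouped per chain; RouterOS evaluates each chain top to bottom and
# order only matters within a chain. Changes against the original:
#  - the "accept udp src-port=53" rules (input and forward) are gone: a remote
#    host chooses its own source port, so they let arbitrary UDP reach every
#    service on the router and every LAN host. DNS replies are accepted by the
#    established/related rules instead.
#  - stateful rules come first, and the LAN accept precedes the 21-23 drop
#    (previously that drop also cut ssh/ftp/telnet from the LAN).
#  - input ends with an explicit drop; it had none, leaving winbox/www/api/snmp
#    reachable from all three WAN links.
#  - forward only lets WAN-originated new connections reach the dst-nat'd ports.

# ---- input: traffic addressed to the router ----------------------------
add chain=input connection-state=invalid action=drop comment="Broqueio conexoes invilidas"
add chain=input connection-state=established action=accept comment="Permitir conexoes estabelecidas"
add chain=input connection-state=related action=accept comment="Permitir conexoes relacionadas"
# Management from the LAN /30. Must stay above the port drops below.
add action=accept chain=input comment="Aceitar todas conexoes concentrador" disabled=no src-address=192.168.254.0/30
add chain=input protocol=icmp action=accept comment="Permitir ICMP"

# ssh/telnet/ftp from outside the LAN are blocked outright. While this rule
# precedes them, the ftp/ssh brute-force rules below never match in input
# (ports 21/22 are already dropped); they are kept so that removing this rule
# re-enables the staged throttling instead of opening the ports unconditionally.
add action=drop chain=input comment="Broqueio ssh,telnet e ftp" disabled=no dst-port=21-23 protocol=tcp
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
# FTP: up to 9 failed logins per minute per destination are tolerated; beyond
# that the client goes to ftp_blacklist for 3h.
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
# SSH: a source must open 4 new connections within the 1-minute windows to be
# promoted stage1 -> stage2 -> stage3 -> ssh_blacklist (10 days).
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

# No rule accepts dst-port=53 from the WANs: the router's resolver is only
# reachable from the LAN (covered by the LAN accept), so it is not an open
# resolver. Everything else addressed to the router is dropped. Confirm that
# management access arrives from 192.168.254.0/30 before applying this rule.
add chain=input action=drop comment="drop everything else addressed to the router"

# ---- forward: traffic through the router -------------------------------
add chain=forward src-address=0.0.0.0/8 action=drop comment="Broqueio de Bongos"
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

# Invalid-state drop was limited to protocol=tcp; connection state is
# protocol-independent, so it now applies to every protocol.
add chain=forward connection-state=invalid action=drop comment="Broqueio conexoes invilidas"
add chain=forward connection-state=established action=accept comment="Permitir conexoes estabelecidas"
add chain=forward connection-state=related action=accept comment="permitir conexões relacionadas"

# New connections arriving on a WAN may only reach the services published by
# dst-nat (same host and ports as in /ip firewall nat). All other new
# WAN-originated connections are dropped; LAN-originated traffic is unaffected
# and continues to the per-protocol chains below.
add chain=forward protocol=tcp dst-address=192.168.254.2 dst-port=7070,4550,7550,7500 connection-state=new action=accept comment="published services (dst-nat)"
add chain=forward in-interface=wan1 connection-state=new action=drop comment="drop new connections from WAN"
add chain=forward in-interface=wan2 connection-state=new action=drop
add chain=forward in-interface=wan3 connection-state=new action=drop

add chain=forward protocol=tcp action=jump jump-target=tcp comment="Mark Jump TCP,UDP,ICMP"
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

# ---- tcp: ports never allowed through ----------------------------------
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

# ---- udp: ports never allowed through ----------------------------------
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

# ---- icmp: allow-list of types, everything else dropped ----------------
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="negar todos os outros tipos de icmp"

# Remaining TCP/UDP (LAN-originated, or WAN-originated to the published
# ports) is accepted; other protocols fall through to the chain default as before.
add action=accept chain=forward comment="Libera udp e tcp" disabled=no protocol=tcp
add action=accept chain=forward disabled=no protocol=udp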

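/ip route
# One default route per routing table (selected by the mangle routing marks),
# plus main-table defaults ordered by distance for failover.
# check-gateway=ping was missing: a WAN whose interface stays up but whose
# gateway stops answering was never marked unreachable, so connections bound
# to its table kept being sent into a dead link.
# NOTE(review): a marked table falling back to main when its only route is
# unreachable is RouterOS v6 behaviour — confirm on the running version.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=189.85.19.225 routing-mark=route_wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-mark=route_wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.3.1 routing-mark=route_wan3 scope=30 target-scope=10

# Main-table defaults: wan1 preferred, wan2 then wan3 as backups.
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=189.85.19.225 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.2.2.1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=10.2.3.1 scope=30 target-scope=10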
