Some tips about the configuration of a MikroTik router.
1. Starting the graphical configuration application
Although MikroTik has a web interface, the desktop configuration application (Winbox) is much more advanced. On Linux it can be started through Wine (Windows emulator), like this:
sudo apt-get install wine
wine winbox.exe
2. How to backup the configuration
A full, binary backup of the router can be done like this:
ssh admin@192.168.1.1
/ system backup save name=mikrotik-20120130
exit
lftp admin@192.168.1.1
get mikrotik-20120130.backup
quit
In case something goes wrong, restore it with:
/ system backup load name=mikrotik-20120130
If needed, you can reset the router before restoring the backup.
Another option is to export/import several parts (or the whole) of the router configuration. Its format is plain text, in the form of the commands that are needed to accomplish the configuration.
References:
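Because the export is plain text made of commands, two exports taken at different times can be compared to spot configuration changes (for example a NAT rule nobody added on purpose). The script below is an added example, not part of the original post: it parses the export format (menu path lines, "add ..." commands, "\" line continuations, "#" comment lines) and reports per menu path which commands were added or removed. The two exports are constructed samples, not taken from a real router.

```python
import re

# Constructed sample exports (not from a real router); the second has an extra dst-nat rule.
EXPORT_BEFORE = """\
# jan/30/2012 09:45:00 by RouterOS 5.x
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
/ip firewall nat
add chain=dstnat dst-address=109.69.41.70 protocol=tcp dst-port=80 \\
    action=dst-nat to-addresses=192.168.10.46 to-ports=80
"""
EXPORT_AFTER = """\
# jan/31/2012 10:12:00 by RouterOS 5.x
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
/ip firewall nat
add chain=dstnat dst-address=109.69.41.70 protocol=tcp dst-port=80 \\
    action=dst-nat to-addresses=192.168.10.46 to-ports=80
add chain=dstnat dst-address=109.69.41.70 protocol=tcp dst-port=22 \\
    action=dst-nat to-addresses=192.168.10.99 to-ports=22
"""

def parse_export(text):
    """Map each menu path ('/ip firewall nat') to the set of commands under it,
    joining '\\' line continuations and skipping '#' comments (date stamp etc.)."""
    sections, path, pending = {}, "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                      # finish the previous, continued command
            line, pending = pending + " " + line, ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # command continues on the next line
            pending = line[:-1].rstrip()
            continue
        line = re.sub(r"\s+", " ", line)  # normalise whitespace so equal rules compare equal
        if line.startswith("/"):         # a new menu path
            path = line
            sections.setdefault(path, set())
        else:
            sections.setdefault(path, set()).add(line)
    return sections

def diff_exports(old, new):
    """Return {path: (added, removed)} only for menu paths whose commands changed."""
    a, b, changes = parse_export(old), parse_export(new), {}
    for path in sorted(set(a) | set(b)):
        added = b.get(path, set()) - a.get(path, set())
        removed = a.get(path, set()) - b.get(path, set())
        if added or removed:
            changes[path] = (added, removed)
    return changes
```

Run it on exports saved before and after a maintenance window; an unchanged section like /ip firewall filter above is not reported, while the new port 22 dst-nat rule shows up as added.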
3. How to correct the date and time
The MikroTik router does not have an internal clock. So, after it is rebooted, it has no idea what time it is. It has to get the correct time from the internet, using the NTP protocol.
The commands look like this:
/ system clock print
/ system clock set date=jan/30/2012 time=9:45:00 time-zone-name=Europe/Tirane
/ system ntp client print
/ system ntp client set enabled=yes mode=unicast \
    primary-ntp=130.88.200.4 secondary-ntp=129.6.15.28
References:
4. How to add DNAT rules
If we want to forward ports 80 and 443 (HTTP and HTTPS) to a local webserver (with IP, say 192.168.10.46), we can do it like this:
/ip firewall nat add chain=dstnat \
    dst-address=109.69.41.70 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.10.46 to-ports=80
/ip firewall nat add chain=dstnat \
    dst-address=109.69.41.70 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.10.46 to-ports=443
5. Set up packet filtering
These are some example commands that I could find on the internet about hardening the firewall of MikroTik. I don't understand all of them, but I don't have to. They don't need to be customized and can be applied simply with copy/paste.
/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input src-address=192.168.1.0/24 comment="From our private LAN"
add chain=input protocol=tcp dst-port=22 src-address=192.168.1.0/24 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 src-address=192.168.1.0/24 comment="winbox"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward protocol=udp dst-port=69 action=drop comment="Blocking UDP Packets"
add chain=forward protocol=udp dst-port=111 action=drop
add chain=forward protocol=udp dst-port=135 action=drop
add chain=forward protocol=udp dst-port=137-139 action=drop
add chain=forward protocol=udp dst-port=2049 action=drop
add chain=forward protocol=udp dst-port=3133 action=drop
add chain=forward protocol=tcp dst-port=69 action=drop comment="Blocking TCP Packets"
add chain=forward protocol=tcp dst-port=111 action=drop
add chain=forward protocol=tcp dst-port=119 action=drop
add chain=forward protocol=tcp dst-port=135 action=drop
add chain=forward protocol=tcp dst-port=137-139 action=drop
add chain=forward protocol=tcp dst-port=445 action=drop
add chain=forward protocol=tcp dst-port=2049 action=drop
add chain=forward protocol=tcp dst-port=12345-12346 action=drop
add chain=forward protocol=tcp dst-port=20034 action=drop
add chain=forward protocol=tcp dst-port=3133 action=drop
add chain=forward protocol=tcp dst-port=67-68 action=drop
/ip firewall filter print stats
/ip firewall filter reset-counters-all
/log print
/log print follow