Sunday, August 19, 2012

MikroTik Tips

Some tips about the configuration of a MikroTik router.

1. Starting the graphical configuration application

Althought MikroTik has a web interface, the desktop configuration application is much more advanced. In Linux it can be started through wine (Windows Emulator), like this:
sudo apt-get install wine
wine winbox.exe

2. How to backup the configuration

A full, binary backup of the router can be done like this:
ssh admin@
/ system backup save name=mikrotik-20120130

lftp admin@
get mikrotik-20120130.backup
In case that someting goes wrong, restore it with:
/ system backup load name=mikrotik-20120130
If neeeded, you can reset the router before restoring the backup.
Another option is to export/import several parts (or the whole) of the router configuration. Its format is text, in the for of the commands that are needed to accomplish the configuration.

3. How to correct the date and time

The MikroTik router does not have an internal clock. So, after it is rebooted, it has no idea of what time is it. It has to get the correct time from internet, using the NTP protocol.
The commands look like these:
/ system clock print
/ system clock set date=jan/30/2012 time=9:45:00 time-zone-name=Europe/Tirane

/ system ntp client print
/ system ntp client set enabled=yes mode=unicast \
         primary-ntp= secondary-ntp=

4. How to add DNAT rules

If we want to forward ports 80 and 443 (HTTP and HTTPS) to a local webserver (with IP, say192.168.10.46), we can do it like this:
/ip firewall nat add chain=dstnat \
    dst-address= protocol=tcp dst-port=80 \
    action=dst-nat to-addresses= to-ports=80
/ip firewall nat add chain=dstnat \
    dst-address= protocol=tcp dst-port=443 \
    action=dst-nat to-addresses= to-ports=443

5. Set up packet filtering

These are some example commands that I could find in internet, about hardening the firewall of MikroTik. I don't understand all of them, but I don't have to. They don't need to be customized and can be applied simply with copy/paste.
/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" 
add chain=input protocol=udp action=accept comment="UDP" disabled=no 
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings" 
add chain=input protocol=icmp action=drop comment="Drop excess pings" 
add chain=input src-address= comment="From our private LAN"
add chain=input protocol=tcp dst-port=22 src-address= comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 src-address= comment="winbox" 
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward protocol=udp dst-port=69 action=drop comment="Blocking UDP Packets"                   
add chain=forward protocol=udp dst-port=111 action=drop                                 
add chain=forward protocol=udp dst-port=135 action=drop      
add chain=forward protocol=udp dst-port=137-139 action=drop 
add chain=forward protocol=udp dst-port=2049 action=drop       
add chain=forward protocol=udp dst-port=3133 action=drop    
add chain=forward protocol=tcp dst-port=69 action=drop comment="Blocking TCP Packets"      
add chain=forward protocol=tcp dst-port=111 action=drop                                  
add chain=forward protocol=tcp dst-port=119 action=drop 
add chain=forward protocol=tcp dst-port=135 action=drop  
add chain=forward protocol=tcp dst-port=137-139 action=drop 
add chain=forward protocol=tcp dst-port=445 action=drop       
add chain=forward protocol=tcp dst-port=2049 action=drop   
add chain=forward protocol=tcp dst-port=12345-12346 action=drop     
add chain=forward protocol=tcp dst-port=20034 action=drop           
add chain=forward protocol=tcp dst-port=3133 action=drop     
add chain=forward protocol=tcp dst-port=67-68 action=drop    
/ip firewall filter print stats
/ip firewall filter reset-counters-all
/log print
/log print follow

No comments:

Post a Comment