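# /ip firewall filter (the section header is above this chunk).
# Rules in a chain are evaluated top to bottom and the first match decides,
# so ordering inside each chain matters; the chains themselves are independent.

# --- input chain: traffic addressed to the router itself ---
# State rules first: invalid is dropped before any per-service accept, so
# malformed / out-of-state packets aimed at the service ports below are not
# let in by the service rules (same order the forward chain already uses).
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow established connections" connection-state=established
add chain=input comment="allow related connections" connection-state=related
# Remote management from WAN, kept disabled. Uses dst-port instead of port:
# "port=" matches source OR destination port, so any TCP packet arriving
# *from* source port 80 would otherwise satisfy the rule.
add chain=input comment="accept remote winbox" disabled=yes dst-port=8291,80 in-interface=ether1-WAN protocol=tcp
add chain=input comment="accept PPTP tunels" dst-port=1723 protocol=tcp
# GRE carries the PPTP data channel.
add chain=input protocol=gre
# dst-port instead of port for the same reason as above: with "port=" any UDP
# packet whose *source* port is 500, 4500 or 1701 would have been accepted.
add chain=input comment="accept l2tp tunels" dst-port=1701,500,4500 protocol=udp
# ESP carries the IPsec-protected L2TP traffic.
add chain=input protocol=ipsec-esp
# LAN hosts may reach the router on any port; both interface and source prefix are checked.
add chain=input in-interface=!ether1-WAN src-address=192.168.0.0/24
# No ICMP accept exists on input, so echo requests and PMTU messages to the
# router fall through to this terminal drop; add a rate-limited protocol=icmp
# accept above this line if that is not intended.
add action=drop chain=input comment="drop everything else"

# --- output chain: traffic originated by the router ---
# The third rule accepts everything, so the two interface-specific rules only
# act as counters; output is fully open.
add chain=output comment="accept everything to internet" out-interface=ether1-WAN
add chain=output comment="accept everything to non internet" out-interface=!ether1-WAN
add chain=output comment="accept everything"

# --- forward chain: traffic routed between interfaces ---
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
# Bogon filtering in both directions: "this" network, loopback, and
# 224.0.0.0/3 (224.0.0.0-255.255.255.255: multicast plus reserved space).
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
# Per-protocol chains tcp/udp/icmp are not defined in this chunk and must exist
# elsewhere in the export. There is no terminal drop on forward here, so anything
# those chains return without dropping is accepted by the chain default.
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp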
/ip firewall nat
# Source NAT for traffic leaving through the WAN interface: the source address
# is rewritten to the address the router holds on ether1-WAN. Applies to all
# sources; no src-address restriction is configured.
add chain=srcnat action=masquerade out-interface=ether1-WAN comment=Masquerade