MikroTik Router OS V3.0 User Manual
/ip firewall mangle add chain=forward src-address=192.168.0.0/24 \
    action=mark-connection new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet \
    new-packet-mark=users chain=forward

/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address

/queue tree add name=Download parent=Local max-limit=10240000
/queue tree add parent=Download queue=pcq-download packet-mark=users

/queue tree add name=Upload parent=Public max-limit=2048000
/queue tree add parent=Upload queue=pcq-upload packet-mark=users

Page 300 of 480
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
/queue tree add parent=Local queue=pcq-download packet-mark=users
/queue tree add parent=Public queue=pcq-upload packet-mark=users
Filter
Document revision 2.8 (February 11, 2008, 4:14 GMT)
This document applies to MikroTik RouterOS V3.0

Table of Contents
Summary
Quick Setup Guide
Specifications
Firewall Filter
Description
Property Description
Notes
Filter Applications
Protect your RouterOS router
Protecting the Customers Network

General Information

Summary

Quick Setup Guide
• Drop forwarded TCP traffic destined to port 135:
/ip firewall filter add chain=forward dst-port=135 protocol=tcp action=drop
• Drop telnet (TCP port 23) connections to the router itself:
/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop
• Limit each single source address (netmask 32) to six forwarded TCP connections; further SYN packets from that address are dropped:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop

Specifications
Packages required: system
License required: level1 (P2P filters limited to 1), level3
Home menu level: /ip firewall filter
Standards and Technologies: IP, RFC2113
Hardware usage: Increases with filtering rules count

Firewall Filter
Home menu level: /ip firewall filter

Description

General Filtering Principles
Filter Chains
/ip firewall filter add src-address=1.1.1.2/32 action=jump jump-target=mychain
The built-in chains are:
• input - used to process packets entering the router through one of the interfaces with a destination IP address that is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
• forward - used to process packets passing through the router
• output - used to process packets originated by the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain

Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | drop | jump | log | passthrough | reject | return | tarpit; default: accept) - action to undertake if the packet matches the rule
• accept - accept the packet. No action is taken, i.e. the packet is passed through and no more rules are applied to it
• add-dst-to-address-list - adds the destination address of an IP packet to the address list specified by the address-list parameter
• add-src-to-address-list - adds the source address of an IP packet to the address list specified by the address-list parameter
• drop - silently drop the packet (without sending an ICMP reject message)
• jump - jump to the chain specified by the value of the jump-target parameter
• log - each match with this action will add a message to the system log
• passthrough - ignores this rule and goes on to the next one
• reject - reject the packet and send an ICMP reject message
• return - passes control back to the chain from where the jump took place
• tarpit - captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)
address-list (name) - specifies the name of the address list to collect IP addresses from rules having action=add-dst-to-address-list or action=add-src-to-address-list. These address lists can later be used for packet matching
address-list-timeout (time; default: 00:00:00) - time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions
• 00:00:00 - leave the address in the address list forever
chain (forward | input | output | name) - specifies the chain to put a particular rule into. As different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created
comment (text) - a descriptive comment for the rule. A comment can be used to identify rules from scripts
connection-bytes (integer-integer) - matches packets only if a given amount of bytes has been transferred through the particular connection
• 0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer,netmask) - restricts the connection limit per address or address block
connection-mark (name) - matches packets marked via the mangle facility with a particular connection mark
connection-state (established | invalid | new | related) - interprets the connection tracking analysis data for a particular packet
• established - a packet which belongs to an existing connection, exempli gratia a reply packet or a packet which belongs to an already replied connection
• invalid - a packet which could not be identified for some reason.
This includes out of memory conditions and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets
• new - a packet which begins a new TCP connection
• related - a packet which is related to, but not part of, an existing connection, such as ICMP errors or a packet which begins an FTP data connection (the latter requires the FTP connection tracking helper to be enabled under /ip firewall service-port)
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port
content (text) - the text packets should contain in order to match the rule
dscp (integer: 0..63) - DSCP (ex-ToS) IP header field value
dst-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is destined to. Note that the console converts an entered address/netmask value to a valid network address, i.e. 1.1.1.1/24 is converted to 1.1.1.0/24
dst-address-list (name) - matches the destination address of a packet against a user-defined address list
dst-address-type (unicast | local | broadcast | multicast) - matches the destination address type of the IP packet, one of:
• unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
• local - matches addresses assigned to the router's interfaces
• broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
• multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
dst-limit (integer/time, integer, dst-address | dst-port | src-address, time) - limits the packet per second (pps) rate on a per destination IP or per destination port basis. As opposed to the limit match, every destination IP address / destination port has its own limit. The options are as follows (in order of appearance):
• count - maximum average packet rate, measured in packets per second (pps), unless followed by the time option
• time - specifies the time interval over which the packet rate is measured
• burst - number of packets to match in a burst
• mode - the classifier(s) for packet rate limiting
• expire - specifies the interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535[-integer: 0..65535]) - destination port number or range
fragment (yes | no) - whether the packet is a fragment of an IP packet. The starting packet (i.e. the first fragment) does not count. Note that if connection tracking is enabled, there will be no fragments, as the system automatically reassembles every packet
hotspot (multiple choice: auth | from-client | http | local-dst | to-client) - matches packets received from clients against various HotSpot conditions.
All values can be negated
• auth - true if a packet comes from an authenticated HotSpot client
• from-client - true if a packet comes from any HotSpot client
• http - true if a HotSpot client sends a packet to the address and port previously detected as its proxy server (Universal Proxy technique), or if the destination port is 80 and transparent proxying is enabled for that particular client
• local-dst - true if a packet has a local destination IP address
• to-client - true if a packet is sent to a client
icmp-options (integer:integer) - matches ICMP Type:Code fields
in-bridge-port (name) - actual interface the packet has entered the router through (if bridged, this property matches the actual bridge port, while in-interface matches the bridge itself)
in-interface (name) - interface the packet has entered the router through (if the interface is bridged, then the packet will appear to come from the bridge interface itself)
ingress-priority (integer: 0..63) - INGRESS (received) priority of the packet, if set (0 otherwise). The priority may be derived from either the VLAN or the WMM priority
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match IPv4 header options
• any - match packets with at least one of the IPv4 options
• loose-source-routing - match packets with the loose source routing option. This option is used to route the internet datagram based on information supplied by the source
• no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
• no-router-alert - match packets with no router alert option
• no-source-routing - match packets with no source routing option
• no-timestamp - match packets with no timestamp option
• record-route - match packets with the record route option
• router-alert - match packets with the router alert option
• strict-source-routing - match packets with the strict source routing option
• timestamp - match packets with the timestamp option
jump-target (forward | input | output | name) - name of the target chain to jump to, if action=jump is used
layer7-protocol (name) - Layer 7 filter name as set in the /ip firewall layer7-protocol menu. Caution: this matcher needs high computational power
limit (integer/time, integer) - restricts the packet match rate to a given limit. Useful to reduce the amount of log messages
• count - maximum average packet rate, measured in packets per second (pps), unless followed by the time option
• time - specifies the time interval over which the packet rate is measured
• burst - number of packets to match in a burst
log-prefix (text) - all messages written to the log will contain the prefix specified herein. Used in conjunction with action=log
nth (integer, integer: 0..15, integer) - match a particular Nth packet received by the rule. One of 16 available counters can be used to count packets
• every - match every (every+1)th packet. For example, if every=1 then the rule matches every 2nd packet
• counter - specifies which counter to use. A counter increments each time the rule containing the nth match matches
• packet - match on the given packet number. For obvious reasons, the value must be between 0 and every.
If this option is used for a given counter, then there must be at least every+1 rules with this option, covering all values between 0 and every inclusive.
out-bridge-port (name) - actual interface the packet is leaving the router through (if bridged, this property matches the actual bridge port, while out-interface matches the bridge itself)
out-interface (name) - interface the packet is leaving the router through (if the interface is bridged, then the packet will appear to leave through the bridge interface itself)
p2p (all-p2p | bit-torrent | blubster | direct-connect | edonkey | fasttrack | gnutella | soulseek | warez | winmx) - matches packets from various peer-to-peer (P2P) protocols
packet-mark (text) - matches packets marked via the mangle facility with a particular packet mark
packet-size (integer: 0..65535[-integer: 0..65535]) - matches packets of the specified size or size range in bytes
• min - specifies the lower boundary of the size range or a standalone value
• max - specifies the upper boundary of the size range
port (port) - matches if any (source or destination) port matches the specified list of ports or port ranges (note that the protocol must still be selected, just like for the regular src-port and dst-port matchers)
protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | integer) - matches a particular IP protocol specified by protocol name or number. You must specify this setting if you want to specify ports
psd (integer, time, integer, integer) - attempts to detect TCP and UDP scans. It is advised to assign a lower weight to ports with high numbers to reduce the frequency of false positives, such as from passive mode FTP transfers
• WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as a port scan sequence
• DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as a possible port scan subsequence
• LowPortWeight - weight of the packets with privileged (
• rst - drop connection
• syn - new connection
• urg - urgent data
tcp-mss (integer: 0..65535) - matches the TCP MSS value of an IP packet
time (time-time, sat | fri | thu | wed | tue | mon | sun) - allows creating a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date

Notes

Filter Applications

Protect your RouterOS router
/ip firewall filter
add chain=input connection-state=invalid action=drop \
    comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
    comment="Allow Established connections"
add chain=input protocol=udp action=accept \
    comment="Allow UDP"
add chain=input protocol=icmp action=accept \
    comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
    comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"

Protecting the Customers Network
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
    action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
    comment="allow already established connections"
add chain=forward connection-state=related action=accept \
    comment="allow related connections"

add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
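As an added example that is not part of the manual, the rule set below combines the chain, jump and return semantics from the Filter Chains and action descriptions with the psd matcher, the add-src-to-address-list action and address-list-timeout, to protect the router itself: scanning hosts are recorded in an address list and dropped, and every remaining new connection to the router is checked in a custom chain. The chain name router-services, the list name port-scanners, the management network 192.168.0.0/24 and the psd thresholds are assumptions; the fourth psd value (weight of unprivileged ports) completes the parameter list that is truncated on the page.

```routeros
/ip firewall filter
# Constructed example, not from the manual. Rules are evaluated top-down:
# accept and drop end processing, jump enters a custom chain and
# return hands the packet back to the rule following the jump.
add chain=input connection-state=invalid action=drop \
    comment="drop invalid connections"
add chain=input connection-state=established action=accept \
    comment="connection was already checked when it was new"
add chain=input connection-state=related action=accept \
    comment="e.g. ICMP errors belonging to a known connection"

# Port-scan detection. psd=WeightThreshold,DelayThreshold,LowPortWeight,
# HighPortWeight: 21 weight points within 3 seconds, privileged ports
# weigh 3, all others 1 (assumed thresholds, tune for your network).
add chain=input protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1d comment="record scanning hosts for one day"
add chain=input src-address-list=port-scanners limit=5,10 action=log \
    log-prefix="port-scan:" comment="rate-limited log: 5 pps, burst 10"
add chain=input src-address-list=port-scanners action=drop \
    comment="drop everything from recorded scanners"

# Everything else that starts a new connection goes through the
# custom chain; whatever it returns falls into the final drop.
add chain=input connection-state=new action=jump \
    jump-target=router-services
add chain=input action=drop comment="not accepted by router-services"

# Custom chain: only management services from the known network.
add chain=router-services src-address=192.168.0.0/24 protocol=tcp \
    dst-port=22 action=accept comment="ssh from management network"
add chain=router-services src-address=192.168.0.0/24 protocol=tcp \
    dst-port=8291 action=accept comment="winbox from management network"
add chain=router-services protocol=icmp limit=10,20 action=accept \
    comment="ping, rate limited to 10 pps with a burst of 20"
add chain=router-services action=return \
    comment="unmatched: back to the input chain, where the drop applies"
```

Compared with the manual's "Protect your RouterOS router" example, this variant does not accept all UDP on the input chain, so any UDP service that should be reachable needs its own accept rule in router-services.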