Здравейте колеги, сравнително нов съм в микротик и съжалявам за въпроса, но просто не успявам да го накарам да работи правилно.
Ето и казуса: имам реално ИП на което искам да отговаря RDP от локалната мрежа, но ми е много важно да го лимитирам до определени МАК адреси.
Успях да издокарам порт форлординга, успях да си добавя маковете в алол, но не правилата ми за да дропи всичко останало не сработват. Отдолу ще постна кода, моля за помощ.
# jan/16/2018 09:54:22 by RouterOS 6.41rc34
# software id = 7JV1-98NP
#
# model = RouterBOARD 750 r2
# serial number =
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
/ip firewall filter
add action=drop chain=input comment="Drop Input WAN" src-address=\
XXX.XXX.XXX.XXX
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface=WAN
add action=accept chain=input comment="Accept ICMP from LAN" in-interface=\
bridge1 protocol=icmp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop ICMP" disabled=yes protocol=icmp
add action=drop chain=input comment="Drop Input Invalid" connection-state=\
invalid disabled=yes
add action=drop chain=forward comment="Drop Forward Invalid" \
connection-state=invalid disabled=yes
add action=accept chain=forward comment="Accept established, related" \
connection-state=established,related
add action=accept chain=input comment="Accept established, related" \
connection-state=established,related
add action=accept chain=input disabled=yes src-mac-address=XX:XX:XX:XX:XX:XX
add action=accept chain=input disabled=yes src-mac-address=XX:XX:XX:XX:XX:XX
add action=accept chain=input comment=RDP disabled=yes dst-address=\
XXX.XXX.XXX.XXX dst-port=3389 in-interface=WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat comment="RDP 3389 forward" dst-address=\
XXX.XXX.XXX.XXX dst-port=3389 in-interface=WAN protocol=tcp to-addresses=\
192.168.1.50 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
Question
fail3d
Здравейте колеги, сравнително нов съм в микротик и съжалявам за въпроса, но просто не успявам да го накарам да работи правилно.
Ето и казуса: имам реално ИП на което искам да отговаря RDP от локалната мрежа, но ми е много важно да го лимитирам до определени МАК адреси.
Успях да издокарам порт форлординга, успях да си добавя маковете в алол, но не правилата ми за да дропи всичко останало не сработват. Отдолу ще постна кода, моля за помощ.
# jan/16/2018 09:54:22 by RouterOS 6.41rc34 # software id = 7JV1-98NP # # model = RouterBOARD 750 r2 # serial number = /ip firewall address-list add address=192.168.1.0/24 list=LAN /ip firewall filter add action=drop chain=input comment="Drop Input WAN" src-address=\ XXX.XXX.XXX.XXX add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \ connection-nat-state=!dstnat connection-state=new in-interface=WAN add action=accept chain=input comment="Accept ICMP from LAN" in-interface=\ bridge1 protocol=icmp src-address=192.168.1.0/24 add action=drop chain=input comment="Drop ICMP" disabled=yes protocol=icmp add action=drop chain=input comment="Drop Input Invalid" connection-state=\ invalid disabled=yes add action=drop chain=forward comment="Drop Forward Invalid" \ connection-state=invalid disabled=yes add action=accept chain=forward comment="Accept established, related" \ connection-state=established,related add action=accept chain=input comment="Accept established, related" \ connection-state=established,related add action=accept chain=input disabled=yes src-mac-address=XX:XX:XX:XX:XX:XX add action=accept chain=input disabled=yes src-mac-address=XX:XX:XX:XX:XX:XX add action=accept chain=input comment=RDP disabled=yes dst-address=\ XXX.XXX.XXX.XXX dst-port=3389 in-interface=WAN protocol=tcp /ip firewall nat add action=masquerade chain=srcnat out-interface=WAN add action=dst-nat chain=dstnat comment="RDP 3389 forward" dst-address=\ XXX.XXX.XXX.XXX dst-port=3389 in-interface=WAN protocol=tcp to-addresses=\ 192.168.1.50 to-ports=3389 /ip firewall service-port set ftp disabled=yes set tftp disabled=yes set irc disabled=yes set h323 disabled=yes set sip disabled=yes set pptp disabled=yes set udplite disabled=yes set dccp disabled=yes set sctp disabled=yes
Благодаря ви предварително за отделеното време.
Link to comment
Share on other sites
2 answers to this question
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now