Protecting your customers

To protect the customer's network, we should check all traffic which goes through router and block
unwanted. For icmp, tcp, udp traffic we will create chains, where all unwanted packets will be
dropped. For the beginning, we can copy and paste the following commands into RouterOS terminal
console:
/ip firewall filter
add chain=forward connection-state=established comment="allow established
connections"
add chain=forward connection-state=related comment="allow related
connections"
add chain=forward connection-state=invalid action=drop comment="drop
invalid connections"

Here, the first two rules deal with packets of already opened or related connections. We assume that
those are okay. We do not like invalid connection packets, therefore they are dropped.

Next, we should filter out and drop all unwanted packets that look like coming from virus infected
hosts. Instead of adding those rules to the forward chain, we create a new chain for all unwanted
netbios and similar traffic. We can give the chain a descriptive name, say, "virus" when adding the
following rules to the ip firewall filter (you can copy and paste these rules into the terminal window, if
you are in the /ip firewall filter menu):
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop
Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop
Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster
Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster
Worm"

add chain=virus protocol=tcp dst-port=593 action=drop comment="________"

add chain=virus protocol=tcp dst-port=1024-1030 action=drop
comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop
MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm
requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen
cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle
Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop
Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop
Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop
Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop
MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop
Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop
Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop
Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop
Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop
Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop
MyDoom.B"

add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop

NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop
Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop
SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop
PhatBot, Agobot, Gaobot"

Here, we list all those well known "bad" protocols and ports, used by various trojans and viruses
when they take over your computer. This list is incomplete; we should add more rules to it! We can
jump to this list from the forward chain by using a rule with action=jump:
add chain=forward action=jump jump-target=virus comment="jump to the virus
chain"

The forward chain looks now as follows:

If the packet does not match any of the rules in the virus chain, the processing is returned back to
the forward chain.
At this point we are left with various options, and you should explore this more thoroughly by reading
the manual.
For the purposes of this example we want to block all traffic except that which we explicitly allow to
pass through. For example we wish to allow HTTP Traffic and SMTP Traffic as well as some TCP
and UDP packets and ICMP (Ping).
We can now simply add rules allowing the traffic that we want and then drop everything else (this is
the part where we block all traffic):

add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow

HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow
SMTP"
add chain=forward protocol=tcp comment="allow TCP"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

NOTE THAT THE LAST RULE WILL BLOCK OR DROP ALL TRAFFIC THAT IS NOT EXPLICITLY
ALLOWED THROUGH BY PREVIOUS RULES!