Overview

From everything we have learned so far, let's try to build an advanced firewall. In this firewall-building example we will try to use as many firewall features as we can, to illustrate how they work and when they should be used the right way.

Most of the filtering will be done in the RAW firewall. The regular firewall will contain just a basic rule set that accepts established, related and untracked connections and drops everything else not coming from the LAN, so that the router itself is fully protected.

Interface Lists

Two interface lists, WAN and LAN, will be used for easier future management. Interfaces connected to the global internet should be added to the WAN list; in this example it is ether1.

/interface list
  add comment=defconf name=WAN
  add comment=defconf name=LAN
/interface list member
  add comment=defconf interface=bridge list=LAN
  add comment=defconf interface=ether1 list=WAN

Protect the Device

The main goal here is to allow access to the router only from the LAN and to drop everything else.

Notice that ICMP is accepted here as well; this rule accepts the ICMP packets that have already passed the RAW rules.

/ip firewall filter
  add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
  add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
  add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

The IPv6 part is a bit more complicated: in addition, UDP traceroute, DHCPv6 client prefix delegation (PD) and IPsec (IKE, AH, ESP) are accepted, as per RFC recommendations.

/ipv6 firewall filter
  add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
  add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
  add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
  add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/16
  add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
  add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
  add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
  add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Protect the Clients

Before setting up the rules, let's create the necessary address lists containing all IPv4/IPv6 addresses that must not be forwarded.

Note that the multicast address range is added to this list, because in most cases multicast is not used. If you intend to use multicast forwarding, this address-list entry should be disabled.

/ip firewall address-list
  add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
  add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
  add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
  add address=255.255.255.255/32 comment="defconf: RFC6890" list=no_forward_ipv4

The same applies to IPv6: if multicast forwarding is used, the multicast entry should be disabled in the address list.

/ipv6 firewall address-list
  add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
  add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6

The forward chain will have a few more rules than the input chain:

  • accept established, related and untracked connections;
  • FastTrack established and related connections (currently IPv4 only);
  • drop invalid connections;
  • drop bad forward IPs, since we cannot reliably determine in the RAW chains which packets are being forwarded;
  • drop connections initiated from the internet (new connections from the WAN side that are not destination-NATed);
  • drop bogon IPs that should not be forwarded.

In case an attacker knows the internal LAN network, we drop all packets from the WAN that are not destination-NATed, to protect the clients from direct attacks. Typically this rule is not necessary, since the RAW filter would already drop such packets, but it is there for double safety in case the RAW rules get messed up accidentally.

/ip firewall filter
  add action=accept chain=forward comment="defconf: accept all that matches IPsec policy" ipsec-policy=in,ipsec disabled=yes
  add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
  add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
  add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
  add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
  add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
  add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4

The IPv6 forward chain is very similar, except that IPsec and HIP are accepted as per RFC recommendations, and ICMPv6 packets with hop-limit=1 are dropped.

/ipv6 firewall filter
  add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
  add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
  add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
  add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
  add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
  add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
  add action=accept chain=forward comment="defconf: accept HIP" protocol=139
  add action=accept chain=forward comment="defconf: accept IKE" protocol=udp dst-port=500,4500
  add action=accept chain=forward comment="defconf: accept AH" protocol=ipsec-ah
  add action=accept chain=forward comment="defconf: accept ESP" protocol=ipsec-esp
  add action=accept chain=forward comment="defconf: accept all that matches IPsec policy" ipsec-policy=in,ipsec
  add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

Notice the IPsec policy matcher rules. It is very important that IPsec-encapsulated traffic bypasses FastTrack; that is why we added a disabled rule that accepts traffic matching the IPsec policy. Whenever IPsec tunnels are used on the router, this rule should be enabled. For IPv6 it is much simpler, since IPv6 has no FastTrack support.

Another approach to solving the IPsec problem is to add RAW rules; we will discuss this method later in the RAW section.

Masquerade the Local Network

For local devices behind the router to be able to access the internet, the local network must be masqueraded. In most cases it is advised to use src-nat instead of masquerade, but in this case, where the WAN address is dynamic, masquerade is the only option.

/ip firewall nat
  add action=accept chain=srcnat comment="defconf: accept all that matches IPsec policy" ipsec-policy=out,ipsec disabled=yes
  add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

Notice the disabled policy matcher rule: as in the firewall filter, IPsec traffic must be excluded from NAT (except in specific scenarios where the IPsec policy is configured to match the NATed address). So whenever IPsec tunnels are used on the router, this rule must be enabled.

RAW Filtering

IPv4 Address Lists

Before setting up the RAW rules, let's create some address lists needed by our filtering policy. RFC 6890 will be used as the reference.

The first address list, bad_ipv4, contains all IPv4 addresses that cannot be used as source, destination, forwarded address etc. (a packet carrying such an address is dropped immediately).

/ip firewall address-list
  add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
  add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
  add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
  add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
  add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
  add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4

Another address list contains all IPv4 addresses that are not globally routable.

/ip firewall address-list
  add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
  add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
  add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
  add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
  add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
  add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
  add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
  add address=198.18.0.0/15 comment="defconf: RFC6890" list=not_global_ipv4
  add address=255.255.255.255/32 comment="defconf: RFC6890" list=not_global_ipv4

The last two address lists hold addresses that cannot be used as destination or as source address.

/ip firewall address-list
  add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
  add address=255.255.255.255/32 comment="defconf: RFC6890" list=bad_src_ipv4
  add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
  add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4

IPv4 RAW Rules

The RAW IPv4 rules will perform the following actions:

  • add a disabled "accept" rule, which can be used to quickly disable RAW filtering without disabling all RAW rules;
  • accept DHCP discover; most DHCP packets are not seen by the IP firewall, but some are, so make sure they are accepted;
  • drop packets that use bogon IPs;
  • drop packets with invalid source and destination IPs;
  • drop globally unroutable IPs coming from the WAN;
  • drop packets coming from the LAN whose source address is not in 192.168.88.0/24 (the default IP range);
  • drop packets coming from the WAN to be forwarded to the 192.168.88.0/24 network; this protects the clients from attacks even if the attacker knows the internal network;
  • drop bad ICMP, UDP and TCP;
  • accept everything else coming from WAN and LAN;
  • drop everything else, making sure that any newly added interface (such as a PPPoE connection to the service provider) is protected against accidental misconfiguration.

/ip firewall raw
  add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
  add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
  add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
  add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
  add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
  add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
  add action=drop chain=prerouting comment="defconf: drop non global from WAN" src-address-list=not_global_ipv4 in-interface-list=WAN
  add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" in-interface-list=WAN dst-address=192.168.88.0/24
  add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.88.0/24
  add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
  add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
  add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
  add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
  add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
  add action=drop chain=prerouting comment="defconf: drop the rest"
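To see why the order of the rules above matters (for example, the DHCP discover accept must come before the bogon drops, because 255.255.255.255 falls inside the 240.0.0.0/4 entry of bad_ipv4), here is an added Python model of the prerouting chain. It is not part of the page or of RouterOS; it embeds the page's address lists as plain data, and the bracketed tags in the rule comments are mine, added to tell the four identical "drop bogon IP's" rules apart.

```python
import ipaddress

# Address lists exactly as this page defines them (constructed here as plain Python data).
LISTS = {
    "bad_ipv4": ["127.0.0.0/8", "192.0.0.0/24", "192.0.2.0/24", "198.51.100.0/24",
                 "203.0.113.0/24", "240.0.0.0/4"],
    "not_global_ipv4": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
                        "172.16.0.0/12", "192.0.0.0/29", "192.168.0.0/16",
                        "198.18.0.0/15", "255.255.255.255/32"],
    "bad_src_ipv4": ["224.0.0.0/4", "255.255.255.255/32"],
    "bad_dst_ipv4": ["0.0.0.0/8", "224.0.0.0/4"],
}
NETS = {name: [ipaddress.ip_network(n) for n in nets] for name, nets in LISTS.items()}
LAN_NET = ipaddress.ip_network("192.168.88.0/24")  # the page's default LAN range


def in_list(addr, name):
    """address-list matcher: true if addr falls inside any prefix of the named list."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in NETS[name])


def raw_prerouting(iface_list, src, dst, proto, sport=None, dport=None):
    """First-match walk of the IPv4 RAW prerouting chain in the order the page adds the rules.
    iface_list is the interface list the packet arrived on ("LAN", "WAN", or any other value
    for an interface that belongs to neither). Returns (rule comment, action); "jump" means
    the packet is handed to the icmp4/bad_tcp chain, which this model does not evaluate."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = [  # (comment, action, matcher); bracketed tags are mine
        ("accept DHCP discover", "accept", lambda: iface_list == "LAN" and proto == "udp"
            and src == "0.0.0.0" and dst == "255.255.255.255" and (sport, dport) == (68, 67)),
        ("drop bogon IP's [src]", "drop", lambda: in_list(src, "bad_ipv4")),
        ("drop bogon IP's [dst]", "drop", lambda: in_list(dst, "bad_ipv4")),
        ("drop bogon IP's [bad_src]", "drop", lambda: in_list(src, "bad_src_ipv4")),
        ("drop bogon IP's [bad_dst]", "drop", lambda: in_list(dst, "bad_dst_ipv4")),
        ("drop non global from WAN", "drop", lambda: iface_list == "WAN" and in_list(src, "not_global_ipv4")),
        ("drop forward to local lan from WAN", "drop", lambda: iface_list == "WAN" and d in LAN_NET),
        ("drop local if not from default IP range", "drop", lambda: iface_list == "LAN" and s not in LAN_NET),
        ("drop bad UDP", "drop", lambda: proto == "udp" and 0 in (sport, dport)),  # port=0 matches src or dst
        ("jump to ICMP chain", "jump", lambda: proto == "icmp"),
        ("jump to TCP chain", "jump", lambda: proto == "tcp"),
        ("accept everything else from LAN", "accept", lambda: iface_list == "LAN"),
        ("accept everything else from WAN", "accept", lambda: iface_list == "WAN"),
        ("drop the rest", "drop", lambda: True),
    ]
    for comment, action, match in rules:
        if match():
            return comment, action
```

Feeding the same DHCP discover with a wrong destination port shows it would be dropped by the bad_ipv4 destination rule, and a packet arriving on an interface in neither list (a new PPPoE interface, say) ends at "drop the rest".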

Notice that we used some optional chains. The first one, the TCP chain, drops TCP packets that are known to be invalid.

/ip firewall raw
  add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
  add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
  add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
  add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
  add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
  add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
  add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
  add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
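An added Python model (not RouterOS code and not from the page) of the bad_tcp chain above, showing how the tcp-flags matcher works: every flag listed must be set, every "!flag" must be clear, and the first rule that matches drops the segment. The rule names after the first one are mine; the page labels those rules only "defconf".

```python
# The bad_tcp chain, rule by rule, as (my label, tcp-flags spec from the page).
BAD_TCP_RULES = [
    ("TCP flag filter", "!fin,!syn,!rst,!ack"),  # none of the four flags set
    ("fin+syn", "fin,syn"),
    ("fin+rst", "fin,rst"),
    ("fin without ack", "fin,!ack"),
    ("fin+urg", "fin,urg"),
    ("syn+rst", "syn,rst"),
    ("rst+urg", "rst,urg"),
]


def tcp_flags_match(spec, flags):
    """Evaluate one tcp-flags=... spec against the set of flag names present in a segment.
    A bare flag must be set, a '!' flag must be clear; flags not mentioned are ignored."""
    for item in spec.split(","):
        if item.startswith("!"):
            if item[1:] in flags:
                return False
        elif item not in flags:
            return False
    return True


def bad_tcp(flags, sport, dport):
    """Walk the bad_tcp chain in order. Returns the label of the rule that drops the segment,
    or None when no rule matches (the packet then returns to the prerouting chain)."""
    present = set(flags)
    for label, spec in BAD_TCP_RULES:
        if tcp_flags_match(spec, present):
            return label
    if sport == 0 or dport == 0:  # port=0 matches either source or destination port
        return "TCP port 0 drop"
    return None
```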

The other chain handles ICMP. Note that such strict ICMP filtering can be used if you want a very strict firewall, but in most cases it is not necessary and simply adds more load on the router's CPU. ICMP rate limiting is also unnecessary in most cases, since the Linux kernel already limits ICMP packets to 100 pps.

/ip firewall raw
  add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
  add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
  add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
  add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
  add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
  add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
  add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
  add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
  add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp

IPv6 Address Lists

List of IPv6 addresses that should be dropped instantly:

/ipv6 firewall address-list
  add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
  add address=::ffff:0:0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6
  add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
  add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6
  add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
  add address=::/96 comment="defconf: RFC6890 IPv4 compat" list=bad_ipv6

List of IPv6 addresses that are not globally routable:

/ipv6 firewall address-list
  add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6
  add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
  add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6
  add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6

Address list of invalid destination addresses:

/ipv6 firewall address-list
  add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6

Address list of invalid source addresses:

/ipv6 firewall address-list
  add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
  add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6

IPv6 RAW Rules

The RAW IPv6 rules will perform the following actions:

  • add a disabled accept rule, which can be used to quickly disable RAW filtering without disabling all RAW rules;
  • drop packets that use bogon IPs;
  • drop packets with invalid source and destination IPs;
  • drop globally unroutable IPs coming from the WAN;
  • drop bad ICMP;
  • accept everything else coming from WAN and LAN;
  • drop everything else, making sure that any newly added interface (such as a PPPoE connection to the service provider) is protected against accidental misconfiguration.

/ipv6 firewall raw
  add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
  add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" src-address=::/128 dst-address=ff02:0:0:0:0:1:ff00::/104 icmp-options=135 protocol=icmpv6
  add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
  add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
  add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
  add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
  add action=drop chain=prerouting comment="defconf: drop non global from WAN" src-address-list=not_global_ipv6 in-interface-list=WAN
  add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
  add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
  add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
  add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
  add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
  add action=drop chain=prerouting comment="defconf: drop the rest"

Notice that the optional ICMP chain was used. Such strict ICMP filtering can be used if you want a very strict firewall, but in most cases it is not necessary and simply adds more load on the router's CPU. ICMP rate limiting is also unnecessary in most cases, since the Linux kernel already limits ICMP packets to 100 pps.

Be aware that packets sent by different operating systems carry different default TTL values.

/ipv6 firewall raw
  add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
  add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
  add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
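An added Python walk (not part of the page or of RouterOS) of the icmp6 chain above, showing the RFC 4890 checks it encodes: a link-local destination with a hop limit other than 255 is dropped first, and the Neighbor Discovery types are only accepted from the LAN with hop-limit=255; the limit=5,10:packet rate limiters are not modelled, so a matching echo or ND packet is reported as accepted up to the limit.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
# ICMPv6 types accepted without further conditions, with the code ranges from the chain above.
OPEN_TYPES = {1: range(0, 256), 2: range(0, 256), 3: range(0, 2), 4: range(0, 3),
              144: range(0, 256), 145: range(0, 256), 146: range(0, 256), 147: range(0, 256)}
ECHO_TYPES = {128, 129}                     # rate limited, any interface
ND_TYPES = {133, 134, 135, 136, 141, 142}   # rate limited, LAN only, hop-limit must be 255


def icmp6_chain(icmp_type, icmp_code, hop_limit, dst, iface_list):
    """First-match walk of the icmp6 chain. iface_list is the interface list the packet
    arrived on ("LAN" or "WAN"). Returns (action, reason)."""
    if ipaddress.ip_address(dst) in LINK_LOCAL and hop_limit != 255:
        return "drop", "rfc4890 drop ll if hop-limit!=255"
    if icmp_type in OPEN_TYPES and icmp_code in OPEN_TYPES[icmp_type]:
        return "accept", f"type {icmp_type} code {icmp_code}"
    if icmp_type in ECHO_TYPES:
        return "accept", "echo (limit 5,10)"
    if icmp_type in ND_TYPES and iface_list == "LAN" and hop_limit == 255:
        return "accept", "rfc4890 ND from LAN with hop-limit=255 (limit 5,10)"
    # ND from the WAN, ND with a non-255 hop limit, and every type not listed above end here.
    return "drop", "drop other icmp"
```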