Sunday, April 12, 2020

Securing Mikrotik with Port Knocking

You can make your MikroTik harder to reach from the outside world / internet by adding port knocking firewall rules: the management ports stay closed to everyone until a host has first connected to two secret ports, in the right order. Paste the following commands into a New Terminal window and adjust them to your setup.

/ip firewall filter
add action=accept chain=input comment="Allow Connection From LAN" in-interface=ether2

add action=add-src-to-address-list address-list=first_greeting address-list-timeout=5m chain=input dst-port=9000 protocol=tcp comment="Port Knocking"

add action=add-src-to-address-list address-list=secure address-list-timeout=1d chain=input dst-port=7000 protocol=tcp src-address-list=first_greeting

add action=accept chain=input comment="Accept Connection From Secure Address" dst-port=8291,80 protocol=tcp src-address-list=secure

add action=accept chain=input comment="Allow Connection via Api service" dst-port=8728 protocol=tcp

add action=drop chain=input comment="Drop Everything Else"

Note :
- ether2        ==> change to your LAN interface. Everything arriving on it is accepted by the first rule, so the knock is only required from the WAN side.
- 9000,7000  ==> change the ports to whatever you like ( except 8291 and 80, or any other port the router listens on ). Keep the rule order as shown: the 9000 rule must come before the 7000 rule, because the second knock only counts if the source is already in first_greeting.
- The timeouts matter: first_greeting lasts 5m, so the second knock must follow within five minutes; secure lasts 1d, so after a day you have to knock again.
- The "Allow Connection via Api service" rule accepts TCP/8728 from any source, so the API stays reachable from the internet without a knock. Disable the rule if you don't want this service to be allowed, or add src-address-list=secure to it so the API is also only opened by the knock.
- There is no rule accepting connection-state=established,related, so replies to connections the router itself opens (DNS, NTP, package updates) are dropped by the last rule. Add such a rule before "Drop Everything Else" if the router needs them.
- The knocks are ordinary TCP packets and anyone sniffing the path can see them. Port knocking hides the ports from scanners; it does not replace a strong password on the router.
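To see how the rule order and the two timeouts interact, here is an added example (not RouterOS code and not from the original post) that emulates the input chain above in Python, with the post's interface name, ports and address-list timeouts. The clock is a plain counter the caller advances. One assumption is labelled in the code: a repeat knock refreshes the entry's expiry in this model, whereas how RouterOS treats an already-listed dynamic entry is not modelled.

```python
"""Emulation of the port-knocking input chain above.

Added example, not RouterOS code. Models the six rules in order with the
post's ports and timeouts so the effect of knock order and list expiry can
be checked offline.
"""

LAN_IF = "ether2"
KNOCK_FIRST, KNOCK_SECOND = 9000, 7000
SERVICE_PORTS = {8291, 80}
API_PORT = 8728
FIRST_GREETING_TTL = 5 * 60        # address-list-timeout=5m
SECURE_TTL = 24 * 60 * 60          # address-list-timeout=1d


class KnockFirewall:
    def __init__(self, now=0):
        self.now = now                 # seconds; advanced by the caller
        self.first_greeting = {}       # src address -> expiry time
        self.secure = {}

    def _listed(self, addr_list, src):
        """True if src is in the list and its dynamic entry has not expired."""
        expiry = addr_list.get(src)
        if expiry is None:
            return False
        if expiry <= self.now:
            del addr_list[src]         # RouterOS removes the entry when the timeout runs out
            return False
        return True

    def packet(self, src, dst_port, proto="tcp", in_interface="ether1"):
        """Run one packet through the chain; returns "accept" or "drop"."""
        if in_interface == LAN_IF:                                   # rule 1: LAN is trusted
            return "accept"
        if proto == "tcp" and dst_port == KNOCK_FIRST:               # rule 2: list add, then fall through
            # Assumption: a repeat knock refreshes the expiry in this model.
            self.first_greeting[src] = self.now + FIRST_GREETING_TTL
        if proto == "tcp" and dst_port == KNOCK_SECOND and self._listed(self.first_greeting, src):
            self.secure[src] = self.now + SECURE_TTL                 # rule 3: second knock within 5m
        if proto == "tcp" and dst_port in SERVICE_PORTS and self._listed(self.secure, src):
            return "accept"                                          # rule 4: Winbox / web for knockers
        if proto == "tcp" and dst_port == API_PORT:                  # rule 5: API open to every source
            return "accept"
        return "drop"                                                # rule 6: everything else


def knock_sequence(fw, src, ports, gap=1):
    """Send the knocks in order, `gap` seconds apart, then return the verdict on 8291."""
    for port in ports:
        fw.packet(src, port)
        fw.now += gap
    return fw.packet(src, 8291)


if __name__ == "__main__":
    fw = KnockFirewall()
    admin = "203.0.113.5"              # constructed sample address
    print("before knocking:", fw.packet(admin, 8291))
    print("after 9000 then 7000:", knock_sequence(fw, admin, (9000, 7000)))
```

Running it shows the Winbox port is dropped until the 9000/7000 sequence has been sent, and that swapping the two knocks, waiting more than five minutes between them, or coming back a day later leaves the port closed again.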

To access your MikroTik from the outside world / internet, use Winbox and add the port after your public IP or domain name (address:port, for example 203.0.113.1:9000). First, use port 9000 and click Connect; the connection fails, but your address is now in first_greeting. Then change the port to 7000 and hit Connect again, within five minutes. Last, remove the port and hit Connect one more time: Winbox now uses its default port 8291, which the "Accept Connection From Secure Address" rule allows for the next day.
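The same knock sequence from a Linux or macOS admin workstation, as an added example that is not part of the original post: it sends one TCP SYN to each knock port in order and then checks whether the Winbox port answers. The ports are the ones from the rules above; the target address in the `__main__` block is a placeholder to replace with your router's public IP or domain name.

```python
"""Port-knock client for the RouterOS rule set in this post.

Added example, not code from the original post. The knock ports (9000, 7000)
and service port (8291, Winbox) are the ones the rules use; change them to
match your own router.
"""
import socket
import sys
import time

KNOCK_PORTS = (9000, 7000)  # rule 2 fills first_greeting, rule 3 fills secure: order matters
SERVICE_PORT = 8291         # Winbox (rule 4 also opens 80)


def knock(host, port, timeout=1.0):
    """Send one knock: a single TCP SYN to host:port.

    The router adds the source to an address list when the packet hits the
    input chain and then drops it at the final rule, so a completed handshake
    is not expected. Returns "timeout", "refused", "connected" or "error: ..."
    so the caller can see what happened; against the rule set above,
    "timeout" is the normal result.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            return f"error: {exc}"
    return "connected"


def port_open(host, port, timeout=2.0):
    """True if a full TCP handshake completes to host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            return False
    return True


def knock_and_check(host, knock_ports=KNOCK_PORTS, service_port=SERVICE_PORT,
                    delay=0.5, timeout=1.0):
    """Knock each port in order, pausing between knocks, then test the service port."""
    for port in knock_ports:
        result = knock(host, port, timeout)
        print(f"knock {host}:{port} -> {result}")
        time.sleep(delay)  # give the router a moment to update the address list
    opened = port_open(host, service_port, timeout)
    print(f"{host}:{service_port} {'open' if opened else 'still closed'}")
    return opened


if __name__ == "__main__":
    # Placeholder target; pass your router's public IP or domain name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    sys.exit(0 if knock_and_check(target) else 1)
```

Once the script reports the Winbox port open, connect with Winbox as usual; because the secure entry lasts a day, the script only needs to be re-run when the entry has expired.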