/ip firewall filter
add action=accept chain=input comment="Allow Connection From LAN" in-interface=ether2
add action=add-src-to-address-list address-list=first_greeting address-list-timeout=5m chain=input dst-port=9000 protocol=tcp comment="Port Knocking (stage 1: remember the source for 5m)"
add action=add-src-to-address-list address-list=secure address-list-timeout=1d chain=input dst-port=7000 protocol=tcp src-address-list=first_greeting comment="Port Knocking (stage 2: only sources that knocked 9000 first)"
add action=accept chain=input comment="Accept Connection From Secure Address" dst-port=8291,80 protocol=tcp src-address-list=secure
add action=accept chain=input comment="Allow Connection via Api service" dst-port=8728 protocol=tcp
add action=drop chain=input comment="Drop Everything Else"
Note :
- ether2 ==> change to your LAN interface.
- 9000,7000 ==> change the knock ports to whatever you like, as long as they differ from the service ports the router listens on (8291, 80 and, if you keep it, 8728).
- Rule order matters. The two add-src-to-address-list rules do not stop processing, so the knock packets themselves fall through to "Drop Everything Else"; the client sees those connection attempts time out, which is expected.
- The first knock is only remembered for 5m, so the second knock must follow within that window. The "secure" entry expires after 1d, so you have to knock again after a day.
- "Allow Connection via Api service" accepts port 8728 from any source, not only from the secure list. Disable that rule unless you really need the API reachable from the Internet.
- The chain has no accept for connection-state=established,related, so replies to connections the router itself opens (DNS, NTP, package updates) are dropped too. Add such a rule above "Drop Everything Else" if the router needs to originate traffic.
To reach your MikroTik from the Internet, open Winbox and append the knock port to your public IP or DDNS name, e.g. 192.168.100.124:9000 or mikrotiktest3.ddns.net:9000. Click Connect with port 9000 (the attempt fails, which is expected), change the port to 7000 and click Connect again (this one fails as well), then remove the port so Winbox uses the default 8291 and click Connect once more. This time your address is in the secure list and the connection is accepted.
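The knock sequence and the rule chain above, as an added Python example that is not part of the original post: `Router` is a hypothetical offline model of the posted input chain (same list names, same 5m/1d timeouts) so the sequence, a wrong order, a stale first knock and the open API port can be checked without a router, and `knock()` / `port_open()` issue the real TCP knocks from a client. The model assumes that a repeated match refreshes a dynamic entry's expiry; the names `KNOCK_PORTS`, `Router`, `run_sequence`, `knock` and `port_open` are my own.

```python
"""Port-knocking client plus an offline model of the posted RouterOS input chain.

Added example, not code from the original post. The model reproduces the
address-list behaviour of the rules above (first_greeting 5m, secure 1d) so the
knock sequence can be reasoned about without a router; knock() does the real thing.
"""
import socket
import sys
import time
from dataclasses import dataclass, field

KNOCK_PORTS = (9000, 7000)     # first knock, second knock (as in the post)
PROTECTED_PORTS = (8291, 80)   # Winbox and WebFig, reachable only from 'secure'
GREETING_TTL = 5 * 60          # address-list-timeout=5m
SECURE_TTL = 24 * 3600         # address-list-timeout=1d


@dataclass
class Router:
    """Hypothetical model of the posted /ip firewall filter input chain, top to bottom."""
    lan_iface: str = "ether2"
    api_open: bool = True      # the 'Allow Connection via Api service' rule enabled?
    lists: dict = field(default_factory=lambda: {"first_greeting": {}, "secure": {}})

    def _in_list(self, name, src, now):
        expiry = self.lists[name].get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.lists[name][src]        # dynamic entry timed out
            return False
        return True

    def packet(self, src, dst_port, now, iface="ether1"):
        """Return 'accept' or 'drop' for one TCP packet entering the input chain."""
        if iface == self.lan_iface:
            return "accept"                                   # Allow Connection From LAN
        if dst_port == KNOCK_PORTS[0]:                        # Port Knocking, stage 1
            self.lists["first_greeting"][src] = now + GREETING_TTL   # assumption: refreshed on re-match
        if dst_port == KNOCK_PORTS[1] and self._in_list("first_greeting", src, now):
            self.lists["secure"][src] = now + SECURE_TTL      # stage 2, list rules do not terminate
        if dst_port in PROTECTED_PORTS and self._in_list("secure", src, now):
            return "accept"                                   # Accept Connection From Secure Address
        if self.api_open and dst_port == 8728:
            return "accept"                                   # Allow Connection via Api service (any source!)
        return "drop"                                         # Drop Everything Else


def run_sequence(router, src, steps):
    """Feed (dst_port, time) tuples from one source through the model; return the decisions."""
    return [router.packet(src, port, t) for port, t in steps]


def knock(host, ports=KNOCK_PORTS, delay=1.0, timeout=2.0):
    """Send the knock sequence: one TCP connect attempt per port, in order.
    The router drops the SYN after updating its list, so every knock is expected to
    time out (or be refused); the attempt itself is what the rule matches on."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass
        time.sleep(delay)


def port_open(host, port, timeout=3.0):
    """True if a TCP handshake completes, i.e. Winbox/WebFig is now reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    src = "203.0.113.7"                                       # constructed client address
    r = Router()
    print("cold 8291:", run_sequence(r, src, [(8291, 0)]))
    print("knock, then 8291:", run_sequence(r, src, [(9000, 0), (7000, 1), (8291, 2)]))
    print("8291 a day later:", r.packet(src, 8291, 2 + SECURE_TTL))
    print("wrong order:", run_sequence(Router(), src, [(7000, 0), (9000, 1), (8291, 2)]))
    print("API from anywhere:", Router().packet("198.51.100.9", 8728, 0))
    if len(sys.argv) > 1:                                     # real knock: python knock.py <host>
        knock(sys.argv[1])
        print("winbox reachable:", port_open(sys.argv[1], 8291))
```

Run it with no arguments to see the model's decisions, or with your router's public name to perform the real knock and test whether 8291 opens afterwards. Because the stage 2 rule only fires for sources already in `first_greeting`, an attacker scanning ports in ascending order (7000 before 9000) never reaches `secure`, which the wrong-order case shows.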