/ip firewall address-list
# "white" is the allow-list consulted by the honeypot rules in /ip firewall mangle
# (src-address-list=!white). The address= values were blanked before this export
# was shared; each entry needs a real host or prefix (placeholder:
# <WHITELISTED-ADDRESS>). An empty address is not a valid value, so as written
# these lines are expected to be rejected on import — confirm before re-importing.
add address= list=white
add address= list=white
add address= list=white
add address= list=white
add address= list=white
/ip firewall filter
# Rule order is significant: RouterOS evaluates each chain top-down and the first
# terminating action (accept/drop/tarpit/fasttrack) wins, while
# add-src-to-address-list is pass-through. Review the chain as a whole before
# moving any rule.
#
# --- connection-tracking shortcuts ---
# Established/related traffic is fasttracked (forward, tcp/udp) and accepted
# before any detection rule below, and invalid is dropped; the counting/staging
# rules further down therefore only ever see new or untracked packets.
add action=fasttrack-connection chain=forward connection-state=\
established,related protocol=tcp
add action=fasttrack-connection chain=forward connection-state=\
established,related protocol=udp
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
# --- DNS on the WAN side ---
# Any source sending UDP/53 to the router over pppoe-out1 is recorded in
# DNS_FLOOD (none-dynamic: no expiry, entries vanish on reboot) and the packet is
# dropped. Nothing else on this page matches on DNS_FLOOD, so the list is a
# record only, not an enforcement input.
add action=add-src-to-address-list address-list=DNS_FLOOD \
address-list-timeout=none-dynamic chain=input comment=DNS dst-port=53 \
in-interface=pppoe-out1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=udp
# --- concurrent-connection limiting (ddos-blacklist) ---
# A /32 holding more than 100 concurrent TCP connections to the router via
# pppoe-out1 is listed for 1d; a listed source with more than 3 connections is
# tarpitted rather than dropped. Tarpit keeps the handshake open, which costs
# router state as well as the peer's — confirm that trade-off is intended.
add action=add-src-to-address-list address-list=ddos-blacklist \
address-list-timeout=1d chain=input comment=DDos connection-limit=100,32 \
in-interface=pppoe-out1 protocol=tcp
add action=tarpit chain=input connection-limit=3,32 in-interface=pppoe-out1 \
protocol=tcp src-address-list=ddos-blacklist
# --- SYN rate limiting ---
# Every TCP SYN in forward (any interface) and in input from pppoe-out1 is sent
# to SYN-Protect. connection-state="" on the jump means no state match there;
# inside the chain, new SYNs return while under 200/s (burst 5) and are dropped
# above that. The limit is global, not per source, so one noisy peer can cause
# drops for everyone.
add action=jump chain=forward connection-state="" jump-target=SYN-Protect \
protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state="" in-interface=pppoe-out1 \
jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
tcp-flags=syn
# --- port-scan detection ---
# psd=21,3s,3,1 populates "Port Scanners" (no expiry until reboot) from the wan
# interface list, but the drop rule that would enforce it is disabled=yes, so
# detection currently changes nothing. Enable it deliberately, after checking
# the list for false positives.
add action=drop chain=input comment="Ports Scanners" disabled=yes \
src-address-list="Port Scanners"
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input in-interface-list=wan \
protocol=tcp psd=21,3s,3,1
# --- Winbox (tcp/8291) exposed on pppoe-out1 behind a 3-stage counter ---
# Evaluation order is blacklist -> Stage 3 -> Stage 2 -> Stage 1 -> accept, and
# the list actions are pass-through, so a new connection is counted and then
# accepted in the same pass. Stage entries live 1m: the 1st new connection lands
# in Stage 1, a 2nd within 1m in Stage 2, a 3rd in Stage 3, and a 4th is logged
# ("BLACK WINBOX") and blacklisted until reboot (none-dynamic). The Stage 3 rule
# uses connection-state="" where the other stages use new; only new packets reach
# it in practice (established/related and invalid are handled at the top), but
# the matchers should agree. Until the 4th attempt Winbox answers any internet
# source; restricting the final accept to a source address list would close that
# window — confirm with whoever needs remote Winbox.
add action=drop chain=input comment="Win-box Access" src-address-list=\
"Black List Winbox"
add action=add-src-to-address-list address-list="Black List Winbox" \
address-list-timeout=none-dynamic chain=input connection-state=new \
dst-port=8291 in-interface=pppoe-out1 log=yes log-prefix="BLACK WINBOX" \
protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
address-list-timeout=1m chain=input connection-state="" dst-port=8291 \
in-interface=pppoe-out1 protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
in-interface=pppoe-out1 protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input dst-port=8291 in-interface=pppoe-out1 protocol=\
tcp
# --- remaining accepts ---
# PPP peers are forwarded in both directions. There is no terminal drop in
# forward, so anything not matched above is forwarded by the chain's default
# accept — including traffic to the dst-nat/netmap targets in /ip firewall nat.
add action=accept chain=forward comment="Permit all PPP" in-interface=all-ppp
add action=accept chain=forward out-interface=all-ppp
# ICMP is accepted on every interface with no rate limit.
add action=accept chain=input protocol=icmp
# port= matches source OR destination port, on any interface: IKE (500),
# L2TP (1701) and NAT-T (4500) over UDP.
add action=accept chain=input port=500,1701,4500 protocol=udp
# OpenVPN tcp/1194 on pppoe-out1. The honeypot jump in /ip firewall mangle also
# lists 1194, so a client not in "white" is staged on its first new connection —
# see the note there.
add action=accept chain=input comment=ovpn dst-port=1194 in-interface=\
pppoe-out1 protocol=tcp
# tcp/1701: L2TP itself runs over UDP (accepted two rules up); confirm a TCP
# listener on 1701 actually exists before keeping this.
add action=accept chain=input comment=l2tp dst-port=1701 in-interface=\
pppoe-out1 protocol=tcp
# Final input drop covers pppoe-out1 only. Input arriving on ether1, bridge-lan
# or other members of the wan interface list is not dropped here — verify those
# interfaces are not internet-facing, or widen this to in-interface-list=wan.
add action=drop chain=input comment="all drop" in-interface=pppoe-out1
/ip firewall mangle
# Honeypot: new TCP connections from the wan interface list to ports
# 21,22,23,1194,3389, from any source not in "white", are handed to
# honeypot-detect. This is mangle input, i.e. only packets addressed to the
# router itself; dst-nat'd traffic goes to forward and is never seen here.
# log-prefix is set but log=yes is not, so these hits are not written to the
# log — add log=yes if they should be visible.
# 1194 is also the OpenVPN port accepted in /ip firewall filter: a legitimate
# client whose address is not in "white" is staged on its first new connection
# and, on a second within 1d, dropped in /ip firewall raw for 4w2d. Either keep
# such clients in "white" or remove 1194 from this list.
add action=jump chain=input comment="add to HoneyPot list" connection-state=\
new dst-port=21,22,23,1194,3389 in-interface-list=wan jump-target=\
honeypot-detect log-prefix="-> HoneyPot detect -" protocol=tcp \
src-address-list=!white
# honeypot-detect: the first rule promotes a source already in stage1 (second
# hit within 1d) to honeypot-drop-list for 4w2d; the second puts first-time
# sources in stage1 for 1d. Order matters — swapped, a single hit would be
# blacklisted at once. The !white match on the second rule is redundant (the
# jump already excludes "white") but harmless. Enforcement lives in
# /ip firewall raw.
add action=add-src-to-address-list address-list=honeypot-drop-list \
address-list-timeout=4w2d chain=honeypot-detect src-address-list=\
honeypot-list-stage1
add action=add-src-to-address-list address-list=honeypot-list-stage1 \
address-list-timeout=1d chain=honeypot-detect src-address-list=!white
/ip firewall nat
# Masquerade LAN 192.168.1.0/24 leaving via pppoe-out1.
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
192.168.1.0/24
# Inbound tcp/52147 -> <internal host>:3389, currently disabled. The
# to-addresses value was blanked before this export was shared (placeholder:
# <RDP-HOST>); supply it before enabling.
add action=dst-nat chain=dstnat comment=rdp_1c disabled=yes dst-port=52147 \
in-interface=pppoe-out1 protocol=tcp to-addresses= to-ports=\
3389
# WireGuard udp/44443 forwarded to an internal peer; to-addresses was likewise
# blanked (placeholder: <WG-HOST>).
add action=dst-nat chain=dstnat comment=wg dst-port=44443 in-interface=\
pppoe-out1 protocol=udp to-addresses= to-ports=44443
# Catch-all masquerade for the LAN regardless of out-interface. This is what
# makes the hairpin rule below work (LAN clients see the router as the source);
# it also makes the pppoe-out1-specific masquerade above redundant.
add action=masquerade chain=srcnat src-address=192.168.1.0/24
# tcp/8000 and tcp/554 arriving on ether1 are netmapped to 192.168.1.180.
# /ip firewall filter has no forward drop, so nothing restricts who may reach
# these — confirm which network ether1 faces, and consider a forward rule
# limited by a source address list.
add action=netmap chain=dstnat dst-port=8000 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.180 to-ports=8000
add action=netmap chain=dstnat dst-port=554 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.180 to-ports=554
# Hairpin NAT: LAN clients addressing 190.190.190.190:554 (presumably the
# router's public address — confirm) are redirected to 192.168.1.180.
add action=netmap chain=dstnat dst-address=190.190.190.190 dst-port=554 \
in-interface=bridge-lan protocol=tcp src-address=192.168.1.0/24 \
to-addresses=192.168.1.180 to-ports=554
# udp/3389 from the LAN bridge -> 192.168.1.240 (presumably RDP's UDP transport).
add action=dst-nat chain=dstnat dst-port=3389 in-interface=bridge-lan \
protocol=udp to-addresses=192.168.1.240
# tcp/3389 on all interfaces -> 192.168.1.240, but src-address=0.0.0.0 is a
# single host (/32), not "any", so this rule matches essentially nothing. If it
# is meant to be inactive, disabled=yes says so explicitly; if it is meant to
# expose RDP, narrow it to a trusted source list rather than opening it to
# 0.0.0.0/0.
add action=dst-nat chain=dstnat dst-port=3389 in-interface-list=all protocol=\
tcp src-address=0.0.0.0 to-addresses=192.168.1.240
/ip firewall raw
# Enforcement for the mangle honeypot: sources in honeypot-drop-list (4w2d
# entries) are dropped in prerouting, ahead of connection tracking, on the wan
# interface list. A listed source is blocked for all protocols and ports, not
# only the honeypot ports.
add action=drop chain=prerouting comment="drop HoneyPot list" \
in-interface-list=wan src-address-list=honeypot-drop-list