# RouterOS "/ip firewall filter" export, one rule per line. Rules are evaluated top-down
# within each chain, so order is significant; add-*-to-address-list actions do not
# terminate evaluation, the packet continues to the next rule.
# Address lists referenced here but maintained elsewhere (not defined in this export):
# whitelist, blacklist, bgp-accept, telnet-accept, ssh-accept, ssh-drop, mail-servers,
# CountryIPBlocks. All other lists are filled by rules below and expire after
# their address-list-timeout.
/ip firewall filter
# ---------------------------------------------------------------------------
# input chain: traffic addressed to the router itself
# ---------------------------------------------------------------------------
# Fast path for return traffic; packets conntrack cannot classify are dropped.
add action=accept chain=input comment=established-related-connections connection-state=established,related
add action=drop chain=input comment=invalid-connections connection-state=invalid
# A source that exceeds 30 concurrent TCP connections (counted per /32) is listed
# for 30m and then dropped by the next rule. NOTE(review): this runs before the
# whitelist rules below, so a whitelisted host can also be listed here.
add action=add-src-to-address-list address-list=syn-flood address-list-timeout=30m chain=input comment=syn-flood connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment=syn-flood src-address-list=syn-flood
# Port-scan detection (psd); a detected scanner is listed for 1h and dropped.
# Same ordering caveat as syn-flood: evaluated before any whitelist check.
add action=add-src-to-address-list address-list=scanner-detect address-list-timeout=1h chain=input comment=scanner-detect protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=scanner-detect src-address-list=scanner-detect
# BGP (tcp/179) is only reachable from bgp-accept; others get a TCP reset.
add action=reject chain=input comment=bgp dst-port=179 protocol=tcp reject-with=tcp-reset src-address-list=!bgp-accept
# SNMP (udp/161) is only reachable from the single management host given here.
add action=drop chain=input comment=snmp dst-port=161 protocol=udp src-address=!93.155.130.11
# DNS (udp/53) and the tcp management ports 53, 2000, 2222, 8291 are restricted
# to the whitelist; non-whitelisted TCP gets a reset, non-whitelisted UDP is dropped.
add action=drop chain=input comment=without-whitelist dst-port=53 protocol=udp src-address-list=!whitelist
add action=reject chain=input comment=without-whitelist dst-port=53,2000,2222,8291 protocol=tcp reject-with=tcp-reset src-address-list=!whitelist
# Static blacklist; note it is evaluated after the service-specific rules above.
add action=drop chain=input comment=blacklist src-address-list=blacklist
# SSH brute-force throttle on tcp/2222 (two-stage). Because the whitelist reject
# above already covers 2222, only whitelisted sources reach these rules.
# Stage logic: first new connection lists the source in ssh_stage (1m); a second
# new connection while still in ssh_stage lists it in ssh_blacklist (1d), and the
# final rule drops everything from ssh_blacklist.
# NOTE(review): the threshold is therefore two new connections within one minute,
# which a legitimate operator can trip (e.g. two sessions in quick succession) -
# confirm this is intended.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=input comment="ssh brute force" connection-state=new dst-port=2222 protocol=tcp src-address-list=ssh_stage
add action=add-src-to-address-list address-list=ssh_stage address-list-timeout=1m chain=input comment="ssh brute force" connection-state=new dst-port=2222 protocol=tcp
add action=drop chain=input comment="ssh brute force" dst-port=2222 protocol=tcp src-address-list=ssh_blacklist
# Winbox brute-force throttle on tcp/8291 (four-stage, same pattern as SSH):
# each new connection advances the source one stage (each stage entry lives 1m and
# is refreshed); the fourth new connection inside that window lists the source in
# winbox_blacklist for 1d and the last rule drops it. Also only reached by
# whitelisted sources because of the reject rule above.
add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=1d chain=input comment="winbox brute force" connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1m chain=input comment="winbox brute force" connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m chain=input comment="winbox brute force" connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=1m chain=input comment="winbox brute force" connection-state=new dst-port=8291 protocol=tcp
add action=drop chain=input comment="winbox brute force" dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
# PPTP brute-force: sources listed in pptp_blacklist_DROP (filled by the output
# chain rules below) are dropped for ALL input traffic, not only PPTP, for the
# 10m lifetime of the entry.
add action=drop chain=input comment="pptp brute force" src-address-list=pptp_blacklist_DROP
# ---------------------------------------------------------------------------
# output chain, PPTP part: detect authentication failures the router sends back
# ---------------------------------------------------------------------------
# Matches the "bad username or password" string in outgoing GRE packets and
# advances the destination through stage_1 (1m) -> stage_2 (1m) -> DROP (10m);
# i.e. the third failure within the stage windows gets the peer listed.
# These rules are deliberately placed before the output established/related
# accept at the end of this export, otherwise the content match would never run.
add action=add-dst-to-address-list address-list=pptp_blacklist_DROP address-list-timeout=10m chain=output comment="pptp brute force" content="bad username or password" dst-address-list=pptp_blacklist_stage_2 protocol=gre
add action=add-dst-to-address-list address-list=pptp_blacklist_stage_2 address-list-timeout=1m chain=output comment="pptp brute force" content="bad username or password" dst-address-list=pptp_blacklist_stage_1 protocol=gre
add action=add-dst-to-address-list address-list=pptp_blacklist_stage_1 address-list-timeout=1m chain=output comment="pptp brute force" content="bad username or password" protocol=gre
# ---------------------------------------------------------------------------
# forward chain: traffic routed through the router
# ---------------------------------------------------------------------------
# Malformed TCP flag combinations (null scan, SYN/FIN, FIN/RST, FIN without ACK,
# FIN/URG, SYN/RST, RST/URG). NOTE(review): these seven rules plus the four
# port-0 rules are evaluated before the established/related accept, so every
# forwarded packet pays for them; moving the accept first would be the usual
# fast-path layout - confirm the current order is intended.
add action=drop chain=forward comment="invalid packet flags" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward comment="invalid packet flags" protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward comment="invalid packet flags" protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward comment="invalid packet flags" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward comment="invalid packet flags" protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward comment="invalid packet flags" protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward comment="invalid packet flags" protocol=tcp tcp-flags=rst,urg
# TCP/UDP source or destination port 0 is never legitimate.
add action=drop chain=forward comment=drop_port_0 protocol=tcp src-port=0
add action=drop chain=forward comment=drop_port_0 dst-port=0 protocol=tcp
add action=drop chain=forward comment=drop_port_0 protocol=udp src-port=0
add action=drop chain=forward comment=drop_port_0 dst-port=0 protocol=udp
# Fast path for return traffic.
add action=accept chain=forward comment=established-related-connections connection-state=established,related
# Invalid conntrack state is dropped only on these four VLANs (both directions);
# presumably other interfaces see asymmetric traffic - verify, since a single
# interface-less rule would otherwise be equivalent.
add action=drop chain=forward comment=invalid-connections connection-state=invalid in-interface=vlan149
add action=drop chain=forward comment=invalid-connections connection-state=invalid out-interface=vlan149
add action=drop chain=forward comment=invalid-connections connection-state=invalid in-interface=vlan1701
add action=drop chain=forward comment=invalid-connections connection-state=invalid out-interface=vlan1701
add action=drop chain=forward comment=invalid-connections connection-state=invalid in-interface=vlan1702
add action=drop chain=forward comment=invalid-connections connection-state=invalid out-interface=vlan1702
add action=drop chain=forward comment=invalid-connections connection-state=invalid in-interface=vlan2017
add action=drop chain=forward comment=invalid-connections connection-state=invalid out-interface=vlan2017
# Forwarded telnet is limited to telnet-accept; forwarded SSH to hosts in
# ssh-drop is limited to ssh-accept.
add action=drop chain=forward comment=telnet dst-port=23 protocol=tcp src-address-list=!telnet-accept
add action=drop chain=forward comment=ssh dst-address-list=ssh-drop dst-port=22 protocol=tcp src-address-list=!ssh-accept
# Static blacklist, applied to both source and destination.
add action=drop chain=forward comment=blacklist src-address-list=blacklist
add action=drop chain=forward comment=blacklist dst-address-list=blacklist
# SMB/RPC/portmapper are not forwarded at all.
add action=drop chain=forward comment=samba dst-port=111,135,137-139,445 protocol=tcp
add action=drop chain=forward comment=samba dst-port=111,135,137-139,445 protocol=udp
# Outbound SMTP (25/587) from anything not in mail-servers: sources exceeding the
# connection-limit and the rate limit are listed as spam for 3h and then dropped.
add action=add-src-to-address-list address-list=spam address-list-timeout=3h chain=forward comment=spam connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp src-address-list=!mail-servers
add action=drop chain=forward comment=spam dst-port=25,587 protocol=tcp src-address-list=spam
# Geo-block list: no ICMP, no selected TCP services, no DNS/SNMP over UDP.
add action=drop chain=forward comment=CountryIPBlocks protocol=icmp src-address-list=CountryIPBlocks
add action=drop chain=forward comment=CountryIPBlocks dst-port=20,21,22,23,25,53,1723,3128,8080 protocol=tcp src-address-list=CountryIPBlocks
add action=drop chain=forward comment=CountryIPBlocks dst-port=53,161 protocol=udp src-address-list=CountryIPBlocks
# ICMP allow-list by type:code; everything else (redirects included) is dropped
# by the final other-types rule. 3:4 is "fragmentation needed", which must pass
# for path-MTU discovery to work.
add action=accept chain=forward comment=echo-reply icmp-options=0:0 protocol=icmp
add action=accept chain=forward comment=net-unreachable icmp-options=3:0 protocol=icmp
add action=accept chain=forward comment=host-unreachable icmp-options=3:1 protocol=icmp
add action=accept chain=forward comment=host-unreachable-fragmentation-required icmp-options=3:4 protocol=icmp
add action=accept chain=forward comment=source-quench icmp-options=4:0 protocol=icmp
add action=accept chain=forward comment=echo-request icmp-options=8:0 protocol=icmp
add action=accept chain=forward comment=parameter-bad icmp-options=12:0 protocol=icmp
add action=accept chain=forward comment=time-exceed icmp-options=11:0 protocol=icmp
add action=drop chain=forward comment=other-types protocol=icmp
# ---------------------------------------------------------------------------
# output chain, generic part
# ---------------------------------------------------------------------------
add action=accept chain=output comment=established-related-connections connection-state=established,related
add action=drop chain=output comment=invalid-connections connection-state=invalid
# NOTE(review): no chain ends with a catch-all drop. RouterOS accepts a packet that
# matches no rule, so on the input chain every router service not covered above
# (anything other than 53, 161, 179, 2000, 2222, 8291) is reachable from any
# source. A terminal "add action=drop chain=input" would close that, but it needs
# explicit accepts first for the whitelist, bgp-accept, the SNMP host, ICMP and
# the PPTP service (tcp/1723 + GRE) that the output rules imply is running -
# review against the actual service list before adding it. The open forward chain
# may be intended for a transit router; confirm.