mikrotik-ips-ids - Browse /release

The interactive file manager requires Javascript. Please enable it or use sftp or scp.
You may still browse the files here.

Name	Modified	Size	InfoDownloads / Week
Parent folder
README	2012-11-29	2.7 kB	0
gkmtfirewall_rel7.zip	2012-11-29	1.5 MB	0
Totals: 2 Items		1.5 MB	0

Prerequisites to work:
1. A Routerboard device (or RouterOS installed on any device) acting as a firewall for your internal network
2. An available linux PC (or server)
3. /ip firewall filter : add your allow rules first and after that drop any connection from outside example:

	1)chain=forward action=accept connection-state=related
	2)chain=input action=accept connection-state=established
	3)chain=input action=accept connection-state=related
	4)chain=forward action=accept connection-state=new src-address-list=internal
	5)chain=forward action=accept protocol=tcp dst-address=192.168.1.10 dst-port=80
	6)chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=25
	7)chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=110
	8)chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=143
	.
	.
	.
	100)chain=forward action=drop dst-address-list=internal

4. Before any other rule in filter add : chain=forward action=drop src-address-list=attackers dst-address-list=internal
5. Before rule 100 add : chain=forward action=log connection-state=new protocol=tcp dst-address-list=internal dst-port=20-35,445,1433,1521,1524,1526,1812,2082,2483,2484,3306,3872 log-prefix="Service Scanner x:" (You can add any ports you want for attacker detection.)
6. Add a new remote logging target at ROS device : /system logging action add name="remotelog" remote=192.168.1.100 remote-port=5555 bsd-syslog=yes target=remote syslog-facility=23 syslog-severity=6
7. Add a new logging /system logging add action=remotelog topics=firewall
8. Checkout source code to your linux machine
9. Compile with : g++ main.cpp attackleases.cpp configfilereader.cpp connection.cpp iplocator.cpp rulefilereader.cpp -o gkmtfirewall -lpthread -lssh
10. Move the executable to /usr/sbin/.
11. Edit contents of gkmtfirewall.conf to adapt your needs
12. Move gkmtfirewall.conf to /etc/gkmtfirewall.conf
13. Move gkmtfirewall.init to /etc/init.d/gkmtfirewall
14. Move IpToCountry.csv to /etc/gkmtfirewall/IpToCountry.csv (it would be better to download a newer version from http://software77.net/geo-ip/)
15. Move rules to /etc/gkmtfirewall/rules
16. Change rules to adapt your needs (countrycode samePacketScore ipScannerScore portScannerScore unknownScannerScore) If a country is not listed in rules then default scores will be applied
17. Change permissions of /etc/init.d/gkmtfirewall to 755
18. Type /etc/init.d/gkmtfirewall start to start the program
19. Take a look at syslog to determine possible problems
20. !!! Remember to update regularly IpToCountry.csv from http://software77.net/geo-ip/ (restart gkmtfirewall after update this file)

Source: README, updated 2012-11-29

mikrotik-ips-ids Files

IDS + IPS for RouterOS (mikrotik)