Name | Modified | Size | Downloads / Week |
---|---|---|---|
Parent folder | | | |
README | 2012-12-04 | 2.9 kB | |
gkmtfirewall_rel8.zip | 2012-12-04 | 1.6 MB | |
Totals: 2 Items | | 1.6 MB | 0 |
Prerequisites to work:

1. A Routerboard device (or RouterOS installed on any device) acting as a firewall for your internal network.
2. An available Linux PC (or server) with the libpthread-dev, libopenssh-dev and aggregate packages installed.
3. In `/ip firewall filter`, add your allow rules first, and after them drop any connection from outside. Example:

   ```
   1)   chain=forward action=accept connection-state=related
   2)   chain=input action=accept connection-state=established
   3)   chain=input action=accept connection-state=related
   4)   chain=forward action=accept connection-state=new src-address-list=internal
   5)   chain=forward action=accept protocol=tcp dst-address=192.168.1.10 dst-port=80
   6)   chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=25
   7)   chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=110
   8)   chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=143
   ...
   100) chain=forward action=drop dst-address-list=internal
   ```

4. Before any other rule in the filter, add:

   ```
   chain=forward action=drop src-address-list=attackers dst-address-list=internal
   ```

5. Before rule 100, add:

   ```
   chain=forward action=log connection-state=new protocol=tcp dst-address-list=internal dst-port=20-35,445,1433,1521,1524,1526,1812,2082,2483,2484,3306,3872 log-prefix="Service Scanner x:"
   ```

   (You can add any ports you want for attacker detection.)
6. Add a new remote logging target on the RouterOS device:

   ```
   /system logging action add name="remotelog" remote=192.168.1.100 remote-port=5555 bsd-syslog=yes target=remote syslog-facility=23 syslog-severity=6
   ```

7. Add a new logging rule:

   ```
   /system logging add action=remotelog topics=firewall
   ```

8. Check out the source code to your Linux machine.
9. Compile with:

   ```
   g++ main.cpp attackleases.cpp configfilereader.cpp connection.cpp iplocator.cpp rulefilereader.cpp externalblocklist.cpp -o gkmtfirewall -lpthread -lssh
   ```

10. Move the executable to /usr/sbin/.
11. Edit the contents of gkmtfirewall.conf to suit your needs.
12. Move gkmtfirewall.conf to /etc/gkmtfirewall.conf.
13. Move aggregates.txt to /etc/gkmtfirewall/aggregates.txt.
14. Move update.sh to /etc/gkmtfirewall/update.sh.
15. Move gkmtfirewall.init to /etc/init.d/gkmtfirewall.
16. Move IpToCountry.csv to /etc/gkmtfirewall/IpToCountry.csv (it is better to download a newer version from http://software77.net/geo-ip/).
17. Move rules to /etc/gkmtfirewall/rules.
18. Change rules to suit your needs (fields: countrycode samePacketScore ipScannerScore portScannerScore unknownScannerScore). If a country is not listed in rules, the default scores are applied.
19. Run update.sh from /etc/gkmtfirewall/update.sh.
20. Change the permissions of /etc/init.d/gkmtfirewall to 755.
21. Type /etc/init.d/gkmtfirewall start to start the program.
22. Take a look at syslog to determine possible problems.
23. !!! Remember to update IpToCountry.csv regularly from http://software77.net/geo-ip/ (restart gkmtfirewall after updating this file).
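As an added example (not part of gkmtfirewall or this README), the following Python sketch shows what the Linux side has to do with the entries that steps 5 to 7 forward: pick out the firewall log lines carrying the "Service Scanner x:" prefix and classify each source address by behaviour, using the category names from the rules file (samePacket, ipScanner, portScanner, unknownScanner). The log-line layout and the sample lines are constructed, the interpretation of the four categories is an assumption, and the per-country weighting via IpToCountry.csv is omitted.

```python
import re
from collections import defaultdict

# Constructed sample payloads (not from the page), shaped like RouterOS "firewall"
# topic entries forwarded by the remote syslog action with the log-prefix from step 5.
SAMPLE_LOG = """\
<190>firewall,info Service Scanner x: forward: in:ether1 out:ether2, proto TCP (SYN), 203.0.113.7:51234->192.168.1.11:445, len 60
<190>firewall,info Service Scanner x: forward: in:ether1 out:ether2, proto TCP (SYN), 203.0.113.7:51235->192.168.1.11:1433, len 60
<190>firewall,info Service Scanner x: forward: in:ether1 out:ether2, proto TCP (SYN), 203.0.113.7:51236->192.168.1.10:3306, len 60
<190>firewall,info Service Scanner x: forward: in:ether1 out:ether2, proto TCP (SYN), 198.51.100.3:40000->192.168.1.11:25, len 60
<190>firewall,info Service Scanner x: forward: in:ether1 out:ether2, proto TCP (SYN), 198.51.100.3:40001->192.168.1.11:25, len 60
<190>firewall,info input: in:ether1 out:(none), proto ICMP, 192.0.2.9->192.168.1.1, len 84
"""

# Only lines produced by the step-5 log rule carry the prefix; everything else is ignored.
LINE_RE = re.compile(
    r"Service Scanner x:.*?proto (?P<proto>\w+).*?"
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3}):\d+->"
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3}):(?P<dport>\d+)"
)

def parse_line(line):
    """Return (src, dst, dport) for a scanner-rule hit, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])

def classify(events, threshold=3):
    """Assumed meaning of the rules-file categories; events is a list of (dst, dport)."""
    ports = {p for _, p in events}
    hosts = {h for h, _ in events}
    if len(ports) >= threshold:
        return "portScanner"          # many different services probed
    if len(hosts) >= threshold:
        return "ipScanner"            # one service probed across many internal hosts
    if len(events) > 1 and len(set(events)) == 1:
        return "samePacket"           # identical dst:port repeated
    return "unknownScanner"

def score_sources(log_text, threshold=3):
    """Group scanner-rule hits by source address and classify each source."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            src, dst, dport = rec
            hits[src].append((dst, dport))
    return {src: (len(ev), classify(ev, threshold)) for src, ev in hits.items()}
```

Running `score_sources(SAMPLE_LOG)` on the constructed lines flags 203.0.113.7 as a portScanner and 198.51.100.3 as samePacket, while the ICMP line is dropped because it does not carry the prefix.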