Kini awọn ofin ti gbogbo olulana MikroTik yẹ ki o ni, ni àlẹmọ ogiriina, nat, ati bẹbẹ lọ?

Atọka akoonu

FirewallFilter
NAT (Itumọ Adirẹsi Nẹtiwọọki)
Awọn imọran Aabo miiran

Ṣiṣe atunto ogiriina ni deede lori olulana MikroTik jẹ pataki lati daabobo nẹtiwọọki rẹ lati iraye si laigba aṣẹ ati awọn iru awọn irokeke aabo miiran. Botilẹjẹpe awọn ofin kan pato le yatọ si da lori awọn iwulo ati iṣeto ti nẹtiwọọki kọọkan, awọn ofin gbogbogbo ati awọn ipilẹ wa ti a ṣeduro fun ọpọlọpọ awọn agbegbe.

Ni isalẹ wa diẹ ninu awọn ofin ati awọn iṣe ti o dara julọ fun àlẹmọ ogiriina, NAT, ati awọn apakan iṣeto ni ibamu miiran ni MikroTik RouterOS.

FirewallFilter

Idi ti àlẹmọ ogiriina ni lati ṣakoso ijabọ ti o kọja nipasẹ olulana, gbigba ọ laaye lati dina tabi gba laaye ijabọ ti o da lori awọn ibeere kan.

Dina wiwọle laigba aṣẹ si olulana:

Rii daju lati ni ihamọ wiwọle si olulana lati ita nẹtiwọki agbegbe rẹ. Eyi jẹ deede nipasẹ didi awọn ibudo iṣakoso, bii 22 (SSH), 23 (Telnet), 80 (HTTP), 443 (HTTPS), ati 8291 (Winbox).

/ip firewall filter
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=22 comment="Bloquear acceso SSH externo"
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=23 comment="Bloquear acceso Telnet externo"
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=80 comment="Bloquear acceso HTTP externo"
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=443 comment="Bloquear acceso HTTPS externo"
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=8291 comment="Bloquear acceso Winbox externo"

2. Dabobo lodi si awọn ikọlu ti o wọpọ:

Ṣiṣe awọn ofin lati daabobo nẹtiwọki rẹ lọwọ awọn ikọlu ti o wọpọ, gẹgẹbi iṣan omi SYN, iṣan omi ICMP, ati wíwo ibudo.

SYN Ìkún Kọlu

/ip firewall filter
add action=add-src-to-address-list address-list="syn_flooders" address-list-timeout=1d chain=input connection-state=new dst-limit=30,60,src-address/1m protocol=tcp tcp-flags=syn comment="Detectar SYN flood"
add action=drop chain=input src-address-list="syn_flooders" comment="Bloquear SYN flooders"

ICMP Ìkún Kọlu

/ip firewall filter
add action=add-src-to-address-list address-list="icmp_flooders" address-list-timeout=1d chain=input protocol=icmp limit=10,20 comment="Detectar ICMP flood"
add action=drop chain=input protocol=icmp src-address-list="icmp_flooders" comment="Bloquear ICMP flooders"

3. Gba laaye ijabọ pataki:

Ṣe atunto awọn ofin lati gba ijabọ abẹfẹlẹ pataki fun nẹtiwọọki rẹ. Eyi pẹlu ijabọ inu ati ijabọ si ati lati Intanẹẹti ti o da lori awọn iwulo pato rẹ.

A ro pe o fẹ gba wiwọle SSH nikan lati nẹtiwọki agbegbe rẹ:

/ip firewall filter
add action=accept chain=input protocol=tcp dst-port=22 src-address=192.168.1.0/24 comment="Permitir acceso SSH interno"

4. Fi ohun gbogbo silẹ:

Gẹgẹbi iṣe aabo, eyikeyi ijabọ ti ko gba laaye ni gbangba tẹlẹ yẹ ki o dina. Eyi ni igbagbogbo ṣe ni ipari awọn ofin àlẹmọ ogiriina rẹ pẹlu ofin ti o kọ tabi ju gbogbo awọn ijabọ miiran silẹ.

Ofin yii yẹ ki o gbe ni opin awọn ofin àlẹmọ rẹ lati ṣe bi eto imulo sẹ aiyipada.

/ip firewall filter
add action=drop chain=input comment="Descartar el resto de tráfico no permitido"

NAT (Itumọ Adirẹsi Nẹtiwọọki)

NAT jẹ lilo nigbagbogbo lati tumọ awọn adirẹsi IP ikọkọ lori nẹtiwọọki agbegbe rẹ si adiresi IP ti gbogbo eniyan fun iraye si Intanẹẹti.

Paja:
- Lo igbese naa masquerade ninu pq srcnat lati gba awọn ẹrọ pupọ laaye lori nẹtiwọọki agbegbe rẹ lati pin adiresi IP ti gbogbo eniyan fun iraye si Intanẹẹti. Eyi ṣe pataki fun awọn nẹtiwọọki ti o wọle si Intanẹẹti nipasẹ ọna asopọ gbohungbohun pẹlu IP ti gbogbo eniyan kan.
DNAT fun awọn iṣẹ inu:
- Ti o ba nilo lati wọle si awọn iṣẹ inu lati ita nẹtiwọki rẹ, o le lo Nla NAT (DNAT) lati ṣe atunṣe ijabọ ti nwọle si awọn IPs ikọkọ ti o baamu. Rii daju pe o ṣe eyi nikan fun awọn iṣẹ to ṣe pataki ki o gbero awọn ilolu aabo.

Awọn imọran Aabo miiran

Awọn imudojuiwọn sọfitiwia:
- Jeki olulana MikroTik rẹ ni imudojuiwọn pẹlu ẹya tuntun ti RouterOS ati famuwia lati daabobo lodi si awọn ailagbara ti a mọ.
Layer 7 Aabo:
- Fun ijabọ-pato ohun elo, o le tunto awọn ofin Layer 7 lati dènà tabi gba awọn ijabọ ti o da lori awọn ilana ni awọn apo data.
Idiwọn IP Adirẹsi Range:
- Ṣe ihamọ iraye si awọn iṣẹ olulana kan si awọn sakani adiresi IP kan pato, nitorinaa idinku eewu wiwọle laigba aṣẹ.

Ranti pe iwọnyi jẹ awọn itọnisọna gbogbogbo nikan. Iṣeto ogiriina kan pato yẹ ki o da lori igbelewọn alaye ti awọn iwulo aabo rẹ, awọn ilana nẹtiwọọki, ati awọn ero ṣiṣe. Ni afikun, o ni imọran lati ṣe idanwo aabo nẹtiwọki nigbagbogbo lati ṣe idanimọ ati dinku awọn ailagbara ti o pọju.

Ko si awọn afi fun ifiweranṣẹ yii.

Njẹ akoonu yii ṣe iranlọwọ fun ọ?

Awọn iwe aṣẹ miiran ni ẹka yii

Awọn asọye 2 lori “Kini awọn ofin ti gbogbo olulana MikroTik yẹ ki o ni, ni àlẹmọ ogiriina, nat, ati bẹbẹ lọ?”

jose
Oṣu Kẹta Ọjọ 23, Ọdun 2024 ni 12:29 irọlẹ

Alaye ti o wa ni apakan yii ko dara pupọ, Mo ro pe Emi yoo gba alaye alaye pupọ ṣugbọn daradara ko si nkankan lati tẹsiwaju wiwa lori intanẹẹti

idahun
1. Mauro Escalante
  Oṣu Kẹta Ọjọ 23, Ọdun 2024 ni 3:01 irọlẹ
  
  José, asọye rẹ jẹ deede, nitorinaa Mo ti tẹsiwaju lati faagun ati ṣe imudojuiwọn awọn iwe.
  Mo dupẹ lọwọ esi rẹ pupọ ati pe Mo nireti pe o sọ awọn iyemeji rẹ kuro ni bayi.
  
  idahun

Fi esi silẹ Fagilee esi

Awọn olukọni wa ni MikroLABs

Ko si Awọn iṣẹ-ẹkọ ti a rii!

8.99 USD

MikroLabs nipasẹ Academy Xperts. Igbesẹ-nipasẹ-Igbese MikroTik iṣeto ni awọn fidio tutorial

(ML-007) Awọn solusan adaṣe lati mu awọn amayederun nẹtiwọọki pọ si: Awọn ilana Subnetting, Ipa-ọna ati laasigbotitusita NAT

Wo diẹ ẹ sii

10.99 USD

(ML-003) Itọsọna lati tunto awọn ipa-ọna ijade Intanẹẹti pẹlu awọn olupese meji tabi diẹ sii (ikuna ati isọdọtun ni iwọntunwọnsi PCC)

Wo diẹ ẹ sii

9.99 USD

(ML-002) Awọn ọna lati fi awọn adirẹsi IP ti gbogbo eniyan si awọn alabara pẹlu MikroTik

Wo diẹ ẹ sii

8.99 USD

(ML-001) Bii o ṣe le ṣakoso daradara ọpọlọpọ awọn IP ti gbogbo eniyan tabi ikọkọ lori olulana eti

Wo diẹ ẹ sii

Fifuye siwaju sii Tutorial

Awọn iwe-iwe (eBooks) MikroTik ni ede Spani

Awọn imọran ipilẹ

To ti ni ilọsiwaju Traffic Iṣakoso

Alailowaya to ti ni ilọsiwaju

Ilana IPv6

Olumulo Alakoso

To ti ni ilọsiwaju Aabo

To ti ni ilọsiwaju afisona

Nẹtiwọki

Yipada & Nsopọ

MikroTik eBooks ni English

Nẹtiwọọki pẹlu MikroTik RouterOS:

Ilana IPv6

Olumulo Alakoso

To ti ni ilọsiwaju Aabo

To ti ni ilọsiwaju afisona

Nẹtiwọki

Yipada & Nsopọ

Academy Xperts OnLine Awọn iwe-ẹri

NASNetwork Administration Specialist

NAS-DAR

NAS-CBR

UASUbiquiti Administration Specialist

Ubiquiti UniFi

UAS-UNI-CAD

UAS-UNI-PDE

Ubiquiti airMAX

UAS-AIR-INT gratis

UAS-AIR-CPM

UAS-AIR-FPD

SIWAJUMikroTik Administration Specialist

MAS-DOC titun - RouterOS v7

MAS-KAP

MAS-ROS gratis

MAS-WOS gratis

MAS-HSM

NAANetwork Administration Specialist

NAE-TCP-A01

NAE-TCP-A02

MAMikroTik Isakoso ẹlẹrọ

Yipada & Nsopọ

MAE-SWI-BON free - titun

MAE-SWI-VLN titun - RouterOS v7

Awön ikanni

MAE-VPN-ZET free - titun

MAE-VPN-PPP

MAE-VPN-IPS

Iṣakoso ijabọ

MAE-CTT-QoS (RouterOS v7)

MAE-CTT-BCA (RouterOS v7)

Ilana

MAE-ADM-UMR

MAE-ADM-UMH

Huawei

Iṣeto ni ti Huawei Yipada ati awọn olulana titun

MAMikroTik Isakoso ẹlẹrọ

Ilana IPv6

MAE-IP6-ROS gratis

MAE-IP6-MED

MAE-IP6-AVN

To ti ni ilọsiwaju afisona

MAE-RAV-ROS gratis

MAE-RAV-VRP free - titun

MAE-RAV-OSPF (RouterOS v7)

MAE-RAV-BGP (RouterOS v7)

IDAJO awọn iwe-ẹri titun

Academy Xperts OnLine Awọn iwe-ẹri

Aabo

Aabo Cybers

CSE-PMI titun!

CSE-HPP Nbọ laipẹ

Aabo IT

SIA-HPP Nbọ laipẹ

Aabo ti alaye

SIN-NSI Nbọ laipẹ

Academy Xperts OnLine Awọn iwe-ẹri

data Science

Python

DS-PYT-BAS titun!

DS-PYT-INT Nbọ laipẹ

NAS
Network Administration Specialist

UAS
Ubiquiti Administration Specialist

SIWAJU
MikroTik Administration Specialist

NAA
Network Administration Specialist

MA
MikroTik Isakoso ẹlẹrọ

MA
MikroTik Isakoso ẹlẹrọ