How to Protect your MikroTik RouterOS
Description
To protect your MikroTik RouterOS, you should not only change the admin's password but also set up packet filtering. All packets destined for the router itself are processed against the ip firewall input chain. Note that the input chain does not affect packets which are being transferred through the router.
You can add the following rules under /ip firewall rule input (just 'copy and paste' them to the router using the Terminal Console, or configure the relevant arguments in WinBox):

/ip firewall rule input add connection-state=invalid action=drop \
    comment="Drop invalid connections"
/ip firewall rule input add connection-state=established \
    comment="Allow established connections"
/ip firewall rule input add connection-state=related \
    comment="Allow related connections"
/ip firewall rule input add protocol=udp comment="Allow UDP"
/ip firewall rule input add protocol=icmp comment="Allow ICMP Ping"
/ip firewall rule input add src-address=10.0.0.0/24 \
    comment="Allow access from our local network. Edit this!"
/ip firewall rule input add src-address=192.168.0.0/24 \
    protocol=tcp dst-port=8080 \
    comment="This is web proxy service for our customers. Edit this!"
/ip firewall rule input add action=drop log=yes \
    comment="Log and drop everything else"

Use the /ip firewall rule input print packets command to see how many packets have been processed against these rules. Use the reset-counters command to reset the counters. Examine the system log with /log print to see the packets which have been dropped.
You may need to include additional rules to allow access from certain hosts, etc. Remember that firewall rules are processed in the order they appear on the list. After a rule matches the packet, no more rules are processed for it. After adding new rules, move them up using the move command.
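
The first-match behaviour described above can be checked offline with a small model. The following Python sketch is an added example, not RouterOS code and not part of the original page: it encodes the rules listed above as data and shows that a rule appended after "Log and drop everything else" never matches until it is moved up. The admin host address, its port, and the "accept when nothing matches" fallback are assumptions made for the illustration.

```python
import ipaddress

# The page's input chain as data; a rule without "action" accepts, as in the listing.
RULES = [
    {"state": "invalid", "action": "drop", "comment": "Drop invalid connections"},
    {"state": "established", "comment": "Allow established connections"},
    {"state": "related", "comment": "Allow related connections"},
    {"protocol": "udp", "comment": "Allow UDP"},
    {"protocol": "icmp", "comment": "Allow ICMP Ping"},
    {"src": "10.0.0.0/24", "comment": "Allow access from our local network"},
    {"src": "192.168.0.0/24", "protocol": "tcp", "dst_port": 8080, "comment": "Web proxy"},
    {"action": "drop", "comment": "Log and drop everything else"},
]

# Hypothetical extra rule (constructed address and port) for one admin host.
ADMIN = {"src": "203.0.113.5/32", "protocol": "tcp", "dst_port": 22, "comment": "Admin host"}

def matches(rule, pkt):
    """True if every field the rule sets agrees with the packet."""
    for key in ("state", "protocol", "dst_port"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "src" in rule:
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"])
    return True

def evaluate(rules, pkt):
    """Return (rule index, action) of the first matching rule; later rules are ignored."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule.get("action", "accept")
    return None, "accept"  # assumption: nothing matched, packet is accepted

def move(rules, src, dst):
    """Simplified model of 'move': reinsert rule number src before position dst."""
    rules = list(rules)
    rules.insert(dst, rules.pop(src))
    return rules

if __name__ == "__main__":
    pkt = {"src": "203.0.113.5", "protocol": "tcp", "dst_port": 22, "state": "new"}
    appended = RULES + [ADMIN]                   # new rule lands below the final drop
    print(evaluate(appended, pkt))               # caught by the drop rule
    print(evaluate(move(appended, 8, 7), pkt))   # accepted once moved above it
```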