MikroTik RouterOS/ROS: an IPv6 firewall security script

As the previous post showed, once IPv6 is enabled on a MikroTik router every device on the LAN is reachable from the public Internet on every port. This post provides a script that closes that hole.

The core purpose of this firewall script is to harden the IPv6 side of the network. It breaks down into the following parts:

  1. Define and tag "invalid" IPv6 addresses
    • Use an address-list to put the common invalid, reserved or special-purpose IPv6 prefixes (for example ::1 and fec0::/10) into the bad_ipv6 list, so that later rules can reference it directly.
  2. Input chain rules
    • Allow specific traffic
      • Accept established or related connections (connection-state ESTABLISHED, RELATED).
      • Accept valid ICMPv6 traffic, UDP traceroute and DHCPv6 client traffic.
      • Open specific management ports (Winbox, Webfig) and the DNS service.
      • Accept IPsec-related protocols and traffic that matches an IPsec policy.
    • Reject illegitimate or anomalous traffic
      • Drop invalid connections and all other traffic that does not come from the LAN.
  3. Forward chain rules
    • Allow specific traffic
      • Accept established or related connections, ICMPv6 traffic, IPsec protocols and traffic that matches an IPsec policy.
    • Drop illegitimate or anomalous traffic
      • Drop traffic whose source or destination address is on the bad_ipv6 list.
      • Drop ICMPv6 traffic with a hop limit of 1 (RFC 4890).
      • Block all other traffic that has not been destination-NATed (dstnat) and does not come from the LAN.
  4. Overall security policy
    • Ensure the firewall's default stance is "deny everything except what is explicitly allowed", which reduces the opportunity for unauthorized access.

Summary
By defining a list of invalid addresses, allowing legitimate IPv6 protocol and management traffic, and dropping anomalous traffic, the script implements a complete IPv6 firewall configuration.


/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
# whitelist: allow Winbox, the web management UI and the other permitted input ports
add action=accept chain=input comment="accept winbox+webfig" dst-port=\
    8291,80 log=yes protocol=tcp
add action=accept chain=input comment="accept wg" dst-port=3003,3005 log=yes \
    protocol=udp
add action=accept chain=input comment="accept DNS from LAN" dst-port=53 \
    in-interface-list=LAN log=yes protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="accept RDP tcp/3389 (disabled)" \
    disabled=yes dst-port=3389 protocol=tcp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" connection-nat-state=\
    !dstnat in-interface-list=!LAN
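To check what the rule set above actually does before committing it to a router, here is an added example that is not part of the original post and not MikroTik code: it models the script's bad_ipv6 address-list and its input and forward filter rules in Python and evaluates constructed sample packets against them with RouterOS first-match semantics. It assumes the implicit accept that RouterOS applies when no rule in a chain matches, models the "UDP traceroute" rule on destination port only (RouterOS `port=` also matches the source port), leaves out the disabled tcp/3389 rule, and, because 2001:db8::/32 is itself on the bad_ipv6 list, uses constructed host addresses from the separate 3fff::/20 documentation range for the Internet and LAN sides. The `Packet` fields and the `in_list`/`dstnat`/`ipsec_policy` flags are simplifications of the corresponding RouterOS matchers.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes copied from the page's "/ipv6 firewall address-list ... list=bad_ipv6".
BAD_IPV6 = [ipaddress.ip_network(p) for p in (
    "::/128", "::1/128", "fec0::/10", "::ffff:0.0.0.0/96", "::/96", "100::/64",
    "2001:db8::/32", "2001:10::/28", "3ffe::/16", "::224.0.0.0/100",
    "::127.0.0.0/104", "::/104", "::255.0.0.0/104",
)]


def in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def in_bad_list(addr: str) -> bool:
    """Mimic src-address-list / dst-address-list=bad_ipv6."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BAD_IPV6)


@dataclass
class Packet:
    chain: str                  # "input" (to the router itself) or "forward" (through it)
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmpv6", "ipsec-ah", "ipsec-esp" or "139" (HIP)
    dst_port: int = 0
    in_list: str = "WAN"        # interface list the packet arrived on: "LAN" or "WAN"
    conn_state: str = "new"     # connection-state as seen by RouterOS connection tracking
    dstnat: bool = False        # connection-nat-state=dstnat
    hop_limit: int = 64
    ipsec_policy: bool = False  # would match ipsec-policy=in,ipsec


# (chain, action, matcher) in the page's order. First match wins, as in a RouterOS
# filter chain. The disabled tcp/3389 forward rule is left out. Assumption: the
# "UDP traceroute" rule is modelled on destination port only.
RULES = [
    ("input", "accept", lambda p: p.conn_state in ("established", "related", "untracked")),
    ("input", "drop", lambda p: p.conn_state == "invalid"),
    ("input", "accept", lambda p: p.proto == "icmpv6"),
    ("input", "accept", lambda p: p.proto == "udp" and 33434 <= p.dst_port <= 33534),
    ("input", "accept", lambda p: p.proto == "udp" and p.dst_port == 546 and in_net(p.src, "fe80::/10")),
    ("input", "accept", lambda p: p.proto == "udp" and p.dst_port in (500, 4500)),
    ("input", "accept", lambda p: p.proto == "tcp" and p.dst_port in (8291, 80)),    # winbox+webfig
    ("input", "accept", lambda p: p.proto == "udp" and p.dst_port in (3003, 3005)),  # wg
    ("input", "accept", lambda p: p.proto == "udp" and p.dst_port == 53 and p.in_list == "LAN"),
    ("input", "accept", lambda p: p.proto in ("ipsec-ah", "ipsec-esp")),
    ("input", "accept", lambda p: p.ipsec_policy),
    ("input", "drop", lambda p: p.in_list != "LAN"),
    ("forward", "accept", lambda p: p.conn_state in ("established", "related", "untracked")),
    ("forward", "drop", lambda p: p.conn_state == "invalid"),
    ("forward", "drop", lambda p: in_bad_list(p.src)),
    ("forward", "drop", lambda p: in_bad_list(p.dst)),
    ("forward", "drop", lambda p: p.proto == "icmpv6" and p.hop_limit == 1),
    ("forward", "accept", lambda p: p.proto == "icmpv6"),
    ("forward", "accept", lambda p: p.proto == "139"),
    ("forward", "accept", lambda p: p.proto == "udp" and p.dst_port in (500, 4500)),
    ("forward", "accept", lambda p: p.proto in ("ipsec-ah", "ipsec-esp")),
    ("forward", "accept", lambda p: p.ipsec_policy),
    ("forward", "drop", lambda p: not p.dstnat and p.in_list != "LAN"),
]


def verdict(p: Packet) -> str:
    """Action of the first matching rule in the packet's chain. A chain with no
    matching rule accepts the packet, which is why the script has to end each
    chain with an explicit drop to get deny-by-default behaviour."""
    for chain, action, match in RULES:
        if chain == p.chain and match(p):
            return action
    return "accept"


if __name__ == "__main__":
    # Constructed sample packets; 3fff::/20 is used because 2001:db8::/32 is on bad_ipv6.
    samples = [
        ("WAN -> router winbox", Packet("input", "3fff::1", "3fff:1::1", "tcp", 8291)),
        ("WAN -> router ssh", Packet("input", "3fff::1", "3fff:1::1", "tcp", 22)),
        ("LAN -> router ssh", Packet("input", "3fff:1::10", "3fff:1::1", "tcp", 22, in_list="LAN")),
        ("WAN -> LAN https (new)", Packet("forward", "3fff::1", "3fff:1::10", "tcp", 443)),
        ("WAN -> LAN https (dstnat)", Packet("forward", "3fff::1", "3fff:1::10", "tcp", 443, dstnat=True)),
        ("bad src -> LAN icmpv6", Packet("forward", "2001:db8::5", "3fff:1::10", "icmpv6")),
        ("WAN -> LAN icmpv6 hop-limit 1", Packet("forward", "3fff::1", "3fff:1::10", "icmpv6", hop_limit=1)),
    ]
    for label, pkt in samples:
        print(f"{label:32} {verdict(pkt)}")
```

Running it shows, for instance, that a new TCP connection to port 8291 is accepted regardless of the interface it arrives on (the Winbox/Webfig rule sits before the "not from LAN" drop and has no interface restriction), while port 22 is only reachable from the LAN, and that a WAN-originated forward packet is accepted only when it is part of an existing connection or has been destination-NATed. If you reorder rules in the script, re-run the model to confirm the verdicts match what you intend before applying the change to a router.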