BGP filters to drop bogon prefixes : MikroTik

30.12.2024 20:19


06.08.2024 15:53
For ROS 6
Code:
/routing filter
add action=reject chain=anti-in comment=Yandex prefix=185.71.76.0/22 prefix-length=22-32
add action=reject chain=anti-in comment=Yandex prefix=77.75.152.0/21 prefix-length=21-32
add action=reject chain=anti-in comment=Unblock prefix=51.75.66.20 prefix-length=32
add action=jump chain=anti-in jump-target=drop.bogon.nets
add action=accept chain=anti-in prefix-length=0-32
add action=discard chain=drop.bogon.nets prefix=0.0.0.0/8 prefix-length=8-32
add action=discard chain=drop.bogon.nets prefix=10.0.0.0/8 prefix-length=8-32
add action=discard chain=drop.bogon.nets prefix=100.64.0.0/10 prefix-length=10-32
add action=discard chain=drop.bogon.nets prefix=127.0.0.0/8 prefix-length=8-32
add action=discard chain=drop.bogon.nets prefix=169.254.0.0/16 prefix-length=16-32
add action=discard chain=drop.bogon.nets prefix=172.16.0.0/12 prefix-length=12-32
add action=discard chain=drop.bogon.nets prefix=192.0.0.0/24 prefix-length=24-32
add action=discard chain=drop.bogon.nets prefix=192.0.2.0/24 prefix-length=24-32
add action=discard chain=drop.bogon.nets prefix=192.88.99.0/24 prefix-length=24-32
add action=discard chain=drop.bogon.nets prefix=192.168.0.0/16 prefix-length=16-32
add action=discard chain=drop.bogon.nets prefix=198.18.0.0/15 prefix-length=15-32
add action=discard chain=drop.bogon.nets prefix=198.51.100.0/24 prefix-length=24-32
add action=discard chain=drop.bogon.nets prefix=203.0.113.0/24 prefix-length=24-32
add action=discard chain=drop.bogon.nets prefix=224.0.0.0/4 prefix-length=4-32
add action=discard chain=drop.bogon.nets prefix=240.0.0.0/4 prefix-length=4-32
add action=discard chain=drop.bogon.nets prefix=255.255.255.255 prefix-length=32
add action=return chain=drop.bogon.nets
For ROS 7
Code:
/routing filter rule
add chain=discard disabled=no rule="reject;"
add chain=anti-in disabled=no rule="jump bogon-in "
add chain=anti-in disabled=no rule="if (dst in 77.75.152.0/21 && dst-len >= 21) {set comment YooKassa; set distance +235; reject;}"
add chain=anti-in disabled=no rule="if (dst in 185.71.76.0/22 && dst-len >= 22) {set comment YooKassa; set distance +235; reject;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:100) {set comment POZOR-BLOCK; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:101) {set comment POZOR-BLOCK-SUMM; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:102) {set comment POZOR-BLOCK-SUMM; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:103) {set comment POZOR-BLOCK-SUMM; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:104) {set comment POZOR-BLOCK-SUMM; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:105) {set comment POZOR-BLOCK-SUMM; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:106) {set comment POZOR-BLOCK-SUMM; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:107) {set comment POZOR-BLOCK-SUMM; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:110) {set comment POZOR-BLOCK; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:200) {set comment IP_List; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:210) {set comment IP_List; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:300) {set comment IP_SUMM; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:600) {set comment Block_In_UA; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:700) {set comment Instagram_FaceBook; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:710) {set comment Twitter; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:720) {set comment Netflix; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:730) {set comment Amazon-CloudFront; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:740) {set comment Microsoft; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:750) {set comment Amazon; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:760) {set comment ChatGPT; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:770) {set comment YouTube; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65444:780) {set comment Google; accept;}"
add chain=anti-in disabled=no rule="if (bgp-communities includes 65445:643) {set comment Russia; accept;}"
add chain=anti-in disabled=no rule="accept;"
add chain=bogon-in comment=BOGONS disabled=no rule="if (dst in 0.0.0.0/8 && dst-len >= 8) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 10.0.0.0/8 && dst-len >= 8) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 100.64.0.0/10 && dst-len >= 10) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 127.0.0.0/8 && dst-len >= 8) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 169.254.0.0/16 && dst-len >= 16) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 172.16.0.0/12 && dst-len >= 12) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 192.0.0.0/24 && dst-len >= 24) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 192.0.2.0/24 && dst-len >= 24) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 192.88.99.0/24 && dst-len >= 24) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 192.168.0.0/16 && dst-len >= 16) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 198.18.0.0/15 && dst-len >= 15) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 198.51.100.0/24 && dst-len >= 24) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 203.0.113.0/24 && dst-len >= 24) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 224.0.0.0/4 && dst-len >= 4) { reject }"
add chain=bogon-in disabled=no rule="if (dst in 240.0.0.0/4 && dst-len >= 4) { reject }"
add chain=bogon-in disabled=no rule="if (dst == 255.255.255.255/32 ) { reject }"
add chain=bogon-in disabled=no rule="return;"
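Added example, not part of the post above and not MikroTik code: a small Python model of the ROS 7 `bogon-in` chain. It reimplements the `if (dst in <bogon> && dst-len >= <len>) { reject }` match with the standard `ipaddress` module, so you can check offline which announced prefixes the chain would reject before loading it on a router, and it renders the equivalent `/routing filter rule` lines. The bogon list is the one from the post; the sample prefixes in the `__main__` block are constructed for illustration. Note what the match semantics imply: a prefix is rejected only if it is the bogon block itself or more specific. A covering aggregate such as 192.0.0.0/23, and the default route 0.0.0.0/0, pass straight through, and this chain filters routes received over BGP, not packets, so it does not replace a firewall or uRPF.

```python
"""Offline model of the RouterOS 7 `bogon-in` routing-filter chain.

Added example (not from the post, not MikroTik code): reproduces the
`dst in <bogon> && dst-len >= <len>` test in Python so the behaviour of the
chain can be checked against candidate prefixes before deployment.
"""
import ipaddress

# IPv4 bogon table exactly as used in the post; RFC notes are comments only.
BOGONS = [
    "0.0.0.0/8",        # "this" network (RFC 1122)
    "10.0.0.0/8",       # private (RFC 1918)
    "100.64.0.0/10",    # shared address space / CGNAT (RFC 6598)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local (RFC 3927)
    "172.16.0.0/12",    # private (RFC 1918)
    "192.0.0.0/24",     # IETF protocol assignments (RFC 6890)
    "192.0.2.0/24",     # TEST-NET-1 (RFC 5737)
    "192.88.99.0/24",   # former 6to4 relay anycast (RFC 7526)
    "192.168.0.0/16",   # private (RFC 1918)
    "198.18.0.0/15",    # benchmarking (RFC 2544)
    "198.51.100.0/24",  # TEST-NET-2 (RFC 5737)
    "203.0.113.0/24",   # TEST-NET-3 (RFC 5737)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved; also covers 255.255.255.255/32
]
BOGON_NETS = [ipaddress.ip_network(b) for b in BOGONS]


def matches_bogon(prefix: str):
    """Return the bogon entry whose rule would fire for `prefix`, else None.

    Mirrors RouterOS 7 `if (dst in B && dst-len >= len(B))`: the announced
    prefix must lie inside the bogon block (equal or more specific).  A
    less-specific route that merely covers a bogon block does not match,
    and neither does the default route 0.0.0.0/0.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    for bogon in BOGON_NETS:
        if (net.version == bogon.version
                and net.subnet_of(bogon)
                and net.prefixlen >= bogon.prefixlen):
            return str(bogon)
    return None


def bogon_in_decision(prefix: str) -> str:
    """Outcome of the `bogon-in` chain alone: 'reject', or 'return' to the caller chain."""
    return "reject" if matches_bogon(prefix) else "return"


def render_ros7_rules(chain: str = "bogon-in") -> list[str]:
    """Emit `/routing filter rule add ...` lines equivalent to the post's ROS 7 chain."""
    lines = [
        f'add chain={chain} rule="if (dst in {bogon} && dst-len >= {bogon.prefixlen}) {{ reject }}"'
        for bogon in BOGON_NETS
    ]
    lines.append(f'add chain={chain} rule="return;"')
    return lines


if __name__ == "__main__":
    # Constructed sample of prefixes a peer might announce.
    for p in ["10.20.0.0/16", "8.8.8.0/24", "0.0.0.0/0",
              "192.0.0.0/23", "255.255.255.255/32"]:
        print(f"{p:20} -> {bogon_in_decision(p)} (matched: {matches_bogon(p)})")
    print("/routing filter rule")
    print("\n".join(render_ros7_rules()))
```

Run it as-is to see the decisions and the generated rule lines; to test a prefix list from a peer, feed it into `bogon_in_decision` before applying the chain on the router.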
06.08.2024 15:55
* Meta, together with its products Instagram and Facebook referred to in this article, has been designated an extremist organization in the Russian Federation.

Here is one more filter; use with caution, it is resource-intensive.
https://storage.olegon.ru/supermag/u...filters.rsc.7z
(0.03 MB)