FIREWALL
Default firewall rules for RouterOS.
Opinionated, well-explained .rsc snippets covering the input chain,
forward chain, and IPv6. Each rule has a rationale, when you'd want to disable
it, and references. Authored for both RouterOS v6 and v7 — toggle the version
in the header to see the syntax that matches your router.
Topics
- Quickstart: Harden a fresh router in about 10 minutes with the stepped paste-along.
- Input chain: Traffic destined for the router itself. Drop invalid packets and port scanners, accept established/related connections, restrict the management ports to a source-IP allow-list.
- Forward chain: Traffic transiting the router. FastTrack established connections, drop invalid packets, drop new connections arriving from the WAN unless a dst-nat rule matched them.
- Output chain: Rarely customised. Two legitimate cases: block outbound SMTP from the router as a tripwire, rate-limit a public DNS resolver.
- IPv6: IPv6-specific rules. Diverges substantially between RouterOS v6 (separate ipv6 package) and v7 (built in).
- Winbox / SSH hardening: Restrict the two main admin surfaces: source-IP allow-list, off-default ports, key-only SSH, replace the default admin account.
- Services hardening: Disable telnet/ftp/api, restrict the rest by source IP, put a real certificate on Webfig HTTPS.
- NAT: Masquerade for SOHO, dst-nat / port forwarding, and hairpin NAT for "reach my public IP from inside the LAN."
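To show how the input-chain, forward-chain, NAT and services topics above fit together in one paste, here is a minimal baseline in RouterOS v7 syntax. It is an added example, not one of this site's snippets, and everything topology-specific in it is an assumption: ether1 is the WAN port, the interface named `bridge` is the LAN, the LAN is 192.168.88.0/24, and 192.168.88.10 is the only host allowed to manage the router. Rules are evaluated top to bottom, so the order matters: the final drop in each chain must stay last, and the FastTrack rule must sit before the accept rule it feeds.

```routeros
# Added example (not one of this site's snippets). RouterOS v7 syntax.
# Assumptions: ether1 = WAN, bridge = LAN, LAN = 192.168.88.0/24,
# 192.168.88.10 = the only management host. Adjust before pasting.
# Paste from a console or Safe Mode session; rule order is significant.

/interface list
add name=WAN comment="internet-facing"
add name=LAN comment="trusted inside"
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/ip firewall address-list
add list=mgmt address=192.168.88.10 comment="hosts allowed to manage the router"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="input: accept established/related"
add chain=input action=drop connection-state=invalid \
    comment="input: drop invalid"
add chain=input action=drop src-address-list=port-scanners \
    comment="input: drop hosts already tagged as scanners"
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 \
    address-list=port-scanners address-list-timeout=2w \
    comment="input: tag port scanners (psd = weight,delay,low-port-weight,high-port-weight)"
add chain=input action=accept protocol=icmp \
    comment="input: allow ping and path-MTU discovery"
add chain=input action=accept protocol=tcp dst-port=8291,22 src-address-list=mgmt \
    comment="input: Winbox/SSH only from the management allow-list"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67 \
    comment="input: DNS and DHCP requests from the LAN"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="input: DNS over TCP from the LAN (add a rule per extra LAN-facing service, e.g. NTP)"
add chain=input action=drop \
    comment="input: drop everything else, WAN included"

# --- forward chain: traffic transiting the router ---
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="forward: FastTrack; must precede the accept below. Fasttracked packets skip later filter/mangle/queue rules"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="forward: accept established/related"
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    connection-nat-state=!dstnat \
    comment="forward: drop new WAN ingress that no dst-nat rule claimed"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="SOHO masquerade"
# Port-forward example for a hypothetical LAN server 192.168.88.20; uncomment to
# expose TCP/443. The forward-chain drop above lets it through because the
# connection is then in nat-state dstnat.
# add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 \
#     to-addresses=192.168.88.20 comment="dst-nat: HTTPS to internal server"

/ip service
# Keep only what is needed: telnet/ftp/api/api-ssl off, plain-HTTP Webfig off in
# favour of www-ssl, and the surviving admin services bound to the management host.
disable telnet,ftp,www,api,api-ssl
set ssh address=192.168.88.10/32
set winbox address=192.168.88.10/32
```

Two points worth checking after the paste: `/ip firewall filter print` should show the two chains in exactly this order, and a second Winbox or SSH session from the management host should still connect before you close the one you pasted from. Note that the LAN-side input rules here are stricter than MikroTik's default configuration, which accepts all traffic from the LAN interface list; if the router also serves NTP, a proxy or similar to the LAN, each such service needs its own accept rule above the final drop.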
Before you start
Get console access to your router before pasting any of these scripts. The Winbox/SSH hardening rules will lock out a remote management session if you are connecting from a source IP outside the allow-list, which is fixable with a serial console cable and painful without one. Also turn on Safe Mode before pasting (Ctrl+X in the terminal, or the Safe Mode button in Winbox): if the connection drops while Safe Mode is active, RouterOS reverts the changes made in that session.