Tuesday, 25 February 2020

Mikrotik firewall default config

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop   connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
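# No in-interface-list match: new SSH connections are accepted on any interface, WAN included,
# because this rule is evaluated before the drop rule below. Add in-interface-list=LAN to limit it to the LAN.
add chain=input action=accept connection-state=new dst-port=22 protocol=tcp comment="defconf: accept SSH"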
add chain=input action=drop   in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

add chain=forward action=accept comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add chain=forward action=accept comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add chain=forward action=fasttrack-connection comment="defconf: fasttrack" connection-state=established,related
add chain=forward action=accept comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add chain=forward action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=forward action=drop comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add chain=srcnat action=masquerade comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

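# Port-forward template: replace <WAN_port>, <LAN_address> and <LAN_port>.
# The forwarded connection is DSTNATed, so the "drop all from WAN not DSTNATed" forward rule does not match it.
add action=dst-nat chain=dstnat protocol=tcp in-interface-list=WAN dst-port=<WAN_port> to-addresses=<LAN_address> to-ports=<LAN_port>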
