Avantguard Computer & Security Systems

MikroTik Setup

Initial Firewall Rules

Connection State Rules (put these first)

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Accept established/related"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept connection-state=established,related comment="Forward established/related"
add chain=forward action=drop connection-state=invalid comment="Drop invalid forward"

Basic Input Rules

/ip firewall filter
add chain=input action=accept protocol=icmp comment="Accept ICMP"
add chain=input action=accept in-interface=bridge-local comment="Accept from LAN"
add chain=input action=drop in-interface=ether1-wan comment="Drop all from WAN"

Brute-Force Prevention

Each new SSH connection from an address moves that address one stage up the ladder below (stage1 -> stage2 -> stage3); the fourth new connection while the earlier stages are still within their one-minute timeouts lands the address in ssh-blacklist for ten days, and the first rule then drops it. Two caveats. The ladder counts new TCP connections, not failed logins, so an administrator who opens several sessions in quick succession is blacklisted too unless an earlier rule accepts their address. Rule order also matters: if these rules are simply appended after the input rules above, they sit below "Accept from LAN" and "Drop all from WAN" and never see a packet. Place them above the WAN drop rule (for example with place-before=), and if SSH is meant to be reachable from the WAN, add an accept rule for port 22 after the ladder.

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh-blacklist action=drop comment="Drop blacklisted SSH"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh-stage3 action=add-src-to-address-list address-list=ssh-blacklist address-list-timeout=10d comment="Stage 3 -> blacklist for 10 days"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh-stage2 action=add-src-to-address-list address-list=ssh-stage3 address-list-timeout=1m comment="Stage 2 -> stage 3"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh-stage1 action=add-src-to-address-list address-list=ssh-stage2 address-list-timeout=1m comment="Stage 1 -> stage 2"
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh-stage1 address-list-timeout=1m comment="Any new SSH connection -> stage 1"

Apply the same ladder to the Winbox port (8291) and to web management (80/443). Rather than three separate ladders, one rule set with dst-port=22,8291,80,443 and a shared blacklist is simpler and stricter: an address that probes any one management service is then blocked from all of them.
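As an added example (not configuration from the original page), the input chain below combines the state rules, the LAN accept, the brute-force ladder generalised to SSH, Winbox and the web UI, an admin safelist, and the final WAN drop in the order they must actually run. Interface names ether1-wan and bridge-local follow the page; the list names mgmt-stage1/2/3, mgmt-blacklist and admin-safelist and the address 192.0.2.10 are placeholders chosen here.

```routeros
# Added example, not the original page's rules. Paste into a RouterOS terminal
# on a router whose WAN is ether1-wan and whose LAN bridge is bridge-local.
# Placeholders: list names mgmt-* and admin-safelist, admin address 192.0.2.10.

# Addresses that must never be staged or blacklisted (placeholder address).
/ip firewall address-list
add list=admin-safelist address=192.0.2.10 comment="Remote admin (placeholder)"

/ip firewall filter
# 1. Connection tracking first: these match most packets and are cheapest.
add chain=input action=accept connection-state=established,related comment="Accept established/related"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept protocol=icmp comment="Accept ICMP"
add chain=input action=accept in-interface=bridge-local comment="Accept from LAN"

# 2. Safelisted admins are accepted before the ladder, so their repeated
#    logins can never blacklist them.
add chain=input action=accept protocol=tcp dst-port=22,8291 src-address-list=admin-safelist comment="Admin safelist -> SSH/Winbox"

# 3. The blacklist drop precedes the ladder; drop is terminating, so a
#    blacklisted host is not re-staged by the rules below.
add chain=input protocol=tcp dst-port=22,8291,80,443 src-address-list=mgmt-blacklist action=drop comment="Drop blacklisted management clients"

# 4. Staged ladder over all management ports. add-src-to-address-list is
#    non-terminating, so a packet falls through every stage rule it matches;
#    the 4th new connection within the 1m stage timeouts reaches stage3 -> blacklist.
#    This block must sit above the final WAN drop or it never sees a packet.
add chain=input protocol=tcp dst-port=22,8291,80,443 connection-state=new src-address-list=mgmt-stage3 action=add-src-to-address-list address-list=mgmt-blacklist address-list-timeout=10d comment="Stage 3 -> blacklist for 10 days"
add chain=input protocol=tcp dst-port=22,8291,80,443 connection-state=new src-address-list=mgmt-stage2 action=add-src-to-address-list address-list=mgmt-stage3 address-list-timeout=1m comment="Stage 2 -> stage 3"
add chain=input protocol=tcp dst-port=22,8291,80,443 connection-state=new src-address-list=mgmt-stage1 action=add-src-to-address-list address-list=mgmt-stage2 address-list-timeout=1m comment="Stage 1 -> stage 2"
add chain=input protocol=tcp dst-port=22,8291,80,443 connection-state=new action=add-src-to-address-list address-list=mgmt-stage1 address-list-timeout=1m comment="Any new management connection -> stage 1"

# 5. Only SSH and Winbox are reachable from the WAN, and only through the
#    ladder. Delete this rule if remote management is not needed. 80/443 are
#    never accepted from the WAN: a scanner that touches them is still staged
#    and, after enough probes, loses SSH/Winbox access as well.
add chain=input action=accept protocol=tcp dst-port=22,8291 in-interface=ether1-wan comment="Allow SSH/Winbox from WAN (ladder-protected)"
add chain=input action=drop in-interface=ether1-wan comment="Drop all from WAN (keep last)"

# Verify the order and see who has been staged or blacklisted.
/ip firewall filter print
/ip firewall address-list print where list=mgmt-blacklist
```

Before enabling the WAN accept in step 5, confirm from the admin address that a login works, then from a non-safelisted address that the fifth connection attempt within a minute is refused and the address appears in mgmt-blacklist; if you lock yourself out, the entry can be removed with /ip firewall address-list remove from a LAN-side session, which the "Accept from LAN" rule keeps open.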