
Basic router protection based on connection state and IP address type by using Firewall

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic

Create firewall filter rules to protect the router from incoming (input) connections:

/ip firewall filter
add chain=input comment="Accept established and related packets" connection-state=established,related
add chain=input comment="Accept all connections from local network" in-interface=ether2
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to router's IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which do not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=ether1 src-address-list=NotPublic

Create firewall filter rules to protect your local network from passing (forward) connections:

/ip firewall filter
add chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=ether2
add action=drop chain=forward comment="Drop all packets in local network which do not have local network address" in-interface=ether2 src-address=!192.168.3.0/24

Block specific domains by using scripts


#Script to add IP addresses for specific domains to address lists
{
  #Array of desired domain names
  :foreach iplist in=("youtube","facebook") do={
    {
      #Old entries are deleted
      /ip firewall address-list remove [find where list=$iplist]
      #Dummy variable to not get into an endless loop
      :global counter true
      #Check if IP addresses are not repeating themselves
      :while ($counter) do={
        #Resolve domain
        :local ip [:resolve ("www." . $iplist . ".com")]
        #Add IP to the address list of this domain if it does not already exist
        :if ([:len [/ip firewall address-list find where address=$ip]] = 0) do={
          /ip firewall address-list add address=$ip list=$iplist
        } else={
          #If IP already exists in the list then stop resolving this domain
          :set counter false
        }
      }
    }
    #If there is no firewall filter rule which blocks this specific domain then add it
    :if ([:len [/ip firewall filter find where chain=forward && dst-address-list=$iplist]] = 0) do={
      /ip firewall filter add chain=forward action=drop dst-address-list=$iplist place-before=0 \
        comment=("This rule blocks access to " . $iplist)
    }
  }
}
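The script above collects addresses by resolving the name until an answer repeats, and then adds a drop rule only if none exists for that list. The following Python is an added example that is not part of the original page; it emulates that loop against a constructed, offline resolver so the behaviour can be seen without a router: a rotating resolver yields every record, while a resolver that repeats an answer early ends the loop with a short list. The names `collect_addresses`, `build_address_lists`, `ensure_drop_rule`, `round_robin_resolver` and the sample records are all assumptions made for this example.

```python
from itertools import cycle
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], str]  # takes a hostname, returns one IPv4 address as a string


def collect_addresses(name: str, resolve: Resolver, max_queries: int = 50) -> List[str]:
    """Emulate the script's while loop: resolve the name again and again, keep each new
    answer, and stop at the first answer already in the list (the script's ':set counter false').
    max_queries is an added safety cap the RouterOS script does not have."""
    addresses: List[str] = []
    for _ in range(max_queries):
        ip = resolve(name)
        if ip in addresses:
            break
        addresses.append(ip)
    return addresses


def build_address_lists(labels: Iterable[str], resolve: Resolver) -> Dict[str, List[str]]:
    """One list per label, filled from www.<label>.com exactly as the script composes the name."""
    return {label: collect_addresses("www." + label + ".com", resolve) for label in labels}


def ensure_drop_rule(rules: List[dict], list_name: str) -> List[dict]:
    """Mirror the script's final check: add a forward/drop rule for the list only when no rule
    for that list exists yet, and put it at the top of the chain (place-before=0)."""
    exists = any(r["chain"] == "forward" and r.get("dst-address-list") == list_name for r in rules)
    if not exists:
        rules.insert(0, {"chain": "forward", "action": "drop", "dst-address-list": list_name,
                         "comment": "This rule blocks access to " + list_name})
    return rules


def round_robin_resolver(records: Dict[str, List[str]]) -> Resolver:
    """Constructed stand-in for DNS: hands out a name's A records one per query, in rotation."""
    rotation = {name: cycle(ips) for name, ips in records.items()}
    return lambda name: next(rotation[name])


# Constructed sample records (documentation ranges, not the real sites' records).
SAMPLE_RECORDS = {
    "www.youtube.com": ["198.51.100.10", "198.51.100.11", "198.51.100.12"],
    "www.facebook.com": ["203.0.113.20", "203.0.113.21"],
}
# Same kind of pool, but an answer repeats before every record has been shown,
# which is how a caching or non-rotating resolver looks to the script.
STICKY_RECORDS = {"www.youtube.com": ["198.51.100.10", "198.51.100.10", "198.51.100.11"]}

if __name__ == "__main__":
    lists = build_address_lists(["youtube", "facebook"], round_robin_resolver(SAMPLE_RECORDS))
    rules: List[dict] = []
    for label in lists:
        ensure_drop_rule(rules, label)
        ensure_drop_rule(rules, label)  # second call is a no-op, as in the script
    print(lists)
    print(rules)
    print(build_address_lists(["youtube"], round_robin_resolver(STICKY_RECORDS)))
```

The sticky case is the caveat to keep in mind when relying on the script: the loop ends at the first repeated answer, so any resolver that does not rotate through all records leaves part of the site's address space out of the list, and the address list is only as complete as the DNS answers the router happened to receive.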

Port forwarding on RouterOS

1) NAT from public IP to local address (redirect incoming connections on the public IP to the local host):

/ip firewall nat add chain=dstnat action=dst-nat in-interface=wan_interface dst-address=x.x.x.x to-addresses=y.y.y.y

2) NAT from local address back to public IP (change source address to public IP for replies):

/ip firewall nat add chain=srcnat action=masquerade out-interface=wan_interface

or

/ip firewall nat add chain=srcnat action=src-nat src-address=y.y.y.y to-addresses=x.x.x.x out-interface=wan_interface

3) In case firewall filters are used to drop some traffic, you must be sure that forward packets which belong to the NATted connection are accepted:

/ip firewall filter add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related

Protect local network against attacks from public internet

To protect your local subnet against attacks from the public internet, a very simple firewall filter rule can be used. This rule drops all packets which are destined to the local network but are not NATted. NATted connections are allowed because NAT is there for exactly this purpose: to allow/redirect access from the public internet to a local address. Example script which configures the router as explained above (written on RouterOS 6.34.3):

/ip firewall filter
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1
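Both the input and forward rule sets earlier on this page and the dst-nat rule repeated here are evaluated first match wins, so rule order and the chain's default decide what happens to a packet. The following Python is an added example, not part of the original page: it models the two chains as ordered matchers and runs constructed sample packets through them. The NotPublic list, the interface roles (ether1 towards the internet, ether2 towards the local network) and the 192.168.3.0/24 subnet are taken from the page; the router's own addresses (`ROUTER_LOCAL`), the sample source addresses and the helper names (`Packet`, `evaluate`, `src_type`, `in_list`) are assumptions. The rule that stops local hosts reaching NotPublic destinations is matched on the local interface ether2, as its comment describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The NotPublic address list exactly as the page defines it.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

WAN, LAN_IF = "ether1", "ether2"                  # interface roles used by the page's rules
LAN = ipaddress.ip_network("192.168.3.0/24")      # local subnet from the last forward rule
# Constructed: the router's own addresses, i.e. what dst-address-type=local matches.
ROUTER_LOCAL = {ipaddress.ip_address("192.168.3.1"), ipaddress.ip_address("203.0.113.1")}


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    conn_state: str                  # new | established | related | invalid
    nat_state: Optional[str] = None  # "dstnat" once a dst-nat rule has acted on the connection


def in_list(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def src_type(addr: str) -> str:
    """Simplified src-address-type: multicast, limited broadcast, otherwise unicast."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if addr == "255.255.255.255":
        return "broadcast"
    return "unicast"


Rule = Tuple[Callable[[Packet], bool], str, str]  # (matcher, action, rule comment)

INPUT_CHAIN: List[Rule] = [
    (lambda p: p.conn_state in ("established", "related"), "accept", "Accept established and related packets"),
    (lambda p: p.in_iface == LAN_IF, "accept", "Accept all connections from local network"),
    (lambda p: p.conn_state == "invalid", "drop", "Drop invalid packets"),
    (lambda p: ipaddress.ip_address(p.dst) not in ROUTER_LOCAL, "drop",
     "Drop all packets which are not destined to router's IP address"),
    (lambda p: src_type(p.src) != "unicast", "drop", "Drop all packets which do not have unicast source IP address"),
    (lambda p: p.in_iface == WAN and in_list(p.src, NOT_PUBLIC), "drop",
     "Drop all packets from public internet which should not exist in public network"),
]

FORWARD_CHAIN: List[Rule] = [
    (lambda p: p.conn_state in ("established", "related"), "accept", "Accept established and related packets"),
    (lambda p: p.conn_state == "invalid", "drop", "Drop invalid packets"),
    (lambda p: p.in_iface == WAN and p.conn_state == "new" and p.nat_state != "dstnat", "drop",
     "Drop new connections from internet which are not dst-natted"),
    (lambda p: p.in_iface == WAN and in_list(p.src, NOT_PUBLIC), "drop",
     "Drop all packets from public internet which should not exist in public network"),
    (lambda p: p.in_iface == LAN_IF and in_list(p.dst, NOT_PUBLIC), "drop",
     "Drop all packets from local network to internet which should not exist in public network"),
    (lambda p: p.in_iface == LAN_IF and ipaddress.ip_address(p.src) not in LAN, "drop",
     "Drop all packets in local network which do not have local network address"),
]


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides. A packet that matches nothing gets the RouterOS
    filter default for a chain, which is accept."""
    for match, action, comment in chain:
        if match(pkt):
            return action, comment
    return "accept", "(no rule matched: chain default accept)"


if __name__ == "__main__":
    # Constructed sample packets; 11.22.33.44 stands for any address outside NotPublic.
    samples = [
        ("input", Packet(WAN, "10.0.0.5", "203.0.113.1", "new")),                 # bogon source from internet
        ("input", Packet(WAN, "11.22.33.44", "255.255.255.255", "new")),          # broadcast, not the router's own address
        ("input", Packet(WAN, "11.22.33.44", "203.0.113.1", "new")),              # new connection to the router itself
        ("forward", Packet(WAN, "11.22.33.44", "192.168.3.50", "new")),           # no dst-nat: dropped
        ("forward", Packet(WAN, "11.22.33.44", "192.168.3.50", "new", "dstnat")), # port-forwarded connection
        ("forward", Packet(LAN_IF, "192.168.3.10", "10.0.0.1", "new")),           # LAN host to a NotPublic address
        ("forward", Packet(LAN_IF, "172.16.0.9", "11.22.33.44", "new")),          # source outside the LAN subnet
    ]
    for chain_name, pkt in samples:
        chain = INPUT_CHAIN if chain_name == "input" else FORWARD_CHAIN
        print(chain_name, pkt.in_iface, pkt.src, "->", pkt.dst, pkt.conn_state, evaluate(chain, pkt))
```

Two outcomes of the run are worth noticing because the rules alone do not spell them out. A new connection from the internet to the router's own address matches no input rule and falls through to the chain's default accept, so this input chain filters malformed and spoofed packets rather than restricting which router services are reachable from outside. In the forward chain, the port-forwarded packet passes only because the drop rule tests connection-nat-state, which is exactly why the port-forwarding section above requires an accept for dst-natted connections whenever additional drop rules are in place.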

Create static bindings for PPP interfaces


If you do not like that your PPP interfaces are dynamic, then on the PPP profile you can execute an on-up script which creates a static server binding for each client.

The example is made for PPPoE interfaces, but it can easily be adjusted for any other PPP interface type (written on RouterOS 6.34.3):

:if ([/interface pppoe-server print count-only where user=$user && !dynamic] = 0) do={
  :log info message=($user . " - is being added as static binding")
  /interface pppoe-server add name=$user user=$user service=service1
  /ppp active remove [find where name=$user]
}
