03 December 2011

Manipulating DNS Ping on Mikrotik

Ping is a way to check whether a network connection is up or not. With ping we can check the connection from a client to the gateway, from the gateway to the DNS server, and so on. Sometimes we or our clients use ping to keep pinging the DNS server continuously with ping xxx.xxx.xxx.xxx -t (xxx being the DNS IP). I had an interesting experience while on assignment in the Philippines a while ago. We were about to hold a video conference between the Philippines and Indonesia (SEAMOLEC, at the time). To check the public IP in Indonesia, I ran that ping -t. But what did the admin over there say? "It's not allowed to ping -t, our IP will be blocked by our provider!" Hmm, fair enough. Not long after, I could no longer ping the Indonesian public IP, and in the end the video conference failed. On investigation it turned out that the ping -t I had run was detected as FLOODING.
So I eventually applied this for my clients too, so that they would not be categorized as ping flooding. ping -t can still be run, but the time becomes 1ms (1 millisecond), whereas normally it is under 600ms, so the ping behaves just like a ping to a local IP. How can that be? Well, it just can. This can also be a trick for admins running Mikrotik to limit continuous pinging of the DNS server. So how is it done? Straight to the scene, then (but not the JW Marriott or the Ritz-Carlton, there's a bomb there, hahaha... never mind, nothing to do with it...).
[picture: the Mikrotik NAT rule for ping manipulation, not reproduced here]
Look at the picture above. In Dst. Address enter your DNS IP, and in To Address enter your Mikrotik's local IP; the rest stays the same. If you have 2-3 DNS IPs, just copy-paste the rule and change the DNS address.
Here is the resulting configuration and the ping afterwards:
[picture: ping output after the rule, not reproduced here]
Feel free to tinker with it.


Source: http://tamampapua.wordpress.com

02 December 2011

TABLE OF CONTENTS

01 December 2011

squid proxy

Here are a few suggestions you can try to speed up Squid. Please read my comments carefully and experiment a little. I guarantee your Squid will work faster, with a hit ratio that can exceed 50%. Other friends, please help out as well. Thanks, and don't be surprised if your Squid's performance jumps drastically, he he he... Hope this is useful.

## If there are a few nearby sites that may be only 1 hop away, just bypass them so that Squid really works only for the distant ones

hierarchy_stoplist cgi-bin ? localhost domain-anda.com isp-anda.com domainku.web.id
acl QUERY urlpath_regex cgi-bin \? localhost domain-anda.com isp-anda.com domainku.web.id
no_cache deny QUERY

## From experience 6 MB is faster; let Squid work harder

cache_mem 6 MB
cache_swap_low 98
cache_swap_high 99

## The maximum object size on disk and in memory is kept large so the byte hit rate is higher (it can be raised further if the disks are fast and numerous, with larger memory as well)

maximum_object_size 128 MB
maximum_object_size_in_memory 32 KB

## If memory is 512 MB or more, feel free to enlarge the cache

ipcache_size 2048
ipcache_low 98
ipcache_high 99

## For heap replacement I use LFUDA for the disk cache and GDSF for the memory cache, the reasoning being that on disk large objects are prioritized for storage and in memory small ones

cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

## Ideally the disk space you use is only about 70% of the total, because the fuller it gets the slower Squid is at finding free space, e.g. for a 1 GB cache only 700 MB is used (don't use the whole 1 GB). Don't forget, only 1 directory per drive, because the limiting factor is the spindle speed of the disk; adding more directories on 1 disk will not make it faster (disks are on the order of milliseconds, memory on the order of nanoseconds). So it is better to have many small disks than just 1 big one. Also, if the OS is Linux, use the Reiser filesystem (version 4 is the fastest) with the aufs access method. Diskd is optimal on FreeBSD but not on Linux. Don't forget to enable noatime and notail on that partition so there are no extra writes when writing or reading. The bottom line is that the disk is Squid's biggest bottleneck.
## suggestion: roughly 70% of 16GB

cache_dir aufs /cachez 12000 28 256

or (for about 4GB of space per disk)

cache_dir aufs /cachehardisk1 3000 8 256
cache_dir aufs /cachehardisk2 3000 8 256
cache_dir aufs /cachehardisk3 3000 8 256
cache_dir aufs /cachehardisk4 3000 8 256

or at minimum the following, so the modification is not too far off

cache_dir diskd /cachez 12000 28 256 Q1=72 Q2=88

## Log only vital info, and try to keep the log files on a separate disk so they don't affect the speed of the main cache directory

log_fqdn off
log_icp_queries off
cache_log none
cache_store_log none

## By 'cheating' and forcing things a bit so that object access is more intensive in the local Squid, and the retention time is extended before validation happens (e.g. validation every 3 hours with the longest object retention 3 months; for ftp it can be longer still)

refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod

## Remove the abort tolerance

quick_abort_min 0
quick_abort_max 0
quick_abort_pct 98

## Don't shut down and reconfigure Squid too quickly, because it can corrupt file integrity

shutdown_lifetime 10 seconds

## no need to reserve memory

memory_pools off

## Important for relations with siblings, measuring their response via ICP and ICMP (but some ISPs don't allow it)

icp_hit_stale on
query_icmp on

## Important for improving the refresh pattern further

reload_into_ims on
pipeline_prefetch on
vary_ignore_expire on

## Once again, Squid is needed to fetch distant things; nearby ones go direct

acl local-dst dst semuaalamatlokal semuaalamatipygdekat
acl local-domain dstdomain localhost domain-anda.com isp-anda.com domainku.web.id

always_direct allow localhost local-dst local-domain
always_direct deny all

## Not really needed

##ie_refresh on
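To see what the two refresh_pattern lines in the post above actually decide, here is an added example (not code from the original post): a Python re-implementation of Squid's documented freshness check (max, then min, then lm-factor), with the Expires header and the override-*/reload-into-ims options deliberately ignored as a simplifying assumption; the URLs and ages fed to it are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two refresh_pattern lines from the post (a constructed copy used as input).
SQUID_CONF = """
refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
"""


@dataclass
class RefreshRule:
    pattern: re.Pattern
    min_minutes: int
    percent: float          # 95% is stored as 0.95
    max_minutes: int
    options: List[str]


def parse_refresh_pattern(line: str) -> RefreshRule:
    """Parse 'refresh_pattern [-i] <regex> <min> <percent>% <max> [options...]'."""
    parts = line.split()
    if not parts or parts[0] != "refresh_pattern":
        raise ValueError("not a refresh_pattern directive: %r" % line)
    parts = parts[1:]
    flags = 0
    if parts[0] == "-i":
        flags, parts = re.IGNORECASE, parts[1:]
    regex, min_m, pct, max_m, *options = parts
    if not pct.endswith("%"):
        raise ValueError("percent must end with '%%': %r" % pct)
    return RefreshRule(re.compile(regex, flags), int(min_m),
                       int(pct[:-1]) / 100.0, int(max_m), options)


# Squid's built-in fallback when no configured pattern matches.
DEFAULT_RULE = parse_refresh_pattern("refresh_pattern . 0 20% 4320")


def load_rules(conf: str) -> List[RefreshRule]:
    return [parse_refresh_pattern(l) for l in conf.splitlines()
            if l.strip().startswith("refresh_pattern")]


def freshness(rule: RefreshRule, age: int, lm_age: Optional[int]) -> str:
    """Decide FRESH or STALE for one rule.

    age    = minutes since the object was stored in the cache
    lm_age = minutes between the origin's Last-Modified and the time of storage
             (None when the origin sent no Last-Modified header)
    Order of the checks follows the squid.conf documentation.
    """
    if age > rule.max_minutes:
        return "STALE"                 # older than max: always revalidate
    if age <= rule.min_minutes:
        return "FRESH"                 # younger than min: never revalidate
    if lm_age is not None and lm_age > 0:
        lm_factor = age / lm_age       # fraction of the object's known lifetime that has passed
        if lm_factor < rule.percent:
            return "FRESH"
    return "STALE"


def decide(rules: List[RefreshRule], url: str, age: int, lm_age: Optional[int]) -> str:
    """First matching refresh_pattern wins, as in Squid; otherwise the built-in default."""
    for rule in rules:
        if rule.pattern.search(url):
            return freshness(rule, age, lm_age)
    return freshness(DEFAULT_RULE, age, lm_age)


if __name__ == "__main__":
    rules = load_rules(SQUID_CONF)
    # '.' rule: min 180 min = 3 h, max 120960 min = 84 days (the "3 months" in the post)
    print(decide(rules, "http://example.com/index.html", 60, None))     # FRESH: age <= min
    print(decide(rules, "http://example.com/index.html", 360, 1440))    # FRESH: lm-factor 0.25 < 0.95
    print(decide(rules, "http://example.com/index.html", 360, 300))     # STALE: lm-factor 1.2
    print(decide(rules, "ftp://mirror.example.com/a.iso", 5000, None))  # FRESH: ftp min is 10080
```

The 95% figure is what makes this "cheating": an object whose known lifetime is a day is served from cache for almost a day without revalidation, so content that changes within that window is served stale.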

================================================================================================================

I'm trying a Squid proxy on fedora/redhat with the following configuration:

contents of squid.conf:

http_port 3128
icp_port 3130

tcp_outgoing_address 0.0.0.0
udp_incoming_address 0.0.0.0
udp_outgoing_address 0.0.0.0

cache_mem 16 MB
maximum_object_size 128 MB

cache_dir ufs /misc/squid/c1 7000 8 128
cache_dir ufs /misc/squid/c2 7000 8 128
cache_dir ufs /misc/squid/c3 7000 8 128

cache_access_log /var/log/squid/access.log

cache_log /dev/null
cache_store_log /dev/null

logfile_rotate 4
memory_pools_limit 8 MB
redirect_rewrites_host_header on
#replacement_policy GDSF
half_closed_clients on

request_header_max_size 128 KB
request_body_max_size 5 MB

dns_nameservers 192.168.0.200

quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
connect_timeout 120 seconds
peer_connect_timeout 30 seconds
#siteselect_timeout 4 seconds
read_timeout 15 minutes
request_timeout 5 minutes
client_lifetime 1 day

#----------- transparent proxy -----------
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#------------------------------------------

#Script to open/close access to sex sites
acl sex url_regex -i "/etc/squid/sex"
acl blok-website url_regex -i "/etc/squid/blok-website"

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

client_netmask 255.255.255.255

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.0/255.255.255.0
acl lan_ku src 192.168.0.0/255.255.255.0
acl images urlpath_regex -i \.gif$ \.png$ \.jpg$ \.jpeg$
acl Safe_ports port 80 21 443 563 70 210 8888 1025-9000 6661-7000
acl CONNECT method CONNECT

#http_access allow localhost CONNECT
#http_access allow internet CONNECT

#sex access closed
#--------------------
http_access deny sex
http_access deny blok-website


http_access allow CONNECT
http_access allow localhost
http_access allow all
http_access allow lan_ku
http_access allow Safe_ports

http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all


refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#---------------- administration info ------------
cache_mgr [EMAIL PROTECTED]
cache_effective_user squid
cache_effective_group squid
#log_icp_queries off
#cachemgr_passwd mypassword all
#forwarded_for off
#buffered_logs on
visible_hostname gw.net


and I put this in rc.local:

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/etc/rc.d/init.d/routerrh

then the contents of routerrh:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE -o eth0
iptables -A FORWARD -s 192.168.0.0/0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.0.200 -p tcp --dport 80 -j DNAT --to 192.168.0.200:3128

So what do you think, friends?
Why is the internet still not fast? My client has 150 computers.

regards..... waiting for your responses!!
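One thing worth flagging in the squid.conf above is the http_access order: Squid takes the first line whose ACLs all match, so "http_access allow all" on the fifth line admits any source before the deny lines are ever reached. The following evaluator, added here and not part of the original post, reproduces Squid's first-match logic over the posted order and over a reordered block; the two file-backed url_regex ACLs are replaced by constructed inline patterns so it runs offline.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# ACLs from the posted squid.conf; the file-backed ones use constructed patterns.
ACLS_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.0/255.255.255.0
acl lan_ku src 192.168.0.0/255.255.255.0
acl Safe_ports port 80 21 443 563 70 210 8888 1025-9000 6661-7000
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl sex url_regex -i badsite\\.example
acl blok-website url_regex -i blocked\\.example
"""

# http_access lines in exactly the order they were posted.
POSTED_ACCESS = """
http_access deny sex
http_access deny blok-website
http_access allow CONNECT
http_access allow localhost
http_access allow all
http_access allow lan_ku
http_access allow Safe_ports
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
"""

# Same ACLs reordered: port and CONNECT denies first, explicit allows, then deny all.
FIXED_ACCESS = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny sex
http_access deny blok-website
http_access allow localhost
http_access allow lan_ku
http_access deny all
"""

Request = Dict[str, object]          # keys: src, port, method, url
Matcher = Callable[[Request], bool]


def parse_acls(conf: str) -> Dict[str, Matcher]:
    """Build one matcher per ACL; only the ACL types used above are supported."""
    acls: Dict[str, Matcher] = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "acl":
            continue
        name, kind, args = parts[1], parts[2], parts[3:]
        if kind == "src":
            nets = [ipaddress.ip_network(a, strict=False) for a in args]
            acls[name] = lambda r, nets=nets: any(ipaddress.ip_address(r["src"]) in n for n in nets)
        elif kind == "port":
            ranges = [(int(a.split("-")[0]), int(a.split("-")[-1])) for a in args]
            acls[name] = lambda r, ranges=ranges: any(lo <= r["port"] <= hi for lo, hi in ranges)
        elif kind == "method":
            acls[name] = lambda r, methods=set(args): r["method"] in methods
        elif kind == "url_regex":
            flags = re.IGNORECASE if args[0] == "-i" else 0
            pats = [re.compile(p, flags) for p in (args[1:] if flags else args)]
            acls[name] = lambda r, pats=pats: any(p.search(r["url"]) for p in pats)
        else:
            raise ValueError("unsupported acl type: " + kind)
    return acls


def parse_access(conf: str) -> List[Tuple[str, List[str]]]:
    return [(p[1], p[2:]) for p in (l.split() for l in conf.splitlines())
            if len(p) >= 3 and p[0] == "http_access"]


def http_access(acls: Dict[str, Matcher], rules: List[Tuple[str, List[str]]], req: Request) -> str:
    """Squid semantics: the first line whose ACLs all match decides; a '!' negates an ACL;
    if no line matches, the opposite of the last line's action applies."""
    if not rules:
        return "deny"
    action = "deny"
    for action, names in rules:
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if action == "allow" else "allow"


def check(access_conf: str, req: Request) -> str:
    return http_access(parse_acls(ACLS_CONF), parse_access(access_conf), req)


if __name__ == "__main__":
    outsider = {"src": "203.0.113.5", "port": 80, "method": "GET", "url": "http://example.com/"}
    lan_ssh = {"src": "192.168.0.10", "port": 22, "method": "CONNECT", "url": "host.example:22"}
    print(check(POSTED_ACCESS, outsider))  # allow: any internet host can relay through the proxy
    print(check(POSTED_ACCESS, lan_ssh))   # allow: 'allow CONNECT' matches before the port checks
    print(check(FIXED_ACCESS, outsider))   # deny
    print(check(FIXED_ACCESS, lan_ssh))    # deny: 22 is not a Safe_port
```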


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
http://sahir.dozer.or.id/wp/2005/07/11/setting-router-warnet/


              |eth0
              |
          |-------|
          |  MGW  |
          |---|---|
              |
              |eth1
              |
 |---------------hub----------------|
 |                |                |
|---------|   |---------|   |---------|
|Client 01|   |Client 02|   |Client 03|
|---------|   |---------|   |---------|

The first thing to do is to set up the MGW (main gateway)
so that it can connect to the internet.
Before setting up:
1. Ask the ISP for a public IP, complete with its netmask, broadcast address and DNS,
for example:
RANGE : 202.159.121.0/29
IP : 202.159.121.2
GATEWAY : 202.159.121.1
Netmask : 255.255.255.248
broadcast : 202.159.121.7
DNS1 : 202.159.0.10
DNS2 : 202.159.0.20
which means we get 5 IPs, from 202.159.121.2 to 202.159.121.6

2. Decide which local IPs we will use for the clients

MGW IP settings:
1. [root@mgw cachak]$ vi /etc/sysconfig/network
then fill it with:

NETWORKING=yes
HOSTNAME=mgw.domain.com
GATEWAY=202.159.121.1

then save by pressing :wq

2. Configure the IP of eth0 (default)

[root@mgw root]$ vi /etc/sysconfig/network-scripts/ifcfg-eth0
then fill it with:

DEVICE=eth0
BOOTPROTO=static
IPADDR=202.159.121.2
BROADCAST=202.159.121.7
NETMASK=255.255.255.248
ONBOOT=yes
USERCTL=no

then save by pressing :wq

3. Set up DNS resolving

[root@mgw root]$ vi /etc/resolv.conf
then fill it with the nameservers from our ISP above:

nameserver 202.159.0.10
nameserver 202.159.0.20

then save by pressing :wq

4. Enable ip_forwarding

[root@mgw cachak]$ vi /etc/sysctl.conf

change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1,
or if net.ipv4.ip_forward = 0 is not there, add net.ipv4.ip_forward = 1

save by pressing :wq

5. restart the network
[root@mgw cachak]$ /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Disabling IPv4 packet forwarding: [ OK ]
Setting network parameters: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]

[root@www root]#chkconfig --level 2345 network on
[root@www root]#

6. test by pinging the default gateway 202.159.121.1

[root@mgw cachak]$ ping 202.159.121.1
PING 202.159.121.1 (202.159.121.1) 56(84) bytes of data.
64 bytes from 202.159.121.1: icmp_seq=1 ttl=63 time=0.356 ms
64 bytes from 202.159.121.1: icmp_seq=2 ttl=63 time=0.269 ms
64 bytes from 202.159.121.1: icmp_seq=3 ttl=63 time=0.267 ms
64 bytes from 202.159.121.1: icmp_seq=4 ttl=63 time=0.268 ms

--- 202.159.121.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.267/0.290/0.356/0.038 ms

7. test by pinging google.com to check the DNS
if you see:
PING google.com (216.239.39.99) 56(84) bytes of data.
then DNS on the mgw is already working, but if you see:
ping: unknown host google.com
then the DNS we entered in /etc/resolv.conf is still wrong,
please check again with the ISP :)

That's the IP setup for the mgw done :)
So that this mgw can also be used as a name server
by the clients, the bind daemon or
another nameserver daemon must be installed,
or if it's already there just start Bind

[root@www root]# /etc/init.d/named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[root@www root]#chkconfig --level 2345 named on
[root@www root]#

for example, the IPs towards the clients are:
192.168.0.1/24
IP : 192.168.0.1
netmask : 255.255.255.0
broadcast : 192.168.0.255
CLIENT IP RANGE : 192.168.0.2-192.168.0.254

IP settings for eth1 (the interface towards the clients)
1. give eth1 the IP 192.168.0.1
[root@mgw cachak]$ vi /etc/sysconfig/network-scripts/ifcfg-eth1
then fill it with:

DEVICE=eth1
BOOTPROTO=static
IPADDR=192.168.0.1
NETMASK=255.255.255.0
BROADCAST=192.168.0.255
ONBOOT=yes
USERCTL=no

then save by pressing :wq

2. Restart the network

[root@mgw root]$ /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down interface eth1: [ OK ]
Shutting down loopback interface: [ OK ]
Disabling IPv4 packet forwarding: [ OK ]
Setting network parameters: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface eth1: [ OK ]

3. Test by pinging the eth1 IP
[root@mgw cachak]$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=63 time=0.356 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=63 time=0.269 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=63 time=0.267 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=63 time=0.268 ms

--- 192.168.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.267/0.290/0.356/0.038 ms

Now set the client computers' IPs with the following parameters:

IP        : 192.168.0.2 – 192.168.0.254
GATEWAY        : 192.168.0.1
NETMASK        : 255.255.255.0
BROADCAST    : 192.168.0.255
NAMESERVER    : 192.168.0.1

e.g.:

Client01
===============================
IP        : 192.168.0.2
GATEWAY        : 192.168.0.1
NETMASK        : 255.255.255.0
BROADCAST    : 192.168.0.255
NAMESERVER    : 192.168.0.1

Client02
===============================
IP        : 192.168.0.3
GATEWAY        : 192.168.0.1
NETMASK        : 255.255.255.0
BROADCAST    : 192.168.0.255
NAMESERVER    : 192.168.0.1

and so on according to the number of clients; only the IP changes.
For Windows clients, set the IP
under Start Menu/Settings/Control Panel/Network

After setting the client IP, try pinging 192.168.0.1
from the client; if it succeeds, the client and the MGW are connected.

Set up the MGW so that clients can reach the internet using NAT

1. Stop iptables

[root@mgw root]# /etc/init.d/iptables stop
Flushing all chains: [ OK ]
Removing user defined chains: [ OK ]
Resetting built-in chains to the default ACCEPT policy: [ OK ]
[root@mgw root]#

2. Add an iptables Source NAT rule matching the IP on eth0
[root@mgw root]# /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to-source 202.159.121.2
[root@mgw root]# /sbin/iptables-save > /etc/sysconfig/iptables
[root@mgw root]# /etc/init.d/iptables restart
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying iptables firewall rules: [ OK ]
[root@mgw root]# iptables-save

That's SNAT done. The SNAT here is very basic and has no protection.
To test it, browse from a client and open google.com;
if it works, we have succeeded.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hello Linuxers...

I built a proxy using Squid version 2.5.STABLE2. It already runs successfully. Thanks to Mas Hanny Wijaya (hanny@rsds.or.id) *****)

The only problem is with the ISP: they say my broadcast is too large, causing flooding on the network and making the ping to the ISP reach over 6000ms. (Oh, and my connection to the ISP is wireless.)

The packets being sent are ICMP (Internet Control Message Protocol), which if I'm not mistaken is a kind of ping.

Here is my configuration:

#-----------------------------------------------------------------
#NETWORK OPTIONS

#-----------------------------------------------------------------
#NEIGHBOR SELECTION ALGORITHM

cache_peer rtp.us.ircache.net parent 3128 3130 login=xxx@xxx.com:xxxx
cache_peer sd.us.ircache.net sibling 3128 4827 login=xxx@xxx.com:xxxx
cache_peer pb.us.ircache.net sibling 3128 0 no-query default login=xxx@xxx.com:xxxx

icp_query_timeout 0
maximum_icp_query_timeout 2000
dead_peer_timeout 10 seconds

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

#-----------------------------------------------------------------
#CACHE SIZE

cache_mem 256 MB
cache_swap_low 80
cache_swap_high 95
memory_replacement_policy lru

#-----------------------------------------------------------------
#LOGFILE PATHNAMES AND CACHE DIRECTORIES

cache_dir diskd /usr/local/squid/var/logs 4000 16 256 Q1=64 Q2=72

#-----------------------------------------------------------------
#EXTERNAL SUPPORT PROGRAMS

#Banner Blocker :
redirect_program /usr/local/squid/bannerfilter-1.21/redirector.pl

#-----------------------------------------------------------------
#TUNING THE CACHE

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#-----------------------------------------------------------------
#TIMEOUTS

#-----------------------------------------------------------------
#ACCESS CONTROLS

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# IIX network :

acl IIX dst_as 7597 7713 4795 4622 4787 4800

acl AA src 192.168.1.0/27
acl BB src 192.168.2.0/28

acl free_network url_regex -i 192.168.
acl 4user_only browser -i opera
acl 60user_only src 192.168.1.0/255.255.255.224

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow manager localhost
http_access allow localhost
http_access deny manager

http_access allow AA
http_access allow BB
http_access deny all

http_reply_access allow all

icp_access deny all

#-----------------------------------------------------------------
#OWN RULES TO ALLOW ACCESS FROM CLIENTS

#-----------------------------------------------------------------
#ADMINISTRATIVE PARAMETERS

cache_effective_user squid
cache_effective_group squid

visible_hostname xxxx–

#-----------------------------------------------------------------
#CACHE REGISTRATION SERVICE

#-----------------------------------------------------------------
#HTTPD ACCELERATOR

#-----------------------------------------------------------------
#MISCELLANEOUS

always_direct allow IIX

#-----------------------------------------------------------------
#DELAY POOLS PARAMETERS

delay_pools 3

#pool no1 unlimited bandwidth
delay_class 1 3
delay_access 1 allow free_network
delay_parameters 1 -1/-1 -1/-1 -1/-1
delay_access 1 deny all

#pool no2 limit bandwidth to 4kbits per second
delay_class 2 3
delay_access 2 allow 4user_only
delay_parameters 2 500/500 500/500 500/500
delay_access 2 deny all

#pool no3 limit bandwidth to 60kbits per second
delay_class 3 3
delay_access 3 allow 60user_only
delay_parameters 3 7500/7500 7500/7500 7500/7500
delay_access 3 deny all

#-----------------------------------------------------------------
# TO ADD LATER :

#Porn Filter :
#acl porn url_regex "/usr/local/squid/etc/porn.txt"
#http_access deny porn


What could be wrong?
Please help..

THANKS A LOT !!


==============================================================================================================

Huh, why suddenly eth1? By the way, how many NICs are in the PC?
Which IPs is sshd listening on?
Try pasting the output of ip addr sh

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

By the way, which distro is this?
Here is an example of a simple firewall script (allow all in/out) that suits machines running a Red Hat-derived distro.
(the only reason being that some programs have different output/paths on other distros)
Note: here I use iptables version 1.3.8 and a kernel that can load the iptables modules automatically

There are 3 files used here. They are interfaces, firewall, and firewallku as the iptables script file itself.

In this script, you only edit the interfaces file. In that file you only specify which interface is used towards the internet and which one towards the LAN. The remaining parameters are taken from the firewall file.
Make sure you have the programs sed, awk, ip (from the iproute2 package) and the ipcalc from Red Hat or its derivatives.
(because there is a difference between the output of the Red Hat ipcalc and the Debian ipcalc, so a small modification is needed if you want to apply this on Debian machines)

For the interfaces file, the contents are as follows: (this file is later placed in /etc/default/)
NETnic=ppp0
LANnic=eth1


For the firewall file, the contents are roughly like this: (this file is also placed in /etc/default/)

# path to the iptables executable, can also be filled in manually
IPT=$(type -P iptables)

NETIP=$(ifconfig $NETnic |grep -w inet |cut -f2 -d":" |cut -f1 -d" ")
LANIP=$(ifconfig $LANnic |grep -w inet |cut -f2 -d":" |cut -f1 -d" ")

NETW=$(ipcalc -n $(ip addr sh $LANnic |grep -w inet |awk '{print $2}') |cut -f2 -d"=")
PREF=$(ipcalc -p $(ip addr sh $LANnic |grep -w inet |awk '{print $2}') |cut -f2 -d"=")
LAN=$NETW/$PREF

basic-tables(){
$IPT -F && $IPT -X && $IPT -t nat -F && $IPT -t nat -X && $IPT -t mangle -F && $IPT -t mangle -X
$IPT -I INPUT -i lo -s 0/0 -j ACCEPT && $IPT -I OUTPUT -o lo -d 0/0 -j ACCEPT
}

base_policy(){
local policy=$1
for base_policy in INPUT OUTPUT FORWARD; do $IPT -P $base_policy $policy; done
}

nat_policy(){
local policy=$1
for nat_policy in PREROUTING POSTROUTING OUTPUT; do $IPT -t nat -P $nat_policy $policy; done
}

mangle_policy(){
local policy=$1
for mangle_policy in PREROUTING OUTPUT; do $IPT -t mangle -P $mangle_policy $policy; done
}



The contents of the iptables script file firewallku are as follows: (don't forget to make it executable, chmod u+x)

#!/bin/bash
. /etc/default/interfaces && . /etc/default/firewall
# first clean up the previous rules, then set the default policy for the filter, nat and mangle tables
basic-tables && base_policy ACCEPT && nat_policy ACCEPT && mangle_policy ACCEPT
$IPT -t nat -A POSTROUTING -o $NETnic -s $LAN -j SNAT --to $NETIP
$IPT -A OUTPUT -o $NETnic -s $NETIP -d 0/0 -j ACCEPT
$IPT -A INPUT -i $NETnic -s 0/0 -d $NETIP -j ACCEPT
$IPT -A FORWARD -i $LANnic -o $NETnic -s $LAN -d 0/0 -j ACCEPT
$IPT -A FORWARD -i $NETnic -o $LANnic -s 0/0 -d $LAN -j ACCEPT
$IPT -A INPUT -i $LANnic -s $LAN -d $LANIP -j ACCEPT
$IPT -A OUTPUT -o $LANnic -s $LANIP -d $LAN -j ACCEPT

=================================================================================================================

I'm using Fedora Core 5, with kernel 2.6.16-1.2111_FC5

The script you gave works... and I also have another iptables script; this one runs fine, here it is:

#!/bin/bash

# Variable declarations
LOKAL="10.1.1.0/24"
BEBAS="0.0.0.0/0"

# Interfaces
MASUK="eth1"
KELUAR="eth0"
# load the iptables modules
/sbin/modprobe ip_tables
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT

case "$1" in
start)
echo "Menjalankan FIREWALL..."
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -X -t nat
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Transparent proxy
/sbin/iptables -t nat -A PREROUTING -i $MASUK -p tcp -s $LOKAL --dport 80 -j REDIRECT --to-port 8080

# NAT
/sbin/iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o $KELUAR -j SNAT --to-source 192.168.1.109

# Block packets from outside the network from reaching file shares
/sbin/iptables -A FORWARD -i $KELUAR -p tcp -s 0/0 --dport 137:139 -j REJECT --reject-with icmp-host-unreachable
/sbin/iptables -A FORWARD -i $KELUAR -p udp -s 0/0 --sport 137:139 -j REJECT --reject-with icmp-host-unreachable
/sbin/iptables -A FORWARD -i $KELUAR -p tcp -s 0/0 --dport 445 -j REJECT --reject-with icmp-host-unreachable
/sbin/iptables -A FORWARD -i $KELUAR -p udp -s 0/0 --sport 445 -j REJECT --reject-with icmp-host-unreachable
/sbin/iptables -A INPUT -i $KELUAR -s 10.1.1.0/24 -p all -j REJECT --reject-with icmp-host-unreachable
/sbin/iptables -A INPUT -i $KELUAR -s $BEBAS -p tcp --dport 22 -j REJECT --reject-with icmp-host-unreachable
/sbin/iptables -A FORWARD -i $MASUK -s $LOKAL -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT

# Block P2P
/sbin/iptables -A FORWARD -m ipp2p --kazaa --bit --gnu -j DROP
/sbin/iptables -A FORWARD -p tcp -m ipp2p --bit -j DROP
/sbin/iptables -A FORWARD -p udp -m ipp2p --bit -j DROP
/sbin/iptables -A FORWARD -p tcp -m ipp2p --gnu -j DROP
/sbin/iptables -A FORWARD -p udp -m ipp2p --gnu -j DROP
/sbin/iptables -A FORWARD -p tcp -m ipp2p --kazaa -j DROP
/sbin/iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP

sleep 2
echo
;;
stop)
echo "Mematikan FIREWALL..."
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -X -t nat
echo "Firewall OFF... [OK]"
echo
;;
restart)
echo "Merestart FIREWALL..."
$0 stop
sleep 3
$0 start
echo
;;
esac


What confuses me is why the other script doesn't work, even though I've set every chain's policy to ACCEPT

===================================================================================================================

Here is the iptables-save output from your first script, which I edited a little :D
Try loading it with iptables-restore.

## mangle table
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j ACCEPT
-A POSTROUTING -j ACCEPT
COMMIT
#
## filter table
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LAN_INTERNET - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 137:139 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -j LAN_INTERNET
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A LAN_INTERNET -s 10.1.1.0/255.255.255.0 -i eth1 -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -d 10.1.1.0/255.255.255.0 -i eth0 -o eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -s 10.1.1.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -d 10.1.1.0/255.255.255.0 -i eth0 -o eth1 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -s 10.1.1.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -d 10.1.1.0/255.255.255.0 -i eth0 -o eth1 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -s 10.1.1.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m tcp --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -s 10.1.1.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -d 10.1.1.0/255.255.255.0 -i eth0 -o eth1 -p tcp -m tcp --sport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -s 10.1.1.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m tcp --dport 143 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -d 10.1.1.0/255.255.255.0 -i eth0 -o eth1 -p tcp -m tcp --sport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -s 10.1.1.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m tcp --dport 5050 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -d 10.1.1.0/255.255.255.0 -i eth0 -o eth1 -p tcp -m tcp --sport 5050 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LAN_INTERNET -j RETURN
COMMIT
#
## nat table
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.1.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.1.109
COMMIT
#



ADDITION
#iptables -t nat -A POSTROUTING -s ip_lokal_anda/24 -o eth1 -p tcp -m tcp --dport 5050 -j SNAT --to-source ip_internet_anda

# id squid ==> does it exist?
if not:
# groupadd squid
# useradd -g squid squid

# vi /etc/squid.conf

cache_effective_user squid
cache_effective_group squid <== is it already like this?

change the permissions
# chown -R squid:squid /pathkesquid

change the permissions of the cache partition as well
# chown -R squid:squid /usr/local/cache

if the partition is separate, mount it first

# /pathkesquid/squid -z ( creates the swap directories )
# /pathkesquid/squid

# netstat -nlp | grep squid <=== what is the result?

by the way, it's more flexible to install squid from the tarball



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


# WELCOME TO SQUID 2.6.STABLE12
# ----------------------------

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

http_port 8080
http_port 3128

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

maximum_object_size 256 KB

cache_replacement_policy lru
memory_replacement_policy lru

cache_dir diskd /cache/cache1 10000 46 256
cache_dir diskd /cache/cache2 10000 46 256

access_log /cache1/access.log squid
cache_log /cache1/cache.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
cache_store_log none

log_mime_hdrs off

diskd_program /usr/libexec/diskd-daemon

##refresh Pattern -------
############################################################################
refresh_pattern -i \.gif$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.jpg$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.jpeg$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.png$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.bmp$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.swf$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.co$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.GIF$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.JPG$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.JPEG$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.PNG$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.BMP$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.avi$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.cab$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.mov$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.mp3$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.mpg$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.mpeg$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.aif$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.ra$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.rm$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.zip$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.rar$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.arj$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.tgz$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.exe$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.rpm$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.ace$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.tar\.gz$ 20160 100% 40320 override-lastmod
refresh_pattern -i \.z$ 20160 100% 40320 override-lastmod
refresh_pattern -i \.cue$ 20160 100% 40320 override-lastmod
refresh_pattern -i \.msi$ 20160 100% 40320 override-lastmod
refresh_pattern -i \.wsz$ 20160 100% 40320 override-lastmod
refresh_pattern -i \.js$ 20160 100% 40320 override-lastmod
refresh_pattern -i \.swf$ 20160 100% 40320 override-lastmod
refresh_pattern -i \.txt$ 20160 100% 40320 override-lastmod
refresh_pattern -i \.exe$ 20160 100% 40320 override-lastmod
# ----- Refresh patterns for ads
refresh_pattern -i .*banner.* 20160 100% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i .*ads.* 20160 100% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i .*advert.* 20160 100% 43200 override-expire
refresh_pattern -i .*popups.* 20160 100% 43200 override-expire
refresh_pattern -i .*iklan.* 20160 100% 43200 override-expire
refresh_pattern -i .*art.* 20160 100% 43200 override-expire
refresh_pattern -i .*advertising\.com.* 20160 100% 43200 override-expire
refresh_pattern -i ^http://.*\.doubleclick\.net 10080 300% 40320 override-expire override-lastmod override-expire ignore-reload
refresh_pattern -i .*doubleclick\.net.* 20160 100% 43200 override-expire
refresh_pattern -i .*atwola\.com.* 20160 100% 43200 override-expire
refresh_pattern -i .*qksrv\.net.* 20160 100% 43200 override-expire
refresh_pattern -i .*burstnet\.com.* 20160 100% 43200 override-expire
refresh_pattern -i .*ad-images.* 20160 100% 43200 reload-into-ims override-expire override-lastmod
refresh_pattern -i .*yimg\.com/* 20160 100% 43200 override-expire
refresh_pattern -i .*img.* 20160 100% 43200 override-expire
refresh_pattern -i .*images.* 20160 100% 43200 override-expire
refresh_pattern -i .*photo.* 20160 100% 43200 override-expire
refresh_pattern -i .*advertising\.com.* 20160 100% 43200 override-expire
refresh_pattern -i .*static.* 20160 100% 43200 override-expire
refresh_pattern -i .*\.com\.com.* 20160 100% 43200 override-expire
refresh_pattern -i .*akamai\.net.* 10080 100% 20160 override-expire

# ------ Refresh patterns for news sites -----------
refresh_pattern ^http://.*\.cnn\.com 360 50% 4320 override-lastmod override-expire ignore-reload
refresh_pattern ^http://news\.bbc\.co\.uk 360 50% 4320 override-lastmod override-expire ignore-reload
refresh_pattern ^http://.*\.ananova\.com 360 50% 4320 override-lastmod override-expire ignore-reload
refresh_pattern ^http://.*\.reuters\.com 360 50% 4320 override-lastmod override-expire ignore-reload
refresh_pattern ^http://.*\.astaga\.com 360 50% 4320 override-lastmod override-expire ignore-reload
refresh_pattern ^http://.*detik\.com.* 360 50% 4320 override-lastmod override-expire ignore-reload

# Inefficient sites
refresh_pattern microsoft 1080 150% 10080 override-expire override-lastmod override-expire
refresh_pattern msn\.com 4320 150% 10080 override-expire override-lastmod override-expire
refresh_pattern -i .*detik\.com.* 360 100% 10080 override-lastmod

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern .jpg 10000 30% 24000
refresh_pattern .png 10000 30% 24000
refresh_pattern . 0 20% 4320

quick_abort_min 16 KB
quick_abort_max 128 KB
quick_abort_pct 85
read_ahead_gap 16 KB
negative_ttl 5 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute
range_offset_limit 4096 KB

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localmachine src xxx.xxx.xxx.0/24
acl localbackup src xxx.xxx.xxx.xxx/29
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl post method POST

http_access allow manager localmachine localhost localbackup
http_access deny manager

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl ip_client src xxx.xxx.xxx.0/24
http_access allow ip_client

acl ip_backup src xxx.xxx.xxx.xxx/29
http_access allow ip_backup

http_access allow localhost
http_access deny all

http_reply_access allow all

never_direct allow all

cache_effective_user squid
cache_effective_group squid

cache_mgr servas@servas-on.net
visible_hostname proxy.servas-on.net

forwarded_for on
log_icp_queries on
icp_hit_stale off
query_icmp off

coredump_dir /var/spool/squid

client_persistent_connections on
server_persistent_connections on
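Squid walks its refresh_pattern list from top to bottom and applies the first rule whose regex matches the URL, so in a long list like the one above a rule whose regex repeats an earlier one, or whose directive is misspelt, silently never takes effect (for example `\.exe$` and `\.swf$` each appear above with two different lifetimes, and only the first is ever used). The linter below is an added example written for this page; it is not Squid code and not the page's own configuration. SAMPLE_CONF is a constructed excerpt in the same style, KNOWN_OPTIONS lists the refresh_pattern options I know Squid 2.6 accepts, and Python's `re` is assumed to be close enough to Squid's POSIX regex dialect for patterns of this shape.

```python
"""Linter for squid.conf refresh_pattern lines (added example, not Squid code).

Squid applies the FIRST refresh_pattern whose regex matches a URL, so a rule that
repeats an earlier regex, or a line with a misspelt directive, does nothing.
SAMPLE_CONF is a constructed excerpt in the style of the page's config.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# refresh_pattern options accepted by Squid 2.6 (assumption: this is the full set we care about)
KNOWN_OPTIONS = {"override-expire", "override-lastmod", "reload-into-ims",
                 "ignore-reload", "ignore-no-cache", "ignore-private", "ignore-auth"}

SAMPLE_CONF = r"""
refresh_pattern -i \.gif$ 10080 88% 80640 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.exe$ 20160 100% 40320 reload-into-ims override-expire override-lastmod
refresh_pattern -i \.tar\.gz$ 20160 100% 40320 override-lastmod
refresh_pattern -i \.tar\.gz$ 20160 100% 40320 override-lastmod
refresh_pattern -i \.exe$ 20160 100% 40320 override-lastmod
efresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320
""".lstrip("\n")


@dataclass
class RefreshRule:
    line_no: int
    regex: "re.Pattern"
    min_minutes: int
    percent: int
    max_minutes: int
    options: Tuple[str, ...]


def parse_refresh_patterns(conf: str) -> Tuple[List[RefreshRule], List[str]]:
    """Return (rules, problems). Lines that are not refresh_pattern are skipped,
    except directives that look like a misspelling of it, which are reported."""
    rules: List[RefreshRule] = []
    problems: List[str] = []
    for line_no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0]
        if directive != "refresh_pattern":
            if "fresh_pattern" in directive:
                problems.append(f"line {line_no}: unknown directive '{directive}' (typo for refresh_pattern?)")
            continue
        rest = tokens[1:]
        flags = 0
        if rest and rest[0] == "-i":          # -i makes the regex case-insensitive
            flags = re.IGNORECASE
            rest = rest[1:]
        if len(rest) < 4 or not rest[2].endswith("%"):
            problems.append(f"line {line_no}: malformed refresh_pattern")
            continue
        pattern, min_m, pct, max_m, *opts = rest
        try:
            regex = re.compile(pattern, flags)
        except re.error as exc:
            problems.append(f"line {line_no}: bad regex {pattern!r}: {exc}")
            continue
        for opt in opts:
            if opt not in KNOWN_OPTIONS:
                problems.append(f"line {line_no}: unknown option '{opt}'")
        if int(min_m) > int(max_m):
            problems.append(f"line {line_no}: min {min_m} exceeds max {max_m}")
        rules.append(RefreshRule(line_no, regex, int(min_m), int(pct.rstrip("%")), int(max_m), tuple(opts)))
    return rules, problems


def shadowed_rules(rules: List[RefreshRule]) -> List[Tuple[int, int]]:
    """(line, earlier_line) pairs: the rule on `line` repeats an earlier regex and can never fire."""
    seen = {}
    out = []
    for r in rules:
        key = (r.regex.pattern, bool(r.regex.flags & re.IGNORECASE))
        if key in seen:
            out.append((r.line_no, seen[key]))
        else:
            seen[key] = r.line_no
    return out


def first_match(rules: List[RefreshRule], url: str) -> Optional[int]:
    """Line number of the rule Squid would apply to `url` (first regex match wins)."""
    for r in rules:
        if r.regex.search(url):
            return r.line_no
    return None


if __name__ == "__main__":
    rules, problems = parse_refresh_patterns(SAMPLE_CONF)
    for p in problems:
        print(p)
    for line, earlier in shadowed_rules(rules):
        print(f"line {line}: never reached, same regex as line {earlier}")
    for url in ("http://example.test/setup.exe", "http://example.test/index.html"):
        print(url, "-> rule on line", first_match(rules, url))
```

Run it against a real squid.conf by passing the file's contents to `parse_refresh_patterns`; a rule it reports as shadowed can be deleted, and `first_match` answers the question "which lifetime does this URL actually get" without having to reason about the whole list by hand.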

Tutorial Mikrotik Load Balancing full

Initial concept:



In some regions this kind of internet setup is the most economical and adequate one, because other kinds of internet connection are simply not an option there: the operational cost would be far too high.

So what is the solution? Can we use several lines to support our internet life? Yes, but they have to be combined.

Example of a topology that is not combined:



This is an example of a topology that is not combined. This company has 3 internet connections through 3 different modems, but they are kept separate, as if there were 3 different internet gateways. With a topology like this the internet load is not combined.

A setup like this does not really qualify as load balancing.

Load Balancing
Load balancing topology:



With the topology above, what is called load balancing takes place. This site will use 3 internet connections (from the same ISP or from different ones), and of the same or of different connection types (wireless, ADSL, dial-up).

And every client on the network has a single gateway, and that gateway decides which ISP a packet leaves through.

Load balancing concept (on MikroTik)

1. A data packet enters from a network interface

2. The packet is given a separating tag (mangle). For example, split into 3 groups:
• packet 1 goes into group 1,
• packet 2 goes into group 2,
• packet 3 goes into group 3,
• packet 4 goes into group 1,
• packet 5 goes into group 2,
• packet 6 goes into group 3,
• and so on

3. After the packets are separated, we set up the NAT:
a. group 1 leaves through interface 1,
b. group 2 leaves through interface 2,
c. group 3 leaves through interface 3.

4. The same applies to the routing.
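The round-robin split in step 2 is done in RouterOS by the `nth` matcher on the mark-connection rules, and it only works because those rules use passthrough=yes (as the configuration below requires). The model that follows is an added example written for this tutorial, not MikroTik code and not the tutorial's own configuration. It assumes the two-value nth=every,packet form of RouterOS v3 and later, in which every rule has its own counter that advances once for each packet that reaches the rule and matches when the counter equals `packet`; the older three-value every,counter,packet form is not modelled. The rule and mark names are the tutorial's (conn_1 .. conn_3).

```python
"""Model of how RouterOS 'nth' mangle rules spread new connections over groups.

Added example, not MikroTik code.  Assumes the nth=every,packet semantics of
RouterOS v3+: a per-rule counter that advances once per packet reaching the
rule and matches when it equals 'packet' (1..every).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NthRule:
    every: int            # nth "every": the counter wraps after this many packets
    packet: int           # nth "packet": match when the counter equals this (1..every)
    mark: str             # new-connection-mark applied on match (conn_1, conn_2, ...)
    passthrough: bool     # True: later rules still see this packet after a match
    counter: int = 0      # per-rule counter, as in RouterOS v3 and later

    def examine(self) -> bool:
        """Advance this rule's counter for one packet and report whether it matches."""
        self.counter = self.counter % self.every + 1
        return self.counter == self.packet


def mark_connections(rules: List[NthRule], new_connections: int) -> List[Optional[str]]:
    """Send the first packet of `new_connections` connections (connection-state=new)
    through the chain and return the mark each connection ends up with (None = unmarked)."""
    for rule in rules:
        rule.counter = 0
    marks: List[Optional[str]] = []
    for _ in range(new_connections):
        mark: Optional[str] = None
        for rule in rules:
            if rule.examine():
                mark = rule.mark          # mark-connection: the latest match sets the mark
                if not rule.passthrough:
                    break                 # packet leaves the chain; later rules never see it
        marks.append(mark)
    return marks


def distribution(marks: List[Optional[str]]) -> Dict[Optional[str], int]:
    """Count how many connections landed in each group."""
    return dict(Counter(marks))


def three_line_chain(passthrough: bool) -> List[NthRule]:
    """The tutorial's three mark-connection rules: nth=3,1 / 3,2 / 3,3."""
    return [NthRule(3, n, f"conn_{n}", passthrough) for n in (1, 2, 3)]


if __name__ == "__main__":
    print("passthrough=yes:", mark_connections(three_line_chain(True), 6))
    print("passthrough=no: ", mark_connections(three_line_chain(False), 6))
```

With passthrough=yes every rule's counter advances in lockstep and the marks come out conn_1, conn_2, conn_3, conn_1, ... exactly as the list above describes. With passthrough=no a matched packet never reaches the later rules, their counters drift apart, and some new connections end up with no mark at all (and therefore no routing mark, so they follow the default route).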



Load Balancing Configuration
Complete topology:




Preparation
1. Configure the modems with the management IPs shown in the topology
• Green modem : 192.168.10.2 / 24
• Blue modem : 192.168.20.2 / 24
• Red modem : 192.168.30.2 / 24
2. Configure the PC workstations on the network with the following IPs:
• IP : 192.168.1.x (x from 2 to 254, because 1 is the gateway)
• Netmask : 255.255.255.0
• Gateway : 192.168.1.1

Set IP Address Interface Mikrotik (IP > Address)
3. Configure the MikroTik IP addresses as follows:
Ether1 : 192.168.1.1 /24
Ether2 : 192.168.10.1/24 (interface to the green modem)
Ether3 : 192.168.20.1/24 (interface to the blue modem)
Ether4 : 192.168.30.1/24 (interface to the red modem)



Note :
After configuring the IP addresses on the MikroTik, re-check the connectivity between the modems and the MikroTik.
ping 192.168.10.2
ping 192.168.20.2
ping 192.168.30.2

Mangling (IP > Firewall > Mangle)

Mangle is the separation step. During mangling nothing in the packet or data we send is actually changed; the packet is only given a mark.

Connection Mark
First we do the connection mark.
1. General
• Add chain : prerouting
• In Interface : Eth 1 (local network interface)
• Connection State : new



2. Extra - nth
• Nth
a. Every : 3
b. Packet : 1



Note :
This Nth part decides whether a packet goes into group 1, group 2 or group 3. For 3 lines, 3 rules will be created with Nth 3,1, 3,2 and 3,3 (Every 3, Packet 1, 2 and 3).


3. Action
• Action : mark connection
• New Connection mark : conn_1
• Passthrough : yes



Note :
Here we name our connections. conn_1 is the first connection, conn_2 the second, and conn_3 the third.


Note :
Do this connection marking 3 times, with Nth 3,1, 3,2 and 3,3 and the names conn_1, conn_2 and conn_3.


Route Mark
4. General
• Add chain : prerouting
• In Interface : Eth 1 (local network interface)
• Connection mark : conn_1




5. Action
• Action : mark routing
• New Routing mark : route_1
• Passthrough : no



Note :
Here we name our routes. route_1 is the first route, route_2 the second, and route_3 the third.


Note :
Do this routing marking 3 times, once each for conn_1, conn_2 and conn_3, with the names route_1, route_2 and route_3.



NAT (IP > Firewall > NAT)


NAT, Network Address Translation, is a process that rewrites addressing. There are several kinds of NAT; the one used in this step is src-nat (source NAT).

Src-nat rewrites the source part of a packet.

1. General
• Chain : src nat
• In Interface : Eth 1 (local network interface)
• Connection mark : conn_1



2. Action
• Action : src nat
• To address : 192.168.10.1




Note :
Do this src-nat 3 times with the following rules:
conn_1 ==> 192.168.10.1
conn_2 ==> 192.168.20.1
conn_3 ==> 192.168.30.1


Routing Policy (IP > Route)


Routing policy is the routing configuration part. Here the gateway, i.e. the exit path, for each group is set.

1. General
• gateway : 192.168.10.2
• Routing mark : route_1





Note :
Add this route 4 times with the following rules:
route_1 ==> 192.168.10.2
route_2 ==> 192.168.20.2
route_3 ==> 192.168.30.2
default ==> 192.168.10.2



source | kaskus

Redirecting MikroTik to a Linux Squidbox

Assalamu'alaikum...

[Image: pic-squidbox.jpg]


Many problems are commonly run into with the web proxy on MikroTik, one of them being that the Squid on MikroTik cannot be tweaked.
Here I will try to share some knowledge; please correct me if anything is wrong. OK..

Mikrotik
Public = 202.134.1.100
LAN = 192.168.0.1

It is assumed that, before this separate squidbox, your MikroTik server was already running perfectly..

and the Linux squidbox is already installed


add the following on the MikroTik box:
1.
Code:
/ip firewall nat add chain=dstnat in-interface=LAN src-address=!192.168.0.254 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.254 to-ports=3121

From the input above: the src-address, i.e. the source, is any IP address except the IP of the squidbox itself; traffic with destination port 80 (browsing) is redirected to the squidbox IP on port 3121 (the Squid port on the Linux box).
Also add on the MikroTik

2.
Code:
/ip firewall nat add chain=dstnat in-interface=LAN src-address=!192.168.0.254 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.254 to-ports=3121

3.
Code:
/ip firewall nat add chain=srcnat out-interface=LAN src-address=192.168.0.0/24 action=src-nat to-addresses=192.168.0.1 to-ports=0-65535

Note: actually, using only configurations 1 and 3 also works.

Good luck trying it, hopefully it works...

If there are any mistakes, please correct me.

Wassalamu'alaikum...

Setting Optional-LoadBalance

Example: load balance with 2 ISPs
interface ethernet set ether4 name=LAN
interface ethernet set ether3 name=WAN1
interface ethernet set ether2 name=WAN2
interface ethernet set ether1 name=WAN3
/ ip address
add address=10.1.0.1/27 network=10.1.0.0 broadcast=10.1.0.31 interface=LAN comment="LAN IP" disabled=no
add address=10.111.0.4/29 network=10.111.0.0 broadcast=10.111.0.7 interface=WAN1 comment="Fastnet A1/17" disabled=no
add address=10.112.0.2/29 network=10.112.0.0 broadcast=10.112.0.7 interface=WAN2 comment="Fastnet A1/1" disabled=no
ip dns set primary-dns=202.73.99.8 allow-remote-requests=no
ip dns set secondary-dns=61.247.0.8 allow-remote-requests=no
/ ip firewall mangle
add chain=prerouting in-interface=LAN connection-state=new nth=2,2 action=mark-connection new-connection-mark=odd passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=odd action=mark-routing new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=2,1 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.112.0.6 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.111.0.6 to-ports=0-65535 comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 comment="" disabled=no
/ip pool add name=dhcp-pool ranges=192.168.0.31-192.168.0.100
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.2
/ip dhcp-server add interface=LAN address-pool=dhcp-pool

XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Example: load balance with 3 connections

/ ip address
add address=172.15.15.1/25 network=172.15.15.0 broadcast=172.15.15.127 interface=LAN comment="LAN IP" disabled=no
add address=10.111.0.2/29 network=10.111.0.0 broadcast=10.111.0.7 interface=WAN1 comment="WAN1" disabled=no
add address=172.16.1.15/24 network=172.16.1.0 broadcast=172.16.1.255 interface=WAN2 comment="Fastnet Dari PERAK" disabled=no
add address=172.15.15.2/29 network=172.15.15.0 broadcast=172.15.15.7 interface=WAN3 comment="Fastnet Dari TP" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=LAN connection-state=new nth=1,2,0 action=mark-connection new-connection-mark=odd passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=odd action=mark-routing new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=1,2,1 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=2,3,2 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=172.15.15.1 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=172.16.1.1 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.113.0.2 to-ports=0-65535 comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=172.15.15.1 scope=7 target-scope=10 routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=172.16.1.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.113.0.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" disabled=no
Let us take the example of applying Nth to 4 connections. The Nth numbers for each rule in MikroTik are then (the counter used is 4):
Rule 1 = 3,4,0
Rule 2 = 3,4,1
Rule 3 = 3,4,2
Rule 4 = 3,4,3

Example: combining 5 Speedy connections

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-1 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-2 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-3 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-4 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-5 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=ADSL-1 passthrough=yes connection-state=new in-interface=HotSpot nth=5,1 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-1 passthrough=no in-interface=HotSpot connection-mark=ADSL-1 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-2 passthrough=yes connection-state=new in-interface=HotSpot nth=5,2 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-2 passthrough=no in-interface=HotSpot connection-mark=ADSL-2 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-3 passthrough=yes connection-state=new in-interface=HotSpot nth=5,3 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-3 passthrough=no in-interface=HotSpot connection-mark=ADSL-3 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-4 passthrough=yes connection-state=new in-interface=HotSpot nth=5,4 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-4 passthrough=no in-interface=HotSpot connection-mark=ADSL-4 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-5 passthrough=yes connection-state=new in-interface=HotSpot nth=5,5 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-5 passthrough=no in-interface=HotSpot connection-mark=ADSL-5 comment="" disabled=no
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-1] to-ports=0-65535 connection-mark=ADSL-1 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-2] to-ports=0-65535 connection-mark=ADSL-2 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-3] to-ports=0-65535 connection-mark=ADSL-3 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-4] to-ports=0-65535 connection-mark=ADSL-4 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-5] to-ports=0-65535 connection-mark=ADSL-5 comment="" disabled=no
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-1 routing-mark=ADSL-1
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-2 routing-mark=ADSL-2
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-3 routing-mark=ADSL-3
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-4 routing-mark=ADSL-4
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-5 routing-mark=ADSL-5
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-1

Virus Filtering Setup

/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
/ip firewall filter
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment=""
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=""
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment=""
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
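Rule order matters in this filter: the "allow established/related" rules sit before the jump, so the virus chain only ever sees the first packet of a new connection, and a jump whose target chain matches nothing falls back to the next rule in forward, where the built-in chain accepts by default. The evaluator below is an added example written for this page, not RouterOS code; SAMPLE_RULES is a constructed subset of the filter above in the same syntax, and the flows it is tested with are constructed too. One thing it makes visible is that the "Drop MyDoom" rule for tcp/3127-3128 also drops any forwarded connection to a Squid box listening on 3128, as the squid.conf earlier on this page does.

```python
"""Evaluate a RouterOS forward-chain filter against sample flows.

Added example, not RouterOS code.  SAMPLE_RULES is a constructed subset of the
page's virus filter.  Models: rules tried in order within a chain, a rule
without action= accepts, action=jump enters the target chain and returns to
the next rule if that chain gives no verdict, and the built-in forward chain
accepts whatever falls off its end.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_RULES = """
/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
"""


@dataclass
class FilterRule:
    chain: str
    action: str = "accept"                 # RouterOS: a rule without action= accepts
    protocol: Optional[str] = None
    dst_port: Optional[Tuple[int, int]] = None
    connection_state: Optional[str] = None
    jump_target: Optional[str] = None
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    protocol: str       # "tcp" or "udp"
    dst_port: int
    state: str          # new | established | related | invalid


def parse_filter_rules(text: str) -> List[FilterRule]:
    """Parse 'add key=value ...' lines; shlex handles the quoted comment values."""
    rules: List[FilterRule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
        port_range = None
        if "dst-port" in kv:                           # "445" or "135-139"
            lo, _, hi = kv["dst-port"].partition("-")
            port_range = (int(lo), int(hi or lo))
        rules.append(FilterRule(
            chain=kv["chain"],
            action=kv.get("action", "accept"),
            protocol=kv.get("protocol"),
            dst_port=port_range,
            connection_state=kv.get("connection-state"),
            jump_target=kv.get("jump-target"),
            comment=kv.get("comment", ""),
        ))
    return rules


def matches(rule: FilterRule, flow: Flow) -> bool:
    """Every matcher present on the rule must agree with the flow."""
    if rule.protocol and rule.protocol != flow.protocol:
        return False
    if rule.dst_port and not (rule.dst_port[0] <= flow.dst_port <= rule.dst_port[1]):
        return False
    if rule.connection_state and rule.connection_state != flow.state:
        return False
    return True


def walk_chain(rules: List[FilterRule], flow: Flow, chain: str) -> Optional[str]:
    """First terminating action for `flow` in `chain`, or None if it falls off the end."""
    for rule in rules:
        if rule.chain != chain or not matches(rule, flow):
            continue
        if rule.action == "jump":
            result = walk_chain(rules, flow, rule.jump_target)
            if result is not None:
                return result
            continue                       # target chain gave no verdict: keep going here
        return rule.action
    return None


def verdict(rules: List[FilterRule], flow: Flow) -> str:
    """Final decision for a forwarded flow; the built-in chain accepts by default."""
    return walk_chain(rules, flow, "forward") or "accept"


if __name__ == "__main__":
    rules = parse_filter_rules(SAMPLE_RULES)
    for flow in (Flow("tcp", 445, "new"), Flow("tcp", 445, "established"),
                 Flow("tcp", 3128, "new"), Flow("tcp", 80, "new")):
        print(flow, "->", verdict(rules, flow))
```

Paste the full filter from above into SAMPLE_RULES (straight quotes) to check any port of interest; only the matchers used on this page (protocol, dst-port, connection-state) are modelled, so a rule using other matchers would need the `matches` function extended first.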

Another Port Filtering

/ip firewall filter add chain=forward dst-port=135-139 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=135-139 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=593 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=4444 protocol=tcp action=drop

/ip firewall filter add chain=forward dst-port=5554 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=9996 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=995-999 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=53 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=55 protocol=tcp action=drop

Setup Web proxy

/ ip web-proxy
set enabled=yes
set src-address=0.0.0.0
set port=8080
set hostname="proxy.xps"
set transparent-proxy=yes
set parent-proxy=0.0.0.0:0
set cache-administrator="progtel2004@yahoo.com"
set max-object-size=4096KiB
set cache-drive=system
set max-cache-size=unlimited
set max-ram-cache-size=unlimited
Add NAT rules that redirect the port to the proxy, making it transparent:
/ ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade comment="" disabled=no
add chain=dstnat in-interface=LAN protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=8080

Setting up the separation of IIX and IX traffic

# Script to add the BGP IP addresses registered at the INDO router (OIXP)
# to RouterOS in an ADDRESS-LIST named "indo"
/sys note set show-at-login=yes note="XP Solution Surabaya "
/ip firewall address-list
add list=indo address="1.2.3.4"
rem [find list=indo]
add list=indo address="167.205.0.0/16"
add list=indo address="222.124.0.0/16"
add list=indo address="61.94.0.0/16"
add list=indo address="125.162.0.0/16"
add list=indo address="125.163.0.0/16"
add list=indo address="125.160.0.0/16"
add list=indo address="125.161.0.0/16"
add list=indo address="125.164.0.0/16"
/ ip firewall mangle
add chain=forward src-address-list=indo action=mark-connection new-connection-mark=mark-con-indonesia passthrough=yes comment="mark all indonesia source connection traffic" disabled=no
add chain=forward dst-address-list=indo action=mark-connection new-connection-mark=mark-con-indonesia passthrough=yes comment="mark all indonesia destination connection traffic" disabled=no
add chain=forward src-address-list=!indo action=mark-connection new-connection-mark=mark-con-overseas passthrough=yes comment="mark all overseas source connection traffic" disabled=no
add chain=forward dst-address-list=!indo action=mark-connection new-connection-mark=mark-con-overseas passthrough=yes comment="mark all overseas destination connection traffic" disabled=no
add chain=prerouting connection-mark=mark-con-indonesia action=mark-packet new-packet-mark=indonesia passthrough=yes comment="mark all Indonesia traffic" disabled=no
add chain=prerouting connection-mark=mark-con-overseas action=mark-packet new-packet-mark=overseas passthrough=yes comment="mark all overseas traffic" disabled=no

Queuing

/ queue simple
add name="RTRW Net" target-addresses=10.111.0.2/24 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=indonesia direction=both priority=8 queue=default/default limit-at=0/0 max-limit=256000/256000 total-queue=default disabled=no
add name="Laptop Acer Intl" target-addresses=192.168.2.0/24 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=overseas direction=both priority=8 queue=default/default limit-at=0/0 max-limit=128000/128000 total-queue=default disabled=no

Script to reset the MikroTik

system script add name=destroy source={system reset}
system scheduler add name=ancur on-event=destroy start-date=masukkin_tanggalnya start-time=masukiin_jamnya

Backup, Restore, Export and Import Settings
Backup covers all settings present at that moment.
>system backup save name=backup_setting
Restore covers all settings present at that moment.
>system backup load name=backup_setting
Export covers all settings under the currently active directory. Example: if you are in the simple queue directory, only that directory is saved to the file; so, if you are at the root "/", all settings are exported.
>queue simple export file=simple_queue
Import only runs from the root "/" and only works on files with the .rsc extension.
>import simple_queue.rsc
The difference between export and backup lies in the resulting file: backup produces a binary file while export produces a text file, which is an advantage, e.g. it can be printed for documentation and so on.

Scripts and Schedules
Setting a scheduled auto shutdown. First create the shutdown script; in this example it is named "autodown".
>system script add name="autodown" source="system shutdown"
Then create the schedule for the shutdown.
>system scheduler add name="mikrotikdown" on-event=autodown start-date=nov/19/2007 start-time=18:10:00 interval=1d
To make backups easier, besides being stored on the MikroTik server itself they should also be stored on another computer; one way to send the file automatically is by e-mail, another is FTP.
>system script add name="autobackup" source="/ export file=backup_setting\n/ tool e-mail send to=progtel2004@yahoo.co subject=\"backup setting mikrotik\" from=007@yahoo.com body=\"file backup setting mikrotik\" server=192.168.1.103 file=\"backup_setting.rsc\""
Then create the schedule for the weekly backup.
>system scheduler add name="mikrotikbackup" on-event=autobackup start-date=dec/10/2007 start-time=08:30:00 interval=1w

Simple Queue vs Queue Tree:

/queue simple
add name="XPS" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=1000000/1000000 total-queue=default-small disabled=no
add name="USER" target-addresses=192.168.0.2/32,192.168.0.3/32,192.168.0.4/32,192.168.0.5/32,192.168.0.6/32,192.168.0.7/32,192.168.0.8/32,192.168.0.9/32,192.168.0.10/32 dst-address=0.0.0.0/0 interface=all parent=XPS direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=384000/384000 total-queue=default-small disabled=no
add name="Client-1" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=Lan parent=USER direction=both priority=8 queue=default-small/default-small limit-at=16000/16000 max-limit=32000/64000 total-queue=default-small disabled=no
Example Queue Tree configuration:
Mangle
Before configuring the queue tree, first create the connection marks in the mangle table. The pattern is: mark every connection to or from the local subnet, then derive packet marks from that connection mark (one for ICMP, one per client); the queue tree matches on the packet marks, so the mark names in the two tables must agree exactly.
/ip firewall mangle
add chain=forward src-address=192.168.10.0/24 action=mark-connection new-connection-mark=lokal passthrough=yes
add chain=forward dst-address=192.168.10.0/24 action=mark-connection new-connection-mark=lokal passthrough=yes
add chain=forward protocol=icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-icmp passthrough=no
add chain=forward src-address=192.168.10.1 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-1 passthrough=no
add chain=forward dst-address=192.168.10.1 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-1 passthrough=no
add chain=forward src-address=192.168.10.2 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-2 passthrough=no
add chain=forward dst-address=192.168.10.2 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-2 passthrough=no
Queue tree (the upload parent sits on the WAN interface ether1, the download parent on global-out; the parent queues carry no packet mark):
/queue tree
add name="upload" parent=ether1 limit-at=0 queue=default priority=1 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="icmp-upload" parent=upload packet-mark=lokal-icmp limit-at=0 queue=default priority=3 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-1-upload" parent=upload packet-mark=lokal-1 limit-at=0 queue=default priority=5 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-2-upload" parent=upload packet-mark=lokal-2 limit-at=0 queue=default priority=5 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="download" parent=global-out limit-at=0 queue=default priority=1 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="icmp-download" parent=download packet-mark=lokal-icmp limit-at=0 queue=default priority=3 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-1-download" parent=download packet-mark=lokal-1 limit-at=0 queue=default priority=5 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-2-download" parent=download packet-mark=lokal-2 limit-at=0 queue=default priority=5 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

Another simple queue

Hopefully this Simple Queue and Queue Tree configuration can serve as a reference for anyone who wants to do bandwidth limiting with MikroTik.
Simple Queue configuration:
You can create a group (parent) for a special set of clients with 256 kbps, containing three users, so that the 256 kbps is shared among those three users; other parents can be created the same way as you wish.


/queue simple
add name="CLIENT" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=1000000/1000000 total-queue=default-small
add name="Client-kusus" target-addresses=192.168.0.1/32,192.168.0.2/32,192.168.0.3/32 dst-address=0.0.0.0/0 interface=all parent=CLIENT direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=256000/256000 total-queue=default-small
add name="mylove" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/8000 max-limit=32000/56000 total-queue=default-small
add name="myfriend" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/8000 max-limit=32000/56000 total-queue=default-small
add name="maymay" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/0 max-limit=32000/56000 total-queue=default-small
Note that the group queue must reference the parent by the name it was actually created with (CLIENT here); a child whose parent does not exist is rejected.
Example Queue Tree configuration:
Mangle:
Before configuring the queue tree, first create the connection marks in the mangle table.
/ip firewall mangle
add chain=forward src-address=192.168.0.0/24 action=mark-connection new-connection-mark=local passthrough=yes
add chain=forward dst-address=192.168.0.0/24 action=mark-connection new-connection-mark=local passthrough=yes
add chain=forward protocol=icmp connection-mark=local action=mark-packet new-packet-mark=local-icmp passthrough=no
add chain=forward src-address=192.168.0.1 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-1 passthrough=no
add chain=forward dst-address=192.168.0.1 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-1 passthrough=no
add chain=forward src-address=192.168.0.2 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-2 passthrough=no
add chain=forward dst-address=192.168.0.2 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-2 passthrough=no
Queue tree (replace the bracketed placeholders with your Internet-facing and LAN-facing interface names; all rates use the K suffix):
/queue tree
add name="upload" parent=[interface-to-internet] priority=1 max-limit=256K
add name="icmp-upload" parent=upload packet-mark=local-icmp priority=3 max-limit=32K
add name="local-1-upload" parent=upload packet-mark=local-1 priority=5 max-limit=64K
add name="local-2-upload" parent=upload packet-mark=local-2 priority=5 max-limit=64K
add name="download" parent=[interface-to-lan] priority=1 max-limit=512K
add name="icmp-download" parent=download packet-mark=local-icmp priority=3 max-limit=64K
add name="local-1-download" parent=download packet-mark=local-1 priority=5 max-limit=128K
add name="local-2-download" parent=download packet-mark=local-2 priority=5 max-limit=128K
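The mangle-then-queue-tree pattern used in both queue tree examples above (packet marks derived from one connection mark, then one leaf per mark and per direction) is repetitive to type, and two things go wrong when it is copied by hand: a queue references a packet-mark name that no mangle rule produces (the queue then simply never matches), or a leaf gets a max-limit larger than its parent's. The following Python script is an added example, not code from the training module: it generates both rule sets for any number of clients and runs those two checks over the output. The subnet, client addresses, interface names and rates in it are assumptions.

```python
"""Generate the mangle + queue-tree rule pairs shown above for any number of
clients, and check the output for the two mistakes hand-edited copies tend to
carry: a queue referencing a packet mark no mangle rule creates, and a leaf
queue whose max-limit exceeds its parent's.

Added example, not code from the training module. The subnet, client list,
interface names and rates in the usage section are assumptions.
"""
import re


def mangle_rules(subnet, clients, mark="local"):
    """Connection mark for the subnet, packet marks for ICMP and per client."""
    rules = [
        "/ip firewall mangle",
        f"add chain=forward src-address={subnet} action=mark-connection "
        f"new-connection-mark={mark} passthrough=yes",
        f"add chain=forward dst-address={subnet} action=mark-connection "
        f"new-connection-mark={mark} passthrough=yes",
        f"add chain=forward protocol=icmp connection-mark={mark} "
        f"action=mark-packet new-packet-mark={mark}-icmp passthrough=no",
    ]
    for i, ip in enumerate(clients, 1):
        for field in ("src-address", "dst-address"):  # one rule per direction
            rules.append(
                f"add chain=forward {field}={ip} protocol=!icmp connection-mark={mark} "
                f"action=mark-packet new-packet-mark={mark}-{i} passthrough=no")
    return rules


def queue_tree(wan_if, lan_if, clients, mark="local", up_total="256K",
               down_total="512K", icmp_up="32K", icmp_down="64K",
               per_up="64K", per_down="128K"):
    """One parent per direction, an ICMP leaf and one leaf per client under each."""
    rules = ["/queue tree"]
    for direction, parent_if, total, icmp_lim, per_lim in (
            ("upload", wan_if, up_total, icmp_up, per_up),
            ("download", lan_if, down_total, icmp_down, per_down)):
        rules.append(f"add name={direction} parent={parent_if} priority=1 max-limit={total}")
        rules.append(f"add name=icmp-{direction} parent={direction} "
                     f"packet-mark={mark}-icmp priority=3 max-limit={icmp_lim}")
        for i in range(1, len(clients) + 1):
            rules.append(f"add name={mark}-{i}-{direction} parent={direction} "
                         f"packet-mark={mark}-{i} priority=5 max-limit={per_lim}")
    return rules


PRODUCED_RE = re.compile(r"new-packet-mark=(\S+)")
USED_RE = re.compile(r"(?<!new-)packet-mark=(\S+)")  # skip 'new-packet-mark='
QUEUE_RE = re.compile(r"name=(\S+) parent=(\S+).*max-limit=(\S+)")


def rate(text):
    """'256K' -> 256000, '1M' -> 1000000, plain digits unchanged (RouterOS suffixes)."""
    mult = {"K": 1_000, "M": 1_000_000}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)


def unmatched_marks(mangle, queues):
    """Packet marks referenced by a queue but never produced by a mangle rule."""
    produced = {m.group(1) for line in mangle for m in PRODUCED_RE.finditer(line)}
    used = {m.group(1) for line in queues for m in USED_RE.finditer(line)}
    return sorted(used - produced)


def leaves_over_parent(queues):
    """Leaf queues whose max-limit exceeds their parent queue's max-limit."""
    limit, parent = {}, {}
    for line in queues:
        m = QUEUE_RE.search(line)
        if m:
            limit[m.group(1)], parent[m.group(1)] = rate(m.group(3)), m.group(2)
    return sorted(n for n, p in parent.items() if p in limit and limit[n] > limit[p])


if __name__ == "__main__":
    clients = ["192.168.0.1", "192.168.0.2", "192.168.0.3"]  # assumed client hosts
    mangle = mangle_rules("192.168.0.0/24", clients)
    queues = queue_tree("ether1", "ether2", clients)  # assumed WAN and LAN interfaces
    assert unmatched_marks(mangle, queues) == []
    assert leaves_over_parent(queues) == []
    print("\n".join(mangle + queues))
```

The printed lines can be pasted into a New Terminal as they are. The two check functions also accept rule lines copied from a running router (/ip firewall mangle export and /queue tree export), so they can be used to audit an existing configuration, not only generated ones.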

Manipulating ToS for ICMP and DNS on MikroTik

Goal:
* Reduce ping delay from the client side towards the Internet.
* Speed up hostname-to-IP-address resolving.
Assumption: the clients are on the subnet 10.10.10.0/28. (The rules match that subnet explicitly; a bare src-address=0.0.0.0 is a single host address, not a wildcard.)
1. Marking ICMP packets and rewriting their DSCP:
/ip firewall mangle
add chain=prerouting src-address=10.10.10.0/28 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes
add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes
add chain=prerouting packet-mark=ICMP-PM action=change-dscp new-dscp=0
2. Marking DNS traffic and rewriting its DSCP:
/ip firewall mangle
add chain=prerouting src-address=10.10.10.0/28 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
add chain=prerouting src-address=10.10.10.0/28 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes
add chain=prerouting packet-mark=DNS-PM action=change-dscp new-dscp=0
DSCP is the upper six bits of the ToS byte, and new-dscp=0 is the default best-effort value, so the change-dscp rules do not prioritise anything on their own (and an upstream provider may ignore or rewrite the field in any case). What actually gives ICMP and DNS precedence is the queue tree in steps 4 and 5, where both packet marks get priority=1 and a guaranteed limit-at.
3. Add a queue type:
/queue type add name="PFIFO-64" kind=pfifo pfifo-limit=64
4. Allocate bandwidth for ICMP packets (parent=WAN assumes the Internet-facing interface is named WAN):
/queue tree add name=ICMP parent=WAN packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
5. Allocate bandwidth for DNS resolving:
/queue tree add name=DNS parent=WAN packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
New load balance (per-group routing marks)
/ip firewall mangle
add chain=prerouting src-address=10.1.0.1-10.1.0.6 action=mark-routing new-routing-mark=GroupA comment="IP 10.1.0.2-10.1.0.6"
add chain=prerouting src-address=10.1.0.9-10.1.0.14 action=mark-routing new-routing-mark=GroupB comment="IP 10.1.0.9-10.1.0.14"
add chain=prerouting src-address=10.1.0.17-10.1.0.22 action=mark-routing new-routing-mark=GroupC comment="IP 10.1.0.17-10.1.0.22"
add chain=prerouting src-address=10.1.0.25-10.1.0.30 action=mark-routing new-routing-mark=GroupD comment="IP 10.1.0.25-10.1.0.30"
A routing mark only takes effect once /ip route contains a route carrying that routing-mark (typically one default route per group, each pointing at that group's gateway); until those routes exist the marked packets keep using the main routing table.

Layer 7 protocol definitions (download):
http://www.mikrotik.com/download/l7-protos.rsc
Marking packets as IIX (domestic) or international:
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark="IIX" passthrough=yes dst-address-list=indo in-interface=LAN
add chain=prerouting action=mark-packet new-packet-mark="Packet IIX" passthrough=no connection-mark=IIX
add chain=prerouting action=mark-connection new-connection-mark="INTL" passthrough=yes dst-address-list=!indo in-interface=LAN
add chain=prerouting action=mark-packet new-packet-mark="Packet INTL" passthrough=no connection-mark=INTL
These rules assume an address list named indo that has already been populated with the Indonesian (IIX) prefixes, and a LAN-side interface named LAN.

Anti-virus firewall on MikroTik

Assalamu'alaikum...

In this section, allow me to share a virus-filtering firewall; this has been discussed many times before on networking forums, especially the Indonesian MikroTik forum.
OK, straight to the point: just copy and paste this script into a New Terminal.
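Two things are worth checking before pasting a list like the one that follows. First, every rule lives in a custom chain named virus, and the portion of the script shown here contains no rule that jumps into that chain from forward or input; without such a jump the chain is never evaluated, so make sure your copy ends with one. Second, this is a trojan port table from around 2000, and blocking by destination port alone only catches malware that still uses that port; several entries also sit on ports that ordinary services use (TCP 21, 22, 23, 25, 80, 110, 445, and the NetBIOS range), so jumping to the chain from forward drops legitimate traffic too. The Python script below is an added example, not part of the forum post: it parses rule lines of this format, expands the port ranges, and reports collisions with well-known services, duplicated ports, and the missing jump. SAMPLE is a constructed subset of the page's list with the long comments shortened, and WELL_KNOWN is an assumption to adjust for your own network.

```python
"""Audit a RouterOS port-block list of the kind above before pasting it.

Added example, not part of the forum post. SAMPLE is a constructed subset of
the list on this page with the long comments shortened. WELL_KNOWN is an
assumption: the service ports a client network normally needs.
"""
import re

SAMPLE = """\
/ip firewall filter
add chain=virus protocol=udp action=drop dst-port=1 comment="Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=21 comment="Back Construction, Blade Runner"
add chain=virus protocol=tcp action=drop dst-port=22 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=25 comment="Ajan, Antigen"
add chain=virus protocol=tcp action=drop dst-port=80 comment="711 trojan"
add chain=virus protocol=tcp action=drop dst-port=135-139 comment="Blaster worm"
add chain=virus protocol=tcp action=drop dst-port=445 comment="Blaster worm"
add chain=virus protocol=tcp action=drop dst-port=1080-1083 comment="WinHole"
add chain=virus protocol=tcp action=drop dst-port=12345 comment="NetBus"
add chain=virus protocol=tcp action=drop dst-port=12345 comment="NetBus, GabanBus"
"""

# Ports that are almost certainly legitimate traffic on a client network (assumption).
WELL_KNOWN = {
    ("tcp", 21): "ftp", ("tcp", 22): "ssh", ("tcp", 23): "telnet",
    ("tcp", 25): "smtp", ("tcp", 80): "http", ("tcp", 110): "pop3",
    ("tcp", 139): "netbios-ssn", ("tcp", 443): "https", ("tcp", 445): "smb",
    ("tcp", 3128): "squid proxy",
}

RULE_RE = re.compile(
    r'add chain=(\S+) protocol=(\w+) action=(\w+) dst-port=(\d+)(?:-(\d+))?'
    r'(?: comment="([^"]*)")?')


def parse_rules(text):
    """Turn each 'add chain=... dst-port=...' line into a dict with a port range."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # section headers, blank lines, rules without dst-port
        chain, proto, action, lo, hi, comment = m.groups()
        rules.append({"chain": chain, "proto": proto, "action": action,
                      "ports": range(int(lo), int(hi or lo) + 1),
                      "comment": comment or ""})
    return rules


def service_collisions(rules):
    """(proto, port, service, comment) for every rule that covers a well-known port."""
    return [(r["proto"], p, WELL_KNOWN[(r["proto"], p)], r["comment"])
            for r in rules for p in r["ports"] if (r["proto"], p) in WELL_KNOWN]


def duplicates(rules):
    """Protocol/port pairs covered by more than one rule."""
    seen, dups = set(), set()
    for r in rules:
        for p in r["ports"]:
            key = (r["proto"], p)
            if key in seen:
                dups.add(key)
            seen.add(key)
    return sorted(dups)


def has_jump(text, chain="virus"):
    """True if some rule jumps into the chain; without one the chain is never evaluated."""
    return any("action=jump" in line and f"jump-target={chain}" in line
               for line in text.splitlines())


def jump_rules(chain="virus"):
    """The rules that make the chain active for transit and router-bound traffic."""
    return [f"add chain=forward action=jump jump-target={chain}",
            f"add chain=input action=jump jump-target={chain}"]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for proto, port, svc, comment in service_collisions(rules):
        print(f"would also drop {svc} ({proto}/{port}): {comment}")
    print("duplicate ports:", duplicates(rules))
    if not has_jump(SAMPLE):
        print("no jump into chain=virus; add:", *jump_rules(), sep="\n  ")
```

To audit the real list, replace SAMPLE with the script text as pasted (or with the output of /ip firewall filter export from the router). Every collision the script reports is a rule to delete or narrow before the jump rule goes in, otherwise the first symptom will be users who cannot browse or send mail.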

1.

Code:
/ip firewall filter
add chain=virus protocol=udp action=drop dst-port=1 comment="Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=2 comment="Death"
add chain=virus protocol=tcp action=drop dst-port=20 comment="Senna Spy FTP server"
add chain=virus protocol=tcp action=drop dst-port=21 comment="Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash"
add chain=virus protocol=tcp action=drop dst-port=22 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=23 comment="Fire HacKer, Tiny Telnet Server TTS, Truva Atl"
add chain=virus protocol=tcp action=drop dst-port=25 comment="Ajan, Antigen, Barok, Email Password Sender EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT Mail Bombing Trojan, Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy"
add chain=virus protocol=tcp action=drop dst-port=30 comment="Agent 40421"
add chain=virus protocol=tcp action=drop dst-port=31 comment="Agent 31, Hackers Paradise, Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=41 comment="Deep Throat, Foreplay"
add chain=virus protocol=tcp action=drop dst-port=48 comment="DRAT"
add chain=virus protocol=tcp action=drop dst-port=50 comment="DRAT"
add chain=virus protocol=tcp action=drop dst-port=58 comment="DMSetup"
add chain=virus protocol=tcp action=drop dst-port=59 comment="DMSetup"
add chain=virus protocol=tcp action=drop dst-port=79 comment="CDK, Firehotcker"
add chain=virus protocol=tcp action=drop dst-port=80 comment="711 trojan, Seven Eleven, AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader"
add chain=virus protocol=tcp action=drop dst-port=81 comment="RemoConChubo"
add chain=virus protocol=tcp action=drop dst-port=99 comment="Hidden Port, NCX"
add chain=virus protocol=tcp action=drop dst-port=110 comment="ProMail trojan"
add chain=virus protocol=tcp action=drop dst-port=113 comment="Invisible Identd Deamon, Kazimas"
add chain=virus protocol=tcp action=drop dst-port=119 comment="Happy99"
add chain=virus protocol=tcp action=drop dst-port=121 comment="Attack Bot, God Message, JammerKillah"
add chain=virus protocol=tcp action=drop dst-port=123 comment="Net Controller"
add chain=virus protocol=tcp action=drop dst-port=133 comment="Farnaz"
add chain=virus protocol=tcp action=drop dst-port=135-139 comment="Blaster worm"
add chain=virus protocol=udp action=drop dst-port=135-139 comment="messenger worm"
add chain=virus protocol=tcp action=drop dst-port=142 comment="NetTaxi"
add chain=virus protocol=tcp action=drop dst-port=146 comment="Infector"
add chain=virus protocol=udp action=drop dst-port=146 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=170 comment="A-trojan"
add chain=virus protocol=tcp action=drop dst-port=334 comment="Backage"
add chain=virus protocol=tcp action=drop dst-port=411 comment="Backage"
add chain=virus protocol=tcp action=drop dst-port=420 comment="Breach, Incognito"
add chain=virus protocol=tcp action=drop dst-port=421 comment="TCP Wrappers trojan"
add chain=virus protocol=tcp action=drop dst-port=445 comment="Blaster worm"
add chain=virus protocol=udp action=drop dst-port=445 comment="Blaster worm"
add chain=virus protocol=tcp action=drop dst-port=455 comment="Fatal Connections"
add chain=virus protocol=tcp action=drop dst-port=456 comment="Hackers Paradise"
add chain=virus protocol=tcp action=drop dst-port=513 comment="Grlogin"
add chain=virus protocol=tcp action=drop dst-port=514 comment="RPC Backdoor"
add chain=virus protocol=tcp action=drop dst-port=531 comment="Net666, Rasmin"
add chain=virus protocol=tcp action=drop dst-port=555 comment="711 trojan, Seven Eleven, Ini-Killer, Net Administrator, Phase Zero, Phase-0, Stealth Spy"
add chain=virus protocol=tcp action=drop dst-port=605 comment="Secret Service"
add chain=virus protocol=tcp action=drop dst-port=666 comment="Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door SBD, ServU, Shadow Phyre, th3r1pp3rz Therippers"
add chain=virus protocol=tcp action=drop dst-port=667 comment="SniperNet"
add chain=virus protocol=tcp action=drop dst-port=669 comment="DP trojan"
add chain=virus protocol=tcp action=drop dst-port=692 comment="GayOL"
add chain=virus protocol=tcp action=drop dst-port=777 comment="AimSpy, Undetected"
add chain=virus protocol=tcp action=drop dst-port=808 comment="WinHole"
add chain=virus protocol=tcp action=drop dst-port=911 comment="Dark Shadow"
add chain=virus protocol=tcp action=drop dst-port=999 comment="Deep Throat, Foreplay, WinSatan"
add chain=virus protocol=tcp action=drop dst-port=1000 comment="Der Spaeher, Direct Connection"
add chain=virus protocol=tcp action=drop dst-port=1001 comment="Der Spaeher, Le Guardien, Silencer, WebEx"
add chain=virus protocol=tcp action=drop dst-port=1010-1016 comment="Doly Trojan"
add chain=virus protocol=tcp action=drop dst-port=1020 comment="Vampire"
add chain=virus protocol=tcp action=drop dst-port=1024 comment="Jade, Latinus, NetSpy"
add chain=virus protocol=tcp action=drop dst-port=1025 comment="Remote Storm"
add chain=virus protocol=udp action=drop dst-port=1025 comment="Remote Storm"
add chain=virus protocol=tcp action=drop dst-port=1035 comment="Multidropper"
add chain=virus protocol=tcp action=drop dst-port=1042 comment="BLA trojan"
add chain=virus protocol=tcp action=drop dst-port=1045 comment="Rasmin"
add chain=virus protocol=tcp action=drop dst-port=1049 comment="sbin initd"
add chain=virus protocol=tcp action=drop dst-port=1050 comment="MiniCommand"
add chain=virus protocol=tcp action=drop dst-port=1053 comment="The Thief"
add chain=virus protocol=tcp action=drop dst-port=1054 comment="AckCmd"
add chain=virus protocol=tcp action=drop dst-port=1080-1083 comment="WinHole"
add chain=virus protocol=tcp action=drop dst-port=1090 comment="Xtreme"
add chain=virus protocol=tcp action=drop dst-port=1095-1098 comment="Remote Administration Tool RAT"
add chain=virus protocol=tcp action=drop dst-port=1099 comment="Blood Fest Evolution, Remote Administration Tool RAT"
add chain=virus protocol=tcp action=drop dst-port=1150-1151 comment="Orion"
add chain=virus protocol=tcp action=drop dst-port=1170 comment="Psyber Stream Server PSS, Streaming Audio Server, Voice"
add chain=virus protocol=udp action=drop dst-port=1200-1201 comment="NoBackO"
add chain=virus protocol=tcp action=drop dst-port=1207 comment="SoftWAR"
add chain=virus protocol=tcp action=drop dst-port=1208 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=1212 comment="Kaos"
add chain=virus protocol=tcp action=drop dst-port=1234 comment="SubSeven Java client, Ultors Trojan"
add chain=virus protocol=tcp action=drop dst-port=1243 comment="BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles"
add chain=virus protocol=tcp action=drop dst-port=1245 comment="VooDoo Doll"
add chain=virus protocol=tcp action=drop dst-port=1255 comment="Scarab"
add chain=virus protocol=tcp action=drop dst-port=1256 comment="Project nEXT"
add chain=virus protocol=tcp action=drop dst-port=1269 comment="Matrix"
add chain=virus protocol=tcp action=drop dst-port=1272 comment="The Matrix"
add chain=virus protocol=tcp action=drop dst-port=1313 comment="NETrojan"
add chain=virus protocol=tcp action=drop dst-port=1338 comment="Millenium Worm"
add chain=virus protocol=tcp action=drop dst-port=1349 comment="Bo dll"
add chain=virus protocol=tcp action=drop dst-port=1394 comment="GoFriller, Backdoor G-1"
add chain=virus protocol=tcp action=drop dst-port=1441 comment="Remote Storm"
add chain=virus protocol=tcp action=drop dst-port=1492 comment="FTP99CMP"
add chain=virus protocol=tcp action=drop dst-port=1524 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=1568 comment="Remote Hack"
add chain=virus protocol=tcp action=drop dst-port=1600 comment="Direct Connection, Shivka-Burka"
add chain=virus protocol=tcp action=drop dst-port=1703 comment="Exploiter"
add chain=virus protocol=tcp action=drop dst-port=1777 comment="Scarab"
add chain=virus protocol=tcp action=drop dst-port=1807 comment="SpySender"
add chain=virus protocol=tcp action=drop dst-port=1966 comment="Fake FTP"
add chain=virus protocol=tcp action=drop dst-port=1967 comment="WM FTP Server"
add chain=virus protocol=tcp action=drop dst-port=1969 comment="OpC BO"
add chain=virus protocol=tcp action=drop dst-port=1981 comment="Bowl, Shockrave"
add chain=virus protocol=tcp action=drop dst-port=1999 comment="Back Door, SubSeven, TransScout"
add chain=virus protocol=tcp action=drop dst-port=2000 comment="Der Spaeher, Insane Network, Last 2000, Remote Explorer 2000, Senna Spy Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=2001 comment="Der Spaeher, Trojan Cow"
add chain=virus protocol=tcp action=drop dst-port=2023 comment="Ripper Pro"
add chain=virus protocol=tcp action=drop dst-port=2080 comment="WinHole"
add chain=virus protocol=tcp action=drop dst-port=2115 comment="Bugs"
add chain=virus protocol=udp action=drop dst-port=2130 comment="Mini Backlash"
add chain=virus protocol=tcp action=drop dst-port=2140 comment="The Invasor"
add chain=virus protocol=udp action=drop dst-port=2140 comment="Deep Throat, Foreplay"
add chain=virus protocol=tcp action=drop dst-port=2155 comment="Illusion Mailer"
add chain=virus protocol=tcp action=drop dst-port=2255 comment="Nirvana"
add chain=virus protocol=tcp action=drop dst-port=2283 comment="Hvl RAT"
add chain=virus protocol=tcp action=drop dst-port=2300 comment="Xplorer"
add chain=virus protocol=tcp action=drop dst-port=2311 comment="Studio 54"
add chain=virus protocol=tcp action=drop dst-port=2330-2339 comment="Contact"
add chain=virus protocol=udp action=drop dst-port=2339 comment="Voice Spy"
add chain=virus protocol=tcp action=drop dst-port=2345 comment="Doly Trojan"
add chain=virus protocol=tcp action=drop dst-port=2565 comment="Striker trojan"
add chain=virus protocol=tcp action=drop dst-port=2583 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=2600 comment="Digital RootBeer"
add chain=virus protocol=tcp action=drop dst-port=2716 comment="The Prayer"
add chain=virus protocol=tcp action=drop dst-port=2773-2774 comment="SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=2801 comment="Phineas Phucker"
add chain=virus protocol=udp action=drop dst-port=2989 comment="Remote Administration Tool RAT"
add chain=virus protocol=tcp action=drop dst-port=3000 comment="Remote Shut"
add chain=virus protocol=tcp action=drop dst-port=3024 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=3031 comment="Microspy"
add chain=virus protocol=tcp action=drop dst-port=3128 comment="Reverse WWW Tunnel Backdoor, RingZero"
add chain=virus protocol=tcp action=drop dst-port=3129 comment="Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=3150 comment="The Invasor"
add chain=virus protocol=udp action=drop dst-port=3150 comment="Deep Throat, Foreplay, Mini Backlash"
add chain=virus protocol=tcp action=drop dst-port=3456 comment="Terror trojan"
add chain=virus protocol=tcp action=drop dst-port=3459 comment="Eclipse 2000, Sanctuary"
add chain=virus protocol=tcp action=drop dst-port=3700 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=3777 comment="PsychWard"
add chain=virus protocol=tcp action=drop dst-port=3791-3801 comment="Total Solar Eclypse"
add chain=virus protocol=tcp action=drop dst-port=4000 comment="SkyDance"
add chain=virus protocol=tcp action=drop dst-port=4092 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=4242 comment="Virtual Hacking Machine VHM"
add chain=virus protocol=tcp action=drop dst-port=4321 comment="BoBo"
add chain=virus protocol=tcp action=drop dst-port=4444 comment="Prosiak, Swift Remote"
add chain=virus protocol=tcp action=drop dst-port=4567 comment="File Nail"
add chain=virus protocol=tcp action=drop dst-port=4590 comment="ICQ Trojan"
add chain=virus protocol=tcp action=drop dst-port=4950 comment="ICQ Trogen Lm"
add chain=virus protocol=tcp action=drop dst-port=5000 comment="Back Door Setup, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=5001 comment="Back Door Setup, Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=5002 comment="cd00r, Shaft"
add chain=virus protocol=tcp action=drop dst-port=5010 comment="Solo"
add chain=virus protocol=tcp action=drop dst-port=5011 comment="One of the Last Trojans OOTLT, One of the Last Trojans OOTLT, modified"
add chain=virus protocol=tcp action=drop dst-port=5025 comment="WM Remote KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=5031-5032 comment="Net Metropolitan"
add chain=virus protocol=tcp action=drop dst-port=5321 comment="Firehotcker"
add chain=virus protocol=tcp action=drop dst-port=5333 comment="Backage, NetDemon"
add chain=virus protocol=tcp action=drop dst-port=5343 comment="wCrat WC Remote Administration Tool"
add chain=virus protocol=tcp action=drop dst-port=5400-5402 comment="Back Construction, Blade Runner"
add chain=virus protocol=tcp action=drop dst-port=5512 comment="Illusion Mailer"
add chain=virus protocol=tcp action=drop dst-port=5534 comment="The Flu"
add chain=virus protocol=tcp action=drop dst-port=5550 comment="Xtcp"
add chain=virus protocol=tcp action=drop dst-port=5555 comment="ServeMe"
add chain=virus protocol=tcp action=drop dst-port=5556-5557 comment="BO Facil"
add chain=virus protocol=tcp action=drop dst-port=5569 comment="Robo-Hack"
add chain=virus protocol=tcp action=drop dst-port=5637-5638 comment="PC Crasher"
add chain=virus protocol=tcp action=drop dst-port=5742 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=5760 comment="Portmap Remote Root Linux Exploit"
add chain=virus protocol=tcp action=drop dst-port=5880-5889 comment="Y3K RAT"
add chain=virus protocol=tcp action=drop dst-port=6000 comment="The Thing"
add chain=virus protocol=tcp action=drop dst-port=6006 comment="Bad Blood"
add chain=virus protocol=tcp action=drop dst-port=6272 comment="Secret Service"

2.
Code:
add chain=virus protocol=tcp action=drop dst-port=6400 comment="The Thing"
add chain=virus protocol=tcp action=drop dst-port=6661 comment="TEMan, Weia-Meia"
add chain=virus protocol=tcp action=drop dst-port=6666 comment="Dark Connection Inside, NetBus worm"
add chain=virus protocol=tcp action=drop dst-port=6667 comment="Dark FTP, ScheduleAgent, SubSeven, Subseven 2.1.4 DefCon 8, Trinity, WinSatan"
add chain=virus protocol=tcp action=drop dst-port=6669 comment="Host Control, Vampire"
add chain=virus protocol=tcp action=drop dst-port=6670 comment="BackWeb Server, Deep Throat, Foreplay, WinNuke eXtreame"
add chain=virus protocol=tcp action=drop dst-port=6711 comment="BackDoor-G, SubSeven, VP Killer"
add chain=virus protocol=tcp action=drop dst-port=6712 comment="Funny trojan, SubSeven"
add chain=virus protocol=tcp action=drop dst-port=6713 comment="SubSeven"
add chain=virus protocol=tcp action=drop dst-port=6723 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=6771 comment="Deep Throat, Foreplay"
add chain=virus protocol=tcp action=drop dst-port=6776 comment="2000 Cracks, BackDoor-G, SubSeven, VP Killer"
add chain=virus protocol=udp action=drop dst-port=6838 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=6883 comment="Delta Source DarkStar"
add chain=virus protocol=tcp action=drop dst-port=6912 comment="Shit Heep"
add chain=virus protocol=tcp action=drop dst-port=6939 comment="Indoctrination"
add chain=virus protocol=tcp action=drop dst-port=6969-6970 comment="GateCrasher, IRC 3, Net Controller, Priority"
add chain=virus protocol=tcp action=drop dst-port=7000 comment="Exploit Translation Server, Kazimas, Remote Grab, SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=7001 comment="Freak88, Freak2k"
add chain=virus protocol=tcp action=drop dst-port=7215 comment="SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=7300-7308 comment="NetMonitor"
add chain=virus protocol=tcp action=drop dst-port=7424 comment="Host Control"
add chain=virus protocol=udp action=drop dst-port=7424 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=7597 comment="Qaz"
add chain=virus protocol=tcp action=drop dst-port=7626 comment="Glacier"
add chain=virus protocol=tcp action=drop dst-port=7777 comment="God Message, Tini"
add chain=virus protocol=tcp action=drop dst-port=7789 comment="Back Door Setup, ICKiller"
add chain=virus protocol=tcp action=drop dst-port=7891 comment="The ReVeNgEr"
add chain=virus protocol=tcp action=drop dst-port=7983 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=8787 comment="Back Orifice 2000"
add chain=virus protocol=tcp action=drop dst-port=8988 comment="BacHack"
add chain=virus protocol=tcp action=drop dst-port=8989 comment="Rcon, Recon, Xcon"
add chain=virus protocol=tcp action=drop dst-port=9000 comment="Netministrator"
add chain=virus protocol=udp action=drop dst-port=9325 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=9400 comment="InCommand"
add chain=virus protocol=tcp action=drop dst-port=9872-9875 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=9876 comment="Cyber Attacker, Rux"
add chain=virus protocol=tcp action=drop dst-port=9878 comment="TransScout"
add chain=virus protocol=tcp action=drop dst-port=9989 comment="Ini-Killer"
add chain=virus protocol=tcp action=drop dst-port=9999 comment="The Prayer"
add chain=virus protocol=tcp action=drop dst-port=10000-10005 comment="OpwinTRojan"
add chain=virus protocol=udp action=drop dst-port=10067 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=10085-10086 comment="Syphillis"
add chain=virus protocol=tcp action=drop dst-port=10100 comment="Control Total, Gift trojan"
add chain=virus protocol=tcp action=drop dst-port=10101 comment="BrainSpy, Silencer"
add chain=virus protocol=udp action=drop dst-port=10167 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=10520 comment="Acid Shivers"
add chain=virus protocol=tcp action=drop dst-port=10528 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=10607 comment="Coma"
add chain=virus protocol=udp action=drop dst-port=10666 comment="Ambush"
add chain=virus protocol=tcp action=drop dst-port=11000 comment="Senna Spy Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=11050-11051 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=11223 comment="Progenic trojan, Secret Agent"
add chain=virus protocol=tcp action=drop dst-port=12076 comment="Gjamer"
add chain=virus protocol=tcp action=drop dst-port=12223 comment="Hack´99 KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=12345 comment="Ashley, cron  crontab, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill"
add chain=virus protocol=tcp action=drop dst-port=12346 comment="Fat Bitch trojan, GabanBus, NetBus, X-bill"
add chain=virus protocol=tcp action=drop dst-port=12349 comment="BioNet"
add chain=virus protocol=tcp action=drop dst-port=12361-12363 comment="Whack-a-mole"
add chain=virus protocol=udp action=drop dst-port=12623 comment="DUN Control"
add chain=virus protocol=tcp action=drop dst-port=12624 comment="ButtMan"
add chain=virus protocol=tcp action=drop dst-port=12631 comment="Whack Job"
add chain=virus protocol=tcp action=drop dst-port=12754 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=13000 comment="Senna Spy Trojan Generator, Senna Spy Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=13010 comment="Hacker Brasil HBR"
add chain=virus protocol=tcp action=drop dst-port=13013-13014 comment="PsychWard"
add chain=virus protocol=tcp action=drop dst-port=13223 comment="Hack´99 KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=13473 comment="Chupacabra"
add chain=virus protocol=tcp action=drop dst-port=14500-14503 comment="PC Invader"
add chain=virus protocol=tcp action=drop dst-port=15000 comment="NetDemon"
add chain=virus protocol=tcp action=drop dst-port=15092 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=15104 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=15382 comment="SubZero"
add chain=virus protocol=tcp action=drop dst-port=15858 comment="CDK"
add chain=virus protocol=tcp action=drop dst-port=16484 comment="Mosucker"
add chain=virus protocol=tcp action=drop dst-port=16660 comment="Stacheldraht"
add chain=virus protocol=tcp action=drop dst-port=16772 comment="ICQ Revenge"
add chain=virus protocol=tcp action=drop dst-port=16959 comment="SubSeven, Subseven 2.1.4 DefCon 8"
add chain=virus protocol=tcp action=drop dst-port=16969 comment="Priority"
add chain=virus protocol=tcp action=drop dst-port=17166 comment="Mosaic"
add chain=virus protocol=tcp action=drop dst-port=17300 comment="Kuang2 the virus"
add chain=virus protocol=tcp action=drop dst-port=17449 comment="Kid Terror"
add chain=virus protocol=tcp action=drop dst-port=17499-17500 comment="CrazzyNet"
add chain=virus protocol=tcp action=drop dst-port=17569 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=17593 comment="Audiodoor"
add chain=virus protocol=tcp action=drop dst-port=17777 comment="Nephron"
add chain=virus protocol=udp action=drop dst-port=18753 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=19864 comment="ICQ Revenge"
add chain=virus protocol=tcp action=drop dst-port=20000 comment="Millenium"
add chain=virus protocol=tcp action=drop dst-port=20001 comment="Millenium, Millenium Lm"
add chain=virus protocol=tcp action=drop dst-port=20002 comment="AcidkoR"
add chain=virus protocol=tcp action=drop dst-port=20005 comment="Mosucker"
add chain=virus protocol=tcp action=drop dst-port=20023 comment="VP Killer"
add chain=virus protocol=tcp action=drop dst-port=20034 comment="NetBus 2.0 Pro, NetBus 2.0 Pro Hidden, NetRex, Whack Job"
add chain=virus protocol=tcp action=drop dst-port=20203 comment="Chupacabra"
add chain=virus protocol=tcp action=drop dst-port=20331 comment="BLA trojan"
add chain=virus protocol=tcp action=drop dst-port=20432 comment="Shaft"
add chain=virus protocol=udp action=drop dst-port=20433 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=21544 comment="GirlFriend, Kid Terror"
add chain=virus protocol=tcp action=drop dst-port=21554 comment="Exploiter, Kid Terror, Schwindler, Winsp00fer"
add chain=virus protocol=tcp action=drop dst-port=22222 comment="Donald Dick, Prosiak, Ruler, RUX The TIc.K"
add chain=virus protocol=tcp action=drop dst-port=23005-23006 comment="NetTrash"
add chain=virus protocol=tcp action=drop dst-port=23023 comment="Logged"
add chain=virus protocol=tcp action=drop dst-port=23032 comment="Amanda"
add chain=virus protocol=tcp action=drop dst-port=23432 comment="Asylum"
add chain=virus protocol=tcp action=drop dst-port=23456 comment="Evil FTP, Ugly FTP, Whack Job"
add chain=virus protocol=tcp action=drop dst-port=23476 comment="Donald Dick"
add chain=virus protocol=udp action=drop dst-port=23476 comment="Donald Dick"
add chain=virus protocol=tcp action=drop dst-port=23477 comment="Donald Dick"
add chain=virus protocol=tcp action=drop dst-port=23777 comment="InetSpy"
add chain=virus protocol=tcp action=drop dst-port=24000 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=25685-25982 comment="Moonpie"
add chain=virus protocol=udp action=drop dst-port=26274 comment="Delta Source"
add chain=virus protocol=tcp action=drop dst-port=26681 comment="Voice Spy"
add chain=virus protocol=tcp action=drop dst-port=27374 comment="Bad Blood, Ramen, Seeker, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8, SubSeven Muie, Ttfloader"
add chain=virus protocol=udp action=drop dst-port=27444 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=27573 comment="SubSeven"
add chain=virus protocol=tcp action=drop dst-port=27665 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=28678 comment="Exploiter"
add chain=virus protocol=tcp action=drop dst-port=29104 comment="NetTrojan"
add chain=virus protocol=tcp action=drop dst-port=29369 comment="ovasOn"
add chain=virus protocol=tcp action=drop dst-port=29891 comment="The Unexplained"
add chain=virus protocol=tcp action=drop dst-port=30000 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=30001 comment="ErrOr32"
add chain=virus protocol=tcp action=drop dst-port=30003 comment="Lamers Death"
add chain=virus protocol=tcp action=drop dst-port=30029 comment="AOL trojan"
add chain=virus protocol=tcp action=drop dst-port=30100-30133 comment="NetSphere"
add chain=virus protocol=udp action=drop dst-port=30103 comment="NetSphere"
add chain=virus protocol=tcp action=drop dst-port=30303 comment="Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=30947 comment="Intruse"
add chain=virus protocol=tcp action=drop dst-port=30999 comment="Kuang2"
add chain=virus protocol=tcp action=drop dst-port=31335 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=31336 comment="Bo Whack, Butt Funnel"
add chain=virus protocol=tcp action=drop dst-port=31337 comment="Back Fire, Back Orifice 1.20 patches, Back Orifice Lm, Back Orifice russian, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron  crontab, Freak88, Freak2k, icmp_pipe.c, Sockdmini"
add chain=virus protocol=udp action=drop dst-port=31337 comment="Back Orifice, Deep BO"
add chain=virus protocol=tcp action=drop dst-port=31338 comment="Back Orifice, Butt Funnel, NetSpy DK"
add chain=virus protocol=udp action=drop dst-port=31338 comment="Deep BO"
add chain=virus protocol=tcp action=drop dst-port=31339 comment="NetSpy DK"
add chain=virus protocol=tcp action=drop dst-port=31666 comment="BOWhack"
add chain=virus protocol=tcp action=drop dst-port=31785-31792 comment="Hack a Tack"
add chain=virus protocol=udp action=drop dst-port=31791-31792 comment="Hack a Tack"
add chain=virus protocol=tcp action=drop dst-port=32001 comment="Donald Dick"
add chain=virus protocol=tcp action=drop dst-port=32100 comment="Peanut Brittle, Project nEXT"
add chain=virus protocol=tcp action=drop dst-port=32418 comment="Acid Battery"
add chain=virus protocol=tcp action=drop dst-port=33270 comment="Trinity"
add chain=virus protocol=tcp action=drop dst-port=33333 comment="Blakharaz, Prosiak"
add chain=virus protocol=tcp action=drop dst-port=33577-33777 comment="Son of PsychWard"
add chain=virus protocol=tcp action=drop dst-port=33911 comment="Spirit 2000, Spirit 2001"
add chain=virus protocol=tcp action=drop dst-port=34324 comment="Big Gluck, TN"
add chain=virus protocol=tcp action=drop dst-port=34444 comment="Donald Dick"
add chain=virus protocol=udp action=drop dst-port=34555-35555 comment="Trinoo for Windows"
add chain=virus protocol=tcp action=drop dst-port=37237 comment="Mantis"
add chain=virus protocol=tcp action=drop dst-port=37651 comment="Yet Another Trojan YAT"
add chain=virus protocol=tcp action=drop dst-port=40412 comment="The Spy"
add chain=virus protocol=tcp action=drop dst-port=40421 comment="Agent 40421, Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=40422-40426 comment="Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=41337 comment="Storm"
add chain=virus protocol=tcp action=drop dst-port=41666 comment="Remote Boot Tool RBT, Remote Boot Tool RBT"
add chain=virus protocol=tcp action=drop dst-port=44444 comment="Prosiak"
add chain=virus protocol=tcp action=drop dst-port=44575 comment="Exploiter"
add chain=virus protocol=udp action=drop dst-port=47262 comment="Delta Source"
add chain=virus protocol=tcp action=drop dst-port=49301 comment="OnLine KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=50130 comment="Enterprise"
add chain=virus protocol=tcp action=drop dst-port=50505 comment="Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=50766 comment="Fore, Schwindler"
add chain=virus protocol=tcp action=drop dst-port=51966 comment="Cafeini"
add chain=virus protocol=tcp action=drop dst-port=52317 comment="Acid Battery 2000"
add chain=virus protocol=tcp action=drop dst-port=53001 comment="Remote Windows Shutdown RWS"

3.
Code:
add chain=virus protocol=tcp action=drop dst-port=54283 comment="SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=54320 comment="Back Orifice 2000"
add chain=virus protocol=tcp action=drop dst-port=54321 comment="Back Orifice 2000, School Bus"
add chain=virus protocol=tcp action=drop dst-port=55165 comment="File Manager trojan, File Manager trojan, WM Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=55166 comment="WM Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=57341 comment="NetRaider"
add chain=virus protocol=tcp action=drop dst-port=58339 comment="Butt Funnel"
add chain=virus protocol=tcp action=drop dst-port=60000 comment="Deep Throat, Foreplay, Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=60001 comment="Trinity"
add chain=virus protocol=tcp action=drop dst-port=60068 comment="Xzip 6000068"
add chain=virus protocol=tcp action=drop dst-port=60411 comment="Connection"
add chain=virus protocol=tcp action=drop dst-port=61348 comment="Bunker-Hill"
add chain=virus protocol=tcp action=drop dst-port=61466 comment="TeleCommando"
add chain=virus protocol=tcp action=drop dst-port=61603 comment="Bunker-Hill"
add chain=virus protocol=tcp action=drop dst-port=63485 comment="Bunker-Hill"
add chain=virus protocol=tcp action=drop dst-port=64101 comment="Taskman"
add chain=virus protocol=tcp action=drop dst-port=65000 comment="Devil, Sockets des Troie, Stacheldraht"
add chain=virus protocol=tcp action=drop dst-port=65390 comment="Eclypse"
add chain=virus protocol=tcp action=drop dst-port=65421 comment="Jade"
add chain=virus protocol=tcp action=drop dst-port=65432 comment="The Traitor th3tr41t0r"
add chain=virus protocol=udp action=drop dst-port=65432 comment="The Traitor th3tr41t0r"
add chain=virus protocol=tcp action=drop dst-port=65534 comment="sbin initd"
add chain=virus protocol=tcp action=drop dst-port=65535 comment="RC1 trojan"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

Note:
Advantages
1. Blocks the traffic of the worms and trojans that circulate on the LAN, especially those trying to reach the router or to eat your internet bandwidth. Keep in mind that these rules only match the default listening port of each piece of malware; anything configured to use another port, or tunnelled over 80/443, passes untouched.

Drawbacks
1. If you use a RouterBoard, do not add too many rules, because it can make the device hang. Every packet that reaches the forward chain is compared against each rule in the virus chain, so put an accept rule for connection-state=established,related in front of the jump so that only the first packet of each connection walks the whole list.
2. The same goes for a PC router with minimal specs, e.g. a Pentium 3 with a 5-7 GB hard disk. Use a high-performance PC instead.

Hopefully this is useful,

Wassalamu'alaikum...

Source: http://forum.devilzc0de.org
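The drawback above (one rule per port, hundreds of rules) can be audited and shrunk mechanically. The following script is an added example and is not code from the original post or from MikroTik: it parses rule lines in the exact format used on this page, reports duplicate (protocol, port) entries such as the two rules for 2745/tcp in the "Protect customer" list, and emits the same policy as a handful of rules, relying on the fact that RouterOS accepts a comma-separated list of ports and ranges in dst-port. The sample rules embedded in it are a constructed subset of the list above; the comment text on the merged rules is the script's own.

```python
"""Audit and consolidate a RouterOS 'virus' port-drop list.

Added example (not from the original post).  Parses `add chain=virus ...
action=drop dst-port=N comment="..."` lines, flags duplicate entries and
merges single-port rules into rules carrying comma-separated port lists,
which RouterOS accepts in dst-port.  SAMPLE_RULES is a constructed subset.
"""
import re
from collections import defaultdict

SAMPLE_RULES = """\
add chain=virus protocol=tcp action=drop dst-port=17166 comment="Mosaic"
add chain=virus protocol=tcp action=drop dst-port=17499-17500 comment="CrazzyNet"
add chain=virus protocol=udp action=drop dst-port=18753 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=2745 comment="Bagle Virus"
add chain=virus protocol=tcp action=drop dst-port=2745 comment="Drop Beagle.C-K"
add chain=virus protocol=tcp action=drop dst-port=27374 comment="SubSeven"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
"""

RULE_RE = re.compile(
    r'add chain=virus protocol=(?P<proto>tcp|udp) action=drop '
    r'dst-port=(?P<ports>[\d,-]+)(?: comment="(?P<comment>[^"]*)")?'
)


def parse_rules(text):
    """Return [(proto, port_spec, comment), ...] for every chain=virus drop rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m['proto'], m['ports'], m['comment'] or ''))
    return rules


def find_duplicates(rules):
    """{(proto, port_spec): [comments]} for entries that occur more than once."""
    seen = defaultdict(list)
    for proto, ports, comment in rules:
        seen[(proto, ports)].append(comment)
    return {key: comments for key, comments in seen.items() if len(comments) > 1}


def consolidate(rules, max_per_rule=15):
    """Merge the rules into one rule per protocol and chunk of max_per_rule ports.

    Duplicates collapse to one entry; port specs are ordered by their low end.
    max_per_rule only keeps the output readable; RouterOS allows longer lists.
    """
    per_proto = defaultdict(dict)           # proto -> {port_spec: first comment}
    for proto, ports, comment in rules:
        per_proto[proto].setdefault(ports, comment)
    merged = []
    for proto in sorted(per_proto):
        specs = sorted(per_proto[proto], key=lambda s: int(s.split('-')[0]))
        for n, i in enumerate(range(0, len(specs), max_per_rule), start=1):
            chunk = specs[i:i + max_per_rule]
            merged.append(
                f'add chain=virus protocol={proto} action=drop '
                f'dst-port={",".join(chunk)} comment="trojan/backdoor {proto} ports {n}"'
            )
    return merged


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for (proto, ports), comments in find_duplicates(rules).items():
        print(f'duplicate {proto}/{ports}: {comments}')
    print('\n'.join(consolidate(rules)))
```

Run it over the full list copied from the page to get a version with a few dozen rules instead of several hundred; the dropped behaviour is identical because every port is still matched, only fewer rules are walked per packet.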

Full Mikrotik firewall

Assalamu'alaikum..

This has already been discussed on http://www.forummikrotik.com/
So straight to it: read the firewall optimization settings for Mikrotik below carefully.

Drop port scanners


Code:
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Redirect mail traffic to a specified server

Code:
/ip firewall nat add chain=dstnat protocol=tcp dst-port=25 action=dst-nat to-addresses=10.0.0.1 to-ports=25 comment="10.0.0.1 = the IP of your mail server"
Without an in-interface or src-address match this rewrites every SMTP connection the router forwards, including clients on the LAN talking to external mail servers; add in-interface=<WAN-interface> if only inbound mail should be redirected.

Block Websites & Stop Downloading Using Proxy

Code:
/ip proxy
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0:0
cache-drive: system
cache-administrator: "webmaster"
max-disk-cache-size: none
max-ram-cache-size: none
cache-only-on-disk: no
maximal-client-connections: 1000
maximal-server-connections: 1000
max-object-size: 512KiB
max-fresh-time: 3d
(this is the /ip proxy print output of the finished setup; set the same values with /ip proxy set)
Now, make it transparent:
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
Make sure that your proxy is NOT an open proxy: drop connections to the proxy port that arrive on the WAN interface (put your actual interface name in place of <WAN-interface>):
/ip firewall filter
add chain=input in-interface=<WAN-interface> protocol=tcp dst-port=8080 action=drop
Now for blocking websites:
/ip proxy access
add dst-host=www.vansol27.com action=deny
We can also stop downloading of files like .mp3, .exe, .dat, .avi, etc.:
/ip proxy access
add path=*.exe action=deny
add path=*.mp3 action=deny
add path=*.zip action=deny
add path=*.rar action=deny
/ip proxy access
add dst-host=:mail action=deny
The last rule denies every host whose name contains "mail" (the leading colon makes dst-host a pattern match rather than an exact name). Note that only port 80 is redirected: HTTPS traffic never passes through the proxy, so none of these access rules apply to it.

How to autodetect infected or spammer users and temporarily block their outbound SMTP

Code:
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"
/system script
add name="spammers" source=":log error \"----------Users detected like \
SPAMMERS -------------\";
\n:foreach i in \[/ip firewall address-list find \
list=spammer\] do={:set usser \[/ip firewall address-list get \$i \
address\];
\n:foreach j in=\[/ip hotspot active find address=\$usser\] \
do={:set ip \[/ip hotspot active get \$j user\];
\n:log error \$ip;
\n:log \
error \$usser} };" policy=ftp,read,write,policy,test,winbox

Protect customer

Code:
/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward protocol=tcp comment="allow TCP"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

Complete firewall

Components of the filter
• protocol classifier
• invalid packet filter
• port-scan detector
• policy classifier
• application protocol filter
• TCP-specific filters
• application protocol specific filters

Code:
/ ip firewall mangle
add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services
add chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-services
add chain=prerouting connection-state=new action=jump jump-target=other-services
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-connection new-connection-mark=ftp passthrough=no
add chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-connection new-connection-mark=ssh passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-connection new-connection-mark=telnet passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp passthrough=no
add chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop3 passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-connection new-connection-mark=auth passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-connection new-connection-mark=nntp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-connection new-connection-mark=imap passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=https passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465 action=mark-connection new-connection-mark=smtps passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993 action=mark-connection new-connection-mark=imaps passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995 action=mark-connection new-connection-mark=pop3s passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723 action=mark-connection new-connection-mark=pptp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=2379 action=mark-connection new-connection-mark=kgs passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3128 action=mark-connection new-connection-mark=proxy passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3389 action=mark-connection new-connection-mark=win-ts passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243 action=mark-connection new-connection-mark=emule passthrough=no
add chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901 action=mark-connection new-connection-mark=vnc passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669 action=mark-connection new-connection-mark=irc passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889 action=mark-connection new-connection-mark=bittorrent passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080 action=mark-connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291 action=mark-connection new-connection-mark=winbox passthrough=no
add chain=tcp-services protocol=tcp action=mark-connection new-connection-mark=other-tcp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=123 action=mark-connection new-connection-mark=ntp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701 action=mark-connection new-connection-mark=l2tp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535 action=mark-connection new-connection-mark=skype passthrough=no
add chain=udp-services protocol=udp connection-state=new action=mark-connection new-connection-mark=other-udp passthrough=no
add chain=other-services protocol=icmp icmp-options=8:0-255 action=mark-connection new-connection-mark=ping passthrough=no
add chain=other-services protocol=gre action=mark-connection new-connection-mark=gre passthrough=no
add chain=other-services action=mark-connection new-connection-mark=other passthrough=no
Most generic invalid packet and port-scan detection techniques

Three things to check before pasting the block below. Every action=jump jump-target=drop rule relies on a filter chain named drop that ends in action=drop; a jump into a chain that has no rules simply returns, and the packet carries on to be accepted. The address lists are the actual policy: local-addr and nat-addr must be your LAN prefix, and because all RFC 1918 space is on illegal-addr, traffic between LAN hosts is only forwarded thanks to the in-interface=Local out-interface=Local accept rule that runs before the sanity check. Finally, the "Drop TCP RST" rule discards every reset, so refused connections time out instead of failing immediately; remove it if that causes trouble.
/ip firewall mangle
add chain=prerouting in-interface=Public dst-address-list=nat-addr action=mark-packet new-packet-mark=nat-traversal passthrough=no
/ ip firewall address-list
add list=illegal-addr address=0.0.0.0/8 comment="illegal addresses"
add list=illegal-addr address=127.0.0.0/8
add list=illegal-addr address=224.0.0.0/3
add list=illegal-addr address=10.0.0.0/8
add list=illegal-addr address=172.16.0.0/12
add list=illegal-addr address=192.168.0.0/16
add list=local-addr address=172.31.255.0/29 comment="my local network"
add list=nat-addr address=172.31.255.0/29 comment="my local network"
/ ip firewall filter
add chain=forward in-interface=Local out-interface=Local action=accept comment="Allow traffic between wired and wireless networks"
/ ip firewall filter
add chain=drop action=drop comment="Common drop chain targeted by the jump rules below; without it those jumps are no-ops"
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check"
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal"
add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block port scans"
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan"
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan"
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"
add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"
add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"
add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"
add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes to multicast or broadcast addresses"
add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!local action=jump jump-target=drop comment="Drop illegal destination addresses"
add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"
add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal source addresses"
add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from public interface but not to local address"
add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes from multicast or broadcast addresses"
/ ip firewall filter
add chain=forward protocol=tcp action=jump jump-target=restrict-tcp
add chain=forward protocol=udp action=jump jump-target=restrict-udp
add chain=forward action=jump jump-target=restrict-ip
add chain=restrict-tcp connection-mark=auth action=reject
add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy"
add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp
add chain=smtp-first-drop src-address-list=approved-smtp action=return
add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp
add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable
/ ip firewall filter
add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop
add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop
add chain=restrict-ip connection-mark=other action=jump jump-target=drop
/ ip firewall filter
add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic \(between router applications\)"
add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks"
add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router itself, including all broadcast traffic"
add chain=input connection-mark=ping limit=5,5 action=accept comment="Allow pings, but at a very limited rate \(5 per sec\)"
add chain=input in-interface=Local action=jump jump-target=local-services comment="Allowing some services to be accessible from the local network"
add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet"
add chain=input action=jump jump-target=drop
add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
add chain=dhcp src-address-list=local-addr dst-address-type=local action=accept
add chain=local-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
add chain=local-services connection-mark=dns action=accept comment="DNS"
add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy \(3128/TCP\)"
add chain=local-services connection-mark=winbox comment="Winbox \(8291/TCP\)" disabled=no
add chain=local-services action=drop comment="Drop Other Local Services"
add chain=public-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
add chain=public-services connection-mark=pptp action=accept comment="PPTP \(1723/TCP\)"
add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP"
add chain=public-services action=drop comment="Drop Other Public Services"
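The address-list rules in the sanity-check chain are the part of this firewall that is easiest to get subtly wrong, because the mangle mark is applied before dst-nat while the forward filter sees the translated destination. The script below is an added example, not code from the original post or from MikroTik: it evaluates those rules (the TCP-flag rules are left out) for a single forwarded packet and runs a constructed set of packets through them. Prefixes and interface names are the page's own (172.31.255.0/29, Local, Public); ROUTER_ADDRS is an assumed stand-in for dst-address-type=local, and the public and test addresses are made up.

```python
"""Address sanity rules from the 'Complete firewall' section, evaluated offline.

Added example, not code from the original post or from MikroTik.  Models
the address-list rules of the sanity-check chain plus the mangle rule that
marks private destinations arriving on Public as nat-traversal.  Prefixes
and interface names follow the page; ROUTER_ADDRS is an assumption that
stands in for dst-address-type=local.
"""
import ipaddress

ILLEGAL_ADDR = [ipaddress.ip_network(n) for n in (
    '0.0.0.0/8', '127.0.0.0/8', '224.0.0.0/3',
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]
LOCAL_ADDR = [ipaddress.ip_network('172.31.255.0/29')]   # "my local network"
NAT_ADDR = LOCAL_ADDR                                    # same prefix on the page
ROUTER_ADDRS = {ipaddress.ip_address('172.31.255.1'),    # assumed LAN address of the router
                ipaddress.ip_address('198.51.100.10')}   # assumed WAN address of the router


def in_list(addr, networks):
    return any(addr in net for net in networks)


def sanity_check(in_iface, src, dst, dst_after_nat=None):
    """Return (verdict, rule comment) for one packet in the forward chain.

    dst is the destination on the wire, which is what mangle prerouting sees;
    dst_after_nat is the destination after a dst-nat rule, which is what the
    forward filter sees (None means no dst-nat rule matched).
    """
    src = ipaddress.ip_address(src)
    wire_dst = ipaddress.ip_address(dst)
    fwd_dst = ipaddress.ip_address(dst_after_nat) if dst_after_nat else wire_dst

    # /ip firewall mangle: private destination arriving straight from the Internet
    if in_iface == 'Public' and in_list(wire_dst, NAT_ADDR):
        return 'drop', 'Deny illegal NAT traversal'
    if in_iface == 'Local':
        # LAN-to-LAN traffic would be dropped here too; the page accepts it
        # earlier with the in-interface=Local out-interface=Local rule.
        if in_list(fwd_dst, ILLEGAL_ADDR) and fwd_dst not in ROUTER_ADDRS:
            return 'drop', 'Drop illegal destination addresses'
        if not in_list(src, LOCAL_ADDR):
            return 'drop', 'Drop everything that goes from local interface but not from local address'
    if in_iface == 'Public':
        if in_list(src, ILLEGAL_ADDR):
            return 'drop', 'Drop illegal source addresses'
        if not in_list(fwd_dst, LOCAL_ADDR):
            return 'drop', 'Drop everything that goes from public interface but not to local address'
    return 'accept', 'passed address sanity checks'


# Constructed packets: (in-interface, src, dst on the wire, dst after dst-nat)
SAMPLE_PACKETS = [
    ('Local',  '172.31.255.2', '93.184.216.34', None),            # LAN host browsing out
    ('Local',  '192.168.1.50', '93.184.216.34', None),            # wrong or spoofed LAN source
    ('Local',  '172.31.255.2', '10.0.0.5',      None),            # RFC 1918 destination leaking out
    ('Public', '203.0.113.50', '172.31.255.2',  None),            # Internet host addressing the LAN directly
    ('Public', '203.0.113.50', '198.51.100.10', '172.31.255.2'),  # legitimate port-forward via dst-nat
    ('Public', '10.9.9.9',     '198.51.100.10', '172.31.255.2'),  # spoofed private source
    ('Public', '203.0.113.50', '198.51.100.10', None),            # no dst-nat rule matched
]


def evaluate_all(packets=SAMPLE_PACKETS):
    """Verdict for each packet, in order."""
    return [sanity_check(*pkt)[0] for pkt in packets]


if __name__ == '__main__':
    for pkt in SAMPLE_PACKETS:
        print(pkt, '->', sanity_check(*pkt))
```

Only the port-forwarded packet from the Internet and the ordinary outbound LAN packet survive; everything arriving on Public that is not translated to a local address is discarded, which is what makes the "Drop everything that goes from public interface but not to local address" rule safe to keep at the end of the chain.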

Proxying everything

Code:
/ ip firewall nat
add chain=dstnat in-interface=Local connection-mark=dns action=redirect comment="proxy for DNS requests"
add chain=dstnat in-interface=Local connection-mark=http protocol=tcp action=redirect to-ports=3128 comment="proxy for HTTP requests"
add chain=dstnat in-interface=Local connection-mark=ntp action=redirect comment="proxy for NTP requests"

Enable Proxy servers

Code:
/ system ntp server
set enabled=yes broadcast=no multicast=no manycast=no
/ system ntp client
set enabled=yes mode=unicast primary-ntp=xxx.xxx.xxx.xxx secondary-ntp=0.0.0.0
/ ip proxy
set enabled=yes port=3128 parent-proxy=0.0.0.0:1 maximal-client-connections=1000 maximal-server-connections=1000
/ ip dns
set primary-dns=yyy.yyy.yyy.yyy secondary-dns=0.0.0.0 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

Bruteforce login prevention (FTP & SSH)

Code:
/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
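The staged ssh_stage1/2/3 rules count new connections, not failed logins, and the order of the rules matters because add-src-to-address-list does not stop processing. The simulation below is an added example, not code from the original post or from MikroTik: it models RouterOS address lists with timeouts and runs the five rules in page order over constructed connection logs, showing that the fourth new connection within a minute lands on ssh_blacklist and the fifth is dropped, that one attempt every 70 seconds never escalates, and that an administrator opening five sessions in a row is locked out for ten days exactly like an attacker. The one assumption beyond the page is that re-adding an address already on a list refreshes its timeout.

```python
"""Staged SSH brute-force blocking, simulated.

Added example, not code from the original post or from MikroTik.  The five
ssh_* input rules are replayed as a small state machine over RouterOS-style
address lists with timeouts.  Assumption: re-adding an address that is
already on a list refreshes its timeout.  Connection logs are constructed.
"""
STAGE_TIMEOUT = 60               # address-list-timeout=1m
BLACKLIST_TIMEOUT = 10 * 86400   # address-list-timeout=10d


class AddressLists:
    """name -> {address: expiry time in seconds}; expired entries do not match."""

    def __init__(self):
        self.lists = {}

    def has(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now

    def add(self, name, addr, now, timeout):
        # assumption: an existing entry simply gets a fresh timeout
        self.lists.setdefault(name, {})[addr] = now + timeout


def new_ssh_connection(lists, src, now):
    """Run one new tcp/22 connection from src through the rules in page order.

    add-src-to-address-list is non-terminating, so every later rule is still
    evaluated; each stage is tested before the rule that would add the
    address to that stage, which is what makes the escalation one step per
    connection.
    """
    if lists.has('ssh_blacklist', src, now):
        return 'drop'                                               # rule 1
    if lists.has('ssh_stage3', src, now):
        lists.add('ssh_blacklist', src, now, BLACKLIST_TIMEOUT)     # rule 2
    if lists.has('ssh_stage2', src, now):
        lists.add('ssh_stage3', src, now, STAGE_TIMEOUT)            # rule 3
    if lists.has('ssh_stage1', src, now):
        lists.add('ssh_stage2', src, now, STAGE_TIMEOUT)            # rule 4
    lists.add('ssh_stage1', src, now, STAGE_TIMEOUT)                # rule 5
    return 'accept'   # nothing terminated the chain; the default is accept


def simulate(connections):
    """connections: iterable of (time in seconds, source address), in time order."""
    lists = AddressLists()
    return [new_ssh_connection(lists, src, t) for t, src in connections]


# Constructed connection logs
FAST_ATTACKER = [(t, '203.0.113.9') for t in (0, 10, 20, 30, 40, 50)]
SLOW_ATTACKER = [(t, '203.0.113.10') for t in range(0, 6 * 70, 70)]   # one try every 70 s
ADMIN_BURST = [(t, '198.51.100.5') for t in (0, 5, 12, 20, 25)]       # admin opens 5 sessions

if __name__ == '__main__':
    for name, log in (('fast', FAST_ATTACKER), ('slow', SLOW_ATTACKER), ('admin', ADMIN_BURST)):
        print(name, simulate(log))
```

Because the trigger is the number of new connections, not authentication failures, put a rule that accepts (or skips the counting for) your management addresses in front of these, or a shell loop that opens a few SSH sessions in quick succession will blacklist you for ten days. A slow attacker who paces attempts more than a minute apart is never caught by this scheme; it limits the rate, it does not stop the attack.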

Wassalamu'alaikum...

Block Port Scanner di Mikrotik

Assalamu'alaikum...
In the filter section:

Code:
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
This rule registers the offending IP in the "port scanners" address list, which serves as the black-list; psd=21,3s,3,1 means a weight threshold of 21, a delay threshold of 3 seconds, weight 3 for privileged ports (up to 1024) and weight 1 for the rest.
The following rules detect the signatures of port-scanner activity. Each rule is a single line; if it is pasted as two separate lines, the first half is created with the default action (accept) and detects nothing:

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

If any of these signatures is seen, the scanning IP is dropped with this rule. It belongs after the detection rules: add-src-to-address-list does not stop rule processing, so the very packet that got the address listed is already caught here, and the address stays blocked for the 2-week timeout:

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

These rules live in the input chain, so they only protect the router itself; to protect the hosts behind it, add the same rules to the forward chain.

Source: http://wiki.mikrotik.com/wiki/Drop_port_scanners
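The port-scanner rules appear three times on this page (the "Drop port scanners" list in the full firewall, the sanity-check chain of the complete firewall, and the post just above), and all of them rest on two matchers whose semantics are easy to misread: tcp-flags, where a bare flag must be set, a "!"-flag must be clear and unlisted flags are ignored, and psd, whose four numbers are a weight threshold, a delay threshold and the weights of privileged and unprivileged destination ports. The script below is an added example, not code from the original posts or from MikroTik: it re-implements both matchers (psd as an approximation of the documented behaviour, not MikroTik's code) and runs the six signatures and psd=21,3s,3,1 over a constructed packet log, so you can see which sources would end up on the address list before enabling the rules.

```python
"""Port-scan detection logic behind the RouterOS rules on this page.

Added example, not code from the original posts or from MikroTik.  It
re-implements the tcp-flags matcher with the six scan signatures, and
psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight as an
approximation of the documented behaviour: packets from one source to
*different* destination ports, each within the delay of the previous one,
accumulate weight (3 for ports <= 1024, 1 above); reaching the threshold
lists the source.  PACKET_LOG is constructed.
"""
from collections import defaultdict

TCP_FLAGS = ('fin', 'syn', 'rst', 'psh', 'ack', 'urg')

# (comment, tcp-flags value) exactly as in the rules on the page, in page order
SCAN_SIGNATURES = [
    ('NMAP FIN Stealth scan', 'fin,!syn,!rst,!psh,!ack,!urg'),
    ('SYN/FIN scan',          'fin,syn'),
    ('SYN/RST scan',          'syn,rst'),
    ('FIN/PSH/URG scan',      'fin,psh,urg,!syn,!rst,!ack'),   # the Xmas scan
    ('ALL/ALL scan',          'fin,syn,rst,psh,ack,urg'),
    ('NMAP NULL scan',        '!fin,!syn,!rst,!psh,!ack,!urg'),
]


def tcp_flags_match(flags, spec):
    """RouterOS tcp-flags semantics for a packet whose set flags are `flags`."""
    for item in spec.split(','):
        want_clear = item.startswith('!')
        name = item.lstrip('!')
        if name not in TCP_FLAGS:
            raise ValueError(f'unknown TCP flag {name!r}')
        if want_clear == (name in flags):   # set where it must be clear, or vice versa
            return False
    return True


def scan_signatures(flags):
    """Every signature a packet triggers; add-src-to-address-list does not
    terminate rule processing, so one packet can hit several rules."""
    return [name for name, spec in SCAN_SIGNATURES if tcp_flags_match(flags, spec)]


class PortScanDetector:
    """Approximation of psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight."""

    def __init__(self, weight_threshold=21, delay_threshold=3.0,
                 low_port_weight=3, high_port_weight=1):
        self.weight_threshold = weight_threshold
        self.delay_threshold = delay_threshold
        self.low_port_weight = low_port_weight
        self.high_port_weight = high_port_weight
        self._state = {}        # src -> (time of last packet, ports seen, weight)

    def observe(self, src, dst_port, now):
        """Feed one TCP packet; True while src is at or above the threshold."""
        last, ports, weight = self._state.get(src, (None, set(), 0))
        if last is not None and now - last > self.delay_threshold:
            ports, weight = set(), 0          # gap too long: the sequence starts over
        if dst_port not in ports:             # only *different* ports add weight
            ports.add(dst_port)
            weight += self.low_port_weight if dst_port <= 1024 else self.high_port_weight
        self._state[src] = (now, ports, weight)
        return weight >= self.weight_threshold


# Constructed packet log: (time in seconds, source, dst port, set of TCP flags)
PACKET_LOG = (
    [(i * 0.4, '203.0.113.7', p, {'syn'}) for i, p in enumerate((21, 22, 23, 25, 53, 80, 110, 143))]  # fast SYN scan
    + [(i * 5.0, '198.51.100.2', p, {'syn'}) for i, p in enumerate((21, 22, 23, 25, 53, 80, 110))]   # slow scan, 5 s apart
    + [(0.1 * i, '198.51.100.3', 80, {'syn', 'ack'} if i else {'syn'}) for i in range(20)]           # ordinary web client
    + [(1.0, '203.0.113.8', 443, set()), (1.1, '203.0.113.8', 443, {'fin', 'psh', 'urg'})]          # Null and Xmas probes
)


def scanners(packet_log=PACKET_LOG):
    """{source: sorted reasons} for every source the rules would put on the list."""
    detector = PortScanDetector()
    listed = defaultdict(set)
    for t, src, port, flags in sorted(packet_log, key=lambda p: p[0]):
        for name in scan_signatures(flags):
            listed[src].add(name)
        if detector.observe(src, port, t):
            listed[src].add('psd')
    return {src: sorted(reasons) for src, reasons in listed.items()}


if __name__ == '__main__':
    for src, reasons in scanners().items():
        print(src, reasons)
```

Two things the run makes visible: the slow scanner at 5-second spacing is never caught by psd=21,3s,3,1 because every gap exceeds the 3-second delay threshold, and a client that opens many connections to the same port accumulates no weight at all, which is why the rule is safe for busy legitimate hosts. The signature list also shows why the comments on the two flag rules in the complete-firewall section must not be swapped: fin,psh,urg with syn/rst/ack clear is the Xmas scan, and all six flags clear is the Null scan.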