/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="" \
disabled=no
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 \
comment="" disabled=no
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1 \
comment="" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535 comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 distance=2
Kamis, 15 Mei 2008
Load Balancing Mikrotik
Script Failover via netwatch
add host=125.163.xx.xx timeout=100ms interval=15s up-script="/ip route enable \[/ip route find comment=\"GATEWAY-DSL\"\]" down-script="/ip route disable \[/ip route find comment=\"GATEWAY-DSL\"\]" comment="Ping Gateway IIX >> Kalau koneksi wireless putus script jalan >> " disabled=no
eXtra firewall
add chain=virus protocol=udp action=drop dst-port=1 comment="Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=2 comment="Death"
add chain=virus protocol=tcp action=drop dst-port=20 comment="Senna Spy FTP server"
add chain=virus protocol=tcp action=drop dst-port=21 comment="Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash"
add chain=virus protocol=tcp action=drop dst-port=22 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=23 comment="Fire HacKer, Tiny Telnet Server TTS, Truva Atl"
add chain=virus protocol=tcp action=drop dst-port=25 comment="Ajan, Antigen, Barok, Email Password Sender EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT Mail Bombing Trojan, Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy"
add chain=virus protocol=tcp action=drop dst-port=30 comment="Agent 40421"
add chain=virus protocol=tcp action=drop dst-port=31 comment="Agent 31, Hackers Paradise, Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=41 comment="Deep Throat, Foreplay"
add chain=virus protocol=tcp action=drop dst-port=48 comment="DRAT"
add chain=virus protocol=tcp action=drop dst-port=50 comment="DRAT"
add chain=virus protocol=tcp action=drop dst-port=58 comment="DMSetup"
add chain=virus protocol=tcp action=drop dst-port=59 comment="DMSetup"
add chain=virus protocol=tcp action=drop dst-port=79 comment="CDK, Firehotcker"
add chain=virus protocol=tcp action=drop dst-port=80 comment="711 trojan, Seven Eleven, AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader"
add chain=virus protocol=tcp action=drop dst-port=81 comment="RemoConChubo"
add chain=virus protocol=tcp action=drop dst-port=99 comment="Hidden Port, NCX"
add chain=virus protocol=tcp action=drop dst-port=110 comment="ProMail trojan"
add chain=virus protocol=tcp action=drop dst-port=113 comment="Invisible Identd Deamon, Kazimas"
add chain=virus protocol=tcp action=drop dst-port=119 comment="Happy99"
add chain=virus protocol=tcp action=drop dst-port=121 comment="Attack Bot, God Message, JammerKillah"
add chain=virus protocol=tcp action=drop dst-port=123 comment="Net Controller"
add chain=virus protocol=tcp action=drop dst-port=133 comment="Farnaz"
add chain=virus protocol=tcp action=drop dst-port=135-139 comment="Blaster worm"
add chain=virus protocol=udp action=drop dst-port=135-139 comment="messenger worm
add chain=virus protocol=tcp action=drop dst-port=142 comment="NetTaxi"
add chain=virus protocol=tcp action=drop dst-port=146 comment="Infector"
add chain=virus protocol=udp action=drop dst-port=146 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=170 comment="A-trojan"
add chain=virus protocol=tcp action=drop dst-port=334 comment="Backage"
add chain=virus protocol=tcp action=drop dst-port=411 comment="Backage"
add chain=virus protocol=tcp action=drop dst-port=420 comment="Breach, Incognito"
add chain=virus protocol=tcp action=drop dst-port=421 comment="TCP Wrappers trojan"
add chain=virus protocol=tcp action=drop dst-port=445 comment="Blaster worm
add chain=virus protocol=udp action=drop dst-port=445 comment="Blaster worm
add chain=virus protocol=tcp action=drop dst-port=455 comment="Fatal Connections"
add chain=virus protocol=tcp action=drop dst-port=456 comment="Hackers Paradise"
add chain=virus protocol=tcp action=drop dst-port=513 comment="Grlogin"
add chain=virus protocol=tcp action=drop dst-port=514 comment="RPC Backdoor"
add chain=virus protocol=tcp action=drop dst-port=531 comment="Net666, Rasmin"
add chain=virus protocol=tcp action=drop dst-port=555 comment="711 trojan, Seven Eleven, Ini-Killer, Net Administrator, Phase Zero, Phase-0, Stealth Spy"
add chain=virus protocol=tcp action=drop dst-port=605 comment="Secret Service"
add chain=virus protocol=tcp action=drop dst-port=666 comment="Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door SBD, ServU, Shadow Phyre, th3r1pp3rz Therippers"
add chain=virus protocol=tcp action=drop dst-port=667 comment="SniperNet"
add chain=virus protocol=tcp action=drop dst-port=669 comment="DP trojan"
add chain=virus protocol=tcp action=drop dst-port=692 comment="GayOL"
add chain=virus protocol=tcp action=drop dst-port=777 comment="AimSpy, Undetected"
add chain=virus protocol=tcp action=drop dst-port=808 comment="WinHole"
add chain=virus protocol=tcp action=drop dst-port=911 comment="Dark Shadow"
add chain=virus protocol=tcp action=drop dst-port=999 comment="Deep Throat, Foreplay, WinSatan"
add chain=virus protocol=tcp action=drop dst-port=1000 comment="Der Spaeher, Direct Connection"
add chain=virus protocol=tcp action=drop dst-port=1001 comment="Der Spaeher, Le Guardien, Silencer, WebEx"
add chain=virus protocol=tcp action=drop dst-port=1010-1016 comment="Doly Trojan"
add chain=virus protocol=tcp action=drop dst-port=1020 comment="Vampire"
add chain=virus protocol=tcp action=drop dst-port=1024 comment="Jade, Latinus, NetSpy"
add chain=virus protocol=tcp action=drop dst-port=1025 comment="Remote Storm"
add chain=virus protocol=udp action=drop dst-port=1025 comment="Remote Storm"
add chain=virus protocol=tcp action=drop dst-port=1035 comment="Multidropper"
add chain=virus protocol=tcp action=drop dst-port=1042 comment="BLA trojan"
add chain=virus protocol=tcp action=drop dst-port=1045 comment="Rasmin"
add chain=virus protocol=tcp action=drop dst-port=1049 comment="sbin initd"
add chain=virus protocol=tcp action=drop dst-port=1050 comment="MiniCommand"
add chain=virus protocol=tcp action=drop dst-port=1053 comment="The Thief"
add chain=virus protocol=tcp action=drop dst-port=1054 comment="AckCmd"
add chain=virus protocol=tcp action=drop dst-port=1080-1083 comment="WinHole"
add chain=virus protocol=tcp action=drop dst-port=1090 comment="Xtreme"
add chain=virus protocol=tcp action=drop dst-port=1095-1098 comment="Remote Administration Tool RAT"
add chain=virus protocol=tcp action=drop dst-port=1099 comment="Blood Fest Evolution, Remote Administration Tool RAT"
add chain=virus protocol=tcp action=drop dst-port=1150-1151 comment="Orion"
add chain=virus protocol=tcp action=drop dst-port=1170 comment="Psyber Stream Server PSS, Streaming Audio Server, Voice"
add chain=virus protocol=udp action=drop dst-port=1200-1201 comment="NoBackO"
add chain=virus protocol=tcp action=drop dst-port=1207 comment="SoftWAR"
add chain=virus protocol=tcp action=drop dst-port=1208 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=1212 comment="Kaos"
add chain=virus protocol=tcp action=drop dst-port=1234 comment="SubSeven Java client, Ultors Trojan"
add chain=virus protocol=tcp action=drop dst-port=1243 comment="BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles"
add chain=virus protocol=tcp action=drop dst-port=1245 comment="VooDoo Doll"
add chain=virus protocol=tcp action=drop dst-port=1255 comment="Scarab"
add chain=virus protocol=tcp action=drop dst-port=1256 comment="Project nEXT"
add chain=virus protocol=tcp action=drop dst-port=1269 comment="Matrix"
add chain=virus protocol=tcp action=drop dst-port=1272 comment="The Matrix"
add chain=virus protocol=tcp action=drop dst-port=1313 comment="NETrojan"
add chain=virus protocol=tcp action=drop dst-port=1338 comment="Millenium Worm"
add chain=virus protocol=tcp action=drop dst-port=1349 comment="Bo dll"
add chain=virus protocol=tcp action=drop dst-port=1394 comment="GoFriller, Backdoor G-1"
add chain=virus protocol=tcp action=drop dst-port=1441 comment="Remote Storm"
add chain=virus protocol=tcp action=drop dst-port=1492 comment="FTP99CMP"
add chain=virus protocol=tcp action=drop dst-port=1524 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=1568 comment="Remote Hack"
add chain=virus protocol=tcp action=drop dst-port=1600 comment="Direct Connection, Shivka-Burka"
add chain=virus protocol=tcp action=drop dst-port=1703 comment="Exploiter"
add chain=virus protocol=tcp action=drop dst-port=1777 comment="Scarab"
add chain=virus protocol=tcp action=drop dst-port=1807 comment="SpySender"
add chain=virus protocol=tcp action=drop dst-port=1966 comment="Fake FTP"
add chain=virus protocol=tcp action=drop dst-port=1967 comment="WM FTP Server"
add chain=virus protocol=tcp action=drop dst-port=1969 comment="OpC BO"
add chain=virus protocol=tcp action=drop dst-port=1981 comment="Bowl, Shockrave"
add chain=virus protocol=tcp action=drop dst-port=1999 comment="Back Door, SubSeven, TransScout"
add chain=virus protocol=tcp action=drop dst-port=2000 comment="Der Spaeher, Insane Network, Last 2000, Remote Explorer 2000, Senna Spy Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=2001 comment="Der Spaeher, Trojan Cow"
add chain=virus protocol=tcp action=drop dst-port=2023 comment="Ripper Pro"
add chain=virus protocol=tcp action=drop dst-port=2080 comment="WinHole"
add chain=virus protocol=tcp action=drop dst-port=2115 comment="Bugs"
add chain=virus protocol=udp action=drop dst-port=2130 comment="Mini Backlash"
add chain=virus protocol=tcp action=drop dst-port=2140 comment="The Invasor"
add chain=virus protocol=udp action=drop dst-port=2140 comment="Deep Throat, Foreplay"
add chain=virus protocol=tcp action=drop dst-port=2155 comment="Illusion Mailer"
add chain=virus protocol=tcp action=drop dst-port=2255 comment="Nirvana"
add chain=virus protocol=tcp action=drop dst-port=2283 comment="Hvl RAT"
add chain=virus protocol=tcp action=drop dst-port=2300 comment="Xplorer"
add chain=virus protocol=tcp action=drop dst-port=2311 comment="Studio 54"
add chain=virus protocol=tcp action=drop dst-port=2330-2339 comment="Contact"
add chain=virus protocol=udp action=drop dst-port=2339 comment="Voice Spy"
add chain=virus protocol=tcp action=drop dst-port=2345 comment="Doly Trojan"
add chain=virus protocol=tcp action=drop dst-port=2565 comment="Striker trojan"
add chain=virus protocol=tcp action=drop dst-port=2583 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=2600 comment="Digital RootBeer"
add chain=virus protocol=tcp action=drop dst-port=2716 comment="The Prayer"
add chain=virus protocol=tcp action=drop dst-port=2773-2774 comment="SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=2801 comment="Phineas Phucker"
add chain=virus protocol=udp action=drop dst-port=2989 comment="Remote Administration Tool RAT"
add chain=virus protocol=tcp action=drop dst-port=3000 comment="Remote Shut"
add chain=virus protocol=tcp action=drop dst-port=3024 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=3031 comment="Microspy"
add chain=virus protocol=tcp action=drop dst-port=3128 comment="Reverse WWW Tunnel Backdoor, RingZero"
add chain=virus protocol=tcp action=drop dst-port=3129 comment="Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=3150 comment="The Invasor"
add chain=virus protocol=udp action=drop dst-port=3150 comment="Deep Throat, Foreplay, Mini Backlash"
add chain=virus protocol=tcp action=drop dst-port=3456 comment="Terror trojan"
add chain=virus protocol=tcp action=drop dst-port=3459 comment="Eclipse 2000, Sanctuary"
add chain=virus protocol=tcp action=drop dst-port=3700 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=3777 comment="PsychWard"
add chain=virus protocol=tcp action=drop dst-port=3791-3801 comment="Total Solar Eclypse"
add chain=virus protocol=tcp action=drop dst-port=4000 comment="SkyDance"
add chain=virus protocol=tcp action=drop dst-port=4092 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=4242 comment="Virtual Hacking Machine VHM"
add chain=virus protocol=tcp action=drop dst-port=4321 comment="BoBo"
add chain=virus protocol=tcp action=drop dst-port=4444 comment="Prosiak, Swift Remote"
add chain=virus protocol=tcp action=drop dst-port=4567 comment="File Nail"
add chain=virus protocol=tcp action=drop dst-port=4590 comment="ICQ Trojan"
add chain=virus protocol=tcp action=drop dst-port=4950 comment="ICQ Trogen Lm"
add chain=virus protocol=tcp action=drop dst-port=5000 comment="Back Door Setup, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=5001 comment="Back Door Setup, Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=5002 comment="cd00r, Shaft"
add chain=virus protocol=tcp action=drop dst-port=5010 comment="Solo"
add chain=virus protocol=tcp action=drop dst-port=5011 comment="One of the Last Trojans OOTLT, One of the Last Trojans OOTLT, modified"
add chain=virus protocol=tcp action=drop dst-port=5025 comment="WM Remote KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=5031-5032 comment="Net Metropolitan"
add chain=virus protocol=tcp action=drop dst-port=5321 comment="Firehotcker"
add chain=virus protocol=tcp action=drop dst-port=5333 comment="Backage, NetDemon"
add chain=virus protocol=tcp action=drop dst-port=5343 comment="wCrat WC Remote Administration Tool"
add chain=virus protocol=tcp action=drop dst-port=5400-5402 comment="Back Construction, Blade Runner"
add chain=virus protocol=tcp action=drop dst-port=5512 comment="Illusion Mailer"
add chain=virus protocol=tcp action=drop dst-port=5534 comment="The Flu"
add chain=virus protocol=tcp action=drop dst-port=5550 comment="Xtcp"
add chain=virus protocol=tcp action=drop dst-port=5555 comment="ServeMe"
add chain=virus protocol=tcp action=drop dst-port=5556-5557 comment="BO Facil"
add chain=virus protocol=tcp action=drop dst-port=5569 comment="Robo-Hack"
add chain=virus protocol=tcp action=drop dst-port=5637-5638 comment="PC Crasher"
add chain=virus protocol=tcp action=drop dst-port=5742 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=5760 comment="Portmap Remote Root Linux Exploit"
add chain=virus protocol=tcp action=drop dst-port=5880-5889 comment="Y3K RAT"
add chain=virus protocol=tcp action=drop dst-port=6000 comment="The Thing"
add chain=virus protocol=tcp action=drop dst-port=6006 comment="Bad Blood"
add chain=virus protocol=tcp action=drop dst-port=6272 comment="Secret Service"
add chain=virus protocol=tcp action=drop dst-port=6400 comment="The Thing"
add chain=virus protocol=tcp action=drop dst-port=6661 comment="TEMan, Weia-Meia"
add chain=virus protocol=tcp action=drop dst-port=6666 comment="Dark Connection Inside, NetBus worm"
add chain=virus protocol=tcp action=drop dst-port=6667 comment="Dark FTP, ScheduleAgent, SubSeven, Subseven 2.1.4 DefCon 8, Trinity, WinSatan"
add chain=virus protocol=tcp action=drop dst-port=6669 comment="Host Control, Vampire"
add chain=virus protocol=tcp action=drop dst-port=6670 comment="BackWeb Server, Deep Throat, Foreplay, WinNuke eXtreame"
add chain=virus protocol=tcp action=drop dst-port=6711 comment="BackDoor-G, SubSeven, VP Killer"
add chain=virus protocol=tcp action=drop dst-port=6712 comment="Funny trojan, SubSeven"
add chain=virus protocol=tcp action=drop dst-port=6713 comment="SubSeven"
add chain=virus protocol=tcp action=drop dst-port=6723 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=6771 comment="Deep Throat, Foreplay"
add chain=virus protocol=tcp action=drop dst-port=6776 comment="2000 Cracks, BackDoor-G, SubSeven, VP Killer"
add chain=virus protocol=udp action=drop dst-port=6838 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=6883 comment="Delta Source DarkStar"
add chain=virus protocol=tcp action=drop dst-port=6912 comment="Shit Heep"
add chain=virus protocol=tcp action=drop dst-port=6939 comment="Indoctrination"
add chain=virus protocol=tcp action=drop dst-port=6969-6970 comment="GateCrasher, IRC 3, Net Controller, Priority"
add chain=virus protocol=tcp action=drop dst-port=7000 comment="Exploit Translation Server, Kazimas, Remote Grab, SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=7001 comment="Freak88, Freak2k"
add chain=virus protocol=tcp action=drop dst-port=7215 comment="SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=7300-7308 comment="NetMonitor"
add chain=virus protocol=tcp action=drop dst-port=7424 comment="Host Control"
add chain=virus protocol=udp action=drop dst-port=7424 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=7597 comment="Qaz"
add chain=virus protocol=tcp action=drop dst-port=7626 comment="Glacier"
add chain=virus protocol=tcp action=drop dst-port=7777 comment="God Message, Tini"
add chain=virus protocol=tcp action=drop dst-port=7789 comment="Back Door Setup, ICKiller"
add chain=virus protocol=tcp action=drop dst-port=7891 comment="The ReVeNgEr"
add chain=virus protocol=tcp action=drop dst-port=7983 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=8787 comment="Back Orifice 2000"
add chain=virus protocol=tcp action=drop dst-port=8988 comment="BacHack"
add chain=virus protocol=tcp action=drop dst-port=8989 comment="Rcon, Recon, Xcon"
add chain=virus protocol=tcp action=drop dst-port=9000 comment="Netministrator"
add chain=virus protocol=udp action=drop dst-port=9325 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=9400 comment="InCommand"
add chain=virus protocol=tcp action=drop dst-port=9872-9875 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=9876 comment="Cyber Attacker, Rux"
add chain=virus protocol=tcp action=drop dst-port=9878 comment="TransScout"
add chain=virus protocol=tcp action=drop dst-port=9989 comment="Ini-Killer"
add chain=virus protocol=tcp action=drop dst-port=9999 comment="The Prayer"
add chain=virus protocol=tcp action=drop dst-port=10000-10005 comment="OpwinTRojan"
add chain=virus protocol=udp action=drop dst-port=10067 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=10085-10086 comment="Syphillis"
add chain=virus protocol=tcp action=drop dst-port=10100 comment="Control Total, Gift trojan"
add chain=virus protocol=tcp action=drop dst-port=10101 comment="BrainSpy, Silencer"
add chain=virus protocol=udp action=drop dst-port=10167 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=10520 comment="Acid Shivers"
add chain=virus protocol=tcp action=drop dst-port=10528 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=10607 comment="Coma"
add chain=virus protocol=udp action=drop dst-port=10666 comment="Ambush"
add chain=virus protocol=tcp action=drop dst-port=11000 comment="Senna Spy Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=11050-11051 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=11223 comment="Progenic trojan, Secret Agent"
add chain=virus protocol=tcp action=drop dst-port=12076 comment="Gjamer"
add chain=virus protocol=tcp action=drop dst-port=12223 comment="Hack´99 KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=12345 comment="Ashley, cron crontab, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill"
add chain=virus protocol=tcp action=drop dst-port=12346 comment="Fat Bitch trojan, GabanBus, NetBus, X-bill"
add chain=virus protocol=tcp action=drop dst-port=12349 comment="BioNet"
add chain=virus protocol=tcp action=drop dst-port=12361-12363 comment="Whack-a-mole"
add chain=virus protocol=udp action=drop dst-port=12623 comment="DUN Control"
add chain=virus protocol=tcp action=drop dst-port=12624 comment="ButtMan"
add chain=virus protocol=tcp action=drop dst-port=12631 comment="Whack Job"
add chain=virus protocol=tcp action=drop dst-port=12754 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=13000 comment="Senna Spy Trojan Generator, Senna Spy Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=13010 comment="Hacker Brasil HBR"
add chain=virus protocol=tcp action=drop dst-port=13013-13014 comment="PsychWard"
add chain=virus protocol=tcp action=drop dst-port=13223 comment="Hack´99 KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=13473 comment="Chupacabra"
add chain=virus protocol=tcp action=drop dst-port=14500-14503 comment="PC Invader"
add chain=virus protocol=tcp action=drop dst-port=15000 comment="NetDemon"
add chain=virus protocol=tcp action=drop dst-port=15092 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=15104 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=15382 comment="SubZero"
add chain=virus protocol=tcp action=drop dst-port=15858 comment="CDK"
add chain=virus protocol=tcp action=drop dst-port=16484 comment="Mosucker"
add chain=virus protocol=tcp action=drop dst-port=16660 comment="Stacheldraht"
add chain=virus protocol=tcp action=drop dst-port=16772 comment="ICQ Revenge"
add chain=virus protocol=tcp action=drop dst-port=16959 comment="SubSeven, Subseven 2.1.4 DefCon 8"
add chain=virus protocol=tcp action=drop dst-port=16969 comment="Priority"
add chain=virus protocol=tcp action=drop dst-port=17166 comment="Mosaic"
add chain=virus protocol=tcp action=drop dst-port=17300 comment="Kuang2 the virus"
add chain=virus protocol=tcp action=drop dst-port=17449 comment="Kid Terror"
add chain=virus protocol=tcp action=drop dst-port=17499-17500 comment="CrazzyNet"
add chain=virus protocol=tcp action=drop dst-port=17569 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=17593 comment="Audiodoor"
add chain=virus protocol=tcp action=drop dst-port=17777 comment="Nephron"
add chain=virus protocol=udp action=drop dst-port=18753 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=19864 comment="ICQ Revenge"
add chain=virus protocol=tcp action=drop dst-port=20000 comment="Millenium"
add chain=virus protocol=tcp action=drop dst-port=20001 comment="Millenium, Millenium Lm"
add chain=virus protocol=tcp action=drop dst-port=20002 comment="AcidkoR"
add chain=virus protocol=tcp action=drop dst-port=20005 comment="Mosucker"
add chain=virus protocol=tcp action=drop dst-port=20023 comment="VP Killer"
add chain=virus protocol=tcp action=drop dst-port=20034 comment="NetBus 2.0 Pro, NetBus 2.0 Pro Hidden, NetRex, Whack Job"
add chain=virus protocol=tcp action=drop dst-port=20203 comment="Chupacabra"
add chain=virus protocol=tcp action=drop dst-port=20331 comment="BLA trojan"
add chain=virus protocol=tcp action=drop dst-port=20432 comment="Shaft"
add chain=virus protocol=udp action=drop dst-port=20433 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=21544 comment="GirlFriend, Kid Terror"
add chain=virus protocol=tcp action=drop dst-port=21554 comment="Exploiter, Kid Terror, Schwindler, Winsp00fer"
add chain=virus protocol=tcp action=drop dst-port=22222 comment="Donald Dick, Prosiak, Ruler, RUX The TIc.K"
add chain=virus protocol=tcp action=drop dst-port=23005-23006 comment="NetTrash"
add chain=virus protocol=tcp action=drop dst-port=23023 comment="Logged"
add chain=virus protocol=tcp action=drop dst-port=23032 comment="Amanda"
add chain=virus protocol=tcp action=drop dst-port=23432 comment="Asylum"
add chain=virus protocol=tcp action=drop dst-port=23456 comment="Evil FTP, Ugly FTP, Whack Job"
add chain=virus protocol=tcp action=drop dst-port=23476 comment="Donald Dick"
add chain=virus protocol=udp action=drop dst-port=23476 comment="Donald Dick"
add chain=virus protocol=tcp action=drop dst-port=23477 comment="Donald Dick"
add chain=virus protocol=tcp action=drop dst-port=23777 comment="InetSpy"
add chain=virus protocol=tcp action=drop dst-port=24000 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=25685-25982 comment="Moonpie"
add chain=virus protocol=udp action=drop dst-port=26274 comment="Delta Source"
add chain=virus protocol=tcp action=drop dst-port=26681 comment="Voice Spy"
add chain=virus protocol=tcp action=drop dst-port=27374 comment="Bad Blood, Ramen, Seeker, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8, SubSeven Muie, Ttfloader"
add chain=virus protocol=udp action=drop dst-port=27444 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=27573 comment="SubSeven"
add chain=virus protocol=tcp action=drop dst-port=27665 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=28678 comment="Exploit"er
add chain=virus protocol=tcp action=drop dst-port=29104 comment="NetTrojan"
add chain=virus protocol=tcp action=drop dst-port=29369 comment="ovasOn"
add chain=virus protocol=tcp action=drop dst-port=29891 comment="The Unexplained"
add chain=virus protocol=tcp action=drop dst-port=30000 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=30001 comment="ErrOr32"
add chain=virus protocol=tcp action=drop dst-port=30003 comment="Lamers Death"
add chain=virus protocol=tcp action=drop dst-port=30029 comment="AOL trojan"
add chain=virus protocol=tcp action=drop dst-port=30100-30133 comment="NetSphere"
add chain=virus protocol=udp action=drop dst-port=30103 comment="NetSphere"
add chain=virus protocol=tcp action=drop dst-port=30303 comment="Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=30947 comment="Intruse"
add chain=virus protocol=tcp action=drop dst-port=30999 comment="Kuang2"
add chain=virus protocol=tcp action=drop dst-port=31335 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=31336 comment="Bo Whack, Butt Funnel"
add chain=virus protocol=tcp action=drop dst-port=31337 comment="Back Fire, Back Orifice 1.20 patches, Back Orifice Lm, Back Orifice russian, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron crontab, Freak88, Freak2k, icmp_pipe.c, Sockdmini"
add chain=virus protocol=udp action=drop dst-port=31337 comment="Back Orifice, Deep BO"
add chain=virus protocol=tcp action=drop dst-port=31338 comment="Back Orifice, Butt Funnel, NetSpy DK"
add chain=virus protocol=udp action=drop dst-port=31338 comment="Deep BO"
add chain=virus protocol=tcp action=drop dst-port=31339 comment="NetSpy DK"
add chain=virus protocol=tcp action=drop dst-port=31666 comment="BOWhack"
add chain=virus protocol=tcp action=drop dst-port=31785-31792 comment="Hack a Tack"
add chain=virus protocol=udp action=drop dst-port=31791-31792 comment="Hack a Tack"
add chain=virus protocol=tcp action=drop dst-port=32001 comment="Donald Dick"
add chain=virus protocol=tcp action=drop dst-port=32100 comment="Peanut Brittle, Project nEXT"
add chain=virus protocol=tcp action=drop dst-port=32418 comment="Acid Battery"
add chain=virus protocol=tcp action=drop dst-port=33270 comment="Trinity"
add chain=virus protocol=tcp action=drop dst-port=33333 comment="Blakharaz, Prosiak"
add chain=virus protocol=tcp action=drop dst-port=33577-33777 comment="Son of PsychWard"
add chain=virus protocol=tcp action=drop dst-port=33911 comment="Spirit 2000, Spirit 2001"
add chain=virus protocol=tcp action=drop dst-port=34324 comment="Big Gluck, TN"
add chain=virus protocol=tcp action=drop dst-port=34444 comment="Donald Dick"
add chain=virus protocol=udp action=drop dst-port=34555-35555 comment="Trinoo for Windows"
add chain=virus protocol=tcp action=drop dst-port=37237 comment="Mantis"
add chain=virus protocol=tcp action=drop dst-port=37651 comment="Yet Another Trojan YAT"
add chain=virus protocol=tcp action=drop dst-port=40412 comment="The Spy"
add chain=virus protocol=tcp action=drop dst-port=40421 comment="Agent 40421, Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=40422-40426 comment="Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=41337 comment="Storm"
add chain=virus protocol=tcp action=drop dst-port=41666 comment="Remote Boot Tool RBT, Remote Boot Tool RBT"
add chain=virus protocol=tcp action=drop dst-port=44444 comment="Prosiak"
add chain=virus protocol=tcp action=drop dst-port=44575 comment="Exploiter"
add chain=virus protocol=udp action=drop dst-port=47262 comment="Delta Source"
add chain=virus protocol=tcp action=drop dst-port=49301 comment="OnLine KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=50130 comment="Enterprise"
add chain=virus protocol=tcp action=drop dst-port=50505 comment="Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=50766 comment="Fore, Schwindler"
add chain=virus protocol=tcp action=drop dst-port=51966 comment="Cafeini"
add chain=virus protocol=tcp action=drop dst-port=52317 comment="Acid Battery 2000"
add chain=virus protocol=tcp action=drop dst-port=53001 comment="Remote Windows Shutdown RWS"
add chain=virus protocol=tcp action=drop dst-port=54283 comment="SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=54320 comment="Back Orifice 2000"
add chain=virus protocol=tcp action=drop dst-port=54321 comment="Back Orifice 2000, School Bus"
add chain=virus protocol=tcp action=drop dst-port=55165 comment="File Manager trojan, File Manager trojan, WM Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=55166 comment="WM Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=57341 comment="NetRaider"
add chain=virus protocol=tcp action=drop dst-port=58339 comment="Butt Funnel"
add chain=virus protocol=tcp action=drop dst-port=60000 comment="Deep Throat, Foreplay, Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=60001 comment="Trinity"
add chain=virus protocol=tcp action=drop dst-port=60068 comment="Xzip 6000068"
add chain=virus protocol=tcp action=drop dst-port=60411 comment="Connection"
add chain=virus protocol=tcp action=drop dst-port=61348 comment="Bunker-Hill"
add chain=virus protocol=tcp action=drop dst-port=61466 comment="TeleCommando"
add chain=virus protocol=tcp action=drop dst-port=61603 comment="Bunker-Hill"
add chain=virus protocol=tcp action=drop dst-port=63485 comment="Bunker-Hill"
add chain=virus protocol=tcp action=drop dst-port=64101 comment="Taskman"
add chain=virus protocol=tcp action=drop dst-port=65000 comment="Devil, Sockets des Troie, Stacheldraht"
add chain=virus protocol=tcp action=drop dst-port=65390 comment="Eclypse"
add chain=virus protocol=tcp action=drop dst-port=65421 comment="Jade"
add chain=virus protocol=tcp action=drop dst-port=65432 comment="The Traitor th3tr41t0r"
add chain=virus protocol=udp action=drop dst-port=65432 comment="The Traitor th3tr41t0r"
add chain=virus protocol=tcp action=drop dst-port=65534 comment="sbin initd"
add chain=virus protocol=tcp action=drop dst-port=65535 comment="RC1 trojan"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
Proioritas Upstream agar browsing tetep smooth (hint:lancar)
add chain=postrouting out-interface=MAIN-LB protocol=tcp tcp-flags=syn \
connection-state=new packet-size=40-100 action=mark-connection \
new-connection-mark=upstream_conn passthrough=yes comment="Testing TCP \
Flags" disabled=no
add chain=postrouting out-interface=MAIN-LB protocol=tcp tcp-flags=rst \
connection-state=new packet-size=40-100 action=mark-connection \
new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting out-interface=MAIN-LB protocol=tcp tcp-flags=ack \
connection-state=new packet-size=40-100 action=mark-connection \
new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting out-interface=MAIN-LB protocol=tcp tcp-flags=fin \
connection-state=new packet-size=40-100 action=mark-connection \
new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting out-interface=MAIN-LB protocol=tcp tcp-flags=syn \
connection-state=established packet-size=40-100 action=mark-connection \
new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting protocol=tcp connection-mark=upstream_conn \
action=mark-packet new-packet-mark=upstream_ack passthrough=no comment="" \
disabled=no
Rabu, 14 Mei 2008
Lokal Mail Server
Rabu, 27 Februari 08 - oleh : Panyahuti Matondang
Membangun mail server postfix dengan Mandrake 10 sangat mudah sekali, berikut langkah-langkahnya:
langkah-langkah yang saya jelaskan ini adalah membuat mail server di belakang ruter, untuk setting ruternya silakan baca buku manual ruternya untuk mengaktifkan Virtual server (portforwarding), beberapa port yang harus dibuka adalah : Port 53 (DNS), 80 (http), 25 (SMTP), 110(POP),
Syarat : Punya domain yang halal (valid) di internet, Punya IP PUBLIK, Buat domain di DynDns (dynamik DNS). untuk contoh saya punya domain: xyz.web.id yang diregistrasikan di PANDI, kemudian saya daftar di DynDNS dengan domain: xyz.dnsalias.net
1.
Install linux mandrake, xwindows yang dipakai pake KDE saja (saya tidak terbiasa pakai Gnome), instal juga apache, mysql dsb
2.
setelah terinstall dengan baik, Klik start-system-configuration-configure your computer, masukkan password root anda
3.
Pilih Software Management - Install, pada Kotak SEARCH ketik drakwizard,
4.
Install software drakwizard tersebut (drakwizard salah satu tool untuk mempermudah setting server DNS server, Postfix, Samba,Apache dll
5.
Kemudian install BIND (server dns) seperti langkah No 3
6.
Install Postfix seperti langkah No 3
7.
Install IMAP seperti langkah No 3
8.
Install Squirrelmail (untuk web mail) seperti langkah 3
9.
Konfigurasikan DNS server anda :klik start-system-configuration-configure your computer-server wizard-DNS, setelah diklik DNS akan ditanyakan External domain isikan dengan IP addres DNS ISP anda, masukkan nama domain anda misalnya xyz.web.id, anda akan melihat laporan konfigurasi. selesai setting DNS
10.
Untuk setting DNS selanjutnya masuk direktori /var/named/zone (saya menggunakan program MC seperti NC di DOS), edit file xyz.web.id.rev tambahkan cname domain anda sbb: www.xyz.web.id. IN CNAME xyz.dnsalias.net. tambahkan juga rute email anda di bawahnya : xyz.web.id. IN MX 20 xyz.dnsalias.net. (perhatikan titik harus ada dibelakan domain. dimain xyz.dnsalias.net adalah yang kita daftarkan di DynDNS)
11.
restart DNS server anda yaitu masuk menu : klik start-system-configuration-configure your computer-system-service, cari named kemudian klik start, cari IMAP kemudian centang start in requested, demikian juga untuk POP3S
12.
Coba ping ke www.xyz.web.id, jika semuanya berjalan dengan baik maka akan replay.
13.
Coba masuk ke Browser anda ketik : http://www.xyz.web.id seharusnya semuanya sudah ok.
14.
Konfigurasikan Postfix server anda :klik start-system-configuration-configure your computer-server wizard-mail, pilih internal server. selesai.
15.
edit main.cf di /etc/postfix cari inet_interfaces= xxx, ganti xxx menjadi all, cari juga mydestination=xxxxxx, xxxxx , xyz.web.id, xxxxxx adalah konfigurasi standar biarkan saja, xyz.web.id ditambahkan dibelakangnya.
16.
restart postfix anda seperti langkah 11, pilih postfix klik start.
17.
Seharusanya sekarang anda sudah bisa menerima dan mengirim email ke luar.
18.
Selamat server anda sekarang sudah jadi.
19.
coba ketik di browser anda : http://www.xyz.web.id/squirrelmail/ seharusnya sudah berjalan sempurna
Bogon address List
add list=bogons address=1.0.0.0/8 comment="" disabled=no
add list=bogons address=2.0.0.0/8 comment="" disabled=no
add list=bogons address=5.0.0.0/8 comment="" disabled=no
add list=bogons address=10.0.0.0/8 comment="" disabled=no
add list=bogons address=23.0.0.0/8 comment="" disabled=no
add list=bogons address=27.0.0.0/8 comment="" disabled=no
add list=bogons address=31.0.0.0/8 comment="" disabled=no
add list=bogons address=36.0.0.0/8 comment="" disabled=no
add list=bogons address=37.0.0.0/8 comment="" disabled=no
add list=bogons address=39.0.0.0/8 comment="" disabled=no
add list=bogons address=42.0.0.0/8 comment="" disabled=no
add list=bogons address=46.0.0.0/8 comment="" disabled=no
add list=bogons address=49.0.0.0/8 comment="" disabled=no
add list=bogons address=50.0.0.0/8 comment="" disabled=no
add list=bogons address=100.0.0.0/8 comment="" disabled=no
add list=bogons address=101.0.0.0/8 comment="" disabled=no
add list=bogons address=102.0.0.0/8 comment="" disabled=no
add list=bogons address=103.0.0.0/8 comment="" disabled=no
add list=bogons address=104.0.0.0/8 comment="" disabled=no
add list=bogons address=105.0.0.0/8 comment="" disabled=no
add list=bogons address=106.0.0.0/8 comment="" disabled=no
add list=bogons address=107.0.0.0/8 comment="" disabled=no
add list=bogons address=108.0.0.0/8 comment="" disabled=no
add list=bogons address=109.0.0.0/8 comment="" disabled=no
add list=bogons address=110.0.0.0/8 comment="" disabled=no
add list=bogons address=111.0.0.0/8 comment="" disabled=no
add list=bogons address=112.0.0.0/8 comment="" disabled=no
add list=bogons address=113.0.0.0/8 comment="" disabled=no
add list=bogons address=169.254.0.0/16 comment="" disabled=no
add list=bogons address=172.16.0.0/12 comment="" disabled=no
add list=bogons address=173.0.0.0/8 comment="" disabled=no
add list=bogons address=174.0.0.0/8 comment="" disabled=no
add list=bogons address=175.0.0.0/8 comment="" disabled=no
add list=bogons address=176.0.0.0/8 comment="" disabled=no
add list=bogons address=177.0.0.0/8 comment="" disabled=no
add list=bogons address=178.0.0.0/8 comment="" disabled=no
add list=bogons address=180.0.0.0/8 comment="" disabled=no
add list=bogons address=181.0.0.0/8 comment="" disabled=no
add list=bogons address=182.0.0.0/8 comment="" disabled=no
add list=bogons address=183.0.0.0/8 comment="" disabled=no
add list=bogons address=184.0.0.0/8 comment="" disabled=no
add list=bogons address=185.0.0.0/8 comment="" disabled=no
add list=bogons address=192.0.2.0/24 comment="" disabled=no
add list=bogons address=197.0.0.0/8 comment="" disabled=no
add list=bogons address=198.18.0.0/15 comment="" disabled=no
add list=bogons address=223.0.0.0/8 comment="" disabled=no
drop broadcast AP Mikrotik
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; block discovery mikrotik
chain=forward in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop1 ;;; block discovery mikrotik
chain=input in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop
2 ;;; block discovery mikrotik
chain=output mac-protocol=ip dst-port=5678 ip-protocol=udp action=drop
drop flooding
/ip firewall filter add chain=syn-flood action=return protocol=!tcp disabled=yes
/ip firewall filter add chain=syn-flood action=return tcp-flags=!,syn,!fin,!rst,!ack protocol=tcp disabled=yes
/ip firewall filter add chain=syn-flood action=log log-prefix=”SYN FLOOD:”
/ip firewall filter add chain=syn-flood action=drop disabled=yes
preventing natted access
Sesuai dengan judul diatas,
inti dari kasus ini adalah penyedia jasa tidak ingin BW yang diberikan kepada user di sharing lagi mempergunakan nat-router.
Ilmu baru buat saya, dengan memberikan TTL=1 ?, mmmm aneh sekali.
Hasil dari googling di wikipedia di dapat informasi sebagai berikut :
The TTL field is set by the sender of the datagram, and reduced by every host on the route to its destination. If the TTL field reaches zero before the datagram arrives at its destination, then the datagram is discarded and an ICMP error datagram (11 - Time Exceeded) is sent back to the sender.
Supaya tidak hilang ditelan hari, dikopi saja ke situs
Diambil dari http://forum.mikrotik.com/viewtopic.php?f=9&t=19484
/ip firewall mangle
add action=change-ttl dst-address=192.168.1.0/24 \
chain=forward new-ttl=set:1
Maksud dari baris perintah diatas, adalah paket yang lewat router mikrotik hanya dibuat valid untuk 1 hop berikutnya ke arah klient, yang berarti hanya valid untuk 1 pc, karena begitu masuk ke PC tersebut TTL berkurang 1, sehingga menjadi 0.
Jangan lupa, peletakan firewallnya harus dibaris yang tepat, bila tidak tepat rule ini tidak akan terbaca.
Bila mempergunakan linux dan iptables, maka panduan-nya ada di milist linux ini.
IPtables
# —————————————————
# Copyright (C) 2005
# Last modified by Dani ‘Abah’ Hadimukti : 09-05-2005
# This firewall configuration is suitable for Router.
# —————————————————
IPTABLES=/sbin/iptables
# Definisi komponen sistem untuk mempermudah perawatan.
# —————————————————————————–
LOOPBACK_INTERFACE=”lo” # Interface Loopback
CLASS_D_MULTICAST=”224.0.0.0/4? # Class D multicast addr
CLASS_E_RESERVED_NET=”240.0.0.0/5? # Class E reserved addr
OSPF_MCAST=”224.0.0.5? # OSPF
OSPFD_MCAST=”224.0.0.6? # OSPFD
BROADCAST_src=”0.0.0.0? mce_src=”0.0.0.0? # Broadcast source addr
BROADCAST_DEST=”255.255.255.255? # Broadcast destination addr
PRIVPORTS=”0:1023? # Privileged port range
UNPRIVPORTS=”1024:” # Unprivileged port range
SSH_LOCAL_PORTS=”1022:65535? # Port range for local clients
SSH_REMOTE_PORTS=”513:65535? # Port range for remote clients
TRACEROUTE_SRC_PORTS=”32769:65535? # Port range sources for traceroute
TRACEROUTE_DEST_PORTS=”33434:33523? # Port range destination for traceroute
# —————————————————————————–
# Firewalls…. begins here!
# Kosongin semua aturan
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F
# Buat aturan firewall (DROP semua)
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Spesifik Rule Firewall
# Furtive Port scanner
$IPTABLES -A INPUT -p tcp –tcp-flags SYN,ACK,FIN,RST RST -m limit –limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp –tcp-flags SYN,ACK,FIN,RST RST -m limit –limit 1/s -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –tcp-flags SYN,ACK,FIN,RST RST -m limit –limit 1/s -j ACCEPT
# Batasi Paket Flooding
$IPTABLES -A INPUT -p tcp –syn -m limit –limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp –syn -m limit –limit 1/s -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –syn -m limit –limit 1/s -j ACCEPT
# Batasi Ping of Death
$IPTABLES -A INPUT -p icmp -m length –length 512: -j DROP
$IPTABLES -A FORWARD -p icmp -m length –length 512: -j DROP
$IPTABLES -A OUTPUT -p icmp -m length –length 512: -j DROP
$IPTABLES -A INPUT -p icmp –icmp-type echo-request -m limit –limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp –icmp-type echo-request -m limit –limit 1/s -j ACCEPT
$IPTABLES -A OUTPUT -p icmp –icmp-type echo-request -m limit –limit 1/s -j ACCEPT
# Unlimited traffic on the loopback interface.
$IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# OSPF
$IPTABLES -A INPUT -p ospf -j ACCEPT
$IPTABLES -A FORWARD -p ospf -j ACCEPT
$IPTABLES -A OUTPUT -p ospf -j ACCEPT
# GRE Tunneling
#$IPTABLES -A INPUT -p GRE -j ACCEPT
#$IPTABLES -A FORWARD -p GRE -j ACCEPT
#$IPTABLES -A OUTPUT -p GRE -j ACCEPT
# ICMP
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A FORWARD -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT
# TRACEROUTE (-S 32769:65535 -D 33434:33523)
$IPTABLES -A INPUT -p udp –sport $TRACEROUTE_SRC_PORTS –dport $TRACEROUTE_DEST_PORTS -j ACCEPT
$IPTABLES -A FORWARD -p udp –sport $TRACEROUTE_SRC_PORTS –dport $TRACEROUTE_DEST_PORTS -j ACCEPT
$IPTABLES -A OUTPUT -p udp –sport $TRACEROUTE_SRC_PORTS –dport $TRACEROUTE_DEST_PORTS -j ACCEPT
# Dynamic Routing (2600-2605)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 2600:2605 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 2600:2605 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 2600:2605 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 2600:2605 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 2600:2605 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 2600:2605 -j ACCEPT
# HTTP (80)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 80 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 80 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 80 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 80 -j ACCEPT
# WebCache (8080)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 8080 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 8080 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 8080 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 8080 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 8080 -j ACCEPT
# DNS: full server (53)
$IPTABLES -A INPUT -p udp –sport $UNPRIVPORTS –dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp –sport $UNPRIVPORTS –dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp –sport 53 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p udp –sport 53 –dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp –sport 53 –dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp –sport 53 –dport 53 -j ACCEPT
# DNS client (53)
$IPTABLES -A INPUT -p udp –sport 53 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p udp –sport 53 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p udp –sport $UNPRIVPORTS –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 53 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 53 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 53 -j ACCEPT
# DNS Zone Transfers (53)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 53 –dport $UNPRIVPORTS -j ACCEPT
# HTTPS (443)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 443 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 443 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 443 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 443 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 443 -j ACCEPT
# Mikrotik (3987)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 3987 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 3987 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 3987 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 3987 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 3987 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 3987 -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 8291 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 8291 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 8291 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 8291 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 8291 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 8291 -j ACCEPT
# SSH (22)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 22 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 22 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 22 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 22 -j ACCEPT
# FTP (20-21)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 20:1024 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 20:1024 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 20:1024 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 20:21 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 20:21 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 20:21 -j ACCEPT
# POP3 (110)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 110 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 110 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 110 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 110 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 110 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 110 -j ACCEPT
# Instant Messanger (5050)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 5050 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 5050 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 5050 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 5050 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 5050 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 5050 -j ACCEPT
# VoIP (5060)
$IPTABLES -A INPUT -p udp –sport $UNPRIVPORTS –dport 5060 -j ACCEPT
$IPTABLES -A FORWARD -p udp –sport $UNPRIVPORTS –dport 5060 -j ACCEPT
$IPTABLES -A OUTPUT -p udp –sport 5060 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p udp –sport 5060 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p udp –sport 5060 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p udp –sport $UNPRIVPORTS –dport 5060 -j ACCEPT
# SNMP (161)
$IPTABLES -A INPUT -p udp –sport $UNPRIVPORTS –dport 161 -j ACCEPT
$IPTABLES -A FORWARD -p udp –sport $UNPRIVPORTS –dport 161 -j ACCEPT
$IPTABLES -A OUTPUT -p udp –sport 161 –dport $UNPRIVPORTS -j ACCEPT
#$IPTABLES -A INPUT -p udp –sport 161 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p udp –sport 161 –dport $UNPRIVPORTS -j ACCEPT
# IMAP over SSL (993)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 993 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 993 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 993 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 993 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 993 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 993 -j ACCEPT
# IMAP (143)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 143 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 143 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 143 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 143 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 143 -j ACCEPT
# QMQP (628)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 628 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 628 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 628 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 628 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 628 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 628 -j ACCEPT
# SMTP (25)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 25 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 25 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 25 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 25 -j ACCEPT
# IMAP (143)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 143 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 143 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 143 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 143 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 143 -j ACCEPT
# QMQP (628)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 628 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 628 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 628 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 628 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 628 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 628 -j ACCEPT
# SMTP (25)
$IPTABLES -A INPUT -p tcp –sport $UNPRIVPORTS –dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport $UNPRIVPORTS –dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport 25 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp –sport 25 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p tcp –sport 25 –dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –sport $UNPRIVPORTS –dport 25 -j ACCEPT
p2p filtering
How to use Peer-to-Peer filtering?
Description
This chapter shows some examples on how to use Peer-to-Peer traffic matching feature introducted in RouterOS? version 2.8.
LoggingTo log all P2P traffic the following rule should be added:
/ip firewall rule forward add p2p=all-p2p log=yes
If the firewall logging is enabled in the router then in the log file you will see P2P packet information like this:
oct/06/2003 16:07:32 forward->ACCEPT, in:wlan1, out:prism1, prot TCP (ACK),>Drop
10.1.5.49:3556->81.198.155.83:13830, len 40
To drop all P2P traffic the following rule should be added:
/ip firewall rule forward add p2p=all-p2p action=drop
You can enable the logging for the dropped packets by adding the log=yes to the previous command. Then in the log file you will see such similar entries:
oct/06/2003 16:16:08 forward->DROP, in:prism1, out:wlan1, prot TCP (ACK),
62.85.19.201:30003->10.1.5.49:3562, len 1500
If you want to allow some of your users to use P2P then you need to add 2 (one for download, one for upload) accept rules before the drop rule:
/ip firewall rule forward add src-address=10.1.5.49/32 p2p=all-p2pOne Way P2P
/ip firewall rule forward add dst-address=10.1.5.49/32 p2p=all-p2p
In case of DC++ you can't just add dst-address of the user in the forward chain and then drop all other P2P traffic - DC++ send out some P2P info to the other P2P user, from which you are downloading. If the upload P2P traffic is blocked then you will not be able to download too. To make one way P2P you should decrease the speed of the other way to a small speed limit, for example, P2P upload traffic limit to 10000bps (10Kbps). Then users will be able to download the P2P traffic, but their upload traffic will be maximum 10Kbps.
To do that, mark all P2P traffic using Firewall mangle:
/ip firewall mangle add p2p=all-p2p mark-flow=p2p
And then add queues to limit upload traffic to 10Kbps:
/queue tree add parent=public flow=p2p max-limit=10000Individual IP P2P limit
This section will help you to make P2P limitation to individual IPs and with different speed limit for each IP. Suppose we have 2 clients and we would like to limit one client s P2P traffic to 256Kbps(download)/64Kbps(upload) and the other client s P2P traffic to 384Kbps(download)/128Kbps(upload). First client s IP address is 10.1.5.49 and the second client s IP is 10.1.5.50. To do this, mark all P2P traffic using Firewall mangle:
/ip firewall mangle add p2p=all-p2p mark-flow=all-p2p action=passthrough
Then mark P2P traffic of the first client (upload/download):
<>/ip firewall mangle add flow=all-p2p src-address=10.1.5.49/32 mark-flow=client1-p2p /ip firewall mangle add flow=all-p2p dst-address=10.1.5.49/32 mark-flow=client1-p2pNext, mark P2P traffic of the second client (upload/download):
/ip firewall mangle add flow=all-p2p src-address=10.1.5.50/32
mark-flow=client2-p2p
/ip firewall mangle add flow=all-p2p dst-address=10.1.5.50/32
mark-flow=client2-p2p
Add queue rules for the first client (upload/download):
/queue tree add parent=public flow=client1-p2p max-limit=64000
/queue tree add parent=local flow=client1-p2p max-limit=256000
And finally, add queue rules for the second client (upload/download):
/queue tree add parent=public flow=client2-p2p max-limit=128000
/queue tree add parent=local flow=client2-p2p max-limit=384000
If we have masquerade enabled then we can't limit the download stream. Mangle is the first firewall module that gets packets, when they are received. Next DST-NAT is done, which not only execute DST-NAT rules, but also performs un-SRC-NATting. That is why mangle do not 'see' the real addresses of the clients. As SRC-NAT is not allowing to establish connections to the NATted clients, it is possible to match all responses in already existing connections established by the clients using connection marks. To do this, first of all, connection-mark all packets from the IP of each client with different marks for each client using action=passthrough:
/ip firewall mangle add src-address=10.1.5.51/32 mark-connection=client1
action=passthrough
Then we can remark these connections with a different flow mark and also mark the p2p traffic:
/ip firewall mangle add connection=client1 p2p=all-p2p mark-flow= client1-p2p
action=passthrough
Finally, add a queue rule:
/queue tree add parent=local flow=client1-p2p max-limit=256000Burst
We have already configured mangle rules and queues for download:
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 p2p=all-p2p action=passthrough mark-flow=all-p2p
1 dst-address=10.1.5.49/32 flow=all-p2p
action=accept mark-flow=client1-p2p
[admin@MikroTik] > queue tree print
Flags: X - disabled, I - invalid, D - dynamic
0 name="download-client1-p2p" parent=local flow=client1-p2p limit-at=0
queue=default priority=8 max-limit=256000 burst-limit=0 burst-threshold=0
burst-time=0
[admin@MikroTik] >
We want to allow bursting up to 400000bps for 5min (in case when the download speed is maximum all the time), after 5min, the speed limit will be back to 256000. To do that we need to modify the queue rule:
/queue tree set 0 burst-limit=400000 burst-time=600 burst-threshold=200000
We specified burst time 600 seconds (10min). This time is needed for the calculation of the specific moment when the router will drop the queue speed limit from burst-time to max-limit. Router is calculating the average value: sum of the speed in each second in the burst-time, divided with the burst-time. Now there are two cases:
- If this value is lower that the burst-threshold then the queue speed limit will be raised to the burst-limit
- If this value is higher that the burst-threshold then the queue speed limit will be dropped down to max-limit
In our case the user is downloading at the maximum speed. This means he could download at the burst-limit speed 5min - average value is still equal to burst-threshold which is 200000 (400000*300/600=200000). In the next second the speed limit will be greater than the burst-threshold and the speed limit will be dropped to the max-limit.
Using PCQSuppose we have a network and we want to limit Peer-to-Peer traffic for each client in this network to 64Kbit/s upload and 128Kbit/s for download. This queue type is called PCQ. You can also use it in the previous examples instead of the default queue type.
First of all, create a PCQ queues - one for upload (this should classify by src-address), and one for download (this should classify by dst-address):
/queue type add name=up kind=pcq pcq-classifier=src-address pcq-rate=64000
/queue type add name=down kind=pcq pcq-classifier=dst-address pcq-rate=128000
Then we should 'catch' the P2P traffic using mangle rule:
/ip firewall mangle add p2p=all-p2p action=passthrough mark-flow=p2p
Now we can create queues:
/queue tree add parent=public flow=p2p queue=up
/queue tree add parent=local flow=p2p queue=down
Setting OSPF
SETTING OSPF MAINROUTER
Setting Interface
[admin@MainRouter] > in pr
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1=ToClient ether 0 0 1500
1 R ether2=ToInternet ether 0 0 1500
Setting IP
[admin@MainRouter] > ip add pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.10.18/27 192.168.10.0 192.168.10.31 ether2=ToInternet
1 10.10.10.1/24 10.10.10.0 10.10.10.255 ether1=ToClient
2 10.10.20.1/24 10.10.20.0 10.10.20.255 ether1=ToClient
Setting Gateway (ROUTE)
[admin@MainRouter] > ip rou pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREF-SRC G GATEWAY DIS
0 ADC 192.168.10.0/27 192.168.10.18
1 A S 0.0.0.0/0 r 192.168.10.1
Setting NAT
[admin@MainRouter] > ip fire nat pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=ether2=ToInternet action=masquerade
Setting DNS
[admin@MainRouter] > ip dns pr
primary-dns: 222.124.180.40
secondary-dns: 0.0.0.0
allow-remote-requests: yes
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 20KiB
SETTING OSPF
[admin@MainRouter] > routing ospf pr
router-id: 0.0.0.0
distribute-default: if-installed-as-type-2
redistribute-connected: as-type-1
redistribute-static: as-type-2
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 0
metric-static: 0
metric-rip: 0
metric-bgp: 0
Setting OSPF AREA
[admin@MainRouter] > routing ospf area print
Flags: X - disabled
# NAME AREA-ID TYPE DEFAULT-COST AUTHENTICATION
0 backbone 0.0.0.0 default none
1 Local 0.0.0.1 default 1 none
Setting OSPF NETWORK
[admin@MainRouter] > routing ospf network print
Flags: X - disabled, I - invalid
# NETWORK AREA
0 10.10.10.0/24 Local
1 10.10.20.0/24 Local
Hasil Settingan di OSPF Neighbors
[admin@MainRouter] > routing ospf neighbor print
router-id=192.168.101.1 address=10.10.20.2 priority=1 state=”Full”
state-changes=4 ls-retransmits=0 ls-requests=0 db-summaries=0
dr-id=10.10.20.1 backup-dr-id=10.10.20.2
router-id=192.168.200.1 address=10.10.10.2 priority=1 state=”Full”
state-changes=8 ls-retransmits=0 ls-requests=0 db-summaries=0
dr-id=10.10.10.1 backup-dr-id=10.10.10.2
router-id=192.168.10.18 address=10.10.20.1 priority=1 state=”2-Way”
state-changes=0 ls-retransmits=0 ls-requests=0 db-summaries=0
dr-id=10.10.20.1 backup-dr-id=10.10.20.2
Hasil Akhir Settingan di IP ROUTE
[admin@MainRouter] > ip rou pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREF-SRC G GATEWAY DIS
0 ADC 10.10.10.0/24 10.10.10.1
1 Do 10.10.10.0/24
2 ADC 10.10.20.0/24 10.10.20.1
3 Do 10.10.20.0/24
4 ADC 192.168.10.0/27 192.168.10.18
5 ADo 192.168.100.0/30 r 10.10.10.2
6 ADo 192.168.101.0/24 r 10.10.20.2
7 ADo 192.168.200.0/30 r 10.10.10.2
8 A S 0.0.0.0/0 r 192.168.10.1
SETTING OSPF CLIENT1
[admin@Client1=RouterBoard] > in pr
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1=ToMainRouter ether 0 0 1500
1 R ether2=ToLocal ether 0 0 1500
2 R ether3 ether 0 0 1500
3 wlan1 wlan 0 0 1500
4 X wlan2 wlan 0 0 1500
[admin@Client1=RouterBoard] > ip add pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.10.10.2/24 10.10.10.0 10.10.10.255 ether1=ToMainRouter
1 192.168.100.1/30 192.168.100.0 192.168.100.3 ether2=ToLocal
2 192.168.200.1/30 192.168.200.0 192.168.200.3 wlan1
[admin@Client1=RouterBoard] > ip dns pr
primary-dns: 0.0.0.0
secondary-dns: 0.0.0.0
allow-remote-requests: no
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 17KiB
[admin@Client1=RouterBoard] > rou ospf pr
router-id: 0.0.0.0
distribute-default: never
redistribute-connected: as-type-1
redistribute-static: no
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 0
metric-static: 0
metric-rip: 0
metric-bgp: 0
[admin@Client1=RouterBoard] > rou ospf area pr
Flags: X - disabled
# NAME AREA-ID TYPE DEFAULT-COST AUTHENTICATION
0 backbone 0.0.0.0 default none
1 Local 0.0.0.1 default 1 none
[admin@Client1=RouterBoard] > rou ospf network pr
Flags: X - disabled, I - invalid
# NETWORK AREA
0 10.10.10.0/24 Local
1 10.10.20.0/24 Local
[admin@Client1=RouterBoard] > ip route pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREF-SRC G GATEWAY DIS
0 ADC 10.10.10.0/24 10.10.10.2
1 Do 10.10.10.0/24
2 ADC 192.168.100.0/30 192.168.100.1
3 ADC 192.168.200.0/30 192.168.200.1
CATATAN : IP disesuaikan dgn alokasi IP masing-masing tempat.
sumber : http://pejewan.wordpress.com/2008/02/06/setting-ospf-mikrotik/