  1. #1
    radenfahmi

    How do we make our public IP impossible to PING...?

    To the honorable MikroTik warriors... I'd like to ask something... bear with me, I'm still a total newbie... how do I set up MikroTik so that our public IP can't be pinged from outside, or so that a ping just gets "request timed out"?... while still being able to access the outside... because there are a lot of port scanners roaming around... please help if anyone can....

  2. #2
    geonet_comp
    Originally Posted by radenfahmi
    To the honorable MikroTik warriors... I'd like to ask something... bear with me, I'm still a total newbie... how do I set up MikroTik so that our public IP can't be pinged from outside, or so that a ping just gets "request timed out"?... while still being able to access the outside... because there are a lot of port scanners roaming around... please help if anyone can....

    Go to the firewall, filter section: the action is forward or input (depending on what you need), the in-interface is the one facing the internet, the protocol is icmp, the action is drop, that's all.


  4. #3
    ripmanis
    Like this, maybe.. I've already tried it.. all quiet and calm

    /ip firewall filter add chain=forward protocol=icmp in-interface=lan action=reject reject-with=icmp-network-unreachable disabled=no comment=DropICMP

  5. #4
    mattnux
    Just set the interface to all, since you want it from both inside and outside, right?
    The command is already totally correct.

  6. #5
    desutha
    I once read on this forum that ping should just be left allowed, but rate-limited..
    What's the purpose? So that we can also monitor things when we're outside.. and so can the ISP.
    If there's a ping flood, just tell the ISP and let them do the work while we sit back... hehehe..
    The rules are roughly like this..
    Code:
    / ip firewall filter 
    add chain=input protocol=icmp limit=5,5 action=accept comment="Allow_limited_pings" disabled=no
    / ip firewall filter 
    add chain=input protocol=icmp action=drop comment="Drop_excess_pings" disabled=no
    Please correct and explain, masters, if anything is lacking....

  7. #6
    ripmanis
    It's not lacking, but I'm confused

  8. #7
    ripmanis
    Totally right, kang matt..
    So it ends up like this, I guess (for me, anyway..)

    /ip firewall filter add chain=forward protocol=icmp action=reject reject-with=icmp-network-unreachable disabled=no comment=DropICMP

    So when running traceroute and ping, the result is "Destination net unreachable."

  9. #8
    all21
    I'm actually confused about why my public IP can't be pinged or accessed from outside...
    even though it works when I use it on the rb433...
    confused

  10. #9
    all21
    Blocking traceroute and port scanners is easy... here's how...
    copy-paste the following code :P
    Code:
    /ip firewall filter
    add chain=forward protocol=icmp icmp-options=11:0 action=drop comment="Drop Traceroute"
    add chain=forward protocol=icmp icmp-options=3:3 action=drop comment="Drop Traceroute"
    add chain=input action=accept protocol=icmp limit=50/5s,2 comment="limit ping from clients"
    add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no 
    add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
    add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
    add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
    add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
    add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
    add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
    add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no


  12. #10
    ripmanis
    Originally Posted by all21
    Blocking traceroute and port scanners is easy... here's how...
    copy-paste the following code :P
    Code:
    /ip firewall filter
    add chain=forward protocol=icmp icmp-options=11:0 action=drop comment="Drop Traceroute"
    add chain=forward protocol=icmp icmp-options=3:3 action=drop comment="Drop Traceroute"
    add chain=input action=accept protocol=icmp limit=50/5s,2 comment="limit ping from clients"
    add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no 
    add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
    add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
    add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
    add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
    add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
    add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
    add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

    What does that actually mean, kang? I don't get it, kang

  13. #11
    mattnux
    Hehe, it's the same thing, just the full version, bro.. the protocol being hidden doesn't have to be ICMP, there are others too, but be careful with paranoid mode, you could end up confusing yourself when there's a networking problem. For example, when we use network monitoring such as cacti, mrtg, nagios, etc., it will make it hard for that network monitoring to do its job, because the things it normally uses for polling all become unavailable due to the admin's blocking, hehehe. It's better to make it more complete by adding a list of allowed IPs: first close access from everyone, then open it only for those who need it, for example the pollers and the admins and co.


  15. #12
    all21
    Originally Posted by mattnux
    Hehe, it's the same thing, just the full version, bro.. the protocol being hidden doesn't have to be ICMP, there are others too, but be careful with paranoid mode, you could end up confusing yourself when there's a networking problem. For example, when we use network monitoring such as cacti, mrtg, nagios, etc., it will make it hard for that network monitoring to do its job, because the things it normally uses for polling all become unavailable due to the admin's blocking, hehehe. It's better to make it more complete by adding a list of allowed IPs: first close access from everyone, then open it only for those who need it, for example the pollers and the admins and co.

    Well, you just add an exception for your IP, so for each rule the src-address gets set to !<your local IP>, or make an address list of the IPs that are allowed access and then set src-address-list to !<your address list>

  16. #13
    all21
    Originally Posted by ripmanis
    What does that actually mean, kang? I don't get it, kang

    Those are the rules you have to enter into the firewall...
    You can also copy-paste them into your terminal..

  17. #14
    aagyung
    By my logic, the public IP lives on the MikroTik router, right. From inside, just let them ping, it's our own internal network anyway. But from outside, just drop it right away, without reject; if the router is an RB, it would be a pity to make it send reject replies to whoever is doing the ICMP.
    How to do it from winbox:
    chain = input
    protocol=icmp
    in-interface=<your public interface>
    action=drop
    Now, if you have several public IPs, the method is different again:
    1. first make an address list of your public IPs
    2. then add this to the step above..
    src-address-list=!ip-publikmu

    Good luck trying it.
    thanks
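
    The advice given across this thread (drop ICMP on the internet-facing input chain, rate-limit what is let through, and allowlist the monitoring pollers and admins) combined into one rule set, as an added example that is not part of any post above. The interface name ether1-wan, the list name icmp-allowed and the two sample addresses are assumptions.

```routeros
# Added example, not from the thread. Assumptions: the WAN interface is
# named "ether1-wan"; 198.51.100.10 and 192.0.2.0/24 are constructed
# sample addresses for a monitoring poller and an admin network.

/ip firewall address-list
add list=icmp-allowed address=198.51.100.10 comment="monitoring poller (constructed)"
add list=icmp-allowed address=192.0.2.0/24 comment="admin network (constructed)"

/ip firewall filter
# 1. Keep replies to the router's own traffic ahead of any ICMP drop:
#    echo replies to pings the router sends, and ICMP errors that belong
#    to its existing connections. One state per rule works on old and
#    new RouterOS releases alike.
add chain=input connection-state=established action=accept comment="replies to router traffic"
add chain=input connection-state=related action=accept comment="ICMP errors for router traffic"

# 2. Allowlisted sources may ping the public IP, rate limited with the
#    same limit=5,5 value posted earlier in the thread. Packets over the
#    limit do not match here and fall through to rule 3.
add chain=input in-interface=ether1-wan protocol=icmp icmp-options=8:0 src-address-list=icmp-allowed limit=5,5 action=accept comment="limited ping from allowlist"

# 3. All other ICMP arriving from the internet is dropped silently
#    (drop, not reject, so the router sends nothing back and the sender
#    sees a timeout).
add chain=input in-interface=ether1-wan protocol=icmp action=drop comment="drop other ICMP from WAN"
```

    Rules are matched top to bottom and add appends at the end, so check with /ip firewall filter print that no earlier rule already accepts ICMP on input. Pings from LAN clients to the internet are not affected, because their replies pass through the forward chain, not input.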

  18. #15
    ripmanis
    Great stuff, bro..

 

 
