  #1 mossy (Member; Jakarta, Cikarang; joined Apr 2008)

    Firewall for a MikroTik Router .... (just as an addition)

    Firewall for a MikroTik Router

    To secure a MikroTik router against virus traffic and ping access, the following firewall script can be used:

    First create an address-list "ournetwork" containing the radio IP, the LAN IP and the WAN IP, or any other IP that can be trusted.

    In the following example the radio IP is 10.0.0.0/16, the LAN IP is 192.168.2.0/24, the WAN IP is 203.89.24.0/21 and the other trusted IP is 202.67.33.7.

    To create the address-list you can use a script like the one below; just adjust it to your own network configuration.

    Write the following script in Notepad, then copy-paste it into the MikroTik console:

    Code:
    / ip firewall address-list
    add list=ournetwork address=203.89.24.0/21 comment="Datautama Network" disabled=no
    add list=ournetwork address=10.0.0.0/16 comment="IP Radio" disabled=no
    add list=ournetwork address=192.168.2.0/24 comment="LAN Network" disabled=no
    Next, copy-paste the following script into the MikroTik console:

    Code:
    / ip firewall filter
    add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
    add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
    add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
    add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
    add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
    add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
    add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
    add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
    add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
    add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
    add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
    add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
    add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
    add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
    add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
    add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
    add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
    add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
    add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
    add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
    add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
    add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no
    add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
    add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
    add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
    add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
    add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
    add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
    add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y, better left disabled because this port is also often used for VPN or Webmin" disabled=yes
    add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
    add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
    add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
    add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
    add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
    add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
    add chain=input connection-state=established action=accept comment="Accept established connections" disabled=no
    add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no
    add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
    add chain=input protocol=udp action=accept comment="UDP" disabled=no
    add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings" disabled=no
    add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
    add chain=input protocol=tcp dst-port=21 src-address-list=ournetwork action=accept comment="FTP" disabled=no
    add chain=input protocol=tcp dst-port=22 src-address-list=ournetwork action=accept comment="SSH for secure shell" disabled=no
    add chain=input protocol=tcp dst-port=23 src-address-list=ournetwork action=accept comment="Telnet" disabled=no
    add chain=input protocol=tcp dst-port=80 src-address-list=ournetwork action=accept comment="Web" disabled=no
    add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork action=accept comment="winbox" disabled=no
    add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server" disabled=no
    add chain=input src-address-list=ournetwork action=accept comment="From Datautama network" disabled=no
    add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
    add chain=input action=drop comment="Drop everything else" disabled=no
    The effects of the script above are:

    1. The MikroTik router can only be accessed via FTP, SSH, Web and Winbox from the IPs defined in the "ournetwork" address-list, so it cannot be accessed from just anywhere.
    2. Ports commonly used by viruses are blocked so that virus traffic cannot pass through; note, however, that if a user has trouble accessing a particular service, the chain="virus" rules must be checked to see whether the port that user needs is being blocked by the firewall.
    3. Ping packets are rate-limited to avoid ping access.

    Apart from that, keep in mind: it is best to create a new user and password in the full group and then disable the admin user, to minimise the risk of your MikroTik being hacked.

    Source:

    Last edited by [a]; 20-06-2008 at 21:45.



  #2 [a] (Administrator; Jakarta, Indonesia; joined Jun 2007)
    Thanks, mbak mossy.


  #3 poensan (Member; http://warnet-planet.com; joined Sep 2007)
    Why is it that after I added the ip firewall rules I can't browse anymore?

  #4 mossy
    Originally Posted by [a]:
        Thanks, mbak mossy.

    I just looked around for it; when I find something, it can be shared, hehehe....

  #5 mossy
    Originally Posted by poensan:
        Why is it that after I added the ip firewall rules I can't browse anymore?

    Try reading the effects of those rules again, point 2...

  #6 poensan
    Originally Posted by mossy:
        Try reading the effects of those rules again, point 2...

    It turns out this rule is what breaks browsing:
    add chain=input action=drop comment="Drop everything else" disabled=no

  #7 henry (Member; Jakarta; joined Mar 2008)
    @poensan

    IMO: well, that one has to be there... as per the rules above, without it how would anything get blocked? If something does get blocked, check again which port it uses and add that one... don't disable that rule... isn't that right, mossy?
    Last edited by henry; 30-06-2008 at 11:07.

  #8 poensan
    Originally Posted by henry:
        @poensan

        IMO: well, that one has to be there... as per the rules above, without it how would anything get blocked? If something does get blocked, check again which port it uses and add that one... don't disable that rule... isn't that right, mossy?

    So what should I do then? Sorry, I'm a newbie.

  #9 mossy
    Originally Posted by henry:
        @poensan

        IMO: well, that one has to be there... as per the rules above, without it how would anything get blocked? If something does get blocked, check again which port it uses and add that one... don't disable that rule... isn't that right, mossy?

    That's right, poensan.

  #10 mossy
    Originally Posted by poensan:
        So what should I do then? Sorry, I'm a newbie.

    By the way, thanks to henry.

    Code:
    add chain=input protocol=tcp dst-port=80 src-address-list=ournetwork action=accept comment="Web" disabled=no
    If I'm not mistaken (I'm a newbie too), port 80 is the one for browsing, right!!!
    Just disable that one rule...

    I'd also welcome enlightenment from the masters...

  #11 nuxboy (Newbie; joined May 2008)
    Originally Posted by poensan:
        Why is it that after I added the ip firewall rules I can't browse anymore?

    What Bro poensan experienced is exactly what I went through, but that was back when I was using a pirated MikroTik version 2.9.27; once I switched to an original MikroTik version 3.10 there was no more problem with browsing being blocked, hehe. I'm puzzled too how that could be; maybe the legal one is just better, hehe.

  #12 Master Piece (Just Joined; joined Apr 2008)
    Thanks a lot......

  #13 poensan
    Originally Posted by nuxboy:
        What Bro poensan experienced is exactly what I went through, but that was back when I was using a pirated MikroTik version 2.9.27; once I switched to an original MikroTik version 3.10 there was no more problem with browsing being blocked, hehe. I'm puzzled too how that could be; maybe the legal one is just better, hehe.

    Hehehe, maybe that's it, I'm using a pirated one too.

  #14 botakedan (Newbie; joined Nov 2007)
    I'm using version 2.4.49... with an original licence... but it seems that line has an effect here too, because as soon as I disabled it the clients could browse right away.

    Does the version make a difference?


    ---------- UPDATE ----------
    Found the solution (MT v.2.4.29).
    Add the IP of the MikroTik server you want to protect in the destination address field.

    1. If the MikroTik runs a proxy, the following must be added first:
    Code:
    add chain=input dst-address=192.168.0.1 dst-port=8080 protocol=tcp \
         action=accept comment="Enable Proxy Connection"
    2. Put your MikroTik server's IP in the dst address field.
    Code:
    add chain=input dst-address=192.168.0.1 protocol=tcp dst-port=21 \
         src-address-list=ournetwork action=accept comment="FTP" disabled=no
    add chain=input dst-address=192.168.0.1 protocol=tcp dst-port=22 \
         src-address-list=ournetwork action=accept comment="SSH for secure shell" disabled=no
    add chain=input dst-address=192.168.0.1 protocol=tcp dst-port=23 \
         src-address-list=ournetwork action=accept comment="Telnet" disabled=no
    add chain=input dst-address=192.168.0.1 protocol=tcp dst-port=80 \
         src-address-list=ournetwork action=accept comment="Web" disabled=no
    add chain=input dst-address=192.168.0.1 protocol=tcp dst-port=8291 \
         src-address-list=ournetwork action=accept comment="winbox" disabled=no
    add chain=input dst-address=192.168.0.1 protocol=tcp dst-port=1723 \
         action=accept comment="pptp-server" disabled=no
    add chain=input dst-address=192.168.0.1 src-address-list=ournetwork \
         action=accept comment="From Datautama network" disabled=no
    add chain=input action=log log-prefix="DROP INPUT" \
         comment="Log everything else" disabled=no
    add chain=input dst-address=192.168.0.1 action=drop \
         comment="Drop everything else" disabled=no
    Last edited by botakedan; 16-08-2008 at 17:52.
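The input-chain behaviour argued over in this thread, as an added example (this is not code from the thread or from MikroTik): a small first-match evaluator in Python that walks the `input` chain of the first post top-down, the way RouterOS evaluates a chain, and can also build the variant botakedan posted above (dst-address on the service rules and on the final drop, plus an accept for the proxy). The packets are constructed: the router address 192.168.0.1 and proxy port 8080 follow botakedan's post, the client 192.168.0.50 sits on a LAN that is not in `ournetwork`, and the internet source 1.2.3.4 and the router's WAN address 203.89.24.1 are made up for the example. The ICMP rate limit is not modelled. Besides reproducing the "client cannot reach the router" symptom and its fix, the last scenario shows a caveat the posted rules imply: because botakedan's final drop matches only dst-address=192.168.0.1, a connection to any other address of the router no longer hits a terminating rule and falls through to the chain's default policy, accept.

```python
"""Added example: first-match evaluation of a RouterOS-style `input` chain.
Not code from the thread or from MikroTik; it models the rules posted above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Copy of the "ournetwork" address-list from the first post.
ADDRESS_LISTS = {
    "ournetwork": [ip_network(n) for n in ("203.89.24.0/21", "10.0.0.0/16", "192.168.2.0/24")],
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    state: str = "new"               # connection-state: new/established/related/invalid


@dataclass
class Rule:
    action: str                      # "accept", "drop" or "log" (log does not terminate)
    comment: str
    proto: Optional[str] = None
    dst_port: Optional[Tuple[int, int]] = None   # inclusive port range
    src_list: Optional[str] = None   # src-address-list
    dst_address: Optional[str] = None
    state: Optional[str] = None      # connection-state

    def matches(self, p: Packet) -> bool:
        """A rule matches only if every criterion it sets is satisfied."""
        if self.state is not None and p.state != self.state:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_port is not None:
            lo, hi = self.dst_port
            if p.dst_port is None or not lo <= p.dst_port <= hi:
                return False
        if self.src_list is not None and not any(
                ip_address(p.src) in net for net in ADDRESS_LISTS[self.src_list]):
            return False
        if self.dst_address is not None and p.dst != self.dst_address:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the chain top-down as RouterOS does: the first terminating rule wins.
    `log` matches but passes the packet on; with no terminating match a built-in
    chain ends in RouterOS's default policy, accept."""
    for rule in chain:
        if rule.matches(p) and rule.action != "log":
            return rule.action, rule.comment
    return "accept", "default policy (no rule matched)"


def input_chain(dst_address: Optional[str] = None,
                proxy_port: Optional[int] = None) -> List[Rule]:
    """The `input` chain of the first post. With dst_address and proxy_port set it
    becomes botakedan's variant: an accept for the web proxy, and dst-address on
    the service rules and the final drop (the log rule has none, as posted)."""
    rules = [
        Rule("accept", "Accept established connections", state="established"),
        Rule("accept", "Accept related connections", state="related"),
        Rule("drop", "Drop invalid connections", state="invalid"),
        Rule("accept", "UDP", proto="udp"),
        Rule("accept", "Allow limited pings", proto="icmp"),   # limit=50/5s,2 not modelled
    ]
    if proxy_port is not None:
        rules.append(Rule("accept", "Enable Proxy Connection", proto="tcp",
                          dst_port=(proxy_port, proxy_port), dst_address=dst_address))
    for port, name in ((21, "FTP"), (22, "SSH"), (23, "Telnet"), (80, "Web"), (8291, "winbox")):
        rules.append(Rule("accept", name, proto="tcp", dst_port=(port, port),
                          src_list="ournetwork", dst_address=dst_address))
    rules += [
        Rule("accept", "pptp-server", proto="tcp", dst_port=(1723, 1723), dst_address=dst_address),
        Rule("accept", "From Datautama network", src_list="ournetwork", dst_address=dst_address),
        Rule("log", "Log everything else"),
        Rule("drop", "Drop everything else", dst_address=dst_address),
    ]
    return rules


# Constructed packets: 192.168.0.1 and port 8080 follow botakedan's post; the
# client 192.168.0.50 is on a LAN that is NOT in "ournetwork"; 1.2.3.4 and the
# WAN address 203.89.24.1 are made up for this example.
SCENARIOS = {
    "lan client -> router proxy": Packet("192.168.0.50", "192.168.0.1", "tcp", 8080),
    "lan client -> router dns":   Packet("192.168.0.50", "192.168.0.1", "udp", 53),
    "trusted admin -> winbox":    Packet("192.168.2.10", "192.168.0.1", "tcp", 8291),
    "internet -> WAN winbox":     Packet("1.2.3.4", "203.89.24.1", "tcp", 8291),
}

if __name__ == "__main__":
    for label, chain in (("original", input_chain()),
                         ("botakedan", input_chain("192.168.0.1", 8080))):
        for name, pkt in SCENARIOS.items():
            print(f"{label:9} {name:28} -> {evaluate(chain, pkt)}")
```

Run stand-alone, the script prints each scenario against both chains. The first scenario is dropped by "Drop everything else" in the original chain and accepted by "Enable Proxy Connection" in the variant; the second is accepted by the blanket UDP rule in both; the fourth is dropped in the original chain but accepted by default policy in the variant, which is the case to keep in mind if the router has more than one address.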

  #15 mossy
    Thanks, BOTAKEDAN; hopefully the others no longer have any problems either.

 

 