#1 yudigadget

Question about the wiki page "Protecting your customers"

Following on from

add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward action=accept protocol=tcp comment="allow TCP"
add chain=forward action=accept protocol=icmp comment="allow ping"
add chain=forward action=accept protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

I see no connections at all to port 80, but there is activity to port 25.

Then I tried adding an action=log rule to the chain, with chain type forward; the result was that no packets or connections were detected at all.
Then I tried changing the chain to output; the result was that there were connections from port 3128 (proxy) to the IP that was browsing.

So in my opinion the problem is here:
3 chain=dstnat in-interface=local src-address=172.168.0.0/16 protocol=tcp dst-port=80 action=redirect to-ports=3128

Tried with 3.13, then 2.9.27.

So how is the concept of protecting customers with NAT and then a proxy on port 80 supposed to work? I want to limit the ports that are open,
so only 80, 25, 110, etc. are allowed and the rest are dropped.

thanks..


This is my configuration:
[admin@MikroTik] > ip firewall filter print (rules 0-33 are disabled)
    Flags: X - disabled, I - invalid, D - dynamic
    34 ;;; Proxy From Outside
    chain=input in-interface=public src-address=0.0.0.0/0 protocol=tcp dst-port=3128 action=drop

    35 ;;; accept established connection packets
    chain=input connection-state=established action=accept

    36 ;;; accept related connection packets
    chain=input connection-state=related action=accept

    37 ;;; Log invalid connections
    chain=input connection-state=invalid action=log log-prefix="INVALID"

    38 ;;; drop invalid packets
    chain=input connection-state=invalid action=drop

    39 ;;; Allow PPTP
    chain=input protocol=tcp dst-port=1723 action=accept

    40 ;;; Allow PPTP
    chain=input protocol=gre action=accept

    41 ;;; Allow from local network
    chain=input src-address=172.168.0.0/16 action=accept

    42 ;;; Log everything else
    chain=input protocol=tcp src-port=3128 action=log log-prefix="DROP"

    43 X ;;; Drop everything else
    chain=input action=drop

    44 ;;; allow established connections
    chain=forward connection-state=established action=accept

    45 ;;; allow related connections
    chain=forward connection-state=related action=accept

    46 ;;; Log invalid connections
    chain=forward connection-state=invalid action=log log-prefix="INVALID"

    47 ;;; drop invalid connections
    chain=forward connection-state=invalid action=drop

    48 X ;;; Allow HTTP
    chain=output protocol=tcp dst-port=80 action=accept

    49 X ;;; anti-spam policy
    chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop

50 X chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp address-list-timeout=0s

    51 X chain=smtp-first-drop src-address-list=approved-smtp action=return

    52 X chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp address-list-timeout=0s

    53 X chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable

    54 X ;;; DNS
    chain=local-services connection-mark=dns action=accept

    55 X ;;; Drop Public Conections
    chain=public-services action=drop

    56 ;;; allow ping
    chain=forward protocol=icmp action=jump jump-target=ICMP

    57 ;;; Allow local traffic (between router applications)
    chain=input src-address-type=local dst-address-type=local action=accept

    58 ;;; Allow pings, but at a very limited rate (5 per sec)
    chain=input connection-mark=ping limit=5,5 action=accept

    59 ;;; 0:0 and limit for 5pac/s
    chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept

    60 ;;; 3:3 and limit for 5pac/s
    chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept

    61 ;;; 3:4 and limit for 5pac/s
    chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept

    62 ;;; 8:0 and limit for 5pac/s
    chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept

    63 ;;; 11:0 and limit for 5pac/s
    chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept

    64 X chain=input action=jump jump-target=drop

    65 X chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept

    66 X chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept

    67 X chain=dhcp dst-address-type=local src-address-list=local-addr action=accept

    68 ;;; jump to the virus chain
    chain=forward action=jump jump-target=virus

    69 ;;; Drop Blaster Worm
    chain=virus protocol=tcp dst-port=135-139 action=drop

    70 ;;; Drop Messenger Worm
    chain=virus protocol=udp dst-port=135-139 action=drop

    71 ;;; Drop Blaster Worm
    chain=virus protocol=tcp dst-port=445 action=drop

    72 ;;; Drop Blaster Worm
    chain=virus protocol=udp dst-port=445 action=drop

    73 ;;; ________
    chain=virus protocol=tcp dst-port=593 action=drop

    74 ;;; ________
    chain=virus protocol=tcp dst-port=1024-1030 action=drop

    75 ;;; Drop MyDoom
    chain=virus protocol=tcp dst-port=1080 action=drop

    76 ;;; ________
    chain=virus protocol=tcp dst-port=1214 action=drop

    77 ;;; ndm requester
    chain=virus protocol=tcp dst-port=1363 action=drop

    78 ;;; ndm server
    chain=virus protocol=tcp dst-port=1364 action=drop

    79 ;;; screen cast
    chain=virus protocol=tcp dst-port=1368 action=drop

    80 ;;; hromgrafx
    chain=virus protocol=tcp dst-port=1373 action=drop

    81 ;;; cichlid
    chain=virus protocol=tcp dst-port=1377 action=drop

    82 ;;; Worm
    chain=virus protocol=tcp dst-port=1433-1434 action=drop

    83 ;;; Bagle Virus
    chain=virus protocol=tcp dst-port=2745 action=drop

    84 ;;; Drop Dumaru.Y
    chain=virus protocol=tcp dst-port=2283 action=drop

    85 ;;; Drop Beagle
    chain=virus protocol=tcp dst-port=2535 action=drop

    86 ;;; Drop Beagle.C-K
    chain=virus protocol=tcp dst-port=2745 action=drop

    87 ;;; Drop MyDoom
    chain=virus protocol=tcp dst-port=3127-3128 action=drop

    88 ;;; Drop Backdoor OptixPro
    chain=virus protocol=tcp dst-port=3410 action=drop

    89 ;;; Worm
    chain=virus protocol=tcp dst-port=4444 action=drop

    90 ;;; Worm
    chain=virus protocol=udp dst-port=4444 action=drop

    91 ;;; Drop Sasser
    chain=virus protocol=tcp dst-port=5554 action=drop

    92 ;;; Drop Beagle.B
    chain=virus protocol=tcp dst-port=8866 action=drop

    93 ;;; Drop Dabber.A-B
    chain=virus protocol=tcp dst-port=9898 action=drop

    94 ;;; Drop MyDoom.B
    chain=virus protocol=tcp dst-port=10080 action=drop

    95 ;;; Drop NetBus
    chain=virus protocol=tcp dst-port=12345 action=drop

    96 ;;; Drop Kuang2
    chain=virus protocol=tcp dst-port=17300 action=drop

    97 ;;; Drop SubSeven
    chain=virus protocol=tcp dst-port=27374 action=drop

    98 ;;; Drop PhatBot, Agobot, Gaobot
    chain=virus protocol=tcp dst-port=65506 action=drop

    99 X ;;; Allow HTTP
    chain=forward protocol=tcp dst-port=8080 action=accept

    100 X ;;; Allow SMTP
    chain=forward protocol=tcp dst-port=25 action=accept

    101 X ;;; Allow SSL
    chain=forward protocol=tcp dst-port=443 action=accept

    102 X ;;; Allow POP3
    chain=forward protocol=tcp dst-port=110 action=accept

    103 X ;;; Allow SMTP
    chain=forward protocol=tcp dst-port=25 action=accept

    104 X ;;; Allow NTP
    chain=forward protocol=tcp dst-port=123 action=accept

    105 X ;;; Allow YM
    chain=forward protocol=tcp dst-port=5050 action=accept

    106 X ;;; Allow HBCI
    chain=forward protocol=tcp dst-port=3000 action=accept

    107 X ;;; Allow Galileo
    chain=forward protocol=tcp dst-port=2749 action=accept

    108 X ;;; Allow Galileo
    chain=forward protocol=tcp dst-port=4143 action=accept

    109 X ;;; allow TCP
    chain=forward protocol=tcp action=accept

    110 X ;;; allow ping
    chain=forward protocol=icmp action=accept

    111 X ;;; allow udp
    chain=forward protocol=udp action=accept

    112 X ;;; drop everything else
    chain=forward action=drop


    [admin@MikroTik] > ip firewall nat print
    Flags: X - disabled, I - invalid, D - dynamic
    0 chain=srcnat out-interface=public src-address=172.168.0.0/16 action=masquerade

    1 I chain=srcnat out-interface=CBN src-address=172.168.0.0/16 action=masquerade

    2 chain=srcnat out-interface=abacus1 dst-address=10.10.1.0/24 action=masquerade

    3 chain=dstnat in-interface=local src-address=172.168.0.0/16 protocol=tcp dst-port=80 action=redirect to-ports=3128

    4 chain=dstnat in-interface=local src-address=172.168.0.0/16 protocol=tcp dst-port=3128 action=redirect to-ports=3128
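The behaviour described in the post follows from RouterOS packet flow: once the dstnat rule redirects TCP/80 to the router's own port 3128, the packet is addressed to the router itself and is processed by the input chain, and the proxy's connection to the web server leaves through the output chain. Only traffic that is not redirected still traverses forward, which is why a forward rule for dst-port=80 never matches while forward rules for port 25 do. Below is an added example, not from the thread or the wiki, of a port allow-list laid out along those three paths. It assumes the LAN is 172.16.0.0/16 on interface local and the WAN is interface public (the dump above uses 172.168.0.0/16, which is not a private range), that the internal web proxy listens on 3128, and it uses one port per rule, the form the dump above already uses, so it does not depend on newer matcher syntax. Unlike rule 43 in the dump, which is disabled, the final input drop here is enabled; without it the input chain has no default deny. The /ip proxy command is the 3.x form.

```routeros
# Added example (not from the thread): port allow-list that works together
# with the RouterOS internal web proxy.
# Assumptions: LAN 172.16.0.0/16 on interface "local", WAN on "public",
# proxy on port 3128 (RouterOS 3.x syntax for /ip proxy).

/ip proxy
set enabled=yes port=3128

# 1. Transparent redirect. After this rule the packet is addressed to the
#    router itself, so it traverses INPUT, not FORWARD.
/ip firewall nat
add chain=dstnat in-interface=local src-address=172.16.0.0/16 protocol=tcp dst-port=80 action=redirect to-ports=3128 comment="LAN HTTP -> internal proxy"
add chain=srcnat out-interface=public src-address=172.16.0.0/16 action=masquerade

/ip firewall filter
# 2. INPUT: only LAN clients may reach the proxy port; nobody from outside may.
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=local src-address=172.16.0.0/16 protocol=tcp dst-port=3128 action=accept comment="LAN clients to proxy"
add chain=input in-interface=public protocol=tcp dst-port=3128 action=drop comment="no open proxy from outside"
add chain=input in-interface=local src-address=172.16.0.0/16 action=accept comment="management from LAN"
add chain=input action=drop comment="drop everything else (keep this ENABLED)"

# 3. OUTPUT: the proxy's own connections to origin servers leave here.
#    Restrict what the router itself may open outbound.
add chain=output connection-state=established action=accept
add chain=output connection-state=related action=accept
add chain=output protocol=tcp dst-port=80 action=accept comment="proxy to web servers"
add chain=output protocol=tcp dst-port=443 action=accept comment="proxy CONNECT to https servers"
add chain=output protocol=udp dst-port=53 action=accept comment="router DNS lookups"
add chain=output action=drop comment="drop other router-originated traffic"

# 4. FORWARD: everything that is NOT redirected (all but TCP/80) passes here,
#    so the customer allow-list lives in this chain.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=local protocol=tcp dst-port=25 action=accept comment="SMTP"
add chain=forward in-interface=local protocol=tcp dst-port=110 action=accept comment="POP3"
add chain=forward in-interface=local protocol=tcp dst-port=443 action=accept comment="HTTPS"
add chain=forward in-interface=local protocol=udp dst-port=53 action=accept comment="DNS"
add chain=forward in-interface=local protocol=icmp action=accept comment="ping"
add chain=forward action=drop comment="drop everything else"

# Verification: browse from a LAN client, then check which chains count packets.
/ip firewall filter print stats where chain=input
/ip firewall filter print stats where chain=output
/ip firewall filter print stats where chain=forward
```

With this layout the client-to-proxy leg shows up in the input counters on the dst-port=3128 rule and the proxy-to-server leg in the output counters on the dst-port=80 rule; a forward log rule for port 80 stays at zero, as observed in the post. Anything the router itself needs beyond the listed ports (NTP, PPTP, a remote syslog target) has to be added to the output chain explicitly, or the final output drop will silently stop it.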

#2 felix_sg
What do you mean?

#3 yudigadget
Basically, how do I limit the ports?
So that only 80, 25, 110, etc. are open, and all other ports are dropped.

But the problem is that I'm using MikroTik's internal proxy, and there is a dstnat rule from port 80 to 3128, which causes port 80 not to be detected when it is filtered in the forward chain.

#4 Akangage
Well.... in that case, boss, you should read the firewall section of the tutorial, this is discussed there, go take a look; also read about IP Flow in the manual if you want to build rules, that's the most valuable source.

#5 felix_sg
If you use the MikroTik proxy, the forward rules usually have to be changed to output before they work.

But if you only want to allow a few ports, maybe use a jump rule. I've never tried it though; pity the ones who want to play online games..

#6 yudigadget
Originally Posted by Akangage:
    Well.... in that case, boss, you should read the firewall section of the tutorial, this is discussed there, go take a look; also read about IP Flow in the manual if you want to build rules, that's the most valuable source.
Heh, hehehe.. I've read that many times over, boss, since way back; that's why I can trace the problem a bit... I'm just asking for corrections, that's all..
I'd like opinions or corrections on this problem; maybe someone has had a similar case, and what was the solution?

#7 yudigadget
Originally Posted by felix_sg:
    If you use the MikroTik proxy, the forward rules usually have to be changed to output before they work.

    But if you only want to allow a few ports, maybe use a jump rule. I've never tried it though; pity the ones who want to play online games..
Yes, I've tried it on 2.9.27: with forward it doesn't work, with output some connections are detected.. but when I tested the input chain yesterday nothing was detected either.
Oh, and it's a bit different on 3.13: as I recall output & input were detected, but output was not. (screenshot to follow)

So with output, it's detected as in this screenshot:
(screenshot)
Sorry, the prefix there says drop.. that doesn't mean the connection/packet is dropped.. that's the log for invalid connections (it uses the drop prefix), and I forgot to change the drop prefix hehe... don't be misled, it's only a log prefix.
And sorry if the LAN IP addresses are weird... that's left over from the previous IT guy; when I joined, all the computers were already set up that way (172.168.x.x/16). The old IT guy probably meant to set 172.16.x.x/16 but got it mixed up with 192.168.x.x. I haven't had time to change it, hehe.. about 30 PCs all have IPs like that, what a headache.

My next question: if I use an external proxy (squid on a separate server PC), would it still be detected as 3128?
Frankly I haven't tried this yet.. maybe friends who use an external proxy could help check whether the filter rule chain=forward action=accept dst-port=80 detects the connections passing through?

btw, if you want online games, just accept the relevant ports, kang, hehe.. this is for the office though.. I don't think management would allow it.

arigato gozaimas!
    Last edited by yudigadget; 29-08-2008 at 09:57.
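On the external-proxy question raised above: when squid runs on a separate host, the redirected packet is not addressed to the router, so after dst-nat it is forwarded to the squid host and the forward chain does see it, but with dst-port=3128 towards the squid address rather than dst-port=80; squid's own connections to web servers also cross the forward chain, with the squid host as src-address. The block below is an added example, not from the thread, assuming squid at 172.16.0.2:3128 on the same LAN segment behind interface local, LAN 172.16.0.0/16, WAN on interface public, and squid configured for transparent interception. Two details matter: the squid host must be excluded from the redirect, or its own fetches loop back into it; and when clients and squid share one segment the hairpinned connection must be masqueraded so that squid's replies return via the router, otherwise the client receives replies from 172.16.0.2 instead of the web server it addressed and resets the connection.

```routeros
# Added example (not from the thread): the same allow-list with an EXTERNAL
# proxy (squid on a separate host).
# Assumptions: squid at 172.16.0.2 port 3128 on the LAN behind "local",
# LAN 172.16.0.0/16, WAN on "public".

/ip firewall nat
# Redirect LAN HTTP to squid. The squid host itself is excluded, otherwise
# its outbound fetches would be redirected straight back to it.
add chain=dstnat in-interface=local src-address=!172.16.0.2 protocol=tcp dst-port=80 action=dst-nat to-addresses=172.16.0.2 to-ports=3128 comment="LAN HTTP -> squid"
# Hairpin: client and squid are on the same segment, so the redirected
# connection must leave with the router's address as source, or squid
# answers the client directly and the client sees an unexpected peer.
add chain=srcnat out-interface=local dst-address=172.16.0.2 protocol=tcp dst-port=3128 action=masquerade comment="hairpin to squid"
add chain=srcnat out-interface=public src-address=172.16.0.0/16 action=masquerade

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
# Client -> squid: filter sees the post-dst-nat address, i.e. 172.16.0.2:3128,
# not port 80. This is the rule whose counter moves when clients browse.
add chain=forward in-interface=local dst-address=172.16.0.2 protocol=tcp dst-port=3128 action=accept comment="clients to squid"
# squid -> origin servers: only the squid host may open port 80 outbound.
# Filtering runs before srcnat, so the source is still 172.16.0.2 here.
add chain=forward src-address=172.16.0.2 out-interface=public protocol=tcp dst-port=80 action=accept comment="squid to web servers"
add chain=forward src-address=172.16.0.2 out-interface=public protocol=udp dst-port=53 action=accept comment="squid DNS"
# Remaining customer allow-list, one port per rule.
add chain=forward in-interface=local protocol=tcp dst-port=443 action=accept comment="HTTPS"
add chain=forward in-interface=local protocol=tcp dst-port=25 action=accept comment="SMTP"
add chain=forward in-interface=local protocol=tcp dst-port=110 action=accept comment="POP3"
add chain=forward in-interface=local protocol=udp dst-port=53 action=accept comment="DNS"
add chain=forward in-interface=local protocol=icmp action=accept comment="ping"
add chain=forward action=drop comment="drop everything else"

# Verification: a port-80 forward rule would stay at zero; these two move.
/ip firewall filter print stats where chain=forward dst-port=3128
/ip firewall filter print stats where chain=forward src-address=172.16.0.2
```

Because only the squid host may open port 80 towards the Internet, a client that tries to bypass the proxy (for example by pointing a browser at a web server on a non-standard port) still hits the final drop; what the customers can reach on the web is then governed by squid's own ACLs rather than by the router.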

#8 yudigadget
Sorry, the screenshot on 3.13 failed...
It seems there's a problem with the combination of PPPoE and the internal web proxy: when I enable the dst-nat it's flaky.. sometimes I can browse, sometimes it just keeps waiting.. it never gets to Transferring data.
If the dst-nat to proxy port 3128 is not enabled.. then I can browse.

I'll try downgrading to 3.11 later.
