#1 unavailabled (Member)

    Question: How do I do this...??

    1. How do I block clients from reaching a target port??
    - For example, the IP range 192.168.10.20-192.168.10.40 must not be able to reach port 21, but must still be able to reach port 80 (web) on the internet

    2. How do I block clients from reaching certain porn web content without using SquidGuard? Note: what gets registered for blocking is not the site's IP address but its web address, for example: or

    3. And then, how do I block chat via the web, such as the web version of YM


    Please help, because lately a lot of clients have been misbehaving
    Last edited by unavailabled; 27-02-2009 at 17:25.

#2 d3v4 (Forum Guru)
    Let me answer..

    1. I'll just give one example..
    /ip firewall filter dst-port=21 src-address=192.168.10.20 chain=forward

    2. and 3.

    use the web proxy
    the manual is at

#3 rahwana (Forum Guru)
    Originally Posted by d3v4
    1. I'll just give one example..
    /ip firewall filter dst-port=21 src-address=192.168.10.20 chain=forward
    Isn't this missing action=drop?

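Putting the three questions together, as an added example (not code from d3v4's or mattnux's posts): the forward rule for question 1 with the explicit action=drop rahwana asked about, plus web-proxy access rules for questions 2 and 3. The host names are placeholders, since the original post's example addresses did not survive; Local is the assumed LAN interface name, as in mattnux's config.

```routeros
# Question 1: 192.168.10.20-192.168.10.40 may not reach port 21 anywhere,
# but still gets port 80. Without action=drop a filter rule falls back to
# the default action (accept), so it only counts packets and blocks nothing.
/ip firewall filter
add chain=forward src-address=192.168.10.20-192.168.10.40 protocol=tcp dst-port=21 \
    action=drop comment="Block FTP for client range"
# Port 80 is not matched above, so it keeps flowing; if the forward chain
# ends in a drop-all rule, this explicit accept must sit before that rule.
add chain=forward src-address=192.168.10.20-192.168.10.40 protocol=tcp dst-port=80 \
    action=accept comment="Allow HTTP for client range"

# Questions 2 and 3: block by host name rather than by IP, using the web
# proxy. Plain HTTP must first be redirected into the proxy (the same
# redirect as in the "Proxying everything" section); the proxy never sees
# HTTPS, so the same names on port 443 are not filtered by these rules.
/ip proxy
set enabled=yes port=3128
/ip firewall nat
add chain=dstnat in-interface=Local protocol=tcp dst-port=80 \
    action=redirect to-ports=3128 comment="transparent proxy"
# Placeholder names: replace with the sites that should be blocked.
/ip proxy access
add dst-host=*.blocked-site.example action=deny comment="Question 2: content block"
add dst-host=*.webchat-site.example action=deny comment="Question 3: web chat block"

# Verify: matched packets and bytes show up in the filter rule counters.
/ip firewall filter print stats where comment~"client range"
```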
#4 mattnux (Forum Guru)
    That's right, Mr rahwana, hehe, the action is missing

    Now for a more complete one, here it is; just adapt it to your own network..

    Complete Firewall

    / ip firewall mangle
    add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services
    add chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-services
    add chain=prerouting connection-state=new action=jump jump-target=other-services
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-connection new-connection-mark=ftp passthrough=no
    add chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-connection new-connection-mark=ssh passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-connection new-connection-mark=telnet passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp passthrough=no
    add chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop3 passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-connection new-connection-mark=auth passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-connection new-connection-mark=nntp passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-connection new-connection-mark=imap passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=https passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465 action=mark-connection new-connection-mark=smtps passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993 action=mark-connection new-connection-mark=imaps passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995 action=mark-connection new-connection-mark=pop3s passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723 action=mark-connection new-connection-mark=pptp passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=2379 action=mark-connection new-connection-mark=kgs passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3128 action=mark-connection new-connection-mark=proxy passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3389 action=mark-connection new-connection-mark=win-ts passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243 action=mark-connection new-connection-mark=emule passthrough=no
    add chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
    add chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901 action=mark-connection new-connection-mark=vnc passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669 action=mark-connection new-connection-mark=irc passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889 action=mark-connection new-connection-mark=bittorrent passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080 action=mark-connection new-connection-mark=http passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291 action=mark-connection new-connection-mark=winbox passthrough=no
    add chain=tcp-services protocol=tcp action=mark-connection new-connection-mark=other-tcp passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=123 action=mark-connection new-connection-mark=ntp passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701 action=mark-connection new-connection-mark=l2tp passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665 action=mark-connection new-connection-mark=emule passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672 action=mark-connection new-connection-mark=emule passthrough=no
    add chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053 action=mark-connection new-connection-mark=overnet passthrough=no
    add chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
    add chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535 action=mark-connection new-connection-mark=skype passthrough=no
    add chain=udp-services protocol=udp connection-state=new action=mark-connection new-connection-mark=other-udp passthrough=no
    add chain=other-services protocol=icmp icmp-options=8:0-255 action=mark-connection new-connection-mark=ping passthrough=no
    add chain=other-services protocol=gre action=mark-connection new-connection-mark=gre passthrough=no
    add chain=other-services action=mark-connection new-connection-mark=other passthrough=no

    Most generic invalid packet and port-scan detection techniques
    /ip firewall mangle
    add chain=prerouting in-interface=Public dst-address-list=nat-addr action=mark-packet new-packet-mark=nat-traversal passthrough=no
    / ip firewall address-list
    add list=illegal-addr address=0.0.0.0/8 comment="illegal addresses"
    add list=illegal-addr address=127.0.0.0/8
    add list=illegal-addr address=224.0.0.0/3
    add list=illegal-addr address=10.0.0.0/8
    add list=illegal-addr address=172.16.0.0/12
    add list=illegal-addr address=192.168.0.0/16
    add list=local-addr address=172.31.255.0/29 comment="my local network"
    add list=nat-addr address=172.31.255.0/29 comment="my local network"
    / ip firewall filter
    add chain=forward in-interface=Local out-interface=Local action=accept comment="Allow traffic between wired and wireless networks"
    / ip firewall filter
    add chain=forward action=jump jump-target=sanity-check comment="Sanity Check"
    add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal"
    add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block port scans"
    add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan"
    add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan"
    add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
    add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"
    add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"
    add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"
    add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"
    add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"
    add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes to multicast or broadcast addresses"
    add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!local action=jump jump-target=drop comment="Drop illegal destination addresses"
    add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"
    add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal source addresses"
    add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from public interface but not to local address"
    add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes from multicast or broadcast addresses"
    / ip firewall filter
    add chain=forward protocol=tcp action=jump jump-target=restrict-tcp
    add chain=forward protocol=udp action=jump jump-target=restrict-udp
    add chain=forward action=jump jump-target=restrict-ip
    add chain=restrict-tcp connection-mark=auth action=reject
    add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy"
    add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp
    add chain=smtp-first-drop src-address-list=approved-smtp action=return
    add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp
    add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable
    / ip firewall filter
    add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop
    add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop
    add chain=restrict-ip connection-mark=other action=jump jump-target=drop
    / ip firewall filter
    add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic \(between router applications\)"
    add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks"
    add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
    add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router itself, including all broadcast traffic"
    add chain=input connection-mark=ping limit=5,5 action=accept comment="Allow pings, but at a very limited rate \(5 per sec\)"
    add chain=input in-interface=Local action=jump jump-target=local-services comment="Allowing some services to be accessible from the local network"
    add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet"
    add chain=input action=jump jump-target=drop
    add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
    add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
    add chain=dhcp src-address-list=local-addr dst-address-type=local action=accept
    add chain=local-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
    add chain=local-services connection-mark=dns action=accept comment="DNS"
    add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy \(3128/TCP\)"
    add chain=local-services connection-mark=winbox action=accept comment="Winbox \(8291/TCP\)" disabled=no
    add chain=local-services action=drop comment="Drop Other Local Services"
    add chain=public-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
    add chain=public-services connection-mark=pptp action=accept comment="PPTP \(1723/TCP\)"
    add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP"
    add chain=public-services action=drop comment="Drop Other Public Services"


    Proxying everything
    / ip firewall nat
    add chain=dstnat in-interface=Local connection-mark=dns action=redirect comment="proxy for DNS requests"
    add chain=dstnat in-interface=Local connection-mark=http protocol=tcp action=redirect to-ports=3128 comment="proxy for HTTP requests"
    add chain=dstnat in-interface=Local connection-mark=ntp action=redirect comment="proxy for NTP requests"

    this is for those who want to run an NTP server; it's optional

    Enable Proxy servers
    / system ntp server
    set enabled=yes broadcast=no multicast=no manycast=no
    / system ntp client
    set enabled=yes mode=unicast primary-ntp=xxx.xxx.xxx.xxx secondary-ntp=0.0.0.0

    this is the standard transparent proxy and DNS setup

    / ip proxy
    set enabled=yes port=3128 parent-proxy=0.0.0.0:1 maximal-client-connections=1000 maximal-server-connections=1000
    / ip dns
    set primary-dns=yyy.yyy.yyy.yyy secondary-dns=0.0.0.0 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

    now this one is for fending off brute force via FTP/telnet as well as SSH

    Bruteforce login prevention (FTP & SSH)
    /ip firewall filter
    add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
    add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
    add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
    add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no



    If you want to ask questions, the door is open..hehehehe, it's good for sharing knowledge, isn't it?
    Last edited by mattnux; 21-02-2009 at 12:51.

#5 unavailabled (Member)
    Originally Posted by mattnux
    betul tuh mr rahwana hehe kurang actionnya

    nah buat yang lebih lengkapnya ini nih, tinggal di sesuaikan ma network masing2 ya..

    Firewall Komplit

    / ip firewall mangle
    add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-
    services
    add chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-
    services
    add chain=prerouting connection-state=new action=jump jump-target=other-services
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-
    connection new-connection-mark=ftp passthrough=no
    add chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-
    connection new-connection-mark=ssh passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-
    connection new-connection-mark=telnet passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-
    connection new-connection-mark=smtp passthrough=no
    add chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection
    new-connection-mark=dns passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-
    connection new-connection-mark=dns passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-
    connection new-connection-mark=http passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-
    connection new-connection-mark=pop3 passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-
    connection new-connection-mark=auth passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-
    connection new-connection-mark=nntp passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-
    connection new-connection-mark=imap passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162
    action=mark-connection new-connection-mark=snmp passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-
    connection new-connection-mark=https passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465 action=mark-
    connection new-connection-mark=smtps passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993 action=mark-
    connection new-connection-mark=imaps passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995 action=mark-
    connection new-connection-mark=pop3s passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723 action=mark-
    connection new-connection-mark=pptp passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=2379 action=mark-
    connection new-connection-mark=kgs passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3128 action=mark-
    connection new-connection-mark=proxy passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3389 action=mark-
    connection new-connection-mark=win-ts passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243
    action=mark-connection new-connection-mark=emule passthrough=no
    add chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535
    action=mark-connection new-connection-mark=overnet passthrough=no
    add chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535 action=mark-
    connection new-connection-mark=emule passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901
    action=mark-connection new-connection-mark=vnc passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669
    action=mark-connection new-connection-mark=irc passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889
    action=mark-connection new-connection-mark=bittorrent passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080 action=mark-
    connection new-connection-mark=http passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291 action=mark-
    connection new-connection-mark=winbox passthrough=no
    add chain=tcp-services protocol=tcp action=mark-connection new-connection-
    mark=other-tcp passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=53 action=mark-
    connection new-connection-mark=dns passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=123 action=mark-
    connection new-connection-mark=ntp passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701 action=mark-
    connection new-connection-mark=l2tp passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665 action=mark-
    connection new-connection-mark=emule passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672 action=mark-
    connection new-connection-mark=emule passthrough=no
    add chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535 action=mark-
    connection new-connection-mark=emule passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053 action=mark-
    connection new-connection-mark=overnet passthrough=no
    add chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535 action=mark-
    connection new-connection-mark=overnet passthrough=no
    add chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535 action=mark-
    connection new-connection-mark=skype passthrough=no
    add chain=udp-services protocol=udp connection-state=new action=mark-connection
    new-connection-mark=other-udp passthrough=no
    add chain=other-services protocol=icmp icmp-options=8:0-255 action=mark-connection
    new-connection-mark=ping passthrough=no
    add chain=other-services protocol=gre action=mark-connection new-connection-
    mark=gre passthrough=no
    add chain=other-services action=mark-connection new-connection-mark=other
    passthrough=no
    Most generic invalid packet and port-scan detection techniques
    /ip firewall mangle
    add chain=prerouting in-interface=Public dst-address-list=nat-addr action=mark-packet
    new-packet-mark=nat-traversal passthrough=no
    / ip firewall address-list
    add list=illegal-addr address=0.0.0.0/8 comment="illegal addresses"
    add list=illegal-addr address=127.0.0.0/8
    add list=illegal-addr address=224.0.0.0/3
    add list=illegal-addr address=10.0.0.0/8
    add list=illegal-addr address=172.16.0.0/12
    add list=illegal-addr address=192.168.0.0/16
    add list=local-addr address=172.31.255.0/29 comment="my local network"
    add list=nat-addr address=172.31.255.0/29 comment="my local network"
    / ip firewall filter
    add chain=forward in-interface=Local out-interface=Local action=accept
    comment="Allow traffic between wired and wireless networks"
    / ip firewall filter
    add chain=forward action=jump jump-target=sanity-check comment="Sanity Check"
    add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop
    comment="Deny illegal NAT traversal"
    add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list
    address-list=blocked-addr address-list-timeout=1d comment="Block port scans"
    add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-
    to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP
    Null scan"
    add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-
    src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block
    TCP Xmas scan"
    add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-
    target=drop
    add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop
    comment="Drop TCP RST"
    add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop
    comment="Drop TCP SYN+FIN"
    add chain=sanity-check connection-state=invalid action=jump jump-target=drop
    comment="Dropping invalid connections at once"
    add chain=sanity-check connection-state=established action=accept
    comment="Accepting already established connections"
    add chain=sanity-check connection-state=related action=accept comment="Also
    accepting related connections"
    add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-
    target=drop comment="Drop all traffic that goes to multicast or broadcast addresses"
    add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-
    type=!local action=jump jump-target=drop comment="Drop illegal destination
    addresses"
    add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump
    jump-target=drop comment="Drop everything that goes from local interface but not from
    local address"
    add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump
    jump-target=drop comment="Drop illegal source addresses"
    add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump
    jump-target=drop comment="Drop everything that goes from public interface but not to
    local address"
    add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-
    target=drop comment="Drop all traffic that goes from multicast or broadcast addresses"
    / ip firewall filter
    add chain=forward protocol=tcp action=jump jump-target=restrict-tcp
    add chain=forward protocol=udp action=jump jump-target=restrict-udp
    add chain=forward action=jump jump-target=restrict-ip
    add chain=restrict-tcp connection-mark=auth action=reject
    add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop
    comment="anti-spam policy"
    add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list
    address-list=approved-smtp
    add chain=smtp-first-drop src-address-list=approved-smtp action=return
    add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp
    add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable
    / ip firewall filter
    add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop
    add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop
    add chain=restrict-ip connection-mark=other action=jump jump-target=drop
    / ip firewall filter
    add chain=input src-address-type=local dst-address-type=local action=accept
    comment="Allow local traffic \(between router applications\)"
    add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump
    jump-target=dhcp comment="DHCP protocol would not pass sanity checking, so
    enabling it explicitly before other checks"
    add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
    add chain=input dst-address-type=!local action=jump jump-target=drop
    comment="Dropping packets not destined to the router itself, including all broadcast
    traffic"
    add chain=input connection-mark=ping limit=5,5 action=accept comment="Allow pings,
    but at a very limited rate \(5 per sec\)"
    add chain=input in-interface=Local action=jump jump-target=local-services
    comment="Allowing some services to be accessible from the local network"
    add chain=input in-interface=Public action=jump jump-target=public-services
    comment="Allowing some services to be accessible from the Internet"
    add chain=input action=jump jump-target=drop
    add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
    add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
    add chain=dhcp src-address-list=local-addr dst-address-type=local action=accept
    add chain=local-services connection-mark=ssh action=accept comment="SSH
    \(22/TCP\)"
    add chain=local-services connection-mark=dns action=accept comment="DNS"
    add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy
    \(3128/TCP\)"
    add chain=local-services connection-mark=winbox comment="Winbox \(8291/TCP\)"
    disabled=no
    add chain=local-services action=drop comment="Drop Other Local Services"
    add chain=public-services connection-mark=ssh action=accept comment="SSH
    \(22/TCP\)"
    add chain=public-services connection-mark=pptp action=accept comment="PPTP
    \(1723/TCP\)"
    add chain=public-services connection-mark=gre action=accept comment="GRE for
    PPTP"
    add chain=public-services action=drop comment="Drop Other Public Services"


    Proxying everything
    / ip firewall nat
    add chain=dstnat in-interface=Local connection-mark=dns action=redirect
    comment="proxy for DNS requests"
    add chain=dstnat in-interface=Local connection-mark=http protocol=tcp action=redirect
    to-ports=3128 comment="proxy for HTTP requests"
    add chain=dstnat in-interface=Local connection-mark=ntp action=redirect
    comment="proxy for NTP requests"

    ini buat yang mau pake ntp server, optional koq

    Enable Proxy servers
    / system ntp server
    set enabled=yes broadcast=no multicast=no manycast=no
    / system ntp client
    set enabled=yes mode=unicast primary-ntp=xxx.xxx.xxx.xxx secondary-ntp=0.0.0.0

    ini standar transparan proxy, dns

    / ip proxy
    set enabled=yes port=3128 parent-proxy=0.0.0.0:1 maximal-client-connections=1000 maximal-server-connections=1000
    / ip dns
    set primary-dns=yyy.yyy.yyy.yyy secondary-dns=0.0.0.0 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

    Now this one is for fending off brute force over FTP/telnet as well as SSH.

    Bruteforce login prevention (FTP & SSH)
    /ip firewall filter
    add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
    add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
    add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
    add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no



    If you want to ask questions, the floor is open.. hehehehe, it's good for sharing knowledge, right?
    There are so many virus ports

  6. #6 Akangage (Administrator, Daerah Khusus Ibukota Jakarta, Indonesia):
    Whoa........... that's long!! Reading it makes my head spin!!! Keep posting, bro

  7. #7 unavailabled (Member):
    Originally Posted by d3v4:
    Let me answer..

    1. I'll just give one example..
    /ip firewall filter dst-port=21 src-address=192.168.10.20 chain=forward

    2. and 3.

    use the web proxy
    the manual is at
    If it's for all computers, would it be like this, boss?

    Code:
    /ip firewall filter add chain=forward protocol=tcp dst-port=21 src-address=192.168.10.0/24 action=drop

  8. #8 mikroseek (Newbie):
    Wow, looking at these rules, they look similar to Dmitry's and the sanity check

  9. #9 mikroseek (Newbie):
    I tested these rules and installed all of them on an RB433AH. If the bottom-most rule of
    "Protecting the router" is enabled, nothing can connect at all, but if it's disabled it can connect,
    it's just that some of the rules above it don't work, right?

  10. #10 yosanpro (Co-Admin, Bantul, Yogyakarta):
    Originally Posted by mikroseek:
    I tested these rules and installed all of them on an RB433AH. If the bottom-most rule of
    "Protecting the router" is enabled, nothing can connect at all, but if it's disabled it can connect,
    it's just that some of the rules above it don't work, right?
    That means the rules above it still don't match the conditions of your network, bro. Don't just take it as a raw copy-paste; adapt it to the conditions of your network.

    The logic is that it allows the traffic that matches its rules, and at the bottom (the protecting-the-router rule) it REJECTS everything that doesn't match. So if the rejecting part is disabled, the rules above it are meaningless, and if it's enabled but nothing matches the rules above it, then automatically all traffic is rejected instead.
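As an added example (not code from any post in this thread, and not MikroTik's own), here is a small Python model of how a RouterOS filter chain is walked: rules are checked top to bottom, the first terminating match (accept/drop) decides, and `add-src-to-address-list` entries expire after their timeout. It serves two passages at once: the staged SSH brute-force rules in the long config post above, and yosanpro's point that the final drop in "Protecting the router" is what gives the accept rules above it any meaning. The evaluator itself, the simplification of matching on dst-port instead of the posts' connection-marks, the attacker address 203.0.113.7 and every timestamp are assumptions constructed for the demo.

```python
"""Model of RouterOS first-match filter evaluation with timed address lists.

Added example for this thread, not code from the forum posts or from
MikroTik. Rules match on dst-port rather than connection-mark to keep the
model small; packets, addresses and timestamps are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                        # accept | drop | add-src-to-address-list
    dst_port: Optional[int] = None     # protocol=tcp dst-port=N
    src_list: Optional[str] = None     # src-address-list=NAME
    new_only: bool = False             # connection-state=new
    target_list: Optional[str] = None  # address-list=NAME (for add-src-...)
    timeout: float = 0.0               # address-list-timeout, in seconds
    disabled: bool = False             # disabled=yes


class Chain:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}   # list name -> {address: expiry time}

    def in_list(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        if expiry is None:
            return False
        if expiry <= now:              # RouterOS removes the entry on expiry
            del self.lists[name][addr]
            return False
        return True

    def evaluate(self, src, dst_port, now, new=True):
        """Return 'accept' or 'drop' for one packet, applying side effects."""
        for r in self.rules:
            if r.disabled:
                continue
            if r.dst_port is not None and r.dst_port != dst_port:
                continue
            if r.new_only and not new:
                continue
            if r.src_list is not None and not self.in_list(r.src_list, src, now):
                continue
            if r.action == "add-src-to-address-list":
                # Modelled as non-terminating: record the address (re-adding
                # refreshes the expiry here) and keep walking the chain.
                self.lists.setdefault(r.target_list, {})[src] = now + r.timeout
                continue
            return r.action
        return "accept"   # a chain with no matching terminating rule accepts


def ssh_bruteforce_chain():
    """The staged SSH rules from the post, in the same order."""
    def stage(src_list, target, timeout):
        return Rule("add-src-to-address-list", dst_port=22, new_only=True,
                    src_list=src_list, target_list=target, timeout=timeout)
    return Chain([
        Rule("drop", dst_port=22, src_list="ssh_blacklist"),
        stage("ssh_stage3", "ssh_blacklist", 10 * 24 * 3600),   # 10d
        stage("ssh_stage2", "ssh_stage3", 60),                   # 1m
        stage("ssh_stage1", "ssh_stage2", 60),                   # 1m
        stage(None, "ssh_stage1", 60),                           # 1m
    ])


def ssh_attempts(times, src="203.0.113.7"):
    """Verdict for each new SSH connection from src at the given times (s)."""
    chain = ssh_bruteforce_chain()
    return [chain.evaluate(src, 22, t) for t in times]


def local_services_chain(drop_enabled=True, ssh_port=22):
    """Accept list plus final catch-all drop, the pattern post #10 explains."""
    return Chain([
        Rule("accept", dst_port=ssh_port),
        Rule("accept", dst_port=53),
        Rule("drop", disabled=not drop_enabled),
    ])


def local_services_verdicts(drop_enabled=True, ssh_port=22):
    chain = local_services_chain(drop_enabled, ssh_port)
    return {p: chain.evaluate("192.168.10.21", p, 0) for p in (22, 53, 8080)}


if __name__ == "__main__":
    print(ssh_attempts([0, 10, 20, 30, 40]))          # 4 quick tries, 5th dropped
    print(ssh_attempts([0, 70, 140, 210, 280]))       # >1m apart: never escalates
    print(local_services_verdicts())                  # 8080 dropped, 22/53 accepted
    print(local_services_verdicts(drop_enabled=False))  # final drop off: all accepted
    print(local_services_verdicts(ssh_port=2222))     # accept rule mismatch: 22 dropped
```

Two things the model makes visible that the rule listing alone does not: an attacker who spaces attempts more than a minute apart never climbs past ssh_stage1, so the 1m timeouts only catch fast scanners, and a legitimate admin who opens four SSH sessions inside a minute is blacklisted for ten days just the same, which is why the trusted source should be accepted before these rules. The second function reproduces mikroseek's symptom: with the final drop disabled every port is accepted, and with it enabled but the accept rule written for the wrong port, even SSH is dropped.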
