  1. #1 mrymodion (New Member, joined Oct 2007)

    [ask] DNS server error when accessed over the internet

    Hello, I use a MikroTik as the gateway and forward DNS port 53 to an Ubuntu Linux server. When tested locally the DNS works. The domain is registered at register.net.id, and its IP and DNS have been pointed at the public IP.

    Here is the firewall setup:
    Code:
    / ip firewall nat 
    add chain=srcnat out-interface=SPEEDY action=src-nat \
        to-addresses=xxx.xxx.xxx.xxx to-ports=0-65535 comment="CLIENT BISA I-NET" \
        disabled=no 
    add chain=srcnat out-interface=LAN src-address=192.168.0.0/24 action=src-nat \
        to-addresses=192.168.0.1 to-ports=0-65535 comment="LOCAL BISA FORWARD IP \
        STATIS" disabled=no 
    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=53 \
        action=dst-nat to-addresses=192.168.0.95 to-ports=53 comment="FORWARD DNS \
        \(TCP\)" disabled=no 
    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=udp dst-port=53 \
        action=dst-nat to-addresses=192.168.0.95 to-ports=53 comment="FORWARD DNS \
        \(UDP\)" disabled=no
    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=80 \
        action=dst-nat to-addresses=192.168.0.95 to-ports=80 comment="FORWARD \
        HTTP" disabled=no 
    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=25 \
        action=dst-nat to-addresses=192.168.0.95 to-ports=25 comment="FORWARD SMTP \
        \(TCP\)" disabled=no
    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=udp dst-port=25 \
        action=dst-nat to-addresses=192.168.0.95 to-ports=25 comment="FORWARD SMTP \
        \(UDP\)" disabled=no 
    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=2222 \
        action=dst-nat to-addresses=192.168.0.95 to-ports=22 comment="FORWARD SSH" \
        disabled=no 
    / ip firewall filter 
    add chain=input protocol=tcp dst-port=53 action=accept comment="Allow DNS" \
        disabled=no 
    add chain=input protocol=udp dst-port=53 action=accept comment="Allow DNS" \
        disabled=no 
    add chain=input protocol=tcp dst-port=953 action=accept comment="Allow RNDC" \
        disabled=no 
    add chain=input protocol=tcp dst-port=1723 action=accept comment="VPN" \
        disabled=no 
    add chain=input protocol=tcp dst-port=47 action=accept comment="VPN" \
        disabled=no 
    add chain=input protocol=tcp dst-port=8291 action=accept comment="Allow \
        WINBOX" disabled=no 
    add chain=input protocol=tcp dst-port=80 action=accept comment="Allow WEB" \
        disabled=no 
    add chain=input protocol=tcp dst-port=25 action=accept comment="Allow SMTP" \
        disabled=no 
    add chain=input protocol=udp dst-port=25 action=accept comment="Allow SMTP" \
        disabled=no 
    add chain=input connection-state=invalid action=drop comment="Drop Invalid \
        connections" disabled=no 
    add chain=input src-address=!192.168.0.0/24 protocol=tcp src-port=1024-65535 \
        dst-port=8888 action=drop comment="Block to Proxy" disabled=no 
    add chain=input protocol=udp dst-port=12667 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=udp dst-port=27665 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=udp dst-port=31335 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=udp dst-port=27444 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=udp dst-port=34555 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=udp dst-port=35555 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=tcp dst-port=27444 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=tcp dst-port=27665 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=tcp dst-port=31335 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=tcp dst-port=31846 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=tcp dst-port=34555 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input protocol=tcp dst-port=35555 action=drop comment="Trinoo" \
        disabled=no 
    add chain=input connection-state=established action=accept comment="Allow \
        Established connections" disabled=no 
    add chain=input connection-state=related action=accept comment="Allow \
        Established connections" disabled=no 
    add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no 
    add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no 
    add chain=input src-address=192.168.0.0/24 action=accept comment="Allow access \
        to router from known network" disabled=no 
    add chain=input action=drop comment="Drop anything else" disabled=no 
    add chain=forward protocol=tcp connection-state=invalid action=drop \
        comment="drop invalid connections" disabled=no 
    add chain=forward connection-state=established action=accept comment="allow \
        already established connections" disabled=no 
    add chain=forward connection-state=related action=accept comment="allow \
        related connections" disabled=no 
    add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no 
    add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no 
    add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no 
    add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no 
    add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no 
    add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no 
    add chain=forward protocol=tcp action=jump jump-target=tcp comment="" \
        disabled=no 
    add chain=forward protocol=udp action=jump jump-target=udp comment="" \
        disabled=no 
    add chain=forward protocol=icmp action=jump jump-target=icmp comment="" \
        disabled=no 
    add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" \
        disabled=no 
    add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC \
        portmapper" disabled=no 
    add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC \
        portmapper" disabled=no 
    add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" \
        disabled=no 
    add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" \
        disabled=no 
    add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" \
        disabled=no 
    add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny \
        NetBus" disabled=no 
    add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" \
        disabled=no 
    add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny \
        BackOriffice" disabled=no 
    add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" \
        disabled=no 
    add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" \
        disabled=no 
    add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC \
        portmapper" disabled=no 
    add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC \
        portmapper" disabled=no 
    add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" \
        disabled=no 
    add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" \
        disabled=no 
    add chain=udp protocol=udp dst-port=3133 action=drop comment="deny \
        BackOriffice" disabled=no 
    add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
        address-list="port scanners" address-list-timeout=2w comment="Port \
        scanners to list " disabled=no 
    add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
        action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no 
    add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
        address-list="port scanners" address-list-timeout=2w comment="SYN/FIN \
        scan" disabled=no 
    add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
        address-list="port scanners" address-list-timeout=2w comment="SYN/RST \
        scan" disabled=no 
    add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
        action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no 
    add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
        action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w comment="ALL/ALL scan" disabled=no 
    add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
        action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w comment="NMAP NULL scan" disabled=no 
    add chain=input src-address-list="port scanners" action=drop comment="dropping \
        port scanners" disabled=no 
    add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop \
        invalid connections" disabled=no 
    add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow \
        established connections" disabled=no 
    add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow \
        already established connections" disabled=no 
    add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow \
        source quench" disabled=no 
    add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow \
        echo request" disabled=no 
    add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow \
        time exceed" disabled=no 
    add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow \
        parameter bad" disabled=no 
    add chain=icmp action=drop comment="deny all other types" disabled=no
    Help please.

  2. #2 d3v4 (Forum Guru, joined Jul 2007)
    So you mean the server is placed behind the MikroTik with a local IP, it is given a domain, and the IP registered for the domain is set to that public IP, right?

    That means:

    internet --- mikrotik --- web server
                     |
                     |--- client

    Let's look at the firewall:

    / ip firewall nat
    add chain=srcnat out-interface=SPEEDY action=src-nat \
    to-addresses=xxx.xxx.xxx.xxx to-ports=0-65535 comment="CLIENT BISA I-NET" \
    disabled=no
    This is NAT from inside to public; looks OK.

    add chain=srcnat out-interface=LAN src-address=192.168.0.0/24 action=src-nat \
    to-addresses=192.168.0.1 to-ports=0-65535 comment="LOCAL BISA FORWARD IP \
    STATIS" disabled=no
    What is this meant to do? Forward an IP to where? It seems useless, just remove it. Or is there another purpose?

    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=192.168.0.95 to-ports=53 comment="FORWARD DNS \
    \(TCP\)" disabled=no
    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=udp dst-port=53 \
    action=dst-nat to-addresses=192.168.0.95 to-ports=53 comment="FORWARD DNS \
    \(UDP\)" disabled=no
    This redirects DNS from the client to the public DNS server IP. Looks OK.

    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.0.95 to-ports=80 comment="FORWARD \
    HTTP" disabled=no
    This redirects web requests for the public IP registered at register-id to the internal local IP, right? Looks OK.

    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=192.168.0.95 to-ports=25 comment="FORWARD SMTP \
    \(TCP\)" disabled=no
    This looks like it redirects email to the mail server inside, right? Also looks OK.

    add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=2222 \
    action=dst-nat to-addresses=192.168.0.95 to-ports=22 comment="FORWARD SSH" \
    disabled=no
    Wow, SSH is redirected too. Doesn't seem to be a problem.

    Now on to the firewall:
    /ip firewall filter
    add chain=input protocol=tcp dst-port=53 action=accept comment="Allow DNS" \
    disabled=no
    add chain=input protocol=udp dst-port=53 action=accept comment="Allow DNS" \
    disabled=no
    add chain=input protocol=tcp dst-port=953 action=accept comment="Allow RNDC" \
    disabled=no
    add chain=input protocol=tcp dst-port=1723 action=accept comment="VPN" \
    disabled=no
    add chain=input protocol=tcp dst-port=47 action=accept comment="VPN" \
    disabled=no
    add chain=input protocol=tcp dst-port=8291 action=accept comment="Allow \
    WINBOX" disabled=no
    add chain=input protocol=tcp dst-port=80 action=accept comment="Allow WEB" \
    disabled=no
    add chain=input protocol=tcp dst-port=25 action=accept comment="Allow SMTP" \
    disabled=no
    add chain=input protocol=udp dst-port=25 action=accept comment="Allow SMTP" \
    disabled=no
    add chain=input connection-state=invalid action=drop comment="Drop Invalid \
    connections" disabled=no
    add chain=input src-address=!192.168.0.0/24 protocol=tcp src-port=1024-65535 \
    dst-port=8888 action=drop comment="Block to Proxy" disabled=no
    add chain=input protocol=udp dst-port=12667 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=udp dst-port=27665 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=udp dst-port=31335 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=udp dst-port=27444 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=udp dst-port=34555 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=udp dst-port=35555 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=tcp dst-port=27444 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=tcp dst-port=27665 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=tcp dst-port=31335 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=tcp dst-port=31846 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=tcp dst-port=34555 action=drop comment="Trinoo" \
    disabled=no
    add chain=input protocol=tcp dst-port=35555 action=drop comment="Trinoo" \
    disabled=no
    add chain=input connection-state=established action=accept comment="Allow \
    Established connections" disabled=no
    add chain=input connection-state=related action=accept comment="Allow \
    Established connections" disabled=no
    add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
    add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
    add chain=input src-address=192.168.0.0/24 action=accept comment="Allow access \
    to router from known network" disabled=no
    add chain=input action=drop comment="Drop anything else" disabled=no
    In the input chain there seems to be nothing that blocks web traffic from public to local.

    add chain=forward protocol=tcp connection-state=invalid action=drop \
    comment="drop invalid connections" disabled=no
    add chain=forward connection-state=established action=accept comment="allow \
    already established connections" disabled=no
    add chain=forward connection-state=related action=accept comment="allow \
    related connections" disabled=no
    add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
    add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
    add chain=forward protocol=tcp action=jump jump-target=tcp comment="" \
    disabled=no
    add chain=forward protocol=udp action=jump jump-target=udp comment="" \
    disabled=no
    add chain=forward protocol=icmp action=jump jump-target=icmp comment="" \
    disabled=no
    The forward chain is also fine.


    add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" \
    disabled=no
    add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC \
    portmapper" disabled=no
    ...

    chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow \
    parameter bad" disabled=no
    add chain=icmp action=drop comment="deny all other types" disabled=no
    This firewall is the one from MikroTik with the tcp, udp and icmp chains. Looks ordinary.

    In conclusion...

    1. Try using it to check whether your domain already resolves from the internet; the register-id from PANDI is usually a bit crazy.

    2. Try testing resolution with ping from outside, for example:


    Fill in your domain name, for example, then try ping or trace. Does it reach the public IP or not?

    Good luck.
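    As an added example (not from the thread or from MikroTik), here is a small Python walk-through of filter rules in the RouterOS export format posted above: it joins the backslash-continued lines, parses each "add" into its matchers, and reports which rule first decides a packet, following jumps into the tcp/udp chains. The rule subset is constructed from the thread's export; 203.0.113.9 is a placeholder internet address.

```python
import ipaddress
import re

# Constructed subset of the "/ip firewall filter" export in the thread, in the
# same syntax (a trailing backslash continues a rule on the next line).
SAMPLE_FILTER = r'''
add chain=input protocol=tcp dst-port=53 action=accept comment="Allow DNS" \
    disabled=no
add chain=input protocol=udp dst-port=53 action=accept comment="Allow DNS" \
    disabled=no
add chain=input src-address=!192.168.0.0/24 protocol=tcp src-port=1024-65535 \
    dst-port=8888 action=drop comment="Block to Proxy" disabled=no
add chain=input src-address=192.168.0.0/24 action=accept disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp disabled=no
add chain=forward protocol=udp action=jump jump-target=udp disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
'''

_KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_rules(text):
    """Join continuation lines and turn every 'add ...' line into a dict."""
    rules = []
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        if line.strip().startswith("add "):
            rules.append({k: v.strip('"') for k, v in _KV.findall(line.strip()[4:])})
    return rules

def _in_ports(spec, port):
    # "53", "137-139" or "67,68": any listed port or range matches
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def _in_net(spec, addr):
    # a leading "!" negates the match, as in src-address=!192.168.0.0/24
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def rule_matches(rule, pkt):
    """pkt keys: protocol, src, dst, src_port, dst_port, state. Matchers not
    modelled here (tcp-flags, psd, icmp-options, ...) count as matching."""
    checks = {"protocol": lambda v: v == pkt["protocol"],
              "src-address": lambda v: _in_net(v, pkt["src"]),
              "dst-address": lambda v: _in_net(v, pkt["dst"]),
              "src-port": lambda v: _in_ports(v, pkt["src_port"]),
              "dst-port": lambda v: _in_ports(v, pkt["dst_port"]),
              "connection-state": lambda v: v == pkt["state"]}
    return rule.get("disabled") != "yes" and all(
        ok(rule[key]) for key, ok in checks.items() if key in rule)

def evaluate(rules, chain, pkt):
    """First matching rule decides; a jump comes back here if its chain falls
    through. None = no rule matched, which RouterOS treats as pass."""
    for rule in rules:
        if rule.get("chain") != chain or not rule_matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = evaluate(rules, rule["jump-target"], pkt)
            if verdict is not None:
                return verdict
            continue
        return rule["action"]
    return None
```

    Note that a DNS packet dst-nat'd to 192.168.0.95 is judged by the forward chain, not by the "Allow DNS" input rules, which only cover DNS served by the router itself.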

  3. #3 mrymodion (New Member, joined Oct 2007)

    If I point it at another NS the domain works, but when pointed at the public IP it won't. When tested with a DNS tool it doesn't work either, since it can't be pinged. Could it be because it used to work before I changed the public IP? When the public IP was changed the MikroTik was reinstalled. >.< thanks...

  4. #4 d3v4 (Forum Guru, joined Jul 2007)

    Originally Posted by mrymodion:
    If I point it at another NS the domain works, but when pointed at the public IP it won't. When tested with a DNS tool it doesn't work either, since it can't be pinged. Could it be because it used to work before I changed the public IP? When the public IP was changed the MikroTik was reinstalled. >.< thanks...

    If you still can't ping by hostname (like the ping example), it means your public IP hasn't been resolved to a name yet.

    Usually what you fill in at the registrar is the NS IP (alias DNS server), for example ns1.dodol.org = IP so-and-so, and ns2.dodol.org = IP so-and-so.

    Then it is that DNS server that points where mail.dodol.org and the other subdomains go. So the problem is not the PUBLIC IP or the firewall, but the DNS (resolving) configuration.
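    To check the point above from outside, here is an added example (not from the thread) that builds a raw DNS query, sends it over UDP/53 straight to a chosen server IP and decodes the reply. Asking the public IP directly separates "port 53 never reaches the server" (timeout) from "the server answers but is not authoritative for the name" (AA flag clear or NXDOMAIN). The names and 203.0.113.x addresses are placeholders.

```python
import socket
import struct

def build_query(name, qtype, txid=0x1234):
    """Standard recursion-desired query; qtype 1 = A, 2 = NS, 15 = MX."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(data):
    """Return (rcode, authoritative, [(name, type, rdata), ...]) from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1:                        # A: four raw bytes
            rdata = ".".join(str(b) for b in data[off:off + 4])
        elif rtype in (2, 5):                 # NS / CNAME: a name
            rdata, _ = _read_name(data, off)
        else:
            rdata = data[off:off + rdlen].hex()
        answers.append((name, rtype, rdata))
        off += rdlen
    return flags & 0xF, bool(flags & 0x0400), answers

def ask(server_ip, name, qtype=1, timeout=3.0):
    """Send one query over UDP/53 directly to server_ip (e.g. the public IP that
    is dst-nat'd to 192.168.0.95), bypassing the registry delegation entirely."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server_ip, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)
```

    If ask() times out, the dst-nat or the forward chain is dropping port 53; if it answers with authoritative set but public resolvers still fail, the NS records at the registrar are what need fixing.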

  5. #5 mrymodion (New Member, joined Oct 2007)

    Whoa, thanks everyone. It works now after switching to another domain. Thanks.

  6. #6 d3v4 (Forum Guru, joined Jul 2007)

    Top.
    The important thing is to understand the principle.
