Sunday, 27 April 2008

VNET2: TUN/TAP

TUN/TAP is one way to build a virtual point-to-point network between a Linux host and a UML (User Mode Linux) guest.

Here we will connect the host Jawa (IP=10.0.1.254) with the UML guest merapi (IP=10.0.1.1). To do this, log in as an ordinary user on the host, start the GUI, and open a terminal.


* LAUNCH THE UML WITH TUN/TAP
Launch the merapi UML (COW image) as follows

tux@jawa:$ linux ubd0=merapi.cow eth0=tuntap,,,10.0.1.254 &

## Note the syntax
## eth0 = device name inside the UML
## tuntap = connection type
## 10.0.1.254 = IP address of the host

* CONFIGURE THE UML NETWORK
Once the UML is running, log in as root. Then we can configure its networking with netconfig

## The manual way
root@uml:$ ifconfig eth0 10.0.1.1 netmask 255.255.255.0 up

## The permanent way on Vector Linux/Slackware
root@uml:$ netconfig

## Just follow the menus and fill in
## Name = merapi
## domain = vnet
## IP type = static
## IP = 10.0.1.1
## Netmask = 255.255.255.0
## Gateway = 10.0.1.254
## DNS = 10.0.1.254 (host Jawa, if it runs DNS)

## When done, reboot, or run
root@uml:# /etc/rc.d/rc.inet1

## Check the network
root@uml# ifconfig
eth0 Link encap:Ethernet HWaddr FE:FD:0A:00:01:01
inet addr:10.0.1.1 Bcast:10.0.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:5

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:252 (252.0 b) TX bytes:252 (252.0 b)

There we can see that the eth0 interface is UP.

* CHECK THE HOST NETWORK
With the UML running, open another terminal to check that the host network is ready, as follows.

## become superuser
tux@jawa:$ su
password: ******

root@jawa:# ifconfig
eth0 Link encap:Ethernet HWaddr 00:20:ED:77:A5:B1
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:116 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:23515 (22.9 Kb)
Interrupt:11 Base address:0xc000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

tap0 Link encap:Ethernet HWaddr 00:FF:5E:F3:51:5B
inet addr:10.0.1.254 Bcast:10.255.255.255 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

We can see that the host has a tap0 device that is UP with IP 10.0.1.254. We can also see that the host has eth0. That is the real device connected to the real (office) network; just ignore this eth0.

* TESTING FROM THE UML
Try ...

## Ping test (the target is the host's tap0 address, 10.0.1.254)
root@merapi:# ping -c 3 10.0.1.254
PING 10.0.1.254 (10.0.1.254): 56 octets data
64 octets from 10.0.1.254: icmp_seq=0 ttl=64 time=0.3 ms
64 octets from 10.0.1.254: icmp_seq=1 ttl=64 time=0.3 ms
64 octets from 10.0.1.254: icmp_seq=2 ttl=64 time=0.3 ms

--- 10.0.1.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms

## Ping OK, so the network is connected
## Test remote login from the UML to the host
root@merapi:# ssh tux@10.0.1.254
The authenticity of host '10.0.1.254 (10.0.1.254)' can't be established.
RSA key fingerprint is ec:80:09:da:90:da:a9:08:14:33:b6:d6:54:10:3d:03.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.254' (RSA) to the list of known hosts.
tux@10.0.1.254's password:
Linux 2.4.24-win4lin. Type vasm to enter setup menu.
tux@jawa:$

## Yohoo ... we are on host Jawa
## That SSH response is normal for a first connection
## Later connections will not ask about the RSA key again

For those who don't know yet, ssh is a client for remote login to unix hosts (Linux, FreeBSD, MacOS, etc.). It is the more secure replacement for telnet.

* THE OTHER WAY, FROM THE HOST
Try ...

tux@jawa:$ ping -c 3 10.0.1.1
PING 10.0.1.1 (10.0.1.1): 56 octets data
64 octets from 10.0.1.1: icmp_seq=0 ttl=64 time=0.2 ms
64 octets from 10.0.1.1: icmp_seq=1 ttl=64 time=0.2 ms
64 octets from 10.0.1.1: icmp_seq=2 ttl=64 time=0.2 ms

--- 10.0.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms

## Connection OK
## now try remote login
tux@jawa:$ ssh root@10.0.1.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ec:80:09:da:90:da:a9:08:14:33:b6:d6:54:10:3d:03.
Please contact your system administrator.
Add correct host key in /home/tux/.ssh/known_hosts to get rid of this message.
Offending key in /home/tux/.ssh/known_hosts:5
RSA host key for 10.0.1.1 has changed and you have requested strict checking.
Host key verification failed.

Whoa ... what's that? Relax, that is SSH's normal response when the machine at 10.0.1.1 has changed. When we play around with UML, this happens all the time. Let's fix it ...

## Check the contents of $HOME/.ssh/known_hosts
tux@jawa:$ cat ~/.ssh/known_hosts
localhost ssh-rsa AAAAB3NzaC1yc2EAAAABIw... (truncated)
papua.vnet,10.0.0.5 ssh-rsa AAAAB3NzaC1y... (truncated)
10.0.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwA... (truncated)

## So 10.0.1.1 already has an old entry.
## Just delete that 10.0.1.1 line with an editor
## or the hacker way (anchor the pattern so that 10.0.1.10 and friends survive,
## and write through a temporary file: redirecting straight back into
## known_hosts would truncate it before grep gets to read it) ...
tux@jawa:$ grep -v '^10\.0\.1\.1 ' ~/.ssh/known_hosts > ~/.ssh/known_hosts.new && mv ~/.ssh/known_hosts.new ~/.ssh/known_hosts

## or the brute-force way :)
tux@jawa:$ rm ~/.ssh/known_hosts

## Try SSH again
tux@jawa:$ ssh root@10.0.1.1
The authenticity of host '10.0.1.1 (10.0.1.1)' can't be established.
RSA key fingerprint is ec:80:09:da:90:da:a9:08:14:33:b6:d6:54:10:3d:03.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.1' (RSA) to the list of known hosts.
root@10.0.1.1's password: *****
Linux 2.4.22. Type vasm to enter setup menu.
root@merapi:#

## Feel free to play around in the console
## When you're done, log out
root@merapi:# exit
logout
Connection to 10.0.1.1 closed.
tux@jawa#
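Removing only the stale entry instead of the whole file, as an added example that is not part of the original article: a POSIX sh function that drops the known_hosts lines for one host (including the name,ip alias form) through a temporary file. It is tried here on a constructed copy of the file shown above, with placeholder key material and one extra neighbour entry, 10.0.1.10, which an unanchored grep -v 10.0.1.1 would also delete.

```shell
#!/bin/sh
# Added example, not from the original article.  Remove the known_hosts
# entries for one host without wiping the whole file (and without the
# unanchored "grep -v 10.0.1.1" that also drops 10.0.1.10, 10.0.1.11, ...).
set -e

# make_sample: build a constructed known_hosts file modelled on the one in
# the article; the key material is placeholder text, not real keys.  Prints
# the path of the temp file.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
localhost ssh-rsa AAAAB3NzaC1yc2EAAAABIw-PLACEHOLDER-KEY
papua.vnet,10.0.0.5 ssh-rsa AAAAB3NzaC1y-PLACEHOLDER-KEY
10.0.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwA-PLACEHOLDER-KEY
10.0.1.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwA-PLACEHOLDER-KEY
EOF
    echo "$f"
}

# forget_host HOST FILE: delete every line whose host field names HOST,
# alone or as one of the comma-separated aliases OpenSSH writes when it
# learned both a name and an address ("papua.vnet,10.0.0.5").  Prints the
# number of lines removed.  Hashed entries (lines starting with |1|) cannot
# be matched this way; use "ssh-keygen -R HOST" for those.
forget_host() {
    host=$1
    file=$2
    # escape the dots so 10.0.1.1 does not also match 10a0b1c1, and require
    # a space after the host field so 10.0.1.1 does not match 10.0.1.10
    esc=$(printf '%s' "$host" | sed 's/[.]/\\./g')
    re="^([^ ]*,)?${esc}(,[^ ]*)? "
    tmp=$(mktemp)
    # write through a temp file: "grep ... > FILE" would truncate FILE
    # before grep reads it.  grep exits 1 when no line survives; that is
    # not an error here.
    grep -v -E "$re" "$file" > "$tmp" || [ $? -eq 1 ]
    removed=$(( $(wc -l < "$file") - $(wc -l < "$tmp") ))
    mv "$tmp" "$file"
    echo "$removed"
}

# demonstration on the constructed sample
sample=$(make_sample)
n=$(forget_host 10.0.1.1 "$sample")
echo "removed $n line(s) for 10.0.1.1; remaining entries:"
cat "$sample"
rm -f "$sample"
```

OpenSSH's own `ssh-keygen -R 10.0.1.1` performs the same removal (and keeps a known_hosts.old backup), which is the tool to reach for on a real system.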

All done. Our TUN/TAP network is working. You can try various clients from Merapi yourself to reach servers on Jawa (if they are running), for example:

1. dig or nslookup, if host Jawa runs DNS (bind).
2. lynx to access HTTP (apache)
3. ftp to access an FTP server (ProFTP).
4. smbclient to access SAMBA (smbd, nmbd).


Linux for Windows

Can you imagine running Linux on Windows? You could use the supposedly user-friendly Windows applications while keeping a virtual Linux around for testing servers.
If that sounds interesting, let me introduce ... CoLinux!!!


CoLinux is a package that lets you run a Linux kernel on top of Windows. The approach differs from VMware. It is more like User Mode Linux running Linux on top of Linux, or the other way round, Win4Lin running Windows on top of Linux. To run CoLinux you need:

1. Windows 2000 or Windows XP
2. The CoLinux package (EXE file), downloaded from sourceforge http://sourceforge.net/project/showfiles.php?group_id=98788
3. A rootfs, downloaded from the same place. Pick one of gentoo, debian and Fedora. If you want Slackware or Vector Linux you have to build it yourself. http://sourceforge.net/mailarchive/forum.php?thread_id=3808305&forum_id=37489

For installation and usage instructions you can start from the colinux FAQ. Happy trying, and please share your experience if you can. I haven't tried it myself, since I don't have Windows XP/2000.


DHCP Server Using DNSMasq

A DHCP server is a service that hands out IP addresses automatically to the client computers on a LAN. This service has become ever more important with the spread of wireless networks. Fortunately, it is easy to set up with dnsmasq.

Imagine we have a LAN with many computers. Each computer obviously needs a unique IP address. Done by hand, we would have to assign these addresses statically on every computer. With 100 or more computers, that gets tiresome ;-)

This is where DHCP (Dynamic Host Configuration Protocol) comes in. In general, a DHCP setup looks like this:


[dhcp server]--------{LAN}--------[clients (very many)]


The system works as follows:

1. On a LAN there should be exactly ONE DHCP server. It is configured to hand out IP addresses from a certain range, for example 192.168.0.100 - 192.168.0.199.
2. There are many client computers. Each is configured so that its TCP/IP uses AUTO mode.
3. When a client computer boots, it broadcasts a request for an IP address.
4. The DHCP server picks up this request and hands out a unique IP address within the configured range. Along with it, other information can be supplied, such as the netmask, the dns server address and the gateway.
5. The client configures its TCP/IP from this information and starts working.
6. The IP address is only a loan. After the configured interval the DHCP server reclaims it so that it can be lent to another client, so the client has to renew its lease periodically.

Meanwhile there is an equally important matter. When the DHCP server leases out an IP address, the matching domain name has to be kept in sync so that access by name does not end up at the wrong address. Clearly this is closely tied to the DNS server. Because DNSMASQ is a dns server at the same time, this happens automatically. That is not the case when we use separate packages, for example bind + dhcpd.

A SIMPLE DHCP SERVER

Now let's set up dnsmasq for the following configuration

[client]---{LAN}---[gateway (dnsmasq)]---{INTERNET}----[provider (dns server)]


Here dnsmasq acts as both dhcp server and dns server. Suppose the LAN has the following parameters:

* IP addresses : 192.168.0.1 - 192.168.0.254
* Netmask : 255.255.255.0
* Gateway : 192.168.0.254
* DNS server : 192.168.0.254

Then we allocate the available addresses as follows:

* Clients with a static IP : 192.168.0.1 - 192.168.0.127
* Clients with a dynamic IP : 192.168.0.128 - 192.168.0.191
* External servers : 192.168.0.192 - 192.168.0.223
* Internal servers : 192.168.0.224 - 192.168.0.254

Oh, one tip. The allocation is laid out along binary power-of-two boundaries (128 + 64 + 64) so that it is convenient later when we set up a firewall.
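The tip above made concrete, as an added example that is not part of the original article: a POSIX sh function that takes each allocated range and reports the CIDR block covering it, and whether the range is exactly one block (one firewall rule matches it) or only fits inside a larger one. The four ranges are the article's; everything else is constructed here.

```shell
#!/bin/sh
# Added example, not from the original article: report the CIDR block that
# covers each address range of the allocation plan, and whether the range
# is exactly that block.  An exact block can be matched by a single
# firewall rule; a range that only fits inside a block needs either the
# larger block or several rules.

# ip2int DOTTED: dotted quad -> 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1                # split on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N: 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidr FIRST LAST
# prints "NETWORK/PREFIX exact" when FIRST-LAST is precisely one CIDR block,
# or "NETWORK/PREFIX superset" with the smallest block containing the range.
range_to_cidr() {
    first=$(ip2int "$1")
    last=$(ip2int "$2")
    if [ "$first" -gt "$last" ]; then
        echo "invalid range: $1 > $2" >&2
        return 1
    fi
    block=1      # block size in addresses, always a power of two
    prefix=32
    # grow the block until the aligned block containing FIRST also contains LAST
    while :; do
        net=$(( first - first % block ))
        [ $(( net + block - 1 )) -ge "$last" ] && break
        block=$(( block * 2 ))
        prefix=$(( prefix - 1 ))
    done
    if [ "$net" -eq "$first" ] && [ $(( net + block - 1 )) -eq "$last" ]; then
        kind=exact
    else
        kind=superset
    fi
    echo "$(int2ip "$net")/$prefix $kind"
}

# the four ranges of the plan above
for range in "192.168.0.1 192.168.0.127" "192.168.0.128 192.168.0.191" \
             "192.168.0.192 192.168.0.223" "192.168.0.224 192.168.0.254"; do
    set -- $range
    printf '%-29s %s\n' "$1 - $2" "$(range_to_cidr "$1" "$2")"
done
```

The output shows why the plan is firewall-friendly: the dynamic and external-server ranges are exact /26 and /27 blocks, while the static range (which starts at .1, not .0) and the internal-server range (which stops at .254 to leave the broadcast address) are only covered by their blocks.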

Now we can start configuring dnsmasq:

1. Configure dnsmasq as a dns server (see the previous article).
2. Enabling it as a dhcp server is, good grief, remarkably easy. Just edit the following parts of /etc/dnsmasq.conf:

# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
domain=kampus.lan

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=192.168.0.128,192.168.0.191,12h

# Send options to hosts which ask for a DHCP lease.
# See RFC 2132 for details of available options.
# Note that all the common settings, such as netmask and
# broadcast address, DNS server and default route, are given
# sane defaults by dnsmasq. You very likely will not need any
# any dhcp-options. If you use Windows clients and Samba, there
# are some options which are recommended, they are detailed at the
# end of this section.
# For reference, the common options are:
# subnet mask - 1
# default router - 3
# DNS server - 6
# broadcast address - 28
dhcp-option=1,255.255.255.0
dhcp-option=3,192.168.0.254
dhcp-option=6,192.168.0.254
dhcp-option=28,192.168.0.255

# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
dhcp-leasefile=/var/run/dnsmasq/dnsmasq.leases


3. Don't forget to create the location for the lease file

# mkdir -p /var/run/dnsmasq
# touch /var/run/dnsmasq/dnsmasq.leases

Now start or restart dnsmasq. All that remains is to set the clients (Linux as well as Windows) to use a dynamic (auto) IP. If everything works, a client will get one of the IP addresses between 192.168.0.128 and 192.168.0.191 when it comes up, along with the matching netmask, gateway and dns server settings.

THE DHCP SERVER IN MORE DEPTH

There are several settings in dnsmasq.conf for more advanced features, for example:

* Make a client with a particular host name always get a specific IP

# Give the machine which says it's name is "dosen01" IP address
# 192.168.0.130 and an infinite lease
dhcp-host=dosen01,192.168.0.130,infinite

For this to work, make sure every client has the correct name. On Linux, set /etc/HOSTNAME. On Windows, fill in the name in the TCP/IP settings.
* Make particular clients get the IP that matches their name in /etc/hosts

# Enable the address given for "lab01" in /etc/hosts
# to be given to a machine presenting the name "lab01" when
# it asks for a DHCP lease.
dhcp-host=lab01

This allows automatic synchronization with the dns server.
* Make a client with a particular MAC address always get a specific IP

# Always allocate the host with ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.129
dhcp-host=11:22:33:44:55:66,192.168.0.129

For this one, you need to record the MAC addresses of all clients. To find the MAC address of a Linux client, just run ifconfig. On a Windows client use ipconfig.
* Block computers you know like to misbehave

# Never offer DHCP service to a machine whose ethernet
# address is 11:22:33:44:55:66
dhcp-host=11:22:33:44:55:66,ignore

That's all on dnsmasq for now. Give it a try; I guarantee it's done in 30 minutes without the DNS+DHCP theory headache you normally have to read through before setting up BIND or DHCPD :)


Bandwidth Management: Queue Tree vs Simple Queue on Mikrotik

Those of you who plan to use mikrotik for bandwidth management may feel a little torn, because mikrotik offers two bandwidth limiter features, Simple Queue and Queue Tree.

Mikrotik, whose real strength is bandwidth management, has of course designed both well, so we don't get fleeced by bandwidth-hungry users, whom I call Pardon (the Download Party): whatever maximum bandwidth we set for a user is exactly what they get, so the available bandwidth can be shared fairly among all users. Still, each has its own strengths and weaknesses.

Simple Queue, as the name suggests, is quite simple to configure, but with Simple Queue we cannot reserve bandwidth specifically for icmp, so once a client's bandwidth is fully used its ping times climb and may even time out (request time out). Queue Tree is different: configuring it takes a bit of concentration, since it is fairly complicated for beginners or for those of us just learning mikrotik, but with Queue Tree we can reserve icmp bandwidth, so even when the client's bandwidth is full the ping time stays stable. I'll give an example configuration for Simple Queue and Queue Tree; hopefully it can serve as a reference for those who will use mikrotik as a bandwidth limiter.

Simple Queue configuration:

You can create a group (parent) for special clients with 256kbps of bandwidth containing 3 users, so that the 256 is shared among those 3 users, and you can create other parents as you like.

[nanang@Mikrotik] queue> simple
[nanang@Mikrotik] queue simple>

add name="WARNET" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 max-limit=1000000/1000000 total-queue=default-small \
disabled=no
add name="USER" target-addresses=192.168.0.2/32,192.168.0.3/32,192.168.0.4/32,192.168.0.5/32,192.168.0.6/32,192.168.0.7/32\
,192.168.0.8/32,192.168.0.9/32,192.168.0.10/32 dst-address=0.0.0.0/0 interface=all parent=WARNET direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 max-limit=384000/384000 total-queue=default-small \
disabled=no
add name="Client-1" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=Lan parent=USER direction=both \
priority=8 queue=default-small/default-small limit-at=16000/16000 max-limit=32000/64000 total-queue=default-small \
disabled=no

Example Queue Tree configuration:

Mangle

Before configuring the Queue Tree we first create the connection marks in the mangle table.

[nanang@Mikrotik] > ip firewall mangle
[nanang@Mikrotik] ip firewall mangle>

add chain=forward src-address=192.168.10.0/24 action=mark-connection new-connection-mark=lokal passthrough=yes comment="" \
disabled=no
add chain=forward dst-address=192.168.10.0/24 action=mark-connection new-connection-mark=lokal passthrough=yes comment="" \
disabled=no
add chain=forward protocol=icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-icmp passthrough=no \
comment="" disabled=no
add chain=forward src-address=192.168.10.1 protocol=!icmp connection-mark=lokal action=mark-packet \
new-packet-mark=lokal-1 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.10.1 protocol=!icmp connection-mark=lokal action=mark-packet \
new-packet-mark=lokal-1 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.10.2 protocol=!icmp connection-mark=lokal action=mark-packet \
new-packet-mark=lokal-2 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.10.2 protocol=!icmp connection-mark=lokal action=mark-packet \
new-packet-mark=lokal-2 passthrough=no comment="" disabled=no

Queue tree:

[nanang@LimiTer] queue> tree

[nanang@LimiTer] queue tree>
add name="upload" parent=ether1 packet-mark="" limit-at=0 queue=default priority=1 max-limit=256000 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="icmp-upload" parent=upload packet-mark=lokal-icmp limit-at=0 queue=default priority=3 max-limit=32000 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-1-upload" parent=upload packet-mark=lokal-1 limit-at=0 queue=default priority=5 max-limit=64000 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-2-upload" parent=upload packet-mark=lokal-2 limit-at=0 queue=default priority=5 max-limit=64000 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="download" parent=global-out packet-mark="" limit-at=0 queue=default priority=1 max-limit=512000 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="icmp-download" parent=download packet-mark=lokal-icmp limit-at=0 queue=default priority=3 max-limit=64000 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-1-download" parent=download packet-mark=lokal-1 limit-at=0 queue=default priority=5 max-limit=128000 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-2-download" parent=download packet-mark=lokal-2 limit-at=0 queue=default priority=5 max-limit=128000 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

Note: here you can allocate dedicated bandwidth for icmp download and upload.


Sunday, 20 April 2008

Setting Up a 3G Modem on Linux

Steps to configure a Huawei E220 3G modem on Linux

Check that the modem is present with the dmesg command

3daya@3daya:~> dmesg | grep usb

usb 1-2: new full speed USB device using uhci_hcd and address 2
usb 1-2: new device found, idVendor=12d1, idProduct=1003
usb 1-2: new device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-2: Product: HUAWEI Mobile
usb 1-2: Manufacturer: HUAWEI Technologies

usb 1-2: configuration #1 chosen from 1 choice
usb-storage: device found at 2
usb-storage: waiting for device to settle before scanning
usbcore: registered new driver usb-storage
usb-storage: device scan complete
table 1. dmesg

When we grep, our modem is recognized as:
HUAWEI Mobile
idVendor=12d1
idProduct=1003

on opensuse10.2, using kernel 2.6.18, where the modem is also treated as usb-storage. Hence a little modification is needed on the kernel side (kernel hacking ....) ^_^

As root, edit the file /etc/modprobe.conf.local. From the information above we have the vendor and product ids; we need both for the remaining configuration.

3daya@3daya:~> su -
Password:
3daya:~ #

3daya:~ # vi /etc/modprobe.conf.local

#
# please add local extensions to this file
#
# added by 3daya
options usbserial vendor=0x12d1 product=0x1003
options usb_storage delay_use=0
table 2. /etc/modprobe.conf.local

The next step is to add usbserial to the list of modules the kernel loads at boot

3daya:~ # vi /etc/sysconfig/kernel

# added by 3daya
MODULES_LOADED_ON_BOOT="usbserial"
table 3. The kernel will load the usbserial module

To avoid a restart, the next step is to load the usbserial module by hand

3daya:~ # modprobe usbserial
3daya:~ #

Next, download the file huaweiAktBbo-i386.out from
http://www.kanoistika.sk/bobovsky/archiv/umts/


Then make it executable and copy the file into the /bin directory

3daya:~ # chmod +x /media/e/tools/linux\ util/modem3g/huaweiAktBbo-i386.out
3daya:~ # cp /media/e/tools/linux\ util/modem3g/huaweiAktBbo-i386.out /bin

Run huaweiAktBbo-i386.out

3daya:~ # huaweiAktBbo-i386.out
Hladam HUAWEI E220 a prepnem na modem - bbo 06
4 set feature request returned 0
Prepnute-OK, Mas ttyUSB0 ttyUSB1 (cez usbserial vendor=0x12d1 product=0x1003)
pozri /proc/bus/usb/devices

The next step is to use the wvdial tool, but first there are 2 packages we need to install: huawei and huawei stat.
Download the packages from:
http://oozie.fm.interia.pl/src/huawei.tar.bz2
http://oozie.fm.interia.pl/src/he220stat.tar.bz2

after downloading, compile them; here are the steps:

3daya:~ # tar -xvjf /media/e/tools/linux\ util/modem3g/huawei.tar.bz2
huawei/
huawei/conf/
huawei/conf/huawei-e220
huawei/conf/wvdial-huawei.conf
huawei/conf/huawei-e220.chat
huawei/Makefile
huawei/files/
huawei/files/huawei-mobile.sh
huawei/files/99-huawei.rules
huawei/PROVIDERS
huawei/README
huawei/VERSION
3daya:~ #
3daya:~ # cd huawei/
3daya:~/huawei #
3daya:~/huawei # make install_suse
Installing sample configuration for Linux

cp conf/wvdial-huawei.conf /etc/
mkdir -p /etc/chatscripts/
cp conf/huawei-e220.chat /etc/chatscripts/
cp conf/huawei-e220 /etc/ppp/peers/
cp files/99-huawei.rules /etc/udev/rules.d/
cp files/huawei-mobile.sh /lib/udev/
udevcontrol reload_rules

Go ahead and replug your HUAWEI modem.

3daya:~/huawei #

Once huawei is installed, we install the huawei statistics package,

3daya:~ # tar -xvjf /media/e/tools/linux\ util/modem3g/he220stat.tar.bz2
he220stat-0x02/
he220stat-0x02/flowreport.c
he220stat-0x02/init_ncurses.c
he220stat-0x02/modechange.c
he220stat-0x02/LICENSE
he220stat-0x02/rssi.c
he220stat-0x02/he220ui.h
he220stat-0x02/xhe220stat
he220stat-0x02/Makefile.in
he220stat-0x02/CHANGELOG
he220stat-0x02/configure
he220stat-0x02/README
he220stat-0x02/main.c
3daya:~ #
3daya:~ # cd he220stat-0x02/
3daya:~/he220stat-0x02 #
Compile it; make sure a C compiler and ncurses-devel are present on our opensuse10.2

3daya:~/he220stat-0x02 # rpm -qa | grep gcc
gcc41-gij-4.1.2_20061115-7
gcc41-c++-4.1.2_20061115-5
gcc-c++-4.1.3-29
libgcc41-4.1.2_20061115-5
gcc-gij-4.1.3-29
gcc-info-4.1.3-29
gcc41-4.1.2_20061115-5
gcc41-info-4.1.2_20061115-5
gcc-4.1.3-29
gcc41-java-4.1.2_20061115-5
gcc-java-4.1.3-29

3daya:~/he220stat-0x02 # rpm -qa | grep ncurse
ncurses-5.5-42
ncurses-devel-5.5-42
yast2-ncurses-2.14.4-3
3daya:~/he220stat-0x02 #

3daya:~/he220stat-0x02 # ./configure
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking termios.h usability... yes
checking termios.h presence... yes
checking for termios.h... yes
checking for unistd.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
configure: creating ./config.status
config.status: creating Makefile
3daya:~/he220stat-0x02 #

3daya:~/he220stat-0x02 # make
gcc -Wall -lncurses init_ncurses.c main.c flowreport.c rssi.c modechange.c -o he220stat
3daya:~/he220stat-0x02 #

3daya:~/he220stat-0x02 # make install
chmod +x ./xhe220stat
cp *he220stat /usr/local/bin
3daya:~/he220stat-0x02 #

Done. At this point the installation ritual is complete. The next stage is configuring wvdial. Edit the file to suit your needs

3daya:~/he220stat-0x02 # vi /etc/wvdial-huawei.conf

[Dialer Defaults]
Modem = /dev/ttyUSB0
Baud = 3600000
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2
Init3 =
Area Code =
Phone = *99#
Username = 3daya
Password = ***
Ask Password = 0
Dial Command = ATDT
Stupid Mode = 1
Compuserve = 0
Force Address =
Idle Seconds = 0
DialMessage1 =
DialMessage2 =
ISDN = 0
Auto DNS = 1

Now for the moment we've been waiting for: running our 3G modem. If everything works normally, the following lines appear:

3daya:~/he220stat-0x02 # wvdial --config /etc/wvdial-huawei.conf
--> WvDial: Internet dialer version 1.54.0
--> Cannot get information for serial port.
--> Initializing modem.
--> Sending: ATZ
ATZ
OK
--> Sending: ATQ0 V1 E1 S0=0 &C1 &D2
ATQ0 V1 E1 S0=0 &C1 &D2
OK
--> Modem initialized.
--> Sending: ATDT*99#
--> Waiting for carrier.
ATDT*99#
CONNECT
--> Carrier detected. Starting PPP immediately.
--> Starting pppd at Thu Jul 12 23:04:14 2007
--> pid of pppd: 12531
--> Using interface ppp0
--> local IP address 124.81.146.153
--> remote IP address 10.64.64.64
--> primary DNS address 202.155.0.10
--> secondary DNS address 202.155.0.15
--> Script /etc/ppp/ip-up run successful
--> Default route Ok.
--> Nameserver (DNS) Ok.
--> Connected... Press Ctrl-C to disconnect

Check whether we got an ip

3daya@3daya:~> /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:90:F5:54:23:CC
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:169 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2608 (2.5 Kb) TX bytes:2608 (2.5 Kb)

ppp0 Link encap:Point-to-Point Protocol
inet addr:124.81.146.153 P-t-P:10.64.64.64 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:11 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:540 (540.0 b) TX bytes:272 (272.0 b)

3daya@3daya:~>

As we can see, we got an ip from the provider Indosatm2 via the PPP protocol, namely 124.81.146.153

Next, let's try a browser
Notes:
during the test, the 3G modem's light was this colour:

the test was done in my rented room in the Kebagusan 1 area of South Jakarta (^_^)
The OS used is:

3daya:~/he220stat-0x02 # uname -a
Linux 3daya 2.6.18.2-34-default #1 SMP Mon Nov 27 11:46:27 UTC 2006 i686 i686 i386 GNU/Linux
3daya:~/he220stat-0x02 #
OPENSUSE10.2

Conclusion
The Huawei 3G modem works on linux opensuse10.2

To view statistics for our 3g modem, run the command
# he220stat

This tutorial can also be used on other linux distros. I have tried installing it on fedora.
Since the connection uses the provider indosatm2, it is best to set the dns servers to
202.155.0.10 and 202.155.0.15, and to change the parameter Auto DNS = 1 in /etc/wvdial-huawei.conf to
Auto DNS = 0


NetBIOS Session Brings the Network to a Halt

This one protocol, NetBIOS session, brought network traffic at 2 plantation sites to a standstill. It spread from one computer (Win2K-SP4) infected with a virus, and within roughly 30 minutes attacked the Win XP SP1 machines. Thankfully, today it could be blocked, both on the client side (Win XP SP1) and at the gateway (GNU/Linux)

On the client side, just disable netbios, at the cost of file/printer sharing no longer working.
On the gateway side, drop the packets. After several years this is the first time we've been breached.

iptables -A FORWARD -s 192.168.1.0/24 -d ! 192.168.1.0/24 -p tcp --dport 137 -j DROP
ipchains -A forward -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 137 -j DROP

Better still, set the default policy to DROP and then only allow the packets that are permitted, such as web browsing (tcp/80), email (tcp/25, tcp/110, tcp/143), Y!M (tcp/5000:5100), and whatever applications are actually needed.

iptables -P FORWARD DROP
ipchains -P forward DROP

For more details, see man iptables or ipchains, depending on the kernel version.
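The default-DROP forwarding policy just described, written out as an added example (not the original post's own rules): a POSIX sh script that prints the iptables commands for the LAN and port list given in the post. IPT defaults to echo so the script only prints; the `! -d` form, the state and limit matches and the LOG target are standard iptables 1.4 options, and the 137:139 range (netbios-ns, -dgm, -ssn) with its udp variant and the logging are additions beyond the post's single tcp/137 rule.

```shell
#!/bin/sh
# Added example, not from the original post: the "default DROP, then permit
# only what is needed" FORWARD policy described above, as a script.  IPT
# defaults to "echo", so running it only prints the iptables commands; run
# it as root with IPT=/sbin/iptables to apply them.
IPT=${IPT:-echo}
LAN=192.168.1.0/24                     # LAN range from the post
ALLOWED_TCP="80 25 110 143 5000:5100"  # browsing, smtp, pop3, imap, Y!M (from the post)
NETBIOS_PORTS=137:139                  # netbios-ns, netbios-dgm, netbios-ssn

forward_policy() {
    # 1. nothing crosses the gateway unless a rule below allows it
    $IPT -P FORWARD DROP

    # 2. replies and related packets of connections that were already allowed
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. NetBIOS leaving the LAN is logged (rate-limited) before it is dropped,
    #    so the kernel log names the infected machine by its source address
    for proto in tcp udp; do
        $IPT -A FORWARD -s "$LAN" ! -d "$LAN" -p "$proto" --dport "$NETBIOS_PORTS" \
            -m limit --limit 10/min -j LOG --log-prefix "NETBIOS-OUT: "
        $IPT -A FORWARD -s "$LAN" ! -d "$LAN" -p "$proto" --dport "$NETBIOS_PORTS" -j DROP
    done

    # 4. new outbound connections from the LAN, allowed ports only
    for port in $ALLOWED_TCP; do
        $IPT -A FORWARD -s "$LAN" ! -d "$LAN" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # 5. everything else falls to the DROP policy; keep a sample of it in the log
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

forward_policy
```

The explicit DROP in step 3 is redundant with the policy but keeps the intent visible in `iptables -L`; the LOG lines are what let you find the source of the next outbreak in the kernel log instead of by unplugging cables.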

Updated: (03/04/2007)
If you only have a Cisco router, it can be done as follows:

belitung(config)# logging buffered 3072
belitung(config)# access-list 104 deny tcp any any eq 137 log
belitung(config)# access-list 104 permit ip any any
belitung(config)# int e0
belitung(config-if)#ip access-group 104 in
belitung(config-if)# exit

1-99 : Standard Access List
100-199 : Extended Access List (Source IP, Destination IP, Source Port, Destination Port)


Pak Ono's Load Balancing Rules

actually it's not hard to build an N-link load balancer
as long as the PCI slots in the linux PC router have room for N ethernet cards
what I use at home is just a 2-link load balancer & NAT on Ubuntu
growing it to N links is not hard at all

I can't upload those notes to this forum
they're huge, this is just an excerpt of the load balancer part ..

# bring the interfaces up
/sbin/ip link set lo up
/sbin/ip link set eth0 up
/sbin/ip link set eth1 up
/sbin/ip link set eth2 up

# start from empty per-link tables (adsl, rtrwnet and internet must be
# named in /etc/iproute2/rt_tables before they can be used here)
/sbin/ip route flush table adsl
/sbin/ip route flush table rtrwnet
/sbin/ip route flush table internet

/sbin/ip addr add 127.0.0.1/8 brd 127.0.0.255 dev lo

# eth2 = ADSL side, eth1 = LAN, eth0 = rtrwnet uplink (the eth0 routes and
# the "src 10.0.148.48" below depend on the eth0 address being set)
/sbin/ip addr add 192.168.1.222/24 brd 192.168.1.255 dev eth2
# /sbin/ip addr add 10.0.148.48/24 brd 10.0.148.255 dev eth0
/sbin/ip addr add 192.168.0.222/24 brd 192.168.0.255 dev eth1

# static routes in the main table: connected networks and prefixes behind neighbours
/sbin/ip route add 127.0.0.0/8 dev lo
/sbin/ip route add 10.5.148.0/24 via 10.0.148.254 dev eth0
/sbin/ip route add 192.168.0.0/24 dev eth1
/sbin/ip route add 44.132.33.0/24 via 192.168.0.10 dev eth1
/sbin/ip route add 192.168.11.0/24 via 192.168.0.10 dev eth1
/sbin/ip route add 125.160.6.0/24 via 192.168.1.1 dev eth2
/sbin/ip route add 202.159.32.0/24 via 192.168.1.1 dev eth2

# lookup order: main first, then the per-link tables
/sbin/ip rule add prio 10 table main
/sbin/ip rule add prio 20 table adsl
/sbin/ip rule add prio 30 table rtrwnet
/sbin/ip rule add prio 40 table internet

# remove any existing default routes; each table gets its own below
/sbin/ip route del default table main
/sbin/ip route del default table adsl
/sbin/ip route del default table rtrwnet
/sbin/ip route del default table internet

# traffic sourced from the ADSL subnet leaves via the ADSL gateway; if that
# default route disappears, the prohibit entry answers instead of falling through
/sbin/ip rule add prio 20 from 192.168.1.0/24 table adsl
/sbin/ip route add default via 192.168.1.1 dev eth2 src 192.168.1.222 proto static table adsl
/sbin/ip route append prohibit default table adsl metric 1 proto static

# same for traffic sourced from the rtrwnet subnet
/sbin/ip rule add prio 30 from 10.0.148.0/24 table rtrwnet
/sbin/ip route add default via 10.0.148.254 dev eth0 src 10.0.148.48 proto static table rtrwnet
/sbin/ip route append prohibit default table rtrwnet metric 5 proto static

# Set up load balancing gateways (weights 1:10 in favour of the eth0 link)
/sbin/ip rule add prio 40 table internet
/sbin/ip route add default proto static table internet \
nexthop via 192.168.1.1 dev eth2 weight 1 \
nexthop via 10.0.148.254 dev eth0 weight 10

# Setup routing to ISPs (this prefix prefers the ADSL link, 10:1)
/sbin/ip route add 202.138.236.0/24 proto static table internet \
nexthop via 192.168.1.1 dev eth2 weight 10 \
nexthop via 10.0.148.254 dev eth0 weight 1
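The model below is an added example, not part of the forum post: it replays the Linux lookup that the script above sets up (rules in priority order, longest prefix then lowest metric inside a table, "no route" falls through to the next rule, a prohibit route ends the lookup, multipath nexthops chosen per flow in proportion to weight). Run with the rules exactly as the script adds them, it shows that the bare `prio 20 table adsl` rule (no `from` selector) catches every packet that main cannot route, so the weighted `internet` table at prio 40 is never consulted; a second rule set with only the `from` rules shows the intended split. Addresses come from the script; the 172.16.x.y sources and 203.0.113.9 destination are constructed, and the per-flow hash stands in for the kernel's own selection.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple
import zlib


@dataclass
class Route:
    prefix: str                                               # destination prefix
    nexthops: List[Tuple[str, str, int]] = field(default_factory=list)  # (via, dev, weight)
    metric: int = 0
    prohibit: bool = False                                    # "ip route append prohibit ..."


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[str] = None                                 # "from" selector; None matches all


def lookup_table(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match; among equal prefixes the lowest metric wins."""
    d = ip_address(dst)
    hits = [r for r in routes if d in ip_network(r.prefix)]
    if not hits:
        return None
    return max(hits, key=lambda r: (ip_network(r.prefix).prefixlen, -r.metric))


def pick_nexthop(route: Route, src: str, dst: str) -> Tuple[str, str]:
    """Per-flow weighted choice: a deterministic hash of the flow lands in a weight slot."""
    total = sum(w for _, _, w in route.nexthops)
    slot = zlib.crc32(f"{src}->{dst}".encode()) % total
    for via, dev, weight in route.nexthops:
        if slot < weight:
            return via, dev
        slot -= weight
    raise RuntimeError("weights exhausted")                   # unreachable: slot < total


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]],
                 src: str, dst: str) -> Optional[Tuple[str, str, str]]:
    """Walk rules by priority; return (table, via, dev), (table, 'prohibit', '') or None."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and ip_address(src) not in ip_network(rule.src):
            continue
        route = lookup_table(tables.get(rule.table, []), dst)
        if route is None:
            continue                                  # no route here: try the next rule
        if route.prohibit:
            return rule.table, "prohibit", ""         # prohibit ends the lookup (EACCES)
        via, dev = pick_nexthop(route, src, dst)
        return rule.table, via, dev
    return None


def nexthop_share(rules: List[Rule], tables: Dict[str, List[Route]],
                  dst: str, flows: int = 1000) -> Dict[str, int]:
    """Egress device counts for `flows` constructed 172.16.x.y sources towards dst."""
    counts: Dict[str, int] = {}
    for i in range(flows):
        hit = route_packet(rules, tables, f"172.16.{i // 256}.{i % 256}", dst)
        dev = hit[2] if hit else "none"
        counts[dev] = counts.get(dev, 0) + 1
    return counts


# Tables as the script leaves them (no default route in main).
TABLES = {
    "main": [
        Route("127.0.0.0/8", [("", "lo", 1)]),
        Route("192.168.1.0/24", [("", "eth2", 1)]),
        Route("192.168.0.0/24", [("", "eth1", 1)]),
        Route("10.5.148.0/24", [("10.0.148.254", "eth0", 1)]),
        Route("44.132.33.0/24", [("192.168.0.10", "eth1", 1)]),
        Route("192.168.11.0/24", [("192.168.0.10", "eth1", 1)]),
        Route("125.160.6.0/24", [("192.168.1.1", "eth2", 1)]),
        Route("202.159.32.0/24", [("192.168.1.1", "eth2", 1)]),
    ],
    "adsl": [Route("0.0.0.0/0", [("192.168.1.1", "eth2", 1)]),
             Route("0.0.0.0/0", metric=1, prohibit=True)],
    "rtrwnet": [Route("0.0.0.0/0", [("10.0.148.254", "eth0", 1)]),
                Route("0.0.0.0/0", metric=5, prohibit=True)],
    "internet": [Route("0.0.0.0/0", [("192.168.1.1", "eth2", 1), ("10.0.148.254", "eth0", 10)]),
                 Route("202.138.236.0/24", [("192.168.1.1", "eth2", 10), ("10.0.148.254", "eth0", 1)])],
}

# Rules as the script adds them: bare table rules at 10/20/30/40 plus the "from" rules.
RULES_AS_POSTED = [Rule(10, "main"), Rule(20, "adsl"), Rule(30, "rtrwnet"), Rule(40, "internet"),
                   Rule(20, "adsl", "192.168.1.0/24"), Rule(30, "rtrwnet", "10.0.148.0/24")]
# Variant keeping only the source-selected rules ahead of the load-balancing table.
RULES_SOURCE_ONLY = [Rule(10, "main"), Rule(20, "adsl", "192.168.1.0/24"),
                     Rule(30, "rtrwnet", "10.0.148.0/24"), Rule(40, "internet")]
```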


Install SNORT on Ubuntu

# apt-get install libpcre3 libpcre3-dev libpcrecpp0
# apt-get install libpcap0.8 libpcap0.8-dev
# apt-get install libmysqlclient15-dev
# apt-get install libphp-adodb
# apt-get install libgd2-xpm libgd2-xpm-dev
# apt-get install php5-mysql
# apt-get install php5-gd
# apt-get install php-image-graph php-image-canvas php-pear

Web access: http://localhost/base, then on the Setup page click CREATE BASE AG.

Reference: Install Snort in Ubuntu, by Onno W. Purbo


Linux Operating System Basics (Directories and the File System)

In Linux and Unix everything is a file. Directories are files, files are files, and devices are files too. Devices are often referred to as nodes; nevertheless, they are treated as files.

The file system in Linux and Unix is organised hierarchically, like a tree structure. The top level of the file system is the root directory, or /. All other files and directories sit below the root directory. For example, /home/jebediah/cheeses.odt gives the full path to the file cheeses.odt, which is in the directory jebediah, which in turn is under the home directory, all of which sit under the root directory (/).

Below the root directory (/) there are a number of important directories that other Linux distributions have as well. Here is a list of the directories found directly below the root directory (/):

• /bin - essential commands, usually binary applications but sometimes shell scripts

• /boot - boot configuration files, the kernel, and other files needed when the system boots

• /dev - device files

• /etc - configuration files, startup scripts, etc.

• /home - the home directory of each user

• /initrd - used to customise the initial RAM disk

• /lib - libraries needed by the system

• /lost+found - provides a lost+found system for files under the root directory (/)

• /media - where removable media such as CDs, digital cameras, etc. are mounted automatically

• /mnt - manually mounted file systems on the hard disk

• /opt - location for installing third-party (optional) applications; these are usually compiled statically and can be used on other Linux distributions

• /proc - a special dynamic directory holding information about the state of the system, including running processes

• /root - the home directory of the root user, pronounced "slash-root"

• /sbin - essential system binaries and scripts, usually run by the root user

• /srv - may contain files served to other systems

• /sys - similar to the /proc file system, but holds system information not related to running processes

• /tmp - temporary files

• /usr - location for applications and read-only files that are usually available to all users

• /var - variable files such as logs and databases


What Is a Kernel

As computer users we have all at some point run into confusing situations such as the computer hanging or not working properly. For example, when using Windows, a hang sometimes brings up a blue screen (the well-known Blue Screen), usually with information or words like KERNEL bla .. bla .. bla … So far, as ordinary users, when that happens we simply reboot the computer without knowing what actually went on. With that in mind, here is an interesting article about the term KERNEL .. happy reading.

In computer science, the kernel is the core of the operating system that manages the use of memory, input and output devices, processes, the use of files on the file system, and so on. The kernel also provides a set of services used to access it, called system calls. These system calls are used to implement the various services the operating system offers. System programs and all other programs that run on top of the kernel are said to run in user mode.

The Linux kernel consists of several important parts, such as process management, memory management, hardware drivers, file system drivers, network management and others. The most important parts, however, are process management and memory management. Memory management covers memory usage, swap areas, the kernel's own regions and the buffer cache. Process management handles the use of processes and process scheduling. At the lowest level of the kernel there are hardware drivers for every type of supported computer hardware.

Kernel functions

1. Process management

The main task of an operating system kernel is to allow other applications to run and to support them with additional features such as hardware abstraction. To run a process, the kernel must load its file into memory, set up a stack for the program and jump to the given location inside the program; this starts the program running, and this procedure is called scheduling. In a multitasking system, the kernel basically gives each program a little time and switches from process to process quickly, so that to the user it appears as if the processes run continuously. The kernel must also provide a way for these processes to communicate, known as inter-process communication. There may also be multiprocessing support in the kernel.

2. Memory management

The kernel has full access to system memory and provides ways to let userland programs access this memory safely. The first method of managing memory is virtual addressing, usually achieved with paging or segmentation. Virtual addressing lets the kernel make a physical address appear as a different address, the virtual address; this lets every program believe it is the only program (apart from the kernel) running, and prevents applications from colliding with one another.

3. Device management

To perform a task, the kernel needs to access the various devices connected to the computer. For example, to display anything to the user, the monitor driver has to be present. These devices are controlled through drivers, which must be written by developers and/or supplied by the device's manufacturer.

The device manager first scans the different hardware buses (such as USB, PCI) to detect all installed devices, then looks for the appropriate drivers; after this, everything depends on the kernel type and kernel design.

4. System calls

To do useful work, userland programs must have access to all the services provided by the kernel. This is implemented differently by different kernels, but it must be provided by the C library, which wraps all the system calls, whether they are passed directly or through shared memory.

5. Shell

The shell is a piece of software, or an application, that serves as the tool through which users interact with the operating system; the shell reads whatever the user types and interprets it as commands to run other software, manipulate files and produce output. The shell is also known as the command line interface.

There are various shells for Unix/Linux. The Korn shell or POSIX shell is the usual shell on most kinds of Unix or Linux.

Position of the kernel in the computer system

The kernel sits in the root directory, which contains both the boot program and the file holding the kernel for the system. The kernel usually goes by various names, differing from one machine manufacturer to another, but it commonly contains the word nix so that users can find it with wildcard characters.

For example:

ls /*nix*

-rwxr----- 1 root 1558734 Sep 24 1992 /vmunix

Conclusion

The kernel is the core of the OS (Operating System).


Load Balancing TPLINK 2 WAN

Hardware

1. 2 ADSL modems

modem a 192.168.5.1/24

modem b 192.168.4.1/24

2. Load balancer with 2 WAN and 4 LAN ports (192.168.1.1/24)

WAN IP towards modem a 192.168.5.2/24

WAN IP towards modem b 192.168.4.2/24

3. Mikrotik on a PC with 2 Ethernet cards

Local -> 192.168.0.30/27

Public -> 192.168.1.2/24

4. Linux proxy with 1 Ethernet card (192.168.1.3/24)

Detail Configuration

1. Load Balancing Machine Using TPLINK

Router Status

Firmware Version: 3.5.0 Build 070423 Rel.31354s
Hardware Version: R480T+ v2

LAN
MAC Address: 00-19-E0-A3-24-3C
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0

WAN 1
Status: Link Up
MAC Address: 00-19-E0-A3-24-3D
IP Address: 192.168.5.2 Static IP
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.5.1
DNS Server: 203.130.193.74, 202.134.0.155
WAN 2
Status: Link Up
MAC Address: 00-19-E0-A3-24-3E
IP Address: 192.168.4.2 Static IP
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.4.1
DNS Server: 203.130.193.74, 202.134.0.155

Traffic Statistics
        Received (Bytes)  Sent (Bytes)  Received (Packets)  Sent (Packets)
Total   7429303           1853471       22800               21923
WAN 1   7248061           1671933       20351               19470
WAN 2   181242            181538        2449                2453

Load Balancing Flow

ID  WAN Port     Address Type        Protocol  IP address(es)           Port(s)      Status
1   prior to W2  source IP from LAN  ALL       0.0.0.0-255.255.255.255  1-1000       Enabled
2   prior to W1  source IP from LAN  ALL       0.0.0.0-255.255.255.255  1001-3127    Enabled
3   prior to W2  source IP from LAN  ALL       0.0.0.0-255.255.255.255  3128         Enabled
4   prior to W1  source IP from LAN  ALL       0.0.0.0-255.255.255.255  3129-8079    Enabled
5   prior to W2  source IP from LAN  ALL       0.0.0.0-255.255.255.255  8080         Enabled
6   prior to W1  source IP from LAN  ALL       0.0.0.0-255.255.255.255  8081-65000   Enabled
7   prior to W2  source IP from LAN  ALL       0.0.0.0-255.255.255.255  5050-5061    Enabled
8   prior to W2  source IP from LAN  ALL       0.0.0.0-255.255.255.255  6667-7000    Enabled
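Added here as an audit of the flow table above (not the page's own material), under one assumption the page does not state: the device evaluates rules top-down and the first destination-port range that matches wins. Under that assumption rules 7 and 8 (the Yahoo! Messenger and IRC ranges, which the Mikrotik mangle rules further down also single out) fall entirely inside rule 4's 3129-8079 range and can never be reached unless moved above it, and ports 65001-65535 match no rule at all. The rule data is copied from the table; the first-match semantics are this example's assumption about the device.

```python
from typing import Dict, List, NamedTuple, Optional


class FlowRule(NamedTuple):
    rid: int
    wan: str      # preferred WAN port, "W1" or "W2"
    lo: int       # destination port range, inclusive
    hi: int


# The "Load Balancing Flow" table above, in the order the device lists it.
FLOW_TABLE = [
    FlowRule(1, "W2", 1, 1000),
    FlowRule(2, "W1", 1001, 3127),
    FlowRule(3, "W2", 3128, 3128),
    FlowRule(4, "W1", 3129, 8079),
    FlowRule(5, "W2", 8080, 8080),
    FlowRule(6, "W1", 8081, 65000),
    FlowRule(7, "W2", 5050, 5061),
    FlowRule(8, "W2", 6667, 7000),
]


def select_wan(rules: List[FlowRule], dport: int) -> Optional[FlowRule]:
    """First-match lookup: the modelled (assumed) device behaviour."""
    for rule in rules:
        if rule.lo <= dport <= rule.hi:
            return rule
    return None


def shadowed_rules(rules: List[FlowRule]) -> Dict[int, List[int]]:
    """Map rule id -> ids of earlier rules that together cover its whole range.

    A rule is shadowed when no port in [lo, hi] can reach it under first-match.
    Checking port by port is cheap (at most 65535 ports) and avoids interval bugs.
    """
    result: Dict[int, List[int]] = {}
    for idx, rule in enumerate(rules):
        earlier = rules[:idx]
        blockers = set()
        reachable = False
        for port in range(rule.lo, rule.hi + 1):
            hit = select_wan(earlier, port)
            if hit is None:
                reachable = True          # at least one port gets through to this rule
                break
            blockers.add(hit.rid)
        if not reachable:
            result[rule.rid] = sorted(blockers)
    return result


def uncovered_ports(rules: List[FlowRule], lo: int = 1, hi: int = 65535) -> List[int]:
    """Ports that fall through every rule and are left to the device default."""
    return [p for p in range(lo, hi + 1) if select_wan(rules, p) is None]


if __name__ == "__main__":
    print("shadowed:", shadowed_rules(FLOW_TABLE))
    gaps = uncovered_ports(FLOW_TABLE)
    print("uncovered:", gaps[0], "-", gaps[-1], f"({len(gaps)} ports)")
```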

B. Mikrotik Configuration
/ interface ethernet
set Public name=”Public” mtu=1500 mac-address=00:15:E9:EF:86:FE arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment=”" disabled=no
set Local name=”Local” mtu=1500 mac-address=00:01:02:97:D0:BE arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment=”" disabled=no
set Proxy name=”Proxy” mtu=1500 mac-address=00:01:02:97:CE:C5 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment=”" disabled=no
/ interface wireless security-profiles
set default name=”default” mode=none authentication-types=”" \
unicast-ciphers=”" group-ciphers=”" wpa-pre-shared-key=”" \
wpa2-pre-shared-key=”" eap-methods=passthrough tls-mode=no-certificates \
tls-certificate=none static-algo-0=none static-key-0=”" static-algo-1=none \
static-key-1=”" static-algo-2=none static-key-2=”" static-algo-3=none \
static-key-3=”" static-transmit-key=key-0 static-sta-private-algo=none \
static-sta-private-key=”" radius-mac-authentication=no group-key-update=5m
/ interface wireless align
set frame-size=300 active-mode=yes receive-all=no \
audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 ssid-all=no \
frames-per-second=25 audio-min=-100 audio-max=-20
/ interface wireless snooper
set multiple-channels=yes channel-time=200ms receive-errors=no
/ interface wireless sniffer
set multiple-channels=no channel-time=200ms only-headers=no receive-errors=no \
memory-limit=10 file-name=”" file-limit=10 streaming-enabled=no \
streaming-server=0.0.0.0 streaming-max-rate=0
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 \
keepalive-timeout=30 default-profile=default-encryption
/ ip pool
add name=”dhcp_pool1″ ranges=192.168.0.1-192.168.0.29
/ ip telephony region
/ ip telephony gatekeeper
set gatekeeper=none remote-id=”" remote-address=0.0.0.0
/ ip telephony aaa
set use-radius-accounting=no interim-update=0s
/ ip telephony codec
move G.711-uLaw-64k/sw
move G.711-ALaw-64k/sw
move G.729A-8k/sw
move G.729-8k/sw
move G.723.1-6.3k/sw
move GSM-06.10-13.2k/sw
move LPC-10-2.5k/sw
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ ip arp
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
set primary-dns=192.168.1.3 secondary-dns=202.134.0.155 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m \
inactive-flow-timeout=15s
/ ip address
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 \
interface=Public comment=”" disabled=no
add address=192.168.0.30/27 network=192.168.0.0 broadcast=192.168.0.31 \
interface=Local comment=”" disabled=no
add address=192.168.2.1/30 network=192.168.2.0 broadcast=192.168.2.3 \
interface=Proxy comment=”" disabled=no
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:1 maximal-client-connecions=1000 \
maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment=”block telnet & spam e-mail relaying” \
disabled=yes
/ ip neighbor discovery
set Public discover=yes
set Local discover=yes
set Proxy discover=yes
/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 \
comment=”" disabled=no
/ ip firewall mangle
add chain=prerouting src-address=192.168.0.0/27 protocol=icmp \
action=mark-connection new-connection-mark=ICMP-CM passthrough=yes \
comment=”ToS” disabled=no
add chain=prerouting connection-mark=ICMP-CM action=mark-packet \
new-packet-mark=ICMP-PM passthrough=yes comment=”" disabled=no
add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay \
comment=”" disabled=no
add chain=prerouting src-address=192.168.0.0/27 protocol=tcp dst-port=53 \
action=mark-connection new-connection-mark=DNS-CM passthrough=yes \
comment=”" disabled=no
add chain=prerouting src-address=192.168.0.0/27 protocol=udp dst-port=53 \
action=mark-connection new-connection-mark=DNS-CM passthrough=yes \
comment=”" disabled=no
add chain=prerouting connection-mark=DNS-CM action=mark-packet \
new-packet-mark=DNS-PM passthrough=yes comment=”" disabled=no
add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay \
comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment=”Services” \
disabled=no
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=8080 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=21 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment=”" disabled=no
add chain=prerouting connection-mark=http_conn action=mark-packet \
new-packet-mark=http passthrough=no comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection \
new-connection-mark=ym_conn passthrough=yes comment=”" disabled=no
add chain=prerouting connection-mark=ym_conn action=mark-packet \
new-packet-mark=ym passthrough=no comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=27015 action=mark-connection \
new-connection-mark=cs_conn passthrough=yes comment=”" disabled=no
add chain=prerouting connection-mark=cs_conn action=mark-packet \
new-packet-mark=cs passthrough=no comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=6661-7000 action=mark-connection \
new-connection-mark=irc_conn passthrough=yes comment=”" disabled=no
add chain=prerouting connection-mark=irc_conn action=mark-packet \
new-packet-mark=irc passthrough=no comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=8291 action=mark-connection \
new-connection-mark=mt_conn passthrough=yes comment=”" disabled=no
add chain=prerouting connection-mark=mt_conn action=mark-packet \
new-packet-mark=mt passthrough=no comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=110 action=mark-connection \
new-connection-mark=email_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection \
new-connection-mark=email_conn passthrough=yes comment=”" disabled=no
add chain=prerouting connection-mark=email_conn action=mark-packet \
new-packet-mark=email passthrough=no comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=22 action=mark-connection \
new-connection-mark=ssh_conn passthrough=yes comment=”" disabled=no
add chain=prerouting connection-mark=ssh_conn action=mark-packet \
new-packet-mark=ssh passthrough=no comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=500-3127 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=3129-6665 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=7001-65535 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=500-3127 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=3129-6660 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=7001-65535 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment=”" disabled=no
add chain=prerouting connection-mark=games_conn action=mark-packet \
new-packet-mark=games passthrough=no comment=”" disabled=no
add chain=prerouting src-address=192.168.0.0/27 action=mark-packet \
new-packet-mark=Naik passthrough=no comment=”Up Traffic” disabled=no
add chain=forward src-address=192.168.0.0/27 action=mark-connection \
new-connection-mark=Koneksi passthrough=yes comment=”Conn-Mark” \
disabled=no
add chain=forward in-interface=Public connection-mark=Koneksi \
action=mark-packet new-packet-mark=Turun passthrough=no \
comment=”Down-Direct Connection” disabled=no
add chain=output out-interface=Local dst-address=192.168.0.0/27 \
action=mark-packet new-packet-mark=Turun passthrough=no comment=”Down-Via \
Proxy” disabled=no
/ ip firewall nat
add chain=srcnat out-interface=Public action=masquerade comment=”Masquerading \
ke IP Public \[modem\]” disabled=no
add chain=dstnat protocol=tcp dst-port=80 dst-address-list=!servergames \
action=dst-nat to-addresses=192.168.1.3 to-ports=8080 comment=”" \
disabled=no
add chain=dstnat protocol=tcp dst-port=3128 dst-address-list=!servergames \
action=dst-nat to-addresses=192.168.1.3 to-ports=8080 comment=”" \
disabled=no
add chain=dstnat protocol=tcp dst-port=8000 dst-address-list=!servergames \
action=dst-nat to-addresses=192.168.1.3 to-ports=8080 comment=”" \
disabled=no
add chain=dstnat protocol=tcp dst-port=8080 dst-address-list=!servergames \
action=dst-nat to-addresses=192.168.1.3 to-ports=8080 comment=”" \
disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
tcp-syncookie=no
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment=”Drop Invalid \
connections” disabled=no
add chain=input src-address=!192.168.0.0/27 protocol=tcp src-port=1024-65535 \
dst-port=8080 action=drop comment=”Block to Proxy” disabled=no
add chain=input protocol=udp dst-port=12667 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=udp dst-port=27665 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=udp dst-port=31335 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=udp dst-port=27444 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=udp dst-port=34555 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=udp dst-port=35555 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=tcp dst-port=27444 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=tcp dst-port=27665 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=tcp dst-port=31335 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=tcp dst-port=31846 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=tcp dst-port=34555 action=drop comment=”Trinoo” \
disabled=no
add chain=input protocol=tcp dst-port=35555 action=drop comment=”Trinoo” \
disabled=no
add chain=input connection-state=established action=accept comment=”Allow \
Established connections” disabled=no
add chain=input protocol=udp action=accept comment=”Allow UDP” disabled=no
add chain=input protocol=icmp action=accept comment=”Allow ICMP” disabled=no
add chain=input src-address=192.168.0.0/27 action=accept comment=”Allow access \
to router from known network” disabled=no
add chain=input src-address=192.168.1.0/24 action=accept comment=”" \
disabled=no
add chain=input action=drop comment=”Drop anything else” disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop \
comment=”drop invalid connections” disabled=no
add chain=forward connection-state=established action=accept comment=”allow \
already established connections” disabled=no
add chain=forward connection-state=related action=accept comment=”allow \
related connections” disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment=”" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment=”" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment=”" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment=”" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment=”" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment=”" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment=”" \
disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment=”" \
disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment=”" \
disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment=”deny TFTP” \
disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment=”deny RPC \
portmapper” disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment=”deny RPC \
portmapper” disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment=”deny NBT” \
disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment=”deny cifs” \
disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment=”deny NFS” \
disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment=”deny \
NetBus” disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment=”deny NetBus” \
disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment=”deny \
BackOriffice” disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment=”deny DHCP” \
disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment=”deny TFTP” \
disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment=”deny PRC \
portmapper” disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment=”deny PRC \
portmapper” disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment=”deny NBT” \
disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment=”deny NFS” \
disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment=”deny \
BackOriffice” disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
address-list=”port scanners” address-list-timeout=2w comment=”Port \
scanners to list ” disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”NMAP FIN Stealth scan” disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
address-list=”port scanners” address-list-timeout=2w comment=”SYN/FIN \
scan” disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
address-list=”port scanners” address-list-timeout=2w comment=”SYN/RST \
scan” disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”FIN/PSH/URG scan” disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”ALL/ALL scan” disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”NMAP NULL scan” disabled=no
add chain=input src-address-list=”port scanners” action=drop comment=”dropping \
port scanners” disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment=”drop \
invalid connections” disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment=”allow \
established connections” disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment=”allow \
already established connections” disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment=”allow \
source quench” disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment=”allow \
echo request” disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment=”allow \
time exceed” disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment=”allow \
parameter bad” disabled=no
add chain=icmp action=drop comment=”deny all other types” disabled=no
add chain=tcp protocol=tcp dst-port=25 action=reject \
reject-with=icmp-network-unreachable comment=”Smtp” disabled=no
add chain=tcp protocol=udp dst-port=25 action=reject \
reject-with=icmp-network-unreachable comment=”Smtp” disabled=no
add chain=tcp protocol=tcp dst-port=110 action=reject \
reject-with=icmp-network-unreachable comment=”Smtp” disabled=no
add chain=tcp protocol=udp dst-port=110 action=reject \
reject-with=icmp-network-unreachable comment=”Smtp” disabled=no
add chain=tcp protocol=udp dst-port=110 action=reject \
reject-with=icmp-network-unreachable comment=”Smtp” disabled=no
/ ip firewall address-list
add list=servergames address=202.93.20.214 comment=”" disabled=no
add list=servergames address=202.93.20.201 comment="Rf" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=yes
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" \
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m \
status-autorefresh=1m shared-users=1 transparent-proxy=yes \
open-status-page=always advertise=no
/ ip dhcp-server
add name="dhcp1" interface=Local lease-time=3d address-pool=dhcp_pool1 \
bootp-support=static authoritative=after-2sec-delay disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
add address=192.168.0.1 mac-address=00:13:D3:E4:FA:52 \
client-id="1:0:13:d3:e4:fa:52" server=dhcp1 comment="" disabled=no
add address=192.168.0.2 mac-address=00:13:D3:FD:36:98 \
client-id="1:0:13:d3:fd:36:98" server=dhcp1 comment="" disabled=no
add address=192.168.0.3 mac-address=00:13:D3:E4:FA:9D \
client-id="1:0:13:d3:e4:fa:9d" server=dhcp1 comment="" disabled=no
add address=192.168.0.4 mac-address=00:13:D3:FD:02:7E \
client-id="1:0:13:d3:fd:2:7e" server=dhcp1 always-broadcast=yes comment="" \
disabled=no
add address=192.168.0.5 mac-address=00:13:D3:E4:FA:30 \
client-id="1:0:13:d3:e4:fa:30" server=dhcp1 comment="" disabled=no
add address=192.168.0.6 mac-address=00:13:D3:FD:36:61 \
client-id="1:0:13:d3:fd:36:61" server=dhcp1 comment="" disabled=no
add address=192.168.0.11 mac-address=00:18:F3:43:D4:66 \
client-id="1:0:18:f3:43:d4:66" server=dhcp1 comment="" disabled=no
add address=192.168.0.10 mac-address=00:13:D3:FD:37:BA \
client-id="1:0:13:d3:fd:37:ba" server=dhcp1 comment="" disabled=no
add address=192.168.0.9 mac-address=00:13:D3:C9:E7:C1 \
client-id="1:0:13:d3:c9:e7:c1" server=dhcp1 comment="" disabled=no
add address=192.168.0.8 mac-address=00:13:D3:FD:36:6A \
client-id="1:0:13:d3:fd:36:6a" server=dhcp1 comment="" disabled=no
add address=192.168.0.7 mac-address=00:13:D3:E4:FA:2A \
client-id="1:0:13:d3:e4:fa:2a" server=dhcp1 comment="" disabled=no
add address=192.168.0.18 mac-address=00:15:F2:93:B1:53 \
client-id="1:0:15:f2:93:b1:53" server=dhcp1 comment="" disabled=no
add address=192.168.0.12 mac-address=00:18:F3:43:D4:7D \
client-id="1:0:18:f3:43:d4:7d" server=dhcp1 comment="" disabled=no
/ ip dhcp-server network
add address=192.168.0.0/27 gateway=192.168.0.30 \
dns-server=192.168.0.30,203.130.193.74,202.134.0.155 comment=""
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
set enabled=no src-address=0.0.0.0 port=8080 hostname="proxy" \
transparent-proxy=yes parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system \
max-cache-size=unlimited max-ram-cache-size=unlimited
/ ip web-proxy access
add action=allow comment="" disabled=yes
/ ip web-proxy cache
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
disabled=yes
/ ip web-proxy direct
add action=allow comment="" disabled=yes
/ system logging
add topics=info prefix="" action=disk disabled=no
add topics=error prefix="" action=disk disabled=no
add topics=warning prefix="" action=disk disabled=no
add topics=critical prefix="" action=echo disabled=no
add topics=watchdog prefix="" action=disk disabled=no
add topics=web-proxy prefix="" action=disk disabled=no
add topics=debug prefix="" action=disk disabled=no
add topics=firewall prefix="" action=disk disabled=no
add topics=route prefix="" action=disk disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
check-interval=1d user=""
/ system clock dst
set dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 \
00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes \
no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
set name="Oasis.war.net.id"
/ system note
set show-at-login=yes note=""
/ system gps
set enabled=no set-system-time=yes
/ system lcd
set enabled=no type=24x4 port=parallel contrast=0
/ system lcd page
set time display-time=5s disabled=yes
set resources display-time=5s disabled=yes
set uptime display-time=5s disabled=yes
set packets display-time=5s disabled=yes
set bits display-time=5s disabled=yes
set version display-time=5s disabled=yes
set Public display-time=5s disabled=yes
set Local display-time=5s disabled=yes
set Proxy display-time=5s disabled=yes
/ system ntp server
set enabled=no broadcast=no multicast=no manycast=yes
/ system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/ system routerboard bios
set
/ system health
set state-after-reboot=enabled
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
set serial1 name="serial1" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default \
use-encryption=default only-one=default change-tcp-mss=yes comment=""
set default-encryption name="default-encryption" use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=yes comment=""
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 \
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
add name="pcq-download" kind=pcq pcq-rate=0 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq-upload" kind=pcq pcq-rate=0 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="PFIFO-64" kind=pfifo pfifo-limit=64
add name="default-small" kind=pfifo pfifo-limit=10
add name="default-small" kind=pfifo pfifo-limit=10
/ queue simple
add name="Q.war.net" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0 \
interface=Local parent=none packet-marks=http direction=both priority=1 \
queue=ethernet-default/ethernet-default limit-at=0/768000 \
max-limit=0/768000 total-queue=default disabled=no
add name="Operator" target-addresses=192.168.0.18/32 dst-address=0.0.0.0/0 \
interface=Local parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/64000 total-queue=default disabled=yes
add name="Meja-1" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 \
interface=Local parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/48000 total-queue=default disabled=no
add name="Meja-2" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 \
interface=Local parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/48000 total-queue=default disabled=no
add name="Meja-3" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 \
interface=all parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/48000 total-queue=default disabled=no
add name="Meja-4" target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 \
interface=Local parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/48000 total-queue=default disabled=no
add name="Meja-5" target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 \
interface=Local parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/48000 total-queue=default disabled=no
add name="Meja-6" target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 \
interface=Local parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/48000 total-queue=default disabled=no
add name="Meja-7" target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 \
interface=Local parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/48000 total-queue=default disabled=no
add name="Meja-8" target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 \
interface=Local parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/48000 total-queue=default disabled=no
add name="Meja-9" target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 \
interface=Local parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/48000 total-queue=default disabled=no
add name="Meja-10" target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 \
interface=Local parent=Q.war.net packet-marks=http direction=both \
priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 \
max-limit=16000/48000 total-queue=default disabled=no
/ queue tree
add name="ICMP" parent=global-in packet-mark=ICMP-PM limit-at=8000 \
queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="DNS" parent=global-in packet-mark=DNS-PM limit-at=8000 \
queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="downstream" parent=Local packet-mark=Turun limit-at=0 \
queue=pcq-download priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="upstream" parent=global-in packet-mark=Naik limit-at=0 \
queue=pcq-upload priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" \
disabled=no
/ user group
add name=”read” policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!f\
tp,!write,!policy
add name=”write” policy=local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,!ftp,!policy
add name=”full” policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius incoming
set accept=yes port=1700
/ driver
/ snmp
set enabled=yes contact="admin" location="admin"
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=all only-headers=no memory-limit=10 file-name="" file-limit=10 streaming-enabled=no streaming-server=0.0.0.0 \
filter-stream=yes filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=5min
/ tool graphing queue
add simple-queue=all allow-address=0.0.0.0/0 store-on-disk=yes allow-target=yes disabled=no
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no \
redistribute-bgp=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate authentication=none prefix-list-import="" \
prefix-list-export="" disabled=no
/ routing bgp
set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no redistribute-connected=no redistribute-rip=no \
redistribute-ospf=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 \
metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
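Before an export like the one above is reused as a template, a few of its lines deserve a second look: the admin user is allowed from address=0.0.0.0/0, the SNMP community "public" is readable from 0.0.0.0/0, the bandwidth-test server is enabled, the graphing pages are viewable from any address, and the queue type default-small is added twice. The script below is an added example, not part of the original post and not RouterOS code: it parses the export format (section headers starting with "/", backslash-continued lines, key=value parameters) and flags exactly those settings. SAMPLE_EXPORT is a constructed excerpt of the export above, and the check wording is my own.

```python
"""Added example (not from the original page, not RouterOS code): parse a RouterOS
2.9-style '/export' dump and flag settings a reviewer would question.
SAMPLE_EXPORT is a constructed excerpt of the export above."""
import shlex
from collections import defaultdict

SAMPLE_EXPORT = """\
/ queue type
add name="default-small" kind=pfifo pfifo-limit=10
add name="default-small" kind=pfifo pfifo-limit=10
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" \\
    disabled=no
/ snmp
set enabled=yes contact="admin" location="admin"
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
"""


def parse_export(text):
    """Return a list of (section, verb, params) tuples.

    Section headers start with '/', a trailing backslash continues a command on
    the next line, and parameters are key=value tokens (values may be quoted).
    A bare token after the verb (e.g. 'set public ...') is kept as '_target'.
    """
    items, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line:
            continue
        if line.startswith("/"):
            section = line.lstrip("/ ").strip()
            continue
        verb, *tokens = shlex.split(line)
        params = {}
        for tok in tokens:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            else:
                params.setdefault("_target", tok)
        items.append((section, verb, params))
    return items


ANYWHERE = "0.0.0.0/0"


def audit(items):
    """Return human-readable findings for the parsed export."""
    findings = []
    seen = defaultdict(int)
    for section, verb, p in items:
        if verb == "add" and "name" in p:
            seen[(section, p["name"])] += 1
        if section == "snmp community" and p.get("address") == ANYWHERE and p.get("read-access") == "yes":
            findings.append(f"snmp community '{p.get('name')}' is readable from any address")
        if section == "user" and p.get("address") == ANYWHERE and p.get("disabled") != "yes":
            findings.append(f"user '{p.get('name')}' (group {p.get('group')}) may log in from any address")
        if section == "tool bandwidth-server" and p.get("enabled") == "yes":
            findings.append("bandwidth-test server is enabled (remote traffic generation)")
        if section.startswith("tool graphing") and p.get("allow-address") == ANYWHERE:
            findings.append(f"{section}: graphs are viewable from any address")
    for (section, name), count in seen.items():
        if count > 1:
            findings.append(f"{section}: '{name}' is added {count} times")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print("-", finding)
```

Feed it the whole export (after converting the blog's curly quotes back to straight ones) and it reports the same five classes of finding; restricting `address=` on the admin user and the SNMP community to the management subnet is the usual fix for the first two.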

C. proxy server setting

[root@proxy ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.1.255
HWADDR=00:02:B3:30:64:CD
IPADDR=192.168.1.3
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
TYPE=Ethernet

[root@proxy ~]# route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

[root@proxy ~]# cat /etc/resolv.conf
search oasis.war.net.id
nameserver 192.168.1.1
nameserver 203.130.193.74
nameserver 202.134.0.155
[root@proxy ~]#

Insert into /etc/named.conf (BIND forwarders; Squid's dns_nameservers below points at this local resolver):

forwarders {
192.168.1.1;
203.130.193.74;
202.134.0.155;
202.134.2.5;
};

[root@proxy ~]# cat /etc/squid/squid.conf
http_port 8080
#icp_port 3130

icp_query_timeout 0
maximum_icp_query_timeout 5000
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin ? localhost
acl QUERY urlpath_regex cgi-bin \? localhost

### Cache options
cache_mem 6 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 128 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB
ipcache_size 10240
ipcache_low 98
ipcache_high 99
fqdncache_size 256
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

### Squid tuning options
refresh_pattern -i \.(swf|png|jpg|jpeg|bmp|tiff|gif) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i \.(mov|mpg|mpeg|flv|avi|mp3|3gp|sis|wma) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i \.(zip|rar|ace|bz|bz2|tar|gz|exe) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i (.*html$|.*htm|.*shtml|.*aspx|.*asp) 43200 90% 1440 reload-into-ims override-lastmod
# refresh_pattern takes a regular expression, not a shell glob: "^http://*.google.*/.*"
# only matches URLs of the form http://google..., never www.google.com. "\." is a
# literal dot and ".*" before it matches any host prefix.
refresh_pattern ^http://.*\.google\..*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://.*korea.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://.*\.akamai\..*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://.*\.windowsmedia\..*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://.*\.googlesyndication\..*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://.*\.plasa\..*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://.*\.telkom\..*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://www\.friendster\.com/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://mail\.yahoo\.com/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://.*\.yahoo\..*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://.*\.yimg\..*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://.*\.gmail\..*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://.*\.detik\..*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^ftp: 43200 90% 129600 reload-into-ims override-expire
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod

### Cache directory
#cache_dir aufs /cache 20000 16 256
#cache_dir diskd /squid/cache 70000 16 256 Q1=72 Q2=88
cache_dir aufs /cache 30000 16 256

### Log
cache_access_log /var/log/squid/access.log
logfile_rotate 1
cache_log none
cache_store_log none
emulate_httpd_log off
log_ip_on_direct on
log_fqdn off
log_icp_queries off

### DNS server
dns_nameservers 127.0.0.1

quick_abort_min 0
quick_abort_max 0
quick_abort_pct 98%
negative_ttl 15 minute
positive_dns_ttl 24 hours
negative_dns_ttl 5 minutes
range_offset_limit 0 KB

### Timeout options
connect_timeout 1 minute
peer_connect_timeout 5 seconds
read_timeout 30 minute
request_timeout 1 minute
#client_lifetime 10 hour
half_closed_clients off
pconn_timeout 15 second
shutdown_lifetime 15 second

### ACL options
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl client src 192.168.0.0/24 192.168.1.0/29
acl file_terlarang url_regex -i hot_indonesia.exe
acl file_terlarang url_regex -i hotsurprise_id.exe
acl file_terlarang url_regex -i best-mp3-download.exe
acl file_terlarang url_regex -i R32.exe
acl file_terlarang url_regex -i rb32.exe
acl file_terlarang url_regex -i mp3.exe
acl file_terlarang url_regex -i HOTSEX.exe
acl file_terlarang url_regex -i Browser_Plugin.exe
acl file_terlarang url_regex -i DDialer.exe
acl file_terlarang url_regex -i od-teen
acl file_terlarang url_regex -i URLDownload.exe
acl file_terlarang url_regex -i od-stnd67.exe
acl file_terlarang url_regex -i Download_Plugin.exe
acl file_terlarang url_regex -i od-teen52.exe
acl file_terlarang url_regex -i malaysex
acl file_terlarang url_regex -i edita.html
acl file_terlarang url_regex -i info.exe
acl file_terlarang url_regex -i run.exe
acl file_terlarang url_regex -i Lovers2Go
acl file_terlarang url_regex -i GlobalDialer
acl file_terlarang url_regex -i WebDialer
acl file_terlarang url_regex -i britneynude
acl file_terlarang url_regex -i download.exe
acl file_terlarang url_regex -i backup.exe
acl file_terlarang url_regex -i GnoOS2003
acl file_terlarang url_regex -i wintrim.exe
acl file_terlarang url_regex -i MPREXE.EXE
acl file_terlarang url_regex -i exengd.EXE
acl file_terlarang url_regex -i xxxvideo.exe
acl file_terlarang url_regex -i Save.exe
acl file_terlarang url_regex -i ATLBROWSER.DLL
acl file_terlarang url_regex -i NawaL_rm
acl file_terlarang url_regex -i Socks32.dll
acl file_terlarang url_regex -i Sc32Lnch.exe
acl file_terlarang url_regex -i dat0.exe
acl IIX dst_as 7713 4622 4795 7597 4787 4800
#acl block url_regex -i \.(aiff|asf|avi|dif|divx|mov|movie|mp3|mpe?g?|mpv2|ogg|ra?m|snd|qt|wav|wmf|wmv)$
acl local-domain dstdomain localhost
acl Bad_ports port 7 9 11 19 22 23 25 53 110 119 513 514
acl Safe_ports port 21 70 80 210 443 488 563 591 777 1025-65535
acl Virus urlpath_regex winnt/system32/cmd.exe?
acl connect method CONNECT
acl post method POST
acl ssl method CONNECT
acl purge method PURGE
acl IpAddrProbeUA browser ^Mozilla/4.0.\(compatible;.MSIE.5.5;.Windows.98\)$
acl IpAddrProbeURL url_regex //[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$
# ACLs on one line are ANDed; "deny QUERY manager" would only apply to requests that
# are both dynamic and cache-manager requests. The Squid default is just QUERY.
no_cache deny QUERY

# Squid tries http_access lines top-down and stops at the first line whose ACLs all
# match (ACLs on one line are ANDed). The deny lines must therefore come before
# "allow client": with the allow first, every LAN client was accepted before
# Bad_ports, Virus and file_terlarang were ever checked, and a single line
# "deny Bad_ports Virus IpAddrProbeUA IpAddrProbeURL" only fired when all four matched.
http_access allow manager IIX Safe_ports
http_access deny !Safe_ports
http_access deny Bad_ports
http_access deny Virus
http_access deny IpAddrProbeUA IpAddrProbeURL
http_access deny file_terlarang
http_access allow client
http_access deny all

### Administrative parameters
cache_mgr support@oasis.war.net.id
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.oasis.war.net.id

### Accelerator options
memory_pools off
forwarded_for on
icp_hit_stale on
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 9900
netdb_high 10000
netdb_ping_period 30 seconds
query_icmp off
pipeline_prefetch on
reload_into_ims on
vary_ignore_expire on
max_open_disk_fds 100
nonhierarchical_direct on
prefer_direct off

### Transparent proxy support
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

### Limit the download file size
#reply_body_max_size 3512000 deny !client

### SNMP
#snmp_port 3401
#acl snmppublic snmp_community public
#snmp_access allow all

header_access User-Agent deny all
header_replace User-Agent Mozilla/5.0 (compatible; MSIE 6.0)
header_access Accept deny all
header_replace Accept */*
header_access Accept-Language deny all
header_replace Accept-Language id, en
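Squid evaluates http_access top-down and stops at the first line whose ACLs all match, which is why the order of the allow and deny lines decides what the file_terlarang list actually blocks. The Python model below is an added example, not Squid code and not part of the original post: it reimplements that first-match evaluation for the src, port, url_regex and urlpath_regex ACL types used above, then runs two orderings over constructed requests. ORIGINAL_ORDER places `allow client` before the deny lines, as the squid.conf above was first published; FIXED_ORDER puts the denies first. The ACL value lists are abbreviated from the page, the manager and IpAddrProbe lines are left out, and the host example.test is made up.

```python
"""Added example (not Squid code, not from the original page): first-match
evaluation of a Squid 2.x http_access list, used to compare two orderings.
ACL definitions are abbreviated from the squid.conf above; requests are constructed."""
import ipaddress
import re

# acl <name> <type> <values>, as in squid.conf (only the types needed here).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "client": ("src", ["192.168.0.0/24", "192.168.1.0/29"]),
    "file_terlarang": ("url_regex", ["hot_indonesia.exe", "best-mp3-download.exe", "DDialer.exe"]),
    "Bad_ports": ("port", [7, 9, 11, 19, 22, 23, 25, 53, 110, 119, 513, 514]),
    "Safe_ports": ("port", [21, 70, 80, 210, 443, 488, 563, 591, 777, (1025, 65535)]),
    "Virus": ("urlpath_regex", [r"winnt/system32/cmd\.exe"]),
}


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(req["port"] == v if isinstance(v, int) else v[0] <= req["port"] <= v[1]
                   for v in values)
    if kind == "url_regex":            # -i on the page: case-insensitive, whole URL
        return any(re.search(v, req["url"], re.IGNORECASE) for v in values)
    if kind == "urlpath_regex":        # path part only
        path = req["url"].split("/", 3)[3] if req["url"].count("/") >= 3 else ""
        return any(re.search(v, path) for v in values)
    raise ValueError(kind)


def evaluate(rules, req):
    """Squid semantics: lines are tried top-down; a line matches only if every
    ACL on it matches ('!' negates); the first matching line decides.  If no
    line matches, the opposite of the last line's action is applied."""
    for action, names in rules:
        if all(acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Order as first published: the LAN is allowed before anything is denied.
ORIGINAL_ORDER = [
    ("allow", ["client"]),
    ("deny", ["Bad_ports", "Virus"]),   # ANDed on one line, so it almost never fires
    ("deny", ["file_terlarang"]),
    ("deny", ["all"]),
]

# Denies first, one condition per line, then the LAN allow, then a final deny.
FIXED_ORDER = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["Bad_ports"]),
    ("deny", ["Virus"]),
    ("deny", ["file_terlarang"]),
    ("allow", ["client"]),
    ("deny", ["all"]),
]

# Constructed requests; "port" is the destination port of the request URL.
SAMPLE_REQUESTS = {
    "lan_forbidden_exe": {"src": "192.168.0.5", "url": "http://example.test/hot_indonesia.exe", "port": 80},
    "lan_html": {"src": "192.168.0.5", "url": "http://example.test/index.html", "port": 80},
    "lan_smtp_port": {"src": "192.168.0.5", "url": "http://example.test:25/", "port": 25},
    "lan_cmd_exe": {"src": "192.168.1.2", "url": "http://example.test/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", "port": 80},
    "outside_html": {"src": "10.9.8.7", "url": "http://example.test/index.html", "port": 80},
}


def decisions(rules):
    """Map each sample request name to the http_access decision under `rules`."""
    return {name: evaluate(rules, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        print(f"{name:20s} original={decisions(ORIGINAL_ORDER)[name]:5s} fixed={decisions(FIXED_ORDER)[name]}")
```

Under ORIGINAL_ORDER every LAN request is allowed, including the forbidden .exe, the cmd.exe probe and a request to port 25; only the non-LAN client is denied. Under FIXED_ORDER those three are denied and ordinary LAN browsing is still allowed.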


Speedy for Games + Internet Browsing

internet
  ||  public IP
  ||
modem (192.168.5.1)
  ||
hub
  ||=============||========= LAN (private IP)
mikrotik       proxy
192.168.5.2    192.168.5.3


[admin@Primadona.net] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=Public action=masquerade

1 chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.5.3 to-ports=8080

2 chain=dstnat protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.5.3 to-ports=3128

3 chain=dstnat protocol=tcp dst-port=3128 action=dst-nat to-addresses=192.168.5.3 to-ports=8080

[admin@Primadona.net] ip address> print

Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 X 192.168.0.2/24 192.168.0.0 192.168.0.255 Public
1 192.168.5.2/29 192.168.5.0 192.168.5.7 Public
2 192.168.0.2/24 192.168.0.0 192.168.0.255 Local
[admin@Primadona.net] ip address>
[admin@Primadona.net] ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
0 ADC 192.168.0.0/24 192.168.0.2 Local
1 ADC 192.168.5.0/29 192.168.5.2 Public
2 A S 0.0.0.0/0 r 192.168.5.1 Public
[admin@Primadona.net] ip route>

[admin@Primadona.net] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop invalid connections
chain=input connection-state=invalid action=drop

1 ;;; Allow established connections
chain=input connection-state=established action=accept

2 ;;; Allow related connections
chain=input connection-state=related action=accept

3 ;;; Allow UDP
chain=input protocol=udp action=accept

4 ;;; Allow ICMP
chain=input protocol=icmp action=accept

5 ;;; Allow connection to router from local network
chain=input in-interface=!Public action=accept

6 ;;; Drop everything else
chain=input action=drop

7 chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s

8 chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=safe
address-list-timeout=15m

9 ;;; accept established connection packets
chain=input connection-state=established action=accept

10 ;;; accept related connection packets
chain=input connection-state=related action=accept

11 ;;; drop invalid packets
chain=input connection-state=invalid action=drop

12 ;;; detect and drop port scan connections
chain=input protocol=tcp psd=21,3s,3,1 action=drop

13 ;;; suppress DoS attack
chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit

14 ;;; detect DoS attack
chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list
address-list-timeout=1d

15 ;;; jump to chain ICMP
chain=input protocol=icmp action=jump jump-target=ICMP

16 ;;; jump to chain services
chain=input action=jump jump-target=services

17 ;;; Allow Broadcast Traffic
chain=input dst-address-type=broadcast action=accept

18 chain=input action=log log-prefix="Filter:"

19 ;;; Allow access to router from known network
chain=input action=accept

20 chain=input src-address=192.168.0.0/24 action=accept

21 chain=input src-address=192.168.5.0/26 action=accept

22 ;;; drop everything else
chain=input action=drop

23 ;;; 0:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept

24 ;;; 3:3 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept

25 ;;; 3:4 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept

26 ;;; 8:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept

27 ;;; 11:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept

28 ;;; Drop everything else
chain=ICMP protocol=icmp action=drop

29 ;;; Port scanners to list
chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

30 ;;; NMAP FIN Stealth scan
chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w

31 ;;; SYN/FIN scan
chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

32 ;;; SYN/RST scan
chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

33 ;;; FIN/PSH/URG scan
chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w

34 ;;; ALL/ALL scan
chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

35 ;;; NMAP NULL scan
chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w

36 ;;; dropping port scanners
chain=input src-address-list=port scanners action=drop

37 ;;; allow established connections
chain=forward connection-state=established action=accept

38 ;;; allow related connections
chain=forward connection-state=related action=accept

39 ;;; drop invalid connections
chain=forward connection-state=invalid action=drop

40 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=135-139 action=drop

41 ;;; Drop Messenger Worm
chain=virus protocol=udp dst-port=135-139 action=drop

42 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=445 action=drop

43 ;;; Drop Blaster Worm
chain=virus protocol=udp dst-port=445 action=drop

44 ;;; ________
chain=virus protocol=tcp dst-port=593 action=drop

45 ;;; ________
chain=virus protocol=tcp dst-port=1024-1030 action=drop

46 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=1080 action=drop

47 ;;; ________
chain=virus protocol=tcp dst-port=1214 action=drop

48 ;;; ndm requester
chain=virus protocol=tcp dst-port=1363 action=drop

49 ;;; ndm server
chain=virus protocol=tcp dst-port=1364 action=drop

50 ;;; screen cast
chain=virus protocol=tcp dst-port=1368 action=drop

51 ;;; hromgrafx
chain=virus protocol=tcp dst-port=1373 action=drop

52 ;;; cichlid
chain=virus protocol=tcp dst-port=1377 action=drop

53 ;;; Worm
chain=virus protocol=tcp dst-port=1433-1434 action=drop

54 ;;; Bagle Virus
chain=virus protocol=tcp dst-port=2745 action=drop

55 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=2283 action=drop

56 ;;; Drop Beagle
chain=virus protocol=tcp dst-port=2535 action=drop

57 ;;; Drop Beagle.C-K
chain=virus protocol=tcp dst-port=2745 action=drop

58 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=3127 action=drop

59 ;;; Drop Backdoor OptixPro
chain=virus protocol=tcp dst-port=3410 action=drop

60 ;;; Worm
chain=virus protocol=tcp dst-port=4444 action=drop

61 ;;; Worm
chain=virus protocol=udp dst-port=4444 action=drop

62 ;;; Drop Sasser
chain=virus protocol=tcp dst-port=5554 action=drop

63 ;;; Drop Beagle.B
chain=virus protocol=tcp dst-port=8866 action=drop

64 ;;; Drop Dabber.A-B
chain=virus protocol=tcp dst-port=9898 action=drop

65 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=10000 action=drop

66 ;;; Drop MyDoom.B
chain=virus protocol=tcp dst-port=10080 action=drop

67 ;;; Drop NetBus
chain=virus protocol=tcp dst-port=12345 action=drop

68 ;;; Drop Kuang2
chain=virus protocol=tcp dst-port=17300 action=drop

69 ;;; Drop SubSeven
chain=virus protocol=tcp dst-port=27374 action=drop

70 ;;; Drop PhatBot, Agobot, Gaobot
chain=virus protocol=tcp dst-port=65506 action=drop

71 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus
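RouterOS evaluates a chain top-down and the first terminating rule wins. In the input chain above, rule 6 (`chain=input action=drop` with no other matcher) terminates every packet that reaches it, so rules 7 through 22 (the port-knocking rules, port-scan and DoS detection, the jumps to the ICMP and services chains, the log rule) can never match; likewise rule 4 accepts all ICMP before rule 15 would jump to the ICMP chain, so rules 23 to 28 never run either. The script below is an added example, not RouterOS code and not part of the original post: it parses the `print` output format (index line, optional `;;;` comment, key=value matchers on the following line) and reports rules that an earlier terminating rule in the same chain already covers. "Covers" is approximated as "every matcher of the earlier rule appears in the later rule with the same value", which never reports a reachable rule but can miss shadowing that would need range or subnet reasoning. SAMPLE_PRINT is a constructed subset of the filter print above.

```python
"""Added example (not RouterOS code, not from the original page): find firewall
rules that can never match because an earlier terminating rule in the same
chain already covers them.  SAMPLE_PRINT is a constructed subset of the
'/ip firewall filter print' output above."""
import re

SAMPLE_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop invalid connections
chain=input connection-state=invalid action=drop

1 ;;; Allow established connections
chain=input connection-state=established action=accept

2 ;;; Allow related connections
chain=input connection-state=related action=accept

3 ;;; Allow UDP
chain=input protocol=udp action=accept

4 ;;; Allow ICMP
chain=input protocol=icmp action=accept

5 ;;; Allow connection to router from local network
chain=input in-interface=!Public action=accept

6 ;;; Drop everything else
chain=input action=drop

7 chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s

15 ;;; jump to chain ICMP
chain=input protocol=icmp action=jump jump-target=ICMP

19 ;;; Allow access to router from known network
chain=input action=accept

20 chain=input src-address=192.168.0.0/24 action=accept

22 ;;; drop everything else
chain=input action=drop

23 ;;; 0:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept

36 ;;; dropping port scanners
chain=input src-address-list=port scanners action=drop

37 ;;; allow established connections
chain=forward connection-state=established action=accept
"""

INLINE = re.compile(r"^(\d+)\s+(chain=.*)$")      # "7 chain=input ..."
HEADER = re.compile(r"^(\d+)\s*(?:;;;\s*(.*))?$")  # "0 ;;; comment" or bare "0"
META = ("_idx", "_comment", "action")              # keys that are not matchers
TERMINATING = {"accept", "drop", "reject", "tarpit"}


def _add_matchers(rule, chunk):
    """Parse 'key=value' tokens; a bare token continues the previous value
    (print output shows address-list=port scanners without quotes)."""
    last = None
    for tok in chunk.split():
        if "=" in tok:
            last, value = tok.split("=", 1)
            rule[last] = value
        elif last:
            rule[last] += " " + tok


def parse_print(text):
    rules, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INLINE.match(line)
        if m:
            cur = {"_idx": int(m.group(1)), "_comment": ""}
            rules.append(cur)
            _add_matchers(cur, m.group(2))
            continue
        m = HEADER.match(line)
        if m:
            cur = {"_idx": int(m.group(1)), "_comment": m.group(2) or ""}
            rules.append(cur)
        elif cur is not None and "=" in line:
            _add_matchers(cur, line)
    return rules


def shadowed_rules(rules):
    """Return (rule_index, shadowing_index) pairs.  Rule B is unreachable when an
    earlier rule A in the same chain has a terminating action and every matcher
    of A appears in B with the same value (A matches at least everything B does)."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier["chain"] != later["chain"] or earlier.get("action") not in TERMINATING:
                continue
            if all(later.get(k) == v for k, v in earlier.items() if k not in META):
                found.append((later["_idx"], earlier["_idx"]))
                break
    return found


if __name__ == "__main__":
    for idx, by in shadowed_rules(parse_print(SAMPLE_PRINT)):
        print(f"rule {idx} can never match: rule {by} already terminates those packets")
```

Run against the full print it reports every input-chain rule after 6 as shadowed by 6 (the address-list actions in 7 and 8 are non-terminating, so they would fall through to 6 even if they came first), and rule 15 as shadowed by 4. The fix is ordering: the knock, scan-detection and jump rules belong above the catch-all drop, and rule 4 should be replaced by the jump so the rate-limited ICMP chain is actually used.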
