internet
||public ip
||
modem
||192.168.5.1
hub
||===========||========= LAN ip Private
mikrotik 192.168.5.2          proxy 192.168.5.3
[admin@Primadona.net] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=Public action=masquerade
1 chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.5.3 to-ports=8080
2 chain=dstnat protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.5.3 to-ports=3128
3 chain=dstnat protocol=tcp dst-port=3128 action=dst-nat to-addresses=192.168.5.3 to-ports=8080
[admin@Primadona.net] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 X 192.168.0.2/24 192.168.0.0 192.168.0.255 Public
1 192.168.5.2/29 192.168.5.0 192.168.5.7 Public
2 192.168.0.2/24 192.168.0.0 192.168.0.255 Local
[admin@Primadona.net] ip address>
[admin@Primadona.net] ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
0 ADC 192.168.0.0/24 192.168.0.2 Local
1 ADC 192.168.5.0/29 192.168.5.2 Public
2 A S 0.0.0.0/0 r 192.168.5.1 Public
[admin@Primadona.net] ip route>
[admin@Primadona.net] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop invalid connections
chain=input connection-state=invalid action=drop
1 ;;; Allow established connections
chain=input connection-state=established action=accept
2 ;;; Allow related connections
chain=input connection-state=related action=accept
3 ;;; Allow UDP
chain=input protocol=udp action=accept
4 ;;; Allow ICMP
chain=input protocol=icmp action=accept
5 ;;; Allow connection to router from local network
chain=input in-interface=!Public action=accept
6 ;;; Drop everything else (unconditional drop: the input-chain rules listed after this one are never reached)
chain=input action=drop
7 chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s
8 chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=safe
address-list-timeout=15m
9 ;;; accept established connection packets
chain=input connection-state=established action=accept
10 ;;; accept related connection packets
chain=input connection-state=related action=accept
11 ;;; drop invalid packets
chain=input connection-state=invalid action=drop
12 ;;; detect and drop port scan connections
chain=input protocol=tcp psd=21,3s,3,1 action=drop
13 ;;; suppress DoS attack
chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit
14 ;;; detect DoS attack
chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list
address-list-timeout=1d
15 ;;; jump to chain ICMP
chain=input protocol=icmp action=jump jump-target=ICMP
16 ;;; jump to chain services
chain=input action=jump jump-target=services
17 ;;; Allow Broadcast Traffic
chain=input dst-address-type=broadcast action=accept
18 chain=input action=log log-prefix="Filter:"
19 ;;; Allow access to router from known network (no src-address match on this rule, so it accepts from any source)
chain=input action=accept
20 chain=input src-address=192.168.0.0/24 action=accept
21 chain=input src-address=192.168.5.0/26 action=accept
22 ;;; drop everything else
chain=input action=drop
23 ;;; 0:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
24 ;;; 3:3 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept
25 ;;; 3:4 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept
26 ;;; 8:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
27 ;;; 11:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
28 ;;; Drop everything else
chain=ICMP protocol=icmp action=drop
29 ;;; Port scanners to list
chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w
30 ;;; NMAP FIN Stealth scan
chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w
31 ;;; SYN/FIN scan
chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w
32 ;;; SYN/RST scan
chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w
33 ;;; FIN/PSH/URG scan
chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w
34 ;;; ALL/ALL scan
chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w
35 ;;; NMAP NULL scan
chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w
36 ;;; dropping port scanners
chain=input src-address-list=port scanners action=drop
37 ;;; allow established connections
chain=forward connection-state=established action=accept
38 ;;; allow related connections
chain=forward connection-state=related action=accept
39 ;;; drop invalid connections
chain=forward connection-state=invalid action=drop
40 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=135-139 action=drop
41 ;;; Drop Messenger Worm
chain=virus protocol=udp dst-port=135-139 action=drop
42 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=445 action=drop
43 ;;; Drop Blaster Worm
chain=virus protocol=udp dst-port=445 action=drop
44 ;;; ________
chain=virus protocol=tcp dst-port=593 action=drop
45 ;;; ________
chain=virus protocol=tcp dst-port=1024-1030 action=drop
46 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=1080 action=drop
47 ;;; ________
chain=virus protocol=tcp dst-port=1214 action=drop
48 ;;; ndm requester
chain=virus protocol=tcp dst-port=1363 action=drop
49 ;;; ndm server
chain=virus protocol=tcp dst-port=1364 action=drop
50 ;;; screen cast
chain=virus protocol=tcp dst-port=1368 action=drop
51 ;;; hromgrafx
chain=virus protocol=tcp dst-port=1373 action=drop
52 ;;; cichlid
chain=virus protocol=tcp dst-port=1377 action=drop
53 ;;; Worm
chain=virus protocol=tcp dst-port=1433-1434 action=drop
54 ;;; Bagle Virus
chain=virus protocol=tcp dst-port=2745 action=drop
55 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=2283 action=drop
56 ;;; Drop Beagle
chain=virus protocol=tcp dst-port=2535 action=drop
57 ;;; Drop Beagle.C-K
chain=virus protocol=tcp dst-port=2745 action=drop
58 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=3127 action=drop
59 ;;; Drop Backdoor OptixPro
chain=virus protocol=tcp dst-port=3410 action=drop
60 ;;; Worm
chain=virus protocol=tcp dst-port=4444 action=drop
61 ;;; Worm
chain=virus protocol=udp dst-port=4444 action=drop
62 ;;; Drop Sasser
chain=virus protocol=tcp dst-port=5554 action=drop
63 ;;; Drop Beagle.B
chain=virus protocol=tcp dst-port=8866 action=drop
64 ;;; Drop Dabber.A-B
chain=virus protocol=tcp dst-port=9898 action=drop
65 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=10000 action=drop
66 ;;; Drop MyDoom.B
chain=virus protocol=tcp dst-port=10080 action=drop
67 ;;; Drop NetBus
chain=virus protocol=tcp dst-port=12345 action=drop
68 ;;; Drop Kuang2
chain=virus protocol=tcp dst-port=17300 action=drop
69 ;;; Drop SubSeven
chain=virus protocol=tcp dst-port=27374 action=drop
70 ;;; Drop PhatBot, Agobot, Gaobot
chain=virus protocol=tcp dst-port=65506 action=drop
71 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus
Minggu, 20 April 2008
Speedy Buat Game + Internetan
Label:
Mikrotik,
Networking,
Security