# Addressing. ether1 carries the 192.168.1.0/24 link towards the upstream
# modem ("To Gateway") and is also the interface the PPPoE client further
# down dials on; ether2..ether5 are four separate /24 LAN segments with the
# router as .1 on each.
/ip address add interface=ether1 address=192.168.1.2/24 comment="To Gateway"
/ip address add interface=ether2 address=192.168.2.1/24
/ip address add interface=ether3 address=192.168.3.1/24
/ip address add interface=ether4 address=192.168.4.1/24
/ip address add interface=ether5 address=192.168.5.1/24
# PPPoE session to the ISP over ether1; it installs the default route and
# takes the ISP's DNS servers (use-peer-dns=yes).
# The ISP login is stored inline: anyone who can read this export can read
# the credentials (the values on this page are already masked -- keep them
# that way in anything you publish).
# allow=pap,... lets the peer choose PAP, which sends the password in clear
# text on the link; narrowing it to chap/mschap2 is preferable if the ISP
# accepts it -- confirm before changing, or the session will not come up.
# 1480 keeps MTU/MRU under the usual 1492 PPPoE ceiling; mrru=disabled turns
# off multilink.
/interface pppoe-client add name="Speedy-PPPoE1" interface=ether1 \
    user="id 14xxxxxxxxxxxxxxxx@telkom.net" password="xxxxxxYYxx" \
    allow=pap,chap,mschap1,mschap2 profile=default \
    max-mtu=1480 max-mru=1480 mrru=disabled \
    add-default-route=yes use-peer-dns=yes dial-on-demand=no
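# /ip firewall nat (the original used the abbreviated path "/ip fi na").
#
# Interface names: the interfaces this page defines are ether1..ether5
# (/ip address) and the PPPoE client "Speedy-PPPoE1", and the filter rules
# later on the page also use "Speedy-PPPoE1". The NAT rules originally
# referred to "pppoe-out1", "ether1-inet" and "ether2-warnet", which are not
# defined anywhere on this page, so those rules could never match. They are
# mapped here onto the defined names (PPPoE -> Speedy-PPPoE1, ether1-inet ->
# ether1, ether2-warnet -> ether2, where the 192.168.2.x PCs live). If the
# ethernets were renamed in a part of the config not shown here, use the
# renamed values instead.
/ip firewall nat
# Source NAT for LAN clients leaving through the PPPoE session or via ether1.
add chain=srcnat out-interface=Speedy-PPPoE1 action=masquerade comment=ppoe
add chain=srcnat out-interface=ether1 action=masquerade
# Transparent redirection for the LAN on ether2: DNS -> unbound, HTTP -> squid,
# both on 192.168.3.2 (the ether3 segment). Only UDP/53 is caught, so DNS over
# TCP/53 bypasses the resolver; hosts on ether4/ether5 bypass both.
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.3.2 to-ports=53 comment=unbound
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.3.2 to-ports=3128 comment=squid
# Port forwards from the Internet to LAN hosts. Each of these exposes a LAN
# service to every address on the Internet; add src-address / src-address-list
# to each rule where the set of remote clients is known. TCP/5900 is VNC --
# a password-only service that is a constant brute-force target when exposed;
# reaching it over a VPN is preferable to forwarding it.
add chain=dstnat in-interface=Speedy-PPPoE1 protocol=tcp dst-port=50 action=dst-nat to-addresses=192.168.2.4 to-ports=50 comment=server
add chain=dstnat in-interface=Speedy-PPPoE1 protocol=tcp dst-port=100 action=dst-nat to-addresses=192.168.2.4 to-ports=100
# Matches by destination address (the ether1 address) rather than interface.
add chain=dstnat dst-address=192.168.1.2 protocol=tcp dst-port=9999 action=dst-nat to-addresses=192.168.2.12 to-ports=9999
add chain=dstnat in-interface=Speedy-PPPoE1 protocol=tcp dst-port=5900 action=dst-nat to-addresses=192.168.2.4 to-ports=5900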
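/ip firewall mangle
# ICMP gets its own packet mark; passthrough=no means it never reaches the
# per-PC marking below.
add chain=prerouting protocol=icmp action=mark-packet new-packet-mark=icmp passthrough=no comment=icmp
# Packets already carrying DSCP 12 (presumably set by the squid box on cache
# hits -- confirm on the proxy) are marked "squid" so the queue tree can
# leave them unshaped.
add chain=prerouting dscp=12 action=mark-packet new-packet-mark=squid passthrough=no comment=squid
# One connection mark plus packet mark per PC 192.168.2.2 .. 192.168.2.35.
# Marking the connection from the PC's own (upload) side means the reply
# packets coming back from the Internet carry the same mark, which is what
# the download queues on the LAN interface match on.
# Fix: the original read "add action mark-connection ..." (missing "="),
# which is not valid RouterOS syntax, so none of the pcN marks were created.
:for e from=2 to=35 do={
  /ip firewall mangle
  add chain=prerouting src-address="192.168.2.$e" action=mark-connection new-connection-mark="pc$e"
  add chain=prerouting connection-mark="pc$e" action=mark-packet new-packet-mark="pc$e" passthrough=no
}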
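# Download shaping towards the PC LAN. The original parent "ether2-warnet" is
# not defined on this page; the 192.168.2.x PCs are on ether2 (/ip address),
# so that is used here. Adjust if the interface was renamed elsewhere.
/queue tree
# Cache-hit traffic marked "squid" by the mangle rule is not rate-limited
# (no max-limit on this queue).
add name=squid parent=ether2 packet-mark=squid
# Everything else shares a 2M downlink ceiling.
add name=Downlink parent=ether2 max-limit=2M
# Per-destination fairness inside each PC's queue. pcq-rate=1024k is above
# the 512k max-limit of every child below, so the per-address cap never
# binds; each PC is simply capped at 512k in total.
/queue type add name=PCQ-1Mbps kind=pcq pcq-rate=1024k pcq-classifier=dst-address
# One child per PC. limit-at is the bandwidth each child is guaranteed when
# the parent is saturated, so the limit-at values must add up to no more than
# the parent's max-limit. The original used 80k: 34 x 80k = 2720k > 2M, so
# the guarantees could not all be honoured. 2M / 34 ~= 58k keeps the total
# (34 x 58k = 1972k) inside the parent limit.
:for e from=2 to=35 do={
  /queue tree
  add name="pc$e" parent=Downlink packet-mark="pc$e" queue=PCQ-1Mbps limit-at=58k max-limit=512k
}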
/ip firewall filter
# Port-scan detection on the router's own input chain. Each detection rule
# only records the sender in the "port scanners" list (two weeks); the last
# rule drops everything from listed sources. Two caveats:
#  - no in-interface is given, so a LAN host that runs a scan (or a
#    mis-behaving application) is locked out of the router for two weeks too;
#  - the same detection is repeated later on this page, restricted to the
#    PPPoE interface and feeding a differently named list ("port_scanners"),
#    so Internet scanners end up in both lists.
# psd=21,3s,3,1: weight threshold 21 within 3s, low ports weigh 3, high ports 1.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w disabled=no comment="Port scanners to list "
# TCP flag combinations no normal stack sends (nmap FIN/NULL/Xmas style probes).
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
# Listed sources are dropped on every interface.
add chain=input src-address-list="port scanners" action=drop disabled=no comment="dropping port scanners"
/ip firewall filter
# Forward chain: packets of already-tracked connections are let through
# first, so the per-port drop rules further down only ever decide on new
# connections.
add chain=forward connection-state=established action=accept disabled=no comment="allow established connections"
add chain=forward connection-state=related action=accept disabled=no comment="allow related connections"
# FTP brute-force limiter for the router's OWN ftp service (port 21 on the
# PPPoE side). Detection runs on the output chain by looking for the
# "530 Login incorrect" reply the router sends: 1 per minute with a burst of
# 9 per client address is tolerated; beyond that the client goes into
# FTP_BlackList for a day and the first rule drops its further connections
# to port 21 from the Internet. This protects nothing behind the router,
# only the router's ftp daemon; if that service is not needed, switching it
# off in /ip service is the simpler protection.
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp dst-port=21 src-address-list=FTP_BlackList action=drop disabled=no comment="drop FTP Brute Forcers"
add chain=output protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m action=accept disabled=no comment=""
add chain=output protocol=tcp content="530 Login incorrect" action=add-dst-to-address-list address-list=FTP_BlackList address-list-timeout=1d disabled=no comment=""
# SSH/telnet connection-rate limiter for the router's own services on ports
# 22-23 from the PPPoE side. The rules must stay in this order: a source is
# promoted SSH_BlackList_1 -> _2 -> _3 -> IP_BlackList on its 1st, 2nd, 3rd
# and 4th NEW connection while the one-minute entries are still live, and
# IP_BlackList (1 day) is what the first rule drops. It counts connections,
# not passwords: one accepted SSH session may still allow several password
# attempts. Port 23 (telnet, clear-text credentials) is better switched off
# in /ip service than rate-limited.
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp dst-port=22-23 src-address-list=IP_BlackList action=drop disabled=no comment="drop SSH Brute Forcers"
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp dst-port=22-23 connection-state=new src-address-list=SSH_BlackList_3 action=add-src-to-address-list address-list=IP_BlackList address-list-timeout=1d disabled=no comment=""
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp dst-port=22-23 connection-state=new src-address-list=SSH_BlackList_2 action=add-src-to-address-list address-list=SSH_BlackList_3 address-list-timeout=1m disabled=no comment=""
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp dst-port=22-23 connection-state=new src-address-list=SSH_BlackList_1 action=add-src-to-address-list address-list=SSH_BlackList_2 address-list-timeout=1m disabled=no comment=""
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp dst-port=22-23 connection-state=new action=add-src-to-address-list address-list=SSH_BlackList_1 address-list-timeout=1m disabled=no comment=""
# Port-scan detection restricted to the PPPoE interface, feeding the
# "port_scanners" list (12h for the psd heuristic, 1 day for the bogus
# TCP-flag probes). The drop rule comes first, so a listed source is blocked
# before its packets are evaluated again. Apart from the interface
# restriction and the list name this duplicates the "port scanners" block
# earlier on this page -- keeping one of the two is enough.
add chain=input in-interface=Speedy-PPPoE1 src-address-list=port_scanners action=drop disabled=no comment="drop port scanners"
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port_scanners address-list-timeout=12h disabled=no comment=""
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d disabled=no comment=""
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d disabled=no comment=""
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d disabled=no comment=""
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d disabled=no comment=""
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d disabled=no comment=""
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d disabled=no comment=""
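# Router-side ICMP: accept up to 50 pings per 5s (burst 2) from the Internet.
# On its own this rule limited nothing, because no later rule dropped the
# excess; the "drop everything else from WAN" rule added at the end of this
# block is what turns it into a limit.
add chain=input in-interface=Speedy-PPPoE1 protocol=icmp limit=50/5s,2 action=accept disabled=no comment="Allow limited pings"
# Forward-chain port blocks. They sit after the established/related accepts
# at the top of the chain, so they only stop new connections (the src-port
# variants matter only for connections initiated from those ports).
# Windows RPC/NetBIOS/SMB ports in both directions (Conficker spreads over
# 445 and 135-139).
add chain=forward protocol=udp src-port=135-139 action=drop disabled=no comment=";;Block W32.Kido - Conficker"
add chain=forward protocol=udp dst-port=135-139 action=drop disabled=no comment=""
add chain=forward protocol=udp src-port=445 action=drop disabled=no comment=""
add chain=forward protocol=udp dst-port=445 action=drop disabled=no comment=""
add chain=forward protocol=tcp src-port=135-139 action=drop disabled=no comment=""
add chain=forward protocol=tcp dst-port=135-139 action=drop disabled=no comment=""
add chain=forward protocol=tcp src-port=445 action=drop disabled=no comment=""
add chain=forward protocol=tcp dst-port=445 action=drop disabled=no comment=""
# Ports 4691, 5933, 4647 and 7777: no rationale is given for these on this
# page; document why each is blocked before carrying them over.
add chain=forward protocol=tcp dst-port=4691 action=drop disabled=no comment=""
add chain=forward protocol=tcp dst-port=5933 action=drop disabled=no comment=""
add chain=forward protocol=udp dst-port=5355 action=drop disabled=no comment="Blok LLMNR"
add chain=forward protocol=udp dst-port=4647 action=drop disabled=no comment=""
# "SMTP Deny": no LAN host may open connections to port 25 anywhere
# (outbound spam-bot mail). This also blocks legitimate mail clients that use
# port 25; submission on 587/465 is unaffected.
add chain=forward protocol=tcp src-port=25 action=drop disabled=no comment="SMTP Deny"
add chain=forward protocol=tcp dst-port=25 action=drop disabled=no comment=""
add chain=forward protocol=tcp dst-port=7777 action=drop disabled=no comment=""
# Conventionally placed before the accept rules, but functionally fine here:
# an invalid packet never matches established/related, so it still reaches
# this rule.
add chain=forward connection-state=invalid action=drop disabled=no comment="drop invalid connections"
# --- Added: terminate the router's input chain on the Internet side -------
# The original page had no terminating rule on input, so every service the
# router listens on (winbox, www, api, ftp, ssh, telnet, ...) was reachable
# from the Internet, limited only by the brute-force lists above. Replies to
# the router's own traffic (ISP DNS answers etc.) are accepted first, then
# the two services this page evidently intends to expose (ftp 21 and ssh 22
# -- the brute-force rules above only make sense if they are reachable), then
# everything else arriving on the PPPoE interface is dropped. Telnet (23) is
# deliberately not opened: it carries credentials in clear text; switch it
# off in /ip service. Add any further accepts you need (ideally with a
# src-address-list of admin addresses) ABOVE the final drop before importing
# this, or remote administration will be cut off.
add chain=input connection-state=established action=accept comment="accept established to router"
add chain=input connection-state=related action=accept comment="accept related to router"
add chain=input connection-state=invalid action=drop comment="drop invalid to router"
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp dst-port=21 action=accept comment="ftp from WAN (rate-limited above)"
add chain=input in-interface=Speedy-PPPoE1 protocol=tcp dst-port=22 action=accept comment="ssh from WAN (rate-limited above)"
add chain=input in-interface=Speedy-PPPoE1 action=drop comment="drop everything else from WAN"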
Still needs to be cross-checked (tinggal kroscek), hehe :p