Tutorial, Internet, Hardware, Software, Os, Linux, Android, Security, Mikrotik

22 December, 2010

Win ARP attacker. Bagi teman2 yang suka jahilin orang di local network, mungkin sudah tahu keampuhan tool ini,Win ARP attacker. Tool ini sangat ampuh untuk melumpuhkan suatu jaringan local dengan cepat plus cara yang sangat mudah. Tinggal scan, lalu pilih attack type, kemudian lancarkan serangan. Nie ada beberapa screenshotnya:

[Image: 3743725-holder-c282f3624fe84a704ebc142bcfaa41d5.jpg]

[Image: 3743728-holder-112b177c982f5c6a6fbb2516d5a9847d.jpg]
[Image: 3743732-holder-ea29abc6125eb1cbd12eb9a6faac6feb.jpg]
[Image: 3743736-holder-476d4735075683cb6d0775a9a5d83571.jpg]
[Image: 3743777-holder-7417cd7e7d20da46730c0c3b427934aa.jpg]

Klo ada yang berminat mencoba silakan sedot di sini
Ane gak bermaksud ngajak jahil lho,cuma bagi ilmu n pengalaman aja...AlienAlien

Flooding Tester

Wednesday, December 22, 2010 0 Comments
flooding pake tools lanAttacker
download link
http://www.4shared.com/file/98817918/29a...rr=no-sess

kalau udah download lang sung aja stef by steff

1 .buka file lan attacker yang tadi di download

[Image: lanns.jpg]

terus langsung klik install...nah kalau udah selesai install baru klik attack

2. setelah terbuka programnya terus klik scan
[Image: anattcker.jpg]


3. kemudian klik option - adapter buat setting file seberapa gede yang mau dikirim ke komputer target
[Image: 75751441.jpg]

4.nah dah selesai setting konfigurasinya kita langsung aja floodin target kebetulan yang mau ane isengin komputer no 4 dengan ip 192.168.1.14
setelah itu ceklist di ip tersebut terus klik kanan kemudian klik flood


[Image: lanaatck.jpg]

5. kemudian lihat hasil dikomputer korban
[Image: flooding.jpg]

hehheheh.....ne hanya untuk pembelajaran..tinggal di explore lagi biar tambah ajib..... ok

firewall di linux

Wednesday, December 22, 2010 0 Comments
### IPTABLES ###
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
-------------------------------------------------------------------
klo nda salah baris diatas untuk ngeflush semua rule iptables baik itu rule nat rule mark dan rule2 lain, terus di lanjutkan dengan mengaktifkan semua rule policy ..

-------------------------------------------------------------------
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6969
iptables -t nat -A PREROUTING -s 192.168.2.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6969
iptables -t nat -A PREROUTING -s 192.168.3.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6969
iptables -t nat -A PREROUTING -s 117.103.59.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6969
--------------------------------------------------
klo nda salah bari 4 diatas ini untuke meNAT ip2 localnet , dan me redirect aksess port 80 ke port 6969 , mungkin ini di gunakan untuk squid proxy..

-------------------------------------------------------------------
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 117.103.59.0/24 -d 0.0.0.0/0 -j MASQUERADE
---------------------------------------------------------------------
klo untuk inie kira2 me nat iplocalnet untuk mengakses ke semua jenis ip dan mengisinkan keluar ke internet klo ini di gunakan untuk buat router kira2 sih..hwhwh
-----------------------------------------------------------------------
TCP_PORTS="67:69 135:139 445 213 7001:7009"
for PORTS in $TCP_PORTS; do
iptables -A INPUT -p tcp -m tcp --dport $PORTS -j DROP
iptables -A INPUT -p udp -m udp --dport $PORTS -j DROP
iptables -A OUTPUT -p tcp -m tcp --dport $PORTS -j DROP
iptables -A OUTPUT -p udp -m udp --dport $PORTS -j DROP
done
----------------------------------------------------
klo nda salah ini untuk memblock port2 spesial windows yang sering dilewati virus2 ...
----------------------------------------------------
sementara basisi sisanya...untuk memberikan delay access yang sedang mengaksess port2 yang terisi di script tersebut
...

mohon maaf klo kurang jelas..tp sy cmn bahasakan dgn simple...
Assalamu'alaikum...

[Image: pic-squidbox.jpg]


Banyak persoalan yg sering dialami pada web proxy di mikrotik, yaitu diantaranya tidak bisa di opreknya squid di mikrotik ini.
Disini saya akan mencoba berbagi ilmu, dan mohon koreksi bila ada yang salah. Ok..

Mikrotik
Public = 202.134.1.100
LAN = 192.168.0.1

di asumsikan bahwa sebelum adanya squidbox terpisah ini, mikrotik server anda telah berjalan dengan sempurna..

dan squidbox linux sudah terinstall


tambahkan pada box mikrotik seperti berikut :
1.
Code:
/ip firewall nat chain=dstnat in-interface=LAN src-address=!192.168.0.254 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.254 to-ports=3121

dari input diatas bahwa src-address atau sumbernya dari ip address mana saja kecuali ip squuidbox itu sendiri. dengan tujuan port 80 atau browsing. akan dialihkan ke ip squidbox dengan port squidbox adalah 3121 (port di squid linux).
Tambahkan juga di mikrotik

2.
Code:
/ip firewall nat chain=dstnat in-interface=LAN src-address=!192.168.0.254 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.254 to-ports=3121

3.
Code:
/ip firewall nat chain=srcnat out-interface=LAN src-address=192.168.0.0/24 action=src-nat to-addresses=192.168.0.1 to-ports=0-65535

nb: aslinya pakai konfigurasi no 1 dan 3 aja juga bisa kok.

selamat mencoba, mudah2an berhasil...

bila ada salah mohon koreksinya.

Wassalamu'alaikum...
Contoh 2 ISP load balance
interface ethernet set ether4 name=LAN
interface ethernet set ether3 name=WAN1
interface ethernet set ether2 name=WAN2
interface ethernet set ether1 name=WAN3
/ ip address
add address=10.1.0.1/27 network=10.1.0.0 broadcast=10.1.0.31 interface=LAN comment="LAN IP" disabled=no
add address=10.111.0.4/29 network=10.111.0.0 broadcast=10.111.0.7 interface=WAN1 comment="Fastnet A1/17" disabled=no
add address=10.112.0.2/29 network=10.112.0.0 broadcast=10.112.0.7 interface=WAN2 comment="Fastnet A1/1" disabled=no
ip dns set primary-dns=202.73.99.8 allow-remote-request=no
ip dns set secondary-dns=61.247.0.8 allow-remote-request=no
/ ip firewall mangle
add chain=prerouting in-interface=LAN connection-state=new nth=2,2 action=mark-connection new-connection-mark=odd passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=odd action=mark-routing new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=2,1 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.112.0.6 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.111.0.6 to-ports=0-65535 comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 comment="" disabled=no
/ip pool add name=dhcp-pool ranges=192.168.0.31-192.168.0.100
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.2
/ip dhcp-server add interface=LAN address-pool=dhcp-pool

XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Contoh 3 koneksi load balance

/ ip address
add address=172.15.15.1/25 network=172.15.15.0 broadcast=172.15.15.127 interface=LAN comment="LAN IP" disabled=no
add address=10.111.0.2/29 network=10.111.0.0 broadcast=10.111.0.7 interface=WAN1 comment="WAN1" disabled=no
add address=172.16.1.15/24 network=172.16.1.0 broadcast=172.16.1.255 interface=WAN2 comment="Fastnet Dari PERAK" disabled=no
add address=172.15.15.2/29 network=172.15.15.0 broadcast=172.15.15.7 interface=WAN3 comment="Fastnet Dari TP" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=LAN connection-state=new nth=1,2,0 action=mark-connection new-connection-mark=odd passthrough=yes comment="” disabled=no
add chain=prerouting in-interface=LAN connection-mark=odd action=mark-routing new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=1,2,1 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=2,3,2 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=172.15.15.1 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=172.16.1.1 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.113.0.2 to-ports=0-65535 comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=172.15.15.1 scope=7 target-scope=10 routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=172.16.1.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.113.0.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
****add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" disabled=no
Mari kita ambil contoh untuk penerapan Nth untuk 4 koneksi. Maka Angka Nth untuk masing2 rule di Mikrotik adalah (counter yg dipakai adalah 4) :
Rule 1 = 3,4,0
Rule 2 = 3,4,1
Rule 3 = 3,4,2
Rule 4 = 3,4,3

XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Contoh mengabungkan 5 koneksi speedy

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-1 max-mru=1480 max-mtu=1480 mrru=disabled
name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-2 max-mru=1480 max-mtu=1480 mrru=disabled
name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-3 max-mru=1480 max-mtu=1480 mrru=disabled
name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-4 max-mru=1480 max-mtu=1480 mrru=disabled
name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-5 max-mru=1480 max-mtu=1480 mrru=disabled
name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=ADSL-1 passthrough=yes connection-state=new in-interface=HotSpot nth=5,1 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-1 passthrough=no in-interface=HotSpot connection-mark=ADSL-1 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-2 passthrough=yes connection-state=new in-interface=HotSpot nth=5,2 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-2 passthrough=no in-interface=HotSpot connection-mark=ADSL-2 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-3 passthrough=yes connection-state=new in-interface=HotSpot nth=5,3 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-3 passthrough=no in-interface=HotSpot connection-mark=ADSL-3 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-4 passthrough=yes connection-state=new in-interface=HotSpot nth=5,4 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-4 passthrough=no in-interface=HotSpot connection-mark=ADSL-4 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-5 passthrough=yes connection-state=new in-interface=HotSpot nth=5,5 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-5 passthrough=no in-interface=HotSpot connection-mark=ADSL-5 comment="" disabled=no
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-1] to-ports=0-65535 connection-mark=ADSL-1 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-2] to-ports=0-65535 connection-mark=ADSL-2 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-3] to-ports=0-65535 connection-mark=ADSL-3 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-4] to-ports=0-65535 connection-mark=ADSL-4 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-5] to-ports=0-65535 connection-mark=ADSL-5 comment="" disabled=no
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-1 routing-mark=ADSL-1
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-2 routing-mark=ADSL-2
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-3 routing-mark=ADSL-3
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-4 routing-mark=ADSL-4
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-5 routing-mark=ADSL-5
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-1

XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Setup Filtering Virus

/ip firewall filter
add chain=forward connection-state=established comment=”allow established connections”
add chain=forward connection-state=related comment=”allow related connections”
add chain=forward connection-state=invalid action=drop comment=”drop invalid connections”
/ip firewall filter
add chain=forward action=jump jump-target=virus comment=”jump to the virus chain”
add chain=virus protocol=tcp dst-port=135-139 action=drop comment=”Drop Blaster Worm”
add chain=virus protocol=udp dst-port=135-139 action=drop comment=”Drop Messenger Worm”
add chain=virus protocol=tcp dst-port=445 action=drop comment=”Drop Blaster Worm”
add chain=virus protocol=udp dst-port=445 action=drop comment=”Drop Blaster Worm”
add chain=virus protocol=tcp dst-port=593 action=drop comment=””
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=””
add chain=virus protocol=tcp dst-port=1080 action=drop comment=”Drop MyDoom”
add chain=virus protocol=tcp dst-port=1214 action=drop comment=””
add chain=virus protocol=tcp dst-port=1363 action=drop comment=”ndm requester”
add chain=virus protocol=tcp dst-port=1364 action=drop comment=”ndm server”
add chain=virus protocol=tcp dst-port=1368 action=drop comment=”screen cast”
add chain=virus protocol=tcp dst-port=1373 action=drop comment=”hromgrafx”
add chain=virus protocol=tcp dst-port=1377 action=drop comment=”cichlid”
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment=”Worm”
add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Bagle Virus”
add chain=virus protocol=tcp dst-port=2283 action=drop comment=”Drop Dumaru.Y”
add chain=virus protocol=tcp dst-port=2535 action=drop comment=”Drop Beagle”
add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Drop Beagle.C-K”
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment=”Drop MyDoom”
add chain=virus protocol=tcp dst-port=3410 action=drop comment=”Drop Backdoor OptixPro”
add chain=virus protocol=tcp dst-port=4444 action=drop comment=”Worm”
add chain=virus protocol=udp dst-port=4444 action=drop comment=”Worm”
add chain=virus protocol=tcp dst-port=5554 action=drop comment=”Drop Sasser”
add chain=virus protocol=tcp dst-port=8866 action=drop comment=”Drop Beagle.B”
add chain=virus protocol=tcp dst-port=9898 action=drop comment=”Drop Dabber.A-B”
add chain=virus protocol=tcp dst-port=10000 action=drop comment=”Drop Dumaru.Y”
add chain=virus protocol=tcp dst-port=10080 action=drop comment=”Drop MyDoom.B”
add chain=virus protocol=tcp dst-port=12345 action=drop comment=”Drop NetBus”
add chain=virus protocol=tcp dst-port=17300 action=drop comment=”Drop Kuang2”
add chain=virus protocol=tcp dst-port=27374 action=drop comment=”Drop SubSeven”
add chain=virus protocol=tcp dst-port=65506 action=drop comment=”Drop PhatBot, Agobot, Gaobot”

Another Port Filtering

/ip firewall filter add chain=forward dst-port=135-139 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=135-139 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=593 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=4444 protocol=tcp action=drop

XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan

ip firewall filter add chain=forward dst-port=5554 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=9996 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=995-999 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=53 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=55 protocol=tcp action=drop

Setup Web proxy

/ ip web-proxy
set enabled=yes
set src-address=0.0.0.0
set port=8080
set hostname=”proxy.xps”
set transparent-proxy=yes
set parent-proxy=0.0.0.0:0
set cache-administrator=”progtel2004@yahoo.com”
set max-object-size=4096KiB
set cache-drive=system
set max-cache-size=unlimited
set max-ram-cache-size=unlimited
add nat for redirect port for squid to make transparant
/ ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade comment="" disabled=no
add chain=dstnat in-interface=LAN protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=8080

XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Setup Pemisahan IIX dan IX

# Script untuk menambahkan IP Address BGP yang terdaftar di Router INDO(OIXP)
# ke RouterOS dalam ADDRESS-LIST dengan nama "indo"
/sys note set show-at-login=yes note="XP Solution Surabaya "
/ip firewall address-list
add list=indo address="1.2.3.4"
rem [find list=indo]
add list=indo address="167.205.0.0/16"
add list=indo address="222.124.0.0/16"
add list=indo address="61.94.0.0/16"
add list=indo address="125.162.0.0/16"
add list=indo address="125.163.0.0/16"
add list=indo address="125.160.0.0/16"
add list=indo address="125.161.0.0/16"
add list=indo address="125.164.0.0/16"
/ ip firewall mangle
add chain=forward src-address-list=indo action=mark-connection new-connection-mark=mark-con-indonesia passthrough=yes comment=”mark all indonesia source connection traffic” disabled=no
add chain=forward dst-address-list=indo action=mark-connection new-connection-mark=mark-con-indonesia passthrough=yes comment=”mark all indonesia destination connection traffic” disabled=no
add chain=forward src-address-list=!indo action=mark-connection new-connection-mark=mark-con-overseas passthrough=yes comment=”mark all overseas source connection traffic” disabled=no
add chain=forward dst-address-list=!indo action=mark-connection new-connection-mark=mark-con-overseas passthrough=yes comment=”mark all overseas destination connection traffic” disabled=no
add chain=prerouting connection-mark=mark-con-indonesia action=mark-packet new-packet-mark=indonesia passthrough=yes comment=”mark all Indonesia traffic” disabled=no
add chain=prerouting connection-mark=mark-con-overseas action=mark-packet new-packet-mark=overseas passthrough=yes comment=”mark all overseas traffic” disabled=no

Queing

/ queue simple
add name=”RTRW Net” target-addresses=10.111.0.2/24 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=indonesia direction=both priority=8 queue=default/default limit-at=0/0 maxlimit=
256000/256000 total-queue=default disabled=no
add name=”Laptop Acer Intl” target-addresses=192.168.2.0/24 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=overseas direction=both priority=8 queue=default/default limit-at=0/0
max-limit=128000/128000 total-queue=default disabled=no

XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Script untuk melakukan Reset Mikrotik

system script add name=destroy source={system reset}
system scheduler add name=ancur on-event=destroy start-date=masukkin_tanggalnya
start-time=masukiin_jamnya

Backup, Restore, Export dan Import Setting
Backup berlaku untuk semua setting yang ada saat itu.
>system backup save name=backup_setting
Restore berlaku untuk semua setting yang ada saat itu.
>system backup load name=backup_setting
Export berlaku untuk semua setting pada directory aktif saat itu. Contoh : bila aktif pada directory simple queue, maka hanya directory tersebut yang disimpan ke file. Sehingga, bila aktif pada directory
root “/” maka semua setting akan diexport.
>queue simple export file=simple_queue
Import hanya berjalan dari root “/” dan hanya berlaku untuk file dengan ext .rsc.
>import simple_queue.rsc
Perbedaan export dan backup terletak pada file hasil, dimana file hasil dari backup berupa file binary dan file dari proses export berupa text file, dan hal itu merupakan suatu kelebihan, misal bisa dicetak
untuk dokumentasi dsb.

Script dan Schedule
Setting schedule auto shutdown. Pertama buat script shutdown dalam contoh ini diberi nama “autodown”.
>system script add name=”autodown” source=”system shutdown”
Kemudian buat schedule untuk shutdown.
>system scheduler add name=”mikrotikdown” on-event=autodown start-date=nov/19/2007 start-time=18:10:00 interval=1d
Untuk memudahkan backup, selain disimpan pada server mikrotik sendiri, perlu juga di simpan pada komputer, lain, salah satu alternatif pengiriman file otomatis adalah menggunakan email, selain itu,
bisa juga dilakukan dengan menggunakan ftp.
>system script add name=”autobackup” source”/ export file=backup_setting\n/ tool e-mail send to=progtel2004@yahoo.co subject=”backup setting mikrotik” from=007@yahoo.com body=”file backup
setting mikrotik” server=192.168.1.103 file=”backup_setting.rsc”
Kemudian buat schedule untuk backup mingguan.
>system scheduler add name=”mikrotikbackup” on-event=autobackup start-date=dec/10/2007 start-time=08:30:00 interval=1w

XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Simple Queue VS Que Tree :

/queue simple
add name=”XPS” target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 maxlimit=
1000000/1000000 total-queue=default-small disabled=no
add name=”USER” target-addresses=192.168.0.2/32,192.168.0.3/32,192.168.0.4/32,192.168.0.5/32,192.168.0.6/32,192.168.0.7/32 192.168.0.8/32,192.168.0.9/32,192.168.0.10/32 dst-address=0.0.0.0/0
interface=all parent=XPS direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=384000/384000 total-queue=default-small disabled=no
add name=”Client-1″ target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=Lan parent=USER direction=both priority=8 queue=default-small/default-small limit-at=16000/16000 maxlimit=
32000/64000 total-queue=default-small disabled=no
Contoh configurasi Queue Tree:
Mangle
Sebelum kita Meng konfigure Queue Tree kita buat dulu Connection-mark di table mangle.
/ip firewall mangle
add chain=forward src-address=192.168.10.0/24 action=mark-connection new-connection-mark=lokal passthrough=yes comment=”" disabled=no
add chain=forward dst-address=192.168.10.0/24 action=mark-connection new-connection-mark=lokal passthrough=yes comment=”" disabled=no
add chain=forward protocol=icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-icmp passthrough=no comment=”" disabled=no
add chain=forward src-address=192.168.10.1 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-1 passthrough=no comment=”" disabled=no
add chain=forward dst-address=192.168.10.1 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-1 passthrough=no comment=”" disabled=no
add chain=forward src-address=192.168.10.2 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-2 passthrough=no comment=”" disabled=no
add chain=forward dst-address=192.168.10.2 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-2 passthrough=no comment=”" disabled=no
Queue-tree:
/queue tree
add name=”upload” parent=ether1 packet-mark=”" limit-at=0 queue=default priority=1 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=”icmd-upload” parent=upload packet-mark=lokal-icmp limit-at=0 queue=default priority=3 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=”lokal-1-upload” parent=upload packet-mark=lokal-1 limit-at=0 queue=default priority=5 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=”lokal-2-upload” parent=upload packet-mark=lokal-2 limit-at=0 queue=default priority=5 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=”download” parent=global-out packet-mark=”" limit-at=0 queue=default priority=1 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=”icmp-download” parent=download packet-mark=lokal-icmp limit-at=0 queue=default priority=3 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=”lokal-1-download” parent=download packet-mark=lokal-1 limit-at=0 queue=default priority=5 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=”lokal-2-download” parent=download packet-mark=lokal-2 limit-at=0 queue=default priority=5 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

Another simple queue

Konfigurasi Simple queues dan Que tree mudah mudahan bisa menjadi referensi untuk anda yang akan menggunakan limiter bandwith with mikrotik.
Configurasi Simple Queue:
Anda bisa membuat kelompok (parent) untuk client-kusus dengan bandwith 256kbps yang didalamnya terdiri dari 3 user sehingga bandwith 256 tadi akan di share untuk 3 user tesebut, dan parent2 yang
lainpun bisa anda buat sesuai keinginan anda.

XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan

/queue simple
add name=”CLIENT” target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 maxlimit=
1000000/1000000 total-queue=default-small
add name=”Client-kusus” target-addresses=192.168.0.1/32,192.168.0.2/32,192.168.0.3/32,dst-address=0.0.0.0/0 interface=all parent=CUSTOMER direction=both priority=8 queue=defaultsmall/
default-small limit-at=0/0 max-limit=256000/256000 total-queue=default-small
add name=”mylove” target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/8000 maxlimit=
32000/56000 total-queue=default-small
add name=”myfriend” target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/8000
max-limit=32000/56000 total-queue=default-small
add name=”maymay” target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/0 maxlimit=
32000/56000 total-queue=default-small
Contoh configurasi Queue Tree:
Mangle :
Sebelum kita Meng konfigure Queue Tree kita buat dulu Connection-mark di table mangle.
/ip firewall mangle
add chain=forward src-address=192.168.0.0/24 action=mark-connection new-connectioan-mark=local passthrough=yes
add chain=forward dst-address=192.168.0.0/24 action=mark-connection new-connectioan-mark=local passthrough=yes
add chain=forward protocol=icmp connection-mark=local action=mark-packet new-packet-mark=local-icmp passthrough=no
add chain=forward src-address=192.168.0.1 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-1 passthrough=no
add chain=forward dst-address=192.168.0.1 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-1 passthrough=no
add chain=forward src-address=192.168.0.2 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-2 passthrough=no
add chain=forward dst-address=192.168.0.2 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-2 passthrough=no
Queue-Tree :
/queue tree
add name=”upload” parent=[int-ke-internet] packet-mark=”” priority=1 max-limit=256K
add name=”icmp-upload” parent=upload packet-mark=”local-icmp” priority=3 max-limit=32K
add name=”local-1-upload” parent=upload packet-mark=”local-1″ priority=5 max-limit=64K
add name=”local-2-upload” parent=upload packet-mark=”local-2″ priority=5 max-limit=64K
add name=”download” parent=[int-ke-local] packet-mark=”” priority=1 max-limit=512K
add name=”icmp-download” parent=download packet-mark=”local-icmp” priority=3 max-limit=64K
add name=”local-1-download” parent=download packet-mark=”local-1″ priority=5 max-limit=128K
add name=”local-2-download” parent=download packet-mark=”local-2″ priority=5 max-limit=128

XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Memanipulasi ToS ICMP & DNS di MikroTik

Tujuan :
* Memperkecil delay ping dari sisi klien ke arah Internet.
* Mempercepat resolving hostname ke ip address.
Asumsi : Klien-klien berada pada subnet 10.10.10.0/28
1. Memanipulasi Type of Service untuk ICMP Packet :
/ ip firewall mangle
add chain=prerouting src-address=0.0.0.0 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes
add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes
add chain=prerouting packet-mark=ICMP-PM action=change-dscp new-dscp=0
2. Memanipulasi Type of Service untuk DNS Resolving :
/ ip firewall mangle
add chain=prerouting src-address=0.0.0.0 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
add chain=prerouting src-address=0.0.0.0 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes
add chain=prerouting packet-mark=DNS-PM action=change-dscp new-dscp=0
3. Menambahkan Queue Type :
/queue type add name="PFIFO-64” kind=pfifo pfifo-limit=64
4. Mengalokasikan Bandwidth untuk ICMP Packet :
/queue tree add name=ICMP parent=WAN packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
5. Mengalokasikan Bandwidth untuk DNS Resolving :
/queue tree add name=DNS parent=WAN packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
New Load Balance
/ip firewall mangle
add chain=prerouting src-address=10.1.0.1-10.1.0.6 action=mark-routing new-routing-mark=GroupA comment="IP 10.1.0.2-10.1.0.6"
add chain=prerouting src-address=10.1.0.9-10.1.0.14 action=mark-routing new-routing-mark=GroupB comment="IP 10.1.0.9-10.1.0.14"
add chain=prerouting src-address=10.1.0.17-10.1.0.22 action=mark-routing new-routing-mark=GroupC comment="IP 10.1.0.17-10.1.0.22"
add chain=prerouting src-address=10.1.0.25-10.1.0.30 action=mark-routing new-routing-mark=GroupD comment="IP 10.1.0.25-10.1.0.30"

Layer 7 Protocol Site
http://www.mikrotik.com/download/l7-protos.rsc
Marking Packet IIX & International
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=”IIX” passthrough=yes dst-address-list=indo in-interface=LAN
add chain=prerouting action=mark-packet new-packet-mark=”Packet IIX” passthrough=no connection-mark=IIX
add chain=prerouting action=mark-connection new-connection-mark=”INTL” passthrough=yes dst-address-list=!indo in-interface=LAN
add chain=prerouting action=mark-packet new-packet-mark=”Packet INTL” passthrough=no connection-mark=INTL
Assalamu'alaikum..

Dan sudah ada yang pernah di bahas di http://www.forummikrotik.com/
nah langsung saja, kita simak dengan seksama setting optimalisasi pada firewall di mikrotik.

Drop port scanners


Code:
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Redirect mail traffic to a specified server

Code:
ip firewall nat add chain=dstnat protocol=tcp dst-port=25 action=dst-nat to-addresses=10.0.0.1( ip server email ) to-ports=25

Block Websites & Stop Downloading Using Proxy

Code:
/ip proxy
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0:0
cache-drive: system
cache-administrator: "webmaster"
max-disk-cache-size: none
max-ram-cache-size: none
cache-only-on-disk: no
maximal-client-connections: 1000
maximal-server-connections: 1000
max-object-size: 512KiB
max-fresh-time: 3d
Now, Make it Transparent
/ip firewall nat
chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
Make sure that your proxy is NOT a Open Proxy
/ip firewall filter
chain=input in-interface= src-address=0.0.0.0/0 protocol=tcp dst-port=8080 action=drop
Now for Blocking Websites
/ip proxy access
dst-host=www.vansol27.com action=deny
We can also stop downloading files like.mp3, .exe, .dat, .avi,…etc.
/ip proxy access
path=*.exe action=deny
path=*.mp3 action=deny
path=*.zip action=deny
path=*.rar action=deny.
/ip proxy access
dst-host=:mail action=deny

How to autodetect infected or spammer users and temporary block the SMTP output

Code:
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer
action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list
address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"
/system script
add name="spammers" source=":log error \"----------Users detected like \
SPAMMERS -------------\";
\n:foreach i in \[/ip firewall address-list find \
list=spammer\] do={:set usser \[/ip firewall address-list get \$i \
address\];
\n:foreach j in=\[/ip hotspot active find address=\$usser\] \
do={:set ip \[/ip hotspot active get \$j user\];
\n:log error \$ip;
\n:log \
error \$usser} };" policy=ftp,read,write,policy,test,winbox

Protect customer

Code:
/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward protocol=tcp comment="allow TCP"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

Firewall Komplit

Components of the filter
• protocol classifier
• invalid packet filter
• port-scan detector
• policy classifier
• application protocol filter
• TCP-specific filters
• application protocol specific filters

Code:
/ ip firewall mangle
add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services
add chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-services
add chain=prerouting connection-state=new action=jump jump-target=other-services
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-connection new-connection-mark=ftp passthrough=no
add chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-connection new-connection-mark=ssh passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-connection new-connection-mark=telnet passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp passthrough=no
add chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop3 passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-connection new-connection-mark=auth passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-connection new-connection-mark=nntp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-connection new-connection-mark=imap passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=https passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465 action=mark-connection new-connection-mark=smtps passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993 action=mark-connection new-connection-mark=imaps passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995 action=mark-connection new-connection-mark=pop3s passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723 action=mark-connection new-connection-mark=pptp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=2379 action=mark-connection new-connection-mark=kgs passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3128 action=mark-connection new-connection-mark=proxy passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3389 action=mark-connection new-connection-mark=win-ts passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243 action=mark-connection new-connection-mark=emule passthrough=no
add chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901 action=mark-connection new-connection-mark=vnc passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669 action=mark-connection new-connection-mark=irc passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889 action=mark-connection new-connection-mark=bittorrent passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080 action=mark-connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291 action=mark-connection new-connection-mark=winbox passthrough=no
add chain=tcp-services protocol=tcp action=mark-connection new-connection-mark=other-tcp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=123 action=mark-connection new-connection-mark=ntp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701 action=mark-connection new-connection-mark=l2tp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535 action=mark-connection new-connection-mark=skype passthrough=no
add chain=udp-services protocol=udp connection-state=new action=mark-connection new-connection-mark=other-udp passthrough=no
add chain=other-services protocol=icmp icmp-options=8:0-255 action=mark-connection new-connection-mark=ping passthrough=no
add chain=other-services protocol=gre action=mark-connection new-connection-mark=gre passthrough=no
add chain=other-services action=mark-connection new-connection-mark=other passthrough=no
Most generic invalid packet and port-scan detection techniques
/ip firewall mangle
add chain=prerouting in-interface=Public dst-address-list=nat-addr action=mark-packet new-packet-mark=nat-traversal passthrough=no
/ ip firewall address-list
add list=illegal-addr address=0.0.0.0/8 comment="illegal addresses"
add list=illegal-addr address=127.0.0.0/8
add list=illegal-addr address=224.0.0.0/3
add list=illegal-addr address=10.0.0.0/8
add list=illegal-addr address=172.16.0.0/12
add list=illegal-addr address=192.168.0.0/16
add list=local-addr address=172.31.255.0/29 comment="my local network"
add list=nat-addr address=172.31.255.0/29 comment="my local network"
/ ip firewall filter
add chain=forward in-interface=Local out-interface=Local action=accept comment="Allow traffic between wired and wireless networks"
/ ip firewall filter
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check"
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal"
add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block port scans"
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan"
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan"
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"
add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"
add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"
add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"
add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes to multicast or broadcast addresses"
add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!local action=jump jump-target=drop comment="Drop illegal destination addresses"
add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"
add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal source addresses"
add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from public interface but not to local address"
add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes from multicast or broadcast addresses"
/ ip firewall filter
add chain=forward protocol=tcp action=jump jump-target=restrict-tcp
add chain=forward protocol=udp action=jump jump-target=restrict-udp
add chain=forward action=jump jump-target=restrict-ip
add chain=restrict-tcp connection-mark=auth action=reject
add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy"
add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp
add chain=smtp-first-drop src-address-list=approved-smtp action=return
add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp
add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable
/ ip firewall filter
add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop
add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop
add chain=restrict-ip connection-mark=other action=jump jump-target=drop
/ ip firewall filter
add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic \(between router applications\)"
add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks"
add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router itself, including all broadcast traffic"
add chain=input connection-mark=ping limit=5,5 action=accept comment="Allow pings, but at a very limited rate \(5 per sec\)"
add chain=input in-interface=Local action=jump jump-target=local-services comment="Allowing some services to be accessible from the local network"
add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet"
add chain=input action=jump jump-target=drop
add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
add chain=dhcp src-address-list=local-addr dst-address-type=local action=accept
add chain=local-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
add chain=local-services connection-mark=dns action=accept comment="DNS"
add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy \(3128/TCP\)"
add chain=local-services connection-mark=winbox comment="Winbox \(8291/TCP\)" disabled=no
add chain=local-services action=drop comment="Drop Other Local Services"
add chain=public-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
add chain=public-services connection-mark=pptp action=accept comment="PPTP \(1723/TCP\)"
add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP"
add chain=public-services action=drop comment="Drop Other Public Services"

Proxying everything

Code:
/ ip firewall nat
add chain=dstnat in-interface=Local connection-mark=dns action=redirect comment="proxy for DNS requests"
add chain=dstnat in-interface=Local connection-mark=http protocol=tcp action=redirect to-ports=3128 comment="proxy for HTTP requests"
add chain=dstnat in-interface=Local connection-mark=ntp action=redirect comment="proxy for NTP requests"

Enable Proxy servers

Code:
/ system ntp server
set enabled=yes broadcast=no multicast=no manycast=no
/ system ntp client
set enabled=yes mode=unicast primary-ntp=xxx.xxx.xxx.xxx secondary-ntp=0.0.0.0
/ ip proxy
set enabled=yes port=3128 parent-proxy=0.0.0.0:1 maximal-client-connections=1000 maximal-server-connections=1000
/ ip dns
set primary-dns=yyy.yyy.yyy.yyy secondary-dns=0.0.0.0 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

Bruteforce login prevention (FTP & SSH)

Code:
/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

Wassalamu'alaikum...
Assalamu'alaikum...
di bagian filter:

Code:
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
Chain ini dipakai untuk mendaftar ip ke black-list address list
Chain selanjutnya untuk mendeteksi apakah ada indikasi aktifitas port scanner:

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP FIN Stealth scan"

add chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="SYN/FIN scan"

add chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="SYN/RST scan"

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="FIN/PSH/URG scan"

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="ALL/ALL scan"

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP NULL scan"

jika ada tanda tanda dari kejadian di atas, maka harus didrop scanning IPnya pakai perintah ini:

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

sumber:
HTML Code:
http://wiki.mikrotik.com/wiki/Drop_port_scanners
Trik dari saya untuk memblokir access ISP anda

Assalamualaikum



maaf om-master semua, apabila penjelasan saya nanti kurang berkenan di hati...

begini ceritanya...



terlebih dahulu kita masukkan kabel ISP melalui Router Mikrotik, ini berguna untuk membuat semua access ISP dapat dikendalikan oleh kita sebagai client.


maka configurasi yang akan kita pakai sebagai berikut



ISP == Router (Mikrotik) == Firewall == Switch == Client





Nah dengan metode seperti inilah kita dapat membendung akses ISP ke jaringan private kita.



akan saya jelaskan 1 persatu rule nya :



Code:


0 ;;; default configuration
      chain=input action=accept protocol=icmp


rule pertama akan kita gunakan untuk menerima paket icmp dari isp ini berguna agar kita dapat mengakses layanan internet sebagaimana biasanya.



Code:

1 ;;; default configuration
      chain=input action=accept connection-state=established


rule kedua seluruh input menuju router kita terima selama koneksi menuju router lancar atau established




Code:

2 ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway


Nah ini inti dari semua ini disini, seluruh akses isp yang menggunakan LAN Card 1 (ether1-gateway) akan di drop (ditolak), maka ISP tidak serta merta akan keluar masuk ke jaringan private kita sesuka hatinya, meski kita sebagai client internetnya.



Code:

3 ;;; default configuration
      chain=input action=accept connection-state=related in-interface=ether1-gateway

untuk rule yang ketiga kita tetap akan menerima semua input dengan action=accept dengan catatan tetap terkoneksi di LAN router kita.



maaf apabila penjelasannya kurang berkenan.

sekian dari saya.