Langsung ke konten utama

Basic Firewall Mikrotik

Firewall filter drop virus dan anti netcut, diwinbox pilih “New Terminal”. Copy scripts di bawah dan pastekan di “New Terminal” winbox.


/ip firewall filter
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=drop chain=forward connection-state=invalid disabled=no
add action=drop chain=virus disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus disabled=no dst-port=445 protocol=udp
add action=drop chain=virus disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus disabled=no dst-port=3127 protocol=tcp
add action=drop chain=virus disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus disabled=no dst-port=65506 protocol=tcp
add action=jump chain=forward disabled=no jump-target=virus
add action=drop chain=input connection-state=invalid disabled=no
add action=accept chain=input disabled=no protocol=udp
add action=accept chain=input disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input disabled=no protocol=icmp
add action=accept chain=input disabled=no dst-port=21 protocol=tcp
add action=accept chain=input disabled=no dst-port=22 protocol=tcp
add action=accept chain=input disabled=no dst-port=23 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no dst-port=23 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15s
\
chain=input disabled=no dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15m
\
chain=input disabled=no dst-port=7331 protocol=tcp
src-address-list=knock
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners
to list " \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan"
disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan"
disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG
scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan"
disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL
scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=\
0-65535 protocol=tcp
src-address=61.213.183.1-61.213.183.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=\
0-65535 protocol=tcp
src-address=67.195.134.1-67.195.134.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=\
0-65535 protocol=tcp
src-address=68.142.233.1-68.142.233.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=\
0-65535 protocol=tcp
src-address=68.180.217.1-68.180.217.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=\
0-65535 protocol=tcp
src-address=203.84.204.1-203.84.204.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=\
0-65535 protocol=tcp src-address=69.63.176.1-69.63.176.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=\
0-65535 protocol=tcp src-address=69.63.181.1-69.63.181.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=\
0-65535 protocol=tcp
src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=\
0-65535 protocol=tcp
src-address=63.245.213.1-63.245.213.254

Komentar

Posting Komentar

Postingan populer dari blog ini

Whitelist URL di Mikrotik dengan layer 7 protocol

Whitelist URL Mikrotik dengan layer 7 protocol Pada kasus kali ini user hanya boleh akses website kompas.com dan detik.com saja, selain itu di blok (drop). Hanya dua step yang perlu dilakukan: Step1. Create regexp at ip firewall, layer 7 protocol. /ip firewall layer7-protocol add name=whitelist regexp=^.+kompas|detik.* /ip firewall layer7-protocol add name=blacklist regexp=^.*.*$ Step2. Create filter rules /ip firewall filter add chain=forward layer7-protocol=whitelist action=accept /ip firewall filter add chain=forward layer7-protocol=blacklist action=drop Pastikan posisi filter rules dengan action accept diatas drop, jika posisi ini terbalik dipastikan semua website tidak bisa diakses. Jika dua step diatas dilakukan dengan benar, dipastikan hanya dua website di whitelist yang bisa diakses oleh user. Selesai. Mei, 2014 – Riri Rizal
Posting Komentar
Baca selengkapnya

Setup Bridge on Mikrotik

Pada kasus ini, router yang digunakan adalah RB450. Reset semua konfigurasi pada router, kemudian lakukan konfigurasi seperti ini: via terminal: > interface bridge add name=bridge1 > interface bridge port add interface=ether1 bridge=bridge1 > interface bridge port add interface=ether2 bridge=bridge1 > interface bridge port add interface=ether3 bridge=bridge1 > interface bridge port add interface=ether4 bridge=bridge1 > interface bridge port add interface=ether5 bridge=bridge1 Konfigurasi diatas akan memfungsikan semua port pada RB450 menjadi switch. Untuk memproses traffic yang lewat melalui firewall, tinggal ditambahkan konfigurasi seperti dibawah ini. > interface bridge settings set use-ip-firewall=yes Tap jangan lupa untuk menambah konfigurasi firewall pada ip firewall filter (sesuai kebutuhan)
Posting Komentar
Baca selengkapnya

SSTP Configuration Mikrotik

Make certificate templates /certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign add name=server-template common-name=server add name=client1-template common-name=client1 add name=client2-template common-name=client2 Sign certificates and add CRL url.  We will use IP address of the server as CRL URL. /certificate sign ca-template ca-crl-host=10.5.101.16 name=myCa sign server-template ca=myCa name=server sign client1-template ca=myCa name=client1 sign client2-template ca=myCa name=client2 Note:  If signing certificates on mipbe cpu based devices(RB7xx,RB2011,RB9xx) then this process might take a while depending on key-size of specific certificate. With values 4k and higher it might take a substantial time to sign this specific certificate. If certificate does not have   T  flag then you need to set it as trusted before using it: /certificate set myCa trusted=yes set server trusted=yes Exp...
Posting Komentar
Baca selengkapnya