
Basic Firewall Mikrotik

Firewall filter untuk drop virus dan anti netcut. Di Winbox pilih “New Terminal”, lalu copy script di bawah dan paste-kan ke “New Terminal” Winbox.


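/ip firewall filter
# Basic filter set: worm/backdoor port drops on forwarded traffic, scanner
# detection and basic hardening of the router's own input chain.
# Rules are evaluated top-down within each chain, so order matters.
# Line continuations in the original paste were broken (missing "\" and
# comments split across lines); every rule below is a single statement.
# "disabled=no" is the default and has been omitted.

# ---- forward chain ----
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# Let reply traffic through before the port checks: without this, replies to
# a client whose source port falls in 1024-1030 would be dropped by the
# virus chain below.
add action=accept chain=forward comment="allow established/related" \
    connection-state=established,related
add action=jump chain=forward comment="check worm/backdoor ports" jump-target=virus

# ---- virus chain: destination ports historically abused by worms/backdoors ----
# Only new connections reach this chain (see the accept above).
# Exact duplicate (2745 tcp was listed twice) removed.
add action=drop chain=virus dst-port=135-139 protocol=tcp
add action=drop chain=virus dst-port=1433-1434 protocol=tcp
add action=drop chain=virus dst-port=445 protocol=tcp
add action=drop chain=virus dst-port=445 protocol=udp
add action=drop chain=virus dst-port=593 protocol=tcp
add action=drop chain=virus dst-port=1024-1030 protocol=tcp
add action=drop chain=virus dst-port=1080 protocol=tcp
add action=drop chain=virus dst-port=1214 protocol=tcp
add action=drop chain=virus dst-port=1363 protocol=tcp
add action=drop chain=virus dst-port=1364 protocol=tcp
add action=drop chain=virus dst-port=1368 protocol=tcp
add action=drop chain=virus dst-port=1373 protocol=tcp
add action=drop chain=virus dst-port=1377 protocol=tcp
add action=drop chain=virus dst-port=2283 protocol=tcp
add action=drop chain=virus dst-port=2535 protocol=tcp
add action=drop chain=virus dst-port=2745 protocol=tcp
add action=drop chain=virus dst-port=3127 protocol=tcp
add action=drop chain=virus dst-port=3410 protocol=tcp
add action=drop chain=virus dst-port=4444 protocol=tcp
add action=drop chain=virus dst-port=4444 protocol=udp
add action=drop chain=virus dst-port=5554 protocol=tcp
add action=drop chain=virus dst-port=8866 protocol=tcp
add action=drop chain=virus dst-port=9898 protocol=tcp
add action=drop chain=virus dst-port=10080 protocol=tcp
add action=drop chain=virus dst-port=12345 protocol=tcp
add action=drop chain=virus dst-port=17300 protocol=tcp
add action=drop chain=virus dst-port=27374 protocol=tcp
add action=drop chain=virus dst-port=65506 protocol=tcp

# ---- input chain: traffic addressed to the router itself ----
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow established/related" \
    connection-state=established,related

# Scanner detection is placed BEFORE the service accepts so that probes of
# open ports are counted as well (in the original order an accept on 22/80/
# 8291 matched first and the psd rule never saw those packets).
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="port scanners to list" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# The original populated the "port scanners" list but never consulted it, so
# detection had no effect. Listed sources are now dropped for the list
# timeout (2w) - a false positive locks that source out for that long.
add action=drop chain=input comment="drop listed port scanners" \
    src-address-list="port scanners"

add action=accept chain=input comment="ICMP, rate limited" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="ICMP over limit" protocol=icmp

# Management / service ports, each listed once (the original repeated 23, 80,
# 1723 and 8291). 21 (FTP) and 23 (Telnet) carry credentials in cleartext;
# prefer 22/8291 and restrict these accepts with src-address= where possible.
add action=accept chain=input comment="ftp" dst-port=21 protocol=tcp
add action=accept chain=input comment="ssh" dst-port=22 protocol=tcp
add action=accept chain=input comment="telnet" dst-port=23 protocol=tcp
add action=accept chain=input comment="www" dst-port=80 protocol=tcp
add action=accept chain=input comment="pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="winbox" dst-port=8291 protocol=tcp
# NOTE(review): accepts ALL UDP to the router. Kept as in the original so
# behaviour does not change, but narrow it with dst-port= to the UDP
# services this router actually provides.
add action=accept chain=input comment="udp (all ports)" protocol=udp

# Knock-style list rules, kept as in the original.
# NOTE(review): nothing in this script populates the "knock" list, so the
# 7331 rule can never match, and nothing consults the "DDOS" list - confirm
# the intended design before relying on these two rules.
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15s \
    chain=input dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15m \
    chain=input dst-port=7331 protocol=tcp src-address-list=knock

# "ANTI NETCUT" accepts, kept as in the original. They only accept TCP from
# these source ranges to the router itself and only matter once a terminating
# drop follows them; they do nothing against the LAN-side ARP spoofing NetCut
# relies on. "dst-port=0-65535" equals no port match and has been dropped.
add action=accept chain=input comment="ANTI NETCUT" protocol=tcp \
    src-address=61.213.183.1-61.213.183.254
add action=accept chain=input comment="ANTI NETCUT" protocol=tcp \
    src-address=67.195.134.1-67.195.134.254
add action=accept chain=input comment="ANTI NETCUT" protocol=tcp \
    src-address=68.142.233.1-68.142.233.254
add action=accept chain=input comment="ANTI NETCUT" protocol=tcp \
    src-address=68.180.217.1-68.180.217.254
add action=accept chain=input comment="ANTI NETCUT" protocol=tcp \
    src-address=203.84.204.1-203.84.204.254
add action=accept chain=input comment="ANTI NETCUT" protocol=tcp \
    src-address=69.63.176.1-69.63.176.254
add action=accept chain=input comment="ANTI NETCUT" protocol=tcp \
    src-address=69.63.181.1-69.63.181.254
add action=accept chain=input comment="ANTI NETCUT" protocol=tcp \
    src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment="ANTI NETCUT" protocol=tcp \
    src-address=63.245.213.1-63.245.213.254

# Default deny for everything not accepted above. The original had no
# terminating rule, so the input chain fell through to the default accept.
# Shipped disabled so pasting this script cannot lock you out; enable it
# after confirming the accept list covers every service this router exposes.
add action=drop chain=input comment="default deny (enable after review)" disabled=yes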
