Saturday, June 23, 2012

MENANDAI ROUTE SEBELUM DILEWATI KONEKSI

# jun/23/2012 16:28:35 by RouterOS 5.6

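/ip firewall mangle
# Policy routing: turn the connection-mark set by the mark-connection rules
# into a routing-mark, so each traffic class leaves through its own WAN.
# These rules only match packets whose connection already carries a mark,
# so inside prerouting they must sit BELOW the mark-connection rules. If
# they are placed above them (the order of the sections on this page
# suggests that), the first packet of every new connection has no mark yet
# and is routed via the main table — i.e. a different WAN than the rest of
# the connection. Confirm the live order with /ip firewall mangle print.
# passthrough=no: once a routing-mark is assigned, stop evaluating the chain.
# No rule on this page sets connection-mark=Speedy1, so Route-1 never
# matches; harmless, because the main-table default route is Speedy1 anyway.
add action=mark-routing chain=prerouting comment=Route-1-Speedy1 \
    connection-mark=Speedy1 disabled=no in-interface=ether5-LOCAL \
    new-routing-mark=ROUTE-1 passthrough=no
add action=mark-routing chain=prerouting comment=Route-2-Speedy2 \
    connection-mark=Speedy2 disabled=no in-interface=ether5-LOCAL \
    new-routing-mark=ROUTE-2 passthrough=no
add action=mark-routing chain=prerouting comment=Route-3-Speedy3 \
    connection-mark=Speedy3 disabled=no in-interface=ether5-LOCAL \
    new-routing-mark=ROUTE-3 passthrough=no
# new-routing-mark must be the name used by /ip route. The route table on
# this page defines ROUTE-4, while the original export wrote ROUTE-4-VPN
# here — a mark that no route matched, so VPN-marked traffic silently fell
# back to the main table. Aligned to ROUTE-4.
add action=mark-routing chain=prerouting comment=Route-4-VPN connection-mark=\
    VPN disabled=no in-interface=ether5-LOCAL new-routing-mark=ROUTE-4 \
    passthrough=no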

MENERUSKAN KONEKSI MELALUI ROUTE TERTENTU

# jun/23/2012 16:28:35 by RouterOS 5.6

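/ip firewall mangle
# Classify traffic coming from the LAN (ether5-LOCAL) by giving the
# connection a mark; the mark-routing rules then map Speedy2 / Speedy3 / VPN
# to a WAN. passthrough=yes keeps evaluating, so a connection that matches
# several rules ends up with the mark of the LAST matching rule.
# Marks set here: VPN, Speedy3, Speedy2. Nothing sets Speedy1 — unmarked
# traffic simply follows the main routing table.
# The layer7 rules cannot be limited to connection-state=new: the regexp
# needs the first data packets of a connection before it can match.
# ICMP (ping) is sent through the VPN.
add action=mark-connection chain=prerouting comment="Port ICMP ( PING )" \
    disabled=no in-interface=ether5-LOCAL new-connection-mark=VPN \
    passthrough=yes protocol=icmp
# Streaming -> Speedy3: HTTP responses with a video content-type, YouTube
# CDN hostnames, and TCP 1935 (Mivo.TV). The "--." in the original comments
# was a typo for "-->".
add action=mark-connection chain=prerouting comment="Speedy3 --> Video" \
    disabled=no in-interface=ether5-LOCAL layer7-protocol=Video \
    new-connection-mark=Speedy3 passthrough=yes
add action=mark-connection chain=prerouting comment="Speedy3 --> Youtube" \
    disabled=no in-interface=ether5-LOCAL layer7-protocol=Youtube \
    new-connection-mark=Speedy3 passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Speedy3 --> Mivo.TV Port" disabled=no dst-port=1935 in-interface=\
    ether5-LOCAL new-connection-mark=Speedy3 passthrough=yes protocol=tcp
# Bulk downloads -> VPN: file extensions seen in the stream, and FTP.
add action=mark-connection chain=prerouting comment=\
    "VPN --> Download Ekstensi" disabled=no in-interface=ether5-LOCAL \
    layer7-protocol=Ekstensi new-connection-mark=VPN passthrough=yes
add action=mark-connection chain=prerouting comment="VPN --> Download FTP" \
    disabled=no in-interface=ether5-LOCAL layer7-protocol=FTP \
    new-connection-mark=VPN passthrough=yes
# Game ports -> Speedy2. The original had one rule per TCP port; dst-port
# accepts a list of ports and ranges, so they are merged into a single TCP
# rule. Every port of the original is still matched; only the per-rule
# packet counters are combined.
add action=mark-connection chain=prerouting comment="Speedy2 --> Port Game" \
    disabled=no dst-port=843,2900,8890,9339,39190,40000-40010 \
    in-interface=ether5-LOCAL new-connection-mark=Speedy2 passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting comment="Speedy2 --> Port Game" \
    disabled=no dst-port=40000-40010 in-interface=ether5-LOCAL \
    new-connection-mark=Speedy2 passthrough=yes protocol=udp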

MENANDAI PAKET YANG TELAH DICAPTURE DI LAYER 7

# jun/23/2012 16:28:35 by RouterOS 5.6

/ip firewall mangle
# Packet marks named after the layer7 class of each forwarded packet.
# passthrough=no: the first rule that matches decides the mark.
# Nothing on this page consumes these packet marks (presumably a queue
# tree configured elsewhere — confirm).
# Only the Ekstensi rule excludes source 203.89.146.0/23 and only the FTP
# rule has no protocol=tcp restriction; the reason is not documented here.
add chain=forward action=mark-packet layer7-protocol=Ekstensi new-packet-mark=Ekstensi protocol=tcp src-address=!203.89.146.0/23 passthrough=no disabled=no comment=Ekstensi
add chain=forward action=mark-packet layer7-protocol=FTP new-packet-mark=FTP passthrough=no disabled=no comment=FTP
add chain=forward action=mark-packet layer7-protocol=Youtube new-packet-mark=Youtube protocol=tcp passthrough=no disabled=no comment=Youtube
add chain=forward action=mark-packet layer7-protocol=Video new-packet-mark=Video protocol=tcp passthrough=no disabled=no comment=Video

MEMBUAT ROUTE

# jun/23/2012 16:30:26 by RouterOS 5.6

# One default route per routing-mark (the per-WAN tables used by the
# mark-routing rules) plus the main-table default for unmarked traffic.
# All routes have distance=1 and no check-gateway: a route only becomes
# inactive when its gateway interface goes down (PPPoE), and the route via
# 192.168.4.1 would stay active even if that next hop stopped answering.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Speedy1-pppoe \
    routing-mark=ROUTE-1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Speedy2-pppoe \
    routing-mark=ROUTE-2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Speedy3-pppoe \
    routing-mark=ROUTE-3 scope=30 target-scope=10
# routing-mark must be identical to the new-routing-mark of the VPN
# mark-routing rule in /ip firewall mangle; the mangle export on this page
# writes ROUTE-4-VPN, so one of the two sides has to be aligned or VPN
# traffic falls back to the main table.
# gateway 192.168.4.1 — presumably the VPN peer address; confirm.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.1 \
    routing-mark=ROUTE-4 scope=30 target-scope=10
# Main-table default (no routing-mark): everything without a routing-mark
# leaves via Speedy1.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Speedy1-pppoe scope=\
    30 target-scope=10

FIREWALL FILTER

# jun/23/2012 16:26:56 by RouterOS 5.6

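/ip firewall filter
# Drop UDP 40016 for all forwarded traffic ("forbidden port").
add action=drop chain=forward comment="Drop Port Terlarang" disabled=no \
    dst-port=40016 protocol=udp
# Custom chain "virus": well-known worm / backdoor / RPC ports.
# NOTE: a custom chain is only evaluated when a jump rule in forward or
# input references it; no such jump is visible in this export — confirm
# one exists, otherwise these rules never see a packet.
# The original export had one rule per port (and listed 2745/tcp twice);
# dst-port accepts a list of ports and ranges, so the rules are merged into
# one per protocol. The same packets are dropped and the chain is shorter;
# only the per-port hit counters are lost.
add action=drop chain=virus comment="Worm/backdoor ports (tcp)" disabled=no \
    dst-port=135-139,445,593,1024-1030,1080,1214,1363,1364,1368,1373,1377,1433-1434,2283,2535,2745,3127,3410,4444,5554,8866,9898,10080,12345,17300,27374,65506 \
    protocol=tcp
add action=drop chain=virus comment="Worm/backdoor ports (udp)" disabled=no \
    dst-port=135-139,445,4444 protocol=udp
# Port-scan detection on the router itself (chain=input). Each rule only
# records the source in address list PortScanner for two weeks; despite
# the "Drop" in the comment nothing on this page drops traffic from that
# list — confirm a rule with src-address-list=PortScanner exists, or treat
# the list as informational.
# psd=21,3s,3,1: weight threshold 21 within 3s, low ports weigh 3,
# high ports weigh 1.
add action=add-src-to-address-list address-list=PortScanner \
    address-list-timeout=2w chain=input comment="Drop Port Scanner" disabled=\
    no protocol=tcp psd=21,3s,3,1
# TCP segments with only FIN set (no SYN/RST/PSH/ACK/URG).
add action=add-src-to-address-list address-list=PortScanner \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
# TCP segments with FIN and SYN set together (never valid).
add action=add-src-to-address-list address-list=PortScanner \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    fin,syn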

LAYER 7 PROTOCOL

Layer 7 protocol untuk mengcapture Audio, Video, Youtube, Download Ekstensi, dan Download FTP

# jun/23/2012 16:29:17 by RouterOS 5.6

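/ip firewall layer7-protocol
# Layer7 patterns referenced by the mangle rules. Inside the quotes a
# literal backslash is written as \\ (export convention), so \\. is an
# escaped dot in the regexp.
# Audio is defined but no mangle rule on this page references it.
# HTTP response (status 1xx-5xx) whose headers carry "content-type: video".
add name=Video regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"
# A dot followed by a download-style file extension, anywhere in the
# stream. Unanchored, so short entries also match inside longer words
# (e.g. ".dat" in ".data", ".rm" in ".rmvb") and in hostnames or query
# strings; "bzip", "gzip", "gzip2" are not usual extensions (bz2 / gz /
# tgz are) — confirm what was intended.
add name=Ekstensi regexp="\\.(exe|rar|zip|7z|cab|asf|mov|wmv|mpg|mpeg|mkv|avi|flv|pdf|wav|rm|mp3|mp4|ram|rmvb|dat|daa|iso|nrg|bin|vcd|mp2|3gp|mpe|qt|raw|wma|ogg|doc|deb|tar|bzip|gzip|gzip2)"
# YouTube CDN hostnames a.youtube.com .. j.youtube.com and l.youtube.com
# (k was not in the original list) plus the Telkom cache prefix.
# The original wrote "j.youtube.kom" (never matched) and left the dots
# unescaped, so "." matched any character; both fixed and the hosts
# collapsed into one character class.
add name=Youtube regexp="o-o\\.preferred\\.pttelkom-|[a-jl]\\.youtube\\.com"
# HTTP response whose headers carry "content-type: audio".
add name=Audio regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: audio)"
# FTP server banner: "220 ... ftp" at the start of the connection.
add name=FTP regexp="^220[\\x09-\\x0d -~]*ftp"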