1. BASIC CONFIGURATION To view interfaces #interface print

Academic year: 2021


www.itmediacenter.web.id | E-mail:hasugianmail@gmail.com

Welcome to the Mikrotik Tutorial :)

MikroTik routers are known for being light on hardware, feature-rich, easy to configure, and installable on a PC. This tutorial is written specifically for beginners, IT Support staff and IT Officers who want to use a MikroTik router in the network they are building.

1. BASIC CONFIGURATION

To view the interfaces:

#interface print

To view interface status:

#interface ethernet print

To disable interface ether5 (index 4):

#interface disable 4

To change a switch port (for example, make port 4 a port whose master port is ether3):

#interface ethernet set 4 master-port=ether3

2. IP ADDRESS CONFIGURATION

Assign IP addresses to the interfaces:

#ip address add address=192.168.1.254/24 interface=ether1
#ip address add address=192.168.2.254/24 interface=ether2
#ip address add address=192.168.3.254/24 interface=ether3

Set the default gateway (the IP of the provider's router/modem); say the modem/router IP is 192.168.1.7:

#ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.7

...or

#ip route add dst-address=0.0.0.0/0 gateway=192.168.1.7

DNS server configuration:

#ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes

Check the router's routes and DNS:

#ip route print
#ip dns print

MASQUERADE runs NAT to replace private IPs with the public IP on ether1 (the interface facing the Internet) so that we can reach the Internet. For example, to allow 192.168.2.0/24 to access the Internet:

#ip firewall nat add chain=srcnat src-address=192.168.2.0/24 out-interface=ether1 action=masquerade

or only for a specific IP range:


MASQUERADE FOR SPECIFIC IPs, HOURS, DAYS AND PORTS

#ip firewall nat add chain=srcnat src-address=192.168.2.1-192.168.2.50 protocol=tcp dst-port=80,443 time=08:00:00-14:00:00,mon,tue,wed,thu,fri out-interface=ether1 action=masquerade

Add a user, change the identity, set the time, system maintenance:

#user add name=bayu group=full password=bayu address=192.168.2.10
#system shutdown
#system reboot
#system backup save
#system identity set name=ITMEDIACENTER
#system ntp client set primary-ntp=203.130.193.74 enabled=yes mode=unicast
#system clock set time-zone-name=Asia/Jakarta
#user print

TOOLS & MONITORING

#tool torch interface=ether2 src-address=192.168.2.0/24
#tool ip-scan interface=ether3 address-range=192.168.3.0/24

3. FILTER

a. INPUT

Decides whether a packet is allowed into the router or not. Now let's build the following scenario:

No ping, telnet, winbox or SSH to the router from 192.168.2.0/24 on interface ether2, except from 192.168.2.10-15 (the IT admin IPs):

#ip firewall filter add chain=input in-interface=ether2 src-address=192.168.2.10-192.168.2.15 action=accept
#ip firewall filter add chain=input in-interface=ether2 protocol=icmp connection-state=established action=accept
#ip firewall filter add chain=input in-interface=ether2 protocol=icmp action=drop
#ip firewall filter add chain=input in-interface=ether2 protocol=tcp dst-port=20,21,22,23,80,8291 action=drop

Check the firewall:

#ip firewall filter print
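To see why the order of these four rules matters, here is an added Python model (example code written for this edit, not part of the tutorial) that walks the input chain top to bottom the way RouterOS does and returns the action of the first matching rule. The rules are the four above; the packet fields and the hosts 192.168.2.77 and 203.0.113.9 are constructed. Two things the model makes visible: the chain only covers ether2, so the same ports stay reachable from ether1 unless further rules are added, and moving the admin accept rule below the drops locks the admins out as well.

```python
"""First-match evaluation of the section 3a input chain.

Added example, not from the original tutorial: models how RouterOS walks
the input chain top to bottom and applies the first rule that matches.
The packet fields (src, in_iface, proto, dst_port, state) are a
constructed subset of what the real matcher sees.
"""
import ipaddress


def _ip_in(value, spec):
    """src-address matcher: CIDR network, 'a-b' range, or a single address."""
    ip = ipaddress.ip_address(value)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Every matcher present in the rule must hold; absent matchers match anything."""
    if "in-interface" in rule and pkt["in_iface"] != rule["in-interface"]:
        return False
    if "src-address" in rule and not _ip_in(pkt["src"], rule["src-address"]):
        return False
    if "protocol" in rule and pkt["proto"] != rule["protocol"]:
        return False
    if "connection-state" in rule and pkt["state"] != rule["connection-state"]:
        return False
    if "dst-port" in rule:
        ports = {int(p) for p in rule["dst-port"].split(",")}
        if pkt.get("dst_port") not in ports:
            return False
    return True


def evaluate(chain, pkt):
    """Action of the first matching rule; with no match the input chain
    falls through to RouterOS's default, which is accept."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"


# The section 3a rules, in the order the tutorial adds them.
INPUT_CHAIN = [
    {"in-interface": "ether2", "src-address": "192.168.2.10-192.168.2.15",
     "action": "accept"},
    {"in-interface": "ether2", "protocol": "icmp",
     "connection-state": "established", "action": "accept"},
    {"in-interface": "ether2", "protocol": "icmp", "action": "drop"},
    {"in-interface": "ether2", "protocol": "tcp",
     "dst-port": "20,21,22,23,80,8291", "action": "drop"},
]


def pkt(src, proto, dst_port=None, state="new", in_iface="ether2"):
    """Constructed packet summary used for the simulation."""
    return {"src": src, "in_iface": in_iface, "proto": proto,
            "dst_port": dst_port, "state": state}


def scenario(chain=INPUT_CHAIN):
    """Outcomes for the tutorial's scenario: admins may reach the router,
    other hosts on ether2 may neither ping it nor open management ports."""
    return {
        "admin_ssh":   evaluate(chain, pkt("192.168.2.12", "tcp", 22)),
        "user_ssh":    evaluate(chain, pkt("192.168.2.77", "tcp", 22)),
        "user_winbox": evaluate(chain, pkt("192.168.2.77", "tcp", 8291)),
        "user_ping":   evaluate(chain, pkt("192.168.2.77", "icmp")),
        "user_dns":    evaluate(chain, pkt("192.168.2.77", "udp", 53)),
        "wan_ssh":     evaluate(chain, pkt("203.0.113.9", "tcp", 22, in_iface="ether1")),
    }


def reordered_scenario():
    """Same rules with the admin accept moved to the bottom: the drops now
    fire first, so the admin range is locked out of SSH too."""
    chain = INPUT_CHAIN[1:] + INPUT_CHAIN[:1]
    return evaluate(chain, pkt("192.168.2.12", "tcp", 22))


if __name__ == "__main__":
    for name, action in scenario().items():
        print(f"{name:12s} -> {action}")
    print("admin SSH with the accept rule last ->", reordered_scenario())
```

The udp/53 and ether1 cases come out as accept only because no rule covers them; with allow-remote-requests=yes set in section 2, a rule for the WAN side is the natural next addition to this chain, and the print command above is where to confirm that the accept for the admin range sits above the drops.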

b. FORWARD

Handles traffic passing through the router, i.e. inspection of every packet that crosses the router. Three (3) actions are used:

-Drop

Simulation (block www.detik.com and MP3 file downloads):

#ip firewall filter add chain=forward src-address=192.168.2.0/24 content=www.detik.com action=drop
#ip firewall filter add chain=forward src-address=192.168.2.0/24 content=.mp3 action=drop

-Reject

If the user pings, the result is DHU (destination host unreachable); with drop it would be RTO (request timed out):

#ip firewall filter add chain=forward src-address=192.168.2.0/24 action=reject reject-with=icmp-host-unreachable


4. ADDRESS LIST

Declares IP addresses under a name, so that the addresses can be referred to by that name:

#ip firewall address-list add address=192.168.2.0/24 list="JARINGAN KANTOR"
#ip firewall address-list add address=192.168.2.15 list="IT Support"
#ip firewall address-list print

For example, we can use an address list to see which IP addresses attempt to ping the router or to access it (SSH, WinBox, Telnet):

#ip firewall filter add chain=input in-interface=ether2 protocol=icmp action=add-src-to-address-list address-list="ping ilegal"
#ip firewall filter add chain=input in-interface=ether2 protocol=tcp dst-port=22,23 action=add-src-to-address-list address-list="akses ilegal"

Then view the result:

#ip firewall address-list print

5. PROXY

An application that acts as an intermediary between server and client, so that the user never talks to the server directly.

Advantages:

1. Saves bandwidth
2. Can apply content caching
3. Restrictions on web content

#ip proxy set enabled=yes port=8080 cache-administrator=admin@itmediacenter.web.id max-cache-size=unlimited cache-on-disk=yes

Enable the proxy for a specific IP range only:

#ip proxy access add src-address=192.168.2.0/24 action=allow
#ip proxy access add src-address=0.0.0.0/0 action=deny

For a transparent proxy,


6. DHCP SERVER

[admin@MikroTik-IMC] > ip dhcp-server setup
Select interface to run DHCP server on
dhcp server interface: ether4
Select network for DHCP addresses
dhcp address space: 192.168.4.0/24
Select gateway for given network
gateway for dhcp network: 192.168.4.254
Select pool of ip addresses given out by DHCP server
addresses to give out: 192.168.4.100-192.168.4.200
Select DNS servers
dns servers: 8.8.8.8,8.8.4.4
Select lease time
lease time: 3d

6.1 Assign a fixed IP to a computer based on its MAC address

#ip dhcp-server lease add address=192.168.3.150 mac-address=2C-76-8A-D1-ED-78

To allow Internet access on ether4 for the IP range 192.168.3.100-192.168.3.200:

#ip firewall nat add chain=srcnat src-address=192.168.3.100-192.168.3.200 out-interface=ether1 action=masquerade

6.2 Show the computers that are using DHCP

#ip dhcp-server lease print

6.3 DHCP SECURITY

To restrict IP address usage and force users to take their address from the DHCP server: a user who configures a static IP by hand will not be able to connect to the router (server).

#ip dhcp-server set 0 add-arp=yes
#ip dhcp-server lease print
#interface ethernet set 2 arp=reply-only

7. SIMPLE BANDWIDTH MANAGEMENT

Bandwidth management is very important in running a network: it controls each user who accesses the Internet, so that no single user consumes an excessive share of the bandwidth.

1. Maximum Information Rate (MIR): the maximum bandwidth a user's computer can obtain when that bandwidth is not being used by other users.

Suppose we have 2 Mbps of Internet bandwidth to be shared among 8 users (computers) at the same time. Straight to the commands.

We create a bandwidth limit for Internet access from 192.168.2.0/24. Type the commands below:

#queue simple add name=Limit-All target-addresses=192.168.2.0/24 interface=ether2 max-limit=2M/2M


#queue simple add name=PC-HRD target-addresses=192.168.2.10 interface=ether2 max-limit=2M/2M limit-at=256000/256000 parent=Limit-All
#queue simple add name=PC-KTU target-addresses=192.168.2.11 interface=ether2 max-limit=2M/2M limit-at=256000/256000 parent=Limit-All
#queue simple add name=PC-Engineering target-addresses=192.168.2.12 interface=ether2 max-limit=2M/2M limit-at=256000/256000 parent=Limit-All
#queue simple add name=PC-Accounting target-addresses=192.168.2.13 interface=ether2 max-limit=2M/2M limit-at=256000/256000 parent=Limit-All
#queue simple add name=PC-IT target-addresses=192.168.2.20 interface=ether2 max-limit=2M/2M limit-at=256000/256000 parent=Limit-All

Now let's look at the result: first do some browsing from the clients, then run:

#tool torch interface=ether2 src-address=192.168.2.0/24
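A simplified water-filling model, added here as example code (not the tutorial's own commands and not RouterOS's HTB scheduler), of what the limit-at/max-limit pairs above ask for: each child queue is guaranteed its limit-at, and whatever the 2M parent has left is shared equally among the queues that still want more, up to their max-limit. The demand figures are constructed; parse_rate follows RouterOS's k = 1000 and M = 1,000,000 rate notation.

```python
"""Simplified model of the limit-at / max-limit sharing in section 7.

Added example, not part of the tutorial: a water-filling allocation that
guarantees each child queue its limit-at (CIR), then shares the parent's
remaining capacity equally up to each child's max-limit (MIR). It models
the intent of the commands, not RouterOS's actual HTB scheduler.
Rates are bits per second; the demand figures are constructed inputs.
"""


def parse_rate(text):
    """RouterOS rate notation: '2M' -> 2_000_000, '256k' -> 256_000, '256000' -> 256000."""
    text = text.strip()
    mult = {"k": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if text[-1] in mult:
        return int(float(text[:-1]) * mult[text[-1]])
    return int(text)


def allocate(parent_max, queues, demand):
    """queues: {name: (limit_at, max_limit)}, demand: {name: bps wanted}.
    Returns {name: bps granted}. Step 1 honours min(demand, limit-at);
    step 2 water-fills the leftover among queues that still want more."""
    grant = {n: min(demand.get(n, 0), la) for n, (la, _) in queues.items()}
    left = parent_max - sum(grant.values())
    while left > 0:
        hungry = [n for n, (_, mx) in queues.items()
                  if grant[n] < min(demand.get(n, 0), mx)]
        if not hungry:
            break
        share = left // len(hungry)
        if share == 0:
            break
        for n in hungry:
            extra = min(share, min(demand[n], queues[n][1]) - grant[n])
            grant[n] += extra
            left -= extra
    return grant


# The five child queues from section 7, all under Limit-All (2M/2M).
LIMIT_ALL = parse_rate("2M")
CHILDREN = {name: (parse_rate("256000"), parse_rate("2M"))
            for name in ("PC-HRD", "PC-KTU", "PC-Engineering", "PC-Accounting", "PC-IT")}


def one_heavy_user():
    """Only PC-IT is active: it may use the parent's full 2M (the MIR)."""
    return allocate(LIMIT_ALL, CHILDREN, {"PC-IT": parse_rate("5M")})


def all_saturating():
    """Everyone pulls as hard as they can: each gets its 256k guarantee plus
    an equal slice of the remainder, i.e. 2M / 5 = 400k each."""
    return allocate(LIMIT_ALL, CHILDREN, {n: parse_rate("5M") for n in CHILDREN})


def mixed_load():
    """Two light users and one downloader: the light users keep what they
    ask for and the downloader takes the rest of the 2M."""
    return allocate(LIMIT_ALL, CHILDREN,
                    {"PC-HRD": 100_000, "PC-KTU": 150_000, "PC-IT": parse_rate("5M")})


if __name__ == "__main__":
    for label, result in (("one heavy user", one_heavy_user()),
                          ("all saturating", all_saturating()),
                          ("mixed load", mixed_load())):
        print(label, {k: v for k, v in result.items() if v})
```

The all-saturating case is the one the section's "2 Mbps shared among users" sentence describes: the 256k limit-at only matters once the parent is oversubscribed, and at that point everyone lands well below the 2M max-limit.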

Now limit download bandwidth by file extension

This is for restraining users who often exhaust the bandwidth by downloading certain kinds of files. With this method we limit every user who downloads them. The mangle feature of the firewall is used to label (mark) the packets that carry those file extensions.

When a user starts downloading a file with the .rar extension (matched by the option content=.rar), that connection is marked "paket terlimit-conn"; the same is done for the other file types, e.g. zip, flv, mp3, iso, exe and so on. The commands used are as follows:

#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.rar action=mark-connection new-connection-mark="paket terlimit-conn"
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.exe action=mark-connection new-connection-mark="paket terlimit-conn"
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.mp3 action=mark-connection new-connection-mark="paket terlimit-conn"
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.mp4 action=mark-connection new-connection-mark="paket terlimit-conn"
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.zip action=mark-connection new-connection-mark="paket terlimit-conn"
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.iso action=mark-connection new-connection-mark="paket terlimit-conn"

Next, create a packet mark based on that connection mark. Packets belonging to connections marked "paket terlimit-conn" will be marked "paket terlimit". The command is:

#ip firewall mangle add chain=prerouting connection-mark="paket terlimit-conn" action=mark-packet new-packet-mark="paket terlimit"

The last step is the queue that limits downloads of those files. The option to add is packet-marks="paket terlimit". Here we limit downloads of those files to only 128kbps for the computers in the range. The command:

#queue simple add name=Limit-Paket target-addresses=192.168.2.0/24 interface=ether2 packet-marks="paket terlimit" max-limit=128k/128k

8. MANGLE

Mangle is one of the MikroTik firewall features used to mark packets. The purpose of marking packets is to make them easier to identify, which in turn makes it easier to set bandwidth limits by combining mangle, Layer 7 and QUEUE TREE. This is the basis for using mangle in network management: it makes packets easier to manage.

Now straight to the case study. This time we limit bandwidth by traffic type: download, streaming (video) and browsing. In this example I have a computer with IP 192.168.2.10/24.

1. First step: create the Layer 7 protocols

#ip firewall layer7-protocol add comment=download name=download \
regexp="^.*get.+\\.(exe|rar|iso|zip|7zip|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*\$"
#ip firewall layer7-protocol add comment=streaming3 name=streaming3 regexp=videoplayback|video

2. Second step: create the mangle rules for IN and OUT packets

#ip firewall mangle add action=mark-connection chain=prerouting comment="CONNECTION IN" disabled=no dst-address-list=!MikroTik in-interface=ether1 new-connection-mark=All-Inconn passthrough=yes
#ip firewall mangle add action=mark-packet chain=prerouting connection-mark=All-Inconn disabled=no new-packet-mark=All-Inpkt passthrough=yes
#ip firewall mangle add action=mark-connection chain=forward comment="CONNECTION OUT" disabled=no new-connection-mark=All-Outconn out-interface=ether2 passthrough=yes
#ip firewall mangle add action=mark-packet chain=forward connection-mark=All-Outconn disabled=no new-packet-mark=All-Outpkt passthrough=yes


Now per user (PC10, IP 192.168.2.10):

#ip firewall mangle add action=mark-connection chain=forward comment="PC-10 PAKET" connection-mark=All-Outconn disabled=no dst-address=192.168.2.10 new-connection-mark=PC-10-conn passthrough=yes
#ip firewall mangle add action=mark-packet chain=forward connection-mark=PC-10-conn disabled=no new-packet-mark=PC-10-paket passthrough=yes
#ip firewall mangle add action=mark-packet chain=forward comment=PC-10-Download connection-mark=PC-10-conn disabled=no layer7-protocol=download new-packet-mark="pc-10 dwpkt" passthrough=no
#ip firewall mangle add action=mark-packet chain=forward comment=PC-10-Streaming connection-mark=PC-10-conn disabled=no layer7-protocol=streaming3 new-packet-mark=PC-10-strrmpkt passthrough=no
#ip firewall mangle add action=mark-connection chain=forward comment="PC-10 Browsing" connection-bytes=0-1000000 connection-mark=PC-10-conn disabled=no dst-port=80,443 new-connection-mark=PC-10-conn passthrough=no protocol=tcp
#ip firewall mangle add action=mark-packet chain=forward connection-mark=PC-10-conn disabled=no new-packet-mark=PC-10-brwpkt packet-mark="!PC-10-strrmpkt,pc-10 dwpkt" passthrough=no

Still per user (PC11, IP 192.168.2.11):

#ip firewall mangle add action=mark-connection chain=forward comment="PC-11 PAKET" connection-mark=All-Outconn disabled=no dst-address=192.168.2.11 new-connection-mark=PC-11-conn passthrough=yes
#ip firewall mangle add action=mark-packet chain=forward connection-mark=PC-11-conn disabled=no new-packet-mark=PC-11-paket passthrough=yes
#ip firewall mangle add action=mark-packet chain=forward comment=PC-11-Download connection-mark=PC-11-conn disabled=no layer7-protocol=download new-packet-mark="PC-11 dwpkt" passthrough=no
#ip firewall mangle add action=mark-packet chain=forward comment=PC-11-Streaming connection-mark=PC-11-conn disabled=no layer7-protocol=streaming3 new-packet-mark=PC-11-strmpkt passthrough=no
#ip firewall mangle add action=mark-connection chain=forward comment="PC-11 Browsing" connection-bytes=0-1000000 connection-mark=PC-11-conn disabled=no dst-port=80,443 new-connection-mark=PC-11-conn passthrough=no protocol=tcp
#ip firewall mangle add action=mark-packet chain=forward connection-mark=PC-11-conn disabled=no new-packet-mark=PC-11-brwpkt packet-mark="!pc-11 dwpkt,PC-11-strmpkt" passthrough=no


3. Third step: the QUEUE TREE. The commands are:

First... (the parent)

#queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2M name=All-Banwitdh packet-mark=All-Outpkt parent=global-out priority=1

Second... (limits based on the mangle marks created for user PC10)

#queue tree add burst-limit=256k burst-threshold=192k burst-time=2s disabled=no limit-at=112k max-limit=112k name=PC-10 packet-mark=PC-10-paket parent=All-Banwitdh priority=1
#queue tree add burst-limit=256k burst-threshold=192k burst-time=5s disabled=no limit-at=112k max-limit=112k name=PC10-Browsing packet-mark=PC-10-brwpkt parent=PC-10 priority=2 queue=default
#queue tree add burst-limit=256k burst-threshold=192k burst-time=6s disabled=no limit-at=112k max-limit=112k name=PC10-Download packet-mark="pc-10 dwpkt" parent=PC-10 priority=6 queue=default
#queue tree add burst-limit=256k burst-threshold=192k burst-time=3s disabled=no limit-at=128k max-limit=128k name=PC10-Streaming packet-mark=PC-10-strrmpkt parent=PC-10 priority=3 queue=default

Next... (limits based on the mangle marks created for user PC11)

#queue tree add burst-limit=256k burst-threshold=192k burst-time=2s disabled=no limit-at=112k max-limit=112k name=PC-11 packet-mark=PC-11-paket parent=All-Banwitdh priority=1
#queue tree add burst-limit=256k burst-threshold=192k burst-time=5s disabled=no limit-at=112k max-limit=112k name=PC11-Browsing packet-mark=PC-11-brwpkt parent=PC-11 priority=2 queue=default
#queue tree add burst-limit=256k burst-threshold=192k burst-time=6s disabled=no limit-at=112k max-limit=112k name=PC11-Download packet-mark="PC-11 dwpkt" parent=PC-11 priority=6 queue=default
#queue tree add burst-limit=256k burst-threshold=192k burst-time=3s disabled=no limit-at=128k max-limit=128k name=PC11-Streaming packet-mark=PC-11-strmpkt parent=PC-11 priority=3 queue=default

9. WIRELESS NETWORK / WIFI INTERNET HOTSPOT

9.1 Hotspot Setup

Straight to the commands:

#ip hotspot setup
Select interface to run HotSpot on
hotspot interface: ether4
Set HotSpot address for interface
local address of network: 192.168.4.254/24
masquerade network: yes
Set pool for HotSpot addresses
address pool of network: 192.168.4.100-192.168.4.200
select certificate: none
Select SMTP server
ip address of smtp server: 0.0.0.0
Setup DNS configuration


dns servers: 8.8.8.8,8.8.4.4
DNS name of local hotspot server
dns name:
Create local hotspot user
name of local hotspot user: admin
password for the user: admin123

9.2 Then create users, for example the users joni and agus:

#ip hotspot user add name=joni password=admin123
#ip hotspot user add name=agus password=admin123

Walled Garden (allow users to reach certain hosts without authentication):

#ip hotspot walled-garden add dst-host=www.itmediacenter.web.id action=allow

View users, view ACTIVE users:

#ip hotspot user print
#ip hotspot active print
#ip hotspot host print

9.3 Create profiles for bandwidth limiting

#ip hotspot user profile add name=karyawan rate-limit=128k/128k shared-users=1
#ip hotspot user profile add name=tamu rate-limit=256k/256k shared-users=1
#ip hotspot user add name=agung password=admin123 profile=karyawan
#ip hotspot user add name=jokowi password=admin123 profile=tamu

That is all.

CEO ITMEDIACENTER


Notes:

Layer7 for file downloads:

^.*get.+\.(exe|rar|iso|zip|7zip|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*$

Layer7 for streaming:

videoplayback|video
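An added Python check (not part of the tutorial) of what these two patterns actually match, using Python's re module with IGNORECASE in place of the RouterOS layer7 matcher, on the assumption that a lower-case "get" pattern is meant to catch upper-case GET requests as the tutorial uses it; the request lines are constructed samples. It shows that the download pattern keys on the extension anywhere after "get" (a query string included), that the streaming pattern fires on any "video" substring (a Host header included), and that a TLS connection exposes no request line for either pattern to see.

```python
"""Exercising the tutorial's Layer 7 patterns against sample request data.

Added example, not part of the tutorial. Python's re module with
re.IGNORECASE stands in for the RouterOS layer7 matcher (assumed
case-insensitive here, since the tutorial applies a lower-case 'get'
pattern to GET requests). The HTTP request lines are constructed samples.
"""
import re

# The two patterns from the Notes, copied verbatim (the RouterOS export
# escaping of \\. and \$ is already undone in the Notes form).
DOWNLOAD_RE = r"^.*get.+\.(exe|rar|iso|zip|7zip|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*$"
STREAMING_RE = r"videoplayback|video"

# DOTALL lets '.' span the CRLF line breaks of a real HTTP request.
LAYER7 = {
    "download": re.compile(DOWNLOAD_RE, re.IGNORECASE | re.DOTALL),
    "streaming3": re.compile(STREAMING_RE, re.IGNORECASE),
}


def classify(payload):
    """Names of all layer7 protocols whose pattern matches the payload."""
    return [name for name, rx in LAYER7.items() if rx.search(payload)]


SAMPLES = {
    # plain download of an archive: matched by 'download'
    "get_rar":    "GET /files/backup.rar HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # the extension appears, but not after 'get': no match
    "post_zip":   "POST /upload.zip HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # extension inside a query string still matches: the pattern is not anchored to the path
    "get_query":  "GET /page?file=movie.mp4 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # the streaming pattern fires on any 'video' substring, here in the Host header
    "video_host": "GET /index.html HTTP/1.1\r\nHost: video.example.test\r\n\r\n",
    # over TLS the matcher only sees the handshake, never the request line
    "tls_hello":  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03".decode("latin-1"),
}


def run_samples():
    """Classification of every constructed sample."""
    return {name: classify(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:11s} -> {hits or 'no match'}")
```

The video_host case is the one to keep in mind when a browsing queue suddenly gets less than expected: the mark follows the pattern, not the traffic type, so a site whose hostname contains "video" is throttled as streaming.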

Filtering script

MikroTik RouterOS 5.20 (c) 1999-2012 http://www.mikrotik.com/
[admin@MikroTik-IMC] > ip firewall filter
[admin@MikroTik-IMC] /ip firewall filter> export
# jan/02/1970 08:50:10 by RouterOS 5.20
# software id = 9PIW-IX55
#
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.2.1-192.168.2.250
add action=accept chain=input connection-state=established disabled=no in-interface=ether2 protocol=icmp
add action=drop chain=input comment="Dilarang PING" disabled=yes in-interface=ether2 protocol=icmp src-address=!192.18.2.10-192.18.2.200
add action=drop chain=input disabled=no dst-port=23,22,8291 in-interface=ether2 protocol=tcp
add action=drop chain=forward comment="BLOK detik.com" content=www.detik.com disabled=yes src-address=192.168.2.10/31
add action=add-src-to-address-list address-list="akses ilegal" address-list-timeout=0s chain=input disabled=no dst-port=22,23 in-interface=ether2 protocol=tcp
add action=add-src-to-address-list address-list="ping ilegal" address-list-timeout=0s chain=input disabled=no in-interface=ether2 protocol=icmp
add action=drop chain=virus comment="Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=udp
add action=drop chain=virus comment="Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment="Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot,Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=12667 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=27665 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=31335 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=27444 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=34555 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=35555 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=27444 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=27665 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=31335 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=31846 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=34555 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=35555 protocol=tcp
add action=drop chain=forward comment=";;Block W32.Kido - Conficker" disabled=no protocol=udp src-port=135-139,445
add action=drop chain=forward disabled=no dst-port=135-139,445 protocol=udp
add action=drop chain=forward disabled=no protocol=tcp src-port=135-139,445,593
add action=drop chain=forward disabled=no dst-port=135-139,445,593 protocol=tcp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=accept chain=input disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="drop FTP Brute Forcers" disabled=no dst-port=21 protocol=tcp src-address-list=FTP_BlackList
add action=drop chain=input disabled=no dst-port=21 protocol=tcp src-address-list=FTP_BlackList
add action=accept chain=output content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=FTP_BlackList address-list-timeout=1d chain=output content="530 Login incorrect" disabled=no protocol=tcp
add action=drop chain=input comment="drop SSH&TELNET Brute Forcers" disabled=no dst-port=22-23 protocol=tcp src-address-list=IP_BlackList
add action=add-src-to-address-list address-list=IP_BlackList address-list-timeout=1d chain=input connection-state=new disabled=no dst-port=22-23 protocol=tcp \
src-address-list=SSH_BlackList_3
add action=add-src-to-address-list address-list=SSH_BlackList_3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22-23 protocol=tcp \
src-address-list=SSH_BlackList_2
add action=add-src-to-address-list address-list=SSH_BlackList_2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22-23 protocol=tcp \
src-address-list=SSH_BlackList_1
add action=add-src-to-address-list address-list=SSH_BlackList_1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22-23 protocol=tcp
add action=drop chain=input comment="drop port scanners" disabled=no src-address-list=port_scanners
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward disabled=no p2p=bit-torrent
add action=drop chain=forward comment="Blokir Torrent1" disabled=no p2p=all-p2p
add action=drop chain=forward comment="Blokir Torrent" disabled=no p2p=bit-torrent
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=61.213.183.1-61.213.183.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=67.195.134.1-67.195.134.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=68.142.233.1-68.142.233.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=68.180.217.1-68.180.217.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=203.84.204.1-203.84.204.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.176.1-69.63.176.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.181.1-69.63.181.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.213.1-63.245.213.254
add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.2.10-192.168.2.15
[admin@MikroTik-IMC] /ip firewall filter>
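Two of the detections in this export are worth tracing by hand, and the following added Python model (not the tutorial's own code and not part of the export) does so: the SSH/Telnet brute-force ladder built from the SSH_BlackList_1/_2/_3 and IP_BlackList rules with their 1m and 1d timeouts, and the five tcp-flags matchers that feed port_scanners. Timestamps, the source address 192.0.2.50 and the flag sets are constructed. One observation from the export itself: the chain=virus rules are never reached, because no rule in input or forward jumps to that chain, so as exported they drop nothing.

```python
"""Tracing two address-list detections from the filter export.

Added example, not code from the tutorial or its export. Models the
SSH/Telnet brute-force ladder (SSH_BlackList_1 -> _2 -> _3 -> IP_BlackList)
and the tcp-flags rules that feed port_scanners. Times are seconds;
addresses and packets are constructed inputs.
"""

MINUTE, DAY = 60, 86_400


class AddressLists:
    """Address lists with per-entry expiry, modelling address-list-timeout."""

    def __init__(self):
        self._expiry = {}  # (list name, ip) -> absolute expiry time

    def add(self, name, ip, timeout, now):
        self._expiry[(name, ip)] = now + timeout

    def contains(self, name, ip, now):
        exp = self._expiry.get((name, ip))
        if exp is None:
            return False
        if exp <= now:                      # entry timed out
            del self._expiry[(name, ip)]
            return False
        return True


def ssh_ladder(lists, src, now):
    """One new TCP connection to port 22/23 from src, walked through the
    export's rules in their listed order. add-src-to-address-list does not
    stop evaluation, so every matching add rule below the drop runs."""
    if lists.contains("IP_BlackList", src, now):
        return "drop"                       # "drop SSH&TELNET Brute Forcers"
    if lists.contains("SSH_BlackList_3", src, now):
        lists.add("IP_BlackList", src, DAY, now)
    if lists.contains("SSH_BlackList_2", src, now):
        lists.add("SSH_BlackList_3", src, MINUTE, now)
    if lists.contains("SSH_BlackList_1", src, now):
        lists.add("SSH_BlackList_2", src, MINUTE, now)
    lists.add("SSH_BlackList_1", src, MINUTE, now)
    return "accept"                         # nothing in the ladder drops it yet


ALL_FLAGS = frozenset({"fin", "syn", "rst", "psh", "ack", "urg"})


def tcp_flags_match(spec, flags):
    """RouterOS tcp-flags matcher: listed flags must be set, '!'-prefixed
    flags must be clear, flags not mentioned are ignored."""
    for item in spec.split(","):
        if item.startswith("!"):
            if item[1:] in flags:
                return False
        elif item not in flags:
            return False
    return True


# The five add-src-to-address-list rules for port_scanners in the export.
PORT_SCANNER_SPECS = [
    "fin,!syn,!rst,!psh,!ack,!urg",   # FIN only
    "fin,syn",                        # SYN+FIN
    "syn,rst",                        # SYN+RST
    "fin,syn,rst,psh,ack,urg",        # all flags set
    "!fin,!syn,!rst,!psh,!ack,!urg",  # no flags set
]


def is_port_scanner(flags):
    """True if any of the five rules would add the source to port_scanners."""
    return any(tcp_flags_match(spec, flags) for spec in PORT_SCANNER_SPECS)


def scenarios():
    src = "192.0.2.50"                  # constructed source address
    burst = AddressLists()
    burst_result = [ssh_ladder(burst, src, t) for t in (0, 5, 10, 15, 20)]
    within_day = burst.contains("IP_BlackList", src, 3_600)
    after_day = burst.contains("IP_BlackList", src, 20 + DAY)
    spaced = AddressLists()             # attempts 90 s apart, beyond the 1m timeout
    spaced_result = [ssh_ladder(spaced, src, t) for t in (0, 90, 180, 270, 360)]
    return {
        "burst": burst_result,
        "banned_within_day": within_day,
        "banned_after_day": after_day,
        "spaced": spaced_result,
        "normal_syn": is_port_scanner({"syn"}),
        "normal_data": is_port_scanner({"psh", "ack"}),
        "null_scan": is_port_scanner(set()),
        "xmas_scan": is_port_scanner(ALL_FLAGS),
        "fin_scan": is_port_scanner({"fin"}),
    }


if __name__ == "__main__":
    for key, value in scenarios().items():
        print(f"{key:18s} {value}")
```

The burst case shows the fourth new connection within a minute promoting the source into IP_BlackList and the fifth being dropped; the spaced case shows that connections further apart than address-list-timeout=1m never accumulate, so that timeout, not the number of intermediate lists, sets the detection window. A legitimate SYN or a normal data segment matches none of the tcp-flags rules, which is what keeps port_scanners from filling with ordinary clients.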
