www.itmediacenter.web.id | E-mail:hasugianmail@gmail.com
Welcome to the MikroTik tutorial :)
The MikroTik router is known as a router that is light on hardware, has many features, is easy to configure and can be installed on a PC. This tutorial is written specifically for beginners, IT Support staff and IT Officers who want to use a MikroTik router in the network they are building.
1. BASIC CONFIGURATION
To view the interfaces:
#interface print
To view interface status:
#interface ethernet print
To disable interface ether5 (index 4):
#interface disable 4
To change a switch port (for example, make port 4 an ordinary port with ether3 as its master port):
#interface ethernet set 4 master-port=ether3
2. IP ADDRESS CONFIGURATION
Assign IP addresses to the interfaces:
#ip address add address=192.168.1.254/24 interface=ether1
#ip address add address=192.168.2.254/24 interface=ether2
#ip address add address=192.168.3.254/24 interface=ether3
Set the default gateway (the IP of the provider's router/modem); for example, if the modem/router IP is 192.168.1.7:
#ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.7
...or
#ip route add dst-address=0.0.0.0/0 gateway=192.168.1.7
DNS server configuration:
#ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
Note that allow-remote-requests=yes makes the router answer DNS queries from any address that can reach it, so it should be paired with an input-chain rule that drops port 53 arriving from the Internet side.
Check the router's routes and DNS:
#ip route print
#ip dns print
MASQUERADE runs NAT to replace the private IPs with the public IP on ether1 (the interface towards the Internet) so that we can access the Internet. For example, allow 192.168.2.0/24 to access the Internet:
#ip firewall nat add chain=srcnat src-address=192.168.2.0/24 out-interface=ether1 action=masquerade
or only for a particular IP range:
MASQUERADE FOR SPECIFIC IPs, HOURS, DAYS AND PORTS
#ip firewall nat add chain=srcnat src-address=192.168.2.1-192.168.2.50 protocol=tcp dst-port=80,443 time=08:00:00-14:00:00,mon,tue,wed,thu,fri out-interface=ether1 action=masquerade
Adding a user (the address= option restricts the source address that user may log in from), changing the identity and time, and system maintenance:
#user add name=bayu group=full password=bayu address=192.168.2.10
#system shutdown
#system reboot
#system backup save
#system identity set name=ITMEDIACENTER
#system ntp client set primary-ntp=203.130.193.74 enabled=yes mode=unicast
#system clock set time-zone-name=Asia/Jakarta
#user print
TOOLS & MONITORING
#tool torch ether2 src-address=192.168.2.0/24
#tool ip-scan interface=ether3 address-range=192.168.3.0/24
3. FILTER
a. INPUT
Determines whether a packet may enter the router or not. Now let us build the following scenario: no ping, telnet, winbox or SSH from 192.168.2.0/24 on interface ether2, except from IP 192.168.2.10-15 (the IT admin's IPs). The accept rule for the admin addresses must come first, because rules are evaluated top-down and the first matching rule decides:
#ip firewall filter add chain=input in-interface=ether2 src-address=192.168.2.10-192.168.2.15 action=accept
#ip firewall filter add chain=input in-interface=ether2 protocol=icmp connection-state=established action=accept
#ip firewall filter add chain=input in-interface=ether2 protocol=icmp action=drop
#ip firewall filter add chain=input in-interface=ether2 protocol=tcp dst-port=20,21,22,23,80,8291 action=drop
Check the firewall:
#ip firewall filter print
b. FORWARD
Handles the data passing through the router, i.e. inspection of every packet that transits the router. Three (3) actions are used:
- Drop
Simulation (block www.detik.com and MP3 file downloads):
#ip firewall filter add chain=forward src-address=192.168.2.0/24 content=www.detik.com action=drop
#ip firewall filter add chain=forward src-address=192.168.2.0/24 content=.mp3 action=drop
- Reject
If a user pings, the result is DHU (destination host unreachable); with drop it is RTO (request timed out):
#ip firewall filter add chain=forward src-address=192.168.2.0/24 action=reject reject-with=icmp-host-unreachable
4. ADDRESS LIST
Declares IP addresses under a name, so that they can be referred to by that name:
#ip firewall address-list add address=192.168.2.0/24 list="JARINGAN KANTOR"
#ip firewall address-list add address=192.168.2.15 list="IT Support"
#ip firewall address-list print
For example, we can use an address list to record the IP addresses that attempt to ping or access (SSH, WinBox, Telnet) the router. The add-src-to-address-list action does not stop rule processing (the packet passes through to the next rule), so these rules belong above the drop rules of the INPUT section if they are to record what those rules drop:
#ip firewall filter add chain=input in-interface=ether2 protocol=icmp action=add-src-to-address-list address-list="ping ilegal"
#ip firewall filter add chain=input in-interface=ether2 protocol=tcp dst-port=22,23 action=add-src-to-address-list address-list="akses ilegal"
Then view the result:
#ip firewall address-list print
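To make the first-match behaviour of the INPUT rules and the passthrough behaviour of the address-list rules concrete, here is an added Python simulation (not code from the page or from MikroTik). It walks an input chain built from the FILTER section's four rules with this section's two logging rules placed between the admin accept and the drops; the Packet and Rule classes, that combined order, and the sample traffic are my own constructions.

```python
"""First-match simulation of the input chain from the FILTER and ADDRESS LIST sections.
Added example, not code from the original page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    protocol: str                  # "icmp" or "tcp"
    dst_port: Optional[int] = None
    in_interface: str = "ether2"
    connection_state: str = "new"  # "new" or "established"


@dataclass
class Rule:
    action: str                              # accept / drop / add-src-to-address-list
    in_interface: Optional[str] = None
    src_address: Optional[str] = None        # CIDR or RouterOS-style "a.b.c.d-e.f.g.h" range
    protocol: Optional[str] = None
    dst_port: Optional[frozenset] = None
    connection_state: Optional[str] = None
    address_list: Optional[str] = None


def src_matches(spec: str, ip_text: str) -> bool:
    """RouterOS src-address accepts a CIDR prefix or a dash-separated range."""
    ip = ipaddress.ip_address(ip_text)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher that is set on the rule must match (matchers are ANDed)."""
    if rule.in_interface and rule.in_interface != pkt.in_interface:
        return False
    if rule.src_address and not src_matches(rule.src_address, pkt.src):
        return False
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port and pkt.dst_port not in rule.dst_port:
        return False
    if rule.connection_state and rule.connection_state != pkt.connection_state:
        return False
    return True


def run_chain(rules, pkt: Packet, address_lists: dict) -> str:
    """Walk the chain top-down. accept/drop terminate; add-src-to-address-list records
    the source and lets the packet continue (passthrough), as RouterOS does.
    A packet that matches no rule is accepted (the default for a chain)."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "add-src-to-address-list":
            address_lists.setdefault(rule.address_list, set()).add(pkt.src)
            continue
        return rule.action
    return "accept"


# Rule order assumed here (my choice, not the page's): admin accept first, then the
# logging rules, then the drops. Logging rules placed after the drops would never
# fire for the traffic they are meant to record.
INPUT_CHAIN = [
    Rule("accept", in_interface="ether2", src_address="192.168.2.10-192.168.2.15"),
    Rule("add-src-to-address-list", in_interface="ether2", protocol="icmp",
         address_list="ping ilegal"),
    Rule("add-src-to-address-list", in_interface="ether2", protocol="tcp",
         dst_port=frozenset({22, 23}), address_list="akses ilegal"),
    Rule("accept", in_interface="ether2", protocol="icmp", connection_state="established"),
    Rule("drop", in_interface="ether2", protocol="icmp"),
    Rule("drop", in_interface="ether2", protocol="tcp",
         dst_port=frozenset({20, 21, 22, 23, 80, 8291})),
]


def evaluate(packets):
    """Return (verdict per packet, address lists filled while evaluating)."""
    address_lists = {}
    verdicts = [run_chain(INPUT_CHAIN, p, address_lists) for p in packets]
    return verdicts, address_lists


if __name__ == "__main__":
    # Constructed sample traffic towards the router on ether2
    sample = [
        Packet("192.168.2.12", "tcp", 8291),  # admin: WinBox
        Packet("192.168.2.77", "icmp"),       # non-admin ping
        Packet("192.168.2.77", "tcp", 22),    # non-admin SSH
        Packet("192.168.2.77", "tcp", 443),   # no rule covers it: accepted
    ]
    verdicts, lists = evaluate(sample)
    for pkt, verdict in zip(sample, verdicts):
        print(pkt.src, pkt.protocol, pkt.dst_port, "->", verdict)
    print(lists)
```

The admin's WinBox connection never reaches the logging rules because the accept above it terminates evaluation, while the non-admin host ends up in both address lists and is dropped; TCP 443 to the router is accepted only because nothing in the chain mentions it, which is why a final catch-all drop is the usual practice.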
5. PROXY
An application that acts as an intermediary between server and client, so that the user never communicates directly with the server.
Advantages:
1. Saves bandwidth
2. Can apply content caching
3. Restrictions on web content
#ip proxy set enabled=yes port=8080 cache-administrator=admin@itmediacenter.web.id max-cache-size=unlimited cache-on-disk=yes
Enable the proxy for a certain IP range only (the final deny rule keeps the proxy from being open to everyone else):
#ip proxy access add src-address=192.168.2.0/24 action=allow
#ip proxy access add src-address=0.0.0.0/0 action=deny
Transparent proxy:
6. DHCP SERVER
[admin@MikroTik-IMC] > ip dhcp-server setup
Select interface to run DHCP server on
dhcp server interface: ether4
Select network for DHCP addresses
dhcp address space: 192.168.4.0/24
Select gateway for given network
gateway for dhcp network: 192.168.4.254
Select pool of ip addresses given out by DHCP server
addresses to give out: 192.168.4.100-192.168.4.200
Select DNS servers
dns servers: 8.8.8.8,8.8.4.4
Select lease time
lease time: 3d
6.1 Assigning a fixed IP to a computer based on its MAC address
#ip dhcp-server lease add address=192.168.3.150 mac-address=2C-76-8A-D1-ED-78
To allow Internet access on ether4 for the IP range 192.168.3.100-192.168.3.200:
#ip firewall nat add chain=srcnat src-address=192.168.3.100-192.168.3.200 out-interface=ether1 action=masquerade
6.2 Showing the computers that use DHCP
#ip dhcp-server lease print
6.3 DHCP SECURITY
To restrict IP address use and force clients to obtain their address from the DHCP server: a user who sets a static IP on their own will not be able to reach the server. add-arp=yes makes the DHCP server add an ARP entry for every lease it hands out, and arp=reply-only stops the interface from learning ARP entries dynamically, so the router can only send to hosts whose entries came from DHCP (or were added statically); a self-assigned address never gets an entry and never gets replies.
#ip dhcp-server set 0 add-arp=yes
#ip dhcp-server lease print
#interface ethernet set 2 arp=reply-only
7. SIMPLE BANDWIDTH MANAGEMENT
Bandwidth management is very important in running a network: it controls every user accessing the Internet so that no single user consumes an excessive share of the bandwidth.
1. Maximum Information Rate (MIR): the maximum bandwidth a user's computer can obtain when that bandwidth is not being used by other users.
Suppose we already have 2 Mbps of Internet bandwidth and will share it among 8 users (computers) at once. Straight to the commands.
We create a limit on Internet access bandwidth for 192.168.2.0/24. Type the commands below:
#queue simple add name=Limit-All target-addresses=192.168.2.0/24 interface=ether2 max-limit=2M/2M
#queue simple add name=PC-HRD target-addresses=192.168.2.10 interface=ether2 max-limit=2M/2M limit-at=256000/256000 parent=Limit-All
#queue simple add name=PC-KTU target-addresses=192.168.2.11 interface=ether2 max-limit=2M/2M limit-at=256000/256000 parent=Limit-All
#queue simple add name=PC-Engineering target-addresses=192.168.2.12 interface=ether2 max-limit=2M/2M limit-at=256000/256000 parent=Limit-All
#queue simple add name=PC-Accounting target-addresses=192.168.2.13 interface=ether2 max-limit=2M/2M limit-at=256000/256000 parent=Limit-All
#queue simple add name=PC-IT target-addresses=192.168.2.20 interface=ether2 max-limit=2M/2M limit-at=256000/256000 parent=Limit-All
Now let's look at the result; first do some browsing, then run:
#tool torch interface=ether2 src-address=192.168.2.0/24
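To see what limit-at and max-limit mean for the queues above when the parent's 2M is contended, here is an added Python model (not the page's or MikroTik's code): every child first receives min(demand, limit-at), and what is left of Limit-All is shared equally among the children that still want more, up to each child's max-limit. The sharing rule is a simplification of the HTB scheduler RouterOS actually uses, the per-PC demand figures are constructed, and "2M" is taken as 2,000,000 bit/s.

```python
"""Simplified model of how child simple queues share a parent's max-limit.
Added example, not code from the page; the sharing rule approximates HTB."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Queue:
    name: str
    limit_at: int   # guaranteed rate (CIR), bit/s
    max_limit: int  # ceiling (MIR), bit/s


PARENT_MAX = 2_000_000  # Limit-All max-limit=2M; RouterOS "M" taken as 1,000,000 (assumed)

# The five child queues from the tutorial: limit-at=256000, max-limit=2M
PAGE_QUEUES = [Queue(n, 256_000, 2_000_000) for n in
               ("PC-HRD", "PC-KTU", "PC-Engineering", "PC-Accounting", "PC-IT")]


def guarantees_oversubscribed(parent_max: int, queues) -> bool:
    """True when the sum of limit-at exceeds the parent's max-limit: the guarantees
    cannot all be honoured at the same time."""
    return sum(q.limit_at for q in queues) > parent_max


def allocate(parent_max: int, queues, demand: dict) -> dict:
    """Two-phase share: each queue first gets min(demand, limit-at); the remainder of the
    parent is then split equally among queues that still want more, capped by each
    queue's max-limit, repeating until nothing is left or nobody wants more."""
    alloc = {q.name: min(demand.get(q.name, 0), q.limit_at) for q in queues}
    remaining = parent_max - sum(alloc.values())
    if remaining < 0:
        raise ValueError("guaranteed rates of the active queues exceed the parent's max-limit")
    ceiling = {q.name: min(demand.get(q.name, 0), q.max_limit) for q in queues}
    while remaining > 0:
        wanting = [n for n in alloc if alloc[n] < ceiling[n]]
        if not wanting:
            break
        share = remaining // len(wanting)
        if share == 0:
            break
        for n in wanting:
            extra = min(share, ceiling[n] - alloc[n])
            alloc[n] += extra
            remaining -= extra
    return alloc


if __name__ == "__main__":
    # Constructed demand: two heavy downloaders, one light user, one idle, one moderate
    demand = {"PC-HRD": 1_500_000, "PC-KTU": 100_000, "PC-Engineering": 2_000_000,
              "PC-Accounting": 0, "PC-IT": 300_000}
    for name, rate in allocate(PARENT_MAX, PAGE_QUEUES, demand).items():
        print(f"{name:15s} {rate:>10,d} bit/s")
    # The tutorial plans 8 users at limit-at=256000 under a 2M parent: 8 * 256000 > 2M
    eight = [Queue(f"PC-{i}", 256_000, 2_000_000) for i in range(8)]
    print("8 users oversubscribed:", guarantees_oversubscribed(PARENT_MAX, eight))
```

With the constructed demand the two heavy users end at 800,000 bit/s each and the others get exactly what they asked for, so the parent is fully used. The second check is the caveat for the "8 users" plan in the text: eight guarantees of 256000 add up to 2,048,000, more than the 2M parent, so under full load the limit-at values cannot all be met.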
Now, limiting download bandwidth by file extension
To restrain users who often exhaust the bandwidth by downloading one particular kind of file, this method limits every user who downloads. Mangle in the firewall is used to label (mark) the data packets that contain those file extensions. Note that content= inspects the packet payload, so this only works for plain HTTP on port 80; downloads over HTTPS are not matched.
If a user starts downloading a file with the .rar extension (matched with the option content=.rar), that connection is given the mark "paket terlimit-conn"; likewise for the other file types, e.g. zip, flv, mp3, iso, exe and so on. The commands used are as follows:
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.rar action=mark-connection new-connection-mark="paket terlimit-conn"
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.exe action=mark-connection new-connection-mark="paket terlimit-conn"
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.mp3 action=mark-connection new-connection-mark="paket terlimit-conn"
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.mp4 action=mark-connection new-connection-mark="paket terlimit-conn"
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.zip action=mark-connection new-connection-mark="paket terlimit-conn"
#ip firewall mangle add chain=prerouting src-address=192.168.2.0/24 protocol=tcp dst-port=80 content=.iso action=mark-connection new-connection-mark="paket terlimit-conn"
Next, create a packet mark based on that connection mark. Packets coming from connections marked "paket terlimit-conn" are marked "paket terlimit". The command is:
#ip firewall mangle add chain=prerouting connection-mark="paket terlimit-conn" action=mark-packet new-packet-mark="paket terlimit"
Finally, configure a queue to limit the download activity for those files. The option to add is packet-marks="paket terlimit". We limit downloads of those files to just 128 kbps for these computers. The command:
#queue simple add name=Limit-Paket target-addresses=192.168.2.0/24 interface=ether2 packet-marks="paket terlimit" max-limit=128k/128k
8. MANGLE
Mangle is one of the features of the MikroTik firewall, used to mark packets. The purpose of marking packets is to make them easier to recognise, which in turn makes it easier to set bandwidth limits by combining mangle, Layer 7 and QUEUE TREE. This is what underlies the use of mangle in network management: it makes packets easier to manage.
Now straight to the case study. This time we limit bandwidth by category: download, streaming (video) and browsing. In this example I have a computer with IP 192.168.2.10/24.
1. First step: create the Layer 7 protocols
#ip firewall layer7-protocol add comment=download name=download \
regexp="^.*get.+\\.(exe|rar|iso|zip|7zip|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*\$"
#ip firewall layer7-protocol add comment=streaming3 name=streaming3 regexp="videoplayback|video"
2. Second step: create the mangle rules for IN and OUT packets
#ip firewall mangle add action=mark-connection chain=prerouting comment="CONNECTION IN" disabled=no dst-address-list=!MikroTik in-interface=ether1 new-connection-mark=All-Inconn passthrough=yes
#ip firewall mangle add action=mark-packet chain=prerouting connection-mark=All-Inconn disabled=no new-packet-mark=All-Inpkt passthrough=yes
#ip firewall mangle add action=mark-connection chain=forward comment="CONNECTION OUT" disabled=no new-connection-mark=All-Outconn out-interface=ether2 passthrough=yes
#ip firewall mangle add action=mark-packet chain=forward connection-mark=All-Outconn disabled=no new-packet-mark=All-Outpkt passthrough=yes
Now per user (PC10, IP 192.168.2.10):
#ip firewall mangle add action=mark-connection chain=forward comment="PC-10 PAKET" connection-mark=All-Outconn disabled=no dst-address=192.168.2.10 new-connection-mark=PC-10-conn passthrough=yes
#ip firewall mangle add action=mark-packet chain=forward connection-mark=PC-10-conn disabled=no new-packet-mark=PC-10-paket passthrough=yes
#ip firewall mangle add action=mark-packet chain=forward comment=PC-10-Download connection-mark=PC-10-conn disabled=no layer7-protocol=download new-packet-mark="pc-10 dwpkt" passthrough=no
#ip firewall mangle add action=mark-packet chain=forward comment=PC-10-Streaming connection-mark=PC-10-conn disabled=no layer7-protocol=streaming3 new-packet-mark=PC-10-strrmpkt passthrough=no
#ip firewall mangle add action=mark-connection chain=forward comment="PC-10 Browsing" connection-bytes=0-1000000 connection-mark=PC-10-conn disabled=no dst-port=80,443 new-connection-mark=PC-10-conn passthrough=no protocol=tcp
Packets that the download and streaming rules did not re-mark (passthrough=no ends processing for those) still carry PC-10-paket, so matching that packet mark selects the browsing traffic (the packet-mark matcher takes a single mark, not a list):
#ip firewall mangle add action=mark-packet chain=forward connection-mark=PC-10-conn disabled=no packet-mark=PC-10-paket new-packet-mark=PC-10-brwpkt passthrough=no
Still per user (PC11, IP 192.168.2.11):
#ip firewall mangle add action=mark-connection chain=forward comment="PC-11 PAKET" connection-mark=All-Outconn disabled=no dst-address=192.168.2.11 new-connection-mark=PC-11-conn passthrough=yes
#ip firewall mangle add action=mark-packet chain=forward connection-mark=PC-11-conn disabled=no new-packet-mark=PC-11-paket passthrough=yes
#ip firewall mangle add action=mark-packet chain=forward comment=PC-11-Download connection-mark=PC-11-conn disabled=no layer7-protocol=download new-packet-mark="PC-11 dwpkt" passthrough=no
#ip firewall mangle add action=mark-packet chain=forward comment=PC-11-Streaming connection-mark=PC-11-conn disabled=no layer7-protocol=streaming3 new-packet-mark=PC-11-strmpkt passthrough=no
#ip firewall mangle add action=mark-connection chain=forward comment="PC-11 Browsing" connection-bytes=0-1000000 connection-mark=PC-11-conn disabled=no dst-port=80,443 new-connection-mark=PC-11-conn passthrough=no protocol=tcp
#ip firewall mangle add action=mark-packet chain=forward connection-mark=PC-11-conn disabled=no packet-mark=PC-11-paket new-packet-mark=PC-11-brwpkt passthrough=no
3. Third step: the QUEUE TREE. The commands are:
First... (parent)
#queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2M name=All-Banwitdh packet-mark=All-Outpkt parent=global-out priority=1
Second... (limiting packets by the mangle marks created for user PC10)
#queue tree add burst-limit=256k burst-threshold=192k burst-time=2s disabled=no limit-at=112k max-limit=112k name=PC-10 packet-mark=PC-10-paket parent=All-Banwitdh priority=1
#queue tree add burst-limit=256k burst-threshold=192k burst-time=5s disabled=no limit-at=112k max-limit=112k name=PC10-Browsing packet-mark=PC-10-brwpkt parent=PC-10 priority=2 queue=default
#queue tree add burst-limit=256k burst-threshold=192k burst-time=6s disabled=no limit-at=112k max-limit=112k name=PC10-Download packet-mark="pc-10 dwpkt" parent=PC-10 priority=6 queue=default
#queue tree add burst-limit=256k burst-threshold=192k burst-time=3s disabled=no limit-at=128k max-limit=128k name=PC10-Streaming packet-mark=PC-10-strrmpkt parent=PC-10 priority=3 queue=default
Next... (limiting packets by the mangle marks created for user PC11)
#queue tree add burst-limit=256k burst-threshold=192k burst-time=2s disabled=no limit-at=112k max-limit=112k name=PC-11 packet-mark=PC-11-paket parent=All-Banwitdh priority=1
#queue tree add burst-limit=256k burst-threshold=192k burst-time=5s disabled=no limit-at=112k max-limit=112k name=PC11-Browsing packet-mark=PC-11-brwpkt parent=PC-11 priority=2 queue=default
#queue tree add burst-limit=256k burst-threshold=192k burst-time=6s disabled=no limit-at=112k max-limit=112k name=PC11-Download packet-mark="PC-11 dwpkt" parent=PC-11 priority=6 queue=default
#queue tree add burst-limit=256k burst-threshold=192k burst-time=3s disabled=no limit-at=128k max-limit=128k name=PC11-Streaming packet-mark=PC-11-strmpkt parent=PC-11 priority=3 queue=default
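The three steps form one pipeline: the Layer7 pattern classifies the connection, the mangle rule turns that into a packet mark, and the queue-tree leaf carrying that packet-mark enforces the limit. The following added Python example (not the page's or MikroTik's code) runs the page's two patterns over constructed HTTP request lines in the mangle order of step 2 (download first, then streaming, otherwise browsing) and maps the resulting mark to the PC-10 leaf of step 3. Two things it assumes: that the match is case-insensitive, which is not stated on the page, and that only the first 2 KB of a connection is inspected, which is the documented limit of the RouterOS Layer7 matcher (first 10 packets or 2 KB).

```python
"""Layer7 classification -> packet mark -> queue-tree leaf for PC-10.
Added example, not code from the page."""
import re

# Patterns copied from the tutorial's notes
DOWNLOAD_RE = r"^.*get.+\.(exe|rar|iso|zip|7zip|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*$"
STREAMING_RE = r"videoplayback|video"

# Assumed: case-insensitive matching (not stated on the page); DOTALL so that ".*"
# can run across the CRLF line breaks of an HTTP request.
FLAGS = re.IGNORECASE | re.DOTALL
L7_WINDOW = 2048  # RouterOS L7 inspects only the first 10 packets / 2 KB of a connection

# Mangle order from step 2: the download rule is tried first, then streaming
L7_RULES = [
    ("download", re.compile(DOWNLOAD_RE, FLAGS), "pc-10 dwpkt"),
    ("streaming3", re.compile(STREAMING_RE, FLAGS), "PC-10-strrmpkt"),
]
BROWSING_MARK = "PC-10-brwpkt"

# Queue-tree leaves from step 3: (name, max-limit in bit/s, priority)
QUEUE_FOR_MARK = {
    "pc-10 dwpkt": ("PC10-Download", 112_000, 6),
    "PC-10-strrmpkt": ("PC10-Streaming", 128_000, 3),
    "PC-10-brwpkt": ("PC10-Browsing", 112_000, 2),
}


def classify(payload: bytes) -> str:
    """Return the packet mark the mangle rules would assign to this connection."""
    window = payload[:L7_WINDOW].decode("latin-1")
    for _name, pattern, mark in L7_RULES:
        if pattern.search(window):
            return mark
    return BROWSING_MARK


def queue_for(payload: bytes):
    """(packet mark, queue name, max-limit, priority) for the connection."""
    mark = classify(payload)
    return (mark,) + QUEUE_FOR_MARK[mark]


if __name__ == "__main__":
    # Constructed request lines; hostnames use the reserved .test TLD
    samples = [
        b"GET /files/setup.exe HTTP/1.1\r\nHost: dl.example.test\r\n\r\n",
        b"GET /videoplayback?id=abc HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
        b"GET /docs/setup.exe.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
        b"POST /upload/backup.zip HTTP/1.1\r\nHost: files.example.test\r\n\r\n",
        b"GET /" + b"a" * 3000 + b".exe HTTP/1.1\r\n\r\n",
    ]
    for req in samples:
        print(req[:40], "->", queue_for(req))
```

The last three samples are the edge cases a practitioner should expect from these patterns: an HTML page whose URL merely contains ".exe" is throttled as a download, an upload of a .zip is not (the pattern keys on "get"), and an extension that sits beyond the 2 KB inspection window is never seen, so the connection falls through to the browsing queue.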
9. WIRELESS NETWORK / WIFI INTERNET HOTSPOT
9.1 Hotspot setup
Straight to the commands:
#ip hotspot setup
Select interface to run HotSpot on
hotspot interface: ether4
Set HotSpot address for interface
local address of network: 192.168.4.254/24
masquerade network: yes
Set pool for HotSpot addresses
address pool of network: 192.168.4.100-192.168.4.200
select certificate: none
Select SMTP server
ip address of smtp server: 0.0.0.0
Setup DNS configuration
dns servers: 8.8.8.8,8.8.4.4
DNS name of local hotspot server
dns name:
Create local hotspot user
name of local hotspot user: admin
password for the user: admin123
9.2 Then create the users, for example joni and agus:
#ip hotspot user add name=joni password=admin123
#ip hotspot user add name=agus password=admin123
Walled garden (allow users to reach certain hosts without authentication):
#ip hotspot walled-garden add dst-host=www.itmediacenter.web.id action=allow
View the users, and the users that are ACTIVE:
#ip hotspot user print
#ip hotspot active print
#ip hotspot host print
9.3 Creating profiles for bandwidth limits
#ip hotspot user profile add name=karyawan rate-limit=128k/128k shared-users=1
#ip hotspot user profile add name=tamu rate-limit=256k/256k shared-users=1
#ip hotspot user add name=agung password=admin123 profile=karyawan
#ip hotspot user add name=jokowi password=admin123 profile=tamu
That's all.
CEO ITMEDIACENTER
Notes:
Layer7 file download:
^.*get.+\.(exe|rar|iso|zip|7zip|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*$
File streaming:
videoplayback|video
Filtering script
Two things to check before reusing this export: the rules in chain=virus only take effect if a rule in the input or forward chain jumps to that chain (action=jump jump-target=virus), and no such rule appears below; and the second rule accepts all input from 192.168.2.1-192.168.2.250 on ether2 before the ICMP, port and address-list rules, so those later rules never see traffic from that range (rules are evaluated top-down, first match wins).
MikroTik RouterOS 5.20 (c) 1999-2012 http://www.mikrotik.com/
[admin@MikroTik-IMC] > ip firewall filter
[admin@MikroTik-IMC] /ip firewall filter> export
# jan/02/1970 08:50:10 by RouterOS 5.20
# software id = 9PIW-IX55
#
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.2.1-192.168.2.250
add action=accept chain=input connection-state=established disabled=no in-interface=ether2 protocol=icmp
add action=drop chain=input comment="Dilarang PING" disabled=yes in-interface=ether2 protocol=icmp src-address=!192.18.2.10-192.18.2.200
add action=drop chain=input disabled=no dst-port=23,22,8291 in-interface=ether2 protocol=tcp
add action=drop chain=forward comment="BLOK detik.com" content=www.detik.com disabled=yes src-address=192.168.2.10/31
add action=add-src-to-address-list address-list="akses ilegal" address-list-timeout=0s chain=input disabled=no dst-port=22,23 in-interface=ether2 protocol=tcp
add action=add-src-to-address-list address-list="ping ilegal" address-list-timeout=0s chain=input disabled=no in-interface=ether2 protocol=icmp
add action=drop chain=virus comment="Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Blaster Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=udp
add action=drop chain=virus comment="Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot,Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=12667 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=27665 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=31335 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=27444 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=34555 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=35555 protocol=udp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=27444 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=27665 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=31335 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=31846 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=34555 protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=35555 protocol=tcp
add action=drop chain=forward comment=";;Block W32.Kido - Conficker" disabled=no protocol=udp src-port=135-139,445
add action=drop chain=forward disabled=no dst-port=135-139,445 protocol=udp
add action=drop chain=forward disabled=no protocol=tcp src-port=135-139,445,593
add action=drop chain=forward disabled=no dst-port=135-139,445,593 protocol=tcp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=accept chain=input disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="drop FTP Brute Forcers" disabled=no dst-port=21 protocol=tcp src-address-list=FTP_BlackList
add action=drop chain=input disabled=no dst-port=21 protocol=tcp src-address-list=FTP_BlackList
add action=accept chain=output content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=FTP_BlackList address-list-timeout=1d chain=output content="530 Login incorrect" disabled=no protocol=tcp
add action=drop chain=input comment="drop SSH&TELNET Brute Forcers" disabled=no dst-port=22-23 protocol=tcp src-address-list=IP_BlackList
add action=add-src-to-address-list address-list=IP_BlackList address-list-timeout=1d chain=input connection-state=new disabled=no dst-port=22-23 protocol=tcp \
    src-address-list=SSH_BlackList_3
add action=add-src-to-address-list address-list=SSH_BlackList_3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22-23 protocol=tcp \
    src-address-list=SSH_BlackList_2
add action=add-src-to-address-list address-list=SSH_BlackList_2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22-23 protocol=tcp \
    src-address-list=SSH_BlackList_1
add action=add-src-to-address-list address-list=SSH_BlackList_1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22-23 protocol=tcp
add action=drop chain=input comment="drop port scanners" disabled=no src-address-list=port_scanners
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward disabled=no p2p=bit-torrent
add action=drop chain=forward comment="Blokir Torrent1" disabled=no p2p=all-p2p
add action=drop chain=forward comment="Blokir Torrent" disabled=no p2p=bit-torrent
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=61.213.183.1-61.213.183.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=67.195.134.1-67.195.134.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=68.142.233.1-68.142.233.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=68.180.217.1-68.180.217.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=203.84.204.1-203.84.204.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.176.1-69.63.176.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.181.1-69.63.181.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.213.1-63.245.213.254
add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.2.10-192.168.2.15
[admin@MikroTik-IMC] /ip firewall filter>
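Two detection mechanisms in the export above are worth understanding in detail: the staged SSH/Telnet brute-force blacklist (each new connection to port 22-23 promotes the source from SSH_BlackList_1 to _2 to _3 and finally to IP_BlackList, with 1-minute timeouts on the stages and 1 day on the final list) and the tcp-flags signatures that feed port_scanners. The following added Python model (not the page's code) walks those rules in the export's order with simulated time; the source IP and the attempt timings are constructed.

```python
"""Model of the staged SSH/Telnet brute-force blacklist and the tcp-flags port-scanner
signatures from the exported filter script. Added example, not the page's own code;
time is simulated in seconds and the source IP is a constructed sample."""

# address-list-timeout values from the export: 1m, 1m, 1m, 1d
TIMEOUTS = {"SSH_BlackList_1": 60, "SSH_BlackList_2": 60, "SSH_BlackList_3": 60,
            "IP_BlackList": 86400}


class AddressLists:
    """Dynamic address-list entries with per-entry expiry, like address-list-timeout."""

    def __init__(self):
        self._expiry = {}  # (list name, ip) -> time at which the entry disappears

    def add(self, name, ip, now):
        self._expiry[(name, ip)] = now + TIMEOUTS[name]

    def contains(self, name, ip, now):
        exp = self._expiry.get((name, ip))
        return exp is not None and now < exp


def new_ssh_connection(lists, ip, now):
    """One new TCP connection to port 22/23 walked through the export's rules in order.
    Only the first rule terminates; the add-src-to-address-list rules are passthrough,
    so several of them can fire for the same packet."""
    if lists.contains("IP_BlackList", ip, now):
        return "drop"
    if lists.contains("SSH_BlackList_3", ip, now):
        lists.add("IP_BlackList", ip, now)
    if lists.contains("SSH_BlackList_2", ip, now):
        lists.add("SSH_BlackList_3", ip, now)
    if lists.contains("SSH_BlackList_1", ip, now):
        lists.add("SSH_BlackList_2", ip, now)
    lists.add("SSH_BlackList_1", ip, now)
    return "pass"  # none of these rules drops it; it continues down the chain


def simulate(attempt_times, ip="198.51.100.7"):
    """Verdict for each new connection attempt, given the seconds at which they arrive."""
    lists = AddressLists()
    return [new_ssh_connection(lists, ip, t) for t in attempt_times]


# tcp-flags matchers from the export: (flags that must be set, flags that must be clear);
# RouterOS ignores flags that a matcher does not list at all
SCAN_SIGNATURES = [
    ({"fin"}, {"syn", "rst", "psh", "ack", "urg"}),        # FIN only
    ({"fin", "syn"}, set()),
    ({"syn", "rst"}, set()),
    ({"fin", "syn", "rst", "psh", "ack", "urg"}, set()),   # every flag set
    (set(), {"fin", "syn", "rst", "psh", "ack", "urg"}),   # NULL: no flags at all
]


def is_scan_signature(flags):
    """True if a segment with this flag set would be added to port_scanners."""
    flags = set(flags)
    return any(need <= flags and not (clear & flags) for need, clear in SCAN_SIGNATURES)


if __name__ == "__main__":
    print(simulate([0, 10, 20, 30, 40]))       # four attempts pass, the fifth is dropped
    print(simulate([0, 90, 180, 270, 360]))    # 90 s apart: stages expire, never escalates
    for flags in ({"syn"}, set(), {"syn", "rst"}, {"fin", "psh", "urg"}):
        print(sorted(flags), "->", is_scan_signature(flags))
```

Two properties follow directly from the rule order and timeouts: the drop only applies from the fifth attempt onward, because the packet that lands the source in IP_BlackList has already passed the drop rule, and an attacker who spaces attempts more than a minute apart never gets past SSH_BlackList_1. On the flag side, the classic Xmas probe (FIN, PSH and URG only) matches none of the five signatures, so that scan type is not recorded by this export.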