
-------->>MIKROTIK SETUP: SDSL SPEEDY BANDWIDTH MANAGEMENT<<-----------

First, a sketch of the network layout:

LAN > Mikrotik RouterOS > ADSL modem > INTERNET

For the LAN we use a class C network, 192.168.0.0/24. The Mikrotik RouterOS box needs two Ethernet cards: one (ether1, 192.168.1.2/24) for the link to the ADSL modem and one (ether2, 192.168.0.1/24) for the link to the LAN. The ADSL modem's IP is set to 192.168.1.1/24.

# set interface names
/interface set ether1 name=speedy
/interface set ether2 name=lan

# set IP addresses
/ip address add address=192.168.1.2/24 interface=speedy
/ip address add address=192.168.0.1/24 interface=lan

# add the default route (the modem is the gateway)
/ip route add gateway=192.168.1.1

# DNS settings
# allow-remote-requests=yes makes the router answer DNS queries on every interface,
# speedy included, unless the input chain blocks port 53 from the internet side
/ip dns set primary-dns=202.134.1.10 allow-remote-requests=yes
/ip dns set secondary-dns=202.134.0.155 allow-remote-requests=yes

# So that every computer on the LAN can reach the internet as well, add NAT (masquerade)
/ip firewall nat add chain=srcnat action=masquerade out-interface=speedy

# DHCP (Dynamic Host Configuration Protocol) for automatic IP assignment
-->> Create the IP address pool
/ip pool add name=dhcp-pool ranges=192.168.0.2-192.168.0.254
-->> Add the DHCP network
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=202.134.1.10,202.134.0.155
-->> Add the DHCP server
/ip dhcp-server add name=DHCP_LAN disabled=no interface=lan address-pool=dhcp-pool

# Bandwidth monitoring and management
-->> Mark every packet that originates from the LAN
/ip firewall mangle add chain=prerouting src-address=192.168.0.0/24 action=mark-connection new-connection-mark=user-conn
/ip firewall mangle add chain=prerouting connection-mark=user-conn action=mark-packet new-packet-mark=user-paket
-->> Add the rules that limit download and upload speed (limits are in bits per second)
/queue tree add name=user-down parent=lan packet-mark=user-paket limit-at=30720 max-limit=38912
/queue tree add name=user-upload parent=speedy packet-mark=user-paket limit-at=5120 max-limit=6144

------------------->>>Web proxy setting<<<<------------------------
/ip web-proxy set enabled=yes src-address=0.0.0.0 port=3128 hostname=proxy transparent-proxy=yes parent-proxy=0.0.0.0:0 cache-administrator=webmaster max-object-size=131072KiB cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited

Add REDIRECT rules to divert HTTP traffic to the WEB-PROXY.

# Firewall settings for the transparent proxy
# note: these rules have no in-interface=lan, so they also catch port 80/8080/8000
# connections arriving on speedy; restrict them to the LAN side to keep the proxy
# from being reachable from the internet
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=3128 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=3128 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=8000 action=redirect to-ports=3128

The commands above divert all traffic headed for ports 80, 8080 and 8000 to port 3128, which is the web proxy's port.

-------------------->>> Securing Mikrotik with the firewall <<<<------------------

---->drop ssh brute force<----
/ip firewall filter
# FTP: drop sources already on ftp_blacklist; list a host once it has produced
# more than the dst-limit allowance of "530 Login incorrect" replies
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
# SSH: each new connection moves the source up one stage (1m lists); a source
# seen in ssh_stage3 goes onto ssh_blacklist for 10 days and is then dropped
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

---->Protect customer<----
/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward protocol=tcp comment="allow TCP"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

---->Drop port scanner<----
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
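To see what the tcp-flags matchers in the "Drop port scanner" section above actually select, here is an added worked example (my own code, not part of the original page or of RouterOS). It implements the matcher semantics: flags listed plainly must be set, flags with a "!" prefix must be clear, and flags not mentioned are ignored. The signature table is copied from the page's rules; the sample packets are constructed here.

```python
"""Added example: classify TCP flag bytes against the page's tcp-flags
port-scan signatures.  Sample packets below are constructed, not captured."""

# TCP flag bits as laid out in the TCP header's flags byte
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

# (tcp-flags matcher, rule comment), copied from the "Drop port scanner" rules
SCAN_SIGNATURES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]


def parse_tcp_flags(spec):
    """Split a tcp-flags spec into (must_be_set, must_be_clear) bitmasks."""
    must_set = must_clear = 0
    for token in spec.split(","):
        token = token.strip().lower()
        if token.startswith("!"):
            must_clear |= TCP_FLAGS[token[1:]]
        else:
            must_set |= TCP_FLAGS[token]
    return must_set, must_clear


def flags_match(spec, flags_byte):
    """True when every required flag is set and every negated flag is clear;
    flags the spec does not mention are ignored."""
    must_set, must_clear = parse_tcp_flags(spec)
    return (flags_byte & must_set) == must_set and (flags_byte & must_clear) == 0


def classify(flags_byte):
    """Comments of every signature that fires for this flags byte, in rule order.
    add-src-to-address-list does not terminate processing, so one packet can
    trip several of the page's rules."""
    return [name for spec, name in SCAN_SIGNATURES if flags_match(spec, flags_byte)]


def flags_from_names(*names):
    """Build a flags byte from flag names, e.g. flags_from_names('syn', 'ack')."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name]
    return value


# Constructed sample packets: (description, flags byte)
SAMPLE_PACKETS = [
    ("normal connection request", flags_from_names("syn")),
    ("normal data segment", flags_from_names("psh", "ack")),
    ("FIN-only probe", flags_from_names("fin")),
    ("FIN/PSH/URG probe", flags_from_names("fin", "psh", "urg")),
    ("NULL probe (no flags)", 0),
    ("every flag set", 0x3F),
]

if __name__ == "__main__":
    for desc, fb in SAMPLE_PACKETS:
        print(f"{desc:28s} flags=0x{fb:02x} -> {classify(fb) or ['no signature']}")
```

Ordinary SYN and PSH/ACK segments match nothing, while a packet with all six flags set trips three rules at once (SYN/FIN, SYN/RST and ALL/ALL), which is why the page lists the final "dropping port scanners" rule only once, keyed on the address list, rather than a drop per signature.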
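The staged address lists in the "drop ssh brute force" section above are easier to reason about with a timeline. The following is an added example written for this page (not RouterOS code and not from the original author) that models those five rules in order, with the page's timeouts (1m per stage, 10d for the blacklist). The source address and attempt timings are constructed; one modelling assumption is labelled in the code.

```python
"""Added example: model of the page's staged ssh_stage1 -> ssh_stage2 ->
ssh_stage3 -> ssh_blacklist rules.  Times are seconds; the source address
and attempt timings are constructed for illustration."""

from collections import defaultdict

STAGE_TIMEOUT = 60               # address-list-timeout=1m on ssh_stage1..3
BLACKLIST_TIMEOUT = 10 * 86400   # address-list-timeout=10d on ssh_blacklist


class AddressLists:
    """Dynamic address lists: list name -> {address: expiry time in seconds}."""

    def __init__(self):
        self.lists = defaultdict(dict)

    def expire(self, now):
        """Drop every entry whose timeout has passed."""
        for entries in self.lists.values():
            for addr in [a for a, exp in entries.items() if exp <= now]:
                del entries[addr]

    def contains(self, name, addr):
        return addr in self.lists[name]

    def add(self, name, addr, now, timeout):
        # Modelling assumption: an address that is already listed keeps its
        # original expiry.  The sample timings below do not depend on this.
        self.lists[name].setdefault(addr, now + timeout)


def ssh_new_connection(lists, src, now):
    """Push one new SSH connection (chain=input, dst-port=22,
    connection-state=new) from src through the page's rules, in order.
    Returns 'drop', or 'pass' when no rule in this section decides and the
    packet continues down the input chain."""
    lists.expire(now)
    # rule 1: src-address-list=ssh_blacklist action=drop
    if lists.contains("ssh_blacklist", src):
        return "drop"
    # rules 2-4: escalate by one stage per new connection.
    # add-src-to-address-list is not a terminating action, so the later
    # rules are still evaluated for the same packet.
    if lists.contains("ssh_stage3", src):
        lists.add("ssh_blacklist", src, now, BLACKLIST_TIMEOUT)
    if lists.contains("ssh_stage2", src):
        lists.add("ssh_stage3", src, now, STAGE_TIMEOUT)
    if lists.contains("ssh_stage1", src):
        lists.add("ssh_stage2", src, now, STAGE_TIMEOUT)
    # rule 5: every new SSH connection puts the source in ssh_stage1 for 1m
    lists.add("ssh_stage1", src, now, STAGE_TIMEOUT)
    return "pass"


def simulate(attempt_times, src="198.51.100.7"):
    """Verdict for each connection attempt (times in seconds) from one
    constructed source address."""
    lists = AddressLists()
    return [ssh_new_connection(lists, src, t) for t in attempt_times]


if __name__ == "__main__":
    print("six connections 10 s apart:", simulate([0, 10, 20, 30, 40, 50]))
    print("one connection every 70 s: ", simulate([0, 70, 140, 210, 280]))
```

Two things the timeline makes visible: the fourth connection inside a minute is the one that puts the source on ssh_blacklist, but it is not itself dropped, because the drop rule ran before the source was listed; and a source that spaces its connections more than a minute apart never climbs past ssh_stage1, since each stage entry expires before the next attempt. Legitimate admins who reconnect several times in quick succession will hit the same 10-day blacklist, so whitelisting management addresses ahead of rule 1 is the usual companion to these rules.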
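The "Protect customer" section above relies on action=jump into the virus chain followed by a set of allow rules and a final drop. To check which packets each of those rules can really reach, here is an added example (my own model, not RouterOS code or the page author's) that walks a packet through the forward chain with RouterOS jump semantics: a jump target that matches nothing returns control to the rule after the jump, and a rule without an action accepts. Only a few of the page's virus rules are copied into the table, and the sample packets are constructed.

```python
"""Added example: walk constructed packets through a model of the page's
forward chain and virus chain, with jump/return semantics."""

# (chain, matcher, action), in the page's order.  A key missing from the
# matcher means "any"; 'ports' is an inclusive destination-port range.
# action None is the RouterOS default (accept).  Only a handful of the
# page's virus rules are copied; the model treats the rest the same way.
RULES = [
    ("forward", {"state": "established"}, None),
    ("forward", {"state": "related"}, None),
    ("forward", {"state": "invalid"}, "drop"),
    ("virus", {"proto": "tcp", "ports": (135, 139)}, "drop"),      # Drop Blaster Worm
    ("virus", {"proto": "udp", "ports": (135, 139)}, "drop"),      # Drop Messenger Worm
    ("virus", {"proto": "tcp", "ports": (445, 445)}, "drop"),      # Drop Blaster Worm
    ("virus", {"proto": "tcp", "ports": (12345, 12345)}, "drop"),  # Drop NetBus
    ("forward", {}, ("jump", "virus")),                            # jump to the virus chain
    ("forward", {"proto": "tcp", "ports": (80, 80)}, "accept"),    # Allow HTTP
    ("forward", {"proto": "tcp", "ports": (25, 25)}, "accept"),    # Allow SMTP
    ("forward", {"proto": "tcp"}, None),                           # allow TCP
    ("forward", {"proto": "icmp"}, None),                          # allow ping
    ("forward", {"proto": "udp"}, None),                           # allow udp
    ("forward", {}, "drop"),                                       # drop everything else
]


def matches(matcher, pkt):
    """True when every condition in the matcher holds for the packet."""
    if "state" in matcher and pkt.get("state") != matcher["state"]:
        return False
    if "proto" in matcher and pkt.get("proto") != matcher["proto"]:
        return False
    if "ports" in matcher:
        lo, hi = matcher["ports"]
        if not lo <= pkt.get("dport", -1) <= hi:
            return False
    return True


def run_chain(chain, pkt, trace=None, rules=RULES):
    """Walk one chain.  Returns 'accept', 'drop', or None if the chain ends
    without a terminating action; for a jump target, None means control
    returns to the rule after the jump.  trace collects matched rule indexes."""
    for index, (rule_chain, matcher, action) in enumerate(rules):
        if rule_chain != chain or not matches(matcher, pkt):
            continue
        if trace is not None:
            trace.append(index)
        if action is None or action == "accept":
            return "accept"
        if action == "drop":
            return "drop"
        if isinstance(action, tuple) and action[0] == "jump":
            verdict = run_chain(action[1], pkt, trace, rules)
            if verdict is not None:
                return verdict
    return None


def forward_verdict(pkt):
    """Final verdict for a packet entering the built-in forward chain, whose
    default policy is accept when nothing matches."""
    return run_chain("forward", pkt) or "accept"


def reaches_final_drop(pkt):
    """True when the packet is dropped by the last 'drop everything else' rule."""
    trace = []
    verdict = run_chain("forward", pkt, trace)
    return verdict == "drop" and trace[-1] == len(RULES) - 1


# Constructed sample packets
SAMPLES = [
    ("new TCP to 445 (Blaster port)", {"state": "new", "proto": "tcp", "dport": 445}),
    ("new TCP to 80", {"state": "new", "proto": "tcp", "dport": 80}),
    ("new TCP to 6667", {"state": "new", "proto": "tcp", "dport": 6667}),
    ("new UDP to 137", {"state": "new", "proto": "udp", "dport": 137}),
    ("new GRE", {"state": "new", "proto": "gre"}),
    ("established TCP to 445", {"state": "established", "proto": "tcp", "dport": 445}),
]

if __name__ == "__main__":
    for desc, pkt in SAMPLES:
        trace = []
        verdict = run_chain("forward", pkt, trace) or "accept"
        print(f"{desc:32s} -> {verdict:6s} rules hit: {trace}")
```

Running it shows that the "Allow HTTP" and "Allow SMTP" rules are redundant with the action-less "allow TCP" rule that follows them, so any new TCP connection not caught by the virus chain is accepted, and the closing "drop everything else" only ever sees protocols other than TCP, UDP and ICMP (GRE in the sample). It also shows that the virus chain is consulted only for the first packet of a connection, because "allow established" sits before the jump.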