
Seting MikroTik Router OS ver. 2.9.27, Speedy, Web-Proxy, Advance Firewall

Berikut ini settingan mikrotik versi 2.9.27, copy-paste saja di terminal/console di dalam winbox. Jika sebelumnya router sudah pernah dikonfigurasi, sebaiknya konfigurasi lama dihapus terlebih dahulu; cara mereset akan saya bahas di artikel lainnya. Kondisi jaringan untuk settingan berikut adalah:
ip modem : 192.168.1.1 (dengan modem yang telah terkoneksi dengan ADSL Telkom Speedy)
ip local/client : 192.168.2.xx (selain 192.168.2.100)
ip router : 192.168.2.100

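# MikroTik RouterOS 2.9.27 setup: Speedy ADSL uplink, transparent web proxy, filter rules.
# Addressing assumed by this script (from the article): modem 192.168.1.1, router 192.168.2.100
# on "local" and 192.168.1.2 on "modem", clients in 192.168.2.0/24.
# Paste into the WinBox terminal on a freshly reset router.
#
# Changes against the original listing (behaviour otherwise kept):
#  - duplicate rules removed (proxy deny for porntube.com, the second input drop for tcp/8080,
#    the second udp/110 reject)
#  - the disabled udp/25 and udp/110 rejects were in chain "tcp", which is only entered by the
#    protocol=tcp jump, so they could never match; they are now in chain "udp"
#  - comment labels corrected (RPC, ICMP types, POP3) and the leading space removed from the
#    proxy cache-administrator value
#  - DNS service on the modem side is dropped so allow-remote-request=yes does not turn the
#    router into an open resolver; a LAN management accept is added so the final input drop
#    can be enabled later without lock-out; the Radmin dst-nat is limited to the modem side

#1. router name
/system identity set name=RouterKu
#2. name the ethernet interfaces (ether1 faces the ADSL modem, ether2 the LAN)
/interface ethernet set ether1 name=modem
/interface ethernet set ether2 name=local
#3. addresses
/ip address add address=192.168.2.100/24 network=192.168.2.0 broadcast=192.168.2.255 interface=local
/ip address add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=modem
#4. default route via the modem
/ip route add gateway=192.168.1.1
#5. masquerade LAN traffic leaving through the modem
/ip firewall nat add chain=srcnat action=masquerade out-interface=modem comment="Masquarade"
#6. DNS: ISP resolvers; allow-remote-request=yes makes the router answer DNS queries itself,
#   so the filter in #11 keeps port 53 closed on the modem side
/ip dns set primary-dns=203.130.196.5
/ip dns set secondary-dns=202.134.0.61
/ip dns set allow-remote-request=yes
#7. web proxy on tcp/8080 (cache-administrator no longer starts with a space)
/ip web-proxy set src-address=0.0.0.0 port=8080 hostname=proxy.nama.net transparent-proxy=yes parent-proxy=0.0.0.0:0 cache-administrator="administrator@RouterKu.com" max-object-size=131072 cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited enabled=yes
#8. redirect LAN HTTP (80) and the common proxy ports (3128, 8000) into the web proxy;
#   traffic to the modem's own address is excluded so its web interface stays reachable directly
/ip firewall nat add in-interface=local dst-port=80 protocol=tcp action=redirect to-ports=8080 chain=dstnat dst-address=!192.168.1.1 comment="Untuk web-proxy"
/ip firewall nat add in-interface=local dst-port=3128 protocol=tcp action=redirect to-ports=8080 chain=dstnat dst-address=!192.168.1.1
/ip firewall nat add in-interface=local dst-port=8000 protocol=tcp action=redirect to-ports=8080 chain=dstnat dst-address=!192.168.1.1
#8b. closed proxy: drop connections to the proxy port that arrive from the internet side
/ip firewall filter
add chain=input in-interface=modem src-address=0.0.0.0/0 protocol=tcp dst-port=8080 action=drop comment="Close proxy buat blok situs porno"
#9. proxy URL deny list (substring match on the requested URL)
/ip web-proxy access add url="lalatx.com" action=deny comment="" disabled=no
/ip web-proxy access add url="porntube.com" action=deny comment="" disabled=no
/ip web-proxy access add url="sextube.com" action=deny comment="" disabled=no
/ip web-proxy access add url="pornhub.com" action=deny comment="" disabled=no
/ip web-proxy access add url="freeporn.com" action=deny comment="" disabled=no
/ip web-proxy access add url="youjizz.com" action=deny comment="" disabled=no
#10. NTP client
/system ntp client set primary-ntp=203.160.128.6 secondary-ntp=202.169.224.16 mode=unicast enabled=yes
#11. firewall filter
/ip firewall filter
# (the input drop for tcp/8080 from the modem side is already added in #8b and is not repeated)
# known DDoS-agent control ports, dropped on the router itself
add chain=input protocol=udp dst-port=12667 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=27665 action=drop comment="" disabled=no
add chain=input protocol=udp dst-port=31335 action=drop comment="" disabled=no
add chain=input protocol=udp dst-port=27444 action=drop comment="" disabled=no
add chain=input protocol=udp dst-port=34555 action=drop comment="" disabled=no
add chain=input protocol=udp dst-port=35555 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=27444 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=27665 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=31335 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=31846 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=34555 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=35555 action=drop comment="" disabled=no
add chain=input connection-state=established action=accept comment="Allow Established connections" disabled=no
# do not serve DNS to the internet (see #6); must come before the blanket UDP accept below
add chain=input in-interface=modem protocol=udp dst-port=53 action=drop comment="No DNS service to the internet" disabled=no
add chain=input in-interface=modem protocol=tcp dst-port=53 action=drop comment="No DNS service to the internet" disabled=no
# note: this accepts UDP to the router from any interface, not just the LAN
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
# management from the LAN; with this in place the final drop can be enabled without lock-out
add chain=input in-interface=local action=accept comment="Allow management from LAN" disabled=no
# left disabled, as in the original, so the router can be managed from the modem side.
# While it is disabled every router service not dropped above (winbox, telnet, ssh, www, ftp)
# is reachable from the internet; enable it once remote management is handled another way.
add chain=input action=drop comment="di disable untuk remote" disabled=yes
# forward chain: connection tracking, bogon filtering, then per-protocol sub-chains
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no
# chain tcp: forwarded TCP services that must not cross the router
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" disabled=no
# chain udp: same services over UDP ("PRC" typo in the labels corrected)
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice" disabled=no
# port-scan detection on the router: sources are listed for two weeks, then dropped
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
# chain icmp: allow the usual diagnostic types (type:code), drop the rest; labels now match the type
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="allow echo reply" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow net unreachable" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow host unreachable" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
# optional mail blocks, kept disabled as in the original; the UDP variants live in chain udp
# because chain tcp is only reached through the protocol=tcp jump above
add chain=tcp protocol=tcp dst-port=25 action=reject reject-with=icmp-network-unreachable comment="Smtp" disabled=yes
add chain=udp protocol=udp dst-port=25 action=reject reject-with=icmp-network-unreachable comment="Smtp" disabled=yes
add chain=tcp protocol=tcp dst-port=110 action=reject reject-with=icmp-network-unreachable comment="Pop3" disabled=yes
add chain=udp protocol=udp dst-port=110 action=reject reject-with=icmp-network-unreachable comment="Pop3" disabled=yes
#12. Radmin port forward (example server 192.168.2.254). in-interface=modem is added so the
#    rule only rewrites connections arriving from the modem side, not every TCP/4899 connection
#    passing through the router (for example LAN to LAN). The forwarded host is reachable by
#    whatever the modem passes on; add src-address=<remote admin IP> if that address is fixed.
/ip firewall nat add chain=dstnat in-interface=modem protocol=tcp dst-port=4899 action=dst-nat to-addresses=192.168.2.254 to-ports=4899 comment="Remote via Radmin"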

1 komentar:

Anonim mengatakan...

makasih, ini membantu banget.. :)
