
Simple and Powerful MikroTik Firewall Filter

14 DEC

A firewall is the fortress of a server or a router: it filters network traffic. The same holds for
MikroTik. The goal is a configuration that is as small as possible while still filtering traffic, so that
the MikroTik performs as well as it can.

The configuration below is one the author has tested and felt was worth sharing on this blog. Here is
how to set it up; read on…
Before you apply this configuration, make sure you understand the interface roles:

ether1 = public IP / internet

ether2 = local IP / network / LAN

Adjust these to your own network configuration. Here is the script:

===========================================================

/ip firewall filter

add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=drop chain=forward connection-state=invalid disabled=no protocol=tcp
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.1.0/24
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=drop chain=forward disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=reject chain=tcp comment="deny NBT" disabled=no dst-port=137-139 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=tcp comment="deny cifs" disabled=no dst-port=445 protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOrifice" disabled=no dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=reject chain=forward content=whatsmyipaddress.org disabled=no reject-with=icmp-network-unreachable
add action=drop chain=udp comment="deny BackOrifice" disabled=no dst-port=3133 protocol=udp
add action=accept chain=icmp comment="allow echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="allow net unreachable" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="allow host unreachable" disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter problem" disabled=no icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=drop chain=input comment=";;;DROP INPUT NOT FROM THE LAN NETWORK IP" disabled=no in-interface=ether2 src-address=!192.168.1.0/24
add action=drop chain=forward disabled=no in-interface=ether2 src-address=!192.168.1.0/24
add action=drop chain=forward comment=";;;EXAMPLE: DROP FB ACCESS PER CLIENT IP" content=youtube.com disabled=no src-address=192.168.1.12
add action=reject chain=forward comment="EXAMPLE: DROP VIRUS AND ACCESS" content=.internetdownloadmanager.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
add action=reject chain=input disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
add action=reject chain=input content=loader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=loader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=svchost.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=www.wieistmeineip.de disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=dialer.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=svchost.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=dialer.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=downloader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=.downloader disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=whatsmyipaddress.org disabled=no reject-with=icmp-network-unreachable
add action=drop chain=forward content=getmyip.org disabled=no
add action=drop chain=input comment="::::::::DROP PING ON PUBLIC :::::;" disabled=no in-interface=ether1 protocol=icmp
add action=drop chain=forward disabled=no in-interface=ether1 protocol=icmp
add action=drop chain=forward comment="::::::::LIMIT PORT OUT IN ON PUBLIC INTERFACE:::::;" disabled=no dst-address=0.0.0.0/0 dst-port=!53,843,9339,5000-15000,2778,6005,2112,600-6005 out-interface=ether1 protocol=udp src-address=0.0.0.0/0
add action=drop chain=input comment="::::::::DROP INPUT TO PUBLIC IP EXCEPT REMOTE PORTS:::::;" disabled=no dst-address=0.0.0.0/0 dst-port=!8291,22,10000 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0
add action=jump chain=forward comment="Flood protect" connection-state=new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect disabled=no protocol=tcp
add action=jump chain=input disabled=no jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="Limited Ping Flood" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp disabled=no protocol=icmp
================================================================================

Once again, do not just copy and paste; study the rules properly first. In the end every network
administrator has their own taste. The configuration above is a minimal one that gives maximum
results.
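Studying the rules means knowing how RouterOS walks them: first match wins within a chain, a `jump` enters a user chain (tcp, udp, icmp, SYN-Protect) and falls back to the parent chain when nothing there decides, and a `!` negates one matcher. The small evaluator below is an added example, not code from the original post; it parses a constructed subset of the script above and shows, for instance, that the public-interface input rule with `dst-port=!8291,22,10000` drops port 80 but not 8291, and that the catch-all drop in the icmp chain shadows any accept rule placed after it. The assumed packet fields (`in-interface`, `protocol`, `dst-port`, `icmp-type`, `icmp-code`, addresses) are this example's own.

```python
# Added example, not code from the post: evaluates a subset of RouterOS filter rules offline.
import ipaddress, shlex
# Constructed subset of the post's script, with plain quotes and one rule per line.
SAMPLE = """
add action=accept chain=input in-interface=ether2 src-address=192.168.1.0/24
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=reject chain=tcp comment="deny cifs" dst-port=445 protocol=tcp reject-with=icmp-network-unreachable
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=accept chain=icmp icmp-options=3:3 limit=5,5 protocol=icmp
add action=drop chain=input dst-port=!8291,22,10000 in-interface=ether1 protocol=tcp
"""
NON_MATCHERS = {"action", "chain", "comment", "disabled", "jump-target", "reject-with", "limit"}
def parse_rules(script):
    # Each `add k=v ...` line becomes a dict; shlex keeps quoted comments whole.
    return [dict(p.split("=", 1) for p in shlex.split(line)[1:])
            for line in script.strip().splitlines() if line.startswith("add ")]
def _in_ranges(value, spec):
    # Port or ICMP-code list such as "53,5000-15000": true if value is in any range.
    return any(int(r.split("-")[0]) <= value <= int(r.split("-")[-1]) for r in spec.split(","))
def _matches(rule, pkt):
    # Every matcher must hold; '!' negates one. content=, p2p=, tcp-flags= are not modelled and never match.
    for key, val in ((k, v) for k, v in rule.items() if k not in NON_MATCHERS):
        negate, val = val.startswith("!"), val.lstrip("!")
        if key in ("src-address", "dst-address"):
            hit = ipaddress.ip_address(pkt.get(key, "0.0.0.0")) in ipaddress.ip_network(val, strict=False)
        elif key == "dst-port":
            hit = _in_ranges(pkt.get("dst-port", -1), val)
        elif key == "icmp-options":  # "type:code" or "type:lowcode-highcode"
            typ, codes = val.split(":")
            hit = pkt.get("icmp-type") == int(typ) and _in_ranges(pkt.get("icmp-code", -1), codes)
        elif key in ("protocol", "in-interface", "out-interface", "connection-state"):
            hit = pkt.get(key) == val
        else:
            return False
        if hit == negate:
            return False
    return True
def verdict(rules, chain, pkt):
    # First matching rule's action; None means the packet fell off the end of the chain
    # (RouterOS then accepts). A jump whose target decides nothing continues in the parent chain.
    for rule in rules:
        if rule["chain"] != chain or not _matches(rule, pkt):
            continue
        if rule["action"] != "jump":
            return rule["action"]
        sub = verdict(rules, rule["jump-target"], pkt)
        if sub is not None:
            return sub
    return None
```

Feeding a packet for ICMP type 3 code 3 into the forward chain returns `drop`, which shows that the later `icmp-options=3:3 limit=5,5` accept can never be reached behind the catch-all drop; the same check applies to the full script's icmp chain.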

To get even more out of the MikroTik, wait for the next post on the SNTP client, flushing and the
scheduler, so that our MikroTik is truly optimal… Good luck.
