
http://ictsentani.org/?p=258
http://opensource.telkomspeedy.com/forum/viewtopic.php?pid=122506
#------------------------------------------------------------------------------
E1 Modem1  : 192.168.77.1  -> IP Modem1  : 192.168.77.2
E2 Server  : 192.168.88.1  -> IP Server  : 192.168.88.2
E3 Hotspot : 192.168.99.1  -> IP Hotspot : 192.168.99.10 - 192.168.99.250
E4 Labkom  : 10.10.10.254  -> IP Labkom  : 10.10.10.1 - 10.10.10.20
#------------------------------------------------------------------------------
[ mikrotik routerboard ]
-----------------------E1 E2 E3 E4
| | | |
192.168.77.2
| | | |
10.10.10.x
-------------| | | |
-----------[ modem adsl ]------| | | |------[ labkom ]
-------------| |
-----------| |
-------------| |
------------[ hub/switch ]---------| |---------[ hotspot ]
-------------------------|
192.168.99.x
-------------[ edp server ]
-------------192.168.88.2
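# Interface settings
# ether1..ether4 are renamed here; every later rule must use the new names
# (Modem1, Server, Hotspot, Labkom) — a rule that still says ether1 will not
# match the intended interface.
/interface
set ether1 name=Modem1
set ether2 name=Server
set ether3 name=Hotspot
set ether4 name=Labkom
print
# One /24 per interface; network/broadcast written out in full (the original
# listing had these values split across lines by the extraction).
/ip address
add disabled=no interface=Modem1 address=192.168.77.1/24 network=192.168.77.0 broadcast=192.168.77.255
add disabled=no interface=Server address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255
add disabled=no interface=Hotspot address=192.168.99.1/24 network=192.168.99.0 broadcast=192.168.99.255
add disabled=no interface=Labkom address=10.10.10.254/24 network=10.10.10.0 broadcast=10.10.10.255
print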

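# Route & DHCP settings
# DNS: the router resolves for clients, asking the EDP server first and OpenDNS second.
/ip dns set servers=192.168.88.2,208.67.222.222 allow-remote-requests=yes
# allow-remote-requests=yes answers queries arriving on every interface, and the
# input chain in the security section has no default drop, so refuse resolver
# traffic that comes in from the modem side; otherwise the router is usable as
# an open resolver from that side.
/ip firewall filter add chain=input in-interface=Modem1 protocol=udp dst-port=53 action=drop comment="no DNS from Modem1"
/ip firewall filter add chain=input in-interface=Modem1 protocol=tcp dst-port=53 action=drop comment="no DNS from Modem1"
# Default route via the ADSL modem; all LAN traffic is masqueraded out of Modem1.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.77.2
/ip firewall nat add chain=srcnat action=masquerade out-interface=Modem1
# NOTE(review): no /ip dhcp-server has been added at this point in the listing;
# "enable 0" presumes a server entry already exists (perhaps created by the
# hotspot setup run later) — confirm the order on the actual device.
/ip dhcp-server print
/ip dhcp-server enable 0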

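# Hotspot settings
# Interactive wizard; each line below is "prompt: answer" as given in the
# original transcript. "select certificate: none" means the hotspot login page
# is served over plain HTTP, so user credentials cross the Hotspot segment in
# clear text — provide a certificate if that segment is not trusted.
/ip hotspot setup
hotspot interface: Hotspot
local address of network: 192.168.99.1/24
masquerade network: yes
address pool of network: 192.168.99.10-192.168.99.250
select certificate: none
ip address of smtp server: 119.235.250.172
dns servers: 192.168.88.2,208.67.222.222
dns name: hotspot.pasim
name of local hotspot: admhotspot
# The published transcript contained the real admin password in clear text;
# it is replaced here by a placeholder and must be treated as compromised.
password for the user: <REPLACE-WITH-STRONG-PASSWORD>
# User profiles: rate-limit is upload/download; no address pool (clients keep
# their DHCP address); traffic goes through the transparent proxy.
/ip hotspot user
profile add name="EDP" shared-users=2 rate-limit="96k/768k" address-pool=none session-timeout=0s idle-timeout=none keepalive-timeout=00:15:00 open-status-page=always transparent-proxy=yes advertise=no
profile add name="KDM" shared-users=2 rate-limit="64k/200k" address-pool=none session-timeout=0s idle-timeout=none keepalive-timeout=00:15:00 open-status-page=always transparent-proxy=yes advertise=no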
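# System & security settings
/system ntp client set primary-ntp=203.160.128.178 secondary-ntp=203.89.24.34 mode=unicast enabled=yes
# Moving the web UI to 9090 hides it from casual scans but is not access
# control: the input chain below only drops sources already detected as
# scanners and has no default drop, so www/winbox/ssh/telnet remain reachable
# from every interface, including Modem1. Bind the management services to the
# admin subnet (/ip service set <svc> address=...) and disable the unused ones.
/ip service set www port=9090
/ip firewall filter
# Scanner detection: each pattern adds the source to the "port scanners"
# address list for two weeks; the final rule drops everything from that list.
# The add-src-to-address-list rules do not terminate, so a listed source is
# dropped by the last rule on its next packet.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no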
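# Transparent proxy settings
/ip proxy
set enabled=yes
set src-address=0.0.0.0
set port=8080
set parent-proxy=0.0.0.0
set parent-proxy-port=0
set cache-administrator="webmaster@stmikpasim.ac.id"
set max-cache-size=unlimited
set cache-on-disk=yes
set max-client-connections=600
set max-server-connections=600
set max-fresh-time=3d
set serialize-connections=no
set always-from-cache=no
set cache-hit-dscp=4
# Redirect plain HTTP into the local proxy from the LAN-side interfaces only.
# Without the in-interface match, connections arriving from Modem1 would also
# be redirected into the proxy, i.e. the box would act as an open proxy towards
# the modem/WAN side.
/ip firewall nat
add chain=dstnat in-interface=!Modem1 protocol=tcp dst-port=80 action=redirect to-ports=8080
add chain=dstnat in-interface=!Modem1 protocol=tcp dst-port=3128 action=redirect to-ports=8080
add chain=dstnat in-interface=!Modem1 protocol=tcp dst-port=8080 action=redirect to-ports=8080
# The proxy listens on every interface; refuse direct connections to it from Modem1.
/ip firewall filter add chain=input in-interface=Modem1 protocol=tcp dst-port=8080 action=drop comment="no proxy from Modem1"
# Only TCP/80 (and 3128/8080) is intercepted: HTTPS never reaches the proxy, so
# the /ip proxy access deny rules in the next section do not apply to it.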

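# Block specific access
# These rules only see traffic that was redirected into the proxy (plain HTTP);
# they are a content-policy filter, not a security boundary.
/ip proxy access
#------[Block sites]------
add dst-host="*porn*.com" action=deny
add dst-host="*sex*.com" action=deny
add dst-host=twitter.com action=deny
add dst-host=facebook.com action=deny
#------[Block files]------
add path=*.rar action=deny
add path=*.zip action=deny
add path=*.mov action=deny
add path=*.exe action=deny
add path=*.msi action=deny
add path=*.dat action=deny
add path=*.mkv action=deny
add path=*.mp4 action=deny
add path=*.3gp action=deny
add path=*.avi action=deny
add path=*.mp3 action=deny
#------[Block keywords]------
# A value starting with ":" is treated as a regular expression, so these match
# the keyword anywhere in the host name.
add dst-host=:sex action=deny
add dst-host=:nude action=deny
add dst-host=:porn action=deny
add dst-host=:adult action=deny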
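# Limit download speed
# Heuristic: any forwarded TCP packet whose payload contains one of these
# extension strings marks its destination as a "downloads" host for 5 minutes;
# traffic from listed hosts is then packet-marked and squeezed through a
# 128 kbit/s simple queue. content= is a raw byte match, so unrelated packets
# that happen to contain ".exe" or ".dat" are caught too.
/ip firewall filter
add chain=forward address-list-timeout=00:05:00 content=.mp3 src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.mp4 src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.3gp src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.avi src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.mkv src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.mov src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.exe src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.msi src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.iso src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.zip src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.rar src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
# The same mangle rule appears again in the MikroTik firewall section at the
# end of the document; adding it twice leaves two identical rules in the chain.
/ip firewall mangle add chain=forward protocol=tcp src-address-list=downloads action=mark-packet new-packet-mark=downloads-paket
/queue simple add name=downloads-files max-limit=128000/128000 packet-marks=downloads-paket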
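# Simple queue settings
# One queue per lab workstation (10.10.10.1 .. 10.10.10.20), 64k up / 128k down.
# The queue names are zero-padded (LABKOM-01..LABKOM-20); keep that scheme if
# more hosts are added so the list sorts in address order.
/queue simple
add name=LABKOM-01 target-addresses=10.10.10.1 max-limit=64k/128k interface=Labkom
add name=LABKOM-02 target-addresses=10.10.10.2 max-limit=64k/128k interface=Labkom
add name=LABKOM-03 target-addresses=10.10.10.3 max-limit=64k/128k interface=Labkom
add name=LABKOM-04 target-addresses=10.10.10.4 max-limit=64k/128k interface=Labkom
add name=LABKOM-05 target-addresses=10.10.10.5 max-limit=64k/128k interface=Labkom
add name=LABKOM-06 target-addresses=10.10.10.6 max-limit=64k/128k interface=Labkom
add name=LABKOM-07 target-addresses=10.10.10.7 max-limit=64k/128k interface=Labkom
add name=LABKOM-08 target-addresses=10.10.10.8 max-limit=64k/128k interface=Labkom
add name=LABKOM-09 target-addresses=10.10.10.9 max-limit=64k/128k interface=Labkom
add name=LABKOM-10 target-addresses=10.10.10.10 max-limit=64k/128k interface=Labkom
add name=LABKOM-11 target-addresses=10.10.10.11 max-limit=64k/128k interface=Labkom
add name=LABKOM-12 target-addresses=10.10.10.12 max-limit=64k/128k interface=Labkom
add name=LABKOM-13 target-addresses=10.10.10.13 max-limit=64k/128k interface=Labkom
add name=LABKOM-14 target-addresses=10.10.10.14 max-limit=64k/128k interface=Labkom
add name=LABKOM-15 target-addresses=10.10.10.15 max-limit=64k/128k interface=Labkom
add name=LABKOM-16 target-addresses=10.10.10.16 max-limit=64k/128k interface=Labkom
add name=LABKOM-17 target-addresses=10.10.10.17 max-limit=64k/128k interface=Labkom
add name=LABKOM-18 target-addresses=10.10.10.18 max-limit=64k/128k interface=Labkom
add name=LABKOM-19 target-addresses=10.10.10.19 max-limit=64k/128k interface=Labkom
add name=LABKOM-20 target-addresses=10.10.10.20 max-limit=64k/128k interface=Labkom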
# Instalasi & Setting Proxy
# Partisi
/        ext4       40GB    primary
/boot    ext4       100mb
/cache   reiserfs   20GB
swap     ---        2GB
/home    ext4       ~~~~
# Catatan
btrfs    : untuk OS 64bit
reiserfs : untuk OS 32bit
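# Replace repo & install base packages
mv /etc/apt/sources.list /etc/apt/sources.list.asli
cat > /etc/apt/sources.list <<EOF
deb http://debian.indika.net.id/debian squeeze main non-free contrib
deb http://debian.indika.net.id/debian-security squeeze/updates main non-free contrib
EOF
apt-get update
apt-get install gcc build-essential sharutils libzip-dev automake
# Download required packages
# Everything below is fetched over plain HTTP and then patched, built and
# installed as root with no checksum or signature check. Record known-good
# hashes for the tarballs, patches and scripts and verify them before running
# patch/make; the hosts named here may no longer serve these files, so a
# mirror has to be checked the same way.
cd /tmp
wget http://lusca-cache.googlecode.com/files/LUSCA_HEAD-r14809.tar.gz
wget http://faisal-sani-project.googlecode.com/files/patch.tar.gz
wget http://faisal-sani-project.googlecode.com/files/storeurl.pl
wget http://xenstack.googlecode.com/files/konfig_squid_lusca.tar.gz
tar xzvf LUSCA_HEAD-r14809.tar.gz
tar xzvf patch.tar.gz
# Copy patches & apply them
cp -r /tmp/patch/* /tmp/LUSCA*/
cd LUSCA*
patch -p0 < luscaVaryrR14697.diff
patch -p0 < 3xx\ loop.diff
patch -p0 < ignore-must-revalidate.diff
patch -p2 < keblux-lusca-gzip.patch
# The original read "chmod bootstrap.sh" (no mode argument), which fails;
# the script needs the execute bit before it can be run.
chmod +x bootstrap.sh
./bootstrap.sh
# Configure & build
./configure --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin \
    --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid \
    --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-httpgzip \
    --enable-async-io=24 --with-aufs-threads=24 --with-pthreads \
    --enable-storeio=aufs --enable-linux-netfilter --enable-arp-acl --enable-epoll \
    --enable-removal-policies=heap --with-aio --with-dl --enable-snmp \
    --enable-delay-pools --enable-htcp --enable-cache-digests --disable-unlinkd \
    --enable-large-cache-files --with-large-files \
    --enable-err-languages=English --enable-default-err-language=English --with-maxfd=65536
make && make install
# Squid settings
# The shipped squid.conf is backed up and replaced by the one from the downloaded
# konfig_squid_lusca tarball, together with its rewrite helper; review that
# configuration before starting squid, it is applied unmodified.
# NOTE(review): the source path of the first mv was lost in the extraction and is
# reconstructed from the backup pattern used for sources.list above.
mv /etc/squid/squid.conf /etc/squid/squid.conf.asli
mv /tmp/storeurl.pl /etc/squid/
mv /tmp/konfig_squid_lusca/squid.conf /etc/squid/
mv /tmp/konfig_squid_lusca/squid.conf.pl /etc/squid/
# Create the cache directories & run squid (foreground, debug level 1, no DNS test)
squid -f /etc/squid/squid.conf -z
squid -N -d 1 -D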
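# Firewall configuration on MikroTik
/ip firewall mangle
# Same rule as in the download-limit section; adding it here again leaves two
# identical rules in the chain.
add chain=forward protocol=tcp src-address-list=downloads action=mark-packet new-packet-mark=downloads-paket
# Packets carrying DSCP 12 are taken as proxy cache hits — presumably what the
# downloaded squid.conf sets on hits; confirm against that file.
add disabled=no chain=prerouting action=mark-packet dscp=12 new-packet-mark=proxy-hit passthrough=no
add disabled=no chain=prerouting action=mark-connection dst-port=80 new-connection-mark=http-conn passthrough=no protocol=tcp
add disabled=no chain=prerouting action=mark-packet connection-mark=http-conn new-packet-mark=http passthrough=yes
# NOTE(review): the https routing mark needs a matching /ip route with
# routing-mark=https, which this listing does not show.
add disabled=no chain=prerouting action=mark-connection connection-state=new dst-port=443 new-connection-mark=https-conn passthrough=yes protocol=tcp
add disabled=no chain=prerouting action=mark-routing connection-mark=https-conn new-routing-mark=https passthrough=no
add disabled=no chain=prerouting action=mark-connection dst-port=53 new-connection-mark=DNS passthrough=yes protocol=tcp
add disabled=no chain=prerouting action=mark-connection dst-port=53 new-connection-mark=DNS passthrough=yes protocol=udp
add disabled=no chain=prerouting action=change-dscp connection-mark=DNS new-dscp=12
add disabled=no chain=prerouting action=mark-packet connection-mark=DNS new-packet-mark=DNS_PACKET passthrough=no
# NOTE(review): this rule has no match condition, so every prerouting packet
# that reaches it (everything not stopped by the passthrough=no rules above)
# is marked DNS_PACKET. A matcher was probably lost; confirm the intent before
# keeping it.
add disabled=no chain=prerouting action=mark-packet new-packet-mark=DNS_PACKET passthrough=yes
add disabled=no chain=forward action=mark-connection dst-port=5050,5100,5051 new-connection-mark=YM passthrough=no protocol=tcp
add disabled=no chain=forward action=mark-connection connection-mark=YM new-connection-mark=YM passthrough=yes
add disabled=no chain=forward action=mark-connection dst-port=843,9339,39100,39110,39220,39190,49100,19101,19000,4300 new-connection-mark=POKER passthrough=no protocol=tcp
add disabled=no chain=forward action=mark-connection connection-mark=POKER new-connection-mark=POKER passthrough=yes
# MSS clamping on the modem-side interface. ether1 was renamed Modem1 in the
# interface section, so the rules must use that name; comment values containing
# spaces must be quoted, and the duplicated disabled=no is dropped.
add disabled=no chain=forward action=change-mss comment="CHANGE MMS" in-interface=Modem1 new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add disabled=no chain=forward action=change-mss new-mss=1440 out-interface=Modem1 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add disabled=no chain=forward action=accept comment="Total Pemakaian" in-interface=Modem1
# Marks management (winbox) connections only; it grants no access by itself and
# nothing in the listing restricts port 8291 to the admin subnet.
add disabled=no chain=input action=mark-connection comment=Winbox dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp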
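# Check the squid log
# Follow the access log and show cache hits. The original read "tail f ...",
# which would try to open a file named "f" instead of following the log.
tail -f /var/log/squid/access.log | grep HIT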
