
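# Mangle rules. Within each chain they are evaluated in the order listed, so
# the position of every rule below matters.
/ip firewall mangle

# Return-path pinning for connections addressed to the router itself: a
# connection that arrives on a WAN port is tagged with that uplink's
# connection mark.
# NOTE(review): these marks are spelled ISP1_Conn/ISP2_Conn, while the
# load-balancing rules for ether4-wifi use ISP1_conn/ISP2_conn. Each spelling
# is used consistently with its own mark-routing rules, but presumably they
# are separate marks - confirm that is intended.
add action=mark-connection chain=input comment=failover in-interface=\
ether2-seamless new-connection-mark=ISP2_Conn passthrough=yes
add action=mark-connection chain=input in-interface=ether1-ONT \
new-connection-mark=ISP1_Conn passthrough=yes
# Router-originated replies (output chain) get the routing mark of the uplink
# the connection came in on. passthrough=no ends mangle processing in the
# output chain for these packets. The routing tables to_ISP1/to_ISP2 are not
# defined in this section.
add action=mark-routing chain=output connection-mark=ISP1_Conn \
new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2_Conn \
new-routing-mark=to_ISP2 passthrough=no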
# Traffic entering on ether4-wifi for 192.100.1.0/24 or 192.168.1.0/24 is
# accepted first, which ends prerouting mangle processing for it so it is not
# load-balanced. In the mangle table "accept" only stops further mangle rules
# in the chain; it is not a filter decision and does not permit or block
# anything by itself.
# NOTE(review): 192.100.1.0/24 lies outside the RFC 1918 private ranges. If it
# is used as an internal subnet, the public hosts in that range become
# unreachable from this network - confirm.
add action=accept chain=prerouting dst-address=192.100.1.0/24 in-interface=\
ether4-wifi
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
ether4-wifi
# Per-connection classifier (PCC): connections from ether4-wifi to
# destinations that are not the router's own addresses are hashed over both
# addresses and ports and split in two (remainder 0 -> ISP1_conn,
# remainder 1 -> ISP2_conn).
# NOTE(review): neither rule is limited to connection-mark=no-mark, so the
# mark is reassigned on every packet from ether4-wifi. Because the connection
# then already carries a mark, the later prerouting rules that require
# connection-mark=no-mark look unable to match traffic that entered here.
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=ether4-wifi new-connection-mark=ISP1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=ether4-wifi new-connection-mark=ISP2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
# Turn the PCC connection mark into a routing mark; passthrough=yes lets the
# packet continue to the classification rules that follow.
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
in-interface=ether4-wifi new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
in-interface=ether4-wifi new-routing-mark=to_ISP2 passthrough=yes
# ICMP: tag the connection, tag its packets as icmp-p, then reset DSCP to 0.
# These rules have no interface or address restriction, so they apply to ICMP
# arriving on any port.
# NOTE(review): the mark-packet rule uses passthrough=no, which stops
# prerouting mangle processing for the packet. The change-dscp rule for icmp-p
# that follows therefore looks unreachable; the DNS group below uses
# passthrough=yes on its mark-packet rule and does reach its DSCP rule.
add action=mark-connection chain=prerouting comment="===>PING-LANCAR" \
new-connection-mark=icmp-conn passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp-conn \
new-packet-mark=icmp-p passthrough=no
add action=change-dscp chain=prerouting new-dscp=0 packet-mark=icmp-p \
passthrough=yes
# DNS: connections to port 53 over TCP or UDP are tagged dns-conn, their
# packets dns-p, and DSCP is reset to 0. This replaces any connection mark set
# earlier in prerouting (a connection carries a single mark).
add action=mark-connection chain=prerouting comment="====>DNS" dst-port=53 \
new-connection-mark=dns-conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=53 new-connection-mark=\
dns-conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=dns-conn \
new-packet-mark=dns-p passthrough=yes
add action=change-dscp chain=prerouting new-dscp=0 packet-mark=dns-p \
passthrough=yes
# Game traffic classification. Each title is handled twice:
#   - forward chain: connections to the title's destination ports get a
#     connection mark and a packet mark;
#   - prerouting chain: packets whose SOURCE is in the title's "-raw" address
#     list (i.e. arriving from those servers) get a separate "_Down" mark.
# The "-raw" lists are filled by the /ip firewall raw rules purely from the
# destination port a client contacted, so classification is only as reliable
# as that port match. The queues that consume these packet marks are not part
# of this section.

# COC: TCP 9330-9340.
add action=mark-connection chain=forward comment=COC dst-port=9330-9340 \
new-connection-mark=coc-conn passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=coc-conn \
new-packet-mark=coc-packet passthrough=no
# NOTE(review): COC_Down uses passthrough=yes, whereas the AOV and
# Mobile-Legend "_Down" rules use passthrough=no - confirm which is intended.
add action=mark-connection chain=prerouting comment=#COC new-connection-mark=\
COC passthrough=yes src-address-list=COC-raw
add action=mark-packet chain=prerouting connection-mark=COC new-packet-mark=\
COC_Down passthrough=yes
# AOV: TCP 10001-10094 and UDP 10080-17000.
add action=mark-connection chain=forward comment=AOV dst-port=10001-10094 \
new-connection-mark=aov-conn passthrough=yes protocol=tcp
add action=mark-connection chain=forward dst-port=10080-17000 \
new-connection-mark=aov-conn passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=aov-conn \
new-packet-mark=aov-packet passthrough=no
add action=mark-connection chain=prerouting comment=#AOV new-connection-mark=\
AOV passthrough=yes src-address-list=AOV-raw
add action=mark-packet chain=prerouting connection-mark=AOV new-packet-mark=\
AOV_Down passthrough=no
# Mobile-Legend: TCP 30100-30200, UDP 5001-5009 and UDP 30091-30099.
add action=mark-connection chain=forward comment=Mobile-Legend dst-port=\
30100-30200 new-connection-mark=moba-conn passthrough=yes protocol=tcp
add action=mark-connection chain=forward dst-port=5001-5009 \
new-connection-mark=moba-conn passthrough=yes protocol=udp
add action=mark-connection chain=forward dst-port=30091-30099 \
new-connection-mark=moba-conn passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=moba-conn \
new-packet-mark=moba-packet passthrough=no
add action=mark-connection chain=prerouting comment=#ML new-connection-mark=\
MOBILE-LEGEND passthrough=yes src-address-list=mobile-legend-raw
add action=mark-packet chain=prerouting connection-mark=MOBILE-LEGEND \
new-packet-mark="MOBILE LEGEND_Down" passthrough=no
# Local-to-local bypass: traffic whose source and destination are both in the
# private-lokal address list is accepted in all five mangle chains, so none of
# the marking rules below it in each chain apply to it. The private-lokal list
# is not defined in this section.
# As with every mangle "accept", this only ends mangle processing; whether the
# traffic is actually allowed is decided by /ip firewall filter, which is not
# shown here.
add action=accept chain=input comment="mangel GGC" dst-address-list=\
private-lokal src-address-list=private-lokal
add action=accept chain=prerouting dst-address-list=private-lokal \
src-address-list=private-lokal
add action=accept chain=forward dst-address-list=private-lokal \
src-address-list=private-lokal
add action=accept chain=postrouting dst-address-list=private-lokal \
src-address-list=private-lokal
add action=accept chain=output dst-address-list=private-lokal \
src-address-list=private-lokal
# icmp-dns class: ICMP plus TCP/UDP ports 5353 and 123 from private-lokal
# clients to destinations outside private-lokal. Despite the name, port 53 is
# not matched here (it is handled by the dns-conn rules); 5353 and 123 are
# commonly mDNS and NTP.
# NOTE(review): ICMP packets were already given packet mark icmp-p with
# passthrough=no earlier in prerouting, so the protocol=icmp rule here looks
# unable to match - confirm.
add action=mark-connection chain=prerouting comment=icmp-dns \
dst-address-list=!private-lokal new-connection-mark=icmp-dns passthrough=\
yes protocol=icmp src-address-list=private-lokal
add action=mark-connection chain=prerouting dst-address-list=!private-lokal \
dst-port=5353,123 new-connection-mark=icmp-dns passthrough=yes protocol=\
tcp src-address-list=private-lokal
add action=mark-connection chain=prerouting dst-address-list=!private-lokal \
dst-port=5353,123 new-connection-mark=icmp-dns passthrough=yes protocol=\
udp src-address-list=private-lokal
# Stop prerouting mangle processing for this class, then give its forwarded
# packets the icmp-dns packet mark.
add action=accept chain=prerouting connection-mark=icmp-dns
add action=mark-packet chain=forward connection-mark=icmp-dns \
new-packet-mark=icmp-dns passthrough=no
# Destination-list classes: still-unmarked connections from private-lokal
# clients to addresses in the ggc-telkom or sosmed lists get a connection mark
# of the same name, and their forwarded packets the matching packet mark.
# Neither address list is defined in this section.
# NOTE(review): both rules require connection-mark=no-mark. Connections that
# entered on ether4-wifi were already marked by the PCC rules, so if the
# private-lokal clients sit behind ether4-wifi these rules never match.
add action=mark-connection chain=prerouting comment=ggc-telkom \
connection-mark=no-mark dst-address-list=ggc-telkom new-connection-mark=\
ggc-telkom passthrough=yes src-address-list=private-lokal
add action=mark-packet chain=forward connection-mark=ggc-telkom \
new-packet-mark=ggc-telkom passthrough=no
add action=mark-connection chain=prerouting comment=sosmed connection-mark=\
no-mark dst-address-list=sosmed new-connection-mark=sosmed passthrough=\
yes src-address-list=private-lokal
add action=mark-packet chain=forward connection-mark=sosmed new-packet-mark=\
sosmed passthrough=no
# "trafik" class: still-unmarked connections from private-lokal clients to
# outside destinations, selected by destination port (two port sets, each
# matched for TCP and UDP) or by a layer-7 pattern. The forward chain later
# splits this class by connection rate.
# NOTE(review): every rule requires connection-mark=no-mark, so the same
# caveat applies as for the other no-mark rules: traffic already marked by the
# ether4-wifi PCC rules would not match.
add action=mark-connection chain=prerouting comment=trafik connection-mark=\
no-mark dst-address-list=!private-lokal dst-port=\
5000,5500-7100,9000,9091,3000-3200 new-connection-mark=trafik \
passthrough=yes protocol=tcp src-address-list=private-lokal
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!private-lokal dst-port=\
5000,5500-7100,9000,9091,3000-3200 new-connection-mark=trafik \
passthrough=yes protocol=udp src-address-list=private-lokal
# Second port set. The range 0-2000 covers most well-known service ports
# (HTTP, HTTPS, mail, SSH, ...), so this is where ordinary browsing is caught.
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!private-lokal dst-port=\
0-2000,5050,8777,8000-8099,5353,5938,8291,12671-12675,16800 \
new-connection-mark=trafik passthrough=yes protocol=tcp src-address-list=\
private-lokal
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!private-lokal dst-port=\
0-2000,5050,8777,8000-8099,5353,5938,8291,12671-12675,16800 \
new-connection-mark=trafik passthrough=yes protocol=udp src-address-list=\
private-lokal
# Layer-7 matchers torrent1..torrent4 are referenced by name; their patterns
# are defined under /ip firewall layer7-protocol, which is not shown here.
# NOTE(review): layer-7 matching inspects payload, so it presumably cannot
# classify encrypted peer-to-peer traffic and adds CPU load - confirm it is
# still effective before relying on it.
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!private-lokal layer7-protocol=torrent1 \
new-connection-mark=trafik passthrough=yes src-address-list=private-lokal
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!private-lokal layer7-protocol=torrent2 \
new-connection-mark=trafik passthrough=yes src-address-list=private-lokal
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!private-lokal layer7-protocol=torrent3 \
new-connection-mark=trafik passthrough=yes src-address-list=private-lokal
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!private-lokal layer7-protocol=torrent4 \
new-connection-mark=trafik passthrough=yes src-address-list=private-lokal
# Catch-all: any connection from private-lokal to an outside destination that
# is still unmarked after all the rules above becomes "high-priority". The
# name describes the intended queue, not a match on any particular service:
# whatever the earlier rules did not classify ends up here.
add action=mark-connection chain=prerouting comment=high-priority \
connection-mark=no-mark dst-address-list=!private-lokal \
new-connection-mark=high-priority passthrough=yes src-address-list=\
private-lokal
# End prerouting mangle processing for this class, then mark its forwarded
# packets.
add action=accept chain=prerouting connection-mark=high-priority
add action=mark-packet chain=forward connection-mark=high-priority \
new-packet-mark=high-priority passthrough=no
# Rate-based split of the "trafik" class in the forward chain. The packet mark
# depends on the connection's current rate:
#   0-1M        -> browsing
#   1000001-3M  -> midle-trafik
#   3000001-1G  -> high-trafik
# A connection therefore moves between marks as its throughput changes.
add action=mark-packet chain=forward comment=browsing connection-mark=trafik \
connection-rate=0-1M new-packet-mark=browsing passthrough=no
add action=mark-packet chain=forward comment=midle-trafik connection-mark=\
trafik connection-rate=1000001-3M new-packet-mark=midle-trafik \
passthrough=no
add action=mark-packet chain=forward comment=high-trafik connection-mark=\
trafik connection-rate=3000001-1G new-packet-mark=high-trafik \
passthrough=no
# Game update downloads: TCP port 80 to 157.185.128.0/18 gets its own
# connection and packet mark. There is no source or interface restriction on
# this rule.
# NOTE(review): these are prerouting rules placed after the prerouting
# "accept" rules for icmp-dns and high-priority, so connections already in
# those classes never reach them.
add action=mark-connection chain=prerouting comment=Update-Mobile-Legend \
dst-address=157.185.128.0/18 dst-port=80 new-connection-mark=\
koneksi-update-ml passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=koneksi-update-ml \
new-packet-mark=paket-update-ml passthrough=no
# NAT rules. Only the three interface-bound masquerade rules are active; every
# other rule carries disabled=yes.
/ip firewall nat
# Placeholder chain for hotspot rules.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here"
# Source NAT for traffic leaving through each uplink and through the VPN-ID
# interface.
add action=masquerade chain=srcnat comment="NAT ISP1" out-interface=\
ether1-ONT
add action=masquerade chain=srcnat comment="NAT ISP2" out-interface=\
ether2-seamless
add action=masquerade chain=srcnat comment=masquerade-vpn-id out-interface=\
VPN-ID
# Disabled port forward: TCP 22 on 192.168.195.26 -> 192.10.10.2 port 80.
# NOTE(review): the external port (22) and internal port (80) differ, and
# 192.10.10.2 is outside the RFC 1918 private ranges - confirm both are
# intended before this rule is ever enabled.
add action=dst-nat chain=dstnat comment=remoteRM2 disabled=yes dst-address=\
192.168.195.26 dst-port=22 protocol=tcp to-addresses=192.10.10.2 \
to-ports=80
# Disabled masquerade with no matcher at all. If enabled it would source-NAT
# every connection passing srcnat, including LAN-to-LAN and inbound forwarded
# traffic, so internal hosts and logs would see the router's address instead
# of the real source.
add action=masquerade chain=srcnat disabled=yes
# Disabled transparent-proxy redirects: all TCP port 80 traffic would be sent
# to an external host. The rules have no in-interface, source or destination
# restriction, so if enabled they would also capture connections arriving on
# the WAN side and would hand every client's cleartext HTTP to a third party.
# Keep them disabled, or remove them; if a proxy is needed, scope the rule to
# the LAN interface and to a proxy that is under the operator's control.
add action=dst-nat chain=dstnat comment="proxy ID" disabled=yes dst-port=80 \
protocol=tcp to-addresses=103.31.251.70 to-ports=8080
add action=dst-nat chain=dstnat comment="proxy SG" disabled=yes dst-port=80 \
protocol=tcp to-addresses=128.199.140.46 to-ports=9700
# Raw table (processed before connection tracking). These rules do not filter;
# they only build the dynamic address lists used elsewhere:
#   <title>-raw   destination addresses contacted on a title's TCP port range
#                 (consumed by the mangle rules matching src-address-list)
#   client-on-*   source addresses seen talking to given server ranges, kept
#                 for 5 minutes (not referenced by any rule in this section)
# NOTE(review): the "-raw" rules match on destination port only, with no
# in-interface or src-address-list restriction, and use
# address-list-timeout=0s, which presumably means the entries never expire.
# Any host can then cause arbitrary addresses to be added just by opening a
# connection to those ports, the lists grow without bound, and every address
# in them is treated as game traffic by the mangle rules. Consider a finite
# timeout and limiting the rules to src-address-list=private-lokal.
/ip firewall raw
add action=add-dst-to-address-list address-list=mobile-legend-raw \
address-list-timeout=0s chain=prerouting comment=mobile-legend dst-port=\
30100-30110 protocol=tcp
add action=add-src-to-address-list address-list=client-on-ml \
address-list-timeout=5m chain=prerouting dst-address=161.202.0.0/16 \
dst-address-list=!private-lokal
add action=add-src-to-address-list address-list=client-on-ml \
address-list-timeout=5m chain=prerouting dst-address=119.81.0.0/16 \
dst-address-list=!private-lokal
add action=add-dst-to-address-list address-list=AOV-raw address-list-timeout=\
0s chain=prerouting comment=aov dst-port=10001-10094 protocol=tcp
add action=add-src-to-address-list address-list=client-on-aov \
address-list-timeout=5m chain=prerouting dst-address=183.61.0.0/16
add action=add-src-to-address-list address-list=client-on-aov \
address-list-timeout=5m chain=prerouting dst-address=161.202.165.247
# NOTE(review): the next two rules write to "client-on aov" (with a space),
# not client-on-aov as above, so they populate a different list - looks like
# a typo; confirm against whatever consumes these lists.
add action=add-src-to-address-list address-list="client-on aov" \
address-list-timeout=5m chain=prerouting dst-address=23.248.168.0/24
add action=add-src-to-address-list address-list="client-on aov" \
address-list-timeout=5m chain=prerouting dst-address=203.104.153.91
add action=add-dst-to-address-list address-list=COC-raw address-list-timeout=\
0s chain=prerouting comment=coc dst-port=9330-9340 protocol=tcp
add action=add-src-to-address-list address-list=client-on-coc \
address-list-timeout=5m chain=prerouting dst-address=36.86.0.0/16
