Mikrotik and Proxy Conf

Mikrotik and Proxy Conf
Sekrenario :
- PPPOE Telkom Speedy 2M down dan 512 up*
- 1M untuk jatah download semua client dengan batasan maksimal 256kbps/client
- Akses tanpa dibatasi limit untuk beberapa IP tertentu (dalam hal ini IP
192.168.2.27 dan 192.168.2.28)
- Browsing tidak dibatasi
- Aplikasi QOS pada outbound/paket yang keluar dari pppoe telkom speedy
anifest IP address yang digunakan :

[MODEM]
Modem IP Address = 192.168.1.1/24
[CLIENTS]
Client IP Address = 192.168.2.1-29/27
[SQUID BOX]
eth0 = 192.168.3.29/30
squid.conf dengan zph
http_port 3128 transparent

zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136
[MIKROTIK BOX] Basic Configuration
/interface ethernet
set 0 comment="Public Interface" name=Public
set 1 comment="Local Interface" name=Local
set 2 comment="Proxy Interface" name=Proxy
/ip address
add address=192.168.2.30/27 broadcast=192.168.2.31 comment="" disabled=no \
interface=Local network=192.168.2.0
interface=Proxy network=192.168.3.28
interface=Public network=192.168.1.0
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment=\
"PPPOE Speedy" dial-on-demand=no disabled=no interface=Public max-mru=\
1480 max-mtu=1480 mrru=disabled name=Speedy password=****** profile=\
default service-name="" use-peer-dns=no user=******@telkom.net
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=4096KiB \
max-udp-packet-size=512 servers="125.160.4.82,203.130.196.155,203.130.196.\
5,222.124.204.34,202.134.0.61,8.8.4.4,8.8.8.8"
/ip service
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=0.0.0.0/0 disabled=yes port=80
set ssh address=0.0.0.0/0 disabled=yes port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/system ntp client

set enabled=yes mode=unicast primary-ntp=131.107.13.100 secondary-ntp=\
192.43.244.18
/ip service
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=0.0.0.0/0 disabled=yes port=80
set ssh address=0.0.0.0/0 disabled=yes port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip firewall address-list

add address=192.168.3.28/30 comment="" disabled=no list=ProxyNET
add address=192.168.2.0/27 comment="" disabled=no list=ApisTECH
end of basic configuration=================

Untuk firewall filternya saya pake home firewalling aja, yang penting aman dari
dalam dan luar…
/ip firewall filter

add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid disabled=no
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" disabled=no \
src-address-list="port scanners"
add action=accept chain=input comment="Allow Established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Allow Related connections" \
connection-state=related disabled=no
add action=accept chain=input comment="Allow ICMP from LOCAL Network" \
disabled=no protocol=icmp src-address-list=ApisTECH
add action=accept chain=input comment="Allow ICMP from PROXY Network" \
disabled=no protocol=icmp src-address-list=ProxyNET
add action=accept chain=input comment="Allow Input from LOCAL Network" \
disabled=no src-address-list=ApisTECH
add action=accept chain=input comment="Allow Input from PROXY Network" \
disabled=no src-address-list=ProxyNET
add action=drop chain=input comment="Drop everything else" disabled=no
add action=drop chain=forward comment="Drop Invalid connections" \
connection-state=invalid disabled=no
add action=jump chain=forward comment="Bad packets filtering" disabled=no \
jump-target=tcp protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=udp \
protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=icmp \
protocol=icmp
add action=drop chain=tcp comment="deny SMTP" disabled=no dst-port=25 \
protocol=tcp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 \
protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=\
3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
protocol=tcp
add action=drop chain=tcp comment="deny P2P" disabled=no p2p=all-p2p
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 \
protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=\
3133 protocol=udp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
icmp-options=3:0 protocol=icmp
icmp-options=3:3 limit=5,5 protocol=icmp
icmp-options=3:4 limit=5,5 protocol=icmp
add action=drop chain=icmp comment="Drop other icmp packets" disabled=no
add action=accept chain=forward comment="Allow Established connections" \
connection-state=established disabled=no
add action=accept chain=forward comment="Allow Forward from LOCAL Network" \
disabled=no src-address-list=ApisTECH
add action=accept chain=forward comment="Allow Forward from PROXY Network" \
disabled=no src-address-list=ProxyNET
add action=drop chain=forward comment="Drop everything else" disabled=no
Nat nya
/ip firewall nat

add action=dst-nat chain=dstnat comment="TRANSPARENT DNS" disabled=no \
dst-port=53 in-interface=Local protocol=udp to-ports=53
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
in-interface=Local protocol=tcp to-ports=53
in-interface=Proxy protocol=udp to-ports=53
in-interface=Proxy protocol=tcp to-ports=53
add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no \
dst-address-list=!ProxyNET dst-port=80,8080,3128 in-interface=Local \
protocol=tcp to-addresses=192.168.3.29 to-ports=3128
add action=dst-nat chain=dstnat comment="PROXY NAT" disabled=no dst-address=\
192.168.2.30 dst-port=22,81,10000 in-interface=Local protocol=tcp \
to-addresses=192.168.3.29
add action=masquerade chain=srcnat comment="MASQUERADE MODEM" disabled=no \
out-interface=Public
add action=masquerade chain=srcnat comment="MASQUERADE PPPOE" disabled=no \
out-interface=Speedy
Penjelasan :
- Transparent DNS agar client tidak bisa menggunakan NS selain yang terpasang di
mikrotik
- Masquerade pada modem agar modem dapat diakses dari client*
- Mengarahkan rikwes dari client tujuan port 80,8080,3128 ke squid external
(TSL)
- Services yang digunakan pada TSL yaitu http (port 81), SSH (port 22) dan
webmin (port 10000)
*)Ditemukan secara tidak sengaja oleh senpai cipete I-HO menurut pengakuannya
sih
/ip firewall mangle
add action=mark-packet chain=forward comment="PROXY-HIT-DSCP 12" disabled=no \
dscp=12 new-packet-mark=proxy-hit passthrough=no
add action=change-dscp chain=postrouting comment=CRITICAL disabled=no \

new-dscp=1 protocol=icmp
add action=change-dscp chain=postrouting comment="" disabled=no dst-port=53 \
new-dscp=1 protocol=udp
add action=change-dscp chain=postrouting comment="" disabled=no dst-port=53 \
new-dscp=1 protocol=tcp
add action=mark-connection chain=postrouting comment="" disabled=no dscp=1 \
new-connection-mark=critical_conn passthrough=yes
add action=mark-packet chain=postrouting comment="" connection-mark=\
critical_conn disabled=no new-packet-mark=critical_pkt passthrough=no

Mikrotik and Proxy Conf

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Mikrotik and Proxy Conf

Caricato da

Copyright:

Formati disponibili

Mikrotik and Proxy Conf

anifest IP address yang digunakan :

http_port 3128 transparent

[MIKROTIK BOX] Basic Configuration

/system ntp client

/ip firewall address-list

end of basic configuration=================

/ip firewall filter

/ip firewall nat

add action=change-dscp chain=postrouting comment=CRITICAL disabled=no \

Potrebbero piacerti anche