/interface ethernet
# Physical port roles: upstream link (WAN), ethernet towards the PPPoE modem (PPPoE),
# the LAN (Local) and the point-to-point link to the proxy host (Proxy).
set numbers=0 name=WAN
set numbers=1 name=PPPoE
set numbers=2 name=Local
set numbers=3 name=Proxy
/ip address
# One address per port. The WAN address is public; the other three are RFC1918.
add interface=WAN address=119.110.68.10/30
# /30 towards the modem; the far end (192.168.1.1) is listed in the Transparent address-list.
add interface=PPPoE address=192.168.1.2/30
# LAN gateway address (also the target of the "Gateway" address-list).
add interface=Local address=192.168.100.254/24
# /30 towards the proxy host 192.168.2.2.
add interface=Proxy address=192.168.2.1/30
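/interface pppoe-client
# SECURITY: the original export carried the live ISP account name and password in cleartext.
# Both have been replaced with placeholders. Credentials that were already published must be
# rotated with the ISP; keep them out of exports (/export hide-sensitive) before sharing.
# NOTE(review): allow= includes pap, which sends the password over the link unhashed; narrow the
# list to what the ISP actually requires (chap/mschap2) — confirm with the provider.
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="PPPoE" dial-on-demand=no disabled=no interface=PPPoE max-mru=1480 max-mtu=1480 mrru=disabled name=Speedy password="CHANGE_ME" profile=default service-name="" use-peer-dns=no user="CHANGE_ME@telkom.net"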
/ip route
# Default path: WAN gateway first, the PPPoE session (Speedy) as the distance-2 fallback.
add comment="Default Route - Distance 1" gateway=119.110.68.9 distance=1 check-gateway=arp
add comment="Default Route - Distance 2" gateway=Speedy distance=2 check-gateway=arp
# Policy-routing tables chosen by the to_wan / to_pppoe routing-marks set in /ip firewall mangle.
add comment="WAN - Distance 1" gateway=119.110.68.9 distance=1 check-gateway=arp routing-mark=to_wan
add comment="PPPoE - Distance 1" gateway=Speedy distance=1 check-gateway=arp routing-mark=to_pppoe
# NOTE(review): check-gateway=arp on the PPP gateway (Speedy) is questionable, since a PPP link
# carries no ARP; check-gateway=ping is the usual choice for such routes — confirm before changing.
/ip dns
# Router acts as a caching resolver for clients (allow-remote-requests=yes). It is not an open
# resolver only because the input filter accepts DNS solely from the Local/Proxy networks and
# drops everything else arriving on WAN/Speedy; relaxing that filter would expose a public
# recursive resolver. Cache entries are kept up to a week regardless of record TTL.
set servers=180.131.144.144,180.131.145.145 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w max-udp-packet-size=512
/ip firewall address-list
# Transparent: destinations excluded from the transparent-proxy DNAT and allowed to be forwarded
# from the WAN/PPPoE side (presumably the modem and the proxy host).
add list=Transparent address=192.168.1.1
add list=Transparent address=192.168.2.2
# Source networks used for anti-spoofing in the input/forward accept rules.
add list=LocalNET address=192.168.100.0/24
add list=ProxyNET address=192.168.2.0/30
# The router's own LAN address; used by the PROXY NAT rule.
add list=Gateway address=192.168.100.254
# NOTE(review): the mangle section matches dst-address-list=nice, which is not defined in this
# export. It must be populated separately; while it is empty every connection is classified
# as "ix" (non-nice) and routed via to_pppoe.
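/ip firewall filter
# ---------------- input chain: traffic addressed to the router itself ----------------
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
# Scan detection: matching sources are listed for a week and dropped by the rule after the list.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="Port scanners to list " disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" disabled=no src-address-list="port scanners"
add action=accept chain=input comment="Allow Input from LOOPBACK" disabled=no src-address=127.0.0.1
# Anti-spoof: LAN/proxy traffic is accepted only when both the ingress interface and the source
# address-list agree.
add action=accept chain=input comment="Allow Input from LOCAL Network" disabled=no in-interface=Local src-address-list=LocalNET
add action=accept chain=input comment="Allow Input from PROXY Network" disabled=no in-interface=Proxy src-address-list=ProxyNET
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no in-interface=WAN
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no in-interface=Speedy
add action=accept chain=input comment="Allow Related connections" connection-state=related disabled=no in-interface=WAN
add action=accept chain=input comment="Allow Related connections" connection-state=related disabled=no in-interface=Speedy
# SECURITY FIX: the original export had both Winbox rules enabled (disabled=no) despite their
# "CHECK BEFORE ENABLED" comment, exposing TCP/8291 to the whole internet on both uplinks.
# They are now disabled, consistent with the forward-chain SSH/HTTP rules below; router
# management remains reachable from the Local and Proxy networks via the accept rules above.
# If remote management is really needed, enable them only together with a restrictive
# src-address-list of known admin addresses.
add action=accept chain=input comment="Allow Winbox Access ---------- CHECK BEFORE ENABLED" disabled=yes dst-port=8291 in-interface=WAN protocol=tcp
add action=accept chain=input comment="Allow Winbox Access ---------- CHECK BEFORE ENABLED" disabled=yes dst-port=8291 in-interface=Speedy protocol=tcp
add action=drop chain=input comment="Drop everything else" disabled=no
# ---------------- forward chain: traffic through the router ----------------
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=no
# The per-protocol chains run BEFORE the LAN/proxy accept rules, so the deny lists below also
# apply to traffic originating from the Local and Proxy networks (e.g. outbound SMTP/25 is blocked).
add action=jump chain=forward comment="Packet Filtering" disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=udp protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny SMTP" disabled=no dst-port=25 protocol=tcp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137,138,139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=31337 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=tcp comment="deny P2P" disabled=no p2p=all-p2p
add action=add-dst-to-address-list address-list=GAMES address-list-timeout=1d chain=tcp comment=GAMES disabled=no dst-address-list=!ProxyNET dst-port=843,9339,39190,49100 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137,138,139 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=31337 protocol=udp
add action=drop chain=udp comment="deny P2P" disabled=no p2p=all-p2p
add action=add-dst-to-address-list address-list=GAMES address-list-timeout=1d chain=udp comment=GAMES disabled=no dst-address-list=!ProxyNET dst-port=40000-40010 protocol=udp
# ICMP: only the listed types are accepted, rate-limited; everything else is dropped.
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
# NOTE(review): this rule has no limit= although its comment claims one; left unchanged —
# confirm whether the omission is intentional.
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp comment="Drop other icmp packets" disabled=no
# Anti-spoof accepts for the inside networks, then only reply traffic from the uplinks.
add action=accept chain=forward comment="Allow Forward from LOCAL Network" disabled=no in-interface=Local src-address-list=LocalNET
add action=accept chain=forward comment="Allow Forward from PROXY Network" disabled=no in-interface=Proxy src-address-list=ProxyNET
add action=accept chain=forward comment="Allow Forward from AP Network" disabled=no in-interface=WAN src-address-list=Transparent
add action=accept chain=forward comment="Allow Forward from MODEM Network" disabled=no in-interface=PPPoE src-address-list=Transparent
add action=accept chain=forward comment="Allow Established connections" connection-state=established disabled=no in-interface=WAN
add action=accept chain=forward comment="Allow Established connections" connection-state=established disabled=no in-interface=Speedy
add action=accept chain=forward comment="Allow Related connections" connection-state=related disabled=no in-interface=WAN
add action=accept chain=forward comment="Allow Related connections" connection-state=related disabled=no in-interface=Speedy
# Inbound service exposure is off by default; these pair with the disabled DMZ dst-nat rules.
add action=accept chain=forward comment="Allow HTTP Access --- CHECK BEFORE ENABLED" disabled=yes dst-port=81,443 in-interface=WAN protocol=tcp
add action=accept chain=forward comment="Allow SSH Access ----- CHECK BEFORE ENABLED" disabled=yes dst-port=22 in-interface=WAN protocol=tcp
add action=accept chain=forward comment="Allow HTTP Access --- CHECK BEFORE ENABLED" disabled=yes dst-port=81,443 in-interface=Speedy protocol=tcp
add action=accept chain=forward comment="Allow SSH Access ----- CHECK BEFORE ENABLED" disabled=yes dst-port=22 in-interface=Speedy protocol=tcp
add action=drop chain=forward comment="Drop everything else" disabled=no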
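/ip firewall nat
# Source NAT on every outbound path (modem link, WAN, PPPoE session).
add action=masquerade chain=srcnat comment="MASQUERADE MODEM" disabled=no out-interface=PPPoE
add action=masquerade chain=srcnat comment="MASQUERADE WAN" disabled=no out-interface=WAN
add action=masquerade chain=srcnat comment="MASQUERADE PPPOE" disabled=no out-interface=Speedy
# NOTE(review): these two dst-nat rules set only to-ports and no to-addresses, so the destination
# address is left unchanged and they do not actually redirect LAN DNS to the router's resolver;
# action=redirect may have been intended — confirm.
add action=dst-nat chain=dstnat comment="TRANSPARENT DNS" disabled=no dst-port=53 in-interface=Local protocol=udp to-ports=53
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 in-interface=Local protocol=tcp to-ports=53
# FIX (rule order): dstnat is first-match. The TRANSPARENT PROXY rule also matches TCP/81 towards
# 192.168.100.254 (the Gateway list is not excluded from it), so with the original order LAN
# clients aiming at the gateway on port 81 were redirected to the cache on 192.168.2.2:3128
# instead of to 192.168.2.2:81. The more specific PROXY NAT rule therefore comes first.
add action=dst-nat chain=dstnat comment="PROXY NAT" disabled=no dst-address-list=Gateway dst-port=22,81,10000 in-interface=Local protocol=tcp to-addresses=192.168.2.2
add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no dst-address-list=!Transparent dst-port=80,81,8080,3128 in-interface=Local protocol=tcp to-addresses=192.168.2.2 to-ports=3128
# Inbound port-forwards to the proxy host; kept disabled, paired with the disabled forward-chain accepts.
add action=dst-nat chain=dstnat comment="DMZ --- CHECK BEFORE ENABLED" disabled=yes dst-port=81,22 in-interface=WAN protocol=tcp to-addresses=192.168.2.2
add action=dst-nat chain=dstnat comment="DMZ --- CHECK BEFORE ENABLED" disabled=yes dst-port=81,22 in-interface=Speedy protocol=tcp to-addresses=192.168.2.2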
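/ip firewall mangle
# Packets carrying DSCP 12 are marked proxy-hit (the DSCP is presumably set by the proxy host;
# the consumer of this packet-mark is not part of this export).
add action=mark-packet chain=postrouting comment="MARK PROXY-HIT" disabled=no dscp=12 new-packet-mark=proxy-hit passthrough=no
# ---- connections from the proxy host: split into IIX ("nice" list) vs IX and policy-routed ----
add action=mark-connection chain=prerouting comment="PROXY CONNMARK" disabled=no in-interface=Proxy new-connection-mark=proxy_conn passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-mark=proxy_conn disabled=no in-interface=Proxy dst-address-list=nice new-connection-mark=iix.proxy_conn passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-mark=proxy_conn disabled=no in-interface=Proxy dst-address-list=!nice new-connection-mark=ix.proxy_conn passthrough=yes
add action=mark-routing chain=prerouting comment="PROXY ROUTE IIX" connection-mark=iix.proxy_conn disabled=no in-interface=Proxy new-routing-mark=to_wan passthrough=no
add action=mark-routing chain=prerouting comment="PROXY ROUTE IX" connection-mark=ix.proxy_conn disabled=no in-interface=Proxy new-routing-mark=to_pppoe passthrough=no
# ---- connections from the LAN: same scheme ----
# FIX: the original marked LAN connections in chain=input, which only sees packets addressed to
# the router itself, so forwarded LAN traffic never received local_conn and the LOCAL ROUTE rules
# below never applied to it. Moved to prerouting to mirror PROXY CONNMARK. Revert to chain=input
# if LAN traffic was deliberately meant to stay on the plain default route.
add action=mark-connection chain=prerouting comment="LOCAL CONNMARK" disabled=no in-interface=Local new-connection-mark=local_conn passthrough=yes
# passthrough=yes (originally no) so the first packet of a connection also reaches the
# mark-routing rules in this pass, exactly as the PROXY rules above do.
add action=mark-connection chain=prerouting comment="" connection-mark=local_conn disabled=no in-interface=Local dst-address-list=nice new-connection-mark=iix.local_conn passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-mark=local_conn disabled=no in-interface=Local dst-address-list=!nice new-connection-mark=ix.local_conn passthrough=yes
add action=mark-routing chain=prerouting comment="LOCAL ROUTE IIX" connection-mark=iix.local_conn disabled=no in-interface=Local new-routing-mark=to_wan passthrough=no
add action=mark-routing chain=prerouting comment="LOCAL ROUTE IX" connection-mark=ix.local_conn disabled=no in-interface=Local new-routing-mark=to_pppoe passthrough=no
# NOTE(review): address-list "nice" is referenced above but not defined in this export; it must
# be populated separately, otherwise every connection is classified as ix and routed via to_pppoe.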