  1. /interface ethernet
  2. set 0 name=WAN
  3. set 1 name=PPPoE
  4. set 2 name=Local
  5. set 3 name=Proxy
  6.  
  7. /ip address
  8. add address=119.110.68.10/30 interface=WAN
  9. add address=192.168.1.2/30 interface=PPPoE
  10. add address=192.168.100.254/24 interface=Local
  11. add address=192.168.2.1/30 interface=Proxy
  12.  
  13. /interface pppoe-client
  14. add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="PPPoE" dial-on-demand=no disabled=no interface=PPPoE max-mru=1480 max-mtu=\
  15. 1480 mrru=disabled name=Speedy password=afmdrz04ft profile=default service-name="" use-peer-dns=no user=122112212947@telkom.net
  16.  
  17. /ip route
  18. add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 gateway=119.110.68.9
  19. add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=2 gateway=Speedy
  20. add check-gateway=arp comment="WAN - Distance 1" disabled=no distance=1 gateway=119.110.68.9 routing-mark=to_wan
  21. add check-gateway=arp comment="PPPoE - Distance 1" disabled=no distance=1 gateway=Speedy routing-mark=to_pppoe
  22.  
  23. /ip dns
  24. set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=180.131.144.144,180.131.145.145
  25.  
  26. /ip firewall address-list
  27. add address=192.168.1.1 comment="" disabled=no list=Transparent
  28. add address=192.168.2.2 comment="" disabled=no list=Transparent
  29. add address=192.168.100.0/24 comment="" disabled=no list=LocalNET
  30. add address=192.168.2.0/30 comment="" disabled=no list=ProxyNET
  31. add address=192.168.100.254 comment="" disabled=no list=Gateway
  32.  
  33. /ip firewall filter
  34. add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
  35. add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="Port scanners to list " disabled=no protocol=tcp \
  36. psd=21,3s,3,1
  37. add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp \
  38. tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
  39. add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp \
  40. tcp-flags=fin,syn
  41. add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="SYN/RST scan" disabled=no protocol=tcp \
  42. tcp-flags=syn,rst
  43. add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp \
  44. tcp-flags=fin,psh,urg,!syn,!rst,!ack
  45. add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp \
  46. tcp-flags=fin,syn,rst,psh,ack,urg
  47. add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp \
  48. tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
  49. add action=drop chain=input comment="Dropping port scanners" disabled=no src-address-list="port scanners"
  50. add action=accept chain=input comment="Allow Input from LOOPBACK" disabled=no src-address=127.0.0.1
  51. add action=accept chain=input comment="Allow Input from LOCAL Network" disabled=no in-interface=Local src-address-list=LocalNET
  52. add action=accept chain=input comment="Allow Input from PROXY Network" disabled=no in-interface=Proxy src-address-list=ProxyNET
  53. add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no in-interface=WAN
  54. add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no in-interface=Speedy
  55. add action=accept chain=input comment="Allow Related connections" connection-state=related disabled=no in-interface=WAN
  56. add action=accept chain=input comment="Allow Related connections" connection-state=related disabled=no in-interface=Speedy
  57. add action=accept chain=input comment="Allow Winbox Access ---------- CHECK BEFORE ENABLED" disabled=no dst-port=8291 in-interface=WAN protocol=tcp
  58. add action=accept chain=input comment="Allow Winbox Access ---------- CHECK BEFORE ENABLED" disabled=no dst-port=8291 in-interface=Speedy protocol=tcp
  59. add action=drop chain=input comment="Drop everything else" disabled=no
  60. add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=no
  61. add action=jump chain=forward comment="Packet Filtering" disabled=no jump-target=tcp protocol=tcp
  62. add action=jump chain=forward comment="" disabled=no jump-target=udp protocol=udp
  63. add action=jump chain=forward comment="" disabled=no jump-target=icmp protocol=icmp
  64. add action=drop chain=tcp comment="deny SMTP" disabled=no dst-port=25 protocol=tcp
  65. add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
  66. add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
  67. add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
  68. add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137,138,139 protocol=tcp
  69. add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 protocol=tcp
  70. add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
  71. add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
  72. add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
  73. add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=31337 protocol=tcp
  74. add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
  75. add action=drop chain=tcp comment="deny P2P" disabled=no p2p=all-p2p
  76. add action=add-dst-to-address-list address-list=GAMES address-list-timeout=1d chain=tcp comment=GAMES disabled=no dst-address-list=!ProxyNET dst-port=\
  77. 843,9339,39190,49100 protocol=tcp
  78. add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
  79. add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=111 protocol=udp
  80. add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=135 protocol=udp
  81. add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137,138,139 protocol=udp
  82. add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 protocol=udp
  83. add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=31337 protocol=udp
  84. add action=drop chain=udp comment="deny P2P" disabled=no p2p=all-p2p
  85. add action=add-dst-to-address-list address-list=GAMES address-list-timeout=1d chain=udp comment=GAMES disabled=no dst-address-list=!ProxyNET dst-port=\
  86. 40000-40010 protocol=udp
  87. add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
  88. add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=3:0 protocol=icmp
  89. add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
  90. add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
  91. add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
  92. add action=accept chain=icmp comment="limit packets 5/secs" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
  93. add action=drop chain=icmp comment="Drop other icmp packets" disabled=no
  94. add action=accept chain=forward comment="Allow Forward from LOCAL Network" disabled=no in-interface=Local src-address-list=LocalNET
  95. add action=accept chain=forward comment="Allow Forward from PROXY Network" disabled=no in-interface=Proxy src-address-list=ProxyNET
  96. add action=accept chain=forward comment="Allow Forward from AP Network" disabled=no in-interface=WAN src-address-list=Transparent
  97. add action=accept chain=forward comment="Allow Forward from MODEM Network" disabled=no in-interface=PPPoE src-address-list=Transparent
  98. add action=accept chain=forward comment="Allow Established connections" connection-state=established disabled=no in-interface=WAN
  99. add action=accept chain=forward comment="Allow Established connections" connection-state=established disabled=no in-interface=Speedy
  100. add action=accept chain=forward comment="Allow Related connections" connection-state=related disabled=no in-interface=WAN
  101. add action=accept chain=forward comment="Allow Related connections" connection-state=related disabled=no in-interface=Speedy
  102. add action=accept chain=forward comment="Allow HTTP Access --- CHECK BEFORE ENABLED" disabled=yes dst-port=81,443 in-interface=WAN protocol=tcp
  103. add action=accept chain=forward comment="Allow SSH Access ----- CHECK BEFORE ENABLED" disabled=yes dst-port=22 in-interface=WAN protocol=tcp
  104. add action=accept chain=forward comment="Allow HTTP Access --- CHECK BEFORE ENABLED" disabled=yes dst-port=81,443 in-interface=Speedy protocol=tcp
  105. add action=accept chain=forward comment="Allow SSH Access ----- CHECK BEFORE ENABLED" disabled=yes dst-port=22 in-interface=Speedy protocol=tcp
  106. add action=drop chain=forward comment="Drop everything else" disabled=no
  107.  
  108. /ip firewall nat
  109. add action=masquerade chain=srcnat comment="MASQUERADE MODEM" disabled=no out-interface=PPPoE
  110. add action=masquerade chain=srcnat comment="MASQUERADE WAN" disabled=no out-interface=WAN
  111. add action=masquerade chain=srcnat comment="MASQUERADE PPPOE" disabled=no out-interface=Speedy
  112. add action=dst-nat chain=dstnat comment="TRANSPARENT DNS" disabled=no dst-port=53 in-interface=Local protocol=udp to-ports=53
  113. add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 in-interface=Local protocol=tcp to-ports=53
  114. add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no dst-address-list=!Transparent dst-port=80,81,8080,3128 in-interface=Local \
  115. protocol=tcp to-addresses=192.168.2.2 to-ports=3128
  116. add action=dst-nat chain=dstnat comment="PROXY NAT" disabled=no dst-address-list=Gateway dst-port=22,81,10000 in-interface=Local protocol=tcp to-addresses=\
  117. 192.168.2.2
  118. add action=dst-nat chain=dstnat comment="DMZ --- CHECK BEFORE ENABLED" disabled=yes dst-port=81,22 in-interface=WAN protocol=tcp to-addresses=192.168.2.2
  119. add action=dst-nat chain=dstnat comment="DMZ --- CHECK BEFORE ENABLED" disabled=yes dst-port=81,22 in-interface=Speedy protocol=tcp to-addresses=192.168.2.2
  120.  
  121. /ip firewall mangle
  122. add action=mark-packet chain=postrouting comment="MARK PROXY-HIT" disabled=no dscp=12 new-packet-mark=proxy-hit passthrough=no
  123. add action=mark-connection chain=prerouting comment="PROXY CONNMARK" disabled=no in-interface=Proxy new-connection-mark=proxy_conn \
  124. passthrough=yes
  125. add action=mark-connection chain=prerouting comment="" connection-mark=proxy_conn disabled=no in-interface=Proxy dst-address-list=nice new-connection-mark=iix.proxy_conn \
  126. passthrough=yes
  127. add action=mark-connection chain=prerouting comment="" connection-mark=proxy_conn disabled=no in-interface=Proxy dst-address-list=!nice new-connection-mark=ix.proxy_conn \
  128. passthrough=yes
  129. add action=mark-routing chain=prerouting comment="PROXY ROUTE IIX" connection-mark=iix.proxy_conn disabled=no in-interface=Proxy new-routing-mark=to_wan \
  130. passthrough=no
  131. add action=mark-routing chain=prerouting comment="PROXY ROUTE IX" connection-mark=ix.proxy_conn disabled=no in-interface=Proxy new-routing-mark=to_pppoe \
  132. passthrough=no
  133. add action=mark-connection chain=input comment="LOCAL CONNMARK" disabled=no in-interface=Local new-connection-mark=local_conn \
  134. passthrough=yes
  135. add action=mark-connection chain=prerouting comment="" connection-mark=local_conn disabled=no in-interface=Local dst-address-list=nice new-connection-mark=iix.local_conn \
  136. passthrough=no
  137. add action=mark-connection chain=prerouting comment="" connection-mark=local_conn disabled=no in-interface=Local dst-address-list=!nice new-connection-mark=ix.local_conn \
  138. passthrough=no
  139. add action=mark-routing chain=prerouting comment="LOCAL ROUTE IIX" connection-mark=iix.local_conn disabled=no in-interface=Local new-routing-mark=to_wan \
  140. passthrough=no
  141. add action=mark-routing chain=prerouting comment="LOCAL ROUTE IX" connection-mark=ix.local_conn disabled=no in-interface=Local new-routing-mark=to_pppoe \
  142. passthrough=no