AntiDDOS Mikrotik

a guest
Nov 12th, 2019
980
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.72 KB | None | 0 0
# MikroTik RouterOS export (page gutter numbers stripped). Firewall rule order
# inside a chain is significant, so every statement is kept exactly as
# exported; reviewer remarks are marked NOTE(review). Labels in the export are
# Portuguese (Servidor = server, Controle De Banda = bandwidth control,
# ATACANTE = attacker).

/interface ethernet
# NOTE(review): the names are swapped relative to the defaults - the port
# with default-name ether2 becomes "ether1" (Servidor) and vice versa.
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
Servidor name=ether1
set [ find default-name=ether1 ] comment=Wi-Fi name=ether2
/interface pppoe-client
# NOTE(review): the PPPoE username and password are stored in clear text in
# this export. Share configs produced with `/export hide-sensitive` and treat
# any credential that has already been published as compromised.
add add-default-route=yes comment=Modem disabled=no interface=ether1 max-mru=1492 max-mtu=1500 name=pppoe-out1 \
password=algaralgar use-peer-dns=yes user=algar@algar
/ip neighbor discovery
set ether1 comment=Servidor
set ether2 comment=Wi-Fi
set pppoe-out1 comment=Modem
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Single-address pools: each /30 below has exactly one client address.
add name=dhcp_pool1 ranges=192.168.1.2
add name=dhcp_pool2 ranges=192.168.1.6
/ip dhcp-server
# dhcp_pool1 (192.168.1.2) serves the Wi-Fi port, dhcp_pool2 (192.168.1.6)
# serves the Servidor port.
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=ether1 name=dhcp1
/queue simple
# Rate cap on the Wi-Fi port; max-limit is upload/download as seen from the
# target (3M/50M).
add max-limit=3M/50M name="Controle De Banda Roteador Wi-Fi" target=ether2
/ip settings
# SYN cookies for the router's own TCP stack; complements the SYN-flood
# filter rules below.
set tcp-syncookies=yes
/ip address
add address=192.168.1.5/30 comment=Servidor interface=ether1 network=192.168.1.4
add address=192.168.1.1/30 comment=Wi-Fi interface=ether2 network=192.168.1.0
/ip dhcp-client
# NOTE(review): ether1 already carries a static address and a DHCP server;
# a DHCP client on the same port with default-route-distance=0 would be
# preferred over the PPPoE default route if it ever obtains a lease.
# Confirm this is intended.
add default-route-distance=0 dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/30 gateway=192.168.1.1
add address=192.168.1.4/30 gateway=192.168.1.5
/ip dns
# NOTE(review): 192.168.0.1 is not on any subnet configured in this export;
# queries to it would leave via the default route unless a route exists
# elsewhere.
set servers=192.168.0.1,8.8.8.8
/ip firewall address-list
# NOTE(review): the `support` list is not referenced by any rule below.
add address=192.168.1.0/24 list=support
/ip firewall filter
# ICMP handling: forwarded and router-originated ICMP is sent to the ICMP
# chain, which accepts only time-exceeded (11:0), destination-unreachable
# (3:0-1) and fragmentation-needed (3:4) and drops everything else,
# including echo. There is no jump from the input chain, so ICMP addressed
# to the router itself is not covered by this chain.
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP log-prefix="" protocol=icmp
# NOTE(review): this accept has no in-interface matcher, so UDP/53 to the
# router is accepted from the PPPoE side as well; limit it with
# in-interface=!pppoe-out1 unless the router is meant to answer public
# queries. Whether it actually answers depends on `/ip dns
# allow-remote-requests`, which is not shown in this export.
add action=accept chain=input comment="Accept DNS - UDP" log-prefix="" port=53 protocol=udp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 log-prefix="" protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 log-prefix="" protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 log-prefix="" protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" log-prefix="" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP log-prefix="" protocol=icmp
# SYN flood, router-bound (input): a source on pppoe-out1 holding more than
# 100 TCP connections is added to blocked-addr for 1w3d; listed sources are
# tarpitted once they exceed 3 connections. No default drop for the input
# chain appears anywhere in this export.
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1w3d chain=input comment=\
"SYN Flood protect" connection-limit=100,32 in-interface=pppoe-out1 log-prefix="" protocol=tcp
add action=tarpit chain=input comment="SYN Flood protect" connection-limit=3,32 log-prefix="" protocol=tcp \
src-address-list=blocked-addr
# SYN flood, forwarded (forward -> SYN-Protect): new TCP SYNs are dropped
# and logged once a source exceeds 100 connections.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect log-prefix=\
"" protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="SYN Flood protect" connection-limit=100,32 connection-state=new log=yes \
log-prefix="DROP SYN FLOOD" protocol=tcp tcp-flags=syn
# anti-DDoS (forward -> detect-ddos). The jump has no protocol matcher, so
# the chain is evaluated for EVERY new forwarded connection.
add action=jump chain=forward comment="anti DDoS" connection-state=new jump-target=detect-ddos log-prefix=""
# Rule 1: UDP to 27165/7787 within dst-limit (rate 32, burst 32, per
# src+dst pair, 10s expiry) returns to forward and is allowed.
# NOTE(review): this line appears to have lost its trailing `\` in the
# paste - a bare `protocol=udp` on the next line is not a valid statement
# when imported.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s dst-port=27165,7787 log-prefix=""
protocol=udp
# Rule 2 - NOTE(review): this rule has no matcher at all, so every new
# connection that did not return above (any TCP flow, UDP to any other port)
# adds its destination to `ddosed` for 1w4d and logs it as ATACANTE. It runs
# before the LAN `return` below, so destinations of LAN-initiated
# connections are listed too. It looks like a leftover debug rule or one
# that lost its `protocol=udp dst-port=27165,7787` matchers - confirm the
# intent before relying on the blackhole.
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1w4d chain=detect-ddos log=yes \
log-prefix=ATACANTE
# Rule 3: LAN sources return here and are never added to `ddoser`.
add action=return chain=detect-ddos comment="DDoS protect" log-prefix="" src-address=192.168.1.0/24
# Rules 4-5: everything else lists destination -> ddosed and source ->
# ddoser (1w3d; note the timeout differs from rule 2's 1w4d).
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1w3d chain=detect-ddos comment=\
"DDoS protect" log-prefix=""
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1w3d chain=detect-ddos comment=\
"DDoS protect" log-prefix=""
/ip firewall mangle
# Packets from a `ddoser` to a `ddosed` address get ddoser-route-mark, whose
# route below is a blackhole; only pairs present in BOTH lists are affected,
# and only from the packet after the one that populated the lists.
# NOTE(review): mangle prerouting is evaluated before dst-nat, so for
# inbound traffic to the NAT'd host the destination seen here is the public
# address, not the 192.168.1.6 that the forward chain listed - confirm the
# blackhole actually triggers in this topology.
add action=mark-routing chain=prerouting dst-address-list=ddosed log=yes log-prefix=BLACKHOLE new-routing-mark=\
ddoser-route-mark passthrough=no src-address-list=ddoser
/ip firewall nat
add action=masquerade chain=srcnat comment=Internet log-prefix="" out-interface=pppoe-out1
# NOTE(review): "open ports" has no protocol, dst-port or in-interface
# matcher, so every new connection to ANY address owned by the router
# (dst-address-type=local covers the LAN gateway addresses as well as the
# PPPoE address) is redirected to 192.168.1.6. That likely includes DNS to
# 192.168.1.1 accepted above and the Winbox port configured below. Add
# protocol=, dst-port= and in-interface=pppoe-out1 to limit it to the
# intended service.
add action=dst-nat chain=dstnat comment="open ports" dst-address-type=local log-prefix=OPENPORTS to-addresses=\
192.168.1.6
/ip firewall service-port
# NAT helpers (ALGs) disabled for all listed protocols.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# Blackhole for traffic carrying ddoser-route-mark (see mangle above).
add distance=1 routing-mark=ddoser-route-mark type=blackhole
# 192.168.2.0/24 is reached via the Wi-Fi client address from dhcp_pool1.
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.1.2
/ip service
# Management: telnet/ftp/www/ssh/api/api-ssl disabled; Winbox is the only
# service left.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
# NOTE(review): address=0.0.0.0/0 leaves Winbox reachable from any source,
# and no input-chain drop rule is visible, so it is exposed on the PPPoE
# side. Restrict with address=192.168.1.0/24 (or an input rule limited to
# LAN interfaces); a non-default port is not access control.
set winbox address=0.0.0.0/0 port=9191
set api-ssl disabled=yes
/ip traffic-flow
# NetFlow export enabled; records go to the target below.
set active-flow-timeout=1m cache-entries=1M enabled=yes
/ip traffic-flow target
# NOTE(review): the collector port is the same number as one of the
# protected game ports above (27165) - confirm it is intended.
add dst-address=192.168.0.150 port=27165
/system identity
# NOTE(review): the export ends here without the `set name=` line; it
# appears truncated.