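# Interfaces are addressed by position (0 = upstream side, 1 = client side);
# check "/interface print" before importing this on different hardware.
/interface
set 0 name=Speedy
set 1 name=Lan
/ip address
add address=192.168.1.2/24 interface=Speedy
add address=192.168.0.254/24 interface=Lan
# Default route via the upstream device on the Speedy side.
/ip route add gateway=192.168.1.1
# The export had a stray "\" in the middle of this line (a continuation is only
# valid at the end of a line), which aborts the import; joined into one statement.
# allow-remote-requests=yes makes the router a DNS resolver for the clients; the
# firewall input chain must then limit UDP/53 to the Lan side, otherwise this is
# an open resolver reachable from the Speedy side.
/ip dns set servers=203.130.208.18,203.130.196.5 allow-remote-requests=yes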
/ip firewall address-list
# "client": the twenty client hosts 192.168.0.1-192.168.0.20. No rule on this
# page references this list; only "HC" is used (by the proxy redirect in nat).
add address=192.168.0.1 list=client
add address=192.168.0.2 list=client
add address=192.168.0.3 list=client
add address=192.168.0.4 list=client
add address=192.168.0.5 list=client
add address=192.168.0.6 list=client
add address=192.168.0.7 list=client
add address=192.168.0.8 list=client
add address=192.168.0.9 list=client
add address=192.168.0.10 list=client
add address=192.168.0.11 list=client
add address=192.168.0.12 list=client
add address=192.168.0.13 list=client
add address=192.168.0.14 list=client
add address=192.168.0.15 list=client
add address=192.168.0.16 list=client
add address=192.168.0.17 list=client
add address=192.168.0.18 list=client
add address=192.168.0.19 list=client
add address=192.168.0.20 list=client
# "HC": the proxy/cache box that the dst-nat rule redirects client HTTP to.
# The filter rules also match a list named "ournetwork"; make sure it exists
# before relying on those rules.
add address=192.168.0.200 list=HC
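/ip firewall nat
# Source NAT for the client subnet leaving via the upstream interface. The
# export had src-address=192.168.1.0/24, which is the Speedy-side subnet, so
# Lan clients (192.168.0.0/24, see /ip address and the mangle rules) were
# never masqueraded.
add chain=srcnat action=masquerade out-interface=Speedy src-address=192.168.0.0/24 disabled=no comment="Masquerade Public Traffic"
# Transparent redirect of client HTTP to the proxy box (HC, 192.168.0.200:8080).
# The HC box itself is exempt so its own fetches are not looped back. Limited
# to packets entering on Lan that are not addressed to the router itself: the
# original rule had no interface match, so it also redirected port-80 traffic
# arriving on Speedy (an exposed proxy if the upstream device forwards that
# port) and Lan connections to the router's own web service on 192.168.0.254.
add chain=dstnat action=dst-nat to-addresses=192.168.0.200 to-ports=8080 protocol=tcp dst-port=80 in-interface=Lan dst-address-type=!local src-address-list=!HC comment="Redirect Web Proxy"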
/ip firewall mangle
# Router-originated traffic towards the Lan (per the rule's label, proxy cache
# hits) is tagged DSCP 4 so the last rule below can pick it out.
add chain=output action=change-dscp new-dscp=4 out-interface=Lan comment="HIT TRAFFIC FROM PROXY"
# Uploads: anything entering on Lan from the client subnet.
add chain=prerouting action=mark-packet new-packet-mark=up-pkt in-interface=Lan src-address=192.168.0.0/24 passthrough=no comment="UPLOAD TRAFFIC"
# Connections opened from the client subnet are tagged so their reply packets
# (arriving on Speedy) can be recognised as downloads by the next rule.
add chain=forward action=mark-connection new-connection-mark=down-conn src-address=192.168.0.0/24 passthrough=yes comment="DOWNLOAD CONNECTIONS"
add chain=forward action=mark-packet new-packet-mark=down-pkt in-interface=Speedy connection-mark=down-conn passthrough=yes comment="DOWNLOAD TRAFFIC"
# Router->Lan packets carrying the DSCP set above get their own mark/queue.
add chain=output action=mark-packet new-packet-mark=proxy-pkt out-interface=Lan dscp=4 dst-address=192.168.0.0/24 passthrough=no comment="DOWN-VIA PROXY"
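/ip firewall layer7-protocol
# Layer7 matchers only inspect the first packets of a connection (per the
# RouterOS documentation, about the first 10 packets / 2 KiB) and cannot see
# inside TLS, so these patterns classify plain HTTP only. "\\." and "\$" are
# RouterOS string escapes for the regex tokens "\." and "$".
# "7zip" never matched ".7z" archives; "7z" matches both because ".*" follows.
add comment="download" name=high regexp="^.*get.+\\.(exe|rar|iso|zip|7z|0[0-9][1-9]|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*\$"
# The duplicated "ppt" alternative was dropped; ".pptx" already matches via
# "ppt" followed by ".*".
add comment="download" name=document regexp="^.*get.+\\.(pdf|doc|docx|xlsx|xls|rtf|ppt).*\$"
add comment="video" name=youtube regexp="^.*get.+\\.(c.youtube.com|cdn.dailymotion.com|metacafe.com|mccont.com).*\$"
# Very broad: "video" matches any inspected payload containing that word, not
# only streams; "videoplayback" is already covered by it.
add comment="video" name=streaming regexp="videoplayback|video"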
/ip firewall mangle
# Sub-classification of download packets (down-pkt). A rule with passthrough=no
# replaces the mark and stops, so each packet ends up in at most one sub-class;
# later rules only match packets still carrying down-pkt.
add chain=forward action=mark-packet new-packet-mark=dpkt packet-mark=down-pkt layer7-protocol=high passthrough=no comment="CLIENT DOWNLOAD"
add chain=forward action=mark-packet new-packet-mark=dpkt packet-mark=down-pkt layer7-protocol=document passthrough=no comment=""
add chain=forward action=mark-packet new-packet-mark=spkt packet-mark=down-pkt layer7-protocol=youtube passthrough=no comment="CLIENT VIDEO"
add chain=forward action=mark-packet new-packet-mark=spkt packet-mark=down-pkt layer7-protocol=streaming passthrough=no comment=""
# Online-game ports, tcp lists first, then udp. A few entries repeat across the
# lists (29000, 18901-18909, 27005); the repeats are harmless.
add chain=forward action=mark-packet new-packet-mark=gpkt packet-mark=down-pkt protocol=tcp dst-port=5340-5352,6000-6152,10001-10011,14009-14030,18901-18909 passthrough=yes comment="CLIENT ONLINE GAMES"
add chain=forward action=mark-packet new-packet-mark=gpkt packet-mark=down-pkt protocol=tcp dst-port=39190,27780,29000,22100,10009,4300,15001,15002,7341,7451 passthrough=yes
add chain=forward action=mark-packet new-packet-mark=gpkt packet-mark=down-pkt protocol=tcp dst-port=40000,9300,9400,9700,7342,8005-8010,37466,36567,8822 passthrough=yes
add chain=forward action=mark-packet new-packet-mark=gpkt packet-mark=down-pkt protocol=tcp dst-port=47611,16666,20000,5105,29000,18901-18909,9015 passthrough=yes
add chain=forward action=mark-packet new-packet-mark=gpkt packet-mark=down-pkt protocol=udp dst-port=27005,27015 passthrough=yes
add chain=forward action=mark-packet new-packet-mark=gpkt packet-mark=down-pkt protocol=udp dst-port=27005-27020,13055,7800-7900,12060-12070 passthrough=yes
add chain=forward action=mark-packet new-packet-mark=gpkt packet-mark=down-pkt protocol=udp dst-port=8005-8010,9068,1293,1479,9401,9600,30000 passthrough=yes
add chain=forward action=mark-packet new-packet-mark=gpkt packet-mark=down-pkt protocol=udp dst-port=14009-14030,42051-42052,40000-40050,13000-13080 passthrough=yes
# Web connections count as browsing for their first 1 MB; beyond that the
# packets keep down-pkt and fall into the generic download class.
add chain=forward action=mark-packet new-packet-mark=bpkt packet-mark=down-pkt protocol=tcp src-port=80,443 connection-bytes=0-1000000 passthrough=no comment="CLIENT BROWSING"
/ip firewall layer7-protocol
# NOTE(review): this looks like a transcription of the classic l7-filter
# "bittorrent" signature (handshake length byte 0x13 + "bittorrent protocol",
# tracker scrape, DHT), but the escapes appear garbled in transit ("\13",
# "azver1", the curly quote in "8’7P", the quadruple backslash before "?").
# Confirm it against the original signature and test it on the target
# RouterOS version before relying on it for billing or shaping.
add comment="BIT TORENT" name=bittorrent regexp="^(\13bittorrent protocol|azver1\$|get /scrape\\\\?info_hash=)|d1:ad2:id20:|8’7P\\)[RP]"
# Keyword match on plain-HTTP request lines (cannot see HTTPS). "entertane"
# and "flixflux" are listed twice, which is harmless.
add comment="TORRENT WEBSITES" name=torrentsites regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
/ip firewall mangle
# Peer-to-peer / torrent downloads -> tpkt, the lowest download class in the
# queue tree. All four rules stop processing (passthrough=no).
add chain=forward action=mark-packet new-packet-mark=tpkt packet-mark=down-pkt layer7-protocol=bittorrent passthrough=no comment="BILLING BIT TORRENT"
add chain=forward action=mark-packet new-packet-mark=tpkt packet-mark=down-pkt layer7-protocol=torrentsites passthrough=no comment="BILLING TORRENT WEBSITES"
# Built-in p2p matcher; a RouterOS 6 feature, so check it still exists on the
# target version.
add chain=forward action=mark-packet new-packet-mark=tpkt packet-mark=down-pkt p2p=all-p2p passthrough=no comment="BILLING ALLP2P"
add chain=forward action=mark-packet new-packet-mark=tpkt packet-mark=down-pkt protocol=tcp dst-port=58561,58045,14948,58008,58816,59097 passthrough=no comment="BILLING TORRENT PORT"
/queue type
# PCQ queues: one sub-queue per classifier value (per client address), sharing
# the parent's limit fairly. pcq-rate caps each sub-queue; without it a client
# may take whatever share is free.
add kind=pcq name=pcq_upstream pcq-classifier=src-address
add kind=pcq name=pcq_downstream pcq-classifier=dst-address
add kind=pcq name=pcq_game pcq-classifier=dst-address
add kind=pcq name=pcq_browsing pcq-classifier=dst-address
add kind=pcq name=pcq_download pcq-classifier=dst-address pcq-rate=1000k
add kind=pcq name=pcq_undefined pcq-classifier=dst-address pcq-rate=512k
add kind=pcq name=pcq_extensions pcq-classifier=dst-address pcq-rate=512k
add kind=pcq name=pcq_video pcq-classifier=dst-address pcq-rate=512k
add kind=pcq name=pcq_p2ptorrent pcq-classifier=dst-address pcq-rate=150k
/queue tree
# Top level: uploads on global-in, downloads on global-out, router->Lan
# (proxy-pkt) traffic on an unlimited default queue. Lower priority number is
# served first.
add name=a.Upstream parent=global-in packet-mark=up-pkt queue=pcq_upstream priority=8 max-limit=2M
add name=b.Downstream parent=global-out packet-mark=down-pkt queue=pcq_downstream priority=8 max-limit=2M
add name=c.Proxystream parent=global-out packet-mark=proxy-pkt queue=default priority=8
# Download classes under b.Downstream.
add name=1.Games parent=b.Downstream packet-mark=gpkt queue=pcq_game priority=1 limit-at=256k max-limit=1000k
add name=2.Browsing parent=b.Downstream packet-mark=bpkt queue=pcq_browsing priority=2 limit-at=256k max-limit=1000k
# NOTE(review): the four children below reserve 4 x 128k = 512k but this
# parent only guarantees 256k; check the HTB rules for the target version,
# which normally expect the children's limit-at sum to fit inside the parent's.
# 3.Download and 3.1.Undefined both match down-pkt; confirm that a parent with
# its own packet-mark still hands packets to its children.
add name=3.Download parent=b.Downstream packet-mark=down-pkt queue=pcq_download priority=3 limit-at=256k max-limit=1000k
add name=3.1.Undefined parent=3.Download packet-mark=down-pkt queue=pcq_undefined priority=4 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.2.Extensions parent=3.Download packet-mark=dpkt queue=pcq_extensions priority=5 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.3.Video parent=3.Download packet-mark=spkt queue=pcq_video priority=6 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.4.P2P&Torrent parent=3.Download packet-mark=tpkt queue=pcq_p2ptorrent priority=7 limit-at=128k max-limit=256k
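# The management accept rules below match src-address-list=ournetwork, but no
# list of that name exists anywhere in this export, so they could never match.
# It is defined here from the Lan subnet used throughout this configuration;
# add any other admin hosts to it before the final drop of the input chain
# takes effect, or you will lock yourself out.
/ip firewall address-list
add list=ournetwork address=192.168.0.0/24 comment="management sources"
/ip firewall filter
# Trap: hosts probing TCP/3128 on the upstream interface are listed for a day
# and dropped by the next rule. The export spelled the interface "Speddy"
# (no such interface), so the trap never fired.
add chain=input in-interface=Speedy protocol=tcp dst-port=3128 action=add-src-to-address-list address-list=block address-list-timeout=1d comment="filter proxy"
add chain=input action=drop src-address-list=block comment="drop ip-block"
add chain=forward connection-state=invalid action=drop comment="drop_invalid_connections"
# "virus" chain: drops ports historically used by worms and backdoors in
# forwarded traffic; entered via the jump rule after the list. Three labels
# arrived as underscores only and are kept as exported rather than guessed.
# Note that 1024-1030/tcp is also an ordinary ephemeral range, so that rule can
# drop legitimate connections to servers listening there.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop_Blaster_Worm"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop_Blaster_Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop_Blaster_Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="__________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment=" Drop¬_MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="______"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="BagleVirus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="DropDumaruY"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="DropBeagle"
# (the export had a second, identical tcp/2745 rule labelled "DropBeagle_C-K";
# it was removed as a duplicate)
add chain=virus protocol=tcp dst-port=3127 action=drop comment="DropMyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="DropBackdoorOptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm1"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm2"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="DropSasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="DropBeagleB"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="DropDabber-A-B"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="DropMyDoom-B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="DropNetBus"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="DropSubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="DropPhatBot,Agobot,Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
# Input chain: traffic addressed to the router itself.
add chain=input connection-state=invalid action=drop comment="Drop_invalid_connections"
# Replies to the router's own connections (DNS lookups to the configured
# servers, etc.); required now that the chain ends in a drop.
add chain=input connection-state=established,related action=accept comment="Accept_established_related"
# The export accepted all UDP on every interface, which left the DNS resolver
# (allow-remote-requests=yes) reachable from the Speedy side. Lan only.
add chain=input protocol=udp in-interface=Lan action=accept comment="UDP"
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow_limited_pings"
add chain=input protocol=icmp action=drop comment="Drop_excess_pings"
# Management from ournetwork only. FTP and Telnet are cleartext; prefer SSH and
# Winbox and disable the unused services under /ip service.
add chain=input protocol=tcp dst-port=21 src-address-list=ournetwork action=accept comment="FTP"
add chain=input protocol=tcp dst-port=22 src-address-list=ournetwork action=accept comment="SSH_for_secure_shell"
add chain=input protocol=tcp dst-port=23 src-address-list=ournetwork action=accept comment="Telnet"
add chain=input protocol=tcp dst-port=80 src-address-list=ournetwork action=accept comment="Web"
add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork action=accept comment="winbox"
# PPTP needs TCP/1723 and GRE; GRE only got through before because the chain
# had no final drop. PPTP itself is no longer considered secure; consider a
# modern VPN.
add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server"
add chain=input protocol=gre action=accept comment="pptp-server_gre"
add chain=input action=log log-prefix="DROP INPUT" comment="Log_everything_else"
# The exported chain stopped at the log rule, so everything logged as
# "DROP INPUT" was in fact accepted (RouterOS default policy). The five accept
# rules that duplicated earlier ones after the log rule were removed.
add chain=input action=drop comment="Drop_everything_else"
# Outbound SMTP abuse: the last rule lists a host as "spammer" for 30 minutes
# when it exceeds the connection/rate thresholds (no "WhiteListed" list is
# defined on this page, so the negated match covers every source). On its
# following SMTP attempts the first rule records it permanently (timeout 0s)
# and the second tarpits it. The detection rule is deliberately last so
# already-listed hosts hit the tarpit first.
add chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp src-address-list=spammer address-list=WasASpammerOnce address-list-timeout=0s comment="Log Spammer to address list for future investigation" disabled=no
add chain=forward action=tarpit dst-port=25 protocol=tcp src-address-list=spammer comment="BLOCK SPAMMERS OR INFECTED USERS" disabled=no
add chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp connection-limit=30,32 limit=50,5 src-address-list=!WhiteListed address-list=spammer address-list-timeout=30m comment="Detect and add-list SMTP virus or spammers" disabled=no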
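/ip proxy access
# These rules only matter if the router's own web proxy is enabled (not shown
# in this export). The original had no source restriction, so an enabled proxy
# could be relayed through from outside; deny anything not from the Lan first.
add src-address=!192.168.0.0/24 action=deny comment="deny proxy use from outside the Lan"
add action=deny dst-port=23-25 comment="block telnet & spam e-mail relaying"
add action=deny dst-port=!443,563 method=connect comment="allow CONNECT only to SSL ports 443 [https] and 563 [snews]"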