
Simple and Powerful Firewall Filter Mikrotik

14 Dec

A firewall is the fortress of a server or a router, filtering network traffic. The same applies to Mikrotik: with as small a configuration as possible it can still filter traffic, so the router performs as well as it can.

The configuration below is one the author has tested and felt was worth sharing on this blog. How to set it up... read on...

Before you apply this configuration, make sure you understand the interface layout it assumes:

ether1 = public IP / internet

ether2 = local IP / network / LAN

Adjust it to match your own network. Here is the script:

===========================================================

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=drop chain=forward connection-state=invalid disabled=no protocol=tcp
# Note: this accepts every ICMP packet addressed to the router, so the later input rules
# "DROP PING ON PUBLIC" and the jump to the icmp chain are never reached as ordered.
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.1.0/24
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=drop chain=forward disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=reject chain=tcp comment="deny NBT" disabled=no dst-port=137-139 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=tcp comment="deny cifs" disabled=no dst-port=445 protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOrifice" disabled=no dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=reject chain=forward content=whatsmyipaddress.org disabled=no reject-with=icmp-network-unreachable
add action=drop chain=udp comment="deny BackOrifice" disabled=no dst-port=3133 protocol=udp
add action=accept chain=icmp comment="allow echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="allow destination net unreachable" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="allow destination host unreachable" disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter problem" disabled=no icmp-options=12:0 protocol=icmp
# Note: this unconditional drop ends the icmp chain; anything appended to the chain after it
# (the rate-limited rules at the bottom) is never evaluated.
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=drop chain=input comment=";;;DROP INPUT FROM OTHER THAN LAN NETWORK IP" disabled=no in-interface=ether2 src-address=!192.168.1.0/24
add action=drop chain=forward disabled=no in-interface=ether2 src-address=!192.168.1.0/24
add action=drop chain=forward comment=";;;EXAMPLE: DROP ACCESS TO A SITE PER CLIENT IP" content=youtube.com disabled=no src-address=192.168.1.12
add action=reject chain=forward comment="EXAMPLE: DROP VIRUS AND ACCESS" content=.internetdownloadmanager.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
add action=reject chain=input disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
add action=reject chain=input content=loader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=loader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=svchost.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=www.wieistmeineip.de disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=dialer.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=svchost.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=dialer.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=downloader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=.downloader disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=whatsmyipaddress.org disabled=no reject-with=icmp-network-unreachable
add action=drop chain=forward content=getmyip.org disabled=no
add action=drop chain=input comment="::::::::DROP PING ON PUBLIC :::::;" disabled=no in-interface=ether1 protocol=icmp
add action=drop chain=forward disabled=no in-interface=ether1 protocol=icmp
add action=drop chain=forward comment="::::::::LIMIT PORT OUT IN ON PUBLIC INTERFACE:::::;" disabled=no dst-address=0.0.0.0/0 dst-port=!53,843,9339,5000-15000,2778,6005,2112,600-6005 out-interface=ether1 protocol=udp src-address=0.0.0.0/0
add action=drop chain=input comment="::::::::DROP INPUT ON PUBLIC IP EXCEPT REMOTE PORTS:::::;" disabled=no dst-address=0.0.0.0/0 dst-port=!8291,22,10000 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0
add action=jump chain=forward comment="Flood protect" connection-state=new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
# Note: the SYN-Protect chain contains only an accept, so this jump adds no limiting by itself.
add action=accept chain=SYN-Protect disabled=no protocol=tcp
add action=jump chain=input disabled=no jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="Limited Ping Flood" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp disabled=no protocol=icmp

================================================================================

Once again, do not just copy and paste; study the rules properly first... every network administrator has their own preferences... the configuration above is a minimal setup that gives maximal results..

To get even more out of Mikrotik, wait for the next post on the SNTP client, flushing and the scheduler, so that our Mikrotik is truly optimal... Good luck
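One way to study the rule order before importing it is to replay constructed packets through a first-match model. The simulator below is an added example, not RouterOS code or the author's; it models chains, jumps, return-to-parent-chain and the default accept the way RouterOS evaluates filter rules, over a constructed subset of the rules above (comment strings taken from the script, packets and the `want` matcher are assumptions).

```python
"""First-match simulator for a subset of the filter rules on this page.
Added example, not RouterOS code: models chains, jumps and first-match
semantics so the effect of rule order in the script above can be checked."""


def want(**kw):
    """Matcher: each field must equal the packet's value (a tuple means
    'any of'); a key ending in _not negates the test, like RouterOS '!'."""
    def match(pkt):
        for key, val in kw.items():
            neg = key.endswith("_not")
            field = key[:-4] if neg else key
            hit = pkt.get(field) in val if isinstance(val, tuple) else pkt.get(field) == val
            if hit == neg:
                return False
        return True
    return match


# Constructed subset of the page's rules, kept in the page's order.
RULES = [
    ("input",   "accept",    "Allow ICMP",           want(proto="icmp")),
    ("forward", "jump:tcp",  "to tcp chain",         want(proto="tcp")),
    ("tcp",     "drop",      "deny TFTP",            want(proto="tcp", dport=69)),
    ("tcp",     "reject",    "deny NBT",             want(proto="tcp", dport=(137, 138, 139))),
    ("forward", "jump:icmp", "to icmp chain",        want(proto="icmp")),
    ("icmp",    "accept",    "allow echo request",   want(icmp="8:0")),
    ("icmp",    "drop",      "deny all other types", want()),
    ("input",   "drop",      "DROP PING ON PUBLIC",  want(iface="ether1", proto="icmp")),
    ("input",   "drop",      "INPUT non-remote ports, DROP",
     want(iface="ether1", proto="tcp", dport_not=(8291, 22, 10000))),
    ("icmp",    "accept",    "Limited Ping Flood",   want(icmp="8:0")),  # appended after the drop
]


def evaluate(pkt, chain=None):
    """Return (action, comment) of the first terminal rule the packet hits.
    A jumped chain with no match returns to the parent chain; a chain that
    ends without a match yields RouterOS's default ("accept", "default")."""
    chain = chain or pkt["chain"]
    for rule_chain, action, comment, match in RULES:
        if rule_chain != chain or not match(pkt):
            continue
        if action.startswith("jump:"):
            verdict = evaluate(pkt, action[5:])
            if verdict[1] != "default":
                return verdict
            continue
        return action, comment
    return "accept", "default"
```

Running a ping from ether1 against the input chain returns "Allow ICMP" rather than "DROP PING ON PUBLIC", and a forwarded echo request never reaches "Limited Ping Flood": the model shows which rules in the script are shadowed by earlier ones.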


Posted by on December 14, 2011 in Tutorial Mikrotik


28 responses to "Simple and Powerful Firewall Filter Mikrotik"

  1. Taufiq Muslih (@tovExs)

    February 6, 2012 at 11:00 pm

    add action=drop chain=forward disabled=no src-address=0.0.0.0/8
    add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
    add action=drop chain=forward disabled=no src-address=127.0.0.0/8
    add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
    add action=drop chain=forward disabled=no src-address=224.0.0.0/3
    add action=drop chain=forward disabled=no dst-address=224.0.0.0/3

    What IPs do those refer to, sir?

  2. Taufiq Muslih (@tovExs)

    February 6, 2012 at 11:16 pm

    oh, and sir, this part shows up in red for me
    add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
    add action=jump chain=forward disabled=no jump-target=udp protocol=udp
    add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp

    I'm using MT 5.10
    does each MT version do it differently, sir?

    • tamam_papua

      February 10, 2012 at 1:32 pm

      just disable it if it has no effect

  3. Hasrijal Haddade

    February 9, 2012 at 3:28 pm

    I'd like to ask, sir: how do I set up the firewall to force clients onto the DHCP server the admin has configured??? because when a client gets an IP, another DHCP server is detected.. please help, sir.
    thank you

    • tamam_papua

      February 10, 2012 at 1:25 pm

      well, of course you have to set up the DHCP server, boss.. first read the step-by-step tutorial on setting up the RB750.. read it thoroughly, boss
