Friday, 1 November 2019

Firewall Blok Port Virus di Mikrotik

Berikut cara memblokir port yang lazim dipakai virus/worm pada chain forward, serta membatasi brute force ke layanan FTP, SSH dan Telnet router. Catatan: aturan di bawah tidak memblokir layanan SSH/FTP itu sendiri; yang diblokir hanya alamat sumber yang membuka koneksi baru berulang kali dalam waktu singkat (blacklist 1 hari). Port 22-23 pada chain virus dibiarkan disabled.

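/ip firewall filter
# Stateful baseline. Packets that belong to a connection that was already
# allowed (established) or that was spawned by one (related) are accepted
# both for traffic to the router itself (input) and for traffic routed
# through it (forward); only connection-state=new traffic reaches the rules
# that follow. The two accept rules per chain are merged into one each; the
# match set is identical.
add action=accept chain=input comment="accept established/related" \
    connection-state=established,related
add action=accept chain=forward comment="accept established/related" \
    connection-state=established,related
# Drop packets conntrack cannot attribute to any connection. The original
# export did this only for forward; doing it for input as well keeps the
# router's own services (and the brute-force counters below) from seeing
# stray or malformed segments.
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop invalid" connection-state=invalid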

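# "virus" chain. It is only consulted through the jump rule at the end of
# the forward chain, i.e. for connection-state=new traffic routed through
# the box (established/related traffic was accepted earlier). Matching is
# on destination port only, so a connection *to* one of these ports is
# dropped regardless of which side originated it.
# The list is the commonly circulated RouterOS "virus port" list (NetBIOS/
# SMB/RPC plus ports historically used by worms and backdoors). Some of the
# entries are also registered for ordinary services (e.g. 1080 SOCKS, 10000
# Webmin, 1024-1030 general use), so review them before deploying this in
# front of servers.
# The duplicate tcp/135-139 rule that appeared twice in the export has been
# dropped; it matched exactly the same traffic.
add action=drop chain=virus comment=VIRUS dst-port=135-139 protocol=tcp
add action=drop chain=virus dst-port=135-139 protocol=udp
add action=drop chain=virus dst-port=445 protocol=tcp
add action=drop chain=virus dst-port=445 protocol=udp
add action=drop chain=virus dst-port=4444 protocol=tcp
add action=drop chain=virus dst-port=4444 protocol=udp
# Left disabled on purpose: enabling it would drop every SSH/Telnet
# connection forwarded through the router, not just attack traffic. The
# router's own SSH/Telnet are protected by the brute-force rules below.
add action=drop chain=virus disabled=yes dst-port=22-23 protocol=tcp
add action=drop chain=virus dst-port=593 protocol=tcp
add action=drop chain=virus dst-port=1024-1030 protocol=tcp
add action=drop chain=virus dst-port=1080 protocol=tcp
add action=drop chain=virus dst-port=3127 protocol=tcp
add action=drop chain=virus dst-port=3410 protocol=tcp
add action=drop chain=virus dst-port=5554 protocol=tcp
add action=drop chain=virus dst-port=8866 protocol=tcp
add action=drop chain=virus dst-port=9898 protocol=tcp
add action=drop chain=virus dst-port=10000 protocol=tcp
add action=drop chain=virus dst-port=10080 protocol=tcp
add action=drop chain=virus dst-port=12345 protocol=tcp
add action=drop chain=virus dst-port=17300 protocol=tcp
add action=drop chain=virus dst-port=27374 protocol=tcp
add action=drop chain=virus dst-port=65506 protocol=tcp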
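# Brute-force throttling for the router's own FTP (21), SSH (22) and
# Telnet (23). Each service keeps three stage lists; add-src-to-address-list
# does not terminate rule processing, so one new connection walks all four
# staging rules and a source that opens a 4th new connection to the same
# port within about a minute (the stage timeouts) lands on black_list for
# one day. This counts new TCP connections, not failed logins: a legitimate
# client that reconnects quickly (scripts, scp loops, a few mistyped
# passwords) is locked out too, and an attacker who paces attempts slower
# than the 1m stage timeout is never caught.
#
# Blacklisted sources are now dropped for every input port, not only the
# one they attacked (the export had one drop per service). Rules earlier in
# the chain still accept established traffic, so an already-open session
# from a blacklisted host is not cut.
#
# NOTE(review): this listing has no default-deny on input, so whatever
# /ip service has enabled (Winbox, WWW, API, ...) stays reachable from every
# interface unless rules outside this export restrict it. Telnet is
# cleartext; disabling it in /ip service is preferable to rate-limiting it.
add action=drop chain=input comment="drop black_list (brute forcers)" \
    src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input connection-state=new dst-port=21 \
    protocol=tcp src-address-list=ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=21 \
    protocol=tcp src-address-list=ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=21 \
    protocol=tcp src-address-list=ftp_stage1
add action=add-src-to-address-list address-list=ftp_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=21 \
    protocol=tcp
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp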
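# Block one host by source MAC. src-mac-address only matches on the L2
# segment the frame arrived from and is trivially spoofed, so treat this as
# a convenience block rather than an access control.
add action=drop chain=forward comment=00:E0:4C:36:0C:A9 src-mac-address=\
    00:E0:4C:36:0C:A9
# The export also carried a *disabled* drop rule with no match criteria at
# all (same comment, no src-mac-address). Enabling it by mistake would drop
# every forwarded packet, so it has been removed instead of kept as a
# placeholder.
#
# Hand remaining forward traffic to the virus chain. Because established/
# related traffic was accepted at the top of the forward chain, only
# connection-state=new packets are inspected there; the chain drops matches
# and returns for everything else, so traffic that survives is forwarded
# by the default accept.
add action=jump chain=forward comment=jump-VIRUS jump-target=virus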
/ip firewall mangle
# Dual-WAN marking: eth1 TELKOM and eth2 NUSANET uplinks, eth4 LOCAL LAN.
# NUSANET: connections arriving on eth2 for the router itself are marked
# nusanet_conn, and the router's own replies on those connections
# (output chain) get routing-mark NUSANET so they leave via the same uplink.
# dst-address-type="" is an empty value, presumably an export artifact with
# no effect — confirm.
add action=mark-connection chain=input comment=nusanet dst-address-type="" \
    in-interface="eth2 NUSANET" new-connection-mark=nusanet_conn passthrough=\
    yes
add action=mark-routing chain=output connection-mark=nusanet_conn \
    new-routing-mark=NUSANET passthrough=no
# LAN-originated traffic not destined to the nusanet list nor to a local
# address is marked nusanet_conn; sources in the nusanet address list then
# get routing-mark NUSANET.
add action=mark-connection chain=prerouting dst-address-list=!nusanet \
    dst-address-type=!local in-interface="eth4 LOCAL" new-connection-mark=\
    nusanet_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=nusanet_conn \
    dst-address-type="" in-interface="eth4 LOCAL" new-routing-mark=NUSANET \
    passthrough=yes src-address-list=nusanet
# TELKOM: same pattern for eth1.
add action=mark-connection chain=input comment=telkom in-interface=\
    "eth1 TELKOM" new-connection-mark=telkom_conn passthrough=yes
add action=mark-routing chain=output connection-mark=telkom_conn \
    new-routing-mark=TELKOM passthrough=no
# NOTE(review): this match overlaps the nusanet rule above (both catch LAN
# traffic to any non-local destination) and, because passthrough=yes keeps
# the packet going, it overwrites nusanet_conn with telkom_conn for every
# LAN connection whose destination is not in the telkom list. The
# routing-mark rules key on src-address-list, so routing may still come out
# right, but the connection mark itself no longer tells the uplinks apart —
# confirm this is intended.
add action=mark-connection chain=prerouting dst-address-list=!telkom \
    dst-address-type=!local in-interface="eth4 LOCAL" new-connection-mark=\
    telkom_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=telkom_conn \
    in-interface="eth4 LOCAL" new-routing-mark=TELKOM passthrough=yes \
    src-address-list=telkom
# Streaming marks. tcp/1935 from 100.100.10.3 to the upstream list, leaving
# via eth1 TELKOM, gets connection/packet mark UP-Stream in postrouting;
# tcp traffic from source port 1935 into 100.100.10.0/24 gets DOWN-Stream
# in forward. 1935 is presumably RTMP; the packet marks are presumably
# consumed by queues that are not part of this listing — verify.
add action=mark-connection chain=postrouting comment=UP-Stream \
    dst-address-list=upstream dst-port=1935 new-connection-mark=UP-Stream \
    out-interface="eth1 TELKOM" passthrough=yes protocol=tcp src-address=\
    100.100.10.3
add action=mark-packet chain=postrouting connection-mark=UP-Stream \
    new-packet-mark=UP-Stream passthrough=no
add action=mark-connection chain=forward comment=DOWN-Stream dst-address=\
    100.100.10.0/24 new-connection-mark=DOWN-Stream passthrough=yes protocol=\
    tcp src-port=1935
add action=mark-packet chain=forward connection-mark=DOWN-Stream \
    new-packet-mark=DOWN-Stream passthrough=yes
# Inbound connections on eth2 NUSANET to 43.229.252.138 tcp/2018 are marked
# "FTP Public". NOTE(review): a public address, the uplink layout and a
# non-standard FTP port are being published in a blog post; if this is a
# production address that is free reconnaissance for an attacker.
add action=mark-connection chain=prerouting comment="FTP Public" dst-address=\
    43.229.252.138 dst-port=2018 in-interface="eth2 NUSANET" \
    new-connection-mark="FTP Public" passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark="FTP Public" \
    new-packet-mark="FTP Public" passthrough=no
# NOTE(review): these two rules mark the very same flow as UP-Stream above
# (same source, destination list and port) but in prerouting with the mark
# "up", and with passthrough=no the packet leaves prerouting here. Prerouting
# runs before postrouting, so the UP-Stream rules later overwrite both the
# connection mark and the packet mark; which of the two marks a queue
# actually sees depends on where that queue hooks in — confirm and keep one.
add action=mark-connection chain=prerouting comment="========" \
    dst-address-list=upstream dst-port=1935 new-connection-mark=up \
    passthrough=yes protocol=tcp src-address=100.100.10.3
add action=mark-packet chain=prerouting connection-mark=up new-packet-mark=up \
    passthrough=no
