Friday, May 3, 2013

Setting Mikrotik RB951G untuk Ubuntu 12.04 dengan 2 LAN card



Tipe kabel LAN antara proxy dan Mikrotik:
Jika menggunakan Router Box (RB Mikrotik) ke proxy, gunakan kabel straight (straight-through).

Jika Anda mengikuti langkah-langkah di install-dan-setting-proxy-ubuntu-server dan ingin memakai router box (Mikrotik) dengan proxy di Ubuntu Server, ikuti langkah-langkah berikut:

Atur IP address Mikrotik sebagai berikut melalui New Terminal di Winbox:
# Router addressing: one /24 per role; the interface comments name the role.
/ip address
# Wireless shares the wired LAN subnet but is left disabled.
add address=192.168.0.1/24 comment=Wireless disabled=yes interface=wlan1 network=192.168.0.0
# Client LAN (the hosts listed in the ipwarnet address list).
add address=192.168.0.1/24 comment=LAN disabled=no interface=ether5-slave-local network=192.168.0.0
# Proxy upstream leg: the proxy NIC 192.168.1.200 reaches the internet via this gateway.
add address=192.168.1.1/24 comment="Proxy to internet" disabled=no interface=ether3-slave-local network=192.168.1.0
# WAN leg; the default route points at 172.16.0.1 (see /ip route).
add address=172.16.0.2/24 comment=Wan disabled=no interface=ether1-gateway network=172.16.0.0
# Proxy client-facing leg: the transparent redirect targets 192.168.2.200 (see /ip firewall nat).
add address=192.168.2.1/24 comment="Client to proxy" disabled=no interface=ether4-slave-local network=192.168.2.0


# Single default route out of the WAN leg (172.16.0.2/24 on ether1-gateway).
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.1 scope=30 target-scope=10

# Router acts as a caching resolver for its LANs (allow-remote-requests=yes).
# NOTE(review): the resolver answers any source the input chain lets through; the
# input chain below accepts all UDP with no interface restriction, so unless that
# rule is narrowed the resolver is also reachable from ether1-gateway (open resolver).
/ip dns 
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=203.130.193.74,202.134.1.10,202.134.0.155

# master-port=none on every port: each ether port is routed on its own, so the
# "-slave-" in the interface names no longer implies any switch grouping.
/interface ethernet
set 0 master-port=none
set 1 master-port=none
set 2 master-port=none
set 3 master-port=none
set 4 master-port=none

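# ipwarnet: hosts that are masqueraded and redirected to the proxy (both NAT rules
# match src-address-list=ipwarnet). 192.168.1.200 and 192.168.2.200 are the proxy's
# two NICs; the proxyhit dst-nat rule excludes 192.168.1.200 explicitly.
# Fix: the section header and the first "add" were fused on one line in the
# original paste; the header must be on its own line or the whole list fails to load.
/ip firewall address-list
add address=192.168.0.1 disabled=no list=ipwarnet
add address=192.168.0.10 disabled=no list=ipwarnet
add address=192.168.0.11 disabled=no list=ipwarnet
add address=192.168.0.12 disabled=no list=ipwarnet
add address=192.168.0.13 disabled=no list=ipwarnet
add address=192.168.0.14 disabled=no list=ipwarnet
add address=192.168.0.15 disabled=no list=ipwarnet
add address=192.168.0.16 disabled=no list=ipwarnet
add address=192.168.0.17 disabled=no list=ipwarnet
add address=192.168.0.18 disabled=no list=ipwarnet
add address=192.168.0.19 disabled=no list=ipwarnet
add address=192.168.0.20 disabled=no list=ipwarnet
add address=192.168.0.21 disabled=no list=ipwarnet
add address=192.168.0.22 disabled=no list=ipwarnet
add address=192.168.0.23 disabled=no list=ipwarnet
add address=192.168.0.24 disabled=no list=ipwarnet
add address=192.168.2.200 disabled=no list=ipwarnet
add address=192.168.1.200 disabled=no list=ipwarnet
add address=192.168.0.25 disabled=no list=ipwarnet
add address=192.168.0.3 disabled=no list=ipwarnet
# proxynet is kept disabled and is not referenced by any rule in this configuration.
add address=192.168.1.0/24 disabled=yes list=proxynet
add address=192.168.2.0/24 disabled=yes list=proxynet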

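# Mangle: rules run top-down in prerouting; passthrough=no stops processing for
# the matched packet, so ordering below matters.
/ip firewall mangle
# Proxy cache hits: the proxy marks HIT replies with DSCP 12 and they go into the
# unlimited TURBO-PROXY queue. DSCP is set by the sender, so the match is restricted
# to the proxy's client-facing address (the dst-nat target); without it any host,
# WAN included, could set DSCP 12 on its own packets and bypass the bandwidth limits.
add action=mark-packet chain=prerouting comment="proxy hit" disabled=no dscp=12 new-packet-mark=proxy-hit passthrough=no src-address=192.168.2.200
# DNS from the proxy subnet: connection mark -> packet mark -> DSCP 16 (queued as DNS-UP).
add action=mark-connection chain=prerouting comment=DNS disabled=no dst-port=53 new-connection-mark=DNS passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=53 new-connection-mark=DNS passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-packet chain=prerouting connection-mark=DNS disabled=no new-packet-mark=DNS_PACKET passthrough=yes
add action=change-dscp chain=prerouting disabled=no new-dscp=16 packet-mark=DNS_PACKET passthrough=no
# ICMP from the proxy subnet, same pattern (queued as "ICMP UP").
add action=mark-connection chain=prerouting comment="manipulasi Type of Service untuk ICMP Packet" disabled=no new-connection-mark=ICMP-CM passthrough=yes protocol=icmp src-address=192.168.1.0/24
add action=mark-packet chain=prerouting connection-mark=ICMP-CM disabled=no new-packet-mark=ICMP-PM passthrough=yes
add action=change-dscp chain=prerouting disabled=no new-dscp=16 packet-mark=ICMP-PM passthrough=no
# Game ports: every rule sets the same connection mark "game"; the packet mark below
# feeds the "KONEKSI GAME" simple queue.
add action=mark-connection chain=prerouting comment="GAME #pointblank" disabled=no new-connection-mark=game passthrough=yes protocol=tcp dst-port=39100,39110,39220,39190,49100
add action=mark-connection chain=prerouting disabled=no  new-connection-mark=game passthrough=yes protocol=udp dst-port=40000-40010
add action=mark-connection chain=prerouting comment="Dragon Nest" disabled=no  new-connection-mark=game passthrough=yes protocol=udp dst-port=15101-15124,14101
add action=mark-connection chain=prerouting disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=14300-14506
add action=mark-connection chain=prerouting comment="Lost Saga" disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=14009,14010
add action=mark-connection chain=prerouting disabled=no  new-connection-mark=game passthrough=yes protocol=udp dst-port=14009-14026
add action=mark-connection chain=prerouting comment=PW disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=29000
add action=mark-connection chain=prerouting comment="S4 League" disabled=no  new-connection-mark=game passthrough=yes protocol=udp dst-port=54500-56500
add action=mark-connection chain=prerouting disabled=no  new-connection-mark=game passthrough=yes protocol=udp dst-port=16666-16668,28000-28013
add action=mark-connection chain=prerouting comment=RF disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=27780
add action=mark-connection chain=prerouting comment=poker disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=9339
add action=mark-connection chain=prerouting comment=Atlantica disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=4300
add action=mark-connection chain=prerouting comment="CS online" disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=36567,8001
add action=mark-connection chain=prerouting disabled=no  new-connection-mark=game passthrough=yes protocol=udp dst-port=8001
add action=mark-connection chain=prerouting comment="3 Kingdom" disabled=no  new-connection-mark=game passthrough=yes protocol=udp dst-port=42051-42052
add action=mark-connection chain=prerouting comment=DOTA disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=6000-6152
add action=mark-connection chain=prerouting comment=Idolstreet disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=2001
add action=mark-connection chain=prerouting comment=Ayodance disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=18901-18909
add action=mark-connection chain=prerouting comment=HON disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=11031
add action=mark-connection chain=prerouting disabled=no  new-connection-mark=game passthrough=yes protocol=udp dst-port=11235-11335
add action=mark-connection chain=prerouting comment=ElSword disabled=no  new-connection-mark=game passthrough=yes protocol=tcp dst-port=9300-9310
add action=mark-connection chain=prerouting disabled=no  new-connection-mark=game passthrough=yes protocol=udp dst-port=9101-9105
add action=mark-packet chain=prerouting comment="Mark Packet Game" connection-mark=game disabled=no new-packet-mark=game_packet passthrough=no
# http_conn is what the proxyhit dst-nat rule keys on (with dst-port 80,8080,3128).
# The original matched every TCP connection from ipwarnet with passthrough=no, which
# shadowed the https/YM rules below for those hosts; matching the same ports as the
# dst-nat rule keeps the redirect identical and lets the later marks be reached.
add action=mark-connection chain=prerouting comment=http_conn disabled=no dst-port=80,8080,3128 new-connection-mark=http_conn passthrough=no protocol=tcp src-address-list=ipwarnet
add action=mark-packet chain=prerouting connection-mark=http_conn disabled=no new-packet-mark=http_conn passthrough=no
# https_conn / YM_conn marks are not referenced by any queue in this configuration.
add action=mark-connection chain=prerouting comment=https_conn connection-state=new disabled=no dst-port=443 new-connection-mark=https_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=https_conn disabled=no new-packet-mark=https_conn passthrough=no
add action=mark-connection chain=prerouting comment="YM conn" disabled=no dst-port=5050,5100,5051 new-connection-mark=YM passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=YM disabled=no new-packet-mark=YM_conn passthrough=no
# Winbox replies from the router itself (output chain) get their own queue-tree entry.
add action=mark-connection chain=output comment=winbox disabled=no new-connection-mark=winbox out-interface=ether5-slave-local passthrough=yes protocol=tcp src-port=8291
add action=mark-packet chain=output connection-mark=winbox disabled=no new-packet-mark=winbox passthrough=no
# MSS clamp on SYNs arriving from the WAN (comment says "MMS"; it is the TCP MSS).
add action=change-mss chain=forward comment="CHANGE MMS" disabled=no in-interface=ether1-gateway new-mss=1440 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1441-65535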

/ip firewall nat
# Masquerade everything from ipwarnet. No out-interface is given, so this also
# rewrites client->proxy traffic on the 192.168.2.x leg; the proxy then sees the
# router's address instead of the client's. NOTE(review): adding
# out-interface=ether1-gateway is the usual fix, but confirm the proxy has a route
# back to 192.168.0.0/24 first. to-addresses is ignored by masquerade.
add action=masquerade chain=srcnat comment="default configuration" disabled=no src-address-list=ipwarnet to-addresses=0.0.0.0
# Transparent proxy redirect: HTTP-ish ports from ipwarnet (except the proxy's own
# 192.168.1.200 leg) go to the proxy at 192.168.2.200:3128. This is the rule the
# proxy_up/proxy_down scripts enable and disable (matched by comment "proxyhit").
add action=dst-nat chain=dstnat comment=proxyhit connection-mark=http_conn disabled=no dst-port=80,8080,3128 protocol=tcp src-address=!192.168.1.200 src-address-list=ipwarnet to-addresses=192.168.2.200 to-ports=3128
# Exposes the proxy's SSH on the WAN address (ports 22 and 10000) with no source
# restriction; consider limiting src-address to the management network if the WAN
# side is not trusted.
add action=dst-nat chain=dstnat comment=SSH disabled=no dst-address=172.16.0.2 dst-port=22,10000 protocol=tcp to-addresses=192.168.1.200 to-ports=22

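# Filter rules are evaluated top-down per chain; the first matching terminal
# action wins, so nothing placed after a chain's final drop is ever reached.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
# Port-scan detection. In the original these rules sat after "Drop everything else"
# and were therefore dead; they must precede the accepts and the final drop.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
# UDP to the router is only needed from the LAN side (DNS resolver, DHCP etc.);
# the original accepted UDP from every interface, which exposed the resolver
# (allow-remote-requests=yes) on ether1-gateway. Replies to the router's own
# DNS/NTP queries are already covered by the established/related accepts above.
add action=accept chain=input comment=UDP disabled=no in-interface=!ether1-gateway protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
# SSH and winbox are accepted from any source. On the WAN address, :22 is already
# taken by the dst-nat to the proxy; :8291 remains reachable from the WAN side
# unless a src-address restriction is added here.
add action=accept chain=input comment="SSH for secure shell" disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment=winbox disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="From our private LAN" disabled=no src-address=192.168.0.0/24
add action=accept chain=input comment="From proxy" disabled=no src-address=192.168.1.0/24
add action=accept chain=input comment="From proxy" disabled=no src-address=192.168.2.0/24
add action=drop chain=input comment="Drop everything else" disabled=no
# --- forward: traffic routed through the router ---
add action=drop chain=forward comment="dropping port scanners" disabled=no src-address-list="port scanners"
# "virus" chain: well-known worm/backdoor ports; entered via the jump below.
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Conficker Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment="Drop Conficker " disabled=no dst-port=5933 protocol=tcp
add action=drop chain=virus comment="Drop Conficker 2" disabled=no dst-port=4691 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop Kido Worm" disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=3127 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment=radmin disabled=no dst-port=4899 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=drop chain=virus comment=p2p disabled=no p2p=all-p2p
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
add action=drop chain=forward comment="ngeDrop Traceroute dari client" disabled=no icmp-options=11:0 protocol=icmp
add action=drop chain=forward comment="ngeDrop Traceroute dari client" disabled=no icmp-options=3:3 protocol=icmp
# The HTTP/SMTP accepts are subsumed by the blanket TCP accept that follows; the
# final drop therefore only affects protocols other than TCP, UDP and ICMP.
add action=accept chain=forward comment="Allow HTTP" disabled=no dst-port=80 protocol=tcp
add action=accept chain=forward comment="Allow SMTP" disabled=no dst-port=25 protocol=tcp
add action=accept chain=forward comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=forward comment="allow ping" disabled=no protocol=icmp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
add action=drop chain=forward comment="drop everything else" disabled=no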

# Queue types. pcq-rate=0 leaves each sub-stream uncapped; the limits come from the
# queues that use these types. The name "downsteam-pcq" is misspelt but is referenced
# by every simple queue below, so it must stay as written.
/queue type
add kind=pcq name=downsteam-pcq pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=1s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=upstream-pcq pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=1s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pfifo name=pfifo-64 pfifo-limit=64
# Used by TURBO-PROXY; larger total limit and burst time than the per-client pcq types.
add kind=pcq name=PROXYHIT pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=20000

/queue tree
# Proxy cache hits: max-limit=0, i.e. no cap of its own, at top priority. This queue
# only has a limit through the mangle rule that sets packet-mark=proxy-hit, so
# confirm that rule is restricted to the proxy's address and not just to dscp=12.
add burst-limit=0 burst-threshold=0 burst-time=0s comment="turbo proxy" disabled=no limit-at=0 max-limit=0 name=TURBO-PROXY packet-mark=proxy-hit parent=global-out priority=1 queue=PROXYHIT
# DNS and ICMP from the proxy subnet (marks set in mangle) get small dedicated queues.
add burst-limit=50k burst-threshold=50k burst-time=10s comment="dns up" disabled=no limit-at=20k max-limit=50k name=DNS-UP packet-mark=DNS_PACKET parent=global-in priority=1 queue=pfifo-64
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=8k max-limit=30k name="ICMP UP" packet-mark=ICMP-PM parent=global-out priority=2 queue=pfifo-64
# Winbox replies (output-chain mark) are kept responsive, also uncapped.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=winbox packet-mark=winbox parent=global-out priority=1 queue=default

# Simple queues. max-limit is upload/download. "evonet" caps the whole client LAN;
# the entries with parent=evonet are per-host (or per-mark) children sharing that cap.
/queue simple
# The proxy's internet leg gets its own cap, independent of the client LAN.
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="proxy to internet" direction=both disabled=no interface=all limit-at=0/0 max-limit=612k/3250k name="Proxy to internet" packet-marks="" parent=none priority=8 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.200/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment=warnet direction=both disabled=no interface=all limit-at=0/0 max-limit=612k/3250k name=evonet packet-marks="" parent=none priority=8 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.0.0/24 total-queue=default-small
# Game traffic (packet-mark game_packet from mangle) gets guaranteed bandwidth at priority 1.
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=512k/1M max-limit=512k/1M name="KONEKSI GAME" packet-marks=game_packet parent=evonet priority=1 queue=upstream-pcq/downsteam-pcq target-addresses="" total-queue=default-small
# Per-host children: billing PC and kom11..kom14. Other 192.168.0.x hosts have no
# child queue of their own and only share what is left of evonet.
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=55k/295k max-limit=128k/800k name=billing packet-marks="" parent=evonet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.0.3/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=55k/295k max-limit=128k/800k name=kom14 packet-marks="" parent=evonet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.0.24/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=55k/295k max-limit=128k/800k name=kom13 packet-marks="" parent=evonet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.0.23/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=55k/295k max-limit=128k/800k name=kom12 packet-marks="" parent=evonet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.0.22/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=55k/295k max-limit=128k/800k name=kom11 packet-marks="" parent=evonet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.0.21/32 total-queue=default-small

# Time sync (unicast NTP, two servers) and local time zone; correct time matters for
# log timestamps and for the 2w address-list timeouts used by the port-scanner rules.
/system ntp client
set enabled=yes mode=unicast primary-ntp=180.211.88.5 secondary-ntp=202.43.117.10
/system clock
set time-zone-name=Asia/Jakarta

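# Scripts run by netwatch to enable/disable the transparent-proxy dst-nat rule
# (matched by comment "proxyhit"). Changing a firewall rule needs only the
# read and write policies; the original granted every policy (ftp, reboot,
# policy, test, winbox, password, sniff, sensitive, api), far more than a
# rule toggle needs, so the scripts are reduced to least privilege.
/system script
add name=proxy_up policy=read,write source="/ip firewall nat set [find comment=\"proxyhit\"] disabled=no"
add name=proxy_down policy=read,write source="/ip firewall nat set [find comment=\"proxyhit\"] disabled=yes"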

# Watch the proxy: when it stops answering, disable the redirect so clients reach
# the internet directly; re-enable it when the proxy is back.
# NOTE(review): both entries drive the same two scripts but watch different NICs of
# the same proxy host; if only one leg is down the two entries will flip the
# proxyhit rule back and forth every interval. Watching only 192.168.2.200 (the
# dst-nat target) avoids that — confirm which leg the redirect actually depends on.
# NOTE(review): up-script/down-script hold script source; if a bare script name does
# not execute on this RouterOS version, use "/system script run proxy_down" instead.
/tool netwatch
add disabled=no down-script=proxy_down host=192.168.1.200 interval=40s timeout=1s up-script=proxy_up
add disabled=no down-script=proxy_down host=192.168.2.200 interval=40s timeout=1s up-script=proxy_up

# Reboot to apply everything above; in an interactive terminal this asks for confirmation.
/system reboot

Selesai (The End)
