Firewall Mikrotik Hotspot Gateway

Catatan :

1. Lan card ada 2
2. Alokasi IP address pada Mikrotik Hotspot Gateway :
- to_hotspot ip public
- to_hotspot 10.10.0.1/16

/ip firewall filter add chain=block-forward action=accept protocol=icmp icmp-options=8:0 limit=1,0 comment=”Allow ICMP”

/ip firewall filter add chain=block-forward action=log tcp-flags=syn protocol=tcp limit=5/1m,0 log-prefix=”Firewalled packet:” comment=”# Log Forward”

/ip firewall filter add chain=block-forward action=log protocol=icmp icmp-options=8:0 limit=10/1h,0 log-prefix=”PING of Death ???” comment=”# Log PING of Death”

/ip firewall filter add chain=block-forward action=drop src-address=169.254.0.0/16 comment=”# Block bad IP address”

/ip firewall filter add chain=block-forward action=drop src-address=224.0.0.0/3

/ip firewall filter add chain=block-forward action=drop src-address=224.0.0.0/4

/ip firewall filter add chain=block-forward action=drop src-address=240.0.0.0/5

/ip firewall filter add chain=block-forward action=drop src-address=248.0.0.0/5

/ip firewall filter add chain=block-forward action=drop src-address=255.255.255.255

/ip firewall filter add chain=block-forward action=drop connection-state=invalid comment=”# Drop invalid connections”

/ip firewall filter add chain=block-input action=accept protocol=icmp icmp-options=8:0 limit=5,0 comment=”# Allow ICMP”

/ip firewall filter add chain=block-input action=log protocol=icmp icmp-options=8:0 limit=10/1h,0 log-prefix=”PING of Death ???” comment=”# Log PING of Death”

/ip firewall filter add chain=block-input action=log tcp-flags=syn protocol=tcp limit=5/1m,0 log-prefix=”Firewalled packet:” comment=”# Log input”

/ip firewall filter add chain=block-input action=drop protocol=icmp comment=”# Block PING of Death”

/ip firewall filter add chain=block-input action=drop in-interface=to_internet src-address=10.0.0.0/8 comment=”# Interface facing Public Internet Inbound Section RFC 1918″

/ip firewall filter add chain=block-input action=drop in-interface=to_internet src-address=202.91.11.6

/ip firewall filter add chain=block-input action=drop in-interface=to_internet src-address=192.168.0.0/16

/ip firewall filter add chain=block-input action=drop in-interface=to_internet src-address=202.91.8.160/29

/ip firewall filter add chain=block-input action=drop src-address=0.0.0.0/8

/ip firewall filter add chain=input action=jump jump-target=block-input comment=”# Jump to block-input”

/ip firewall filter add chain=forward action=jump jump-target=block-forward comment=”# Jump to block-forward”

/ip firewall filter add chain=forward action=jump jump-target=block-ddos protocol=udp comment=”# Jump to block-ddos”

/ip firewall filter add chain=forward action=jump jump-target=block-service comment=”# Jump to block-service”

/ip firewall filter add chain=block-service action=drop p2p=all-p2p comment=”# Block ports you don’t want it insert here ..:: drop p2p ::..”

/ip firewall filter add chain=block-service action=drop out-interface=to_internet dst-port=5050 protocol=tcp comment=”..:: drop yahoo messenger ::..”

/ip firewall filter add chain=block-service action=drop out-interface=to_internet dst-port=6666-7000 protocol=tcp comment=”..:: drop irc ::..”

/ip firewall filter add chain=block-input action=drop src-address=127.0.0.0/8

/ip firewall filter add chain=block-input action=drop src-address=169.254.0.0/16

/ip firewall filter add chain=block-input action=drop src-address=172.16.0.0/12

/ip firewall filter add chain=block-input action=drop src-address=192.0.2.0/24

/ip firewall filter add chain=block-input action=drop src-address=204.152.64.0/23

/ip firewall filter add chain=block-input action=drop src-address=224.0.0.0/3

/ip firewall filter add chain=block-input action=drop src-address=224.0.0.0/4

/ip firewall filter add chain=block-input action=drop src-address=240.0.0.0/5

/ip firewall filter add chain=block-input action=drop src-address=248.0.0.0/5

/ip firewall filter add chain=block-input action=drop src-address=255.255.255.255

/ip firewall filter add chain=block-input action=drop in-interface=to_internet src-address=202.91.8.167 comment=”# Block Smurf Attack on all interface”

/ip firewall filter add chain=block-input action=drop in-interface=to_internet src-address=202.91.11.7

/ip firewall filter add chain=block-input action=drop in-interface=to_hotspot src-address=10.10.255.255

/ip firewall filter add chain=block-input action=drop in-interface=to_proxy src-address=192.168.100.255

/ip firewall filter add chain=block-input action=drop dst-port=113 protocol=tcp comment=”# Block Ident”

/ip firewall filter add chain=block-input action=drop fragment=yes comment=”# Block IP Frags”

/ip firewall filter add chain=block-input action=drop ipv4-options=loose-source-routing comment=”# Blocked source routed packets lsrr and ssrr”

/ip firewall filter add chain=block-input action=drop ipv4-options=strict-source-routing

/ip firewall filter add chain=block-input action=reject reject-with=tcp-reset in-interface=to_internet dst-port=80 protocol=tcp comment=”# Reject connection from internet to port 80”

/ip firewall filter add chain=block-forward action=reject reject-with=tcp-reset tcp-flags=syn,ack connection-state=new protocol=tcp comment=”# Reject Bad TCP”

/ip firewall filter add chain=block-forward action=drop protocol=icmp comment=”# Block PING of Death”

/ip firewall filter add chain=block-input action=drop in-interface=to_internet dst-port=23 protocol=tcp comment=”# Block Telnet come from Internet”

/ip firewall filter add chain=block-input action=drop in-interface=to_hotspot dst-port=23 protocol=tcp comment=”# Block Telnet come from Hotspot”

/ip firewall filter add chain=block-forward action=drop dst-port=137-139 protocol=tcp comment=”# Block Netbios Sessions tcp”

/ip firewall filter add chain=block-input action=drop dst-port=137-139 protocol=tcp comment=”# Block Netbios Sessions tcp”

/ip firewall filter add chain=block-input action=drop dst-port=137-139 protocol=udp comment=”# Block Netbios Sessions udp”

/ip firewall filter add chain=block-forward action=drop dst-port=135-139 protocol=udp comment=”# Block Netbios Sessions udp”

/ip firewall filter add chain=block-ddos action=return limit=16,32

/ip firewall filter add chain=block-ddos action=log log-prefix=”DDOS ATTACK:”

/ip firewall filter add chain=block-ddos action=drop limit=16,32

/ip firewall filter add chain=input action=jump jump-target=block-ddos protocol=udp comment=”# Jump to block-ddos”

/ip firewall filter add chain=tcp-flags action=jump jump-target=bad-flags tcp-flags=fin,!ack protocol=tcp comment=”# tcp-flags jumpt to bad-flags”

/ip firewall filter add chain=tcp-flags action=jump jump-target=bad-flags tcp-flags=psh,!ack protocol=tcp

/ip firewall filter add chain=tcp-flags action=jump jump-target=bad-flags tcp-flags=urg,!ack protocol=tcp

/ip firewall filter add chain=tcp-flags action=jump jump-target=bad-flags tcp-flags=fin,rst protocol=tcp

/ip firewall filter add chain=tcp-flags action=jump jump-target=bad-flags tcp-flags=fin,syn protocol=tcp

/ip firewall filter add chain=tcp-flags action=jump jump-target=bad-flags tcp-flags=syn,rst protocol=tcp

/ip firewall filter add chain=tcp-flags action=jump jump-target=bad-flags tcp-flags=fin,syn,rst,psh,ack,urg,ece,cwr protocol=tcp

/ip firewall filter add chain=tcp-flags protocol=tcp action=jump jump-target=bad-flags tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg,!ece,!cwr

/ip firewall filter add chain=tcp-flags protocol=tcp action=jump jump-target=bad-flags tcp-flags=fin,psh,urg,!syn,!rst,!ack,!ece,!cwr

/ip firewall filter add chain=tcp-flags action=jump jump-target=bad-flags tcp-flags=fin,syn,psh,urg,!rst,!ack,!ece,!cwr protocol=tcp

/ip firewall filter add chain=tcp-flags action=jump jump-target=bad-flags tcp-flags=fin,syn,rst,ack,urg,!psh,!ece,!cwr protocol=tcp

/ip firewall filter add chain=input action=jump jump-target=tcp-flags protocol=tcp comment=”# Jump to tcp-flags”

/ip firewall filter add chain=bad-flags action=log log-prefix=”TCP BAD FLAGS:”

/ip firewall filter add chain=bad-flags action=drop

/ip firewall filter add chain=syn-flood action=return tcp-flags=syn,!fin,!rst,!ack protocol=tcp limit=5,10

/ip firewall filter add chain=syn-flood action=return protocol=!tcp

/ip firewall filter add chain=syn-flood action=return tcp-flags=!,syn,!fin,!rst,!ack protocol=tcp

/ip firewall filter add chain=syn-flood action=log log-prefix=”SYN FLOOD:”

/ip firewall filter add chain=syn-flood action=drop

/ip firewall filter add chain=input action=jump jump-target=syn-flood tcp-flags=syn,!fin,!rst,!ack protocol=tcp comment=”# Jump to syn-flood”

/ip firewall filter add chain=block-forward action=drop dst-port=445 protocol=tcp comment=”# Block CIFS tcp”

/ip firewall filter add chain=block-forward action=drop dst-port=135 protocol=tcp comment=”# Block RPC Portmapper”

/ip firewall filter add chain=block-forward action=drop dst-port=135 protocol=udp

/ip firewall filter add chain=block-forward action=drop dst-port=111 protocol=tcp

/ip firewall filter add chain=block-input action=drop dst-port=135 protocol=tcp comment=”# Block RPC Portmapper”

/ip firewall filter add chain=block-input action=drop dst-port=135 protocol=udp

/ip firewall filter add chain=block-input action=drop dst-port=111 protocol=tcp

/ip firewall filter add chain=block-input action=drop dst-port=111 protocol=udp

/ip firewall filter add chain=block-input action=drop dst-port=445 protocol=tcp comment=”# Block CIFS tcp”

/ip firewall filter add chain=block-forward action=drop dst-port=111 protocol=udp

/ip firewall filter add chain=block-forward action=drop dst-port=69 protocol=tcp comment=”# Block TFTP”

/ip firewall filter add chain=block-input action=drop dst-port=69 protocol=tcp comment=”# Block TFTP”

/ip firewall filter add chain=block-input action=drop dst-port=69 protocol=udp

/ip firewall filter add chain=block-input action=drop dst-port=20034 protocol=tcp comment=”# Block Netbus”

/ip firewall filter add chain=block-input action=drop dst-port=20034 protocol=udp

/ip firewall filter add chain=block-input action=drop dst-port=3133 protocol=tcp comment=”# Block Back0riffice”

/ip firewall filter add chain=block-input action=drop dst-port=3133 protocol=udp

/ip firewall filter add chain=block-forward action=drop dst-port=69 protocol=udp

/ip firewall filter add chain=block-forward action=drop dst-port=20034 protocol=tcp comment=”# Block Netbus”

/ip firewall filter add chain=block-forward action=drop dst-port=20034 protocol=udp

/ip firewall filter add chain=block-forward action=drop dst-port=3133 protocol=tcp comment=”# Block Back0riffice”

/ip firewall filter add chain=block-forward action=drop dst-port=3133 protocol=udp

/ip firewall filter add chain=block-input action=drop dst-port=2049 protocol=udp comment=”# Block NFS”

/ip firewall filter add chain=block-input action=drop dst-port=2049 protocol=tcp

/ip firewall filter add chain=block-forward action=drop dst-port=2049 protocol=udp comment=”# Block NFS”

/ip firewall filter add chain=block-forward action=drop dst-port=2049 protocol=tcp

/ip firewall filter add chain=block-service action=drop out-interface=to_internet dst-port=1818 protocol=tcp comment=”# Block Game online”

/ip firewall filter add chain=block-service action=drop out-interface=to_internet dst-port=6112 protocol=tcp

Setting Mikrotik Untuk Router

KONFIGURASI FIREWALL DAN NETWORK

#/ip firewall nat add action=masquerade chain=srcnat

#/ip firewall filter add chain=input connection-state=invalid action=drop

#/ip firewall filter add chain=input protocol=udp action=accept

#/ip firewall filter add chain=input protocol=icmp action=accept

#/ip firewall filter add chain=input in-interface=(ethernet card yg ke lan) action=accept

#/ip firewall filter add chain=input in-interface=(ethernet card yg ke internet) action=accept

#/ip firewall filter add chain=input action=drop

Jika Anda menggunakan Web Proxy :

#/ip web-proxy set enabled=yes src-address=0.0.0.0. port=8080 hostname=”” parent-proxy=0.0.0.0:0 cache-administrator=”webmaster” max-object-size=4096KiB cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited

#/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=3128
#/ip firewall nat add in-interface=modem dst-port=80 protocol=tcp action=redirect to-ports=3128 chain=dstnat dst-address=!192.168.0.1/24

Yang 3128 semuanya di ganti 8080 : caranya :

#/ip web-proxy set enable=yes

#/ip web-proxy set port=3128

#/ip web-proxy set max-cache-size=3145728 ( 3 kali total ram )

#/ip web-proxy set hostname=”proxy.saya”

#/ip web-proxy set allow-remote-requests=yes

#/ip web-proxy set cache-administrator: “emailku@yahoo.com”

FILTERING :

#/ ip firewall filter

#add chain=input connection-state=invalid action=drop comment=”Drop Invalid connections”

#add chain=input connection-state=established action=accept comment=”Allow Established connections”

#add chain=input protocol=udp action=accept comment=”Allow UDP”

#add chain=input protocol=icmp action=accept comment=”Allow ICMP”

#add chain=input src-address=192.168.0.0/24 action=accept comment=”Allow access to router from known network”

#add chain=input action=drop comment=”Drop anything else”

ANTI VIRUS UNTUK MIKROTIK :

#add chain=forward action=jump jump-target=virus comment=”jump to the virus chain”

#add chain=forward protocol=icmp comment=”allow ping”add chain=forward protocol=udp comment=”allow udp”add chain=forward action=drop comment=”drop everything else“

SECURITY ROUTER MIKROTIK ANDA :

/ ip firewall filter

#add chain=input connection-state=established comment=”Accept established connections”

#add chain=input connection-state=related comment=”Accept related connections”

#add chain=input connection-state=invalid action=drop comment=”Drop invalid connections”

#add chain=input protocol=udp action=accept comment=”UDP” disabled=no

#add chain=input protocol=icmp limit=50/5s,2 comment=”Allow limited pings”

#add chain=input protocol=icmp action=drop comment=”Drop excess pings”

#add chain=input protocol=tcp dst-port=22 comment=”SSH for secure shell”

#add chain=input protocol=tcp dst-port=8291 comment=”winbox”

# End of Edit #

#add chain=input action=log log-prefix=”DROP INPUT” comment=”Log everything else”

#add chain=input action=drop comment=”Drop everything else”

SETTING KEAMANAN JARINGAN HANYA UNTUK LOKAL AREA ANDA :

/ip firewall filter

#add chain=forward connection-state=established comment=”allow established connections”

#add chain=forward connection-state=related comment=”allow related connections”

#add chain=forward connection-state=invalid action=drop comment=”drop invalid connections”

#add chain=virus protocol=tcp dst-port=135-139 action=drop comment=”Drop Blaster Worm”

#add chain=virus protocol=udp dst-port=135-139 action=drop comment=”Drop Messenger Worm”

#add chain=virus protocol=tcp dst-port=445 action=drop comment=”Drop Blaster Worm”

#add chain=virus protocol=udp dst-port=445 action=drop comment=”Drop Blaster Worm”

#add chain=virus protocol=tcp dst-port=593 action=drop comment=”________”

#add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=”________”

#add chain=virus protocol=tcp dst-port=1080 action=drop comment=”Drop MyDoom”

#add chain=virus protocol=tcp dst-port=1214 action=drop comment=”________”

#add chain=virus protocol=tcp dst-port=1363 action=drop comment=”ndm requester”

#add chain=virus protocol=tcp dst-port=1364 action=drop comment=”ndm server”

#add chain=virus protocol=tcp dst-port=1368 action=drop comment=”screen cast”

#add chain=virus protocol=tcp dst-port=1373 action=drop comment=”hromgrafx”

#add chain=virus protocol=tcp dst-port=1377 action=drop comment=”cichlid”

#add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment=”Worm”

#add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Bagle Virus”

#add chain=virus protocol=tcp dst-port=2283 action=drop comment=”Drop Dumaru.Y” add chain=virus protocol=tcp dst-port=2535 action=drop comment=”Drop Beagle”

#add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Drop Beagle.C-K” add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment=”Drop MyDoom”

#add chain=virus protocol=tcp dst-port=3410 action=drop comment=”Drop Backdoor OptixPro”

#add chain=virus protocol=tcp dst-port=4444 action=drop comment=”Worm”

#add chain=virus protocol=udp dst-port=4444 action=drop comment=”Worm”

#add chain=virus protocol=tcp dst-port=5554 action=drop comment=”Drop Sasser”

#add chain=virus protocol=tcp dst-port=8866 action=drop comment=”Drop Beagle.B”

#add chain=virus protocol=tcp dst-port=9898 action=drop comment=”Drop Dabber.A-B”

#add chain=virus protocol=tcp dst-port=10000 action=drop comment=”Drop Dumaru.Y”

#add chain=virus protocol=tcp dst-port=10080 action=drop comment=”Drop MyDoom.B”

#add chain=virus protocol=tcp dst-port=12345 action=drop comment=”Drop NetBus”

#add chain=virus protocol=tcp dst-port=17300 action=drop comment=”Drop Kuang2″

#add chain=virus protocol=tcp dst-port=27374 action=drop comment=”Drop SubSeven”

#add chain=virus protocol=tcp dst-port=65506 action=drop comment=”Drop PhatBot, Agobot, Gaobot”

#MatikanPort yang Biasa di pakai Spam :

#/ip firewall filter add chain=forward dst-port=135-139 protocol=tcp action=drop

#/ip firewall filter add chain=forward dst-port=135-139 protocol=udp action=drop

#/ip firewall filter add chain=forward dst-port=445 protocol=tcp action=drop

#/ip firewall filter add chain=forward dst-port=445 protocol=udp action=drop

#/ip firewall filter add chain=forward dst-port=593 protocol=tcp action=drop

#/ip firewall filter add chain=forward dst-port=4444 protocol=tcp action=drop

#/ip firewall filter add chain=forward dst-port=5554 protocol=tcp action=drop

#/ip firewall filter add chain=forward dst-port=9996 protocol=tcp action=drop

#/ip firewall filter add chain=forward dst-port=995-999 protocol=udp action=drop

#/ip firewall filter add chain=forward dst-port=53 protocol=tcp action=drop

#/ip firewall filter add chain=forward dst-port=55 protocol=tcp action=drop